MDM

Mobile Device Management

How bad is the OpenSSL "Heartbleed" vulnerability for MDM?


Yesterday a vulnerability came to light in OpenSSL, which underpins much of the security infrastructure on web servers and application servers around the Internet. Today the technology world is on fire about the bug. Basically, any server running OpenSSL versions 1.0.1 through 1.0.1f is at risk to a simple query. There is an online tool available to check your servers.

The bug, however, doesn't only affect SSL. OpenSSL is also commonly used for generating the asymmetric encryption keys that are the foundation of, oh, the Apple Push Notification Service. And APNS is the foundation for MDM.

If your MDM service happens to be vulnerable, or was vulnerable any time in the last two years the bug has been available, then it is possible someone has stolen your server's private APNS key. And if they do that then your MDM is compromised. But since the attack leaves no trace, well it may be better to err on the safe side.

The "safe side" for MDM means revoking your APNS certificate, and re-enrolling all devices. By hand. That is going to be a huge bucket of pain.

So here is hoping your particular MDM service is not and was not vulnerable. I've heard from a few already, but will wait for official statements to become available before posting. Watch this thread for more as this develops.
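A first-pass triage for the version range the post gives, added here as an example and not part of the original post: it classifies `openssl version` output collected from each server. The hostnames and banners are constructed samples, and the function names are this example's own.

```python
import re

# Affected range as stated in the post: OpenSSL 1.0.1 through 1.0.1f.
_VERSION_RE = re.compile(r"OpenSSL\s+(\d+)\.(\d+)\.(\d+)([a-z]*)")


def parse_openssl_version(banner):
    """Return (major, minor, fix, letter) from `openssl version` output, or None."""
    m = _VERSION_RE.search(banner)
    if not m:
        return None
    major, minor, fix, letter = m.groups()
    return int(major), int(minor), int(fix), letter


def in_heartbleed_range(banner):
    """True for 1.0.1 through 1.0.1f, False otherwise, None if unparseable."""
    parsed = parse_openssl_version(banner)
    if parsed is None:
        return None
    major, minor, fix, letter = parsed
    if (major, minor, fix) != (1, 0, 1):
        return False
    # An empty letter is the original 1.0.1 release; single letters a..f follow it.
    return letter == "" or (len(letter) == 1 and letter <= "f")


def triage(inventory):
    """Map each host to 'in range', 'not in range' or 'unknown'."""
    labels = {True: "in range", False: "not in range", None: "unknown"}
    return {host: labels[in_heartbleed_range(banner)]
            for host, banner in inventory.items()}


# Constructed sample inventory: host -> output of `openssl version` on that host.
SAMPLE_INVENTORY = {
    "mdm-01.example.internal": "OpenSSL 1.0.1e 11 Feb 2013",
    "mdm-02.example.internal": "OpenSSL 1.0.1g 7 Apr 2014",
    "apns-gw.example.internal": "OpenSSL 1.0.1 14 Mar 2012",
    "legacy.example.internal": "OpenSSL 0.9.8y 5 Feb 2013",
    "appliance.example.internal": "unrecognized banner",
}

if __name__ == "__main__":
    for host, status in sorted(triage(SAMPLE_INVENTORY).items()):
        print(f"{host:28} {status}")
```

Treat the result as a starting point: vendor packages can carry a backported fix under an unchanged version string, and a build compiled with `-DOPENSSL_NO_HEARTBEATS` does not expose the bug. A host that is "not in range" today may still have run an affected version earlier.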

QUICK Poll: What MDM Do You Use

bevo_79's picture

What is everybody's preference for MDMs? We currently have a solution, but are looking to change.

MDM and iOS Music

T_tins's picture

Hey everyone,

This is my first post here and I signed up for this account solely to ask this question. First, some helpful background info.

I work for several restaurants (all owned by the same company) managing their music. Basically, I create playlists, upload them onto iPods at each restaurant, and update the music regularly (ideally once per month). I hope to add more restaurants in the future, but it's already quite a pain to drive to each location (especially when I'm simply going to take a handful of songs off of a playlist).

So here's my question: Are there any MDM providers that would allow me to manage the music on several iPod touches (assuming they have wifi)? I am new to MDMs, but as I look around I haven't seen anyone post this question yet. Thanks in advance for your help!

What is Apple Volume Services?


AppleInsider notices a new Apple web site, http://volume.apple.com.

Quote:

Enable your organization to:

  • Automate MDM Enrollment
  • Buy Apps and Books in Volume

What could it be?

Original post: http://appleinsider.com/articles/14/02/17/ios-71-rumored-to-arrive-march...

Open Letter to MDM Companies


[Editor's note: This letter from a member of our community brings up some interesting points. But as noted in the comments, the MDM providers are simply using the APIs provided by the device manufacturers.]

You all have it wrong. All of your products are good, don't get me wrong! You enable us to protect our networks, provide our users with ease of use and ease of setup. You allow us to block or allow anything we feel is harmful (separate opinion about that). The thing you have wrong is wiping the phone after failed attempts at the password!

Why is this wrong?

  • Whoever steals the phone knows this so they just enter random passwords and then have a usable phone to sell. That is until you figure it out or it is reported to you.
  • If the end user forgets, a lot of times the phone will wipe and they will continue to use it. Then a couple weeks later they bring you the phone saying that it isn't working right.
  • While the user is using the phone unprotected they install their personal email or just text company information leaving your company at risk.

What is the "right" way?

  • After 10 (or whatever your specified time would be) wrong password attempts you lock the device with an alternate password that only the administrator knows.
  • Each phone could have a different admin password that auto populates when you register the device.
  • The password is only viewable in the MDM console.
  • The phone can be unlocked with this passcode or through the MDM provided the end user answers the appropriate questions correctly.
  • Also there should be a notification on the MDM and an email sent to the MDM admin. This would allow them to be a bit more proactive and give the admin some visibility to what is happening in their world.

I think this method is more secure for our data and protects the assets we place in the field from mischief better. What are your thoughts?
http://redd.it/1xzxd2

How to silently push free apps using VPP, Managed Distribution, Supervision and AirWatch


What's the best way to get an App Store app onto many iOS devices? If those devices are supervised, the best way is to use MDM and Apple's new Managed Distribution method. I'll demonstrate how to do that using AirWatch below. (Other MDM providers have similar capabilities. Check with your favorite.)

Steps

  1. Make sure you will meet the requirements: VPP, MDM, Supervision, and a common Apple ID.
  2. Link your MDM provider to your Apple VPP account
  3. Invite your MDM "users" to your VPP program
  4. Use VPP to "purchase" apps (even free ones)
  5. Use MDM to deploy the apps to your users.

Alternatives

Before we start, are you sure you want to do this? Apple Configurator may be a much better solution for the "getting apps onto iPads and iPhones" problem, at least when all the devices are in the same room. But if the devices will be scattered far from the iGeek, then keep reading.

Requirements

The setup is quite important.

  • Make sure your MDM provider and your platform version support iOS 7's new Managed Distribution system. ("New" means November 2013.)
  • You'll need to create an MDM user who will own all those devices. You will want to make sure this user is in a new location group.
  • You will need to set up an iTunes Volume Purchase Program account for your business or school. Note this requires a new Apple ID, a DUNS number, a pound of flesh, some eyes of newts and toe of dog, and a few days for processing. OK, it isn't that hard, I'm just having fun.
  • You'll need an Apple ID to share among your devices. You will want to use the technique to credit an Apple ID without a credit card. (I'm assuming you will be distributing only free apps to your devices, which means you can share the same Apple ID.)

Got it? Good. Now for every iOS device, you'll need to do a few preparation steps. (Hint: If you play your cards right, you will be able to accomplish all of the below in a single stroke.)

  • Supervise it using Configurator
  • Sign in to the App Store using the common Apple ID (restore a backup image with the App Store user signed in)
  • Enroll into MDM (you can do that automatically using Configurator during the supervision process, at least with Casper Suite, AirWatch, MobileIron, and others.)
  • Associate the device with the common MDM user (that should be a setting in MDM prior to generating the enrollment profile)

Link your MDM provider to your Apple VPP account

Sign into your VPP Account. In the upper-right corner, click on your Apple ID and then "Account Summary".

In the "Managed Distribution" section, download the VPP token. This contains the credentials your MDM provider needs to link to VPP.

Now log into AirWatch. Navigate to Settings > Apps > Catalog > License Based VPP. Double check you are looking at the correct location group.

Enter a name to describe this connection (I called it "Tekserve VPP") and upload the token. I strongly recommend "Automatically Send Invites" is NOT checked.

Save this config, and you now have linkage!

Invite your MDM "users" to your VPP program

Next step is to invite your MDM users to participate in the program. There is no assumption that the Apple ID is the same as the MDM user's email. In fact, Apple is pretty clear they don't want MDM (or the employer) to ever know an employee's Apple ID. Therefore the MDM system needs to send an email to the users, who click a link to accept enrollment in the VPP program.

I haven't yet figured out how to invite one user at a time, so we're going to have to invite EVERY user in the MDM location group. Now if you have been following carefully, you are working in a location group with only a single MDM user. Cool. Send the invitations by clicking the "(Re)Invite Users" button. There won't be a confirmation, but email will be sent to all addresses the MDM has on file.

Quote:

Aaron Freimark,

Using your iOS7 device's browser, please click on this https://buy.itunes.apple.com/WebObjects/MZFinance.woa/wa/associateVPPUse... to register for Apple's License Based VPP Program. Registering for the program will enable you to download applications purchased by your organization on your behalf.

Please contact your IT helpdesk if you have any questions: noreply@air-watch.com

Regards,
AirWatch

Clicking the link will open the App Store (on an iOS device) or the Mac App Store (on a Mac) and ask for an Apple ID and password.

Quote:

This organization can now assign apps and books to you.

Use VPP to "purchase" apps (even free ones)

Next step -- there are a lot of steps -- is to use Apple's VPP to purchase an app.

The iTunes VPP store used to have only paid apps. Now it has free apps as well. Today let's install Tiny Death Star, a popular enterprise productivity app. So log into the iTunes VPP store, search for "death star", and "purchase" several copies. You can purchase as many as you want, it's free!

A paid app presents a choice for either downloading old-style redemption codes or new-style managed distribution. Free apps don't get a choice; managed distribution for all.

After purchase, Apple takes a few minutes to prepare your order. Wait until you receive email confirmation before continuing to the next step.

Use MDM to deploy the apps to your users

Back in AirWatch, click on Apps & Books > Applications > Purchased. Now you ask AirWatch to check with Apple, so click the "Sync Licenses" button. This part may take a short time, but in my test I just needed to refresh the page.

Once AirWatch is aware of the app, you can assign it to users. Click the twisted-arrow button.

AirWatch assigns these apps via smart groups only. This article is already way too long, so I won't explain how to create these.

Now decide how many licenses you want allocated to the group.

Now save the assignment. The last step is to publish the app.

In my experience, the app isn't quite ready to publish immediately. So if it doesn't work immediately, wait 15 minutes and try to publish again.

As expected...

On my test supervised iPod, I get the Tiny Death Star app, automatically downloaded and without any prompts. It works! Woo hoo!

As unexpected...

My unsupervised iPhone also received the Tiny Death Star app, and it isn't even enrolled into AirWatch. Hmm.

I understand part of this. I used my personal Apple ID for the test; the same Apple ID I used on my iPhone. Managed distribution works by adding the assigned apps to my Apple ID purchase history. And my iPhone has automatic app downloads enabled. But does this imply that unsupervised devices can also receive silent installs?

Looks like more exploration is needed.

Simple MDM for developers who want to test enterprise features in their iOS 7 apps

tomasmcguinness's picture

Hello,

I have just released a new web application called TestMDM, available at http://testmdm.cloudapp.net

It is designed to help enterprise iOS developers test their app's features by providing them with a simple platform that mimics an MDM.

Rather than purchase an MDM or sign up for a trial with one of the large MDM providers, TestMDM can be accessed for short periods of time, allowing developers to test their apps in a cost effective, time-boxed way.

This is the very first version and supports app installation and removal. App Configuration and Profile Installation are next up.

If you're an enterprise developer, I'd love to hear from you as I want to add features that make a difference to enterprise devs.

Anyone interested in giving TestMDM a try should email me (tomas@coldbear.co.uk) and I can arrange to give you a run through of the features.

Regards,

Tomas McGuinness
http://testmdm.cloudapp.net

KocharTech offers Mobile device management solution MDM

Anonymous's picture

KocharTech, Mobile Device Management is a customizable device, application and security management system. It simplifies mobility across multiple device types and multiple operating systems, all managed through a single console.

Features:

• Device Management: Rapidly and securely deploys mobile device, tablet, applications with automated policy compliance, configuration and application management

• Application Management: Remote deployment and control of applications on devices

• Policy Management: Facilitates IT to retain control with Mobile Policy Management simultaneously maintaining user productivity.

• Security Management: Secure proprietary data on devices and wipe out critical corporate data in the event of device loss

• Data Analytics: Centralized track and control of devices, its applications and the data usage pattern of end users.

Right from the procurement of devices and applications to deployment and troubleshooting, KocharTech covers all your enterprise mobility related needs.

http://www.kochartech.com

Updating to iOS7 while enrolled in an MDM

sivart6's picture

A handful of our 700 users have started upgrading their iPads to iOS7 (even though we've told them not to, but I'm not surprised).

These users are enrolled onto our MDM, and have various apps and restrictions enforced.

Some of these users have come back to report that "everything has disappeared" post upgrade. Including the enterprise app we've deployed and the MDM agent. Which means to me that the device has become unenrolled.

Some other users have actually updated their devices to iOS7 and their apps/restrictions have remained post update.

So what we're doing is either manually re-enrolling the devices if they're close enough to come into the office, or we're walking the users through it over the phone (which isn't easy).

We're doing some testing now to try and figure out what has happened to the first user, but what I'm wondering is how do others with large deployments of managed iOS devices handle such a significant OS upgrade?

In your experience, do you see this as a smooth transition, or are there common problems which occur?

Thanks

About iOS 7's overhauled app licensing program (VPP)


In iOS 7 VPP is all brand new. I haven't yet seen a demo of MDM that works with the new VPP system (I may on Monday). But here is how I understand it is all supposed to work.

The process still begins by visiting http://vpp.itunes.apple.com, searching for and purchasing apps. Before iOS 7 you would need to download a spreadsheet of redemption codes. Now there is nothing to download. Instead, the iTunes VPP store keeps a record of your purchases. Then...

  1. You use your MDM system to send VPP program invitations to your devices.
  2. You use MDM to register users with VPP
  3. MDM imports your app catalog. This tells MDM which apps you have purchased and which, if any, licenses have been used.
  4. You use MDM to assign any unused licenses to users, and tell Apple about these associations
  5. You may now push out these apps to devices

The key here is step 4. When you associate the app "PCalc" with user "George Washington," Apple adds "PCalc" to George's App Store purchase history. George can now use PCalc on all his devices. What's more, George doesn't need to enter his Apple ID and password to download. After all, he's not purchasing it, he's just downloading it. There is, however, a confirmation on the device that George needs to accept. (On supervised devices there is no confirmation and the app installs silently.)

What's more, you can now use MDM to revoke an app from a user. This allows the institution to reassign PCalc to someone else, while allowing George a grace period. Pretty nifty.

If the entire process is much smoother, there are still some quirks. Not only does the institution not need the user's Apple ID to assign an app, Apple has seemingly bent over backwards to avoid revealing the Apple ID to the institution. Apple IDs are, apparently, private to Apple's relationship with the user.

Since this is merely a set of APIs I'm curious how MDM vendors implement it in different ways. Who will have the smoothest implementation?

Four more MDM providers added to the comparison for iOS 7


Thanks to SOTI MobiControl, PUSHMANAGER, BoxTone and ProMDM for updating their entries on our Comparison of MDM Providers. Woo hoo!

We've updated our huge Comparison of MDM Providers for iOS 7


We've spent a good number of hours over the last week updating our Comparison of MDM Providers for iOS 7. We've removed some of the more arcane sections that were getting in the way and have made the list easier to navigate. This was no small feat: there are over 100 points of comparison and 48 MDM providers.

Here are some of the many new fields we're now including:

  • Info Last Updated (date)
  • Supports iOS 7 (Y/N)
  • Enrollment by Configurator
  • Enrollment by Apple Device Enrollment Program
  • Geofencing
  • Allow Custom XML profiles
  • Supervised MDM features: Prevent Game Center, Prevent iMessage, App Lock (iOS 6), Global HTTP Proxy (iOS 6), Web Site White & Black-Listing (iOS 7), Prevent Manual Profile Installation
  • App Management: Push Enterprise Apps, Separate Managed and Unmanaged Data, Per-App VPN, Push App Configuration, Pull App Feedback, App Wrapping, App Developer SDK
  • VPP Licensing Integration
  • Reassign VPP Licenses
  • Support for other devices: Apple TV, Samsung, Nexus, HTC

So how do we learn about every MDM provider on the planet? Our secret is that we crowd-source the data. Much of it comes from the providers themselves, but other parts are added by a dedicated group of MDM aficionados. And if you see an incorrectly-ticked box, please edit the page and fix it. Hey, it's a wiki!

So I'm extra proud that here, on Day 1 of iOS 7, our chart has been updated for the following MDM providers:



If your favorite isn't on this list, just log in and update it! I'll announce updates as you do.

Comparison of MDM Providers


Note (2017): This table is now quite a bit out of date. I'm leaving it here for posterity. — Aaron

More Resources: See also our pages on Sandbox Environments and Mobile Application Management for alternatives and complements to MDM. You may also find our page on Apple Configurator vs. MDM helpful.

Legend: Yes (has this feature) / No (does not have this feature) / Coming Soon
