To install apps without prompting the iOS user, a few steps need to be taken. This article outlines those changes and provides additional gotchas to be aware of:
Feel free to ask additional questions here. I'm happy to help.
I have iOS 9.3.1 on an iPad which I am supervising via Apple configurator. It is not DEP enrolled.
I am looking into the what the optimal enrollment flow might be when we need to deploy several hundreds. (If they are not DEP enrolled).
When executing the supervision proces via Apple Configurator 2 then it is activating the iOS devices with the apple ID I am currently logged on with in Configurator. Everything progresses as expected and I end up with a device supervised by my organisation.
However, I am forced to log in with my apple ID AFTER the actual activation. Am I doing something wrong or is the some way of skipping this step?
The purpose of supervising is to avoid no entering the organisation Apple ID several times, which works for activation but iOS still requires me to log in with an apple ID to access iCloud, iTunes, App Store etc.
There's been a lot of press on the new features coming out for iOS 9.3, but most of this hasn't covered the more subtle, MDM functionality enhancements. Namely:
- Ability to enable/disable apps from running
- Ability to reconfigure icon layout on the Home Screen
- Control over notification settings
- Additional restriction options
- Safari auto-fill domain control
We go into more depth in the following article:
Feel free to respond, I'll answer any questions the best that I can
iOS 9 contains many new restrictions, especially for devices supervised by GroundControl, Configurator, and DEP.
Over at GroundControl's web site, I've posted a list of the new restrictions, plus sample configuration profiles for each. Want to lock the device name or wallpaper? Prevent the device passcode from being set or being changed? These are for you.
A few of the MDM providers will be ready on day 1, but if your on-prem solution may take some time to update, then you may use these files to bridge the gap.
Does anyone have experience with the behavior on a Supervised device that is locked in Single-app mode and has an iOS update available? I need to specifically know if the update prompt comes to the foreground. If anyone has a device laying around that's on <7.0.3 and could test I'll owe you big time!
Quote from Apple KB article found here:
Users with supervised iOS 6 devices
For devices that have not yet been updated to iOS 7, upgrade from iOS 6 to iOS 7.0.3 over the air. The devices will remain supervised.
Users with unsupervised iOS 7 devices
For devices that have already been upgraded to iOS 7 and lost supervision, AppleCare will create a profile to re-supervise your devices. This profile will require the serial numbers of the affected devices and verification of ownership. To verify that a device is supervised, see this article.
Collect the serial numbers of affected devices. To export the serial numbers of devices supervised by an Apple Configurator station:Optionally, if you want devices to be able to connect to a specific Apple Configurator station, export a Supervision Certificate. To export a certificate in Apple Configurator version 1.4.1 or later, hold down the Option key and choose File > Export > Supervision Certificate.
Go to the Supervise tab.
In the Supervised Devices list, select either All Devices or a Device Group which contains all the devices that have lost supervision. You can include a device even if you are not sure if it has lost supervision.
Choose Devices > Export Info....
Select Device Information and check the box for Serial Number.
Click Export and save the file.
Contact AppleCare and ask to speak to an Enterprise Support Advisor for instructions to submit your serial numbers and any necessary Supervision Certificates. AppleCare will require proof of purchase information if the devices were not purchased directly from Apple.
AppleCare will validate your proof of purchase information and create a customized Re-supervision Profile for your organization.
Update your devices to iOS 7.0.3.
When you receive the Re-supervision Profile, install it on your devices using the enclosed instructions.
After the necessary profiles are installed on your iOS devices, they will again be supervised.
Supervision Certificate A certificate that identifies your Apple Configurator station to an iOS device.
Supervision Profile A profile created by Apple Configurator used to supervise iOS 6 devices.
Re-supervision Profile A custom, Apple-signed profile used to re-supervise specific devices that lost supervision upon upgrading to iOS 7."
Today is a day that has been a long time coming! I will be testing and waiting a few days before I fully deploy!
I Received this Communication from our Apple rep. I am really glad we have not updated to iOS 7 at our school and would need to provide serial numbers and proof of purchase. I have emailed support and I am waiting on directions. It looks like we will be able to push a profile that will prevent find my iPad activation lock settings in the background (speculation). Once the iOS 7 update is available we can remove our block and upgrade to iOS 7.
Recently some users have reported that their supervised iOS devices have reverted to un-supervised after they were upgraded to iOS 7. We are aware of this issue and will have a fix in an iOS software update coming this month.
If you upgraded your devices to iOS 7, we can help you re-supervise devices wirelessly once the software update is available. If your devices are still on iOS 6, we can help you prep your devices in order to maintain supervision when the software update is installed. Please see below for details. AppleCare is ready to help you with implementing whichever solution works for you.
Devices on iOS 7
For devices that were upgraded to iOS 7, we can create a profile to re-supervise your devices. In order to create this profile, we need two things from you — your device serial numbers and valid proof-of-purchase information. When you contact AppleCare, we will provide details on how to send us this information. AppleCare will also let you know when you will receive the profile and provide deployment instructions.
Devices on iOS 6
If you have devices that haven’t been upgraded to iOS 7, we will give you the ability to generate a profile to install before upgrading. Then your devices will be able to upgrade to the upcoming release of iOS as supervised devices.
Please email email@example.com to obtain more information from AppleCare.
Is Activation Lock appropriate on a corporate-owned device? Community member Duane Herring found the Apple support document below that shows Apple has been thinking about this too.
Learn how to manage Activation Lock feature of Find My iPhone in iOS 7.
With iOS 7, when you turn on Find My iPhone, you enable Activation Lock. Activation Lock prevents anyone else from reactivating your iOS device if it is lost or stolen. Mobile device administrators can manage this setting by supervising devices.
If you use Apple Configurator to supervise an iOS 7 device, Activation Lock will not be enabled when a user turns on Find My iPhone.
If an iOS 7 device is not supervised, Activation Lock will be enabled as soon as a user logs in to iCloud and turns on Find My iPhone. Mobile device management cannot prevent a user from enabling Activation Lock on an unsupervised device.
In any case, only the iCloud user who enabled Activation Lock can disable it.
If the user has access to the iOS device, they can turn it off in Settings > iCloud > Find My iPhone.
If the user doesn't have access to the iOS device, they can log in to icloud.com or the Find My iPhone app on another iOS device, then erase the device and remove it from the device list.
A mobile device administrator cannot disable Activation Lock after it is enabled.
Find more information about Find My iPhone Activation Lock.
If you use Apple Configurator to prepare a device that has Find My iPhone enabled, you will see the message "Unable to check iOS."
If the device was previously unsupervised, Activation Lock is enabled and the iCloud user who enabled Find My iPhone must disable it before you can prepare the device.
If the device was previously supervised, either the iCloud user who enabled Find My iPhone can disable it, or you can put the device into recovery mode and then prepare it.
This can be a sticky problem. Does Apple's solution work for you? Please continue the comment thread...
With Find My iPhone turned on in iOS 7, your Apple ID password will always be required before anyone can Erase the iphone or reactivate and use the device.
So if we fire someone and they fail to give us their Apple ID password, they have effectively locked out of the phone preventing it from being re-used.
How are enterprises going to deal with this? Is there an MDM solution out there that can circumvent this or load a profile that prevents this scenario from happening?
Mobile Management Provider changed by FrankGraziani 1 week ago
Mobile Management Provider changed by rachana 2 weeks ago
Forum topic added by taylor 2 weeks ago
Mobile Management Provider changed by taylor 7 weeks ago
Forum topic comment by Elizabeth Hale 9 weeks ago
Mobile Management Provider changed by Simo Kari 10 weeks ago
Forum topic comment by jpref 10 weeks ago
Forum topic comment by bugfrisch 12 weeks ago
Mobile Management Provider changed by krypted 12 weeks ago
Mobile Management Provider changed by JAMFSoftware 12 weeks ago
Forum topic comment by spurtipreetham 12 weeks ago
Forum topic added by okta 12 weeks ago
Forum topic added by am.imran.ahmed 12 weeks ago
Forum topic comment by Samuelbrown 13 weeks ago
Forum topic comment by Elizabeth Hale 14 weeks ago
Forum topic comment by taylor 14 weeks ago
Forum topic comment by bhaveshagrawal1014 14 weeks ago
Forum topic comment by Sabi 14 weeks ago
Wiki Page changed by Aaron Freimark 14 weeks ago
Forum topic comment by philback 14 weeks ago