We are using an MDM, one that is listed to the right, to manage our iOS devices, and I have run into an issue with pushing profiles while the iOS devices are locked. I am able to ping the iOS device, but when I push the profile, either a new one like a webclip or a change to an existing profile, the device does not get the payload.
If I unlock the iOS device the policy does show up, I can ask the iOS client to check home and it connects, but the policy still doesn't show up. I have to push the policy AGAIN and then the profile is successfully pushed down to the device. This has left me in a quandary about my MDM. All of our devices are on 5.1.1; we did a proof of concept last year on iOS 4.35 and this was not an issue.
My MDM provider states this is the effect of iOS 5 and that Apple has changed this policy and there is nothing they can do to modify this behavior.
Any MDM user out there experiencing the same thing? I can't believe all my iOS devices have to be unlocked to manage them.
This is correct behaviour for locked devices with data protection in place - it means the databases can't be modified on the device at that time. The device will respond back to the server with a NotNow status and won't perform the installation of the profile. However, the device should poll the server once it is unlocked for any outstanding commands that have not been applied to the device - I'd suggest this is when the server should re-try with any pending commands that haven't been completed while the device was responding with NotNow.
There is a list of commands that are guaranteed to never return NotNow - essentially information requests from the MDM APIs and also erase, lock and clear passcode.
Hope this helps
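
Added example, not part of the original thread and not any MDM vendor's code: a sketch of server-side queue handling in which a command answered with NotNow is parked and re-sent when the device next connects with an Idle status. The `CommandQueue` class, its fields, the `checkin` helper and the UDID are hypothetical; the plist keys (`Status`, `CommandUUID`, `RequestType`) follow the MDM protocol's check-in messages.

```python
import plistlib
from collections import deque

class CommandQueue:
    """Per-device command queue (hypothetical model of an MDM server)."""
    def __init__(self):
        self.pending = deque()  # commands not yet sent on this connection
        self.deferred = []      # commands the device answered with NotNow
        self.in_flight = {}     # CommandUUID -> command awaiting a result
        self.done = []          # (CommandUUID, final Status)

    def enqueue(self, uuid, request_type):
        self.pending.append({"CommandUUID": uuid,
                             "Command": {"RequestType": request_type}})

    def handle_checkin(self, body: bytes) -> bytes:
        """Process one device message; return the next command or b''."""
        msg = plistlib.loads(body)
        status, uuid = msg["Status"], msg.get("CommandUUID")
        if status == "Idle":
            # Fresh connection (push wake-up or poll after unlock):
            # put deferred commands back at the front, in original order.
            self.pending.extendleft(reversed(self.deferred))
            self.deferred.clear()
        elif uuid in self.in_flight:
            cmd = self.in_flight.pop(uuid)
            if status == "NotNow":
                # Locked device with data protection: do not drop the
                # command and do not resend it on this connection.
                self.deferred.append(cmd)
            else:
                self.done.append((uuid, status))
        if not self.pending:
            return b""  # empty body ends the exchange
        cmd = self.pending.popleft()
        self.in_flight[cmd["CommandUUID"]] = cmd
        return plistlib.dumps(cmd)

def checkin(status, uuid=None):
    """Build a constructed device message (UDID is a placeholder)."""
    msg = {"UDID": "CONSTRUCTED-UDID-0001", "Status": status}
    if uuid:
        msg["CommandUUID"] = uuid
    return plistlib.dumps(msg)
```

A server that discards a command on NotNow instead of deferring it produces the symptom in the question: the device reconnects after unlock but has nothing to install until the profile is pushed again.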