Introducing GroundControl: USB Setup for iPads and iPhones, Managed in the Cloud

Your rating: None (10 votes)

[Editor's note: Folks, for the last nine months or so I've been working on a pretty big project, and today I'm happy to help reveal it to you. Much of what I've learned has come from this community. Thank you! And if you are in Atlanta at AirWatch Connect, please stop by the expo and say hi.]

GroundControl is a new system for streamlining iOS deployment, launching today. Plug in a USB cable, and GroundControl supervises, restores a base image, and installs configuration profiles, on out-of-the-box iPhones and iPads and without a screen touch. The multiple "Launchpad" base stations are managed by the cloud, helping ensure a consistent experience no matter how large your deployment is. If you like, think of it as "Configurator in the cloud".

Perhaps the best way to get a feel for the product is to take a look at the demo video below:

Visit the site http://www.groundctl.com for an FAQ and a signup for a trial. If you have questions please ask.

-- Aaron

The press release follows.

What does "Expanded data protection" actually mean?

banthafodder's picture
No votes yet

I've been wondering this for quite some time and haven't been able to figure it out. Apple has touted the following as a new feature coming in iOS 8.

"In addition to Mail and third-party apps, the Calendar, Contacts, Reminders, Notes, and Messages apps as well as user credentials are protected with a passcode until after the device is unlocked following a reboot."

What does that actually mean? It seems incredibly vague. Does that mean those applications will be able to have their own passcode at the application level instead of the device level? If not, then what is actually different from how passcodes worked before? Hasn't "protected with a passcode until after the device is unlocked following a reboot," always been the case when a passcode is being used?

Reselling of iPad to end user - Apple ID is stuck

cmasonrun's picture
No votes yet

We have a program that is just getting off the ground that allows our franchised users to purchase an iPad from us with good financing terms and the company specific apps to be preloaded when they receive it.

The problem we are running into is, since we are using Configurator to setup the iPads (download Google Chrome and Podcasts among others). When the user receives the iPad, it is not tied to an Apple ID but when Google Chrome releases an update, then the update screen prompts for the password that was originally used to download the app.

Is there any way to avoid this?

We currently,
Setup email, download apps, and download some content within the apps. Some of this is automated through Configurator and some is manual. If we move to a completely manual process we still get the same issue as an Apple ID is required to download the free stuff.

The devices will not be supervised nor will they be ever touched again by our IT staff. These are resold to the end user and setup as a value added service.

Apple expands iTunes VPP to 16 new countries

Your rating: None (5 votes)

Apple has announced that its iTunes Volume Purchase Program is now available in 16 additional countries. The full list is now:

Australia, Belgium, Canada, Denmark, Finland, France, Germany, Greece, Hong Kong, Ireland, Italy, Japan, Luxembourg, Mexico, Netherlands, New Zealand, Norway, Singapore, Spain, Sweden, Switzerland, Taiwan, Turkey, United Arab Emirates, United Kingdom, and United States.

In addition, Apple is now allowing VPP credits to be purchased through resellers (at least in the U.S.). Previously, credits were sold direct only. Support your favorite reseller and purchase locally!

can a sideloaded app with apple configurator be independantly updated by another apple id?

dvincent's picture
No votes yet

i have a question about the nature of app updates on iOS7 that are sideloaded using the apple configurator. Is there any technical reason why apps sideloaded on an iOS 7 device cannot be later updated with another signed in apple id?

i looking into sideloading the MobileIron MDM client using the apple configurator, but only if the mobileiron mdm client can be updated from the apple app store using the owner's own personal apple id?

Does anyone have any experience with sideloading MDM client ipa files using the apple configurator?

Regards,

Dave

Zdziarski's Backdoor: A Roundup of Articles

No votes yet

About a week ago, security researcher Jonathan Zdziarski revealed what apparently is a number of "backdoors" to iOS. These allow access to data on even encrypted devices, as long as a pairing record is available from a trusted source (not trivial). Although Jonathan took pains to qualify the announcement, several reports have seemed to exaggerate the issue.

In response, Jonathan has compiled a list of more reputable tech articles on the topic. I've reprinted the list below.

iOS Lockdown “Backdoors” (TL;DR)
Dino Dai Zovi, Co-Author “iOS Hacker’s Handbook”

Surveillance Mechanisms in iOS Devices – Don’t Panic but… Do Read This
Elissa Shevinsky, CEO of Glimpse

Apple iPhones allow extraction of deep personal data, researcher finds
Reuters / Joseph Menn

Is Apple’s iOS Backdoor Not a Backdoor
Wall Street Cheat Sheet / Nathaniel Arnold

iOS slurp ware brouhaha: It’s for diagnostics, honest, says Apple
The Register / Iain Thomson

Any questions?

Upgrading iOS devices enmasse...

TechTimm's picture
No votes yet

All, I have an oddity that hopefully someone has some ideas.

My infrastructure does not support traditional IP structures.
When we set up Apple Server to do Caching it instantly disables and errors out that we are using a public network. Which we are not, we just (as I said) don't use the traditional 10.*.* approach.

We need to upgrade multiple devices in multiple locations and don't / can't tie up the bandwidth needed to do them all over the air.
Here is an example:
One location may have 300 iPads.
iOS 8 is going to come in ~1.7 gb.
You don't have to be a network genius to see that 510gb of data, is going to drop traffic to a crawl!
Especially when other traffic gets the majority of the bandwidth and these device scavenge for what they get.

Has anyone tackled this, if so... please elaborate.
Are there other offerings Casper or SCCM come to mind in my quandry.

Any and all assistance is a boon at this point,
Thanks!

Updated version of the Apple ID-creating Script

usher.br's picture
No votes yet

I have updated the script to work with versions 11.2.2 and 11.3

You can find the updated version here: https://github.com/brandonusher/Apple-ID-AppleScript

I have tested the creation process with the updated version while creating ~3,000 IDs and I only ran into one issue I couldn't fix, which is as follows:

  • Sometimes AppleScript won't be able to find the iTunes window, so it breaks. To fix this, just edit the spreadsheet to remove the IDs it has already created and run the script again.

If you have any questions, feel free to ask and I can try to help you out Smile

About the security content of iOS 7.1.2

No votes yet

iOS 7.1.2 was released yesterday, and it includes a long list of security improvements. See the details here: http://support.apple.com/kb/HT6297

From the horse's mouth: Apple posts pre-release iOS 8 Configuration Profile Reference

Your rating: None (6 votes)

It seems Apple has made the prerelease Configuration Profile Key Reference available to the public. This the technical documentation for much of the iOS and Mac enterprise management capabilities Apple makes available via MDM vendors, Configurator, etc. (The other main document, the MDM Protocol Reference, remains behind the developer site authentication wall.)

I've done a diff with the documentation for iOS 7, and here are the highlights. Remember, this is prerelease and may change before release.

  • SMIMEEnablePerMessageSwitch (Email Payload): Optional. If set to true, enable the per-message signing and encryption switch. Defaults to false.
  • allowManagedAppsCloudSync (Restrictions Payload): Optional. If set to false, prevents managed applications from using cloud sync.
  • allowEraseContentAndSettings (Restrictions Payload): Supervised only. If set to false, disables the “Erase All Content And Settings” option in the Reset UI.
  • allowSpotlightInternetResults (Restrictions Payload): Supervised only. If set to false, Spotlight will not return Internet search results.
  • allowEnablingRestrictions (Restrictions Payload): Supervised only. If set to false, disables the "Enable Restrictions" option in the Restrictions UI in Settings.
  • allowActivityContinuation (Restrictions Payload): If set to false, Activity Continuation will be disabled. Defaults to true.
  • allowEnterpriseBookBackup (Restrictions Payload): If set to false, Enterprise books will not be backed up. Defaults to true.
  • allowEnterpriseBookMetadataSync (Restrictions Payload): If set to false, Enterprise books notes and highlights will not be synced. Defaults to true.
  • EAPFASTUsePAC (WiFi Payload): Clearer fallback rules
  • AlwaysOn VPN
  • IKEv2 VPN
  • Web Content Filter Plugins
  • Managed Domains: New Email domains and Web domains. This payload defines web domains that are under an enterprise’s management.

Apple Device Enrollment Program for iPhones

ChrisTx's picture
No votes yet

Is anyone here using the new Apple Device Enrollment Program (DEP) for iPhones? I can see it being used for iPads since you can normally buy these direct from Apple however iPhones are a bit more challenging because I would think most enterprises buy the phones from their wireless provider. Can anyone please provide any insight they may have regarding DEP and iPhones? Thanks!

3 common pitfalls when developing Enterprise Mobile Apps

No votes yet

This has been said and heard over many times but I thought it will be good to reiterate since many enterprises will dive into creating their first mobile App and my goal is for them to avoid these pitfalls

1) Taking over 6 months from start to deploying the mobile App's first version: Everyone is very comfortable with traditional water flow implementation approach where you take 2 to 3 months to gather requirements and then go into design and build phases. You even extend the timeline to accommodate all the requirements. However this model is lethal for several reasons. First, mobile space is fast growing space where the OS sees a major version upgrade 3 to 4 minor upgrades every year. Second, you have plethora of new devices and accessories coming in everyday and current model become absolute in less than 2 years. So if your App is somewhat dependent on a particular device type then the device may become absolute even before you deploy the first version. At times, device compatibility becomes an issue if your App utilizes accessories to work
Solution: Take the traditional development approach and reverse it. Identify 1 to 2 must have requirements and reverse engineer the timeline. Identify and develop foundational elements such as logins, navigation, UI design items and create a template so that new view controllers and additional page can be easily developed later. Deploy that 1 functionality to the end users and get their feedback. 1st deployment should be within 10-12 weeks and after the first deployment go into 3-4 week update cycle where incremental functionality is introduced

2) Connecting the mobile App to existing backend systems sitting inside corporate data center: I have seen this scenario many times. The requirement goes like this...You have a desktop application that is connected to your On premise backend system such as SAP or Oracle or even mainframe. Now the requirement is to develop a mobile App that uses the integration web services to send and receive data directly to the backend system. The App is developed in xcode by instantiating the web service directly to send and receive data. In theory everything should work great because users can use either mobile App or desktop to access the backend system data and update them at the same time. However it screws up the user experience because the integration to the web service is not optimized for mobile traffic.
There are huge differences between how a desktop application sends data and mobile device send the data. In desktop application,
○ Bandwidth is not an issue so the payload size (actual data size) is always big.
○ Mostly they are request/reply interfaces where the data is sent and it waits for confirmation before "Success/failure" status is returned and the connection is closed
○ There are minimum of 2 to 3 hops before the data is handed off (it may hit gateway, application server and then the database)
Now this is opposite for mobile App… Mobile App requires small payload, multi-threaded, reduced connection time, and least no. of hops
When user open the App it takes at least 30 sec to get to the main screen because it is getting all the data in a single thread. During updates the user sees the loading spinner for more than 30 sec because it is waiting for the backend system to provide confirmation before the App can let the user go. Imagine a user trying to use the App while not on Wi-fi but with their wireless network. That might be the last time the user will ever use the App...
Solution: Do not connect your mobile App directly to your backend system but introduce a staging area where the data can be stored and retrieved by the App. The staging area can be even housed within a cloud provider outside of corporate network as long as there is VPN connectivity to the corporate network. This provides great user experience when the user opens the App and within seconds all the data is already loaded. Use background App refresh to preload the data where applicable. When saving the record, the data updates goes into this staging and then the sync occurs between staging and the backend system. The App will be really fast and the end users will love it.

3) Using existing business process with mobile App rather than creating a new one: it is hard to manage change and expensive to change the existing tried and tested business process. When creating mobile App the same business process is extended rather than changing it or introducing a new one. It is totally wrong if the goal is to create a mini me version of desktop so that the users can use mobile device.
Solution: Take advantage of new assets on the mobile device such as Camera, GPS, Bluetooth and add change time consuming business process. In this article American Airlines CIO talks consumerization, the CIO talks about how baggage mishandling was reduced by 65% by scanning the bags.

Overall, I think there is a lot of disruption to be made with enterprise mobility if the right solution is developed and implemented the way the employees can use them effectively. As always feel free to correct me and add your comments.

Beyond the Keynote: Apple's Detailed Enterprise Presentation Videos from WWDC 2014

Your rating: None (2 votes)

WWDC has always been the one time each year when Apple peels back the curtain of secrecy and previews what is to come. That is if you were one of the lucky ones to score a ticket. But in 2014, in what I think is an unprecedented display of openness, Apple has released every video of every WWDC session online and to the public. Last year, you needed to be at least a member of the developer program to view these. This year everyone can see.

Here are the three most directly focused on Enterprise. I hope you take the time to watch and comment. They really are worth your time.

Managing Apple Devices


Learn about the latest developments in managing Apple devices in an enterprise environment. Learn how MDM can be used to wirelessly configure settings, monitor compliance with policies, install apps, and remotely wipe devices, and how these capabilities can be integrated with in-house or third-party server solutions.

Building Apps for Enterprise and Education


Learn about data security, enterprise authentication, integration with back-end systems, app configuration methods, and the latest technologies for interacting with documents, accessories, and more. Get helpful tips for constructing your apps to meet the needs of schools and educators, as well as key requirement from IT. Perfect for everyone looking to get their apps in the hands of business professionals, educators, and students worldwide.

Distributing Enterprise Apps


Learn how to provision and deploy apps across your enterprise. Leverage key Apple programs such as the Volume Purchase Program and the iOS Developer Enterprise Program to get the right apps in the hands of your employees, contractors, and partners. Learn how to manage certificates and provisioning profiles to deploy your apps, and take advantage of mobile device management (MDM) tools to provide a seamless experience for your users. Gain insight into the complete app management lifecycle; from signing your in-house apps in Xcode, to distributing, managing, and revoking apps across your workforce.

50+ iOS Admins at our WWDC meetup! Here are the photos you didn't want to see...

Your rating: None (1 vote)

Our annual WWDC meeting was a big success, cramming over 50 people into a space designed for quite a few less even so, it was a great meeting of the minds, or at least a clinking of the glasses. Our sponsors MobileIron, Acronis and Tekserve deserve a very special shout-out for lubricating the whole shebang.

What do you think about repeating this next year, in a slightly larger space?

Photos after the break.

Let the App Migration start in the enterprise

Your rating: None (1 vote)

Apple, Inc. quotes “The iPhone is being used in 97% of Fortune 500, and the iPad is used in 98% of Fortune 500 and 93% of the Global 500 companies”.

What these numbers really mean? This means either employee bought their own devices (iPads, iPod Touch, iPhones) to connect to corporate network for checking emails or employee got their iPhone through corporate mobility programs or few brave companies deployed iPads for a specific use case.

What is their potential use? Mainly to use corporate emails, phone calls, imessages and other personal stuff.
While the devices are perfectly capable of handling many complex corporate applications that are in use as intranet applications or windows applications they are still restricted for several reasons until now. Even intranet sites are not mobile optimized to be viewed in iPhone or iPads. If you ask the question why, here are some obvious answers…

• We can’t manage iOS devices similar to how we manage windows laptops
• User experience is bad when they need to login through each App individually
• Data is not secured or encrypted on the device
• Secure connectivity to corporate network cannot be easily configured or managed
• App distribution is not easy – Users need to manually download the app and upgrade them
• Cost is high to develop enterprise Apps due to limited developers with Objective-C experience

At WWDC, Apple has clear response and answers for all these questions. With the introduction of new programming language “Swift”, opening up Touch ID and keychain to 3rd party Apps, App extensions, and B2B Apps they made adoption to enterprise easy and quick. There were several sessions focused on enterprise app development and deployment and dedicated resources to provide additional information. This will accelerate the migration of boring, non-intuitive windows applications and intranet sites to iOS Apps which will be secured, silently installed and managed by corporate programs.

Here are the details if you still think the questions are not answered…

list.png

Within the next few years this will change where new applications, functionality and use cases will be developed specifically for iOS devices once ROI (Return On Investement) can be justified through increase in employee productivity.

Stay tuned for more updates and feel free to add your comments…!

About This Site

  • Enterprise iOS is a community for administrators of the iPad, iPhone, and related devices. All content is available to browse. We encourage you to create an account to submit stories, edit wiki pages, and post to our forum.

Comparison of MDM Providers

Recent Activity

Who's New