Apple Releases New iOS 7 Deployment Technical Reference Guide

benhuckle's picture

It can be downloaded from here.

This guide is for IT administrators who want to support iOS devices on their networks. It provides information about deploying and supporting iPhone, iPad, and iPod touch in a large-scale organization such as an enterprise or education institution. It explains how iOS devices provide comprehensive security, integration with your existing infrastructure, and powerful tools for deployment.
Understanding the key technologies supported in iOS will help you implement a deployment strategy that provides an optimal experience for your users. The following chapters serve as a technical reference you can use when deploying iOS devices throughout your organisation.

iOS 7.0.6 released with important SSL security fix


Apple today released iOS 7.0.6 with an important security fix:


iOS 7.0.6
Data Security

Available for: iPhone 4 and later, iPod touch (5th generation), iPad 2 and later

Impact: An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS

Description: Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps.



Available, as always, via Software Update. Direct download links for each build are in our database of iOS Devices.

What is Apple Volume Services?


AppleInsider notices a new Apple web site,


Enable your organization to:

  • Automate MDM Enrollment
  • Buy Apps and Books in Volume

What could it be?

Original post:

Open Letter to MDM Companies


[Editor's note: This letter from a member of our community brings up some interesting points. But as noted in the comments, the MDM providers are simply using the APIs provided by the device manufacturers.]

You all have it wrong. All of your products are good, don't get me wrong! You enable us to protect our networks, provide our users with ease of use and ease of setup. You allow us to block or allow anything we feel is harmful (separate opinion about that). The thing you have wrong is wiping the phone after failed attempts at the password!

Why is this wrong?

  • Whoever steals the phone knows this so they just enter random passwords and then have a usable phone to sell. That is until you figure it out or it is reported to you.
  • If the end user forgets a lot of times the phone will wipe and they will continue to use it. Then a couple weeks later they bring you the phone saying that it isn't working right.
  • While the user is using the phone unprotected they install their personal email or just text company information leaving your company at risk.

What is the "right" way?

  • After 10 (or whatever your specified time would be) wrong password attempts you lock the device with an alternate password that only the administrator knows.
  • Each phone could have a different admin password that auto populates when you register the device.
  • The password is only viewable in the MDM console.
  • The phone can be unlocked with this passcode or through the MDM provided the end user answers the appropriate questions correctly.
  • Also there should be a notification on the MDM and an email sent to the MDM admin. This would allow them to be a bit more proactive and give the admin some visibility to what is happening in their world.

I think this method is more secure for our data and protects the assets we place in the field mischief better. What are your thoughts?

How to silently push free apps using VPP, Managed Distribution, Supervision and AirWatch


What's the best way to get an App Store app onto many iOS devices? If those devices are supervised, the best way is to use MDM and Apple's new Managed Distribution method. I'll demonstrate how to do that using AirWatch below. (Other MDM providers have similar capabilities. Check with your favorite.)


  1. Make sure you will meet the requirements: VPP, MDM, Supervision, and a common Apple ID.
  2. Link your MDM provider to your Apple VPP account
  3. Invite your MDM "users" to your VPP program
  4. Use VPP to "purchase" apps (even free ones)
  5. Use MDM to deploy the apps to your users.


Before we start, are you sure you want to do this? Apple Configurator may be a much better solution for the "getting apps onto iPads and iPhones" problem, at least when all the devices are in the same room. But if the devices will be scattered far from the iGeek, then keep reading.


The setup is quite important.

  • Make sure your MDM provider and your platform version support iOS 7's new Managed Distribution system. ("New" means November 2013.)
  • You'll need to create an MDM user who will own all those devices. You will want to make sure this user is in a new location group.
  • You will need to set up an iTunes Volume Purchase Program account for your business or school. Note this requires a new Apple ID, a DUNS number, a pound of flesh, some eyes of newts and toe of dog, and a few days for processing. OK, it isn't that hard, I'm just having fun.
  • You'll need an Apple ID to share among your devices. You will want to use the technique to credit an Apple ID without a credit card. (I'm assuming you will be distributing only free apps to your devices, which means you can share the same Apple ID.)

Got it? Good. Now for every iOS device, you'll need to do a few preparation steps. (Hint: If you play your cards right, you will be able to accomplish all of the below in a single stroke.)

  • Supervise it using Configurator
  • Sign in to the App Store using the common Apple ID (restore a backup image with the App Store user signed in)
  • Enroll into MDM (you can do that automatically using Configurator during the supervision process, at least with Casper Suite, AirWatch, MobileIron, and others.)
  • Associate the device with the common MDM user (that should be a setting in MDM prior to generating the enrollment profile)

Link your MDM provider to your Apple VPP account

Sign into your VPP Account. In the upper-right corner, click on your Apple ID and then "Account Summary".

In the "Managed Distribution" section, download the VPP token. This contains the credentials your MDM provider needs to link to VPP.

Now log into AirWatch. Navigate to Settings > Apps > Catalog > License Based VPP. Double check you are looking at the correct location group.

Enter a name to describe this connection (I called it "Tekserve VPP") and upload the token. I strongly recommend "Automatically Send Invites" is NOT checked.

Save this config, and you now have linkage!

Invite your MDM "users" to your VPP program

Next step is to invite your MDM users to participate in the program. There is no assumption that the Apple ID is the same as the MDM user's email. In fact, Apple is pretty clear they don't want MDM (or the employer) to ever know an employee's Apple ID. Therefore the MDM system needs to send an email to the users, who click a link to accept enrollment in the VPP program.

I haven't yet figured out how to invite one user at a time, so we're going to have to invite EVERY user in the MDM location group. Now if you have been following carefully, you are working in a location group with only a single MDM user. Cool. Send the invitations by clicking the "(Re)Invite Users" button. There won't be a confirmation, but email will be sent to all addresses the MDM has on file.


Aaron Freimark,

Using your iOS7 device's browser, please click on this to register for Apple's License Based VPP Program. Registering for the program will enable you to download applications purchased by your organization on your behalf.

Please contact your IT helpdesk if you have any questions:


Clicking the link will open the App Store (on an iOS device) or the Mac App Store (on a Mac) and ask for an Apple ID and password.


This organization can now assign apps and books to you.

Use VPP to "purchase" apps (even free ones)

Next step -- there are a lot of steps -- is to use Apple's VPP to purchase an app.

The iTunes VPP store used to have only paid apps. Now it has free apps as well. Today let's install Tiny Death Star, a popular enterprise productivity app. So log into the iTunes VPP store, search for "death star", and "purchase" several copies. You can purchase as many as you want, it's free!

A paid app presents a choice for either downloading old-style redemption codes or new-style managed distribution. Free apps don't get a choice; managed distribution for all.

After purchase, Apple takes a few minutes to prepare your order. Wait until you receive email confirmation before continuing to the next step.

Use MDM to deploy the apps to your users

Back in AirWatch, click on Apps & Books > Applications > Purchased. Now you ask AirWatch to check with Apple, so click the "Sync Licenses" button. This part may take a short time, but in my test I just needed to refresh the page.

Once AirWatch is aware of the app, you can assign it to users. Click the twisted-arrow button.

AirWatch assigns these apps via smart groups only. This article is already way too long, so I won't explain how to create these.

Now decide how many licenses you want allocated to the group.

Now save the assignment. The last step is to publish the app.

In my experience, the app isn't quite ready to publish immediately. So if it doesn't work immediately, wait 15 minutes and try to publish again.

As expected...

On my test supervised iPod, I get the Tiny Death Star app, automatically downloaded and without any prompts. It works! Woo hoo!

As unexpected...

My unsupervised iPhone also received the Tiny Death Star app, and it isn't even enrolled into AirWatch. Hmm.

I understand part of this. I used my personal Apple ID for the test; the same Apple ID I used on my iPhone. Managed distribution works by adding the assigned apps to my Apple ID purchase history. And my iPhone has automatic app downloads enabled. But does this imply that unsupervised devices can also receive silent installs?

Looks like more exploration is needed.

Apple ignores the enterprise! Or not. A chart of new enterprise features by iOS release.


Apple ignores the enterprise! So says the conventional wisdom. But I thought I'd share this slide with you guys. It was part of a presentation I gave yesterday to some business leaders at an Apple event in New York.

Every year Apple releases a new version of iOS. Every version of iOS includes new features focused on the enterprise. Every new release includes more new features than the year before.

Apple may not market to the enterprise, but they most certainly engineer to the enterprise.

AirWatch VPP issues

m.lepich's picture

The company that I work for just started using AirWatch. We have upgraded to which allows us to use the Apple VPP program. I have everything set up in the Apple VPP program and have copied the token over to the AirWatch server. I tried "buying" a free app to test out the push to devices, however I can't get it to show up on the test iPad.

Is this because I need to test with a "paid" app as opposed to a free app?

Thanks in advance for any help!


iOS and Root/Intermediate Certificates + iCloud

SeanP1971's picture

I was wondering if anybody has any information around how certificates are handled in iOS and what iCloud retains?

In our environment we have an MDM solution which deploys certificate based ActiveSync and VPN profiles as well as other policies. We also have to manually install our internal root/intermediate certificates on the device which are required for the in-house iOS web apps and the Active Directory chain of trust over the MDM automated VPN.

Two things -

1) We discovered that in some cases one or two of the profiles would fail to install and after much troubleshooting it appeared to be solved by doing the following workaround steps -
Installing the manual certificates, rebooting the device, removing them cleanly, rebooting again and re-enrolling the device to successfully bring down the profiles.
It also seems to suggest that the iCloud backup retains remnants of the certificates even when they are not present, which comes down to the device or a new device, but not sure how? E.g. if it's a fresh new device it always works 100%.

2) Are you aware of what tools can be used to deploy these certificates over the air automatically?

Any advice greatly appreciated.

Configurator 1.4.3 is out; improves VPP code redemption (updated with release notes)


Apple today released Configurator 1.4.3, which "improves redemption of VPP codes when installing App Store apps."

Configurator is a very handy tool for setting up and deploying multiple iOS devices. It is free and available on the Mac App Store.

Update: Apple has released release notes:


Apple Configurator 1.4.3 is a recommended update for all Apple Configurator users. This update is available from the Updates tab of the Mac App Store. It requires OS X Mountain Lion or later, and iTunes 11.1 or later.

What's new in Apple Configurator 1.4.3?

  • Improves redemption of VPP codes when installing App Store apps by fixing an issue in which valid codes were incorrectly reported as "already redeemed".
  • Fixes an issue with skipping Setup Assistant steps while preparing an unsupervised device.
  • Resolves an issue that could prevent quitting the Apple Configurator app.

Want to get together at NRF 2014? Let me know...


The National Retail Federation "Big Show" is January 12-15 in my hometown, New York City. We have the opportunity to get together for an Enterprise iOS networking event. Sound interesting? Please drop me a line that you are interested.

Strange error during mail sync - when a certificate is used to authenticate, sometimes the certificate cannot be validated

bongio's picture

We have the following situation:
- native iOS email client
- certificate for user authentication
- iOS 7.04 (this happens even with 6.x.x)

Usually it works fine, but sometimes for some users we have a strange behaviour:
- the error is "..certificate cannot authenticate.." or mail client requests a user password
- after a lot of log checking, it appears the device does not reach the external firewall, and so not the Exchange server either

We checked: the error is shown immediately, and it appears the device does not try to connect to the external URL.

Debugging the ipad we see this type of error:
Nov 28 15:42:18 s-iPad MobileMail[174] : 0x17da9130|EAS|Error|Failed to get version string
Nov 28 15:42:18 s-iPad MobileMail[174] : 0x17da9130|EAS|Error|error syncing folder: Error Domain=MFMessageErrorDomain Code=1054 "The operation couldn’t be completed. (MFMessageErrorDomain error 1054.)"
Nov 28 15:42:18 s-iPad MobileMail[174] : 0x17da9130|EAS|Error|ASGetOptionsTask failed: Error Domain=DAErrorDomain Code=63 "The operation couldn’t be completed. (DAErrorDomain error 63.)"
Nov 28 15:42:18 s-iPad MobileMail[174] : 0x17da9130|EAS|Error|Failed to get version string
Nov 28 15:42:18 s-iPad MobileMail[174] : 0x17da9130|EAS|Error|error syncing folder: Error Domain=MFMessageErrorDomain Code=1054 "The operation couldn’t be completed. (MFMessageErrorDomain error 1054.)"
Nov 28 15:42:18 s-iPad MobileMail[174] : ERROR: MFMessageErrorDomain/Missing Password - No password provided for “Exchange ActiveSync”

If I go into settings\mail,contact,calendar\email_configured and turn "Mail" off and on, the mail client starts to work again. After some hours, it stops again...
It appears to be a device problem, but now we have 400 devices, the end user cannot access the email configuration, and this error is becoming a big issue.

Thank you for your help

How iOS decides which wireless network to auto-join



iOS follows these guidelines when deciding which wireless network to auto-join.

iOS defines two categories of networks: hotspot and private.

  • A hotspot network can be an HS2.0/Passpoint (802.11u) network, a "captive" network, or an EAP-SIM network. iOS distinguishes between captive / EAP-SIM and HS2.0/Passpoint hotspots.
  • A private network is any network that is not a hotspot.

When iOS evaluates SSIDs to auto-join, it prefers known networks, higher levels of security, and stronger relative signal strength (RSSI).

iOS will try to connect to networks in this order:

  1. The private network it has most recently previously joined
  2. Connect to a private network
  3. Connect to a hotspot network

If iOS finds more than one network, it will evaluate SSIDs by security level and choose one based on the following order:

  1. Private network: EAP
  2. Private network: WPA
  3. Private network: WEP
  4. Private network: Unsecure/open
  5. Hotspot network: HS2.0/Passpoint
  6. Hotspot network: EAP
  7. Hotspot network: WPA
  8. Hotspot network: WEP
  9. Hotspot network: Unsecure/open

If iOS finds multiple networks of identical type and security level, it will choose the SSID with the stronger RSSI.

Auto-joining after a restart

After a restart, iOS Wi-Fi credentials are available only after a device is unlocked.

If an iOS 6 device is restarted near both open and secure networks, the device will auto-join the open network because the secure network credentials are not available until the device is unlocked.

After restarting, iOS 7 will not auto-join an open network first because it waits until after the device is unlocked.

Last Modified: Nov 20, 2013
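
The selection rules above, including the restart behaviour, written out as a small model. This is an added example, not Apple's code and not part of the original article; the `Network` fields, the `pick_network` name and the sample SSIDs are assumptions, and the input is assumed to hold only known networks currently in range.

```python
from dataclasses import dataclass
from typing import List, Optional

# Security-level order copied from the numbered list above (1 = most preferred).
PREFERENCE = {
    ("private", "EAP"): 1, ("private", "WPA"): 2, ("private", "WEP"): 3,
    ("private", "open"): 4, ("hotspot", "Passpoint"): 5, ("hotspot", "EAP"): 6,
    ("hotspot", "WPA"): 7, ("hotspot", "WEP"): 8, ("hotspot", "open"): 9,
}

@dataclass
class Network:
    ssid: str
    category: str              # "private" or "hotspot"
    security: str              # "EAP", "WPA", "WEP", "open" or "Passpoint"
    rssi: int                  # dBm; closer to 0 is stronger
    last_joined: bool = False  # True for the most recently joined network


def pick_network(known: List[Network], ios_major: int,
                 unlocked_since_boot: bool = True) -> Optional[Network]:
    """Return the known, in-range network this model would auto-join."""
    candidates = list(known)
    if not unlocked_since_boot:
        if ios_major >= 7:
            return None  # iOS 7 waits for the first unlock before joining
        # iOS 6: stored credentials are unavailable, so only open networks
        # can be joined before the first unlock.
        candidates = [n for n in candidates if n.security == "open"]
    if not candidates:
        return None
    # Step 1: the most recently joined private network wins outright.
    for n in candidates:
        if n.last_joined and n.category == "private":
            return n
    # Steps 2-3: private before hotspot, then security level, then RSSI.
    return min(candidates,
               key=lambda n: (PREFERENCE[(n.category, n.security)], -n.rssi))


# Constructed scan results (SSIDs and signal levels are made up).
SCAN = [
    Network("corp-eap", "private", "EAP", -72),
    Network("corp-eap-2", "private", "EAP", -60),
    Network("lobby-open", "private", "open", -41),
    Network("cafe-portal", "hotspot", "open", -35),
]

def demo():
    return {
        "unlocked": pick_network(SCAN, 7).ssid,
        "ios6_locked": pick_network(SCAN, 6, unlocked_since_boot=False).ssid,
        "ios7_locked": pick_network(SCAN, 7, unlocked_since_boot=False),
    }

if __name__ == "__main__":
    print(demo())
```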

EDA Surveys Enterprise IT Admins about Managing Mobile Devices


Hello MacEnterprise Community,

The Enterprise Device Alliance is conducting its 3rd annual survey of IT professionals at

In our pursuit to develop the best solutions for your IT management challenges, we ask for your feedback on the use of mobile devices and non-Windows systems integration in large organizations. As the pervasiveness of these devices grows, your experiences and opinions, collected in these survey results every year, help us to better serve your needs.

To thank you for your contribution we will raffle one $50 gift certificate from Amazon for every 100 respondents. We will, of course, provide every participant with a copy of the results. Please make a difference and give us your thoughts.

Take the Survey here:

On December 12 at 2 pm ET/11 am PT, Ryan Faas, noted IT journalist, will discuss the survey results with me, T. Reid Lewis, president of the Enterprise Device Alliance. This webcast will explore the results in detail, offering examples of how other companies are tackling the challenges presented by mobile device management.

Sign up for the Webcast here:

Questions? Write to us at For more information and past survey results, visit

Thank you on behalf of everyone who will benefit from the survey results.

- Reid

T. Reid Lewis
Enterprise Device Alliance

Apple Configurator 1.4.2 and Apple TV 6.0.1.

estrois's picture

Hello everyone,

For my first post here, I find myself pretty much at the cutting edge of all recently updated Apple Stuff.

Apple Configurator 1.4.2
Apple TV 6.0.1
OS X 10.8 Server and Clients.
Profile Manager.
iOS 7.0.4

Although I've learned computers since DOS and System 6, I'm sitting in front of Apple Configurator and Apple TV and can't quite guess how all these payloads that are useful to iOS iPads can be useful to Apple TVs, which are new stuff to me.

I googled a lot, asked in discussion dot apple dot com, tried YouTube, Yahoo and even Bing...

How can all these payloads that are useful to iOS iPads be useful to Apple TVs?

Is there a good walkthrough for Apple Configurator 1.4.2 and Apple TV 6.0.x?


Remote Reboot of OS or APPs?

Joshua Elvey's picture


I'm wondering if anyone has come across a solution to our problem in any of the MDM software out there. We need to remotely reboot our iPads (NOT wipe). Basically, after a few days of our app running non-stop on the devices, they need a refresh. If a remote reboot isn't possible, is it possible to close out the app and then relaunch it remotely? Currently, we're using AirWatch and there seems to be no function similar to this. If you have a solution, know a different provider with this function, or are looking for the same solution, please share.
