Lockdown MDM profile?

dleven's picture

I'm currently using MobileIron as my MDM solution and have deployed to about 200 iPad users. The most annoying thing is when users go ahead and uninstall the MI agent; then I get notified and have to contact them to get their iOS device back in compliance. I thought to myself that there has to be a way to lock this down, which sounds simple, especially coming from the BES environment, which allowed you to do so. Looking deeper into this, a profile pushed via MDM cannot be locked. Apple's thinking here is that if you have the device in your possession, the user must have given you permission to install a locked profile, so it's allowed. In the MDM scenario, the user has no warning that a locked profile will be installed, and Apple is concerned a user will be locked into a behavior which they cannot opt out of. So removing the MDM profile with a password is not an option in our environment since we are using an MDM certificate. The configuration profile created in the iPhone Configuration Utility, which is pushed to the device over USB, can be locked so that it cannot be removed. Any thoughts? Anyone running into the same situation?

Thanks!
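For readers auditing the profiles discussed in the post above, here is an added example (not part of the original post and not any MDM vendor's code) that classifies how a configuration profile can be removed. It relies on Apple's documented `PayloadRemovalDisallowed` key and `com.apple.profileRemovalPassword` payload; the sample profiles, identifiers and function names are constructed, and unsigned profiles are assumed.

```python
import plistlib

REMOVAL_PW_TYPE = "com.apple.profileRemovalPassword"

def removal_policy(profile_bytes):
    """Return "with-password", "never" or "always" for a configuration profile.

    Assumption: the profile is an unsigned plist. A signed profile is
    CMS-wrapped and must be unwrapped before it can be parsed here.
    """
    profile = plistlib.loads(profile_bytes)
    payloads = profile.get("PayloadContent", [])
    if not isinstance(payloads, list):  # encrypted profiles carry opaque data
        payloads = []
    for payload in payloads:
        # A removal-password payload makes the device prompt on "Remove".
        if (payload.get("PayloadType") == REMOVAL_PW_TYPE
                and payload.get("RemovalPassword")):
            return "with-password"
    if profile.get("PayloadRemovalDisallowed") is True:
        return "never"  # locked: the user cannot delete the profile
    return "always"

def make_profile(disallow_removal=False, removal_password=None):
    """Build a constructed sample profile; all identifiers are placeholders."""
    content = [{
        "PayloadType": "com.apple.mobiledevice.passwordpolicy",
        "PayloadIdentifier": "com.example.sample.passcode",
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",
        "PayloadVersion": 1,
        "forcePIN": True,
    }]
    if removal_password:
        content.append({
            "PayloadType": REMOVAL_PW_TYPE,
            "PayloadIdentifier": "com.example.sample.removal",
            "PayloadUUID": "00000000-0000-0000-0000-000000000002",
            "PayloadVersion": 1,
            "RemovalPassword": removal_password,  # kept in the profile itself
        })
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": "com.example.sample",
        "PayloadUUID": "00000000-0000-0000-0000-000000000000",
        "PayloadVersion": 1,
        "PayloadContent": content,
    }
    if disallow_removal:
        profile["PayloadRemovalDisallowed"] = True
    return plistlib.dumps(profile)
```

Running `removal_policy` over every profile exported from a deployment shows which ones a user can remove freely and which carry a removal password inside the file.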

What MDM will not do??

rohanparakh's picture

There is a lot of confusion about what an MDM solution cannot/will not do.
Why not compile such points and put them in one article?
Your views??

Apple's head of iOS Security to speak at Black Hat security conference


In a sign of the changing times, Apple's head of platform security, Dallas De Atley, is scheduled to speak at the Black Hat USA security conference this Thursday. His topic is on "key security technologies in iOS."

Apple has never before presented at this conference, which has sometimes exposed embarrassing flaws in Apple's systems. This year's talk is bookended by presentations titled "iOS Kernel Heap Armageddon Revisited" and "The Dark Art Of iOS Application Hacking."

Should be fun.

(via Ars Technica.)

Introducing SimpleMDM: Fast and Free iOS Device Management

mattvlasach's picture


I am pleased to introduce SimpleMDM, a new cloud-based iOS Mobile Device Management solution for small businesses and individuals.

As a completely free service, SimpleMDM is designed to be a fast and effective tool to provide essential management of iPhones, iPads, and iPods. In spite of its cost, it provides a unique and intuitive web administration interface built with enterprise-grade security and best practices in mind. There are no limitations in terms of features or device counts.

You can learn more and create your free account to enroll a new device within 3 minutes by checking out the SimpleMDM website at:


I would love to hear your feedback and thoughts of the product, and I hope you find it useful for you and/or your organization!

Matt Vlasach

Update In-House App Without User Interaction

andyboutte's picture

We are looking to deploy a large number of iPads with our in-house app preinstalled using the Apple Configuration application. That part is very simple and straightforward. Our iPads will primarily be in kiosk mode, so in an effort to avoid confusion I am looking for a way that I could push updates for our in-house app without user interaction. I know according to the Apple documentation on Wireless Distribution the user would be instructed to click on a link to initiate the update installation. So is there any way to wrap that manifest file into a profile that can be pushed to the devices?

Lightweight MDM?

jamitchell's picture

I'm new to MDM but have been tasked by my organization in finding a solution to some mobile device issues we have been having. I've spent a pretty fair amount of time in the googleverse looking for potential solutions but the information out there is either sparse or beyond the scope of my knowledge.

We are a small organization in terms of our mobile IT footprint (<50 devices) and they are all iOS based (iPhone, iPad, iPad2). The main issue is that we have been managing our devices with EAS (Exchange 2007) using basic authentication but have an AD policy mandating password changes every 45 days. Our primary issue stems from when either our users can't get to a computer or they change their passwords on their computer and don't update the credentials on their mobile devices. What then occurs is the mobile device tries to connect using the expired credentials and locks out the user's account.

In my reading some information has indicated that switching to certificate based authentication as opposed to the basic authentication could possibly alleviate our issue but didn't really see any conclusive information.

We don't really need many of the features provided by say AirWatch or MobileIron, though Centrify looked like it might be a good lightweight solution. I would really appreciate some insight into how I can prevent my users from getting locked out, as education doesn't seem to be a viable alternative in this case.

iOS6 - Will it allow MDMs to block iOS OS Updates?

LiNuXbOx's picture

One of the big frustrations from an ongoing cost of managing enterprise apps is the cost associated with keeping your apps up to date for each new iOS OS revision and unfortunately iOS 5x and below don't allow MDMs to manage this.

Has anyone heard if Apple will allow MDMs to manage iOS updates in iOS 6?



Poll: Which iOS productivity suite do you prefer?

  • iWork (Pages, Numbers, Keynote): 49% (43 votes)
  • QuickOffice Pro: 22% (19 votes)
  • Documents To Go: 7% (6 votes)
  • Office2 HD: 6% (5 votes)
  • Google Drive (Docs): 15% (13 votes)
  • Other (please comment below): 2% (2 votes)

Total votes: 88

Can OWA & MDM go together??

rohanparakh's picture

I have been working on MDM for quite some time now, but this thing came to mind recently.
In a scenario where email is the only way to access corporate data (no in-house apps, nothing) and OWA is enabled for all users.
Why would some go for MDM?

Exploring a Mobile App Vetting Process

pghmobility's picture


As we move forward with enterprise applications (such as corporate travel apps, recommended commercial apps), the topic has come up regarding a software review process for mobile applications.

Does anyone have any insight they can provide? What are some things you look for when 'approving' an app for corporate use? Security? Permissions required? Update intervals, etc?


Mobile Management Strategies


All companies deploying mobile devices have a mobile management strategy, whether they plan one or not.

Today's mobile management boils down to a trade-off between control and usability. The stronger the control, the less flexible and familiar the experience is for the user.

The slide above is from a talk I gave for Tekserve. It shows the relationship between five possible mobile management strategies: wild west, Exchange, Mobile Device Management, sandboxing, and VDI.

(footnote: These strategies are not exclusive. It is common to see a combination deployed in large or even not-so-large environments.)

Wild West

By far, the most common mobile strategy is Wild West. Rather, we should call this a non-strategy. In the Wild West, iPads roam free. "Shadow IT" is the law of the land. Users have themselves figured out access to corporate email and documents. Dropbox is a common solution. No lock-screen passcodes burden their users. There is no uniformity to apps. There is no way to remotely remove data from a lost iPad. A thief would have unimpeded access to email, contacts, calendar, and documents.


Exchange

Adding a thin layer of management is not difficult if your company uses a corporate email server. Microsoft Exchange and Google Apps for Business and Education have mobile management built in. This protection rides on top of Microsoft's Exchange ActiveSync Protocol, and requires nothing more than an "Exchange" type email account on the device. With this level of control, you get a number of helpful over-the-air abilities:

  • Require passcode
  • Require a complex passcode
  • Lock device after X unsuccessful attempts to unlock
  • Remove passcode
  • Disable camera
  • Erase device

The most significant of these is "require passcode," which enables Apple Data Protection.

Mobile Device Management

Mobile Device Management, or MDM, adds additional controls on top of Exchange. Devices must be "enrolled" into MDM, usually using a web page or an app. MDM delivers all the features of Exchange, plus several more:

  • Remotely set up email, VPN, calendar, identity certificates
  • Send free and pre-paid apps to devices
  • Send web bookmarks to devices
  • Inventory devices for apps, usage info, and identities
  • Configure features of email accounts not available in the UI: sandboxing, encryption
  • Additional restrictions on iCloud, encrypted backups, FaceTime, the App Store, videos, and more

The MDM protocol is built into iOS by Apple and has been present since iOS 4. Apple continues to quietly expand MDM with each iOS revision.

There are a large number of MDM Providers, each building on Apple's common foundation. The differences tend to show up within the administrative console.

MDM takes more effort on the backend than Exchange. But apart from the initial enrollment, users do not experience a significant change to their experience of the device.


Sandboxing

A Sandbox is a world within an app. Just like Las Vegas, whatever happens in the app, stays in the app. The app syncs content back to the corporate servers. So the company focuses its management efforts on securing that data within the sandbox.

Sandboxes can limit themselves to certain read-only documents pushed out from corporate. Or they can be close to entire OSes, with their own email and document editing. Unlike MDM, a sandbox environment can be fully FIPS compliant for those businesses who need this.

Sandboxes effectively segregate personal and corporate use. By their nature, all company work must be done within the Sandbox app. This can severely limit the options for users, who are no longer able to decide the best choices for their tools.

VDI/Remote Desktop

VDI is an option when Sandboxing isn't enough control. With VDI, the iPad uses a remote desktop protocol to control a desktop computer (usually Windows) running in a secure data center. So data isn't actually stored on the iPad itself. Unfortunately, the iPad makes a lousy replacement for a real mouse and keyboard. Mapping a desktop interface onto the multitouch display just doesn't fit well.


Each deployment comes with its own requirements. But in general, Mobile Device Management offers the best balance of strong management and familiar experience.

InstallApplication from Apple Store without entering Apple ID?

tyt_g207's picture

Hello everybody,

I'm new to iOS MDM. I would like to know if it's possible to send an InstallApplication command to install an application from AppleStore without entering AppleID? Considering that the device has been registered with an Apple ID of enterprise.

Many thanks,

Which RDP app?

drvcrash's picture

I need an RDP app that will either let me save a session shortcut to the home screen or one that will let me have a default connection that it automatically connects to when opened. Trying to use iPads as POS terminals and don't want users to have to do anything. Anyone have an idea?

Daring Fireball: The Misunderstood iPhone


John Gruber's blog Daring Fireball has a great piece on the iPhone's five year anniversary.

The iPod’s success fooled almost everyone (including me) into thinking that Apple’s entry into the phone market would be similar. The iPod was the world’s best portable media player; the “iPhone”, thus, would likely be the world’s best cell phone.

But that’s not what it was. It was the world’s best portable computer. Best not in the sense of being the most powerful, or the fastest, or the most-efficient to use. The thing couldn’t even do copy-and-paste. It was the best because it was always there, always on, always just a button-push away. The disruption was not that we now finally had a nice phone; it was that, for better or for worse, we would now never again be without a computer or the Internet.

In other words, the iPad isn't a large phone. The iPhone is a small iPad.

iOS automation tool Apple Configurator updated to 1.1


Apple has updated Apple Configurator, its tool for automating iOS device deployment and assignment, to version 1.1. From the release notes, the new version includes:

  • Improved reliability and ease of use when installing paid apps with Volume Purchase Program redemption codes
  • A new preference to disable the automatic removal of apps or profiles installed by the user when a configuration is reapplied to a supervised device
  • A new preference to disable reapplying a configuration each time a supervised device is connected to Apple Configurator
  • The profile editor now indicates when a profile cannot be installed on a supervised device due to a missing value in a required field

The app is available on the Mac App Store.

About This Site

  • Enterprise iOS is a community for administrators of the iPad, iPhone, and related devices. All content is available to browse. We encourage you to create an account to submit stories, edit wiki pages, and post to our forum.
