Hello! We're wanting to put together a model where we have a standard approach to evaluating iOS releases (major and minor versions) as well as new iPhone and iPad models when they're released. We have three main "sections" that we're needing to expound on: usability, supportability, security.
What do the rest of you do when new software and/or devices are released? How do you judge them as being supportable or secure in your environment?
Any input and advice is appreciated. Also, if you happen to have a template or document that details your approach, that is helpful as well!
If an organization buys an app through the Volume Purchase Program, will they be able to use redemption codes? For example, I have given an application to a business user with a redemption code. If he leaves the organization, can I use the same redemption code for the new user?
Help me to get this information and any more information on this.
Hi, we have AirWatch as our MDM software, and we are looking to generate a white and a black list of sites where our mobile users can or can't navigate. There is a feature called secure web browser on AirWatch that can help you to achieve this, but I haven't found where to configure this on the MDM admin console. Has anybody done this? Can somebody help?
Thank you very much
We have both Mobile Iron and AirWatch to manage our mobile devices (mainly iOS).
We have several in-house applications to deploy, but these applications don't have to be published to the same population and AirWatch is not flexible for our need. Let me give you an example:
We would like to apply to our users all possible scenarios :
- E-mail only
- Application A only
- Application B only
- E-mail + Application A
- E-mail + Application B
- Application A + Application B
- E-mail + Application A + Application B
If we want to do that with Mobile Iron, no problem: we create what they call a "label" for E-mail, another one for Application A, and another one for Application B... and apply the needed labels to a user. The problem is with AirWatch, where we have to create a location group per scenario and enroll the user in the right location group for the policy to apply. This is a problem because we have more applications coming, which means many more possible scenarios, and that will be a nightmare to manage if we have to create one location group per scenario (App. A + App. B + App. C ...).
Is there something we did not understand in the way AirWatch handles application deployment, or is it just the way it works with AirWatch?
Thanks for your help
Bring Your Own Device (BYOD) is an acknowledgement that the tools you could give your users aren't any better than the ones they already have. If your users already have iPhones, they won't want to use an Android phone. Plus, your users will hate you for forcing them to carry two devices that perform the same functions.
John Welch, Director of IT at a 200-person creative firm (Zimmerman Agency), spoke at the Mac IT Conference in San Francisco on the benefits of Bring Your Own Device and how he supports it. John stood out among IT Directors at the conference by stating that his job is to say "yes" whenever possible. IT departments of the past have been about control and locking down devices whereas he comes from the perspective of enabling people to do their jobs however they wish. He is also the author of iOS in the Enterprise.
The Benefits of Bring Your Own Device (BYOD)
- Saves your budget on buying devices. You'll need to buy the MDM solution either way but you can save some serious money on devices.
- Makes your users happier because they don't have to carry two devices that do the same thing. Happier users are more likely to work cooperatively with you.
- Saves your time on training users on how to use devices they don't already own. You'll have fewer support calls to answer.
The Disadvantages of BYOD
- You can't really lock down someone's personal device.
- If they decide to upgrade the device or change carriers, you don't have control over that.
- Less device consistency, which means you may have to support Windows Phone, etc.
When Does BYOD Not Work
- Sarbanes-Oxley and HIPAA environments may not allow for BYOD.
- High-security areas, such as workplaces where you are not allowed to use a phone with a camera.
- School environments may not work because your end-users may not be mature enough to manage their own devices.
The Compromise To Support Any Device
- At the Zimmerman Agency, employees can bring in any device that supports IMAP & SMTP for email.
- In exchange the user has to register their iOS device with the MDM solution. They also are asked to use Exchange ActiveSync instead of IMAP.
- Devices are set up to allow remote wipes in case of loss. Users are educated that they don't have to freak out if their device goes missing because they can text or call IT to have it wiped.
- Some users went from using 1-2 IP addresses on the corporate network to up to 5. You may have to reconfigure your DHCP server, especially for wireless access points.
Many companies specify a limited range of devices for BYOD so that it's easier to deploy mobile device management solutions and support. What challenges and advantages have you seen with Bring Your Own Device environments?
Photograph by Miki Yoshihito.
How does a Windows-centric school district deploy over 1,000 iPads to elementary students not old enough to legally have an Apple ID? How do you get high school students to come to IT voluntarily if they jailbreak their device? How do you prevent iPad damage in schools? All these questions and more were answered by Cecile Lelievre from Brandeis Hillel Day School and Maribel Guizar-Maita from Alum Rock Union Elementary School District in Santa Clara. Both deployed over 1,000 iPads in their schools and shared lessons learned during a panel moderated by JAMF Software at Mac IT Conference 2012.
Apple ID Strategies for Large iPad Deployments
Cecile used a combination of personal Apple IDs and JAMF's Casper Suite to offer high school students a blend of choice. Each student had an Apple ID tied to their parent's credit card so they could buy content they wanted. Apps that the school district required the student to own were available via JAMF's self-service center. Once the App is gifted to the individual's Apple ID you can't get it back so they had to expense it similarly to buying paper for students that isn't returned.
Maribel's school creates Apple IDs per grade level. Only approved applications can be downloaded and all applications are pushed via JAMF. When working in a grade school environment you must keep in mind that students under 13 cannot legally have an Apple ID. This was an additional reason why they manage all the Apple IDs.
Backup Strategies for iPad Deployments
Maribel's school gives each classroom a Bretford iPad cart with a MacBook. The iPads are backed up to that MacBook when plugged in each night. Cecile ran into problems with students taking their iPad home and syncing it with their home computer, which blew away the institutional image. She prefers Apps that sync their data online because if students accidentally sync their device at home and erase it, they don't lose the data on the device.
Who Chooses Which Apps Are Used
The school chose an assortment of Apps that covered many areas. Then the teachers can suggest Apps for their classes that they can ask IT to push out to students. If the App is free and has some educational value, it is always approved.
Loss & Damage of iPads in Schools
Brandeis Hillel Day School offered a third-party insurance program to families for an additional $50 that would cover damage and loss; they also bundle in the cost of AppleCare. They keep a whole bunch of spares. If a student drops their device twice, they get downgraded to an iPad 1. Finally, they include a ballistic case with all iPads, which prevents a lot of damage.
Alum Rock Union Elementary School District hasn't had as many problems with damage because the students love these devices and are very careful with them. They actually see more breakage from teachers who are less careful with the device. They include a clear case, protective film, and also tag each device with big ugly serial numbers.
Catching Jail Breakers
In the high school environment, Cecile would run a report using JAMF that would show the last time each device had been on-site. If the device hadn't registered lately, she would disable it from connecting to the network by blocking their MAC address. The student then comes to IT on their own because they can't connect to the network and then she "educates" them on why.
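The stale check-in review described above, as an added example (not code from the panel or from JAMF): it reads a constructed inventory export, lists devices whose last check-in is older than a threshold together with a normalized MAC address for the network block list, and sets aside rows that cannot be judged automatically. The column names, device names, MAC addresses and the 14-day threshold are assumptions made for the illustration.

```python
import csv
import io
import re
from datetime import datetime

# Constructed export; column names and all values are hypothetical sample data.
SAMPLE_REPORT = """device_name,wifi_mac,last_check_in
Student-014,02:00:00:aa:01:0e,2012-01-30T08:12:00
Student-027,0200.00AA.011B,2012-01-09T15:40:00
Student-031,02-00-00-AA-01-1F,
Student-045,02:00:00:AA:01,2011-12-01T09:00:00
"""

def normalize_mac(text):
    """Return AA:BB:CC:DD:EE:FF, or None if the value is not a 48-bit MAC."""
    digits = re.sub(r"[:.\-\s]", "", text)
    if not re.fullmatch(r"[0-9A-Fa-f]{12}", digits):
        return None
    digits = digits.upper()
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def find_stale(report_text, now, max_age_days):
    """Split the report into devices to block and rows needing manual review."""
    to_block, to_review = [], []
    for row in csv.DictReader(io.StringIO(report_text)):
        name = row["device_name"]
        mac = normalize_mac(row["wifi_mac"])
        try:
            seen = datetime.fromisoformat(row["last_check_in"].strip())
        except ValueError:
            seen = None  # empty or malformed timestamp
        if mac is None or seen is None:
            # Never block on incomplete data: a bad MAC could hit the wrong device.
            to_review.append(name)
            continue
        age_days = (now - seen).days
        if age_days > max_age_days:
            to_block.append((name, mac, age_days))
    return to_block, to_review

if __name__ == "__main__":
    block, review = find_stale(SAMPLE_REPORT, datetime(2012, 2, 1, 9, 0), 14)
    for name, mac, age in block:
        print(f"block {mac}  ({name}, last seen {age} days ago)")
    print("manual review:", ", ".join(review))
```
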
Pushing Non-App Content
Cecile used Dropbox or Box.net to allow teachers to push and sync content on the devices. She is now investigating a hybrid cloud using WebDav to provide a more secure place to store shared content for staff.
Maribel's school distributes content by syncing each iPad to the cart with a MacBook each night. They also configure email accounts for each student so that they can use Apps that require email addresses. Email accounts for the younger students are only allowed to email addresses within the school's domain.
You Have A Great Network But Do You Have Enough IP Addresses?
If you're considering an iOS device roll-out you need to examine your network infrastructure first. For example, Maribel's school had plenty of access points but ran out of DHCP addresses during deployment.
- It's dirt cheap. Profile Manager is included in Lion Server, which is $50-$80 flat. Other MDM providers, by contrast, charge an annual fee.
- It does MOST of what you want in an MDM solution.
- It's a First Party solution. You can call Apple for support.
- Large installs of devices - thousands of devices will require a more robust MDM solution.
- A required MDM element isn't available - see below and the complete comparison of MDM solutions.
- App installs - You can push free Apps (getting conflicting reports on this) or in-house developed Apps to users. You can NOT push paid or volume purchased Apps to users.
- Policy setting - Yes.
- Security - Restrictions, VPN profiles, remote wipes.
- Asset Tracking - Lion server will track the device.
- Remote Control - Nope.
- Backup - Nope. The only Apple way of doing backup is through iTunes right now.
- Firmware / OS updates Control - Nope.
- Lion Server running on a Mac with Core 2 Duo or later, 2GB+ of RAM. A Mac mini for less than 1,000 devices is a very affordable solution.
- Internet connection with certain ports open. You may need to troubleshoot push notifications.
- Working DNS - Not just an IP address.
- Open Directory Master - Server that holds user accounts.
- Certificates - You'll need the following certificates: SSL/TLS Certificate (purchased from a registrar, StartCom offers the only free certificate for iOS devices), Apple Push Notification Service Certificate (free from Apple with an Apple ID), Code Signing Certificate (you can use the Lion server but a best practice is to purchase one from one of these authorities for around $300)
- Change your Administrator account name to something besides the default of "diradmin" because someone could guess it.
- Don't use a comma in your organization name, it'll cause the install to fail.
- Don't use your personal Apple ID because your certificate will be tied to it. Create a new one for the institution. If the person who owns the Apple ID leaves, you won't be able to manage it anymore.
- If you disable the App Store, your users won't be able to sync Apps via iTunes either.
- If you use content restrictions, all Apps that allow web browsing are rated 17+.
- You can run Profile Manager on an iPad because it's a web app.
I would like to create an in-house catalog with a native app for my enterprise with the app enterprise program. My main issue is to know if it is possible to link iTunes apps directly in this store, with the possibility to use a redeem code without having to go to the App Store application.
The main idea is to ease installation of recommended apps (free or with redeem code). I saw that it was possible with the Casper Suite to do push-like installation, but I wonder if it is possible to do something close directly from an in-house app catalog?
In the same way, if the first part is possible, I wonder if it is possible to update apps the same way without having to go to the App Store and enter a password. Should it be possible to use the same redeem code to update the app?
Thank you very much in any case.
BTW this website is really great
This week CIO.com published an interview with me on muddying the consumerization of IT. The story includes the following quote:
Interestingly, a lot of IT guys are rooting for Android. The reason, I think, is that there's some unexpressed hope that they can lock down the Android OS. They can put on what they want. They can do the monitoring. They can do the auditing. They can reconfigure and redeploy with their own image.
Of course, that's missing the point. It's no longer consumerization of IT, but goes back to the traditional models where IT has control all over again. If you think you have trouble supporting Android with its fragmentation now, just wait until businesses start getting a hold of the source code and recompiling it.
My point is to celebrate and embrace the tremendous innovations we've seen in the consumer space. Attempts by business to control these technologies only slow down innovation and make employees much less productive.
What do you think? Does this reflect the situation in your company? Please comment below.
If you work in the mobile Apps space, I'll bet that you often need to present iPad Apps & slideshows from your iPad in web conferences such as Citrix Go To Meeting and WebEx. Let me share my recommendation as to how to accomplish these presentations with high quality and low hassle.
As the president of GroupLogic, a software firm not associated with any of the products I will recommend here, my colleagues and I have had great success with the Epiphan VGA2USB-LR adapter. When combined with video capture software (I use Evocam), the VGA2USB makes web conferences and recording easy and consistently delivers high quality.
Until my colleagues found the Epiphan, we struggled with a document camera from Ipevo and were always fooling with the adjustable arm and sitting in the dark to reduce the glare from office lights. Even in the best lighting (we purchased a photo stand that shielded the lights) the Ipevo left a lot to be desired for sharing the iPad screen.
You will need to spend the extra money for the 30 fps "LR" version which at $799 is worth the extra money over the $299 basic version that does 10 fps. The slower 10 fps frame rate makes scrolling visibly very unappealing to your viewing audience so I strongly advise that you buy the LR.
Here are the links to these products:
Epiphan VGA2USB-LR adapter http://www.epiphan.com/products/frame-grabbers/vga2usb-lr
EvoCam 4.0.1 http://www.evological.com/evocam.html
Apple today released a minor update to iOS 5. This update applies to all devices running iOS 5: iPad and iPad 2, iPhone 3GS, iPhone 4 and 4S, and iPod touch 3rd and 4th Generation. Security information can be found on Apple's support site.
This update is notable as it is Apple's first delivered over-the-air. Reports indicate no issues so far. You must be connected to a Wi-Fi network (not cell) to download. Also, you need at least 50% battery life (or be plugged in) to update.
For enterprise environments, you can't prevent or force this update on your managed devices. However, you can use MDM queries to check the versions of your devices, and set policies accordingly.
Any experiences yet?
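An added example (not from the original post or from any MDM vendor) of the version check described above: it parses constructed plist responses to an MDM `DeviceInformation` query for `OSVersion` and sorts devices into compliant, outdated and unknown. The UDIDs, device names and the minimum version passed in are constructed sample values, not figures from this page.

```python
import plistlib

def _sample_response(udid, name, os_version, status="Acknowledged"):
    """Build a constructed device reply to a DeviceInformation command."""
    body = {"CommandUUID": "constructed-" + udid, "Status": status, "UDID": udid}
    if status == "Acknowledged":
        body["QueryResponses"] = {"DeviceName": name, "OSVersion": os_version}
    return plistlib.dumps(body)

# Constructed sample data, not real devices.
SAMPLE_RESPONSES = [
    _sample_response("UDID-0001", "Sales iPad", "5.0"),
    _sample_response("UDID-0002", "Exec iPhone", "5.0.1"),
    _sample_response("UDID-0003", "Lab iPod", "4.3.5"),
    _sample_response("UDID-0004", "Kiosk iPad", "", status="NotNow"),
]

def parse_version(text):
    """Turn '5.0.1' into (5, 0, 1) so the comparison is numeric, not lexical."""
    return tuple(int(part) for part in text.strip().split("."))

def version_at_least(reported, minimum):
    """Compare dotted versions, treating missing components as zero."""
    a, b = parse_version(reported), parse_version(minimum)
    width = max(len(a), len(b))
    a += (0,) * (width - len(a))
    b += (0,) * (width - len(b))
    return a >= b

def audit(responses, minimum):
    """Classify each response as compliant, outdated, or unknown."""
    report = {"compliant": [], "outdated": [], "unknown": []}
    for raw in responses:
        msg = plistlib.loads(raw)
        udid = msg.get("UDID", "<no UDID>")
        version = msg.get("QueryResponses", {}).get("OSVersion")
        # A device that answered NotNow (e.g. locked) has not reported a version.
        if msg.get("Status") != "Acknowledged" or not version:
            report["unknown"].append(udid)
            continue
        try:
            ok = version_at_least(version, minimum)
        except ValueError:  # non-numeric version string
            report["unknown"].append(udid)
            continue
        report["compliant" if ok else "outdated"].append(udid)
    return report

if __name__ == "__main__":
    # "5.0.1" is a constructed threshold chosen for the sample data.
    for bucket, udids in audit(SAMPLE_RESPONSES, "5.0.1").items():
        print(bucket, udids)
```

Devices in the unknown bucket are worth re-querying before any policy is applied, since a missing answer says nothing about the installed version.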
I am new to this forum so I apologize if this is a repeat...
We have recorded multiple incidents of meetings dropping off of iOS calendars, but still appearing on the Outlook client. We have traced it to users with delegates that manage their calendar (some even manage their own) and more often than not, the meeting event is a recurring one that has been edited or moved in some way. We have instances of a single occurrence of a recurring meeting dropping off and the entire series. We have not been able to reproduce this issue with users that do not have delegates, that is unless the meeting invite they received comes from someone who does have a delegate.
Note: Exchange 2007 environment.
We have heard that one resolution could be disabling Cached Exchange Mode for the troubled users, but the loss of functionality has been determined to be unacceptable.
This is a sensitive issue because users that have delegates are often... senior management. Any help or direction would be greatly appreciated.
Blogger Michael DeGusta compiled the release and upgrade history of every Android phone released through mid-2010. It is impressive, and not in a good way.
(via Daring Fireball)
To unlock some of the most interesting iOS features for enterprise, you need to use a Certificate Authority (CA) to create, manage, and distribute identity certificates to your devices. (Actually, the deployment is typically done through MDM.) With this infrastructure in place, you can teach your servers to recognize valid certificates, allowing secure VPN, email, Wi-Fi and intranet access without password authentication. However, many businesses do not have this infrastructure, known as PKI, in place.
I'm curious about experiences with hosted PKI. It would have to be simple to use -- that's the point.
Any of you have experience you'd like to share? Any successful hosted PKI/MDM integrations?