Carrots and Sticks

"Carrots and Sticks" is a methodology of balancing the "stick" of security-enhancing restrictions with the "carrot" of user access to otherwise restricted data.

By design, users may opt out of Mobile Device Management at any time: Settings > General > Profiles > Global MDM Profile > Remove. Individual configuration profiles may be password protected, but the root MDM certificate is always removable with nothing more than the device passcode. Once it is removed, all child profiles are removed as well. There is no programmatic way to prevent this.

One solution is to make MDM more attractive for the users. These are the "carrots." Here are some ways to do that.

  • Deploy managed apps (new to iOS 5) using MDM. Managed apps are sent over the air as part of the MDM package. If MDM is removed, these apps can be set to disappear as well.
  • Develop in-house apps using Apple's iOS Developer Program, and distribute the deployment certificate only by MDM.
  • Use a Public Key Infrastructure to grant access to VPN, Exchange, Wi-Fi, etc. Deploy user credentials through MDM only.
  • Slightly different from using PKI to grant access to corporate resources: more MDMs are offering DMZ-based components in their solutions, which are in-line proxies in front of their Exchange, Domino, Office365, and Google Apps services. These proxies/filters check with the MDM to ensure compliance before allowing the device through. With this in place, users are blocked and required to enroll in MDM to get to the corporate email resources.

Got more carrots, Doc? Edit this wiki page and add them here.

Demonstrating Over-the-Air App Deployment in iOS 5

Perhaps the biggest enterprise feature yet uncovered in iOS 5 is Over-the-Air app deployment. It's not quite "push"; but I'll call it "push-like".

Here's how it works, using JAMF's Casper Suite. JAMF updated their software today to support the latest iOS 5 technologies.

First, log into the MDM console.

Under Management, click "Mobile Device App Catalog".

Click "Add App".

iPhone Configuration Utility Updated to 3.4

Briefly: Apple's updated their iPhone Configuration Utility to include the .mobileconfig features of iOS 5.

The update is currently available via Software Update. We'll post a download link when available.

iOS 5 is Out

Apple has released iOS 5, the latest version of the operating system for its iPads, iPhones and iPod touches. The release is available for all current and many earlier models. See our table of iOS Devices for the list of upgradable models. The update is available via iTunes, but hopefully this is the last time we'll need a PC for updating.

iOS 5 brings a laundry list of features, including:

  • A new Notification Center for text messages, email, and other alerts
  • iMessage (think Apple's answer to BBM)
  • New MDM features (story to follow)

Over the next few days, we'll be exploring how this update affects Enterprise users. (Yes it does, and in some big ways.)

Please post your experiences in the comments below.

iPhone 4S Nifty Features for Business Users

Today's Apple product intro is now available online. In case you haven't heard, they announced the iPhone 4S, available on October 14. There are some nifty features in the iPhone 4S for business users. I'll have more tomorrow, but my short list is:

  1. Siri for a 24-hour personal assistant that won't break up your marriage
  2. Long battery life
  3. Quicker download speeds without the 4G downsides
  4. AirPlay -- fantastic for wireless presentations
  5. GSM+CDMA go-anywhere world phone
  6. Quicker dual-core A5 processor for background VPN and innovative apps

What did you think?

Completely Revised Comparison of Mobile Device Management Providers

We're happy to announce the re-release of our popular Comparison of MDM Providers. While the original comparison was built as an HTML table, the new page sits atop a wiki-enabled database. This allows MDM providers and users to modify and improve the data on each provider.

We've also added several MDM solutions: Apple, MaaS360, and SOTI.


If your favorite MDM provider is missing from this list, we encourage you to add them yourself using a simple form. We hope you find this change useful.

Your Business Your Apps – Video and Q&A

Aaron Freimark's picture

Thank you to everyone who attended our hugely successful panel discussion "Your Business, Your App," organized by Tekserve, New York's largest independent Apple consultancy and retailer. We had time for only a few questions from the audience. To address this, we've created this forum thread so we can continue the discussion online. Our panelists will try to respond to any question posted here.

In addition, we are pleased to bring you a video of the entire event. We hope you can add your questions and comments below.

EiOS will be on the panel "Your Business, Your App" this Friday, in NYC

This Friday, September 30, I have the honor of being a part of a distinguished panel discussion titled "Your Business, Your App." Members of the Enterprise iOS community are invited to register for this special event.

The luncheon and panel will be at Ogilvy, 636 11th Avenue, between 46th and 47th Streets, in New York City. The panel includes:

  • Joe Zeff of Joe Zeff Design, creative studio that helps companies merge content, technology and business opportunities through iPad apps. Their specialty is consumer engagement, leveraging the power of storytelling to help publishers, corporations and agencies forge deeper relationships with their audiences.
  • Jason Richelson of, a cloud-based point-of-sale service that allows small retail businesses to replace their cash registers with iPads and ring up customers, collect sales tax, print receipts, accept credit cards and manage inventory and customers.
  • Jamie Manalio of Rust Labs, dedicated to exploring new technologies for custom hardware and A/V installations, creating custom interactive presentations for private and public events, programming applications for smart phones.
  • Joseph Wachs of [x]cube LABS, a specialty mobile app development firm offering end-to-end solutions across a wide range of mobile applications; from games to enterprise apps, across all major mobile platforms, including iPhone, BlackBerry, and Android, as well as the iPad.
  • Irven Cassio of Luxottica Group, a retail technologist - with a focus on convergence, multichannel integration, social media, fashion, design and marketing.

The event is being sponsored by my employer, Tekserve, New York's largest independent Apple consultancy and retailer.

Update: We've posted a video and some Q&A of the event on this site.

EiOS and Tekserve in CIO

CIO Magazine has published an interview with me about the iPad Culture Shock for IT. I would sincerely appreciate your thoughts on the topic.

Managing iOS Devices with Lion Server

The eBook "Managing iOS Devices with Lion Server" is now available on the iBooks store and the Kindle store, and soon on

The $4.99 ($3.99 for Kindle) is a steal considering the weeks I put into preparing this. I really hope you find it useful.

I also wrote the official description below, and I think it captures it perfectly; there's not much about using Profiles for managing Macs other than remotely locking and wiping them (which is very cool). It really is all about managing iOS devices.

Learn how to use Profile Manager, a feature included in OS X Lion Server, to configure and remotely manage iOS devices (including iPad, iPhone, and iPod touch) and Macs running Lion. With this eBook, you will learn how to use Profile Manager's web-based tools to configure user settings for services such as Mail, Calendar, VPN, and Wi-Fi; define passcode settings to prevent unauthorized access to data stored on your users' devices; and remotely wipe devices if they go missing. The Profile Manager uses the Apple Push Notification Service (APNS), so you can immediately push configuration changes to your devices, as long as they have some kind of network connectivity. Why do all the work yourself? Show your users how easy it is for them to use the self-service web portal to download and install the configuration profiles you've carefully crafted for them, and how to remotely lock or wipe their own devices without your intervention. This eBook includes the knowledge you need to configure your Lion Server to be an Open Directory master, use an appropriate SSL certificate, provide Profile Manager services, and perform basic troubleshooting.

It's 339 pages on my iPhone 4.

Apple Introduces App Store Volume Purchasing for Business

Apple today introduced its Volume Purchase Program for Business Apps. The program, available "soon," answers a simple question that has had no satisfactory answer: How does a company buy apps for its users?

Some notes:

  • Businesses must have a Dun & Bradstreet number to participate, and go through a validation process.
  • Admins will be asked to create a new Apple ID for exclusive use with the Business VPP.
  • There are no minimum or maximum quantities for purchase.
  • Only paid apps are available through VPP. Free apps should be downloaded by the device user.
  • Payment must be made via corporate credit card or PayPal. (There seems to be no mechanism for purchase orders at this time.)

The program seems to follow the contours of the Education VPP system, introduced last year. The enrollment process, which is not yet online, is outlined in a PDF. Here's what they say about distribution:

Distributing apps purchased through the Volume Purchase Program is easy. For each app you purchase you’ll receive a redemption code to authorize the app download. The program website delivers these redemption codes in a spreadsheet format that contains multiple codes, one for each app in the quantity purchased. Each time a code is redeemed, the spreadsheet is updated on the program website so you can track the number of codes that have been redeemed by your users. The spreadsheet also includes a redemption URL with the redemption code embedded in the link so users don’t have to type or enter the redemption code manually when downloading apps.

Apple suggests that you email these URLs to each user, but I'd rather poke my eye with a stick. Alternatively, expect your MDM Provider to allow for VPP Integration. Casper Suite and Absolute Manage MDM already have this feature, and I hope others quickly jump on board.

So the user clicks on the link, they visit the Apple store, "purchase" the app, and the redemption code is used in lieu of payment. Then the app downloads and installs.

Read the documentation closely, and you'll find a second new initiative: Apple is releasing private app distribution for businesses. The idea here is to combine custom app development with VPP for distribution, creating a new market strategy for enterprise-focused developers. (And Apple will happily take its 30% cut for the service.) Sound interesting?

Any outstanding questions? Do you like the plan? Please add your comments below.

Zenprise expands our Comparison of Mobile Device Management Providers

I'm very happy to announce that Zenprise has added their data to our Comparison of MDM Providers. We are now at 800 boxes with / ticks.

As this feature has grown, we've been seeing some areas where we can improve the chart. Please visit MDM Comparison 2.0 Beta to see where we are going, and contribute your suggestions.

In-house App Deployment

Has your company built a great app? But you don't want it on the app store? In-house App Deployment is for you. There are two ways to go:

Outsource It

Several companies make a living building private app catalogs for businesses (like this mobile application development company). These sites typically require an enterprise subscription to Apple's iOS Developer Program.

Do It Yourself

(I haven't done all these steps myself. Hopefully some of you can fill in whatever gaps exist.)

Once you have established your iOS Developer Enterprise Program, everything you need to know is listed under the Provisioning Portal.

The rough steps for in-house app distribution are:

  1. Identify internal development resources
  2. Establish a cross-functional team to establish security, design & look and feel guidelines
  3. Download Xcode from the App Store or via the free iOS Developer Program
  4. Build an app in Xcode
  5. Sign up for the iOS Enterprise Developer Program (not the standard program)

iOS Developer Enterprise Program

  • Requires DUNS number
  • Enrolling employee must have binding authority to enter into contracts
  • This employee becomes the Team Agent
  • Legal contact at your company to verify enrolling employee & their binding authority
  • Budget 10 - 15 business days for enrollment

From Apple's iOS Provisioning Portal

  1. Create App ID (performed by Team Agent)
  2. Register development devices (Team Agent)
  3. Create Development Provisioning Profile (Team Agent)
  4. Create Developer code signing Certificate
  5. Add Provisioning Profile & Developer Certificate in Xcode

To add the app to your device, you must also add the provisioning profile. This may be done with either the iPhone Configuration Utility or with most Mobile Device Management systems.

Note that with iOS 4, provisioning profiles are only read at boot. So here is what will happen: MDM will install both profile and app, but then the app will seem to disappear. The system is simply hiding the app because it is not aware of the provisioning profile. Just reboot the device to have the app function.

McAfee EMM added to our Mobile Device Management Comparison

Our member andrer9999 was kind enough to fill in the blanks for our enormous Comparison of MDM Providers. Thank you!

Open Source iOS Device Management

EiOS member Haruhiko Nishi has released a prototype system for managing iOS devices as Open Source. The code works through an ActiveSync connection to your device, which can manage some restrictions and policies. There's a bit of discussion in our forum about this already.

The demo is quite interesting. See our forums for the URL. Thanks, Hanishi!
