Only permit users to install from a specified app whitelist?

Marc H.

My apologies for the noob question. I am tasked with detection, enforcement, and validation that deployed devices only have approved applications installed. The MDM we're using is MobileIron, which from my limited involvement seems fine to detect after an app is installed. I was looking for a solution similar to OTG that locks down the device to only permit installs from an internal appstore that has approved applications.

Is there a solution that appstore requests only go to our internal appstore, not the official Apple appstore?

Any thoughts or suggestions are welcome.

tia,
Marc

Supervised Mode iOS 7 and Airwatch 6.5

klberg

I'm pretty new to deployment, and the area I'm struggling with right now is supervised mode with Apple Configurator. All of the devices I'm working with right now are on iOS 7, and will be enrolled in AirWatch. There is a list of features in AirWatch that are attractive, but require the device be in supervised mode.

I'm basically wondering what are the cons to supervised mode?

How to enroll a device in OS X Server Profile Manager via app?

studiobrain

How do I go about enrolling a device in my OS X Server via an app downloaded from the App Store?

Ex: user downloads my app from the App Store. How do I enroll them into my OS X Server Profile Manager for profile provisioning OTA?

Free iWork Apps via Apple Configurator?

Karl Rivers

With iWork apps (Pages, Numbers, Keynote, iMovie etc.) now free for new devices, I was wondering how I can install the apps via Apple Configurator without paying for them.

I have 15 brand new iPads, but when I log in to the VPP store I am still asked to pay for the apps.

Thanks

http://www.classthink.com

Override Configurator Web Filtering?

alexk

Hi all,

Thank you for being so helpful in my last post.

I deployed about 30 devices using Apple Configurator to set the original image and restrictions, and then Meraki for MDM. Everything seems to be going great except that the automatic Web Content Filter is far more invasive than we realized. We'd like to roll the Web Content Filtering back, and allow access to all websites. Unfortunately Configurator is installed on a desktop in one city, and our users are in multiple different cities. Anyone have ideas of how we can remove the website restriction without messing with people's new settings or causing them undue annoyance? Basically, can we remotely remove the Web Content Filtering?

Thanks!
Alex

Apple Care poised to fix supervision issue in iOS 7

mscheid13

I received this communication from our Apple rep. I am really glad we have not updated to iOS 7 at our school and would need to provide serial numbers and proof of purchase. I have emailed support and I am waiting on directions. It looks like we will be able to push a profile that will prevent Find My iPad Activation Lock settings in the background (speculation). Once the iOS 7 update is available we can remove our block and upgrade to iOS 7.

Dear Mike,

Recently some users have reported that their supervised iOS devices have reverted to un-supervised after they were upgraded to iOS 7. We are aware of this issue and will have a fix in an iOS software update coming this month.

If you upgraded your devices to iOS 7, we can help you re-supervise devices wirelessly once the software update is available. If your devices are still on iOS 6, we can help you prep your devices in order to maintain supervision when the software update is installed. Please see below for details. AppleCare is ready to help you with implementing whichever solution works for you.

Devices on iOS 7

For devices that were upgraded to iOS 7, we can create a profile to re-supervise your devices. In order to create this profile, we need two things from you — your device serial numbers and valid proof-of-purchase information. When you contact AppleCare, we will provide details on how to send us this information. AppleCare will also let you know when you will receive the profile and provide deployment instructions.

Devices on iOS 6

If you have devices that haven’t been upgraded to iOS 7, we will give you the ability to generate a profile to install before upgrading. Then your devices will be able to upgrade to the upcoming release of iOS as supervised devices.

Please email supervised_devices_support@services.apple.com to obtain more information from AppleCare.

Thank you,

Apple Profile Manager 2 issue (two issues actually)

rizzinim

Hello,

I just deployed 24 iPads in my company, and I'm using Apple Profile Manager 2 as the MDM solution.

I'm using variables to create a single configuration profile that will load user info automatically, leaving just password entry for the users.

%short_name% is used as the variable for the user account
%mail% is used as the variable for the Exchange server email

Everything goes smoothly: the user enters his password and Mail starts to receive Exchange mail.

1st issue:
It turns out that Exchange mail configured in this way is not fully recognized by iOS:
1- if you use Mail everything works fine
2- if you use a 3rd party app like Smart Office 2 or the BBC app, and you want to share something via mail, you get a message that you first need to configure an email account
3- if you configure an extra email account like an iCloud or Gmail one, any of them can be selected as the default email account, except for the Exchange account, which won't be listed at all, as if it doesn't exist, but it's there and working from the Mail app.
The above is verified with both iOS 6 and iOS 7, so it's not an iOS 7 issue

2nd issue:
A guy left the company and a new guy got the iPad. He enrolled the device, logging in with his account info, but the Exchange mail settings still report the previous user's mail (configured as explained before).
I tried restoring the iPad, soft and hard reset, from the device and connected to the MDM (Mac mini). I assume the problem is in the MDM software and not in the device itself, considering that when it's restored it's completely empty.

Any idea / suggestion?
Any help will be appreciated
Thanks
Max

How to type ".com" in a single gesture, and other iOS 7 keyboard tips


TechHive has an article on several iOS 7 keyboard tips. Here is my favorite:

The old ".com" button is hidden inside Safari's keyboard. Just press and hold the period.

Makes it so much easier to type enterpriseios.com.

How to manage cellular data use per app with iOS 7


A quick tip on a new feature for iOS 7: You can now manage which apps are allowed to use cellular networking and which must be confined to WiFi. Check out Settings > Cellular and scroll to the bottom. Unfortunately this isn't manageable via MDM.

Favorite (inexpensive) USB hub for Configurator Deployment?

alexk

Hi Everyone,

I'm new to Enterprise iOS, thank you for providing this very useful resource!

I was wondering if anyone has a favorite not-too-expensive USB hub for rolling out iPhones using Apple Configurator. I can't seem to find a USB hub for 5-10 devices with enough power to charge and sync, that's not prohibitively expensive.

Any help would be great!

Thanks,
Alex

Going to Interop NY? I could use your support on Friday!


The Interop conference & Expo is this week at New York City's Javits Center. I'm honored to be part of a small panel, on Enterprise Mobility Management – What’s Next?:

Terms like “mobile device management” and “mobile application management” imply that we should manage mobile devices and applications differently than their desktop counterparts. This panel will debate that premise. Is it really better to handle desktop management separately from MDM and MAM? Or is a holistic approach a better fit as the lines between device types blur? And will we even need to worry about managing devices if MAM lives up to its promise?

The session is Friday, October 4, from 11:30am-12:30pm at location 1E08. I'm joining Colin Steele and Steve Damadeo.

I hope I'll see you there.

Introducing our handy Database of iOS Devices — Identifiers, IPSW links, etc.


Quick quiz: How many iOS devices have ever been released? Not counting colors here, but boards. (Answer: only 35.)

I know that because today we launched our Database of iOS Devices. This is a pretty simple table of each iPhone, iPad, iPod touch and Apple TV that Apple has released since 2007. It has introduction dates, model identifiers (e.g. "iPhone 6,2") and links to the latest firmware updates.

We're leveraging the API from Just a Penguin, which has done the dirty work of compiling the firmware versions (probably by a clever script).

But we're also able to add additional details to our database. What would you like to see?

iOS 7: Supervision disables Find My iPhone Activation Lock, and vice-versa


Is Activation Lock appropriate on a corporate-owned device? Community member Duane Herring found the Apple support document below that shows Apple has been thinking about this too.

iOS 7: Mobile Device Management and Find My iPhone Activation Lock

Learn how to manage the Activation Lock feature of Find My iPhone in iOS 7.

With iOS 7, when you turn on Find My iPhone, you enable Activation Lock. Activation Lock prevents anyone else from reactivating your iOS device if it is lost or stolen. Mobile device administrators can manage this setting by supervising devices.

If you use Apple Configurator to supervise an iOS 7 device, Activation Lock will not be enabled when a user turns on Find My iPhone.

If an iOS 7 device is not supervised, Activation Lock will be enabled as soon as a user logs in to iCloud and turns on Find My iPhone. Mobile device management cannot prevent a user from enabling Activation Lock on an unsupervised device.

In any case, only the iCloud user who enabled Activation Lock can disable it.

  • If the user has access to the iOS device, they can turn it off in Settings > iCloud > Find My iPhone.
  • If the user doesn't have access to the iOS device, they can log in to icloud.com or the Find My iPhone app on another iOS device, then erase the device and remove it from the device list.

A mobile device administrator cannot disable Activation Lock after it is enabled.

Find more information about Find My iPhone Activation Lock.

Additional Information

If you use Apple Configurator to prepare a device that has Find My iPhone enabled, you will see the message "Unable to check iOS."

If the device was previously unsupervised, Activation Lock is enabled and the iCloud user who enabled Find My iPhone must disable it before you can prepare the device.

If the device was previously supervised, either the iCloud user who enabled Find My iPhone can disable it, or you can put the device into recovery mode and then prepare it.

This can be a sticky problem. Does Apple's solution work for you? Please continue the comment thread...

Streamlined enrollment: US only?

tlippert

I have heard rumors that the streamlined enrollment as announced for iOS 7 will be available in North America only. Europe and Asia will get support for this feature next year. Can anyone confirm that?

Does the iPhone 5s Give Passcodes the Finger? No, Not Yet. (Updated)


There is a lot to like about Apple's new iPhone 5s announced Tuesday. The faster and 64-bit chip, the battery-saving M7 motion processor, the really nice camera. And gold, if that's what rings your bell. But for enterprises, the headline feature seems to be "Touch ID", the fingerprint sensor built into the home button of the top-end phones.

It is clearly a leap forward, and journalists are getting very excited. But we need a reality check here, as there are some subtle but critical details that don't seem to be getting attention. Touch ID is not going to replace your passcode, it isn't more secure than your passcode, and it isn't two-factor authentication. If used properly, it can improve security for many of us. And in truth, it is a hell of a lot better than nothing.

Let me 'splain what I'm thinking.

Passcode required

Today, the key info about this feature comes from an article in the Wall Street Journal. An unnamed Apple representative says this:

Apple customers who wish to use Touch ID also have to create a passcode as a backup. Only that passcode (not a finger) can unlock the phone if the phone is rebooted or hasn’t been unlocked for 48 hours.

The way I interpret this statement is this: the passcode is, as today, the primary means of securing the device. The passcode is always available. The fingerprint sensor is an alternate means of unlocking the device, but the passcode will always be there. The fingerprint sensor is, in a sense, a shortcut to the passcode.

No additional security (unless you add it)

An iPhone with no passcode is like leaving the door to your house wide open.

Use a passcode, and you've closed and locked that door.

Not only is the phone locked, but you are now encrypting the data on your phone. So even if someone breaks open the hardware and removes the chips, your encrypted data is safe.

Introduce Touch ID, and here's what you have:

Now you have two ways into your house: Use the same passcode door as before or use the fingerprint door. If one door doesn't let you in maybe the other will. To me, it is clear this is not more secure than one door. If your passcode is "1-1-1-1" then I don't care about your fingers, I'll just enter through the passcode.

The standard 4-digit numeric passcode is pretty easy to crack. There are only 10,000 combinations, after all, and if you enter them through a tethered connection you can try them pretty quickly. But if you don't use a 4-digit numeric passcode, you get a lot more secure.

But there is a way Touch ID can enable stronger security. Since the fingerprint is effectively a shortcut around a passcode, I can now make a really difficult passcode to get into my phone. A passcode with 18 characters and symbols and caps and emoji and stuff. A passcode that was so difficult to enter that it would drive me crazy if I needed to enter it every 5 minutes. But if I need to enter the complex passcode only when rebooting the phone (almost never) or after 48 hours idle (absolutely never) then I can live with that.

Better security, but only indirectly enabled by biometrics.

Not two-factor authentication

Maybe you can see by now that the fingerprint sensor on the iPhone 5s does not provide two-factor authentication. 2FA is like two locks on the same door.

I use Google 2-Step Verification for my Google accounts — you should too — and that makes me happy. When I use that I need to enter BOTH my password and my 1-time code. [Experts will say this isn't true 2FA, but it keeps me feeling warm and fuzzy.]

Way better than nothing

Greater improvements to security are to come in iOS 7. On setup, users are prompted — actually encouraged even — to enter a passcode. And apps used to have to opt-in to use the protected data store; now it is on by default.

In truth, we should remember that not enough iOS users enter any passcode. Instead they leave their door wide open. Maybe having the fingerprint sensor is going to be just cool technology and smart shortcuts to get people to lock their front doors.

Update: You may know that using Mobile Device Management, configuration profiles, and/or ActiveSync, an administrator can require a passcode. I've heard many people asking if there will be a similar key to require a fingerprint. If I'm right in my thinking, we won't see that. If I'm right that the current implementation otherwise diminishes security (slightly), we'll see a key to disable fingerprint sensing instead.

Update 9/22: Yup, right. The new Configuration Profile Reference has a key "allowFingerprintForUnlock" that defaults to true. So you can disable fingerprint unlock, but not enforce it. Oh, and the CCC claims it has just cracked Touch ID using a high-resolution photo.
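The argument above can be turned into a profile check. This is an added example, not code from the article or from Apple: it reads a configuration profile and reports passcode weaknesses alongside the state of "allowFingerprintForUnlock". The sample profile is constructed, the 8-character minimum is an assumed site policy, and the passcode keys (forcePIN, allowSimple, minLength) come from Apple's passcode policy payload rather than from this page.

```python
import plistlib

MIN_LENGTH = 8  # assumed site policy, not a value from the article

# Constructed sample profile: 4-digit simple passcode, fingerprint key absent.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array>
    <dict>
      <key>PayloadType</key><string>com.apple.mobiledevice.passwordpolicy</string>
      <key>forcePIN</key><true/>
      <key>allowSimple</key><true/>
      <key>minLength</key><integer>4</integer>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>allowCamera</key><true/>
    </dict>
  </array>
</dict></plist>"""


def audit_profile(raw: bytes) -> dict:
    """Report passcode weaknesses and whether fingerprint unlock is allowed."""
    profile = plistlib.loads(raw)
    policy, restrictions = {}, {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.mobiledevice.passwordpolicy":
            policy = payload
        elif payload.get("PayloadType") == "com.apple.applicationaccess":
            restrictions = payload

    findings = []
    if not policy.get("forcePIN", False):
        findings.append("passcode not required")
    if policy.get("allowSimple", True):
        findings.append("simple passcodes allowed")
    if policy.get("minLength", 0) < MIN_LENGTH:
        findings.append(f"minLength below {MIN_LENGTH}")
    # The key defaults to true, so an absent key means fingerprint unlock is on.
    fingerprint = restrictions.get("allowFingerprintForUnlock", True)
    if fingerprint and findings:
        findings.append("fingerprint unlock is a second door to a weak passcode")
    return {"fingerprint_unlock_allowed": fingerprint, "findings": findings}


if __name__ == "__main__":
    print(audit_profile(SAMPLE_PROFILE))
```

A profile with a long, non-simple passcode policy produces no findings whether or not fingerprint unlock is allowed, which matches the point that Touch ID only helps when the passcode behind it is strong.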
