A handful of our 700 users have started upgrading their iPads to iOS7 (even though we've told them not to, but I'm not surprised).
These users are enrolled onto our MDM, and have various apps and restrictions enforced.
Some of these users have come back to report that "everything has disappeared" post upgrade. Including the enterprise app we've deployed and the MDM agent. Which means to me that the device has become unenrolled.
Some other users have actually updated their devices to iOS7 and their apps/restrictions have remained post update.
So what we're doing is either manually re-enrolling the devices if they're close enough to come into the office, or we're walking the users through it over the phone (which isn't easy).
We're doing some testing now to try and figure out what has happened to the first user, but what I'm wondering is how do others with large deployments of managed iOS devices handle such a significant OS upgrade?
In your experience, do you see this as a smooth transition, or are there common problems which occur?
In iOS 7 VPP is all brand new. I haven't yet seen a demo of MDM that works with the new VPP system (I may on Monday). But here is how I understand it is all supposed to work.
The process still begins by visiting http://vpp.itunes.apple.com, searching for and purchasing apps. Before iOS 7 you would need to download a spreadsheet of redemption codes. Now there is nothing to download. Instead, the iTunes VPP store keeps a record of your purchases. Then...
- You use your MDM system to send VPP program invitations to your devices.
- You use MDM to register users with VPP
- MDM import your app catalog. This tells MDM which apps you have purchased and which, if any, licenses have been used.
- You use MDM to assign any unused licenses with users, and tell Apple about these associations
- You may now push out these apps to devices
The key here is step 4. When you associate the app "PCalc" with user "George Washington," Apple adds "PCalc" to George's App Store purchase history. George can now use PCalc on all his devices. What's more, George doesn't need to enter his Apple ID and password to download. After all, he's not purchasing it, he's just downloading it. There is, however, a confirmation on the device that George needs to accept. (On supervised devices there is no confirmation and the app installs silently.)
What's more, you can now use MDM to revoke an app from a user. This allows the institution to reassign PCalc to someone else, while allowing George a grace period. Pretty nifty.
If the entire process is much smoother, there are still some quirks. Not only does the institution not need the user's Apple ID to assign an app, Apple has seemingly bent over backwards to avoid revealing the Apple ID to the institution. Apple IDs are, apparently, private to Apple's relationship with the user.
Since this is merely a set of APIs I'm curious how MDM vendors implement it in different ways. Who will have the smoothest implementation?
Hey you guys! All 30,000/month of you. I have something to say, and I want the world to know.
I ❤️ Apple Configurator!
Don't you too? No? I understand. Configurator could very well be Apple's most misunderstood software. Most people who try Configurator will be under the impression that Configuration's forte is "accidentally erasing my iPhone." But when used properly Configurator does stuff with iPhones and iPads that no other software will do.
For starters, Configurator is the only way to supervise iOS devices. I'm going to write more about supervision in an upcoming article, because it is a really important concept in iOS 7. Briefly, supervision is Apple's way of saying that an iOS device is institutionally owned. Supervision unlocks additional management features that would be inappropriate on an individually-owned device (in Apple's opinion).
(A note of caution: in order to underline the gulf between institutional and personal devices, Configurator will always erase your device when either supervising and unsupervising. In fact it erases EVERY DEVICE that is plugged into your Mac when you hit "Prepare." Did you hear that? So unplug your newly-updated iPhone and iPad now, and plug in a spare iPod or something like that. Because when you are testing Configurator I promise you will be erasing lots of devices.)
If your devices are institutionally-owned and supervised, Configurator 1.4 packs a lot of new goodness:
- Disallow AirDrop
- Disallow iMessage
- Disallow manually installing configuration profiles
- Disallow modifying mail & calendar settings
- Disallow modifying Find My Friends
- Configure Web Filtering to whitelist or blacklist any sites -- pretty powerful stuff.
- Allow or disallow pairing with other computers
Did you catch that last one? Previous versions of Configurator would always allow pairing only by the Mac it was originally supervised with. All other computers would be prevented from connecting to the device. That was good for many smaller implementations. But it was a big obstacle in some larger deployments. Now you have the option of allowing supervised devices to connect with any host.
Even if your devices aren't supervised, Configurator 1.4 is a very powerful tool. It has always been helpful with large deployments. Now it can automatically enroll devices it prepares into MDM without user interaction, and it even waits until WiFi is up to do that. It can manage new iOS 7 features such as managed open in, configure AirPlay and AirPrint, and install fonts.
So try it, and maybe you'll ❤️ Configurator too.
With Find My iPhone turned on in iOS 7, your Apple ID password will always be required before anyone can Erase the iphone or reactivate and use the device.
So if we fire someone and they fail to give us their Apple ID password, they have effectively locked out of the phone preventing it from being re-used.
How are enterprises going to deal with this? Is there an MDM solution out there that can circumvent this or load a profile that prevents this scenario from happening?
In case you need another reason to update to iOS 7, here is a really long list of its security fixes
Apple has posted a remarkably long list of security vulnerabilities friend iOS 6, and fixed in iOS 7. See this link: http://support.apple.com/kb/HT5934
You may have noticed how Apple's servers were a little stressed today. To overcome thin bandwidth, we used Apple Configurator and copies of the iOS 7 GM we'd previously downloaded (they are identical to the final release). And here's what it looked like:
Cribbed from the always useful http://ios.e-lite.org:
|device||current version||date found|
|AppleTV(2G) (AppleTV2,1)||5.3 (10B809)||06/19/2013 18:04:01|
|AppleTV3,1 (AppleTV3,1)||5.3 (10B809)||06/19/2013 10:11:01|
|AppleTV3,2 (AppleTV3,2)||5.3 (10B809)||06/19/2013 10:11:01|
|iPad (iPad1,1)||5.1.1 (9B206)||05/07/2012 13:13:01|
|iPad2(wifi) (iPad2,1)||7.0 (11A465)||09/18/2013 13:54:01|
|iPad2(at&t) (iPad2,2)||7.0 (11A465)||09/18/2013 13:54:01|
|iPad2(vz) (iPad2,3)||7.0 (11A465)||09/18/2013 13:54:01|
|iPad2,4 (iPad2,4)||7.0 (11A465)||09/18/2013 13:54:01|
|iPad2,5 (iPad2,5)||7.0 (11A465)||09/18/2013 13:54:01|
|iPad2,6 (iPad2,6)||7.0 (11A465)||09/18/2013 13:54:01|
|iPad2,7 (iPad2,7)||7.0 (11A465)||09/18/2013 13:54:01|
|iPad3,1 (iPad3,1)||7.0 (11A465)||09/18/2013 13:54:01|
|iPad3,2 (iPad3,2)||7.0 (11A465)||09/18/2013 13:54:01|
|iPad3,3 (iPad3,3)||7.0 (11A465)||09/18/2013 13:54:01|
|iPad3,4 (iPad3,4)||7.0 (11A465)||09/18/2013 13:54:01|
|iPad3,5 (iPad3,5)||7.0 (11A465)||09/18/2013 13:54:01|
|iPad3,6 (iPad3,6)||7.0 (11A465)||09/18/2013 13:54:01|
|iPhone (iPhone1,1)||3.1.3 (7E18)||04/08/2010 21:05:48|
|iPhone3G (iPhone1,2)||4.2 (8C148)||11/22/2010 13:08:57|
|iPhone3GS (iPhone2,1)||6.1.3 (10B329)||03/19/2013 13:00:01|
|iPhone4 (iPhone3,1)||7.0 (11A465)||09/18/2013 13:54:01|
|iPhone3,2 (iPhone3,2)||7.0 (11A465)||09/18/2013 13:54:01|
|iPhone4(vz) (iPhone3,3)||7.0 (11A465)||09/18/2013 13:54:01|
|iPhone4S (iPhone4,1)||7.0 (11A465)||09/18/2013 13:54:01|
|iPhone5,1 (iPhone5,1)||7.0 (11A465)||09/18/2013 13:54:01|
|iPhone5,2 (iPhone5,2)||7.0 (11A465)||09/18/2013 13:54:01|
|iPhone5,3 (iPhone5,3)||7.0.1 (11A470a)||09/18/2013 13:54:01|
|iPhone5,4 (iPhone5,4)||7.0.1 (11A470a)||09/18/2013 13:54:01|
|iPhone6,1 (iPhone6,1)||7.0.1 (11A470a)||09/18/2013 13:54:01|
|iPhone6,2 (iPhone6,2)||7.0.1 (11A470a)||09/18/2013 13:54:01|
|iPodTouch(2G) (iPod2,1)||4.2 (8C148)||11/22/2010 13:08:57|
|iPodTouch(3G) (iPod3,1)||5.1.1 (9B206)||05/07/2012 13:13:01|
|iPodTouch(4G) (iPod4,1)||6.1.3 (10B329)||03/19/2013 13:00:01|
|iPodTouch(5G) (iPod5,1)||7.0 (11A465)||09/18/2013 13:54:01|
|last updated: 09/18/2013 16:28:01 EDT|
We've spent a good number of hours over the last week updating our Comparison of MDM Providers for iOS 7. We've removed some of the more arcane sections that were getting in the way and have made the list easier to navigate. This was no small feat: there are over 100 points of comparison and 48 MDM providers.
Here are some of the many new fields we're now including:
- Info Last Updated (date)
- Supports iOS 7 (Y/N)
- Enrollment by Configurator
- Enrollment by Apple Device Enrollment Program
- Allow Custom XML profiles
- Supervised MDM features: Prevent Game Center, Prevent iMessage, App Lock (iOS 6), Global HTTP Proxy (iOS 6), Web Site White & Black-Listing (iOS 7), Prevent Manual Profile Installation
- App Management: Push Enterprise Apps, Separate Managed and Unmanaged Data, Per-App VPN, Push App Configuration, Pull App Feedback, App Wrapping, App Developer SDK
- VPP Licensing Integration
- Reassign VPP Licenses
- Support for other devices: Apple TV, Samsung, Nexus, HTC
So how do we learn about every MDM provider on the planet? Our secret is that we crowd-source the data. Much of it comes from the providers themselves, but other parts are added by a dedicated group of MDM aficionados. And if you see an incorrectly-ticked box, please edit the page and fix it. Hey, it's a wiki!
So I'm extra proud that here, on Day 1 of iOS 7, our chart has been updated for the following MDM providers:
If your favorite isn't on this list, just log in and update it! I'll announce updates as you do.
[updated 6:16 PM EDT]
iOS 7 is arriving tomorrow. Those of you with many devices and little bandwidth (I'm looking at you, education) may be worried about those multiple 1GB+ downloads. Apple's caching server (currently in beta) isn't going to help yet — iOS 6 doesn't know how to use it. So here is something that may help.
iOS devices check for new versions by polling the server mesu.apple.com. This is done via HTTP, port 80. Specifically, the URL is:
If you block or redirect mesu.apple.com, you will inhibit the check for software updates. If you are really ambitIous, you could redirect the query to a cached copy of the XML, but I haven't tried that. Please remove the block soon; you wouldn't want to prevent those security updates, would you?
Good luck. For the rest of you, happy updating tomorrow! We be here with plenty of news.
According to a story in 9to5mac.com, the iOS App Store is allowing downloads of older versions of apps if the newer versions would be incompatible. So say you are running the iPod touch 4 and you won't be able to upgrade to iOS 7. Even if your apps are upgraded to iOS 7-only, you'll still be able to download and use the older iOS 6 versions.
Anyway, the picture explains it better than I can.
- Close Configurator
- In Terminal type:
defaults write com.apple.configurator LogLevel ALL
- Open Configurator
- View logs in Console
To go back to normal logging use the command
defaults delete com.apple.configurator LogLevel.
I am working in a company that is extremely interested in deploying an in house MDM solution to administer iPhones for our employee. After a day of work, I have set up a Mac Mini with the server app and successfully enrolled an iPhone to the MDM and able to push profiles over the air.
However, using the server app provides us with an web interface which we believe to be not as flexible. As such I am wondering are there SDK or API which I can use to write some programs to automate the process. Currently, I do not have an Enterprise Account with Apple yet and I want to confirm if all these are available before signing up.
Why do the consumer features get all the attention? Join us in the land of make believe as we imagine what an enterprise focused Apple keynote event would have been like....
These are the slides from my presentation at the 2013 MacIT Conference and AirWatch Connect conference. Thanks to everyone who attended! A packed room each time!
About This Site
- Comparison of MDM Providers (488,596)
- Complete List of iOS User-Agent Strings (181,917)
- How to get remote viewing/control of the IPAD screen via internet or preferably 3G? (108,991)
- Apple Configurator vs. MDM (94,581)
- Mobile Device Management (64,606)
- AirWatch (52,873)
- Absolute Manage (50,533)
- Apple Profile Manager (48,783)
- Gartner Magic Quadrant for MDM (2012, 2011) (43,594)
- iOS Device Management Open Source Way (39,593)
Comparison of MDM Providers
Story added by Aaron Freimark 8 hours ago
Forum topic comment by cjackson 8 hours ago
Forum topic comment by cjackson 13 hours ago
Forum topic comment by daybreaker01 14 hours ago
Forum topic comment by pinkyponk 15 hours ago
Forum topic comment by usher.br 15 hours ago
Forum topic comment by pinkyponk 15 hours ago
Forum topic comment by usher.br 15 hours ago
Forum topic comment by OmegaApex 17 hours ago
Forum topic comment by usher.br 2 days ago
Forum topic comment by daybreaker01 4 days ago
Forum topic comment by usher.br 4 days ago
Forum topic comment by coombes69 4 days ago
Forum topic comment by daybreaker01 5 days ago
Forum topic comment by dronf 5 days ago