While importing a placeholder for some iPads I was peeking through profilemanager.log , when I found this gem.
 [2014/05/22 16:17:21.942] I: Imported placeholder device "MH-Gary Ho_iPad Mini45", SerialNumber=F7NMXXXXXX84, IMEI=, MEID=, UDID=, DeviceID=, AirplayPassword=
What I did next was add a new column AirplayPassword= to the placeholder CSV and put a password in.
Uploaded the placeholder for an AppleTV and it added the Airplay password to my AppleTV Device in ProfileManager.
Just yesterday I added 20 AppleTVs to Profile Manager, I could have saved a few steps.
Following the uncharacteristically brief information found in this Support document, I have had no luck at all.
I've been trying to successfully move Apple Configurator and all its data from an old, slow Mac Mini to a much faster Mac Mini with more RAM, a more robust processor, etc. Using Migration Assistant, I've restored everything from a Time Machine backup - all user accounts, applications, etc. I verified that all the required directories & whatnot were copied over.
Nothing worked from the very beginning. I first continually got the "Unable to attach device to Apple Configurator" while running Configurator, and "iTunes could not connect to this iPad. Could not allocate a resource" when attaching a new iPad.
Doing some investigating, I came across tidbits of information which lead me to the /var/db/lockdown folder, which seems to contain a plist file for every supervised iPad connected to the Mac. This folder was correctly transferred with Migration Assistant.
But another file, /var/db/lockdown/SystemConfiguration.plist, contains only the UUID of the old Mac. When I changed the contents of this file to hold the UUID of the new Mac, I was finally able to get the 'Trust this computer?' message on the iPad, which then allowed it to be visible in Configurator.
In the long run, the most essential feature - loading up and removing paid apps from supervised iPads - does not work.
Every other Configurator task works as expected, from installing profiles to updating iOS. It correctly shows all the apps in our catalog, free and paid, but it fails when attempting to use a paid code, indicating that I must login to the VPP-linked AppleID in iTunes. Naturally, that does not fix anything.
Has anybody here @ enterpriseiOS successfully moved configurator from one Mac to another?
We are using supervised iDevices managed by Datomo.
User have the opportunity to install private apps in the unmannaged sector of the devices.
Our business apps are in the managed sector without opportunity for the user to move data between the sectors.
We are looking for a opportunity to deny the use of airprint on the iDevices because we don't want the user to redirect printjobs of business-data to a privat pc in wlan with airprint-simultator like "Presto Collobos".
Any ideas? Airprint is configurable but i can't deny the use.
Is there a posibility to deny the bonjour-protocol? Or to redirect it to dev/nul?
Maybe a proxy-setting for bonjour?
Is there a app who will catch the airprint-traffic before leaving the iDevice?
Apple has published a list of security content in iOS 7.1.1, which was released this afternoon. Here are the highlights:
- 'CFNetwork HTTPProtocol:' An attacker in a privileged network position can obtain web site credentials
- IOKit Kernel: A local user can read kernel pointers, which can be used to bypass kernel address space layout randomization
- Security - Secure Transport: An attacker with a privileged network position may capture data or change the operations performed in sessions protected by SSL
- WebKit: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Quite a bit for a dot-dot-one release. Set your compliance rules accordingly and encourage updates.
I'm curious: do any of you have stats on how quickly your users update?
MobileIron and Good confirm invulnerability to "Heartbleed" OpenSSL attack (updated with more providers)
We've been following the recent disclosure of a massive OpenSSL bug and its affect on MDM. This is a potentially major issue for device management. Due to the trust chain of Apple's APNS, an exposed MDM server may require all devices to be unenrolled and reenrolled by hand.
We've heard good news so far (excuse the pun) from
two three four providers:
Good Technology says:
Good Technology has confirmed that the versions of OpenSSL used by all Good servers and applications are not subject to the Heartbleed vulnerability.
- All released versions of VSP, Sentry, Connector, Atlas, Connected Cloud and cloud-hosted BYOD portal are NOT affected by the vulnerability and NO action is required by our customers.
- The on-premise BYOD Portal MAY by affected by the vulnerability, depending on the version of OpenSSL that is packaged with your version of Linux currently installed on your BYOD Portal server.
Update 4/10 5:50p: Maas360 is also fine.
I've reached out to other vendors but have not yet heard a response. If you have any news please share below, and I will update the thread.
It is worth repeating that the vulnerability is not the fault of the MDM vendor and not the fault of Apple. It's in a library of cryptographic functions that is very commonly used within other applications.
Having been involved in the Enterprise Mobility Management (EMM) sector for nearly two years, I have seen these technologies mature and evolve. The recent news of VMware purchasing AirWatch has left Gartner’s Leaders Quadrant with only two independent vendors, namely MobileIron and Good Technologies. What this means remains to be seen, but it certainly validates the importance of EMM technologies. With all the progress and changes in this space, choosing the right EMM for your business is becoming increasingly difficult.
Making sense of it all
With close to 50 EMM solutions out there, how does one identify the right one for your business? To simplify matters let’s start with similarities. All Mobile Device Management (MDM) vendors promote their features and benefits, which in reality are almost identical across all solutions because they are closely tied to application point interfaces (API’s) made available by the operating system (OS) vendors like Apple, Google and Microsoft. Every vendor has their own app for all these platforms, and most make use of third-party apps like TouchDown to manage Email on Android devices. In addition most provide an enterprise app store, which links to public apps and custom-developed apps and makes management and deployment of apps easier.
So how do they differ?
Managed Configuration is a feature introduced with iOS 7, and increasingly supported by MDM providers. It allows an iOS app to receive configuration from an MDM service. The MDM service sends a plist dictionary of keys and values to the app on installation. Some MDM services allow token substitution in the values. This enables a username, for example, to be automatically sent to the app so the user does not need to type it in manually.
In theory any app supporting the native preferences system will automatically support managed configuration. In practice some apps are designed with the feature in mind. Below is a list of apps we have found to support this feature.
Please feel free to edit this wiki page and add to the list.
|Acronis Access formerly GroupLogic mobilEcho|
|Box for EMM|
|FileBrowser for Business||instructions|
|Foldr||Airwatch Instructions, JAMF Capser Instructions|
Yesterday a vulnerability came to light in OpenSSL, which underpins much of the security infrastructure on web servers and application servers around the Internet. Today the technology world is on fire about the bug. Basically, any server running OpenSSL versions 1.0.1 through 1.0.1f is at risk to a simple query. There is an online tool available to check your servers.
The bug, however, doesn't only affect SSL. OpenSSL is also commonly used for generating the asymmetric encryption keys that are the foundation of, oh, the Apple Push Notification Service. And APNS is the foundation for MDM.
If your MDM service happens to be vulnerable, or was vulnerable any time in the last two years the bug has been available, then it is possible someone has stolen your server's private APNS key. And if they do that then your MDM is compromised. But since the attack leaves no trace, well it may be better to err on the safe side.
The "safe side" for MDM means revoking your APNS certificate, and re-enrolling all devices. By hand. That is going to be a huge a bucket of pain.
So here is hoping your particular MDM service is not and was not vulnerable. I've heard from a few already, but will wait for official statements to become available before posting. Watch this thread for more as this develops.
Late last year Apple dropped the price of its suite of productivity apps to precisely zero dollars. Well, that is if you purchased a device after September 13, 2013. That was all well and good for individuals. But if you signed up for the institutional iTunes Volume Purchase Program (VPP) it wasn't so easy to send these "free" apps to devices.
Apple has simplified this — somewhat — and published the new information in a Knowledge Base article. Here is the beef:
- You need to be enrolled in VPP.
- You need to have an invoice or purchase order showing you purchased devices after September 13, 2013.
- Includes Keynote, Pages, Numbers, iPhoto, GarageBand, and iMovie. (Keynote is Apple's PowerPoint alternative and is pretty damn good.) Each of these are normally $10.
See the document for the step by step. By the way, it appears this isn't all you can eat. You will be eligible for a quantity of free apps matching the quantity of devices purchased after the cutoff date. Let us know in the comments what your experience is.
My company Tekserve has helped a number of enterprises distribute in-house apps to their employees. All too commonly, the distribution is delayed due to problems with the app provisioning profile. Below is the test we use to make sure apps have a correct provisioning profile and can be distributed correctly.
Step 1: Prepare the iOS device
Make sure the device is not registered on the Apple Developer Portal. Devices registered here may be used for ad-hoc distribution, but that is more limited than Enterprise.
Also, in Settings > General > Profile, the device should not have any provisioning profiles. Delete any profiles that may be listed. (The example below has lots of profiles that should be deleted.)
Step 2: Prepare the app
You should use Xcode to distribute and Save for Enterprise deployment. Select the provisioning profile that matches your app ID. You can not use a team provisioning profile here. Export as an IPA file.
Step 3: Launch Apple Configurator
Use only the “Prepare” pane for the following steps.
Step 4: Set up Apple Configurator as follows
To avoid erasing your device, be sure Supervision is off, and Update iOS is “Never”.
Step 5: Drag the IPA into the “Apps” tab
Check the checkbox when done.
Step 6: Connect the iOS device and click “Prepare”
If there are provisioning errors or bundle ID errors, Configurator will present an error at this step.
Step 7: When done, disconnect the iOS device and tap the app to launch.
The app may present a certificate to confirm that you want to run the app. That is OK. The app should launch successfully and not immediate quit to the home screen.
Microsoft today woke up and smelled the iPads. Now available on the App Store: Excel, Word, and PowerPoint. We are told these are not Lite versions or ported from desktop, but full featured and robust. Free to download, they promise faithful read-only access to your Office docs. Document editing and sharing is unlocked with an Office360 subscription.
(Microsoft also announced an MDM offering that ties into Active Directory. That should be interesting to explore soon.)
Watch a video of the event (viewable on iPad!) or check out the reviews on several prominent sites:
Word, via Ars Technica
Excel, via TUAW
Like it? Tell us in the comments.
We have a fleet of devices out that are supervised by our dedicated terminal and provisioned with MDM in line with CESG guidelines.
My question is that it seems a user has wiped the device by entering the passcode too many times wrong, then taken the liberty to reinstall the mdm etc (in this case symantec app store). So in terms of reporting from our admin side the device looks normal, but in actual fact some of the restrictions have been removed such as game center, allowing connection to other macs, and allowing installation of other certificates due to the Supervision profile being removed!?..
How would we get around this and how can we enforce policy that stops users being able to do this.
About This Site
- Comparison of MDM Providers (632,943)
- Complete List of iOS User-Agent Strings (263,875)
- How to get remote viewing/control of the IPAD screen via internet or preferably 3G? (175,556)
- Apple Configurator vs. MDM (124,277)
- Mobile Device Management (82,719)
- Apple Profile Manager (72,475)
- Batch Apple ID Creator (67,519)
- Gartner Magic Quadrant for MDM (2014, 2012, 2011) (67,172)
- AirWatch (67,083)
- iOS Devices (66,355)
Comparison of MDM Providers
Forum topic comment by duffjay 4 hours ago
Forum topic added by SDCCS_Tech 3 days ago
Forum topic comment by Kees 4 days ago
Forum topic added by dkingsho 4 days ago
Wiki Page comment by zarpu 6 days ago
Forum topic added by ScottBenson 1 week ago
Forum topic comment by Mansoorsharifi 1 week ago
Forum topic added by Foldr 1 week ago
Forum topic comment by HCCSC John H 1 week ago
Forum topic comment by HCCSC John H 1 week ago
Forum topic comment by jvolzer 1 week ago
Mobile Management Provider changed by JAMFSoftware 1 week ago
Forum topic added by jerthebear 1 week ago
Forum topic comment by jerthebear 2 weeks ago
Mobile Management Provider changed by gabriellehoyt 2 weeks ago
Mobile Management Provider changed by simon.bonello 2 weeks ago
Forum topic comment by ianrichie 2 weeks ago
Forum topic added by cgunawan 2 weeks ago
Forum topic comment by Aaron Freimark 2 weeks ago
Forum topic comment by ENickRyan 2 weeks ago