VPP/MDM Not a Happy Combo anyone?

Submitted by HCCSC John H on September 14, 2014 - 5:51pm
HCCSC John H's picture
No votes yet

That may seem like a vendor complaint but truly seeking answers to who else on other MDM platforms is experiencing this.
For the first month of school our MDM is truely struggling with pushing out paid VPP apps to devices and continually has major VPP licensing issues. As in it thinks that we do not have any licenses to distribute VPP apps normally and we need to go thru a long time consuming procedure per unit to get paid apps on devices involving 'retiring' the current VPP user in MDM, recreating that units VPP 'user' in our MDM and then doing a manual association of paid apps to that device, plus many other 'workarrounds'. So far our MDM provider has indicated issues with VPP syncing with their product and has issued 2 Server SW patches to address issues in the last month, both of which we have limited success with. Other K-12 Districts have similar VPP issues with this particular MDM product. Up to this point we have been extremely happy with our MDM providers support, but this month of basically silence while we suffer with this issue with very little communication has left a very bad taste in out mouth for their product and honestly looking other directions for a MDM solution.
Anyway, all of that to ask with your MDM have you had any issues where the VPP licenses under normal conditions about 60-70% of the time will not associate correctly with a iOS device and an Apple ID 'user' unless you do a long drawn out procedure per device to address? With over 3500 devices at this pace it will be past Christmas break before we get the paid apps issues addressed on units.

iOS 8 will be available September 17

Submitted by Aaron Freimark on September 9, 2014 - 2:55pm
Your rating: None (2 votes)

At a press event today, Apple announced that iOS 8 will be publicly available on Wednesday September 17. The update is free and compatible with:

  • iPhone 5S
  • iPhone 5C
  • iPhone 5
  • iPhone 4S
  • iPad Air
  • iPad with Retina Display
  • iPad 2
  • iPad mini with Retina Display
  • iPad mini
  • iPod touch 5th Generation

So test out those caching servers (and if inclined those DNS blocks).

Introducing GroundControl: USB Setup for iPads and iPhones, Managed in the Cloud

Submitted by Aaron Freimark on September 8, 2014 - 12:00pm
Your rating: None (12 votes)

[Editor's note: Folks, for the last nine months or so I've been working on a pretty big project, and today I'm happy to help reveal it to you. Much of what I've learned has come from this community. Thank you! And if you are in Atlanta at AirWatch Connect, please stop by the expo and say hi.]

GroundControl is a new system for streamlining iOS deployment, launching today. Plug in a USB cable, and GroundControl supervises, restores a base image, and installs configuration profiles, on out-of-the-box iPhones and iPads and without a screen touch. The multiple "Launchpad" base stations are managed by the cloud, helping ensure a consistent experience no matter how large your deployment is. If you like, think of it as "Configurator in the cloud".

Perhaps the best way to get a feel for the product is to take a look at the demo video below:

Visit the site http://www.groundctl.com for an FAQ and a signup for a trial. If you have questions please ask.

-- Aaron

The press release follows.

What does "Expanded data protection" actually mean?

Submitted by banthafodder on September 4, 2014 - 11:40am
banthafodder's picture
Your rating: None (2 votes)

I've been wondering this for quite some time and haven't been able to figure it out. Apple has touted the following as a new feature coming in iOS 8.

"In addition to Mail and third-party apps, the Calendar, Contacts, Reminders, Notes, and Messages apps as well as user credentials are protected with a passcode until after the device is unlocked following a reboot."

What does that actually mean? It seems incredibly vague. Does that mean those applications will be able to have their own passcode at the application level instead of the device level? If not, then what is actually different from how passcodes worked before? Hasn't "protected with a passcode until after the device is unlocked following a reboot," always been the case when a passcode is being used?

Reselling of iPad to end user - Apple ID is stuck

Submitted by cmasonrun on September 3, 2014 - 12:36pm
cmasonrun's picture
No votes yet

We have a program that is just getting off the ground that allows our franchised users to purchase an iPad from us with good financing terms and the company specific apps to be preloaded when they receive it.

The problem we are running into is, since we are using Configurator to setup the iPads (download Google Chrome and Podcasts among others). When the user receives the iPad, it is not tied to an Apple ID but when Google Chrome releases an update, then the update screen prompts for the password that was originally used to download the app.

Is there any way to avoid this?

We currently,
Setup email, download apps, and download some content within the apps. Some of this is automated through Configurator and some is manual. If we move to a completely manual process we still get the same issue as an Apple ID is required to download the free stuff.

The devices will not be supervised nor will they be ever touched again by our IT staff. These are resold to the end user and setup as a value added service.

Apple expands iTunes VPP to 16 new countries

Submitted by Aaron Freimark on August 24, 2014 - 9:28pm
Your rating: None (7 votes)

Apple has announced that its iTunes Volume Purchase Program is now available in 16 additional countries. The full list is now:

Australia, Belgium, Canada, Denmark, Finland, France, Germany, Greece, Hong Kong, Ireland, Italy, Japan, Luxembourg, Mexico, Netherlands, New Zealand, Norway, Singapore, Spain, Sweden, Switzerland, Taiwan, Turkey, United Arab Emirates, United Kingdom, and United States.

In addition, Apple is now allowing VPP credits to be purchased through resellers (at least in the U.S.). Previously, credits were sold direct only. Support your favorite reseller and purchase locally!

can a sideloaded app with apple configurator be independantly updated by another apple id?

Submitted by dvincent on August 14, 2014 - 12:17pm
dvincent's picture
No votes yet

i have a question about the nature of app updates on iOS7 that are sideloaded using the apple configurator. Is there any technical reason why apps sideloaded on an iOS 7 device cannot be later updated with another signed in apple id?

i looking into sideloading the MobileIron MDM client using the apple configurator, but only if the mobileiron mdm client can be updated from the apple app store using the owner's own personal apple id?

Does anyone have any experience with sideloading MDM client ipa files using the apple configurator?

Regards,

Dave

Zdziarski's Backdoor: A Roundup of Articles

Submitted by Aaron Freimark on July 28, 2014 - 6:28pm
Your rating: None (2 votes)

About a week ago, security researcher Jonathan Zdziarski revealed what apparently is a number of "backdoors" to iOS. These allow access to data on even encrypted devices, as long as a pairing record is available from a trusted source (not trivial). Although Jonathan took pains to qualify the announcement, several reports have seemed to exaggerate the issue.

In response, Jonathan has compiled a list of more reputable tech articles on the topic. I've reprinted the list below.

iOS Lockdown “Backdoors” (TL;DR)
Dino Dai Zovi, Co-Author “iOS Hacker’s Handbook”

Surveillance Mechanisms in iOS Devices – Don’t Panic but… Do Read This
Elissa Shevinsky, CEO of Glimpse

Apple iPhones allow extraction of deep personal data, researcher finds
Reuters / Joseph Menn

Is Apple’s iOS Backdoor Not a Backdoor
Wall Street Cheat Sheet / Nathaniel Arnold

iOS slurp ware brouhaha: It’s for diagnostics, honest, says Apple
The Register / Iain Thomson

Any questions?

Upgrading iOS devices enmasse...

Submitted by TechTimm on July 15, 2014 - 11:51am
TechTimm's picture
Your rating: None (2 votes)

All, I have an oddity that hopefully someone has some ideas.

My infrastructure does not support traditional IP structures.
When we set up Apple Server to do Caching it instantly disables and errors out that we are using a public network. Which we are not, we just (as I said) don't use the traditional 10.*.* approach.

We need to upgrade multiple devices in multiple locations and don't / can't tie up the bandwidth needed to do them all over the air.
Here is an example:
One location may have 300 iPads.
iOS 8 is going to come in ~1.7 gb.
You don't have to be a network genius to see that 510gb of data, is going to drop traffic to a crawl!
Especially when other traffic gets the majority of the bandwidth and these device scavenge for what they get.

Has anyone tackled this, if so... please elaborate.
Are there other offerings Casper or SCCM come to mind in my quandry.

Any and all assistance is a boon at this point,
Thanks!

Updated version of the Apple ID-creating Script

Submitted by usher.br on July 14, 2014 - 2:20pm
usher.br's picture
Your rating: None (4 votes)

I have updated the script to work with versions 11.2.2 and 11.3

You can find the updated version here: https://github.com/brandonusher/Apple-ID-AppleScript

I have tested the creation process with the updated version while creating ~3,000 IDs and I only ran into one issue I couldn't fix, which is as follows:

  • Sometimes AppleScript won't be able to find the iTunes window, so it breaks. To fix this, just edit the spreadsheet to remove the IDs it has already created and run the script again.

If you have any questions, feel free to ask and I can try to help you out Smile

About the security content of iOS 7.1.2

Submitted by Aaron Freimark on July 1, 2014 - 5:51am
Your rating: None (2 votes)

iOS 7.1.2 was released yesterday, and it includes a long list of security improvements. See the details here: http://support.apple.com/kb/HT6297

From the horse's mouth: Apple posts pre-release iOS 8 Configuration Profile Reference

Submitted by Aaron Freimark on June 18, 2014 - 9:34am
Your rating: None (8 votes)

It seems Apple has made the prerelease Configuration Profile Key Reference available to the public. This the technical documentation for much of the iOS and Mac enterprise management capabilities Apple makes available via MDM vendors, Configurator, etc. (The other main document, the MDM Protocol Reference, remains behind the developer site authentication wall.)

I've done a diff with the documentation for iOS 7, and here are the highlights. Remember, this is prerelease and may change before release.

  • SMIMEEnablePerMessageSwitch (Email Payload): Optional. If set to true, enable the per-message signing and encryption switch. Defaults to false.
  • allowManagedAppsCloudSync (Restrictions Payload): Optional. If set to false, prevents managed applications from using cloud sync.
  • allowEraseContentAndSettings (Restrictions Payload): Supervised only. If set to false, disables the “Erase All Content And Settings” option in the Reset UI.
  • allowSpotlightInternetResults (Restrictions Payload): Supervised only. If set to false, Spotlight will not return Internet search results.
  • allowEnablingRestrictions (Restrictions Payload): Supervised only. If set to false, disables the "Enable Restrictions" option in the Restrictions UI in Settings.
  • allowActivityContinuation (Restrictions Payload): If set to false, Activity Continuation will be disabled. Defaults to true.
  • allowEnterpriseBookBackup (Restrictions Payload): If set to false, Enterprise books will not be backed up. Defaults to true.
  • allowEnterpriseBookMetadataSync (Restrictions Payload): If set to false, Enterprise books notes and highlights will not be synced. Defaults to true.
  • EAPFASTUsePAC (WiFi Payload): Clearer fallback rules
  • AlwaysOn VPN
  • IKEv2 VPN
  • Web Content Filter Plugins
  • Managed Domains: New Email domains and Web domains. This payload defines web domains that are under an enterprise’s management.

Apple Device Enrollment Program for iPhones

Submitted by ChrisTx on June 14, 2014 - 4:56am
ChrisTx's picture
Your rating: None (2 votes)

Is anyone here using the new Apple Device Enrollment Program (DEP) for iPhones? I can see it being used for iPads since you can normally buy these direct from Apple however iPhones are a bit more challenging because I would think most enterprises buy the phones from their wireless provider. Can anyone please provide any insight they may have regarding DEP and iPhones? Thanks!

3 common pitfalls when developing Enterprise Mobile Apps

Submitted by Arun Nedunchezian on June 10, 2014 - 5:50pm
Your rating: None (2 votes)

This has been said and heard over many times but I thought it will be good to reiterate since many enterprises will dive into creating their first mobile App and my goal is for them to avoid these pitfalls

1) Taking over 6 months from start to deploying the mobile App's first version: Everyone is very comfortable with traditional water flow implementation approach where you take 2 to 3 months to gather requirements and then go into design and build phases. You even extend the timeline to accommodate all the requirements. However this model is lethal for several reasons. First, mobile space is fast growing space where the OS sees a major version upgrade 3 to 4 minor upgrades every year. Second, you have plethora of new devices and accessories coming in everyday and current model become absolute in less than 2 years. So if your App is somewhat dependent on a particular device type then the device may become absolute even before you deploy the first version. At times, device compatibility becomes an issue if your App utilizes accessories to work
Solution: Take the traditional development approach and reverse it. Identify 1 to 2 must have requirements and reverse engineer the timeline. Identify and develop foundational elements such as logins, navigation, UI design items and create a template so that new view controllers and additional page can be easily developed later. Deploy that 1 functionality to the end users and get their feedback. 1st deployment should be within 10-12 weeks and after the first deployment go into 3-4 week update cycle where incremental functionality is introduced

2) Connecting the mobile App to existing backend systems sitting inside corporate data center: I have seen this scenario many times. The requirement goes like this...You have a desktop application that is connected to your On premise backend system such as SAP or Oracle or even mainframe. Now the requirement is to develop a mobile App that uses the integration web services to send and receive data directly to the backend system. The App is developed in xcode by instantiating the web service directly to send and receive data. In theory everything should work great because users can use either mobile App or desktop to access the backend system data and update them at the same time. However it screws up the user experience because the integration to the web service is not optimized for mobile traffic.
There are huge differences between how a desktop application sends data and mobile device send the data. In desktop application,
○ Bandwidth is not an issue so the payload size (actual data size) is always big.
○ Mostly they are request/reply interfaces where the data is sent and it waits for confirmation before "Success/failure" status is returned and the connection is closed
○ There are minimum of 2 to 3 hops before the data is handed off (it may hit gateway, application server and then the database)
Now this is opposite for mobile App… Mobile App requires small payload, multi-threaded, reduced connection time, and least no. of hops
When user open the App it takes at least 30 sec to get to the main screen because it is getting all the data in a single thread. During updates the user sees the loading spinner for more than 30 sec because it is waiting for the backend system to provide confirmation before the App can let the user go. Imagine a user trying to use the App while not on Wi-fi but with their wireless network. That might be the last time the user will ever use the App...
Solution: Do not connect your mobile App directly to your backend system but introduce a staging area where the data can be stored and retrieved by the App. The staging area can be even housed within a cloud provider outside of corporate network as long as there is VPN connectivity to the corporate network. This provides great user experience when the user opens the App and within seconds all the data is already loaded. Use background App refresh to preload the data where applicable. When saving the record, the data updates goes into this staging and then the sync occurs between staging and the backend system. The App will be really fast and the end users will love it.

3) Using existing business process with mobile App rather than creating a new one: it is hard to manage change and expensive to change the existing tried and tested business process. When creating mobile App the same business process is extended rather than changing it or introducing a new one. It is totally wrong if the goal is to create a mini me version of desktop so that the users can use mobile device.
Solution: Take advantage of new assets on the mobile device such as Camera, GPS, Bluetooth and add change time consuming business process. In this article American Airlines CIO talks consumerization, the CIO talks about how baggage mishandling was reduced by 65% by scanning the bags.

Overall, I think there is a lot of disruption to be made with enterprise mobility if the right solution is developed and implemented the way the employees can use them effectively. As always feel free to correct me and add your comments.

Beyond the Keynote: Apple's Detailed Enterprise Presentation Videos from WWDC 2014

Submitted by Aaron Freimark on June 8, 2014 - 10:28pm
Your rating: None (4 votes)

WWDC has always been the one time each year when Apple peels back the curtain of secrecy and previews what is to come. That is if you were one of the lucky ones to score a ticket. But in 2014, in what I think is an unprecedented display of openness, Apple has released every video of every WWDC session online and to the public. Last year, you needed to be at least a member of the developer program to view these. This year everyone can see.

Here are the three most directly focused on Enterprise. I hope you take the time to watch and comment. They really are worth your time.

Managing Apple Devices


Learn about the latest developments in managing Apple devices in an enterprise environment. Learn how MDM can be used to wirelessly configure settings, monitor compliance with policies, install apps, and remotely wipe devices, and how these capabilities can be integrated with in-house or third-party server solutions.

Building Apps for Enterprise and Education


Learn about data security, enterprise authentication, integration with back-end systems, app configuration methods, and the latest technologies for interacting with documents, accessories, and more. Get helpful tips for constructing your apps to meet the needs of schools and educators, as well as key requirement from IT. Perfect for everyone looking to get their apps in the hands of business professionals, educators, and students worldwide.

Distributing Enterprise Apps


Learn how to provision and deploy apps across your enterprise. Leverage key Apple programs such as the Volume Purchase Program and the iOS Developer Enterprise Program to get the right apps in the hands of your employees, contractors, and partners. Learn how to manage certificates and provisioning profiles to deploy your apps, and take advantage of mobile device management (MDM) tools to provide a seamless experience for your users. Gain insight into the complete app management lifecycle; from signing your in-house apps in Xcode, to distributing, managing, and revoking apps across your workforce.

Popular content

more

Recent Activity