Using AirWatch 8.0.5, is there a way to include AirWatch MDM Agent app in staging of > 10K iPads without requiring Apple IDs?


Patrick Dawson

Joined: Nov 6, 2015

We have a large-scale iOS 9 device deployment project in our pipeline. As part of the project, we will use an MMS vendor to stage and kit over 10K DEP'd iPads for one of our highly mobile employee groups. Once staged, the iPads will be shipped by the vendor to addresses specified by the employees (usually home addresses).

A requirement of the project is that each iPad arrive at the employee's address ready to use by the employee. The plan is to treat these iPads as COPE devices: though corporate-owned, the employees will be encouraged to create a personal Apple ID (if they don't already have one) and use it to personalize the device (install personal apps, use iCloud for personal content, and so on). As an enterprise, we do not want to pre-create a second "enterprise" Apple ID for use by each Flight Attendant (because of privacy, usability, and so on). In keeping with Apple's strategy of separating "personal" from "enterprise", we want to stay out of the business of creating, supporting, or even being aware of employees' Apple IDs on these COPE iOS devices.

All enterprise apps, profiles, and configurations will have been applied via MDM as part of the DEP'd iPads' staging. This includes a core enterprise B2B VPP app already widely used by other employee groups in the company. Prior to iOS 9, pre-installing this B2B VPP app as part of a staging process for thousands of iPads, and thereafter being able to manage all updates to the app and device remotely over the air via MDM, would have required the use of an Apple ID in order to download and install the app, either through the older VPP token code approach or the newer VPP managed license approach (both via MDM). But with the WWDC's announcement of VPP app "device assignment" in iOS 9, the use of an Apple ID to install this app during iPad staging would seemingly no longer be required.

We currently use AirWatch Admin Server 8.0.5 in three dedicated SaaS environments (DEV, QA, and PROD).
Unfortunately, we have not yet received any indication from AirWatch Enterprise Support when they will release a version of their Admin Server that will support iOS 9 VPP app "device assignment" (no Apple ID required). October 9th was our deadline to get an answer on this from AirWatch Enterprise Support if we were going to upgrade our AirWatch environments in Q4. Now that the deadline has passed, we are not planning to upgrade the AirWatch environments any sooner than Q1-2016. We have already undertaken three major upgrades of these environments over the past 13 months, and each upgrade requires significant regression testing for employee groups throughout the company.

So for the moment, the absence of a date when VPP app "device assignment" will be supported by AirWatch is forcing our project to fall back to “Plan B” for staging the iPads with the enterprise apps they need. Fortunately, it appears that we might have successfully lobbied the vendor of the legacy B2B VPP app mentioned above to directly provide us an *.IPA as an alternative to using B2B VPP. If they can give us an *.IPA, then we'll just load it in the AirWatch app catalog and set it to automatically install. Then we'll be good for including the app in the iPads' staging: obviously no Apple ID will be required or involved for the app.

But here’s my remaining question: what are my options for handling installation of the public AirWatch MDM Agent app during staging if I only have AirWatch Admin Server 8.0.5 at my disposal? How can I include the AirWatch public app in the staging without again requiring the use of an Apple ID? Remember, we're talking about over 10K COPE iPads being delivered all over the US to employees who move all over the country and don't really have an office (at least not one with any sort of company tech support). So this isn't like the education space in which the iPads will have a cart-based home to which they can return periodically in order to update apps, etc. Once staged and shipped, these iPads and their apps have to be manageable remotely over the air via AirWatch for the next ~3 years.

And finally, we have always required the AirWatch MDM Agent app for iOS device enrollment in AirWatch because of the additional jailbreak detection and compliance checking it provides. "Web enrollment" in AirWatch has not been seriously considered previously, but I'm wondering if we might be forced to pursue that route for this project.

I appreciate any suggestions or guidance you can offer.

techlife


Joined: Oct 29, 2015

AirWatch Enterprise Support says that's not possible


I came across the same type of question when I was going through our DEP deployment design. I wanted to have all apps pushed to the devices automatically, without any user intervention of any kind (after DEP was complete). Because jailbreak detection relies on the AirWatch MDM agent being installed, asking for an Apple ID during enrollment is required. Furthermore, once the MDM agent is installed, the user will need to launch the Agent in order for the device compliance status to be verified with the AirWatch server. Once the device has passed security compliance verification, the additional settings and apps will be pushed to the device.

The only way to get around this is to remove the device compliance check as a requirement before issuing corporate settings and apps. If this check is removed, after the DEP portion is complete, the enterprise's store will be accessible on the device, it will be enrolled in AirWatch (without the Agent being present) and any auto-push policies or apps that you have configured will be delivered to the device.

JD


Joined: Dec 4, 2014


I believe with iOS 9 and AW 8.x you can do a VPP assignment of the AW Agent that won't require an Apple ID.
DEP with <9.0 still prompts for Apple ID.
Look into that possibility, and the Console and iOS versions that are required for no Apple ID installs.

