I am quite new to MDM & iOS profile configuration. Please bear with me.
I am creating an application for school management who wants blocks all non-system iOS applications (starting with iOS then later android) on a the campus during school hours. Students install the iOS profile by going to my website or through an app. I have scheduler running on my server which at specified time & based on their location applies restriction and all non-system apps will be hidden from iPhone (this is for non-supervised iPhone/iPad).
I have couple of questions in this regard
Will iOS developer license (99$) work for above scenario or requires an enterprise license (299$)?
ws02 EMM is the right choice for me or should I use MDM-Server
This will be low-cost product so can't invest in external MDM servers.
MDM Capability has nothing to do with how you distribute the application , it doesn't matter if it's an AppStore app or Enterprise app if the device is registered to MDM and the app uses MDM api (NSUserDefaults with "com.apple.configuration.managed" key) then it will work.
An application can't "hide" itself , it totally depends on the DEVICE restrictions enforced by MDM SERVER.
If you intend to apply this to android then use one that allows multiple platforms.
Related
I used to work on an Enterprise iOS product which our company used to sell to big enterprise companies for their employee to use.
The app was made available via the AppStore and the enterprise users were provided company specific profiles (containing app config files) to enable the respective feature that they were entitled to and use the iOS software. This app is only meant for enterprise customers and their employees only.
I would want to know/understand what is the difference between Enterprise iOS app and a normal retail app (an individual publishing an iOS app in store for retail consumers to buy and use) as I was asked this question in one of the interviews.
One thing I know is the for Enterprise apps, you will have tons of paper work, T&C and NDA's to be signed between the Enterprise customer's IT and the app providing organization.
Apart from this is are there any differences? I mean any differences with respect to the way app is submitted to the store? Or any additional security requirements for an app as it is an enterprise app? Is there something that differentiates and enterprise app from an normal app?
Thanks & Regards
Your app cannot have been developed using an Apple enterprise account and Enterprise distribution profiles because Enterprise apps cannot be placed in the app store.
There is no difference in terms of development of an Enterprise app versus a non enterprise app, there's nothing additional to do (there's a little extra to do to distribute it, see last paragraph).
The only differences are you have to have an Apple Enterprise developer account and its gets signed with a different set of certificates and profiles.
As an Enterprise app does not go onto the App store is is not subject to Apple app store review and therefore you can implement more functionality that you could with a regular app (for example, you could use background modes, use private apis etc.).
There is additional work required to distribute the app, you typically might host it on a web site and make it available for download by the Enterprise users, you have to set up a few bits and pieces and create a manifest file to enable all that.
Is it possible to deploy an APP to apple app store, but only allow internal company user to download the APP by their own? Thanks.
Yes it is possible with Apple Enterprise Developer Program.
The Apple Developer Enterprise Program allows large organizations to develop and deploy proprietary, internal-use apps to their employees. This program is for specific use cases that require private distribution directly to employees using secure internal systems or through a Mobile Device Management solution.
Just to augment what others have said there. The Enterprise program is what you want. It allows you to distribute your app to as many devices as you like. But as it's not going through the Apple app store, you will have to work out how you want to do it. There are third party servers out there for doing this sort of thing.
You can also simply "roll your own" by simply creating a web page on your LAN with a like to the downloadable app. The Apple documentation has the details on doing that.
Also note one difference between an Enterprise app and a app store app, is that the Enterprise app certificates will need to be renewed every year. Which means that you will need to update the app every year or it will stop working.
We are a small IT team that needs to purchase between 20-100 iOS devices (iPhones) to hand out to external partners. These devices will be setup once, and then leave the premises to pretty much never ever come back physically.
The devices needs to be fully locked to our application. We won't allow surfing, emailing, phonecalls, text messages etc.
I need to set this up as easy as possible. Then I need to install our application (developed in-house) and once I create an update for this app all devices needs to be updated OTA. Updates to the iOS firmware should only be available if I say so. I don't want the user to be prompted to update iOS in case our application is not compatible yet.
From my understanding, I know I need some kind of MDM solution (Preferably Apple Configurator or the MDM server built into OS X Server in Yosemite) as well as an Apple Enterprise Developer account.
I'm looking for step by step instructions on how to set this up to be failproof. If any certificate is messed up, or expired at a later stage and the devices would end up "useless" it is nearly impossible for me to get to the devices physically.
Thank you for any responses, I'm in charge of quite a important part of the business, and I have no previous experience of this (I don't want to f' up)
Your question is very large, so I'm going to only address a few specific points that should get you going in the right direction.
If the devices are bought by a company or institution, you should look into supervising the device (a process which asserts that this device is owned by a company or institution and so certain restrictions normally unavailable to BYOD are available on this device for MDM). Ideally, you'll purchase your devices straight from Apple in the US and then enroll them in the Device Enrollment Program (https://www.apple.com/education/it/dep/). This will allow you to configure the devices so that every time they are erased, they will become supervised again and re-enrolled with your chosen MDM server and configuration (and also give you the option to lock MDM so that it is unremovable).
Configurator is not your friend if you're not going to have physical access to the device. You'll want to use a MDM server and should look at a third-party vendor for the best experience (see AirWatch and MobileIron to start with). An MDM server will be able to push install and update profiles and apps on the devices and so you should look heavily into this.
If the devices will be locked into a single application, look at Single App Mode. By pushing down a profile by MDM, you can lock the device into a single app, but only on SUPERVISED devices. You'll also want to look at the restrictions available for disabling things like Safari and such. The Mobile Device Management Protocol Reference and the Configuration Profile Reference are both your friends here.
You will NOT be able to prevent devices from updating iOS itself. This is a purposeful design choice from Apple and so you need to be testing your software against the developer betas to ensure it works before release or else you're out of luck.
Go check out the Apple Enterprise page (https://developer.apple.com/enterprise/). Some good videos are the WWDC 2014 "Managing Apple Devices" and "Building Apps for Business and Education".
I am trying to develop an enterprise environment where the specified app in the app store gets installed in all the iOS devices connected to the company infrastructure, which has a windows based AD to verify the users.
I went through various materials, and I found over the air profile delivery and few other methods like MDM to push the configuration. But it seems only the configuration can be pushed using these features.
In Apple Configurator and iPhone Configuration Utility, the devices should be connected to the computer physically. I would like to install the app in all the company-owened devices (around 1000 devices) without asking any permission from the user. Is there any way to do this?
You can't take over people's devices without their permission. Nor can you stealth-install an app. You can use MDM to register devices on which you can do this, but they need to be registered first. Apple is currently making MDM features more powerful for the Enterprise environment. As an Enterprise developer, you don't have to use the app store for your app - you can distribute it over your own web server. So even if you go the MDM route, you'll have to register those 1000 devices first. Once you do that, you have a lot more control.
I programmed an app for a company and would like to install the app on their iPads without having to submit the app to the App Store since its a commercial app for just this company. Is this possible without connecting each iPad to my MacBook and putting a developer certificate on it.
Is there another way? What about using an URL-link or QR-Code (linking to this url)?
Thanks in advance
Your question is about installing apps without iTunes and the Apple App Store. This is entirely possible and supported by Apple but you are still bound by your developer account's ability to only build signed binaries for 100 devices for testing purposes only.
You can distribute your apps over the air via services like hockeyapp.net and testflightapp.com (free) but these services are just hooking into the iOS system's ability to install signed binaries over the air which has been possible since iOS4. There are several open source projects that provide the bare bones HTML and Javascript/meta tags to install signed binaries over the net - one such one is iOS Beta Builder
If you are creating Enterprise apps for clients (that will exist in production, not just a development environment) then your only legitimate way to provide your clients with apps that won't expire is to use Enterprise Developer Account. The enterprise account has no device limits but the apps you sign with enterprise certs phone home to Apple each time they're launched and are strictly only allowed to be used for a single company and their current employees.
It is because of Apple takes 30% of all the payments, isn't it?
The only way I see is to create usual web-site which runs via browser without installing