I have found following network requirements for OTA deployment:
https://help.apple.com/deployment/ios/#/apda0e3426d7
Network configuration requirements
If the devices are connected to a closed internal network, you should let iOS devices access the following:
ax.init.itunes.apple.com: The device obtains the current file-size limit for downloading apps over the cellular network. If this website isn’t reachable, installation may fail.
ocsp.apple.com: The device contacts this website to check the status of the distribution certificate used to sign the provisioning profile.
I want to ask: is it possible to deploy through the intranet without access to the websites above? Is there any workaround?
Thanks.
We have OTA setup in our intranet. Works fine. Only requirement is that the device installing the app should be connected to the VPN or in the intranet.
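For readers setting up the intranet OTA install the answer describes, here is an added example (my code, not from the question, the answer, or Apple) that builds the manifest plist behind an itms-services link and checks the two things that commonly break such deployments: every asset URL and the manifest itself must be served over HTTPS, and the metadata keys must be complete. The host names and bundle values are placeholders. This does not change the Apple network requirements quoted in the question; it only covers the part you host yourself.

```python
"""Build and sanity-check an itms-services manifest for intranet OTA installs.

Added example for this thread, not code from the original posts or from Apple.
Assumed: the IPA and manifest are hosted on an HTTPS server that devices on the
intranet/VPN can reach (the host names below are placeholders).
"""
import plistlib
from urllib.parse import quote, urlparse

ALLOWED_ASSET_KINDS = {"software-package", "display-image", "full-size-image"}
REQUIRED_METADATA = ("bundle-identifier", "bundle-version", "kind", "title")


def build_manifest(ipa_url, bundle_id, version, title):
    """Return manifest.plist bytes describing one IPA for OTA installation."""
    manifest = {
        "items": [
            {
                "assets": [{"kind": "software-package", "url": ipa_url}],
                "metadata": {
                    "bundle-identifier": bundle_id,
                    "bundle-version": version,
                    "kind": "software",
                    "title": title,
                },
            }
        ]
    }
    return plistlib.dumps(manifest)


def check_manifest(manifest_bytes):
    """Return a list of problems; an empty list means the manifest looks deployable."""
    problems = []
    manifest = plistlib.loads(manifest_bytes)
    items = manifest.get("items", [])
    if not items:
        problems.append("manifest has no items")
    for item in items:
        for asset in item.get("assets", []):
            url = asset.get("url", "")
            if urlparse(url).scheme != "https":
                # iOS refuses to fetch OTA packages over plain http
                problems.append(f"asset url is not https: {url!r}")
            if asset.get("kind") not in ALLOWED_ASSET_KINDS:
                problems.append(f"unknown asset kind: {asset.get('kind')!r}")
        metadata = item.get("metadata", {})
        for key in REQUIRED_METADATA:
            if key not in metadata:
                problems.append(f"metadata missing {key!r}")
    return problems


def install_link(manifest_url):
    """Return the itms-services link users tap; the manifest must itself be on https."""
    if urlparse(manifest_url).scheme != "https":
        raise ValueError("manifest must be served over https")
    return "itms-services://?action=download-manifest&url=" + quote(manifest_url, safe="")


if __name__ == "__main__":
    # constructed placeholder values
    m = build_manifest("https://apps.intranet.example/field.ipa",
                       "com.example.field", "1.4.2", "Field App")
    print(check_manifest(m))
    print(install_link("https://apps.intranet.example/field.plist"))
```

Run `check_manifest` on the plist before publishing it; a non-empty list is the reason the install silently does nothing on the device.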
So we have a white-labeled apps, and one of our client distributes their app through MDM server instead of the Apple's AppStore.
For some reason this client reported that the app is "slow/freeze" when open, he provided some videos that show the issue and the app is indeed "slow/freeze" in the videos. But when we let them install the app through AppStore the app runs properly without the "slow/freeze" issue.
Is there a difference when the app is installed via MDM vs the App Store? Should the app's performance be affected/reduced if it is installed via an MDM server? If the MDM server wasn't set up properly, could that possibly cause this?
As of now we don't have access to the client's MDM server, so we can't investigate whether the issue is in their MDM server setup.
We are developing an app with Per-App VPN that runs on iOS. This container app is designed so that some of our specific apps connect to the network through the VPN at certain times, while all the other apps do not.
We want these specific apps to connect to the network normally before the VPN is turned on, after the container app and configuration profile are installed, and to connect through the VPN once the VPN is manually turned on in the container app.
I have some questions I cannot find answers to.
I've added the NETestAppMapping key to the Info.plist of my container app in Development, and the Bundle Identifiers of those specific apps are added to NETestAppMapping. After building the container app and installing the configuration profile with Apple Configurator 2, I found those specific apps cannot connect to the Internet until I turn on the VPN in the container app. Is that normal?
NETestAppMapping is a way to configure those specific apps in Development. I wonder what the production mechanism for specifying app mappings is.
Moreover, something really weird once happened. I deleted the configuration profile from the iPhone, and NETestAppMapping from the container app. Then I turned on the VPN in the container app the normal way. After doing this, I found the function we want is implemented.
Thank you very much.
An app that is associated with a Per-App VPN will only have its traffic routed through the Per-App VPN. If On-Demand is disabled and the VPN is turned off, then no traffic will flow from the app.
As such, I see two ways to achieve having the apps route through the Per-App VPN only some of the time:
Implement the VPN using NEPacketTunnelProvider in such a way that the VPN always launches On-Demand and continues to be 'active', but the VPN app can be used to toggle whether the NEPacketTunnelProvider actually routes the traffic through the VPN or whether it simply acts as a TCP/UDP forwarder.
Utilise an MDM and its SDK (assuming support) to associate and disassociate your applications from the Per-App VPN when a toggle is switched in the VPN app. Note that this will likely be clunky, with a time delay and may cause your app to be killed if it is running. I won't recommend this approach.
It's worth noting that NETestAppMapping only works for development builds and won't work for distribution builds (e.g. Enterprise (In-House) or App Store). You will need to use an MDM to utilise a Per-App VPN.
For an example of using an NEPacketTunnelProvider with packet forwarding, I would take a look at this paper: Does your phone spy on you? by Severin Amrein.
In my project, I need to install an application on iOS devices using a desktop EXE. I use the libimobiledevice command to install the application and it works fine. As I use an enterprise developer profile, I know I need to trust the profile from Settings. To trust a profile it needs an internet connection, as per Apple.
iOS9 Untrusted Enterprise Developer with no option to trust
But in my case, there will not be any internet connection on the device, though we have an internet connection on the desktop PC where the EXE runs. Is there any option to launch the Enterprise IPA file without having an internet connection?
I looked at MDM / Apple Enterprise distribution but am not sure whether it will serve my purpose.
Is there any possible way to launch the enterprise IPA without having an internet connection on the iOS device?
You need to be able to verify the Enterprise Certificate in the app with Apple, as they are the ones giving you a licence to install apps outside the App Store.
That's just the way these Enterprise ID's work.
If the desktop PCs have iTunes, you could try dropping the IPA in there and see if this antique program can help you out.
This would definitely require some hacking. One approach may be to edit the hosts file of the computer when installing using the executable, launching your own server to listen on the port specified in the hosts file, and replicate the response given by the server in a real-life scenario (you can probably use Charles or Fiddler to trace the response which is supposed to be given by the server).
Basically, the verification of the cert would be done by the local server you are running.
This, of course, is quite complex as a task... good luck!
I'm researching MDM on iOS, and found information about Apple's native iOS mobile device management. Once the device is enrolled in an MDM server, the server can manage the device by sending commands. I tested on an MDM server and saw that without installing an MDM agent app on the device, the server can still send profiles and apply policies to the device.
Could anyone help me address the following:
Is Apple’s native iOS mobile device management built inside the iOS itself?
Can an MDM server manage the device (install apps, disable camera, iTunes...) without installing an MDM agent app?
How can the device itself communicate with the MDM server and install profiles sent from the server automatically?
Do I need an enterprise account to use iOS MDM service?
Where can I find documents about MDM API and how to use it?
Is Apple's native iOS mobile device management built inside iOS itself?
Yes; as of iOS 4, devices became MDM-capable.
Can an MDM server manage the device (install apps, disable camera, iTunes...) without installing an MDM agent app?
Yes. The only thing an MDM agent app will get you is the ability to report back on the device's IP address / network information, custom logging, etc. By default iOS does not allow for "tracking" a user's network details.
How can the device itself communicate with the MDM server and install profiles sent from the server automatically?
This is what I refer to as "the circle of hell". Your MDM sends command/installation packets to the APNs server, the APNs server tells the device it has a pending command from the MDM, and the device reaches out to the MDM for its instructions and acknowledges. My nickname is for the trouble it takes to get firewall permissions set up in large enterprises.
Do I need an enterprise account to use the iOS MDM service? Where can I find documents about the MDM API and how to use it?
To use an MDM service you do not need an Enterprise account. To create an MDM service and access its documentation you do need an Enterprise account at $299/year.
Yes.
N/A, as the 'agent' is already built into iOS.
To manage a device by MDM, the device must be enrolled manually first. During the enrollment process, a configuration file will be installed on the device containing the information of the MDM server. The MDM framework also makes use of push notifications to communicate with the device.
Yes. In addition, you also need the ability to generate an MDM Vendor Certificate on Apple's Developer Portal.
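The configuration file mentioned in this answer is a .mobileconfig profile whose com.apple.mdm payload tells mdm-client where the server is, which push topic to listen on, which identity to present and what the server is allowed to do. As an added example (my code, not from this answer, Apple, or any MDM product), here is a small audit that a deployment engineer can run over such a profile before pushing it out, including a com.apple.applicationaccess restrictions payload of the "disable camera" kind mentioned in the question. The profile is constructed; the AccessRights bit names follow Apple's MDM protocol reference.

```python
"""Audit an MDM enrollment profile (.mobileconfig) before it is deployed.

Added example for this thread, not from the answers, Apple, or any MDM vendor.
The profile is constructed; the payload keys are the documented com.apple.mdm
and com.apple.applicationaccess keys, and the AccessRights bit names follow
Apple's MDM protocol reference.
"""
import plistlib
from urllib.parse import urlparse

ACCESS_RIGHTS = {
    1: "inspect configuration profiles", 2: "install/remove configuration profiles",
    4: "device lock / passcode removal", 8: "device erase",
    16: "query device information", 32: "query network information",
    64: "inspect provisioning profiles", 128: "install/remove provisioning profiles",
    256: "inspect installed applications", 512: "restriction-related queries",
    1024: "security-related queries", 2048: "manipulate settings", 4096: "app management",
}


def make_profile(server_base="https://mdm.example.internal", access_rights=8191):
    """Build a constructed enrollment profile (plist bytes) for the audit to inspect."""
    cert_uuid = "AAAAAAAA-0000-0000-0000-000000000002"
    return plistlib.dumps({
        "PayloadType": "Configuration", "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm.enroll",
        "PayloadUUID": "AAAAAAAA-0000-0000-0000-000000000001",
        "PayloadContent": [
            {"PayloadType": "com.apple.security.pkcs12", "PayloadVersion": 1,
             "PayloadIdentifier": "com.example.mdm.identity", "PayloadUUID": cert_uuid,
             "PayloadContent": b"pkcs12-placeholder", "Password": "placeholder"},
            {"PayloadType": "com.apple.mdm", "PayloadVersion": 1,
             "PayloadIdentifier": "com.example.mdm.payload",
             "PayloadUUID": "AAAAAAAA-0000-0000-0000-000000000003",
             "ServerURL": server_base + "/connect",
             "CheckInURL": server_base + "/checkin",
             "Topic": "com.apple.mgmt.External.11111111-2222-3333-4444-555555555555",
             "AccessRights": access_rights,
             "IdentityCertificateUUID": cert_uuid,
             "CheckOutWhenRemoved": True},
            {"PayloadType": "com.apple.applicationaccess", "PayloadVersion": 1,
             "PayloadIdentifier": "com.example.restrictions",
             "PayloadUUID": "AAAAAAAA-0000-0000-0000-000000000004",
             "allowCamera": False, "allowAppInstallation": False},
        ],
    })


def audit_profile(profile_bytes):
    """Return {"problems": [...], "rights": [...], "restrictions": {...}} for a profile."""
    profile = plistlib.loads(profile_bytes)
    payloads = profile.get("PayloadContent", [])
    known_uuids = {p.get("PayloadUUID") for p in payloads}
    report = {"problems": [], "rights": [], "restrictions": {}}
    mdm_payloads = [p for p in payloads if p.get("PayloadType") == "com.apple.mdm"]
    if len(mdm_payloads) != 1:
        report["problems"].append(f"expected one com.apple.mdm payload, found {len(mdm_payloads)}")
    for p in mdm_payloads:
        for key in ("ServerURL", "CheckInURL"):
            url = p.get(key, "")
            if urlparse(url).scheme != "https":   # the device would talk to the MDM in clear
                report["problems"].append(f"{key} is not https: {url!r}")
        if not str(p.get("Topic", "")).startswith("com.apple.mgmt.External."):
            report["problems"].append("Topic is not an MDM push topic")
        if p.get("IdentityCertificateUUID") not in known_uuids:
            report["problems"].append("IdentityCertificateUUID points to no payload in this profile")
        rights = int(p.get("AccessRights", 0))
        if rights == 0:
            report["problems"].append("AccessRights is zero; the server could not manage anything")
        # decode the bitmask so reviewers see in words what the server may do (e.g. erase)
        report["rights"] = [name for bit, name in ACCESS_RIGHTS.items() if rights & bit]
    for p in payloads:
        if p.get("PayloadType") == "com.apple.applicationaccess":
            report["restrictions"].update({k: v for k, v in p.items() if k.startswith("allow")})
    return report


if __name__ == "__main__":
    for name in audit_profile(make_profile())["rights"]:
        print("granted:", name)
```

The decoded rights list is the part worth reading in a review: an enrollment profile that grants "device erase" to a server is a different risk from one that only grants queries, and the bitmask alone does not make that visible.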
Is Apple's native iOS mobile device management built inside iOS itself?
Yes, Apple has a secured mdm-client bundled in each Apple product. We can make use of the client upon enrolling. There is supervised enrollment, where mdm-client can perform more privileged tasks.
Can an MDM server manage the device (install apps, disable camera, iTunes...) without installing an MDM agent app?
Yes, once the device is enrolled you can apply restrictions on iOS and macOS, install apps silently using VPP, etc. Refer to Configuration-Profile-Reference.pdf page 67 for a list of all restrictions.
How can the device itself communicate with the MDM server and install profiles sent from the server automatically?
Like iOS apps, mdm-client responds to notifications through APNS. The server in which the device is enrolled will have a push-magic string, a device token and a topic the device listens to; these help the server notify the device. The device will then ping the server. I have attached the official MDM guide that you can refer to for more details.
Do I need an enterprise account to use iOS MDM service?
Here you have two options. If you want to build your own MDM solution then, like I said before, you would need to notify the device so that it contacts your MDM server upon enrollment. Similar to building an iOS app, you need a developer account to create an APNS certificate (refer here) to notify the default mdm-client.
Or, if you just wish to manage your device, you do not require a developer certificate. MDM vendors would use their certificate for signing, and you would need an Apple ID account to upload the certificate provided by your MDM to notify devices.
Where can I find documents about MDM API and how to use it?
Refer to the links below to get started with MDM. Comment your queries for any help.
1. Setting up MDM and MDM Protocol
2. Restrictions and other MDM profiles
3. Apple business manager
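The push loop that the first answer calls "the circle of hell" and this answer describes with the push-magic string, device token and topic, as an added example (my code, not from either answer, Apple, or any MDM product). It models the three legs in memory: the check-in messages mdm-client sends when the profile is installed, the APNs wake-up (stubbed to a record of what would be pushed), and the command poll against the server, including the NotNow case where a busy device declines a command and the server has to keep it for the next push. Everything here is constructed; real deployments put HTTPS with the enrollment identity certificate in front of both endpoints.

```python
"""In-memory model of the MDM check-in, APNs wake-up and command round trip.

Added example for this thread: not code from the answers, from Apple, or from
any MDM product. Messages use the plist shapes of the MDM protocol; HTTP,
the enrollment identity (mutual TLS) and the real APNs connection are replaced
by direct calls and a stub that only records what would have been pushed.
"""
import plistlib
import uuid


def checkin_message(**fields):
    """Serialize a CheckIn message the way mdm-client sends it (a plist body)."""
    return plistlib.dumps(fields)


class MdmServer:
    def __init__(self):
        self.devices = {}   # UDID -> {"topic", "token", "push_magic"}
        self.queues = {}    # UDID -> pending command dicts, oldest first
        self.pushes = []    # (topic, token, push_magic) the APNs stub "sent"

    def checkin(self, body):
        """CheckIn endpoint: Authenticate, TokenUpdate or CheckOut. Returns an HTTP status."""
        msg = plistlib.loads(body)
        udid, kind = msg["UDID"], msg["MessageType"]
        if kind == "Authenticate":
            self.devices[udid] = {"topic": msg["Topic"], "token": None, "push_magic": None}
            self.queues.setdefault(udid, [])
            return 200
        if udid not in self.devices:
            return 401          # never authenticated: reject instead of creating state
        if kind == "TokenUpdate":
            self.devices[udid].update(token=msg["Token"], push_magic=msg["PushMagic"])
            return 200
        if kind == "CheckOut":
            self.devices.pop(udid)
            self.queues.pop(udid, None)
            return 200
        return 400

    def enqueue(self, udid, request_type, **params):
        """Queue a command and wake the device; the APNs payload carries only the PushMagic."""
        dev = self.devices[udid]
        if dev["token"] is None:
            raise RuntimeError("device has not sent TokenUpdate yet, nothing to push to")
        cmd = {"CommandUUID": str(uuid.uuid4()),
               "Command": {"RequestType": request_type, **params}}
        self.queues[udid].append(cmd)
        self.pushes.append((dev["topic"], dev["token"], dev["push_magic"]))
        return cmd["CommandUUID"]

    def connect(self, body):
        """Endpoint the device polls after a push; an empty reply means 'no more work'."""
        msg = plistlib.loads(body)
        queue = self.queues[msg["UDID"]]
        status = msg["Status"]
        if status in ("Acknowledged", "Error", "CommandFormatError"):
            queue[:] = [c for c in queue if c["CommandUUID"] != msg.get("CommandUUID")]
        elif status == "NotNow":
            return b""          # device busy (e.g. locked): keep the command for the next push
        return plistlib.dumps(queue[0]) if queue else b""


class Device:
    """Stand-in for the mdm-client built into iOS."""

    def __init__(self, udid, topic):
        self.udid, self.topic = udid, topic
        self.push_magic = str(uuid.uuid4()).upper()   # constructed sample value
        self.token = bytes(range(32))                  # constructed sample APNs token
        self.busy = False

    def _checkin(self, server, **fields):
        status = server.checkin(checkin_message(UDID=self.udid, Topic=self.topic, **fields))
        if status != 200:
            raise RuntimeError(f"check-in rejected with {status}")

    def enroll(self, server):
        """What installing the MDM profile triggers: Authenticate, then TokenUpdate."""
        self._checkin(server, MessageType="Authenticate")
        self._checkin(server, MessageType="TokenUpdate", Token=self.token,
                      PushMagic=self.push_magic)

    def on_push(self, server):
        """Woken by APNs: report Idle, then work through commands until the server sends nothing."""
        handled = []
        reply = {"UDID": self.udid, "Status": "Idle"}
        while True:
            raw = server.connect(plistlib.dumps(reply))
            if not raw:
                return handled
            cmd = plistlib.loads(raw)
            if self.busy:   # cannot act now (e.g. device locked): decline, server retries later
                reply = {"UDID": self.udid, "Status": "NotNow", "CommandUUID": cmd["CommandUUID"]}
                continue
            handled.append(cmd["Command"]["RequestType"])
            reply = {"UDID": self.udid, "Status": "Acknowledged", "CommandUUID": cmd["CommandUUID"]}
```

Two details matter for the firewall discussion in the first answer: the APNs leg carries nothing but the PushMagic (no command content), so the command itself only ever travels over the device-to-MDM connection, and a device that cannot reach APNs never learns there is work waiting even though the MDM endpoint is reachable.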
I am trying to develop an enterprise environment where a specified app in the App Store gets installed on all the iOS devices connected to the company infrastructure, which has a Windows-based AD to verify the users.
I went through various materials, and I found over-the-air profile delivery and a few other methods like MDM to push the configuration. But it seems only the configuration can be pushed using these features.
In Apple Configurator and iPhone Configuration Utility, the devices should be connected to the computer physically. I would like to install the app on all the company-owned devices (around 1000 devices) without asking any permission from the user. Is there any way to do this?
You can't take over people's devices without their permission. Nor can you stealth-install an app. You can use MDM to register devices on which you can do this, but they need to be registered first. Apple is currently making MDM features more powerful for the Enterprise environment. As an Enterprise developer, you don't have to use the app store for your app - you can distribute it over your own web server. So even if you go the MDM route, you'll have to register those 1000 devices first. Once you do that, you have a lot more control.