We are a small IT team that needs to purchase between 20 and 100 iOS devices (iPhones) to hand out to external partners. These devices will be set up once, and then leave the premises to pretty much never ever come back physically.
The devices need to be fully locked to our application. We won't allow surfing, emailing, phone calls, text messages etc.
I need to set this up as easily as possible. Then I need to install our application (developed in-house) and once I create an update for this app all devices need to be updated OTA. Updates to the iOS firmware should only be available if I say so. I don't want the user to be prompted to update iOS in case our application is not compatible yet.
From my understanding, I know I need some kind of MDM solution (Preferably Apple Configurator or the MDM server built into OS X Server in Yosemite) as well as an Apple Enterprise Developer account.
I'm looking for step-by-step instructions on how to set this up to be fail-proof. If any certificate is messed up, or expires at a later stage, and the devices would end up "useless", it is nearly impossible for me to get to the devices physically.
Thank you for any responses, I'm in charge of quite an important part of the business, and I have no previous experience of this (I don't want to f' up)
Your question is very large, so I'm going to only address a few specific points that should get you going in the right direction.
If the devices are bought by a company or institution, you should look into supervising the device (a process which asserts that this device is owned by a company or institution and so certain restrictions normally unavailable to BYOD are available on this device for MDM). Ideally, you'll purchase your devices straight from Apple in the US and then enroll them in the Device Enrollment Program (https://www.apple.com/education/it/dep/). This will allow you to configure the devices so that every time they are erased, they will become supervised again and re-enrolled with your chosen MDM server and configuration (and also give you the option to lock MDM so that it is unremovable).
Configurator is not your friend if you're not going to have physical access to the device. You'll want to use an MDM server and should look at a third-party vendor for the best experience (see AirWatch and MobileIron to start with). An MDM server will be able to push, install and update profiles and apps on the devices, so you should look heavily into this.
If the devices will be locked into a single application, look at Single App Mode. By pushing down a profile by MDM, you can lock the device into a single app, but only on SUPERVISED devices. You'll also want to look at the restrictions available for disabling things like Safari and such. The Mobile Device Management Protocol Reference and the Configuration Profile Reference are both your friends here.
You will NOT be able to prevent devices from updating iOS itself. This is a purposeful design choice from Apple and so you need to be testing your software against the developer betas to ensure it works before release or else you're out of luck.
Go check out the Apple Enterprise page (https://developer.apple.com/enterprise/). Some good videos are the WWDC 2014 "Managing Apple Devices" and "Building Apps for Business and Education".
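To make the Single App Mode and restrictions advice above concrete, here is an added example (not part of the original answer) that builds the configuration profile an MDM server would push to one of these supervised devices: a `com.apple.app.lock` payload that pins the device to one app, and a `com.apple.applicationaccess` payload that switches off Safari, the camera, app installation and iMessage. The bundle ID, organisation name and `PayloadIdentifier` values are placeholders. Supervision itself comes from DEP or Configurator, not from the profile; the `supervised_only_parts` check only tells you which parts of the profile an unsupervised device will refuse.

```python
"""Configuration profile for a supervised, single-app (kiosk) iPhone.

Added example; the bundle ID, organisation and identifiers are placeholders.
"""
import plistlib
import uuid

APP_LOCK = "com.apple.app.lock"               # Single App Mode payload
RESTRICTIONS = "com.apple.applicationaccess"  # Restrictions payload

# Payloads and keys that the Configuration Profile Reference marks supervised-only.
SUPERVISED_ONLY_PAYLOADS = {APP_LOCK}
SUPERVISED_ONLY_KEYS = {"allowiMessage"}


def _payload(payload_type, identifier, display_name, content):
    """Wrap payload-specific keys with the common Payload* keys every payload needs."""
    payload = {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
    }
    payload.update(content)
    return payload


def build_kiosk_profile(bundle_id, organisation="Example Corp",
                        base_identifier="com.example.kiosk"):
    """Return the profile as a dict; plistlib turns it into the XML plist iOS expects."""
    app_lock = _payload(APP_LOCK, base_identifier + ".applock", "Single App Mode", {
        "App": {"Identifier": bundle_id},
        "Options": {
            "DisableAutoLock": True,        # a kiosk should not sleep on its own
            "DisableTouch": False,
            "DisableDeviceRotation": False,
        },
    })
    restrictions = _payload(RESTRICTIONS, base_identifier + ".restrictions", "Restrictions", {
        "allowSafari": False,
        "allowCamera": False,
        "allowAppInstallation": False,
        "allowiMessage": False,             # supervised-only key
        "allowDiagnosticSubmission": False,
    })
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": base_identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Kiosk lockdown",
        "PayloadOrganization": organisation,
        # True means the user cannot remove the profile from the device.
        "PayloadRemovalDisallowed": True,
        "PayloadContent": [app_lock, restrictions],
    }


def supervised_only_parts(profile):
    """List payload types and restriction keys in `profile` that require supervision."""
    found = []
    for payload in profile["PayloadContent"]:
        if payload["PayloadType"] in SUPERVISED_ONLY_PAYLOADS:
            found.append(payload["PayloadType"])
        found.extend(key for key in payload if key in SUPERVISED_ONLY_KEYS)
    return found


def to_mobileconfig(profile):
    """Serialise to .mobileconfig (XML plist). Sign it before handing it to the MDM."""
    return plistlib.dumps(profile)


def from_mobileconfig(data):
    """Parse a .mobileconfig back into a dict (used to verify what was generated)."""
    return plistlib.loads(data)


if __name__ == "__main__":
    profile = build_kiosk_profile("com.example.partnerapp")
    print(to_mobileconfig(profile).decode())
    print("needs supervision for:", supervised_only_parts(profile))
```

Every payload, including the outer one, gets its own `PayloadUUID`; reusing a UUID across profiles is a common reason a later push silently replaces or fails to apply an earlier one.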
Related
I am quite new to MDM & iOS profile configuration. Please bear with me.
I am creating an application for a school management that wants to block all non-system iOS applications (starting with iOS, then later Android) on the campus during school hours. Students install the iOS profile by going to my website or through an app. I have a scheduler running on my server which at a specified time, and based on their location, applies the restriction and all non-system apps will be hidden from the iPhone (this is for non-supervised iPhone/iPad).
I have a couple of questions in this regard:
Will an iOS developer license ($99) work for the above scenario, or does it require an enterprise license ($299)?
Is WSO2 EMM the right choice for me, or should I use MDM-Server?
This will be low-cost product so can't invest in external MDM servers.
MDM capability has nothing to do with how you distribute the application. It doesn't matter if it's an App Store app or an Enterprise app: if the device is registered to MDM and the app uses the MDM API (NSUserDefaults with the "com.apple.configuration.managed" key), then it will work.
An application can't "hide" itself. It totally depends on the DEVICE restrictions enforced by the MDM SERVER.
If you intend to apply this to android then use one that allows multiple platforms.
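The answer above mentions the "com.apple.configuration.managed" key; what lands there is the dictionary the MDM server pushes with a `Settings` command whose item is `ApplicationConfiguration`. The following is an added example (not from the original answer) of the server side of that exchange: it builds and serialises that command, and refuses a configuration that is not a property-list dictionary, since anything else never reaches the app. The bundle ID, URL and command UUID are placeholders. On the device, the app reads the result with `UserDefaults.standard.dictionary(forKey: "com.apple.configuration.managed")`.

```python
"""MDM `Settings` / `ApplicationConfiguration` command builder.

Added example; bundle IDs, URLs and the command UUID are placeholders.
"""
import datetime
import plistlib
import uuid

# Scalar types a property list can carry (bool is a subclass of int).
_PLIST_SCALARS = (str, int, float, bool, bytes, datetime.datetime)


def _check_plist_value(value, path):
    """Raise TypeError if `value` cannot be represented in a property list."""
    if isinstance(value, _PLIST_SCALARS):
        return
    if isinstance(value, dict):
        for key, item in value.items():
            if not isinstance(key, str):
                raise TypeError(f"{path}: dictionary keys must be strings, got {key!r}")
            _check_plist_value(item, f"{path}.{key}")
        return
    if isinstance(value, list):
        for index, item in enumerate(value):
            _check_plist_value(item, f"{path}[{index}]")
        return
    raise TypeError(f"{path}: {type(value).__name__} cannot be stored in a plist")


def managed_app_config_command(bundle_id, configuration, command_uuid=None):
    """Return the MDM command dict that pushes `configuration` to the app `bundle_id`."""
    if not isinstance(configuration, dict):
        raise TypeError("Configuration must be a dictionary")
    _check_plist_value(configuration, "Configuration")
    return {
        "CommandUUID": command_uuid or str(uuid.uuid4()).upper(),
        "Command": {
            "RequestType": "Settings",
            "Settings": [{
                "Item": "ApplicationConfiguration",
                "Identifier": bundle_id,
                "Configuration": configuration,
            }],
        },
    }


def encode_command(command):
    """Serialise to the XML plist the MDM channel delivers to the device."""
    return plistlib.dumps(command)


def decode_command(data):
    """Parse a command plist back into a dict (what the device sees)."""
    return plistlib.loads(data)


if __name__ == "__main__":
    cmd = managed_app_config_command("com.example.schoolapp", {
        "serverURL": "https://mdm.example.com/api",   # placeholder
        "restrictionsEnabled": True,
        "schoolHours": ["08:00", "15:30"],
    })
    print(encode_command(cmd).decode())
```

Note that this only delivers data to the app; as the answer says, hiding or blocking other apps is done by device restrictions, not by anything the app can do with this dictionary.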
I am relatively new to iOS development. I have recently acquired an Individual Apple Developer Account so I can test an app I developed for an individual in my community on his own tablet.
After disconnecting the USB cable I found that the app continues to function. According to this Stack Overflow post I have gathered that I have either 9 or 12 months to get feedback from the user of the app and smooth off the rough edges and add some more features before I have to upload the app to the App Store.
I wasn't actually interested in marketing the app through the App Store. I developed it for the learning experience it would provide -- and it was definitely an excellent learning experience. I fail to understand why people cannot develop their own apps and upload them to their own devices and bypass the App Store.
Could someone provide some clarity on this?
I think it's for security reasons that Apple prevents direct installation to prevent unauthorized / malicious software to be widespread and some developers who didn't like this idea broke that security barrier and called it "jailbreaking."
However, this voids your device warranty (most likely if you bring a jailbroken phone to an Apple Store).
Apple probably doesn't want people to bypass the App Store, otherwise you could have sketchy apps floating around that didn't get vetted by Apple. And you don't have to upload to the App Store; it's just that the provisioning profile that signed the app you installed on your device would have expired, and then it wouldn't run anymore, so you would need to reinstall it on the device with an updated provisioning profile (which could require you to renew your developer licence, if that's what you are worried about).
I am trying to develop an enterprise environment where the specified app in the app store gets installed in all the iOS devices connected to the company infrastructure, which has a windows based AD to verify the users.
I went through various materials, and I found over-the-air profile delivery and a few other methods like MDM to push the configuration. But it seems only the configuration can be pushed using these features.
In Apple Configurator and iPhone Configuration Utility, the devices have to be connected to the computer physically. I would like to install the app on all the company-owned devices (around 1000 devices) without asking any permission from the user. Is there any way to do this?
You can't take over people's devices without their permission. Nor can you stealth-install an app. You can use MDM to register devices on which you can do this, but they need to be registered first. Apple is currently making MDM features more powerful for the Enterprise environment. As an Enterprise developer, you don't have to use the app store for your app - you can distribute it over your own web server. So even if you go the MDM route, you'll have to register those 1000 devices first. Once you do that, you have a lot more control.
I spent the whole day installing and configuring a Mac running Mountain Lion with the Server app to provide some MDM capability to allow pushing of configuration profiles over the air to some iPhones to disable some functions like using the camera and Safari. Everything was set up and running until I encountered a very troubling problem.
Even though I have set a password for the restrictions profile, there is no password set for the MDM profile. Effectively, anyone using the phone will be able to remove the MDM profile, which would also remove every restriction as well, rendering the whole process useless. I found out from some old posts that it is not possible to set a password on the MDM profile. Is this even real? What is the point of restrictions if anyone could remove them when they want?
It's specifically designed like that. Apple has this idea that a user should always decide what he/she wants. So, the user may enroll into MDM and unenroll from MDM at any time.
However, in that case, if you remove the MDM profile you lose both the restrictions and access to your enterprise data (your Exchange profile will be removed, if it was installed through MDM. The same is true for VPN access, Wi-Fi access and so on).
It's described pretty well in MDM documentation.
Generally speaking, they weren't good at supporting devices which belong to the enterprise and which are supposed to be restricted all the time. Now, they are gradually moving in this direction.
BTW, some new changes are coming in iOS 7 for supervised devices. I believe you may get what you are looking for. If you have access to the WWDC 2013 videos, take a look at the managing mobile devices session.
Update 1
I haven't tried it, but as I understand it, you can install a locked MDM profile on a supervised device, so this MDM profile can't be removed.
That seems slated to change. I was just reading this article about it yesterday.
Excerpt:
Most crucially, these management profiles can be made mandatory, preventing users from uninstalling the profiles themselves.
According to the article it's going to allow us to force configure devices without ever needing the device in hand and preventing the users from removing the profiles. There are some nice new features, but it makes me wonder about the ability to force lock down anyone's device with just their serial number. It's something I'll need to spend more time looking into.
All:
My employer believes they have a legal loophole to distribute Enterprise-signed apps to our customers, but I'm uncertain it will be technically feasible. (We are in the infancy of iOS in our environment.)
"Internal Use Applications developed under [the Apple Enterprise Agreement] may be deployed on Deployment Devices in two ways: (1) deployment for internal use by Employees, and (2) deployment for use by Customers either on Your physical premises or under the direct supervision and physical control of Your Employees in other locations, subject to Apple's right to review and approve such deployment as set forth herein. The App Store approval process is not required."
In our case, it is true -- customers will be on our remote physical site. (Personally, I believe clause 2 is really intended for corporate-provided devices to a customer -- think museums, etc, or contractors, and that even if this is a loophole, is one that is likely to be locked down. But that is moot for now.)
Our locations are without cellular service, AND we provide the only available Wi-Fi, which is restricted to our intranet (we do not allow customers free internet access, except at a very expensive cost to the customer, which we do not wish to do here). So, the idea was to locally host the app (IPA) and profile on our local LAN, have the customer install an Enterprise provisioning profile, and then install our apps from a local source.
So my question is if this is TECHNICALLY feasible --- Is it possible to install a provisioning profile over the air (Wi-Fi) WITHOUT calling back to Apple? And if so, can an Enterprise-signed app also be installed, again without calling back to Apple? Does an end user get anything more scary than a "Do you want to install MegaCorp's Enterprise Provisioning Profile on your device"?
You can allow for installing apps from a secure web page. Just follow the directions here:
https://developer.apple.com/library/ios/#featuredarticles/FA_Wireless_Enterprise_App_Distribution/Introduction/Introduction.html
It's in the section In-house apps > Deploying apps > Installing apps wirelessly. Apple doesn't say anything about needing to add individual UDIDs to the provisioning profile. I think they don't want to make a big deal of it lest misuse become rampant.
I don't have any legal advice, though.
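The wireless distribution the answer links to works by serving a manifest plist and pointing the device at it with an `itms-services://` link. As an added example (not from the original answer or from Apple's documentation), the script below writes that manifest and link for the intranet scenario in the question. The hostnames, bundle ID, version and title are placeholders. One caveat that matters on an intranet-only network: since iOS 7.1 the manifest URL must be HTTPS, and the device has to trust the certificate, so a self-signed or internal-CA certificate needs its root installed on the device (for example through a configuration profile) before the link will work; the builder therefore refuses plain http URLs outright.

```python
"""Manifest and install link for wireless in-house (enterprise) app distribution.

Added example; hostnames, bundle ID, version and title are placeholders.
"""
import plistlib
from urllib.parse import quote, urlparse


def _require_https(url, what):
    """iOS 7.1+ refuses itms-services manifests that are not served over HTTPS."""
    if urlparse(url).scheme != "https":
        raise ValueError(f"{what} must be served over https, got {url!r}")


def build_manifest(ipa_url, bundle_id, bundle_version, title):
    """Return the manifest dict in the layout Apple's wireless distribution expects."""
    _require_https(ipa_url, "IPA URL")
    return {
        "items": [{
            "assets": [{"kind": "software-package", "url": ipa_url}],
            "metadata": {
                "bundle-identifier": bundle_id,   # must match the IPA's Info.plist
                "bundle-version": bundle_version,
                "kind": "software",
                "title": title,                   # shown in the install prompt
            },
        }],
    }


def install_link(manifest_url):
    """The link users tap in Safari; iOS fetches the manifest, then the IPA it names."""
    _require_https(manifest_url, "manifest URL")
    # The manifest URL is a query parameter, so it has to be fully percent-encoded.
    return "itms-services://?action=download-manifest&url=" + quote(manifest_url, safe="")


def manifest_plist(manifest):
    """Serialise the manifest to XML plist bytes for the web server to host."""
    return plistlib.dumps(manifest)


def parse_manifest(data):
    """Parse a hosted manifest back into a dict (useful for checking what was served)."""
    return plistlib.loads(data)


if __name__ == "__main__":
    manifest = build_manifest("https://apps.intranet.example/megacorp.ipa",
                              "com.example.megacorp", "1.0.3", "MegaCorp Field App")
    print(manifest_plist(manifest).decode())
    print(install_link("https://apps.intranet.example/manifest.plist"))
```

The IPA itself carries the enterprise distribution provisioning profile, so no separate profile install step is needed for the app; the only thing the user sees is the install prompt with the title from the manifest, plus, on first launch, the prompt to trust the enterprise developer.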