I am trying to develop an enterprise environment where the specified app in the app store gets installed on all the iOS devices connected to the company infrastructure, which has a Windows-based AD to verify the users.
I went through various materials, and I found over the air profile delivery and few other methods like MDM to push the configuration. But it seems only the configuration can be pushed using these features.
In Apple Configurator and iPhone Configuration Utility, the devices should be connected to the computer physically. I would like to install the app on all the company-owned devices (around 1000 devices) without asking any permission from the user. Is there any way to do this?
You can't take over people's devices without their permission. Nor can you stealth-install an app. You can use MDM to register devices on which you can do this, but they need to be registered first. Apple is currently making MDM features more powerful for the Enterprise environment. As an Enterprise developer, you don't have to use the app store for your app - you can distribute it over your own web server. So even if you go the MDM route, you'll have to register those 1000 devices first. Once you do that, you have a lot more control.
I wonder if it is possible to force an iOS Device to download an app.
I have a 1 Year Apple Developer Account and I can create Profiles.
I heard that if Users install your Profile Configuration you can do some actions.
Now I thought, instead of connecting a Device over USB to a PC and loading an IPA to the Device, to force a Device UDID (with an installed Profile) to download an App without having it connected to a PC.
You cannot do this with a normal app.
However you may want to look into:
Enterprise apps. If you distribute an enterprise app and set up MDM (mobile device management), you can push an app to a device.
MDM. If you own the set of devices, you can set up mobile device management on them and push app updates.
You could look at solutions like rollout.io which provide a wrapper for the JS bridge into iOS to allow you to deploy simple updates and bug fixes to a live app.
You cannot force push an app or update to a live app store user.
I am quite new to MDM & iOS profile configuration. Please bear with me.
I am creating an application for school management who wants to block all non-system iOS applications (starting with iOS, then later Android) on the campus during school hours. Students install the iOS profile by going to my website or through an app. I have a scheduler running on my server which, at a specified time and based on their location, applies the restriction, and all non-system apps will be hidden from the iPhone (this is for non-supervised iPhone/iPad).
I have a couple of questions in this regard:
Will the iOS developer license (99$) work for the above scenario, or does it require an enterprise license (299$)?
Is WSO2 EMM the right choice for me, or should I use MDM-Server?
This will be low-cost product so can't invest in external MDM servers.
MDM capability has nothing to do with how you distribute the application. It doesn't matter if it's an App Store app or an Enterprise app: if the device is registered to MDM and the app uses the MDM API (NSUserDefaults with the "com.apple.configuration.managed" key), then it will work.
An application can't "hide" itself; it totally depends on the DEVICE restrictions enforced by the MDM SERVER.
If you intend to apply this to android then use one that allows multiple platforms.
We are a small IT team that needs to purchase between 20-100 iOS devices (iPhones) to hand out to external partners. These devices will be setup once, and then leave the premises to pretty much never ever come back physically.
The devices need to be fully locked to our application. We won't allow surfing, emailing, phone calls, text messages etc.
I need to set this up as easily as possible. Then I need to install our application (developed in-house), and once I create an update for this app all devices need to be updated OTA. Updates to the iOS firmware should only be available if I say so. I don't want the user to be prompted to update iOS in case our application is not compatible yet.
From my understanding, I know I need some kind of MDM solution (Preferably Apple Configurator or the MDM server built into OS X Server in Yosemite) as well as an Apple Enterprise Developer account.
I'm looking for step by step instructions on how to set this up to be failproof. If any certificate is messed up, or expired at a later stage and the devices would end up "useless" it is nearly impossible for me to get to the devices physically.
Thank you for any responses. I'm in charge of quite an important part of the business, and I have no previous experience of this (I don't want to f' up).
Your question is very large, so I'm going to only address a few specific points that should get you going in the right direction.
If the devices are bought by a company or institution, you should look into supervising the device (a process which asserts that this device is owned by a company or institution and so certain restrictions normally unavailable to BYOD are available on this device for MDM). Ideally, you'll purchase your devices straight from Apple in the US and then enroll them in the Device Enrollment Program (https://www.apple.com/education/it/dep/). This will allow you to configure the devices so that every time they are erased, they will become supervised again and re-enrolled with your chosen MDM server and configuration (and also give you the option to lock MDM so that it is unremovable).
Configurator is not your friend if you're not going to have physical access to the device. You'll want to use an MDM server and should look at a third-party vendor for the best experience (see AirWatch and MobileIron to start with). An MDM server will be able to push install and update profiles and apps on the devices and so you should look heavily into this.
If the devices will be locked into a single application, look at Single App Mode. By pushing down a profile by MDM, you can lock the device into a single app, but only on SUPERVISED devices. You'll also want to look at the restrictions available for disabling things like Safari and such. The Mobile Device Management Protocol Reference and the Configuration Profile Reference are both your friends here.
You will NOT be able to prevent devices from updating iOS itself. This is a purposeful design choice from Apple and so you need to be testing your software against the developer betas to ensure it works before release or else you're out of luck.
Go check out the Apple Enterprise page (https://developer.apple.com/enterprise/). Some good videos are the WWDC 2014 "Managing Apple Devices" and "Building Apps for Business and Education".
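As an added illustration of the Single App Mode and Safari restriction mentioned in the answer above (this is not code from the answer or from Apple), the following Python example builds an unsigned configuration profile with an App Lock payload and a restrictions payload, then audits a profile for the two lockdown settings. The identifier prefix and bundle identifier are constructed sample values; the App Lock payload only takes effect on supervised devices, as the answer states.

```python
import plistlib
import uuid


def payload(ptype, ident, content):
    """Wrap payload-specific keys with the keys every payload carries."""
    return {"PayloadType": ptype, "PayloadVersion": 1,
            "PayloadIdentifier": ident,
            "PayloadUUID": str(uuid.uuid4()).upper(), **content}


def build_kiosk_profile(org_prefix, app_bundle_id):
    """Return .mobileconfig bytes: App Lock on one app, Safari disabled."""
    app_lock = payload("com.apple.app.lock", org_prefix + ".applock",
                       {"App": {"Identifier": app_bundle_id}})
    restrictions = payload("com.apple.applicationaccess",
                           org_prefix + ".restrictions",
                           {"allowSafari": False})
    profile = payload("Configuration", org_prefix + ".kiosk", {
        "PayloadDisplayName": "Kiosk lockdown",
        "PayloadContent": [app_lock, restrictions],
    })
    return plistlib.dumps(profile)


def audit_kiosk_profile(raw, expected_bundle_id):
    """List the reasons a profile does not lock the device as intended."""
    profile = plistlib.loads(raw)
    by_type = {p.get("PayloadType"): p
               for p in profile.get("PayloadContent", [])}
    problems = []
    lock = by_type.get("com.apple.app.lock")
    if lock is None:
        problems.append("no com.apple.app.lock payload")
    elif lock.get("App", {}).get("Identifier") != expected_bundle_id:
        problems.append("App Lock points at a different bundle identifier")
    # A missing restrictions payload leaves Safari at its default (allowed).
    if by_type.get("com.apple.applicationaccess", {}).get("allowSafari", True):
        problems.append("Safari is not disabled")
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from the page.
    raw = build_kiosk_profile("com.example.mdm", "com.example.partnerapp")
    print(audit_kiosk_profile(raw, "com.example.partnerapp"))
```

Running the audit before the MDM server pushes a profile catches a wrong bundle identifier while the devices can still be reached.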
I programmed an app for a company and would like to install the app on their iPads without having to submit the app to the App Store, since it's a commercial app for just this company. Is this possible without connecting each iPad to my MacBook and putting a developer certificate on it?
Is there another way? What about using a URL link or QR code (linking to this URL)?
Thanks in advance
Your question is about installing apps without iTunes and the Apple App Store. This is entirely possible and supported by Apple but you are still bound by your developer account's ability to only build signed binaries for 100 devices for testing purposes only.
You can distribute your apps over the air via services like hockeyapp.net and testflightapp.com (free), but these services are just hooking into the iOS system's ability to install signed binaries over the air, which has been possible since iOS4. There are several open source projects that provide the bare bones HTML and JavaScript/meta tags to install signed binaries over the net; one such project is iOS Beta Builder.
If you are creating Enterprise apps for clients (that will exist in production, not just a development environment) then your only legitimate way to provide your clients with apps that won't expire is to use an Enterprise Developer Account. The enterprise account has no device limits but the apps you sign with enterprise certs phone home to Apple each time they're launched and are strictly only allowed to be used for a single company and their current employees.
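The over-the-air install that the answer above describes is driven by a manifest plist and an `itms-services://` link. As an added example (not code from the answer or from any of the services it names), this Python code builds such a manifest, builds the install link, and audits a manifest before it is published. The host name, bundle identifier and version are constructed sample values; the HTTPS check reflects the requirement that iOS 7.1 and later only fetch manifests over HTTPS, and refusing a query string in the manifest URL is a simplification chosen for this example.

```python
import plistlib
from urllib.parse import urlsplit


def require_https(url):
    """Reject anything that is not an absolute https URL."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc:
        raise ValueError("OTA install URLs must be https: " + url)
    return url


def build_manifest(ipa_url, bundle_id, version, title):
    """Return the manifest plist bytes that point the device at the IPA."""
    manifest = {"items": [{
        "assets": [{"kind": "software-package",
                    "url": require_https(ipa_url)}],
        "metadata": {"bundle-identifier": bundle_id,
                     "bundle-version": version,
                     "kind": "software", "title": title},
    }]}
    return plistlib.dumps(manifest)


def install_link(manifest_url):
    """Build the link a user taps in Safari to start the install."""
    parts = urlsplit(require_https(manifest_url))
    if parts.query or parts.fragment:
        raise ValueError("manifest URL must not carry a query or fragment")
    return "itms-services://?action=download-manifest&url=" + manifest_url


def audit_manifest(raw, expected_bundle_id):
    """List problems in a manifest before it goes on the web server."""
    problems = []
    for item in plistlib.loads(raw).get("items", []):
        meta = item.get("metadata", {})
        if meta.get("bundle-identifier") != expected_bundle_id:
            problems.append("unexpected bundle identifier")
        for asset in item.get("assets", []):
            url = asset.get("url", "")
            if urlsplit(url).scheme != "https":
                problems.append("asset not served over https: " + url)
    return problems


if __name__ == "__main__":
    # Constructed sample values, not taken from the page.
    raw = build_manifest("https://apps.example.com/partner/app.ipa",
                         "com.example.partnerapp", "1.2.0", "Partner App")
    print(audit_manifest(raw, "com.example.partnerapp"))
    print(install_link("https://apps.example.com/partner/manifest.plist"))
```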
It is because Apple takes 30% of all the payments, isn't it?
The only way I see is to create a usual website which runs in the browser without installing.
TestFlight offers over-the-air beta distribution of iOS apps (on non-jailbroken devices). How can this be done? Is this an iOS feature, or a vulnerability exploit?
This article showed how Apple's OTA implementation works and can be used outside enterprises as well: ios wireless app distribution
The complete process is documented by Apple.
Apple also published documentation and sample code for registering devices and getting the UDID by using profiles, so your website can detect which device is calling.
Some additional solutions with different strengths:
iOS Beta Builder, a Mac Application to create the website by using a build. Simply upload the resulting files to your webserver.
Diawi: Simple Web service. Upload your IPA file, optionally set a password and send a link to your testers.
AppSendr: Web service for beta build hosting, similar to Testflight, but does not include the device registration process. But provides deployment utilities to automatically upload new versions.
HockeyKit: Open source project for hosting beta versions on your own PHP5 server with additional functionalities like a client for In-App-Updates, automatic device specific web sites and handling multiple applications. Completely file and directory based.
HockeyApp: Web Service for beta build hosting, In-App-Updates, Statistics, and including device registration, invite and recruitment. Also provides server side crash report collection, symbolication (for all threads) and crash grouping for beta and app store apps (iOS + Mac). SDKs are open source, using HockeyKit, QuincyKit and PLCrashReporter (which is the only safe solution on how to do crash report collection on iOS, see this article).
Note: I am the main developer of HockeyKit and QuincyKit, and one of the developers of HockeyApp.
This was possible before TestFlight rolled out a service. The technique stemmed out of the enterprise distribution mechanism. Since 4.0 devices have supported install from web.
Remember - you still need to sign the beta distribution for a select set of UDIDs; you can't just willy-nilly install it on any device. All they are doing is taking the "email the IPA" step out of things.
See:
http://www.alexcurylo.com/blog/2010/08/27/wireless-ad-hoc-distribution/
Update: I want to say that Test Flight is one of the most helpful tools I've used when developing though. Just taking the IPA emailing out of the picture was an understatement - I was just trying to call out the technical mechanism. They do a fantastic job managing the whole beta process: getting new devices enrolled, notifying users etc.
Testflight basically uses the normal Ad Hoc as already stated.
For this to work, you need the UDID for every device in order to add it to the Ad Hoc profile, re-compile the app with the new profile and redistribute the new build.
You can get the UDID with the help of the OTA Authentication Request. This is actually a step that is done in MDM before the actual profile is rolled out to the device. It basically asks the device for further information about itself and sends it back to a self-specified server.
The first step is documented here: Apple OTA Configuration
I guess Testflight uses this right after the registration process to collect the UDID, phone name, ...
Yes this is a core feature of iOS for Enterprise Customers who wish to distribute OTA.
Presumably you would pass your UDID over to TestFlight along with the app and they use their Enterprise Licence to send the app to you. I'm sure I'm missing a lot of the technical details but if you want to know more, Apple has a video on this from WWDC 2010.
Log in to developer.apple.com, go to WWDC 2010 Videos and use the link to get to the videos. The video you want is "Session 108 - Managing Mobile Devices". It is very informative about what is possible with OTA and the steps you have to take to do OTA provisioning.
Stock iOS devices are "vulnerable" to running the user loading Ad Hoc apps from any developer who has that device's UDID, and registers that UDID among their 100 allowed devices on Apple's developer portal.
OTA distribution is just another way to install an Ad Hoc beta test distribution from an enrolled developer.