Centrally managing Apple devices in an enterprise is always a challenge. In this guide we cover the most important concepts and describe what is possible and what is not, so that you get an overview of the most important features.
Apple devices are managed mainly through a so-called profile on the device. To register a device in MDM software like Relution, such a profile has to be installed on the device. In Relution this is done by creating an enrollment, which consists mainly of a link to a landing page where a wizard guides the user or the admin through the process. After the profile is installed, the Relution app is pushed automatically to the device. In this app the user can check their compliance status and access the enterprise apps the organization offers. Additionally, it informs the user via push messages about compliance violations, for example installed forbidden apps.
First of all, we need to understand a few concepts from the Apple MDM ecosystem, and supervision is one of them. Supervising an Apple device gives you more control over the device and enables many more restrictions and configuration options. The best way to understand the concept is to read Apple's definition here. Excerpt:
Supervision gives schools and businesses greater control over the iOS devices they own. With supervision, your administrator can apply extra restrictions like turning off AirDrop or preventing access to the App Store. It also provides additional device configurations and features, like silently updating apps or filtering web usage. By default, your iPhone, iPad, or iPod touch isn’t supervised. Supervision can only be turned on when you set up a new device. If your iPhone, iPad, or iPod touch isn’t supervised now, your administrator needs to completely erase your device to set up supervision.
With iOS 10, Apple does not introduce as many MDM features as with iOS 9.3. One big new feature is the possibility to change the default phone app used for VoIP calls. Additionally, Apple marks a lot of MDM features as "deprecated", which means they will be removed in a future version. For non-supervised devices, the following restrictions are changed to only be available on supervised devices:
- Disable App installation and removal
- Disable FaceTime
- Disable Siri
- Disable Safari
- Disable iTunes
- Prohibit explicit content
- Disable iCloud documents and data
- Disable multiplayer gaming
- Disable adding GameCenter friends
These features still work on non-supervised devices, but in one of the next iOS versions they will only be available on supervised devices. Other new features are relevant for enterprises but do not affect the management of devices, such as:
- CallKit API: make and receive calls from apps like Skype for Business
- Universal Clipboard: share the clipboard with your Mac over iCloud
- Multitasking on the iPad Pro
- Smart Notifications
- macOS, watchOS and tvOS
Administrators can define the layout of apps, folders and web clips on the home screen. Like most of the other MDM features in iOS 9.3, this is for supervised devices only. Additionally, administrators are able to set the text on the lock screen to something like "If lost, please return to ...". Notifications can be defined and restricted as well: administrators can specify which apps are allowed to notify the user and in which manner. The most desired feature for a long time now comes to iOS: the new app blacklist in the restrictions allows preventing selected apps from being launched or shown. The same logic applies to app whitelists, where administrators decide which apps are shown; all apps not on the whitelist cannot be used. Please be aware that this is also a supervised feature. This means the administrator has to supervise the device with a USB cable and the Apple Configurator, or order supervised devices through the DEP (Device Enrollment Program). Another new MDM feature is the ability to whitelist a set of URLs for which users can save passwords in Safari. This means users can only save passwords in Safari for URLs matching the defined patterns. Additional restrictions for iTunes Radio are available in supervised mode, too. The Apple School Manager service will make managing iOS devices used in schools much easier and can be accessed through any web browser. All of these can be looked up in the Configuration Profile Reference by Apple and will be integrated into Relution.
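As an added example (not Relution's code and not from the original article): a small Python check that reads a configuration profile and flags Restrictions payload keys that will not be enforced on non-supervised devices, covering both the iOS 10 deprecation list above and the supervised-only iOS 9.3 features (app blacklist/whitelist, Safari password URL whitelist). The payload key names are those of Apple's Configuration Profile Reference; mapping the article's feature names to those keys, and the sample profile, are my own assumptions.

```python
import plistlib

# Restrictions payload keys (PayloadType com.apple.applicationaccess) for the
# restrictions the article lists as deprecated on non-supervised devices in
# iOS 10; mapping the feature names to these keys is this example's assumption.
DEPRECATED_ON_UNSUPERVISED = {
    "allowAppInstallation", "allowAppRemoval", "allowVideoConferencing",  # FaceTime
    "allowAssistant",  # Siri
    "allowSafari", "allowiTunes", "allowExplicitContent",
    "allowCloudDocumentSync", "allowMultiplayerGaming", "allowAddingGameCenterFriends",
}
# iOS 9.3 keys that are supervised-only from the start (silently ignored elsewhere).
SUPERVISED_ONLY = {
    "blacklistedAppBundleIDs", "whitelistedAppBundleIDs",  # app blacklist/whitelist
    "safariPasswordAutoFillDomains",  # URLs for which Safari may save passwords
}

def audit_restrictions(profile_bytes, supervised):
    """Return (key, status) for restrictions not enforced on the target devices:
    "ignored" (supervised-only) or "deprecated" (works today, scheduled to go)."""
    if supervised:
        return []
    findings = []
    for payload in plistlib.loads(profile_bytes).get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.applicationaccess":
            continue
        for key in sorted(payload):
            # allow* keys default to True; only an explicit False restricts anything
            if key in DEPRECATED_ON_UNSUPERVISED and payload[key] is False:
                findings.append((key, "deprecated"))
            elif key in SUPERVISED_ONLY:
                findings.append((key, "ignored"))
    return findings

# Constructed sample profile with placeholder identifiers, not a real deployment.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration", "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.restrictions",
    "PayloadUUID": "00000000-0000-0000-0000-000000000001",
    "PayloadContent": [{
        "PayloadType": "com.apple.applicationaccess", "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.restrictions.access",
        "PayloadUUID": "00000000-0000-0000-0000-000000000002",
        "allowAppInstallation": False,  # deprecated for non-supervised devices
        "allowSafari": True,            # no restriction set, must not be flagged
        "allowCamera": False,           # works on every device, not flagged
        "blacklistedAppBundleIDs": ["com.example.forbidden"],  # supervised-only
    }],
})
```

Run it against an exported .mobileconfig (read as bytes) with `supervised=False` before rolling a profile out to a fleet that was enrolled without DEP or Apple Configurator.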
When Apple announced iOS 9 during 2015’s WWDC, they talked a lot about improvements for the end user like:
- Multitasking
- Improved Search
- Gaming
- App Thinning
- App Transport Security
- Extension Points
- Contacts and Contacts UI
- Watch Connectivity
- Swift Enhancements
- Additional Framework Changes
Some of these features are really nice gimmicks, but I do not think that multitasking will have a big effect in the enterprise world – people like to focus on one task at a time. Tablets have been in enterprises for years now, in different kinds of contexts. People using Touch ID might start to complain after the update to iOS 9 because they are now forced to have a 6-digit passcode instead of 4. The biggest effects on the market – and especially on app management tools (like ours) – will probably be caused by opening Xcode to everyone. In iOS 9, no longer only registered developers but everyone can write apps and install them on their devices. This might even change the way enterprises build and sign apps. Will they still use Enterprise certificates? Are apps that are signed by an unregistered developer still safe to use? Will the black market on the internet for iOS apps explode because of this functionality? We will see.
In this video session Apple talks about MDM (Mobile Device Management), VPP (Volume Purchase Program) and DEP (Device Enrollment Program). Let’s start with VPP, which is already released and is a great way of buying and distributing app licenses in bulk. But until now, every single Enterprise Mobility administrator struggles with Apple IDs and distribution models, because either one iOS device is used by multiple people or there is just one Apple ID for all the devices. It looks like this could be over with iOS 9: VPP app licenses can be assigned to devices instead of users, and no Apple ID is needed at all. From my point of view this will give VPP a real push, and it makes administrators’ lives a lot easier. Other great news is the possibility to convert apps manually installed by the user into managed apps. Only managed apps can be installed and, more importantly, uninstalled by the administrator. This means that managed app configurations can now be applied without reinstalling the app (on supervised devices this even happens silently; on unsupervised devices the user has to confirm the management of the app). In the classic MDM space there is some news, too. New restrictions are available, administrators can now treat AirDrop as an unmanaged destination, new enterprise app authors can be trusted automatically (which is great if a company works with a trusted agency for app development), and screen recording is now possible. Apple also added new restrictions that only work on supervised devices: automatic app downloads, further iCloud restrictions, keyboard shortcuts, device name changes, passcode, wallpaper, News and pairing with the Apple Watch. Apple also deprecated some features, like app installation and removal, which will have an effect on a lot of enterprises. When this is no longer possible, I can already hear administrators complaining loudly because they will no longer be able to roll their apps out quickly.
All of these changes are incremental, but some of them will have a huge effect on companies relying on some of the features. From an administrator's point of view, the "mark as managed app" functionality is great; the deprecation of "install/remove app" will freak them out. All other changes are really good improvements.
Last update: October 2016