7 Replies Latest reply on May 19, 2016 7:30 AM by robert.morton

    Managing iOS

    philcebutv Apprentice

      Hi All,

       

      Is there any step-by-step instruction on how to manage iOS?

       

      What we wanted to achieve:

      Automatic LANrev agent iPad enrollment - around 100 iPads

      Push iOS apps using VPP or without requiring each student to create an Apple ID.

      Turn off Apple's "Find my iPhone/iPad"

       

      Optional

      Automatic WiFi enrollment

      Automatic email configuration

       

      I am new to managing iOS and would love to get hands-on with it.

       

      We are by the way on version 6.3 and I know the server needs to be updated to the latest.

       

       

      Phil

        • 1. Re: Managing iOS
          patgmac1 Expert

          Enrolling in Apple's DEP is probably the best first step. Then devices are enrolled out of the box.

          1 of 1 people found this helpful
          • 2. Re: Managing iOS
            robert.morton Apprentice

            Step 1 is to update the server. Luckily, this is an easy process to go from 6.3 to 7.2. Having said that, since you are on 6.3 I seriously doubt your MDM server is still working if it was ever configured. Your Apple Push cert would have expired by now and would not have been renewable with 6.3.

             

            Step 2 as Patrick mentioned is enroll in DEP and VPP. Start at http://deploy.apple.com for both.

             

            What DEP does is as a device is reset or powered on for the first time, you pick a wifi, and then the device just knows and binds to your LANrev MDM server. You can supervise the device this way, push iOS apps using VPP to the device, and do everything else you wanted with the exception of wifi sort of.

             

            So, how to do this...

            I am assuming that you have MDM configured correctly, are running at least 7.2, and are enrolled in DEP and VPP and you have gotten those tokens from Apple and put them in the Server Center > Server Settings > MDM tab.

             

            First, go to the Mobile Devices Window

            On the left scroll down until you get to ASSIGNABLE ITEMS

            Select Device Enrollment Profiles

            Right click on the right to create a new one.

            Here are the General settings I would suggest for a device that would not have an AD account associated to it

            Screenshot 2016-05-17 14.58.55.png

            Decide which Setup Assistant Options you want to allow the user to skip as well.

            In the same area (ASSIGNABLE ITEMS) is Third-Party Applications

            Assuming you set up your VPP token correctly, apps you purchase on Apple's VPP site will automatically appear here.

            Now go to Actions under ASSIGNABLE ITEMS

            Right click on the right-hand side and create a New Enable Activation Lock Action

            Screenshot 2016-05-17 15.06.20.png

             

            This will make it so even if the student figures out a way to lock the device, you can always override it and gain control of the device again.

            Now select Configuration Profiles under ASSIGNABLE ITEMS

            Create a new iOS profile.

            Under the Restrictions area, look for Allow modifying account settings (Supervised devices only) [iOS 7+] and uncheck it. This will prevent the user from entering an Apple ID to even enable Find My iPhone.

             

            For email you would also create a configuration profile, but it will depend on what type of email server you have. If the device was enrolled using AD Authentication during the DEP process, an email configuration profile can be created that will really simplify the setup.

             

            Now everything is created that you want to assign, you just need a policy to assign it to.

            On the left hand side click on POLICIES

            On the right hand side, right click and create a New Smart Policy: Mobile Devices...

            Create a policy for all your devices you want these items applied to. This would be all iOS devices...

            Screenshot 2016-05-17 15.15.32.png

            Now if you open up that policy, you will see the same sections as ASSIGNABLE ITEMS

            Open them up and you can make automatic assignments to the devices. This is where you will want to assign your Device Enrollment Profile, Configuration Profiles, Actions and Third-Party Applications that you created under ASSIGNABLE Items. You can drag the items to the category you want.

            Screenshot 2016-05-17 15.17.28.png

             

            Anyway, that should get you started. It may make sense for you to talk to your sales person about getting some professional services to assist with some of this to simplify your life, make sure your old server is still good and give you some best practices guidance.
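
An added example, not part of the original post and not LANrev's own output: the "Allow modifying account settings" restriction described above corresponds to the `allowAccountModification` key in Apple's Restrictions payload (`com.apple.applicationaccess`). The Python below builds such a profile and audits an exported, unsigned .mobileconfig for that key; the organization name, identifiers and function names are assumptions.

```python
import plistlib
import uuid

# Apple's payload type for the Restrictions section of a configuration profile.
RESTRICTIONS_TYPE = "com.apple.applicationaccess"


def build_restrictions_profile(org="Example School",
                               identifier="org.example.ipad.restrictions"):
    """Return an unsigned .mobileconfig (XML plist bytes) that blocks
    account changes on supervised devices. org/identifier are placeholders."""
    restrictions = {
        "PayloadType": RESTRICTIONS_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier + ".payload",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Restrictions",
        # Supervised devices only, iOS 7+: user cannot add or change accounts.
        "allowAccountModification": False,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Student iPad restrictions",
        "PayloadOrganization": org,
        "PayloadContent": [restrictions],
    }
    return plistlib.dumps(profile)


def audit_profile(data):
    """Return a list of findings for an unsigned profile; empty means the
    account-modification restriction is present and set to false."""
    profile = plistlib.loads(data)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == RESTRICTIONS_TYPE]
    if not payloads:
        return ["no Restrictions payload found"]
    findings = []
    for payload in payloads:
        # An absent key means the default (allowed) applies on the device.
        if payload.get("allowAccountModification", True) is not False:
            findings.append("Restrictions payload leaves account modification allowed")
    return findings


if __name__ == "__main__":
    print(audit_profile(build_restrictions_profile()) or "restriction enforced")
```

A signed profile is wrapped in a CMS envelope and has to be unwrapped before `plistlib` can read it.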

            • 3. Re: Managing iOS
              philcebutv Apprentice

              Thank you Rob and Patrick for sharing your knowledge on this topic.

               

              This is a good start. Lots of reading and testing on my side.

              • 4. Re: Managing iOS
                sthon Apprentice

                Rob Morton wrote:

                ... You can supervise the device this way, push iOS apps using VPP to the device, and do everything else you wanted with the exception of wifi sort of.

                Yea - WiFi works as well but it's a pain in the neck to set up. We have a special server just for this; it automatically generates all the necessary WiFi certificates to connect to our network and renews them automatically. I myself am unsure about the details of this, since my colleague set it up. But we have a profile which tells the phone to connect to our certificate distribution server, which then creates a certificate and gives it to the MDM, and this pushes it to the phone.

                • 5. Re: Managing iOS
                  robert.morton Apprentice

                  Yeah, that sounds much more complicated than I was even referring to. The basic issue most see is...

                  MDM pushes everything wirelessly

                  Oh can you configure WiFi?

                  Sure, you join it to your WiFi and then we can push out a profile to configure it to your WiFi.

                  Oops.

                   

                  In general, with a school, it won't be that extreme for certificates. You can basically use Apple Configurator 2 to install the WiFi and hand off to DEP/MDM Server for everything else if you want a close to 0 touch deployment. You can also configure a staging area with an access point called AppleStore or Apple Store. Evidently iOS devices will auto join a wireless with that SSID.

                  1 of 1 people found this helpful
                  • 6. Re: Managing iOS
                    sthon Apprentice

                    We push the certificates over the air; they all have cellular data, so no problems there. Only thing is that we have personalized certificates, and in order to get such a certificate the device must already be in the WiFi network - circle of doom. So we push a general certificate to join the company WiFi and then generate a user-specific one.

                    • 7. Re: Managing iOS
                      robert.morton Apprentice

                      Yeah, so very similar issue, just with an added complication to include.