MDM

Posted by Charles Edge on November 9th, 2015

Enter Apple Configurator 2, a free tool on the Mac App Store. This tool basically fixes most setup challenges for iOS, but does so over USB. This means that Apple Configurator is not a replacement for Bushel. In fact, we get a lot of questions from experienced Apple administrators about how to use profiles that we don’t yet support. So Apple Configurator is a great way to get settings on devices that you don’t need to update over the air (e.g. initial setup options). Apple Configurator 2 is a tool that can help to manage iOS devices during a mass deployment and do so in a manner that is easy enough that you don’t need a firm background in IT to manage devices on a day-to-day basis.

Here is what Apple Configurator can do:

  • Update iOS devices to the latest version of iOS.
  • Rename devices using a numbered scheme (e.g. iPad 1, iPad 2, etc).
  • Erase (wipe) iOS devices.
  • Backup and Restore iOS devices.
  • Deploy profiles/policies (e.g. no Siri for you, disable cameras, setup wireless, etc) to iOS devices.
  • Export profiles.
  • Activate devices (after all a restore of a freshly activated device is an activation).
  • Push any kind of app to devices.
  • Track Volume Purchase Program (VPP) codes used on devices.
  • Manage the wallpaper on “Supervised” devices (more on supervision later).
  • Manage the names of devices en masse.
  • Load content to apps on devices.
  • Skip initial Activation steps on devices.

Apple Configurator 2 does have some caveats, including the following:

  • In order to push apps through Apple Configurator, the system running Configurator needs access to Apple’s servers and Apple Configurator needs an AppleID associated with it that is not the VPP facilitator if you are leveraging any paid apps.
  • You can use Apple Configurator “off-line” or without an AppleID to Prepare devices with Profiles, just not to Activate devices. For the initial device activation process, Macs running Apple Configurator will need to be online. Additionally, you’ll be prompted to enter your Apple ID routinely.
  • If you push Trust and Enrollment profiles to automatically join an MDM, the device isn’t associated with a user unless the MDM has been prepped to designate each UDID or Serial Number to a given user. Bushel doesn’t yet support mass enrollment in this fashion but will.
  • If you accidentally plug in your iPhone to a machine and you’re using Apple Configurator on it and you’ve chosen to Erase in the application, then it will wipe your phone along with the 30 iPads you’re wiping. It’s awesome and scary like that (yes, I’ve accidentally wiped my phone).

I see a number of uses for Apple Configurator. Some of these use cases include:

  • Company and education labs: manage devices end-to-end (no MDM, iTunes iPhone Configuration Utility or other tools needed), managed by the lab manager.
  • One-to-One environments (schools): Manage the distribution of infrastructure settings (mail, wireless networks, etc) for devices as well as Trust Profiles to make it faster to enroll in MDM environments and Web Clips to manage the links for enrollment.
  • Device distribution: Pre-load applications (that can’t be updated unless they’re cradled again), renaming, profiles, activation, iOS software updates, etc.
  • Backup and Restore only stations where you don’t interfere with later iTunes use.

These can enhance practically every environment I’ve worked with. But unless it’s a small environment (e.g. the labs), Apple Configurator isn’t a replacement for the tools already in use in most cases, like an MDM solution. Instead, it just makes things better. Overall, Apple Configurator 2 is a welcome addition to the bat belt that we all have for iOS management and deployment. Now that we’ve looked at the when/where of using it, let’s look at the how.

At this point, we’ll explore the Profiles options in Apple Configurator 2. To create profiles, use the File menu and click on New Profile.

At the Untitled profile name, enter a name in the Name field. This is how it will appear in the Profiles section of Apple Configurator. Because you can deploy multiple profiles, I’m just going to configure the SSID and Web Clip and call it MDM Enrollment Staging. Optionally, give it some notes, organization name, etc.

Click on Wi-Fi and then click on the Configure button. Here, enter the SSID of the deployment network (MDMEnroll in this example). We’ll use the Hidden Network field to indicate the SSID is suppressed and we’ll use the network type of WEP and throw the password into the Password field as well. Now, before we move on, notice that there’s a plus and minus sign in the top right of the screen? You can deploy multiple of each, so if you have 10 wireless networks, 4 Email accounts, 9 VPN connections, 29 SSL Certs etc, you could deploy them all easily with multiple entries of each.

Next, we’ll go ahead and enter a name for our Web Clip and the URL that the device will point to.

We’ll also disable certain features of iOS. To do so, click on Restrictions, and uncheck various boxes in order to disable features you don’t wish to use.

Go ahead and close the window and you’ll be prompted to save the profile.

You’ll then see MDM Enrollment Staging.mobileconfig in the Finder where you selected to store it.
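Before a saved profile goes onto a cart of devices, it is worth reading back what it actually contains. The script below is an added example, not part of the original post or of Apple Configurator: it audits an unsigned .mobileconfig like the one built above, and the password, Web Clip URL, identifier and UUID in the sample are constructed placeholders.

```python
import plistlib

# Constructed sample: the walkthrough's profile as an unsigned .mobileconfig.
# Password, Web Clip URL, identifier and UUID are placeholders, not real values.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadDisplayName": "MDM Enrollment Staging",
    "PayloadIdentifier": "com.example.staging",
    "PayloadUUID": "00000000-0000-0000-0000-000000000001",
    "PayloadVersion": 1,
    "PayloadContent": [
        {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "MDMEnroll",
         "HIDDEN_NETWORK": True, "EncryptionType": "WEP",
         "Password": "placeholder-key"},
        {"PayloadType": "com.apple.webClip.managed", "Label": "Enroll",
         "URL": "http://mdm.example.com/enroll", "IsRemovable": True},
        {"PayloadType": "com.apple.applicationaccess",
         "allowCamera": False, "allowAssistant": False},
    ],
})

# "Any" lets the device join whatever the access point offers, WEP included.
WEAK_WIFI = {"WEP", "None", "Any"}


def audit_profile(raw: bytes) -> list[str]:
    """Return review findings for an unsigned configuration profile."""
    profile = plistlib.loads(raw)
    findings = []
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType")
        if ptype == "com.apple.wifi.managed":
            ssid = payload.get("SSID_STR", "?")
            enc = payload.get("EncryptionType", "None")
            if enc in WEAK_WIFI:
                findings.append(f"wifi:{ssid}: weak EncryptionType {enc}")
            if "Password" in payload:
                findings.append(f"wifi:{ssid}: password stored in clear text")
            if payload.get("HIDDEN_NETWORK"):
                findings.append(f"wifi:{ssid}: hidden SSID, devices probe for it by name")
        elif ptype == "com.apple.webClip.managed":
            if not str(payload.get("URL", "")).lower().startswith("https://"):
                findings.append(f"webclip:{payload.get('Label', '?')}: URL is not HTTPS")
    return findings


if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE):
        print(finding)
```

To check a real file, pass its bytes to `audit_profile`; a signed profile is a CMS envelope and has to be unwrapped before `plistlib` can read it.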

Conclusion

Apple Configurator 2 is really a great tool when used in the right scenarios. In learning how it works and interacts I actually learned a lot about both iOS and Mac OS X that I didn’t know before. I hope I did the tool justice with how easy it is to use. This is a fairly long article and it’s probably more complicated than it needs to be in parts, but that’s more my method of trying to figure out what it’s doing than the tool being complicated. It’s not hard to figure out at all. I am sure I could teach any non-technical iOS admin basic use of Apple Configurator 2 in less than an hour.

Overall, in Apple Configurator 2, we have a new, powerful iteration in our arsenal that makes up the iOS administration ecosystem. I also hope that, no matter what, if you manage iOS devices, you’ll take a look at it. I expect you’ll find it useful in some part of your management toolkit!

Posted by Charles Edge on October 30th, 2015

A common question we get in the media is whether or not an employer can look at email on an employee’s device. The answer is that an employer cannot use Bushel to see mail or content on a device. This isn’t to say that you can’t use your Exchange, Office 365, or Google Apps administrative accounts to view your email. But Bushel doesn’t have anything to do with that.

Apple has a strong sense of privacy around devices. Devices should be able to be used to access your data (email, app content, etc) in such a way that you have no concern about the privacy of that data. You cannot view what someone is doing on a device unless that user specifically AirPlays their display to another device. You cannot see data as it’s being transferred to devices. You cannot see what Apple ID is used on a device.

But you can secure the data. You can silo your organization’s data using Managed Open-In. This allows you to flag all data coming through mail accounts and apps that your organization gave a device so that those files cannot be copied to mail accounts and apps that your organization did not give a device. This doesn’t mean you can see those files, or access them. Only that you can control how they move within devices.

Overall, the privacy controls for iPads and iPhones are the most well thought out and well orchestrated security controls in the industry. A user can have a solid sense that their data is only able to be viewed by them, without concern that prying eyes are creeping on their devices. And an employer can have a sense of security that their data can be pulled from devices they own and BYOD devices, in the event that there is turnover or a device falls outside of their control.

Posted by Charles Edge on August 17th, 2015

More and more mobile devices are making their way into the workplace. In response to this influx of technology assets, companies keep track of their hardware in a number of different ways. Some may file purchase receipts while others log serial numbers. Many companies take organization a step further and assign some sort of standardized asset tag to company-owned devices. This makes keeping everything in order much easier. Of course, then the challenge becomes keeping track of this centralized list. For these kinds of chores, every company has a slightly different process.

We’ve got some good news! You can now keep your digital records in sync with your physical hardware. The new Asset Tag field within the Device view of Bushel helps by further simplifying your inventory management. Now you can simply enter your company’s asset tag (or tracking information of your choice) directly into that device record. This asset tag information is even included when you export your full inventory information to CSV. Oh the power of simplicity.

Questions about Bushel? Check out our new Bushel Help Center for tips and tricks on the different capabilities found within Bushel.

Posted by Charles Edge on July 15th, 2015

We’ve all been there, or spoken with someone who’s been there: you’re looking at a locked device and someone doesn’t know the PIN to unlock the device. On an iPad, iPhone, or iPod Touch, a Mobile Device Management product such as Bushel can unlock that device by resetting the PIN and allowing you to configure a new PIN. It’s kinda’ awesome when someone forgets a PIN they assigned a device, leaves the company or just plain forgets. But, there are a few things we should probably mention about this feature of Bushel:

  • The device must be online in order to accept our command to reset the PIN. By default, when locked, it should still be on your networks if it remembers them.
  • If no remembered networks are nearby, you could create a new wireless network (e.g. using Internet Sharing on your laptop) and spoof the name and password of a stored network.
  • Wi-Fi information is stored in the secure enclave. If you restart the device then the device will not re-attach to a Wi-Fi network.
  • You can use a thunderbolt to USB adapter and then a USB to Ethernet adapter in order to physically plug the device into a network and allow the unlock command to process.
  • You can always wipe a device while in the locked state, but most don’t want to do this, so if possible try all the above options first.