Getting a bunch of iOS and Mac devices setup is more of a logistical challenge than a technical hurdle. When you buy a couple iPads, it’s pretty simple to set them up for the email, security settings and apps that you need those devices to have. You can put them all on a table, give them an Apple ID and then set them up identically to give to users. But the first time someone wipes a device, or looses a device that you need to wipe, you’ll have to do that manual labor again. And if you’re buying more than a couple of Apple devices, then the amount of time becomes amplified to manage all of these tasks. This is where a management solution comes into play.
The first management solution that many look at is Apple Configurator. Apple Configurator is a free download off the Mac App Store and allows you to setup “profiles” for devices. These profiles then get applied to devices, automatically configuring settings on the devices: for example, disabling access to the App Store or configuring an email address. Apple Configurator has a lot of cool things that it can do, but you have to connect a device to a computer running the same instance of Apple Configurator that you used to setup devices initially, so over time it becomes pretty labor intensive and logistically challenging to manage a growing or permanent set of devices.
Apple Configurator, the first step towards managing Apple devices for many organizations
Next, many look to Mobile Device Management, or MDM for short. MDM allows you to manage devices over the air, instead of over USB. MDM can push settings to devices wirelessly. So if you decide you’d like to switch mail services, you can change the settings on all of your devices without plugging them into a computer, having users manually enter new mail settings or worse, manually entering those settings for the users when they bring you the iPad.
Bushel, MDM for the masses
The point of management solutions was once to restrict what people could do. This made sense, because with viruses running rampant in corporate networks and users accidentally clicking on a button and blowing up their computer, doing so helped to further secure devices while also reducing the support burden for those devices. With iOS devices and even the Mac, it’s getting harder and harder for a user to break a device. Therefore, we’re in a place now where we want to empower users rather than restrict them.
We worry less about security vulnerabilities on devices where the operating system isn’t able to be altered. This allows us, as with Apple, to improve the experience for the people who use devices. Which invariably leads to a mixed use of those devices. Facebook coexists with the work apps. But then, when people take devices home they’re often responding to mail and working a little at home to make up for any wasted time working on personal items in the office. By using the Apple deployment programs as they are designed, we can reduce the amount of manual effort required to manage devices while making for the most graceful user experiences possible!
I’ve recently read that some have a few security concerns surrounding what’s available in the lock screen on an iOS device. To be clear, you can’t do much with these features without authenticating. The way we’re going to disable them is using a Profile, created in Apple Configurator (a tool that is very helpful during the setup of Apple devices), and installing that profile on an iOS device. Download Apple Configurator on the App Store and open.
Once open, click on Supervise and then click on the Plus sign icon (+) in the Profiles section of the screen. At the General screen, we need to set the profile as non-removable without special password. To do so, scroll down and then choose With Authorization in the Security field. Then provide a password.
Next, we’ll set the specific policy. To do so, click on the Restriction option in the sidebar. Then click on Configure to see the options.
Uncheck the boxes for the following if you so choose:
Allow Passbook notifications in Lock screen: Disables notifications sent using the Passbook app from appearing on the lock screen.
Show Control Center in Lock screen: Disables the Control Center app (used to change songs, enable/disable Wi-Fi, enable/disable Bluetooth, enable Airplane mode, lock portrait orientation mode, AirDrop Contacts, enable the flashlight, enable and disable Do Not Disturb, access the camera app (not old pictures, mind you), access the clock/alarm/stopwatch, etc.
Show Notification Center in Lock screen: Shows notifications (emergency alerts, calendar appointments, etc. If you try to open any apps you’ll need to enter a passcode or provide a fingerprint.
Show Today view in Lock screen: Disables the Today tab of the Notification Center.
Click on the Save button to save your profile. Click on the Export button to Export your profile.
Provide a name and a location to save the profile to and click on the Save button. Once saved, open the profile on an iOS device (you can send it to the iOS device using Messages, an Email or even using Apple Configurator). Once installed, you cannot remove the profile without providing the password we just gave it. Don’t forget that password or it will be hard to manage those Apple devices in the long term. Enjoy!
At Bushel, we use Apple Configurator for all kinds of things. We also used Apple Configurator for all kinds of deployment techniques before we came together like Voltron to form Bushel. So we feel like there are some simple things to keep in mind when using Apple Configurator that we’d like to share:
What is Apple Configurator? Apple Configurator is a tool provided by Apple for managing iOS devices. Install profiles, enable Device Supervision, assign devices to users, send some data to devices (via check-in and check-out) and update/wipe devices for reuse.
When will you use Apple Configurator? You can use Apple Configurator to manually manage iOS devices over USB. If you are using Bushel then you could use Apple Configurator to enable Supervision when needed if you’re not using DEP enrollment for devices (DEP devices automatically have Supervision enabled). You can also use Apple Configurator to mass update devices quickly (you can update devices using an ipsw file on the computer running Apple Configurator rather than over the air) and you can use Apple Configurator to re-deploy devices because Apple Configurator has an option to wipe devices.
Do you have to use Apple Configurator? No, but when you’re working with a lot of devices it helps. You can skip the learning curve though, if you’re using Bushel or another 3rd party Mobile Device Management (MDM) solution. Apple Configurator is a great supplement but not a replacement to MDM. And an MDM like Bushel is a great supplement but not a replacement to Apple Configurator.
What can Apple Configurator do that an MDM can’t do? Because it connects via USB, Apple Configurator can update devices, set backgrounds, enable Device Supervision on non-DEP devices, restore actual data to devices and switch between operating systems. None of these features are available via a Mobile Device Management (MDM) suite. Supervision enables certain MDM features beyond what Bushel might support. These include managing AirDrop, iMessages, disabling the ability to manually install profiles, controlling the Global Proxy setting and Single App Mode. Currently, Bushel doesn’t manage any of these features.
Can Apple Configurator force an enrollment Profile? No, the only way to force an enrollment profile is through Apple’s Device Enrollment Program (DEP).
What is the relationship between MDM and Apple Configurator? These two tools complement one another. One is used for initial deployment and wired connectivity (Apple Configurator) and the other is used for long-term management over the air (e.g. an MDM like Bushel).
Disadvantages of Apple Configurator? Apple Configurator requires a wired connection to run. This is easy when you’re working with a cart of iPads but difficult when you have a large cohort of devices distributed globally or even within a single office.
Is Apple Configurator required for supervision? Devices leveraging Apple’s Device Enrollment Program (DEP) will not require Apple Configurator to enable Device Supervision. Devices that are not purchased under DEP will require Apple Configurator to enable Device Supervision. You would only need Device Supervision if you want to provide unattended app installations or allow a Find My iPhone Override.
When you add a bunch of devices to an MDM, we call it mass enrolling. Adding iPads, iPhones and iPods to your Bushel can be done through Apple Configurator. Apple Configurator automates the enrollment process, but when working with Bushel the enrollment profile has the username and email address, if you’re using email. This means that you would only want to use a mass enrollment option with Bushel if you are not using email, if all of your users will have the same generic email address or if your users will enter their own email information.
As mentioned, an enrollment profile automatically adds your devices to your Bushel. To obtain the enrollment profile:
Log into your Bushel.
Click on Devices.
Click on Enroll for Enroll This Device.
Click on Enroll This Device.
Once the profile is downloaded, it will automatically attempt to enroll the computer you are downloading it from in the Profiles System Preferences pane.
Click on Cancel.
Click on the downloads link in Safari.
Click on your Downloads folder.
You have now downloaded the .mobileconfig file that will enroll devices into your Bushel
Add the Profile To Apple Configurator:
To deploy the profile through Apple Configurator:
Open Apple Configurator.
Click on Supervise in the row of icons along the top of the screen.
Drag the profile (by default currently called MDM-iOS5.mobileconfig) from the Finder into the list of Profiles.
The profile then appears in Apple Configurator (in this example, called jasper Bushel Profile but would be called your organization’s name followed by Bushel Profile for you).
Deploy The Bushel Enrollment Profile Through Apple Configurator
Once the profile is installed in Apple Configurator, let’s deploy it. In this example, don’t configure any other options. To deploy:
Open Apple Configurator.
Click on Prepare.
Click on the Install Profiles button in the Profiles section of the Settings pane.
Check the box for the enrollment profile.
Follow the prompts on the screen of the device to install the profile.
If you then wish to remove the device from your Bushel (aka unenroll), simply remove the enrollment profile by opening the Settings app, scrolling down to the Profiles section and tapping on the Remove button for the profile you just installed.
Let’s talk about enrolling devices. Bushel has a few ways for you to enroll your devices to be managed. One way is to use Apple’s Device Enrollment Program. DEP has come out of necessity to make devices easier to deploy to the end user. When you use DEP with Bushel, your user’s will turn their computer on for the first time, connect to Wi-Fi during set up, and when the initial set up is done, the device will prompt the user to accept the Bushel management profile. All they need to do is click accept, and there you go! The device is enrolled in Bushel. For more information on DEP, visit Apple Device Enrollment Program
Bushel’s most popular enrollment method would be Open Enrollment. Open Enrollment allows your users to enroll their device in Bushel by visiting your Bushel URL and inputing the pin you created for set up. To learn more about Open Enrollment, visit Turn on Open Enrollment, Open Enroll a Mac, Open Enroll iOS devices
Lastly, you can enroll any device by logging into your Bushel account on the device you would like to enroll. Simply visit login.bushel.com on the device to enroll. After you log in, you will be on the Devices page. Click on the Enroll this Device box, and it will begin the enrollment process for that device. It’s that simple!
With Bushel, you have flexibility for device enrollment. Bushel is easy for anyone to enroll a device into your account at any time!