Today, when you login to SimpleMDM, you’ll be greeted with a new design. Manage your assets with ease with an updated and simplified, yet powerful interface.
Begin managing your Apple desktop and laptops computers in the same interface as your other Apple assets with SimpleMDM. Simply complete the enrollment process on the OS X device itself to place it under management.
Today, all SimpleMDM accounts have access to additional VPP enhancements including the ability to release and use licenses previously managed by other MDM services. Other improvements include:
If you have a question about this update, to provide feedback, or to give a feature suggestion, visit the SimpleMDM help center.
After strong community requests and feedback, we’ve added a programmatic API to SimpleMDM, allowing you to integrate your existing infrastructure and SimpleMDM account. Automate app deployment, trigger actions like device lock and wipe, and retrieve device inventory information.
Complete documentation is available in our API Reference. We also have a ruby library available to jump start your integration.
Feel free to reach out to us with any development ideas or questions. We’re all ears!
Today we rolled out public support for Apple’s Device Enrollment Program (DEP). You now have the ability to automatically enroll new Apple devices with SimpleMDM during the initial device setup screens.
Organizations purchasing Apple iPhones, iPads, and Macintosh computers previously had to spend a significant amount of time configuring these new devices before they were ready to be used. In response, Apple created DEP, allowing a company to preconfigure a large number of new devices so that they can simply be unboxed and turned on, ready to go.
SimpleMDM allows you to configure your DEP devices before they are turned on. Once a device is powered on for the first time, it will appear in SimpleMDM and will be manageable by you.
In addition to MDM, here are just a few of the settings that you can control:
Yes. Previously, the only way to put a device in Supervised mode was to connect it via USB to an OS X computer running Apple Configurator or Apple Configurator 2 software. DEP allows you to force devices to automatically start in Supervised mode upon initial power-on.
Supervised mode allows for a much higher amount of control of the device via MDM. Some of the features available on Supervised devices are:
Apple has prepared outstanding documentation on the DEP program. We encourage you to peruse it if you are considering using DEP in your organization.
SimpleMDM can deploy Apple Volume Purchase Program (VPP) apps and licenses directly to Apple devices running iOS 9 and higher without requiring an Apple ID.
Previously, Apple VPP only allowed app licenses to be assigned to Apple ID accounts. This method has the benefit of allowing a single app license to be shared across all of the devices an individual is using. Since the license is assigned to the Apple ID, the app can be licensed and used across more than one device.
A major caveat of this method is that an Apple ID must exist on a device before a licensed app can be installed to it. To illustrate the pain of this method, the workflow for most companies utilizing VPP looks like this:
The new method of distributing licenses by device is much faster:
For organizations where users generally have a single device or where the administrative overhead of Apple ID configuration and management is significant, per-device VPP assignment is a huge win.
Moving forward, SimpleMDM accounts, by default, utilize VPP assignment at the device level. Existing accounts will continue to use VPP assignment with Apple ID, but can easily change to device-level assignment at any time without disturbing their existing Apple ID license assignments. To change modes, navigate to the “Apps” section and then the “Settings” tab.
If you aren’t already, you can sign up for a SimpleMDM account and manage your first five devices for free. If you are interested in utilizing Apple VPP, additional enrollment information is available at Apple’s Volume Purchase Program website.
The Device Enrollment Program was developed by Apple to help businesses and educational institutions easily deploy iOS and OS X devices. The workflow involved in configuring newly purchased iOS and OS X devices traditionally was complicated, even when utilizing mobile device management. DEP was created to reduce the number of steps required before a newly purchased device is ready for use by the organization.
If your organization has even one of these requirements, DEP is worth utilizing:
This benefits IT in that it greatly reduces the number of ‘touches’ that need to be performed on each device.
DEP is a great boon for non-technical employees in an organization as well. As soon as they unbox their device and turn it on, it’s ready to go after a few screens. There’s no waiting for IT to configure the device, and, there’s less confusion during the setup process. An employee is able to use their device without delay.
A DEP account must be created with Apple. Once this account is created, an organization can purchase devices through Apple or through a third party such as a cellular carrier or a reseller partner. These devices are then registered with the DEP account.
When you pair SimpleMDM with a DEP account, SimpleMDM will allow you to select how your devices will be configured. These selections, when saved, will be pushed to your DEP account.
When a device that’s registered with your DEP account is turned on for the first time, it contacts the Apple DEP program and checks for a configuration. When it sees the SimpleMDM configuration that you created, it applies it to the device.
Configuring DEP within SimpleMDM allows for a number of options, such as:
There are a number of setup panes that you can also disable or modify. Specifically, you can opt to:
That’s it. Once you’ve received your Apple devices, they will receive their configuration as soon as you power them up for the first time.
We hope that this guide has been helpful. Feel free to leave a comment with any questions you may have. We’ll be sure to answer them.
Apple released the first beta of iOS 9.3 last week to developers, revealing a number of new features. Some of the more substantial of these features are Night Shift, the ability to protect your notes with TouchID, News and Health enhancements, CarPlay enhancements, and further improvements to 3D Touch technology.
What has yet to be discussed are the many enhancements on the mobile device management front that are also expected to be included. We’ll mention them now.
Hotly tracked on the web (here, and here, and here, and more) iOS 9.3 adds two additional labels to its interface to remind the user that their device is under supervision. This reminder isn’t an indicator that MDM somehow has substantially more control over your device than it did before. It is, however, a good way to remind a user that they may want to use the device differently than their personal device.
Interestingly enough, one of the notifications states: “[company name] can monitor your Internet traffic and locate this device.” While using MDM in conjunction with an APN configuration (via a service like Wandera), using a Global HTTP configuration, or using a VPN configuration makes it possible to track internet traffic, MDM does not inherently allow a company to monitor a device’s internet traffic. Likewise, while MDM allows a company to track the IP address of a device or install an app that tracks location, MDM does not have any device location tracking built in.
On supervised devices, iOS will support the ability to create an app whitelist or blacklist. An administrator will be able to use either of these lists to control which apps are allowed to run on a device and which will be disabled.
Previously, the best way to accomplish this feature was to punish users who installed unauthorized apps by taking away certain iOS controls if an unauthorized app was detected. There was no way to forcefully keep a user from running an app, except to disable the App Store. This is a tremendously useful function and a big win for IT departments that require a high amount of control.
iOS MDM will now support remotely controlling the layout of apps, folders, and web clips on the home screen. For supervised devices only.
MDM will support the configuration of notifications. Namely, an administrator will be able to specify the apps that are allowed to create notifications and the type of notification they can create, such as a banner, modal alert, badge, or sound. It will also support setting whether a particular app notification can appear in the notification center and/or lock screen.
iOS will allow administrators to disable iTunes Radio as well as disable the user’s ability to change their notification settings (the latter available for supervised devices only).
iOS 9.3 will support the ability for an administrator to create a whitelist of domains that a user is allowed to save passwords for in Safari. If the domain does not exist on this list, the user will not be permitted to save their username and password to Safari. For supervised devices only.
Apple’s iOS Education push will be seen in iOS 9.3. This includes the ability to configure devices to be used in the classroom and shared among multiple students. A complete rundown of the functionality to be made available can be seen at Apple’s Education Preview site.
Looking for a mobile device manager? Give SimpleMDM a try. You can enroll up to five devices for free in just minutes, only requiring an email address.
Apple Configurator, which is currently on version 2, is an OS X application that allows for the create configurations and then apply them to iOS devices. It also allows the installation of apps to an iOS device. Before Apple Configurator, Apple had an application named iPhone Configuration Utility. Apple Configurator (1 and 2) are essentially the continuation of the iPhone Configuration utility, which is no longer distributed.
The range of configuration options in Configurator cover the gamut of what you might imagine is possible: minimum security requirements for passcodes, VPN configurations, on-device certificates, and even fonts. Generally, any configurations that can be applied via mobile device management (MDM) are also available in Apple Configurator 2.
Apple Configurator 2 provides the ability for an administrator to select which apps to have installed to iOS as well. Once signed in with an Apple ID, any app ever downloaded or purchased under that Apple ID will be available for selection.
Apple Configurator 2 combines these two abilities, configurations (actually called profiles, which are made of up individual payloads) and apps into a parent object called a blueprint. An administrator is able to create multiple blueprints within Apple Configurator 2, whether they are role based (executive, manager, contributor), department based (sales, marketing, support), or some other division. Blueprints can also be layered on a device, allowing devices to have more than just a single blueprint.
Once blueprints have been configured, Apple Configurator 2 can be placed in a mode called ‘prepare’. As iOS devices are connected to the computer running Apple Configurator 2 with a USB to lightning connector, Apple Configurator 2 pushes the configuration to the device. Optionally, devices can also be wiped, have iOS upgraded to the latest version, be placed into supervision mode, enroll with an MDM, among others.
Since the process from plug in to unplug can take some time, especially if wiping, upgrading iOS or switching to supervised mode (which requires a system wipe), many administrators use high-capacity USB hubs. Though we haven’t used it personally, the Cambrionix PowerPad15 is an example of such a USB hub that is used quit extensively for this very purpose. A side note: if looking to purchase a hub, check what capacity of power the hub is capable of providing. If the wattage is too low, devices may not charge whilst plugged in, which may or may not matter depending upon your workflow.
After explaining the functionality of Apple Configurator 2, an often asked question is: So why do I need MDM if I can manage configurations and apps this way? The question is a fair one, and the the answer largely depends upon your organizational needs.
Apple Configurator 2 can provide parity with MDM for some organizations with limited requirements. The big difference is in the ability to control configurations after deployment. With Configurator, once a device is unplugged from its lightning connection, no further communication is possible unless the device is plugged back in. With MDM, configuration can be controlled over-the-air, meaning wirelessly via WiFi or cellular connection.
Apple Configurator’s ability to manage apps is also very limited. Whereas the Configurator doesn’t extend far beyond allowing you to select apps to install, most MDMs will allow you to distribute company owned app licenses as well as remotely update and remove apps, too. MDM is even capable of pushing app-specific configurations, allowing app developers and IT to work together to automatically sign a user into their app, for instance. If you’re interested in how MDM can be used to simplify app deployment, we strongly recommend this read: Install Apps Remotely to iPads and iPhones which provides a comprehensive view of the many ways to deploy apps, each having their own strengths.
MDM provides a multitude of additional features. Actions are possible, like locking the device, wiping its contents, and monitoring what apps are installed, all remotely. MDM also allows you to access advanced functionalities, like forcing a device to only display a single app. This is great for situations where a device needs to act like an appliance: for instance, a Square point of sale system.
Organizations, if using both of these technologies, will establish a balance between the two. Apple Configurator 2 may be used to make sure all devices are running the latest iOS version, are supervised, and have an initial WiFi network connection, whereas MDM is then used for all further configurations and management. For some organizations, additional tooling, such as GroundControl provides even more control and automation between where Apple Configurator ends and MDM starts.
The path of least resistance when enrolling a device with MDM is generally using a link, sent to the device by SMS, email, or manually typed. This is a reasonable “get it done” method if you only have a few devices or if employees will be enrolling their devices on their own. It absolutely does not scale for companies with a large number of company-owned devices that to be set up. Instead, an organization will generally use the relatively newer Apple Device Enrollment Program (read Explained: The Apple Device Enrollment Program) to have devices automatically configured with their MDM out-of-the-box, or they’ll use Apple Configurator 2.
We’ll now explain how to configure a device with MDM using Apple Configurator 2. To start, if you haven’t already, download Apple Configurator 2 from the Mac App Store. It’s a free download. Install the app and then run it.
Once the application is running, create any blueprints that you desire to. It isn’t required that blueprints are used, so feel free to skip this step.
Next, click the ‘Prepare’ button from the app top bar.
Configurator will ask you which mode you’d like to use. Select ‘Manual’ unless you are enrolled with Apple DEP, in which case you probably don’t need to use Apple Configurator 2 in the first place.
Apple Configurator will ask you if you’d like to assign the device to an MDM. Select ‘New server…’ if you haven’t completed this process before. The following screen will allow you to specify a name for your MDM as well as the enrollment URL.
The process for getting an enrollment url varies between MDM vendors. For SimpleMDM, sign in and click the ‘Enroll Devices’ button. Select a group for group enrollment and click ‘Show Enrollment’. An enrollment link will be provided on the screen and will likely look similar to the one in our screenshot. Copy this URL from SimpleMDM and paste it within Configurator. On the next screen, Configurator will allow you to add anchor certificates. When using SimpleMDM, you can leave this as-is.
The remaining steps do not deal with MDM specifically. You will be asked if you’d like to:
1. Supervise the device and block other computers from managing it.
2. Provide information about your organization to be displayed on the device.
3. Skip certain set-up screens during the initial iOS startup.
4. Create or use an existing configurator identity. This is essentially a certificate that allows you to re-access these devices down the road with Apple Configurator on the same or on a different computer.
Once you’ve completed these steps, Configurator will begin setting up the devices you selected initially or plug in subsequently. As these devices are configured, they will appear in your MDM software automatically. Not bad, right?
The strict answer is ‘no’. Apple Configurator software is only for OS X; Apple does not distribute a Windows version.
The nitty gritty answer is ‘sort of’. None of these methods are recommended and may provide more pain than gain, so we generally recommend that organizations in this scenario purchase a Mac Mini to have as a resource for around the office. If interested in going down the rabbit hole, here are some methods that we’ve heard employed:
1. Apple used to distribute a Windows version of the iPhone Configuration Utility. It’s still available on c|net here. Note that the last version of this software was released in January of 2013. At best it’s missing many features and at worse it won’t work at all.
2. Run OS X as a virtual machine on Windows. We’re pretty sure this breaks Apple OS X software licensing rules, so we cannot recommend this methodology. We’ve heard some reports that most virtual machine software handles USB emulation in a manner that causes issues when connecting and disconnection iOS devices, but we cannot confirm this.
3. Use Apple DEP instead. Apple DEP can generally be used as a substitute to Apple Configurator when MDM is also being used. Apple DEP devices are ready out-of-the-box, eliminating the need for USB connections and extra touches. Referenced earlier, you can learn more about Apple DEP via this article. If you’d like to use DEP, apply for an account at deploy.apple.com.
If you aren’t already using MDM, manage your first five devices for free with a SimpleMDM account. If you have any questions, feel free to ask them in the comments section. We’re here to help!
Consider the diversity of mobile apps developed and distributed: free apps, buy-once apps, apps that allow in-app purchases, apps created by businesses for internal use, apps developed by contractors for their clients, and many more. It’s both understandable and fortunate that Apple has created an extensive number of programs to aid in iOS distribution of apps.
This article will mention all methods of currently distributing apps to iOS, whether distributing custom apps within the enterprise or apps for the public app store. Worth noting is that the different methods can be generally characterized by two qualities: how the app binary is delivered to a device and how the licensing is handled.
We provide an at-a-glance diagram of the different programs. Generally, one program (and one program only) will lend itself as the appropriate choice for your distribution needs.
| Method | Binary Distribution | Licensing |
|---|---|---|
| Ad Hoc | manual, TestFlight, or MDM | Developer must register the UDID of each device before it will install. |
| Enterprise | manual or MDM | Works on all devices within an organization without registration. Not permitted for use outside of an organization. |
| App Store | Public App Store | Works on all devices that have an Apple ID. |
| B2B VPP | MDM | Managed within VPP program. |
For details on each program, including the pros and cons, read on!
The most common way of distributing an app is by using the public app store. This method has a lot going for it. For one, your app becomes available to anyone with an iOS device and an Apple ID. Additionally, it’s easy to monetize your app by setting a price for purchase, utilizing in-app purchasing, or taking advantage of the iAd network.
While it helps ensure a good experience for customers of the app store, Apple’s app approval process is notoriously painful for app developers. The delay between when an app is submitted for review and when feedback is available can be long, especially for new app submissions (as opposed to updates). We’ve seen up to a month delay before receiving feedback for particularly involved apps. Subsequent responses can be additional days or weeks even. This website provides an estimate on the current wait time.
The app approval process makes sure that apps follow proper guidelines for the app store. There may be issues with an app, such as a bug or a security vulnerability that Apple will require you to patch. Your app may also have a behavior that, while not unsafe, Apple doesn’t like for one reason or another. You may have to change your app in ways you would prefer not to in order to get Apple’s blessing.
Distributing through the app store is a great choice if you need the visibility and availability that it provides. If this isn’t important to you, one of the other distribution options will be much less troublesome by avoiding the Apple app review process.
Apple provides the ad-hoc distribution method for developers that wish to share an app for a private beta or small temporary distribution. With ad-hoc deployment, the developer is responsible for delivering the app binary to each device, such as using email or a URL download. The binary will not work on just any device. A developer will need to add the UDID of each device and register the device in the Apple Member Center before iOS allows the binary to install to the device.
This is a good mechanism to use for intermediate stages of your app, such as a private beta or a temporary deployment situation. To use it, simply export your app from Xcode with the Ad Hoc Deployment option.
Enterprise distribution is an option that hasn’t always existed. It came out of the need for enterprises to build an app and internally distribute it to staff without dealing with the headache of registering all device UDIDs as you would need to with ad hoc deployment.
Enterprise deployment is when an app is signed and exported from Xcode in such a way that it can be installed on any device without registering the device or publishing the app to the app store. The company is responsible for the distribution of the app within their organization. As with Ad-Hoc distribution, this can be performed via email, a URL, or by using a Mobile Device Management (MDM) service, which allows a company to upload the binary and then send installation requests to MDM-enrolled devices remotely from a web administration console. SimpleMDM is a cloud MDM service that supports this.
Worth noting is that enterprise deployment is strictly for use by organizations creating their own apps for their own consumption. It is a violation of the Apple program to use enterprise-signed IPAs for app distribution to any devices outside of the organization.
That’s a mouthful! If you aren’t familiar with Apple’s Volume Purchase Program (VPP), this resource will help you understand it.
Enrolling in Apple VPP allows your business to essentially have its own private app store. From within the program, you can make internal app binaries available to any device that has joined the program. You can also share your apps with other businesses using VPP, and vice versa. There is an app approval process before an app can be made available in the VPP program, but it is much more flexible in what it will allow, since the apps won’t be available for general consumption.
Since Apple VPP is essentially a private store, app distribution is handled by the program itself. VPP is almost always used in conjunction with an MDM service, allowing a company to push VPP invitations and apps to devices from an administration console. SimpleMDM supports extensive app distribution and VPP functionality.
Once you’ve chosen a program to use, equally important is how the actual app deployment is planned. We highly recommend reading the article Install Apps Remotely to iPads and iPhones before deciding on a deployment methodology. There are seemingly small details that, when navigated appropriately, will make an otherwise painful experience quite painless and automated.
Questions about your deployment? Feel free to leave a comment. We’re happy to help!
Among a number of enhancements released with iOS 9.3, a security vulnerability discovered by the SimpleMDM team has also been patched.
The vulnerability CVE-2016-1766, discovered in October of last year, allowed an untrusted MDM profile to be considered as trusted. This permitted third parties to falsely identify themselves and appear as trusted by iOS. The vulnerability was rated CVSS 10, the highest vulnerability score possible based on impact and exploitability.
Upon identifying this vulnerability, we verified our service was not and would not be affected. We then followed responsible disclosure guidelines, which involves notifying appropriate parties of the issue privately and providing them time to patch the vulnerability.
We’re excited to share the latest iOS 9.3 enhancement in SimpleMDM: support for home screen layouts.
Home Screen Layouts allows you to uniformly organize app icons across a group of supervised iOS devices. A unified interface makes switching between devices easier as users can expect apps to be in the same location. Apps that aren’t used very often can be moved to latter pages, leaving only the important apps on the first page.
All native apps and all apps installed to devices using SimpleMDM can be organized. This includes built-in, app store, enterprise, and custom B2B apps.
Apps that have not been assigned a screen position and apps that have been installed on the device manually will appear after the assigned apps, on a separate screen.
Once a home screen layout has been applied, the app icon layout cannot be modified on the device itself. Your home screen layout will remain intact until you remove the configuration from SimpleMDM.
Sign in to your SimpleMDM account. On the “Configs” tab in the “Settings” section, add a home screen layout. When you are ready to assign it, simply edit any device group and select your home screen layout under the “Configurations” tab.
If you haven’t signed up yet, create an account instantly. SimpleMDM allows up to 5 enrolled devices for free, including all features.
This article described the Single App Lock feature for iOS when using SimpleMDM. If you don’t already have a SimpleMDM account, you can create one instantly. Your first five devices enrolled are free.
Single App Lock is a feature for supervised devices that restricts the device to running only one app. While Single App Lock is enabled, the selected app will stay in the foreground.
This feature includes a number of additional options, such as the ability to:
Single App Lock is enabled by the MDM administrator in the SimpleMDM interface. To enable Single App Mode, complete the following steps:
Once you compete these steps, your supervised devices will enter Single App Mode.
iOS allows some apps to provoke Single App Lock themselves, under certain scenarios. Apps need to have this functionality included in them, or if the app is developed internally, developers will need to add the functionality.
Since enabling Single App Mode is a powerful ability, an app needs to be given permission to do so. To give an app permission through MDM, complete the following steps in SimpleMDM:
If you don’t already have a SimpleMDM account, you can create one instantly. Your first five devices enrolled are free.
We added a number of functionalities to SimpleMDM that we’d like to share with you today.
MDM Lost Mode provides useful facilities if a device is lost or stolen. Lost mode allows you to remotely put a device in a special lock state- one that can only be unlocked via SimpleMDM. You can optionally specify a phone number that the device is allowed to dial, usually yourself, if the phone is found.
Lost Mode also includes the ability to ping a device for its location. The location feature is provided by iOS, meaning that the SimpleMDM app does not need to be installed for this function to work when Lost Mode is enabled. You can request a location update at any time from the SimpleMDM administrator interface.
In the event that a device cannot be recovered, SimpleMDM remote erase can be used to wipe all sensitive information from the device.
Lost Mode is available for all supervised devices running iOS 9.3 or newer. Lost Mode is not dependent upon an Apple ID. For companies enrolled in the Apple Volume Purchase Program (VPP) and using device-level app license assignment, this is a big win. Previously, an Apple ID was needed on each device in order to use the Apple iCloud Find My iPhone, iPad, or iPod touch service.
Lost mode can be enabled from the “Actions” drop down on the device details screen.
You can now directly add devices to app groups in SimpleMDM. This allows you to assign apps to a device independent of the device group a device belongs to.
The SimpleMDM API has been expanded to support per-device assignment management to app groups. The SimpleMDM ruby bindings have also been updated and are ready for use today.
Due to popular request, we’ve added a notes field to all devices in SimpleMDM. Use this field to track specifics about a device: asset information, maintenance notes, and more.
Access these new functionalities today by signing in to your account. If you would like to try SimpleMDM, create a new account in less than a minute. You can manage up to five devices for free.
Apple release iOS version 9.3.2 this afternoon. A notable fix for SimpleMDM customers is listed in the update notes:
“Fixes an issue that prevented MDM servers from installing Custom B2B apps”
Previously, iOS 9 had a bug that prevented Custom B2B VPP licenses from being assigned directly to devices using device-based license assignment. Devices would simply respond with a misleading “The iTunes Store ID of the application could not be validated” message.
As a workaround, MDM administrators were forced to use Apple ID User-based VPP assignment or redemption codes, the latter not being supported for devices and organizations in some countries. This bug affected all MDM solutions offering device-based VPP licensing support.
Want to try device-based VPP license assignment? Learn more about SimpleMDM or create a free account in less than a minute and enroll up to five devices for free.
We’ve received numerous inquiries asking how SimpleMDM can aide in achieving HIPAA and HITECH compliance. There isn’t a great deal of information available on how HIPAA and HITECH relate directly to mobile device management, so we’ve addressed the question here, for you!
HIPAA, which stands for the Health Insurance Portability and Accountability Act of 1996 has two purposes. First, it protects heath insurance coverage for workers and their families in the event that they change jobs or lose their employment. Second, it requires the establishment national standards for electronic health care transactions. The latter purpose, detailed under Title II of the act, creates requirements for the privacy and security of individually identifiable health care records as well as outlining the civil and criminal penalties for violations of these standards. This latter title applies to the discussion of this article.
HITECH, which stands for Heath Information Technology for Economic and Clinical Health Act was enacted to further promote the adoption and meaningful use of health information technology. It details the requirements for notification in the event of a data breach, how electronic health records can be accessed, and what agreements need to be in place between the associates of a business.
SimpleMDM aides your effort in being HIPAA compliant. Below we’ve outlined areas of concern for HIPAA compliance and the SimpleMDM functionality we suggest using.
SimpleMDM allows you to enforce passcode requirements on all devices. Require users to create a passcode that meets the complexity requirements of your company. Automatically lock devices after a specified duration of inactivity. Automatically self-destruct on-device data if it’s detected that someone is attempting a brute-force attach to break into a device.
Track the location of a device at any time using SimpleMDM’s location tracking feature. In the event that a device is lost, enable iOS Lost Mode which locks a device and enables OS-level location tracking without requiring an Apple ID. If a device cannot be found and/or recovered, optionally wipe the device data remotely.
Both iOS and installed apps can become outdated and contain security risks. Use SimpleMDM to track software versions of both iOS and the apps installed as well as update iOS and mobile apps remotely if they become outdated.
SimpleMDM’s inventory functionality also allows administrators to verify that encryption is enabled on devices, keeping data secure in the event that a device falls into the wrong hands.
SimpleMDM allows you to configure VPN connections as well as enforce a global HTTP proxy on devices. Using these technologies allows a company to encrypt the data transmissions that are occurring between devices and web services.
Using SimpleMDM, administrators can take advantage of Open In Management, which is an iOS feature that allows one to restrict documents in managed apps from being opened elsewhere on the device. If medical records are being used in one app, this feature can make it difficult for medical records to be opened in unauthorized apps or distributed in ways that are against policy.
If you already have a SimpleMDM account, just sign in. If not, it takes less than a minute to create an account. You can manage up to five devices for free. Click here to get started.
Alternatively, contact us if you would like to discuss your organization. We’re happy to help.
Supervision was introduced by Apple in iOS 5 as a special mode that gives a SimpleMDM administrator more control of a device than is typically permitted. Supervised mode is intended to be used on devices that are institutionally-owned. Whereas many companies use SimpleMDM to control devices owned by employees in a bring-your-own-device (BYOD) fashion, some companies own the devices themselves and necessitate control of the device which would otherwise be considered overbearing.
As of iOS 9.3, the following features are made available when a device is placed under supervision:
Additionally, you can block/disallow:
There are two ways that a device can be placed in supervision. The best method to use depends upon your deployment.
Note: Placing a device in supervision will result in the device being completely reset. All data and settings will be deleted. If you restore the data after switching to supervised mode, the device will reset to the mode (supervised or unsupervised) that the device was in during the backup. Apple does this presumably to prevent companies from supervising employee owned devices.
Apple Configurator is an OS X application. To supervise a device with Apple Configurator, you must have an OS X computer and USB cable available. Each device that is to be supervised will need to be connected to the computer. This is a good method if you have just a few devices to supervise, or, you can’t use the other method for some reason.
Apple has a program called the Device Enrollment Program (DEP) which is used to bootstrap brand new devices with a working configuration. For instance, DEP can be used to automatically enroll devices in SimpleMDM when they are first unboxed and turned on. It can also be used to place devices in Supervision mode automatically. This process is the way to go if your organization has a non-trivial number of devices that need to be placed under supervision.
More information on Apple DEP is available here: Explained: The Apple Device Enrollment Program
To configure DEP to supervise your new devices, complete the following steps from within SimpleMDM:
SimpleMDM will automatically update your DEP account so that all future devices are set to be supervised. Simply turn on any devices registered in your DEP account. During boot, they will communicate with Apple DEP and switch to supervised automatically.
The Apple Worldwide Developer Conference is happening this week and Apple has been gradually sharing product, platform, and service changes that we can expect to see in the coming months. Here’s what they’ve shared so far regarding mobile device management.
Keep in mind that iOS 9.3, released two months ago, included a tremendous number of MDM enhancements (read: iOS 9.3 MDM enhancements) relative to the typical iOS release. As a natural effect, iOS 10 is light on MDM changes.
CallKit API allows third party VoIP (Voice over Internet Protocol) apps to utilize the native iOS phone call interface, previously reserved for cellular carrier service only. Specifically, third party VoIP apps can present calls on the lock screen like a normal phone call would be presented, contribute to the recent call list, and include contacts on the favorites list. MDM will be able to specify the default VoIP app used for calls to enterprise-managed contacts and accounts.
CallKit API is a boon for organizations already using a VoIP capable phone system as it allows corporate telephone usage on iOS as a first-class service. Previously, VoIP apps were forced to operate on the same playing field as any notification-enabled mobile app.
Apple plans to deprecate some non-supervised restrictions at some point, though not immediately, in the iOS 10 series. The restrictions slated for deprecation are:
These restrictions will become available only for supervised devices.
If you’d like to watch a recording of the presentation at WWDC, a video is available.
We will keep you posted with any further details as they break.
SimpleMDM supports 2 factor authentication, allowing you to enable an extra layer of security for your SimpleMDM administrator account. Enabling two-factor authentication is easy and we recommend doing so if you haven’t already.
SimpleMDM now supports setting the lock screen and home screen wallpaper for supervised iOS devices. This feature is useful for organizations that wish to unify the look across a fleet of devices by setting a company logo or image to display.
Configuring the wallpaper setting is similar to configuring other shared settings.
Apple’s Device Enrollment Program (DEP) allows businesses to enroll new iOS and macOS devices in SimpleMDM automatically when they are turned on for the first time. This is a tremendous time saver for organizations as they can ship devices directly to their final destination, without requiring IT staff setup beforehand. More information on Apple DEP is available here: Explained: The Apple Device Enrollment Program.
Though DEP is traditionally reserved for new device purchases, in some cases it is possible to add devices that were purchased previously.
Whether an existing device is eligible for DEP enrollment or not depends upon how it was originally purchased. In the eyes of Apple, devices can be purchased one of two ways:
As a hard rule, only devices purchased through an Apple business account can be added to a DEP account. If, for instance, you walk into an Apple Store and buy an iPad as an individual, Apple will not be able to add that iPad to your DEP account. If, however, you purchased the iPad through an Apple business account that you set up, Apple will be able to add your device to your DEP account.
The answer gets a little tricker. As mentioned above, devices not purchased through an Apple business account aren’t eligible. The good news is that many equipment vendors purchase the devices themselves through their own Apple business account, meaning that any devices purchased through these vendors is potentially eligible. Examples may be:
In general, if a device was purchased directly from an Apple Store or the Apple website without a business account, you’re out of luck. If it was purchased otherwise, you may still be able to add your device to DEP.
At the moment, Apple must manually add your devices to your DEP account. Simply entering the device serial number within the DEP portal will not work. Apple is also able to help determine whether your devices are eligible for DEP. If you are unsure, it’s worth checking.
If you’d like to add your existing iOS or macOS devices to your DEP account that is linked to SimpleMDM, feel free to email us. We are happy to put you in touch with an Apple resource that can assist you.
If you haven’t had a chance to try SimpleMDM yet, create an account and enroll up to five devices for free.
