iOS 10 MDM Deployment Reference p1

ios10

Looks like Apple documentation got released for iOS 10 MDM. It’s a high level document that covers the basic updates to the iOS 10 deployment scenarios. There are some interesting new features covered:

  • Wi-fi optimization when an iOS device connects to a Cisco network : This is pretty cool if the company is using a Cisco network.
  • Calendar invites can now be forwarded officially using the mail app : This one is hilarious! I’ve seen many users have this problem since 2012. I even bought a third-party app to get around this problem! Funny to see this finally get fixed, over four years later.
  • Exchange can now wipe just the specific Exchange data instead of the entire device : This one is interesting. What sucks is that this feature is not available to MDM admins, only Exchange admins. I wonder how Exchange is supposed to utilize this though? Maybe powershell command?
  • MDM can force the device to stay in “Setup Assistant” until it is fully configured : What! Hopefully I can try this out asap. Tons of users that fiddle around when the device is not fully configured actually mess up their own provisioning. This upgrade is genius if it works for non-supervised devices.
    • Update: Sigh, only works with DEP or School Manager. Link.
  • App management updates can block or allow apps : This is very interesting…theoretically maybe we can block users from installing stuff like Angry Birds maybe?
l0004_howmdmworks_ios
Barebones MDM diagram

Some other things I noticed from the documentation:

  • As always, supervised mode is far superior when it comes to administrative control.
  • Apple, on top of allowing Mac OS MDM, now has a new program called “Apple School Manager” mainly for enrolling school devices into MDM. I’m not exactly sure how this is different from enterprise MDM. A lot of the documentation seems very “education” focused now. There doesn’t seem to be any difference except for the name, but I’ll be looking more into this.
  • According to the doc, there are 11 SSL VPN apps supported by Apple (Pulse Secure, AirWatch, MobileIron, etc). I wonder if there are more that are not officially supported, or if you must be supported in order for your VPN solution to work on iOS?
  • Per App VPN can make it so that only certain apps kick off the VPN, or even have different VPNs being used by different apps. This is cool for companies that don’t want to use certificate authentication. If you do use certificate authentication, then VPN On-Demand is way better, in my opinion. You can configure specific domains to auto-start VPN. That’s how I’ve always done it in the past.
  • I thought this tidbit was funny. I still don’t really understand why Apple won’t give enterprises full control over their own devices. I’m guessing some financial benefit to Apple:

    In most cases, users decide whether or not to enroll in MDM, and they can disassociate their devices from MDM at any time. Therefore, you should consider incentives for users to remain managed.

  • There is actually a way to force the config payload to never be removed. However, it requires DEP. It doesn’t say outright, but I believe they will put the device in supervised mode in order to do this.
  • MDM still does not allow admins to see browser history, call logs, personal mail, photos, etc. Apple wants to make sure that user experience comes first always, over enterprise security.
  • For a lot of MDM control features, Apple still won’t let you “force” users to turn settings on. You can only force users to turn settings off, for example Location Services. Also, the document doesn’t make clear which settings require supervised mode. Apple lists a bunch of MDM commands, but some I know for sure require supervised mode.
  • Lost Mode: So a while back, Apple made it so that MDMs can display messages and phone numbers on a Lock Screen. Looks like there is one step further called “Lost Mode,” but it only works on supervised devices. In Lost Mode, you can not only display a phone number and message on the lock screen, but also constantly ping the location of the device. The user also gets notified about the Lost Mode status of the device (not sure how, possibly iCloud email).
  • Activation Lock capabilities
    • For a supervised device, you can enable Activation Lock on a device remotely through MDM, even if iCloud is not signed in. You will have to set up a MDM bypass code.
    • The document doesn’t say, but I believe MDMs can also remove activation lock from supervised devices with a MDM bypass code.
  • Config payloads can still only be installed in one of three ways: through USB (with Configurator), wirelessly using OTA (web portal), or via MDM solution (MDM app).
  • If you use DEP (or School Manager), you can keep users within Setup Assistant until the device is fully configured.
  • You can prevent the config payload from being removed if you use DEP or Apple School manager.

Useful factoids:

  • Mail, Contacts, Calendars is split into each of their own separate categories in iOS 10.
  • 5 GHz don’t share frequencies with things like mobile phones or microwaves, but they also don’t penetrate walls as well as 2.4 GHz.
  • For 2.4 GHz channels, the designated 1, 6, and 11 channels do not overlap.
  • Apple’s APNS network is 17.0.0./8. Port 5223 for mobile devices, and 2915/2196 for servers.
  • Bonjour is Apple’s network protocol used to discover services on the same network, like Airplay or Airprint.
  • “Data Protection” is a feature of iOS that adds additional encryption to data on the device, but requires that a passcode be set.
  • Encryption is always enabled, and cannot be disabled on iOS. Uses 256-bit AES.
  • iOS MDM by design cannot see browser history, phone logs, reminders, notes, app use, or text messages.