By how much can you restrict an iPad using only MDM?

Why?

There may be a business case where an iPad must be locked down as much as possible. For example, users may only be using an iPad for one function, so how can we restrict it so that it can literally only be used for that single application? The problem is that we can only lock down a device as much as Apple allows us to.

There are two ways to lock down a device: supervised mode and regular MDM. This post will cover regular MDM, and what the users will see when we lock down their device as much as possible.

How

If a device is locked down via regular MDM, then it must be locked down using the standard MDM “Restrictions” configuration policy. There are many different options, but the ones to focus on are:

  1. Allow FaceTime
  2. Allow voice dialing
  3. Allow Siri
  4. Allow the Apple App Store
  5. Allow Safari
  6. Allow YouTube
  7. Content restrictions
  8. Allow Camera
  9. Allow screenshots and screen recording

For the purpose of locking down a device, we can go ahead and disable the first 7 options. We will allow camera and screenshots for functionality and troubleshooting purposes.
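The nine options above map onto keys in Apple's Restrictions payload (PayloadType com.apple.applicationaccess). The following is an added example, not code from the original post: it builds the lockdown profile as a .mobileconfig with Python's plistlib and then audits a profile to list which of the nine options are still allowed (a missing key leaves Apple's default of "allow", which is easy to overlook). The payload identifiers and display names are placeholders. Keys that would close the Messages loophole (allowChat) only take effect on supervised devices, so they are deliberately absent from this unsupervised profile.

```python
import plistlib
import uuid

# Apple's documented Restrictions keys for the nine options in the post.
# True/False values are the lockdown choices described above.
LOCKDOWN_KEYS = {
    "allowVideoConferencing": False,  # 1. Allow FaceTime
    "allowVoiceDialing": False,       # 2. Allow voice dialing
    "allowAssistant": False,          # 3. Allow Siri
    "allowAppInstallation": False,    # 4. Allow the Apple App Store
    "allowSafari": False,             # 5. Allow Safari
    "allowYouTube": False,            # 6. Allow YouTube (legacy key, pre-iOS 6 YouTube app)
    "allowExplicitContent": False,    # 7. Content restrictions (one of several rating keys)
    "allowCamera": True,              # 8. Allow Camera (kept for functionality)
    "allowScreenShot": True,          # 9. Allow screenshots/screen recording (kept)
}


def build_restrictions_profile() -> dict:
    """Return a configuration profile dict carrying one Restrictions payload."""
    restrictions = {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.restrictions.lockdown",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Restrictions (lockdown)",
        **LOCKDOWN_KEYS,
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile.lockdown",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "iPad lockdown (unsupervised MDM)",
        "PayloadContent": [restrictions],
    }


def to_mobileconfig(profile: dict) -> bytes:
    """Serialize the profile as an XML plist, the .mobileconfig format MDM pushes."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def still_allowed(mobileconfig: bytes) -> list:
    """Audit a .mobileconfig and return the lockdown options it leaves allowed."""
    profile = plistlib.loads(mobileconfig)
    merged = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.applicationaccess":
            merged.update(payload)
    # An absent key keeps the device default, which is "allow".
    return sorted(key for key in LOCKDOWN_KEYS if merged.get(key, True))


if __name__ == "__main__":
    data = to_mobileconfig(build_restrictions_profile())
    print(data.decode())
    print("still allowed:", still_allowed(data))
```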

Logic

When we lock down the Apple App Store and Safari, we are effectively eliminating almost all non-business options for the device. The user will be unable to download any app unless it is an in-house app provided by their company. They will be unable to browse websites, and will not be able to download any browsers unless it is provided through their company (through sideloading or an MDM app).

Loopholes

MDM does not allow the restriction of the Messages, Mail, or Settings application. Here are the possible loopholes for each app:
  • Mail: users can configure their own personal email.
  • Messages: users can configure their own personal iCloud account and message other iCloud users on the internet.
  • Settings: users can effectively factory reset the iPad and update the operating system version.

What will users see

As you can see, what users can do on the iPad now is fairly limited. Business apps can be pushed to the device using MDM or sideloaded.

Requirements

In order for the device to be locked down like this via MDM, there are some requirements:
  • Enrollment
    • The device must be enrolled into a mobile device management system.
    • For enrollment, the device must have a working internet connection.
  • Post-enrollment work
    • There are multiple apps that cannot be deleted by MDM. These apps must be deleted manually.
    • Once these apps are deleted, they cannot be downloaded again, because Apple App Store functionality has been removed.
    • Apps that should be deleted are:
      • Tips
      • Podcasts
      • Photo Booth
      • Find Friends
      • TV
      • Music
      • Files
      • Contacts
      • News
      • iBooks
      • Home

What is the Appleseed program?

Apple has a new program called the AppleSeed program. It’s actually publicly available already, but you won’t be able to see much unless you have been provided credentials. It is an invite-only program that seems to be only for Apple enterprise partners and customers. It is different from the Apple Development Portal and the Apple Beta Software Program.

I recently got invited to the program to test out some new features that are coming out. The very first thing that they make you do is sign a confidentiality agreement, so I won’t be giving out any details here. But the purpose of this portal is very interesting: Apple wants feedback and recommendations from its customers.

Apple has historically been known to ignore feedback and requests for improvement from customers. Even if you pay $25,000 for their enterprise support, it usually ends up being not useful from a technical standpoint (but very useful from a CYA standpoint). Hopefully this is an earnest attempt from Apple to improve its relationship with its enterprise customers. It is definitely an interesting first step!