iOS 10.3 New MDM Features

It looks like an MDM provider, SimpleMDM, just released some new MDM features that they found in the iOS 10.3 beta. This is what they found so far:

  • Restart a device
  • Shut down a device
  • Download, but not install, an iOS update. (Supervised, DEP-enrolled devices only.)
  • Play a sound on the device while in MDM lost mode. (Supervised only)
  • Determine altitude, speed, and direction of travel while in lost mode. (Supervised only)
  • Force a device to only use the wireless networks that have been preconfigured on the MDM. (Supervised devices only.)
  • iOS 10.3 also includes the ability to restrict dictation controls.

The new Shut down and Restart commands are nice. These are actually the first security commands to be made available by Apple since the Unlock and Factory Reset commands, which have been available since the very beginning of iOS MDM. That said, I don’t see these commands being very useful for an enterprise. If a user loses their phone, the standard security procedure should be to send a remote wipe. I would say 99% of users already know how to shut down and restart their phone, so these commands aren’t really useful from a support perspective either. The only way I can see these features really being utilized is at a retail store, where kiosks or secured devices may be difficult to reboot. In those scenarios, these MDM commands will probably be a godsend.

Downloading but not installing an iOS update seems to be very useful for the type of companies that provide Wi-Fi to their users. This should let field techs or employees have the update available whenever they are ready to install it. This should also help from a support perspective, for companies that require users to be on the latest version of iOS.

It’s a shame that Apple still continues to keep the best commands available for Supervised devices only. Like I was telling a colleague the other day, it seems like Apple hasn’t really had a strong focus on supporting large enterprises yet. For large companies, putting tens of thousands of devices in Supervised mode will only be possible with the DEP program, but if the DEP program is not feasible, then supervised configurations are ruled out. In this case, that would be the new Wi-Fi restriction configuration, which is very interesting. I can see many companies restricting the Wi-Fi capability of devices to only allow the company Wi-Fi. This would make supporting the user experience a lot simpler (as long as the user is okay with not connecting to their home Wi-Fi). This would also be great for retail MDM devices, as most of those should only connect to one access point anyway.
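
The Wi-Fi restriction above has an operational catch: a locked-down device can only join networks that a profile installed. The following is an added example (not from the original post or from SimpleMDM) that builds a profile and lints it before deployment. It assumes the restriction is the `forceWiFiWhitelisting` key, and the dictation control the `allowDictation` key, of the Restrictions payload in Apple's configuration profile format; the SSIDs, identifiers and the rule that this profile is the only source of Wi-Fi payloads are constructed for illustration.

```python
import plistlib
import uuid

RESTRICTIONS = "com.apple.applicationaccess"   # Restrictions payload type
WIFI = "com.apple.wifi.managed"                # managed Wi-Fi payload type

def payload(ptype, ident, **settings):
    """Wrap settings in the common keys every profile payload carries."""
    return {"PayloadType": ptype, "PayloadVersion": 1,
            "PayloadIdentifier": ident,
            "PayloadUUID": str(uuid.uuid4()).upper(), **settings}

def build_profile(ssids, lock_wifi=True, allow_dictation=False):
    """Return .mobileconfig bytes (XML plist) for a supervised device."""
    content = [payload(WIFI, f"com.example.wifi.{i}", SSID_STR=ssid,
                       EncryptionType="WPA", AutoJoin=True)  # credentials omitted
               for i, ssid in enumerate(ssids)]
    content.append(payload(RESTRICTIONS, "com.example.restrictions",
                           forceWiFiWhitelisting=lock_wifi,
                           allowDictation=allow_dictation))
    profile = payload("Configuration", "com.example.profile",
                      PayloadDisplayName="Wi-Fi lockdown (constructed sample)",
                      PayloadContent=content)
    return plistlib.dumps(profile)

def lint_profile(data):
    """Return problems that should block deployment of this profile.

    Assumption: this profile is the only one supplying Wi-Fi payloads.
    """
    items = plistlib.loads(data).get("PayloadContent", [])
    ssids = [p.get("SSID_STR") for p in items if p.get("PayloadType") == WIFI]
    locked = any(p.get("forceWiFiWhitelisting") for p in items
                 if p.get("PayloadType") == RESTRICTIONS)
    problems = []
    if locked and not any(ssids):
        problems.append("forceWiFiWhitelisting set but no managed Wi-Fi payload")
    if len(set(ssids)) != len(ssids):
        problems.append("duplicate SSID in Wi-Fi payloads")
    return problems

if __name__ == "__main__":
    print(lint_profile(build_profile(["CorpNet"])))  # lockdown with a network
    print(lint_profile(build_profile([])))           # lockdown with no network
```

If the fleet receives its Wi-Fi payloads in a separate profile, run the lint over the combined set of profiles rather than over each one alone.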