By how much can you restrict an iPad using only MDM?

MDM, Technology

Why?

There may be a business case where an iPad must be locked down as much as possible. For example, users may only be using an iPad for one function, so how can we restrict it so that it can literally only be used for that single application? The problem is that we can only lock down a device as much as Apple allows us to.

There are two ways to lock down a device: supervised mode and regular MDM. This post will cover regular MDM, and what the users will see when we lock down their device as much as possible.

How

​If a device is locked down via regular MDM, then it must be locked down using the standard MDM “Restrictions” configuration policy. There are many different options, but the ones to focus on are:

  1. Allow Facetime
  2. Allow voice dialing
  3. Allow Siri
  4. Allow the Apple App Store
  5. Allow Safari
  6. Allow Youtube
  7. Content restrictions
  8. Allow Camera
  9. Allow screenshots and screen recording
For the purpose of locking down a device, we can go ahead and disable the first 7 options. We will allow camera and screenshots for functionality and troubleshooting purposes.

Logic

When we lock down the Apple App Store and Safari, we are effectively eliminating almost all non-business options for the device. The user will be unable to download any app unless it is an in-house app provided by their company. They will be unable to browse websites, and will not be able to download any browsers unless it is provided through their company (through sideloading or an MDM app).

Loopholes

MDM does not allow the restriction of the Messages, Mail, or Settings application. Here are possible loopholes of each app:
  • Mail: users can configure their own personal email.
  • Messages: users can configure their own personal iCloud account and message other iCloud users on the internet.
  • Settings: users can effectively factory reset the iPad and update the operating system version.

What will users see

As you can see, what users can do on the iPad now is fairly limited. Business apps can be pushed to the device using MDM or sideloaded.

Requirements

In order for the device to be locked down like this via MDM, there are some requirements:
  • Enrollment
    • The device must be enrolled into a mobile device management system.
    • For enrollment, the device must have a working internet connection.
  • Post-enrollment work
    • There are multiple apps that cannot be deleted by MDM. These apps must be deleted manually.
    • Once these apps are deleted, they will not be able to be downloaded again because the Apple App Store functionality has been removed.
    • Apps that should be deleted are:
      • Tips
      • Podcasts
      • Photo Booth
      • Find Friends
      • TV
      • Music
      • Files
      • Contacts
      • News
      • iBooks
      • Home

Leave a Reply

Your email address will not be published. Required fields are marked *