Category Archives: iPhone
Apple began rolling out new features with the new Volume Purchasing Program (VPP) this week. There are lots of good things to know, here. First, the old way should still work. You’re not losing the stuff you already invested in such as Configurator with those codes you might have used last year with supervision. However, you will need an MDM solution (Profile Manager, Casper, Absolute, FileWave, etc) to use the new tools. Also, the new token options are for one to one (1:1) environments. This isn’t for multi-tenant environments. You can only use these codes and options for iOS 7 and OS X 10.9 and above.
But this article isn’t about the fine print details of the new VPP. Instead, this article is about making Profile Manager work with your new VPP token. To get started, log into your VPP account. Once logged in, click on your account email address and then select Account Summary.
Then, click on the Download Token link and your token will be downloaded to your ~/Downloads (or wherever you download stuff).
Once you have your token, open the Server app and click on the Profile Manager service.
The rest of the configuration of Profile Manager is covered in the article I did earlier on Profile Manager 3.
Note: The account used to configure the VPP information is not tracked in any serveradmin settings.
Apple Configurator 1.4.1 is now out, to complement iOS 7.0.3 and OS X 10.9 Mavericks. Configurator 1.4.1 is available from the Updates tab of the Mac App Store and requires OS X Mountain Lion or later, as well as iTunes 11.1 or later.
What’s new in Configurator 1.4.1
• Options to configure which Setup Assistant steps display during device setup
• Fixes an application quitting issue that could occur when saving a profile with invalid options
• No longer removes Mobile device management (MDM) enrollment profile from a supervised device when refreshing it
• Fixes creation of Font profiles for iOS 7
• Renames the Supervision Profile which appears on devices to Configurator Trust Certificate. For more information, see this article.
Profile Manager first appeared in OS X Lion Server as the Apple-provided tool for managing Apple devices, including Mobile Device Management (MDM) for iOS based devices as well as Profile management for OS X based computers, including MacBooks, MacBook Airs, Mac Minis, Mac Pros and iMacs running Mac OS X 10.7 and up. In OS X Mountain Lion, Apple added a number of new features to Profile Manager and revved the software to Profile Manager 2.0, most notably adding the ability to push certain types of apps to mobile devices. In Mavericks Server (Server 3), Apple provides new options and streamlines a bunch of things, most notably App Store and VPP integration. But we can talk about this stuff all day long, instead let’s just show ya’!
Preparing For Profile Manager
Before we get started, let’s prep the system for the service. This starts with configuring a static IP address and properly configuring a host name for the server. In this example, the IP address will be 192.168.210.135 and the hostname will be mlserver3.pretendco.com. We’ll also be using a self-signed certificate, although it’s easy enough to generate a CSR and install it ahead of time. For the purposes of this example, we have installed Server from the App Store (and done nothing else with Server except open it the first time so it downloads all of its components from the web) and configured the static IP address using the Network System Preferences. Next, we’ll set the hostname using scutil.
sudo scutil --set HostName mavserver.pretendco.lan
Then the ComputerName:
sudo scutil --set ComputerName mavserver.pretendco.lan
And finally, the LocalHostName:
sudo scutil --set LocalHostName mdm
Now check changeip:
sudo changeip -checkhostname
The changeip command should output something similar to the following:
Primary address = 192.168.210.201
Current HostName = mavserver.pretendco.lan
DNS HostName = mavserver.pretendco.lan
The names match. There is nothing to change.
dirserv:success = "success"
If you don’t see the success and that the names match, you might have some DNS work to do next, according to whether you will be hosting DNS on this server as well. If you will be hosting your own DNS on the Profile Manager server, then the server’s DNS setting should be set to the IP address of the Server. To manage DNS, start the DNS service and configure as shown in the DNS article I did previously:
Provided your DNS is configured properly then changeip should work. If you’re hosting DNS on an Active Directory integrated DNS server or some other box then just make sure you have a forward and reverse record for the hostname/IP in question.
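The hostname and DNS checks above, as an added example that is not part of the original post: a small shell pre-flight that parses changeip -checkhostname output and confirms that forward and reverse DNS agree. The sample text is constructed from the output format shown above; the function names, exit codes and the --live switch are assumptions of this example.

```sh
#!/bin/sh
# Added example (not from the original post): pre-flight checks to run before
# configuring Profile Manager. Function names and exit codes are this
# example's own choices.

# Constructed sample: the healthy output shown in the article.
SAMPLE_OK='Primary address = 192.168.210.201
Current HostName = mavserver.pretendco.lan
DNS HostName = mavserver.pretendco.lan
The names match. There is nothing to change.
dirserv:success = "success"'

# Constructed mismatch; the wording changeip really prints on failure may differ.
SAMPLE_BAD='Primary address = 192.168.210.201
Current HostName = mavserver.pretendco.lan
DNS HostName = mavserver.local'

# check_changeip: reads `sudo changeip -checkhostname` output on stdin.
# Returns 0 if Current HostName equals DNS HostName and dirserv reports
# success, 1 on a mismatch or a missing success line, 2 if the hostname
# lines are absent (command failed or its format changed).
check_changeip() {
    awk -F' *= *' '
        { sub(/[ \t\r]+$/, "") }                 # drop trailing whitespace
        /^Current HostName/ { cur = tolower($2) }
        /^DNS HostName/     { dns = tolower($2) }
        /^dirserv:success/  { ok = ($2 == "\"success\"") }
        END {
            if (cur == "" || dns == "") exit 2
            if (cur != dns || !ok) exit 1
        }'
}

# forward_ip: reads `host NAME` output on stdin, prints the first A record.
forward_ip() {
    awk '/ has address / { print $NF; exit }'
}

# reverse_name: reads `host IP` output on stdin, prints the PTR target,
# lower-cased and without the trailing dot.
reverse_name() {
    awk '/ domain name pointer / {
        n = tolower($NF); sub(/\.$/, "", n); print n; exit
    }'
}

# dns_roundtrip NAME: live check that NAME -> IP -> NAME (needs a resolver).
dns_roundtrip() {
    ip=$(host "$1" | forward_ip)
    [ -n "$ip" ] || { echo "no forward (A) record for $1"; return 1; }
    back=$(host "$ip" | reverse_name)
    [ "$back" = "$(printf '%s' "$1" | tr 'A-Z' 'a-z')" ] ||
        { echo "reverse record for $ip is '${back:-missing}', expected $1"; return 1; }
}

# Run against the real server only when asked to: ./preflight.sh --live
if [ "${1:-}" = "--live" ]; then
    name=$(scutil --get HostName) || exit 2
    dns_roundtrip "$name" && sudo changeip -checkhostname | check_changeip
    exit $?
fi
```

Without --live the script only defines the functions, so they can be tried against saved command output first.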
Profile Manager is built atop the web service, APNS and Open Directory. Next, click on the Web service and just hit start. While not required for Profile Manager to function, it can be helpful. We’re not going to configure anything else with this service in this article so as not to accidentally break Profile Manager. Do not click on anything while waiting for the service to start. While the indicator light can go away early, note that the Web service isn’t fully started until the path to the default websites is shown (the correct entry, as seen here, should be /Library/Server/Web/Data/Sites/Default) and a View Server Website link is shown at the bottom of the screen. If you touch anything too early then you’re gonna’ mess something up, so while I know it’s difficult to do so, be patient (honestly, it takes less than a minute, wait for it, wait for it, there!).
Setting Up Profile Manager
Provided the Welcome to OS X Server page loads, click on the Profile Manager service. Here, click on the Configure button.
Assuming the computer is not yet an Open Directory master or Replica, and assuming you wish to setup a new Open Directory Master, click on Create a new Open Directory domain at the Configure Network Users and Groups screen.
Then click on Next. At the Directory Administrator screen, provide the username and password you’d like the Open Directory administrative account to have (note, this is going to be an Open Directory Master, so this example diradmin account will be used to authenticate to Workgroup Manager if we want to make changes to the Open Directory users, groups, computers or computer groups from there). Once you’re done entering the correct information, click Next.
At the Organization Information screen, enter your information (e.g. name of Organization and administrator’s email address). Keep in mind that this information will be in your certificate (and your CSR if you submit that for a non-self-signed certificate) that is used to protect both Profile Manager and Open Directory communications. Click Next.
At the Confirm Settings screen, make sure the information that will be used to configure Open Directory is setup correctly. Then click Set Up (as I’ve put a nifty red circle next to – although it probably doesn’t help you find it if it’s the only button, right?).
This can be the certificate provided when Open Directory is initially configured, which is self-signed, or you can select a certificate that you have installed using a CSR from a 3rd party provider. At this point, if you’re using a 3rd party Code Signing certificate you will want to have installed it as well. Choose a certificate from the Certificate: drop-down list and then click on Next.
If using a self-signed certificate you will be prompted that the certificate isn’t signed by a 3rd party. Click Next if this is satisfactory.
You will then be prompted to enter the credentials for an Apple Push Notification Service (APNS) certificate. This can be any valid AppleID. It is best to use an institutional AppleID (e.g. firstname.lastname@example.org) rather than a private one (e.g. email@example.com). Once you have entered a valid AppleID username and password, click Next.
Unless you’re using a 3rd party certificate there should only be one certificate in the list. Choose it and then click on OK. If you are using a 3rd party certificate then you can import it here, using the Import… selection.
One of the upgrades in Profile Manager 2.2 is the ability to distribute objects from the App Store Volume Purchase Program through Profile Manager. To use this option, first sign up on the VPP site. Once done, you will receive a token file. Using the token file, check the box for “Distribute apps and books from the Volume Purchase Program” and then use the Choose button to select the token file.
Once started, click on the Open Profile Manager link and the login page opens. Administrators can login to Profile Manager to setup profiles and manage devices. The URL for this (for mavserver.pretendco.lan) is https://mavserver.pretendco.lan/profilemanager. Use the Everyone profile to automatically configure profiles for services installed on the server if you want them deployed to all users. Use custom created profiles for everything else.
Enrolling Into Profile Manager
To enroll devices for management, use the URL https://mavserver.pretendco.lan/MyDevices (replacing the hostname with your own). Click on the Profiles tab to bring up a list of profiles that can be installed manually.
You can then wipe or lock the device from the My Devices portal. Management profiles from the MDM server are then used. Devices can opt out from management at any time. If you’re looking for more information on moving Managed Preferences (MCX) from Open Directory to a profile-based policy management environment, review this article and note that there are new options in dscl for removing all managed preferences and working with profiles in Mavericks (10.9).
If there are any problems when you’re first getting started, an option is always to run the wipeDB.sh script that resets the Profile Manager (aka, devicemgr) database. This can be done by running the following command:
Automating Enrollment & Random Management Tips
The two profiles needed to setup a client on the server are accessible from the web interface of the Server app. Saving these two profiles to a Mac OS X computer then allows you to automatically enroll devices into Profile Manager using Apple Configurator, as shown in this previous article.
When setting up profiles, note that the username and other objects that are dynamically populated can be replaced through a form of variable expansion using payload variables in Profile Manager. For more on doing so, see this article.
Note: As the database hasn’t really changed, see this article for more information on backing up and reindexing the Profile Manager database.
Once you’ve got devices enrolled, those devices can easily be managed from a central location. The first thing we’re going to do is force a passcode on a device. Click on Devices in the Profile Manager sidebar.
Here, you can configure a number of settings on devices. There are sections for iOS specific devices, OS X specific settings and those applicable to both platforms. Let’s configure a passcode requirement for an iPad.
At the Passcode settings, let’s check the box for Allow simple value and then set the Minimum Passcode Length to 4. I find that with iOS, 4 characters is usually enough as it’ll wipe far before someone can brute force that. Click OK to commit the changes.
Once configured, click Save. At the “Save Changes?” screen, click Save. The device then prompts you to set a passcode a few moments later (screens look the same in iOS 7 pretty much).
The next thing we’re going to do is push an app. To do so, first find an app in your library that you want to push out. Right-click (or control-click) on the app and click on Show in Finder. You can install an Enterprise App from your library or browse to it using the VPP program if the app is on the store. Before you start configuring apps, click on the Apps entry in the Profile Manager sidebar.
At the Apps screen, use the Enterprise App entry to select an app or use the Volume Purchase Program button to open the VPP and purchase an app. Then, from the https://<SERVERNAME>/profilemanager portal, click on an object to manage (in this case it’s a group called Replicants) and click on the Apps tab.
From the Apps tab, click on the plus sign icon (“+”). At the Add Apps screen, choose the app added earlier and then authenticate if needed, ultimately selecting the app. The app is then uploaded and displayed in the list. Click Add to add to the selected group. Then, click on Done. Then click on Save… and an App Installation dialog will appear on the iOS device you’re pushing the app to.
At the App Installation screen on the iPad, click on the Install button and the app will instantly be copied to the last screen of apps on the device. Tap on the app to open it and verify it works. Assuming it does open then it’s safe to assume that you’ve run the App Store app logged in as a user who happens to own the app. You can sign out of the App Store and the app will still open. However, you won’t be able to update the app as can be seen here.
Note: If you push an app to a device and the user taps on the app and the screen goes black then make sure the app is owned by the AppleID signed into the device. If it is, have the user open App Store and update any other app and see if the app then opens.
Finally, let’s wipe a device. From the Profile Manager web interface, click on a device and then from the cog wheel icon at the bottom of the screen, select wipe.
At the Wipe screen, click on the device and then click Wipe. When prompted, click on the Wipe button again, entering a passcode to be used to unlock the device if possible. The iPad then says Resetting iPad and just like that, the technical walkthrough is over.
Note: For fun, you can use the MyDevices portal to wipe your iPad from the iPad itself.
So where are all these new features that justify a new version number? To quote Apple’s Profile Manager 2 page:
Profile Manager simplifies deploying, configuring, and managing them all. It’s one place where you control everything: You can create profiles to set up user accounts for mail, calendar, contacts, and messages; configure system settings; enforce restrictions; set PIN and password policies; and more. Because it’s integrated with the Apple Push Notification service, Profile Manager can send out updated configurations over the air, automatically. And it includes web-based administration, so you can manage your server from any modern web browser. Profile Manager even gives users access to a self-service web portal where they can download and install new configuration profiles, as well as clear passcodes and remotely lock or wipe their Mac, iPhone, or iPad if it’s lost or stolen.
Wait, it did that before… Which isn’t to say that for the money, Profile Manager isn’t an awesome tool. Apps such as Casper MDM, AirWatch, Zenprise, MaaS360, etc all have far more options, but aren’t as easy to install, nor do they come at such a low price point. Profile Manager is a great option if all of the tasks you need to perform are available within the tool. If not, then it’s worth a look, if only as a means to learn more about the third party tools you’ll ultimately end up using. One thing I can say for it is that Profile Manager is a little faster and seems much more stable (in fact, Apple has now published scalability numbers, which they have rarely done in the past). You can also implement newer features with it, including Gatekeeper and Messages.
I’m honored that the good people at AFP548 decided to have me in the second episode of their podcast. Thanks to all the people (@sacrilicious @bruienne etc) involved and hopefully you enjoy it! It’s available at http://www.afp548.com/2013/10/16/episode-two-eco-sphere
When Apple showed off the latest and greatest options for managing and tracking iOS devices remotely using iCloud accounts, many an Enterprise and School District said “wait, what?” The reason is that if an iOS device is running Find My iPhone and a device is stolen the device cannot be activated again without logging into the iCloud account that Find My iPhone was installed with. This could represent an issue if an employee is fired or if students turn in their iPads after a year of running Find My iPad. Imagine asking an employee you just fired or a student you just expelled to enter their iCloud password so you can wipe the device and hand it to the next person waiting for one.
This was a hot topic amongst those with large iOS deployments, and at first I didn’t have much to say about it as I was waiting for all the pieces to fall into place. Then came along the latest MDM patches and Apple Configurator 1.4, along with iOS 7.0.2 (11A501). Now there are some options.
The first option is to run all of your devices in Supervised Mode using a system running Apple Configurator 1.4. This option needs to be done proactively, because once Find My iPhone is enabled, you cannot use a device with Configurator.
Supervising a device requires wiping the device, so moving to a supervised model will require some planning. However, if you enable Supervision and then enable Find My iPhone then you can unsupervise a device, which also wipes the device. Let’s try that now.
First, we’ll prepare a very simple supervised environment. Open Apple Configurator, create a backup of an empty device, move the Supervision slider to ON and then click Prepare.
Plug in a device that you don’t mind wiping and the device will reformat, restore and be supervised. Next, let’s look at enabling Find My iPhone/iPad so you can test these things properly. To get started, open the Settings app and tap on Privacy.
At the Privacy screen, tap on Find My iPad.
At the Find My iPad screen, tap the slider for Find My iPad.
If prompted, provide Apple ID information and then tap the OK button to enable Find My iPad.
You can also tap on the slider again, even with an Apple ID installed, to disable the feature. When you disable, you’ll get an email indicating that you did so.
For the purposes of this example, let’s leave Find My iPad on and then let’s plug the device back into our Apple Configurator host. Click on the Supervise tab from Apple Configurator and you’ll notice that the device is shown. Right-click on the device and click Unsupervise…
When prompted that the device will be wiped, click Unsupervise Device again. The device wipes and then comes back up to a standard activation screen, activating as it should. To prove that the device can’t be supervised when Find My iPad is enabled, enable Find My iPad and then plug it into your Apple Configurator host. When you click Prepare, the device won’t register within the application. Next, still with Find My iPad enabled, log into your iCloud account, click Find My iPhone, click on your device and then click on Erase iPad. You’ll be prompted to Erase. The iPad then erases. This is how Find My iPad works.
Enable Location Services again. Then turn off the iPad. While powered off, press and hold the Home button. Then connect the USB cable from a computer running iTunes to the iPad. Hold the Home button while booting up until the Connect to iTunes screen appears.
Open iTunes to see the iPad in recovery mode. iTunes then prompts and restores the iPad.
Once restored, you will be prompted that the iPad will restart.
During the setup process, the device then prompts for activation. You cannot activate the device without providing a username and password.
We wiped with iTunes, but no matter how you wipe, the outcome is consistent. But if you put a device into “Lost Mode” while Supervised and then unsupervise, the device is wiped and will setup as normal, exiting Lost Mode. If you remotely wipe a device while Supervised, the device starts normally and can be supervised again or setup again from scratch. This seems to mean that when a device is being Supervised, while Find My iPad can wipe or lock the device, it’s simple to bypass, whether or not the device will be Supervised again. That’s a very smart way to build that type of interaction on Apple’s part.
We’ve looked at enabling, what Configurator does when enabling, how you can bypass using Configurator, etc. A few key points that might not be clear:
- Provided you have proof of purchase (e.g. a receipt) then you can always unlock an iOS device with Apple. For the foreseeable future it might take a while but I’d anticipate that eventually someone at the Genius Bar of an Apple retail store would be able to fix this situation.
- In order to use Supervise mode, you must first disable Find My iPhone, meaning if you’re architecting a solution and you have existing data on devices, you must accommodate for backing up and restoring the data on those devices before moving into this type of scenario.
- Even if you’re using Supervise mode, if you wipe a device from Find My iPad the device will require the iCloud password to unlock it. This means you’d likely want to unsupervise a device rather quickly.
- I used to shy away from Supervised mode because it was pretty cumbersome. iTunes and iPhoto now work with supervision and if restoring and enrolling into an MDM provider you can really streamline the setup process using supervision as you don’t have to incessantly tap Accept.
- Location Services is a feature that has been query-able via the MDM API for some time. There are options for Location Services in most MDM providers. We could trigger emails based on the status of this field using standard MDM solutions, such as Casper MDM, FileWave, etc (FYI this link might not be up for another day, just future proofing it).
- Seems as though all of this can change in a point release, so YMMV.
Overall, I think that the Find My iPad stuff is great. It seems to me as though using Supervised mode in conjunction with Find My iPhone is a way to keep the data at rest on a device safe provided you don’t really care about getting a device back. While no one likes losing a device and having to purchase a new one, it could be worse. So now there’s an option, use Supervised Mode and basically undo everything Apple did when they built this new model or don’t and allow an employee to basically trash a device until you can get written info to Apple that you own the device. It’s great and innovative and we have a few ways to work around it if we need to. In a BYOD scenario it’s a non-issue. In a corporate or institution owned scenario it’s manageable according to which model works best for your sensibilities.
Most of my readers have already upgraded from iOS 6 to iOS 7. But, you might need to write some technical documentation on how to do so for your end users. If you find yourself in such a situation, you can just cut-copy-paste this article into your own documentation.
First, back up the device. When I did this upgrade I was flying without a net and didn’t bother to back the device I was upgrading up. Having said that, I also don’t keep any data on my device, so I would strongly recommend backing up before you do your upgrade if you do have content you want to make sure you preserve. The upgrade doesn’t erase your data; however, whenever you’re doing a major update, it’s a good idea to back up (it’s also a good idea to back up when you’re not doing a major update). If you need to back up, check out this article on manually backing up with iTunes.
Most will also want to go ahead and update to iTunes 11.1. This will allow the device to work once it’s been upgraded.
Finally, before you get started, connect your device to a power source as you wouldn’t want the device to possibly die due to a power failure in the middle of running the update.
Once you’ve backed up, open the Settings app on the device.
From within the Settings app, tap on General to open the General pane of the Settings app.
From the General pane of the Settings app, tap on Software Update.
From the Software Update screen tap on Download and Install to start the installation, or let’s tap on Learn More to see what’s in the update.
At the Learn More screen, you’ll see the release note for the software. This is a major OS update, so there are pages and pages of notes about what this update is for. Provided you’re happy with these updates, tap on Software Update at the top of the screen to go back to the Software Update screen and tap on Download and Install to begin the installation process.
From the Terms and Conditions page, tap on Agree to accept the license agreement (obviously provided that you do) and the update will run. This is going to take a while. You can use the device while the update is running (it will even keep the state of Safari browsing once restarted).
The device will restart automatically once updated.
Now that you’re done with the upgrade, go ahead and back the device up again in iTunes and start exploring some of the awesome new features.
Note for Apple Configurator users, in order to get the power of iOS 7 you’ll need to update to Apple Configurator 1.4, available on the App store as of today. The release notes for it:
Did you know that you can ask Apple Configurator to give you a lot more logs than it does by default? Holy crap. Makes life so much simpler when you’re having problems, to actually get real logs. And then there’s that… To get more logs, close Apple Configurator and then write ALL into the LogLevel key in com.apple.configurator:
defaults write com.apple.configurator LogLevel ALL
Re-open Apple Configurator and you’re golden. Then, have some problems and be so happy to get some logs, viewable in Console.
Recently I woke up and my daughter was sitting on me watching something on the iPad. As I woke ever so slightly I realized that she was watching Transformers the movie on Netflix. I’m not typically a helicopter dad, hovering over her every move, but I did realize amidst the explosions that ya’, I might want to take some of the things I learned writing the book on locking these things down and put a few very basic measures in place to keep her from seeing something she shouldn’t. After all, she’s gotten about as good at navigating around the thing as I am (and these days she’s getting pretty acclimated with iOS 7).
So let’s look at some basic precautions that parents can take to keep their kids sandboxed into just the material they feel confident with. For starters, the built-in security precautions. These are basically all in the Security app and each comes with repercussions that I’ll go into with each step, so you can decide for yourself if you actually give a crap about them.
The nuclear option is to enable a passcode so the child can only use the device when supervised. I did not do this myself for the home iPad for a variety of reasons: sometimes she locks the device while I’m driving, sometimes she wants to use the device when she wakes up at 6am after I was up hacking stuff ’till 4am and well, because I want the device to be as much hers as mine. So I don’t want to enable a passcode that she does not know, but you might.
To set a passcode, open the Settings app from the home screen and tap on General in the Settings sidebar (or to not setup a passcode, skip to the next section).
Or to lock the screen when the iOS device goes to sleep, tap Passcode Lock.
If you’re going to enable a passcode, at the Passcode Lock screen, tap on Turn Passcode On and when prompted provide the passcode.
Once you’ve enabled a passcode it’s worth noting that if the passcode is entered improperly too many times the device will be wiped. However, it’s now encrypted and meets certain policy restrictions (e.g. if you use it with an Exchange server at work as well).
Restrictions allow you to disable various features of iOS, including Safari, the Camera, FaceTime, iTunes, iBookstore, App Store, App deletion, Siri and even using explicit language with poor Siri. Additionally, you can control what kind of media can be purchased on the iTunes store. To get started, tap on Restrictions in the General app.
Here, you will see that pretty much everything is allowed by default. You have the option to disable very specific items.
When you enable Restrictions you will be prompted for a Passcode, which can be used to override or disable the restrictions at a later date. This, clearly, you wouldn’t want to share with the child.
Tap Enable Restrictions and note that we’re going to go ahead and enable a few and then postpone a couple of others until the end of the article because they will keep us from completing steps we want to complete later. The restrictions many will want to enable (which disables the feature):
- Safari: It’s not that we don’t want the kids using the web, we just want them to use a specific web browser we give them that doesn’t allow them to screw around.
- Explicit Language: The kids shouldn’t be able to tell Siri to use bad words, and trust me, they will if you don’t disable this.
- Deleting Apps: This is more for us. Kids figure out how to do the wackiest things by accident. Including how to delete their favorite Angry Birds app and then crying for you to reinstall it (since later in this article we’re disabling the ability to install apps).
- Music & Podcasts: Move to the Off position to block the device from playing content that is marked as Explicit.
- Movies: I chose to uncheck all but G and PG. You may choose to allow PG-13 or disable PG. These options are different in other countries.
- TV Shows: I chose to allow TV-PG and below. Some of the Saturday morning cartoons have a much higher rating than you might think.
- Books: Move to the Off position to disable the ability for the device to open Explicit Sexual Content.
- Apps: I chose to use 9+ although this is almost a non-issue as we’ll be disabling the App Store later in this article.
- In-App Purchases: I turn this off more so I don’t get random emails from the iTunes Store about buying add-ons for Angry Birds than anything else.
- Require Password: I don’t usually change this option.
- Accounts: I don’t allow changes on my daughter’s iPad.
Note: You can also lock the volume level here, although I usually don’t with ours as it just causes problems/arguments and a general desire not to use headphones, which I have a general desire to be used when watching many of her shows.
Another Note: You can browse content that you’ve blocked but not purchase/download that content, so know that if you’re not going to put a passcode on devices, or hide them when children aren’t supposed to use them.
Once you’ve enabled all the restrictions you’d like, leave the Restrictions portion of the General app and then go back in, just to verify that the passcode you used earlier still works. Also note that the Accessibility options can be great for those with disabilities, but I usually don’t enable any of them otherwise.
Remove Your Stuff
Still in the Settings app, tap on Mail, Contacts, Calendars. Now this is painful as it basically means that no, the iPad isn’t really yours like you thought it was, but remove your mail accounts. Otherwise, the kids will send mail to the entire Mac Enterprise list like mine did a few years ago. Yup, it will happen and thousands of people will laugh at you (or in my case they’ll just laugh at you more than usual). Once removed the Mail, Contacts, Calendars screen in the Settings app will just show you an option to “Add Account…” as seen here.
Also don’t forget that Facebook, Twitter, Instagram and all the other awesome reasons you bought the thing can end up getting photobombed with pictures she took while sitting in the back seat, tinkering around with Photo Booth. I actually don’t mind these with random characters or pictures my daughter posts of her tinkering with the camera app, so I don’t bother removing them, it’s more email specifically and only because you never know who she’s gonna’ hit up there.
Netflix is one of those funny places where children can spend hours, and while enamored with poster frames of interesting shows, kids can see things you might not want them to see. You can install an App and people can log into each profile and see a queue of shows, but also shows that they might be interested in. Profiles are not password protected, so users can select whichever profile they choose. But, it’s a start. I like to associate a different image with each user. To set up profiles, log into Netflix, hover the mouse over your name and then click on Manage Profiles. Here, create each desired profile and for any children who you want to try and limit, click Edit and then check the “This is a profile for kids under 12” checkbox.
Note: Profiles have a side benefit which is that you don’t see My Little Pony on your queue and your child doesn’t see Sacha Baron Cohen movies in their queue.
I also like to assign an image for each (click the red image in the lower right corner of the avatar for each user to select their own image). Make sure the whippersnapper knows which image they’re to use, and it will be a while before they realize they can just switch profiles if something’s blocked and they want to watch it. It will be punishment enough logging into a profile that doesn’t have a bunch of cartoons on it (okay mine does) so they won’t want to use anyone else’s profile.
Once you’re done you’ll get a cute login prompt on the device, when you log into Netflix.
Anyway, next is the hard part, move all the stuff you want to watch to your profile and leave the kid stuff in their profile (after all, I’m sure that like me they have more crap in their queue than you do!). I did this by having the iPad in my hand and a laptop. I looked at the list on the iPad to see what I wanted to add to my own queue (whoops, they call them lists now) and deleted things from the other profile with the iPad.
Next, we’ll perform one small change in the Settings for the Netflix app. Open the Settings app and scroll down in the sidebar until you see Netflix. Tap it and then turn the Wi-Fi Only option on.
This keeps you from getting an insanely high bill when the kids decide to watch Netflix using your data plan.
Install a Browser
Next, let’s install a browser so they can use the web with a little filter on it. Using a different browser means a slightly different look and feel, but it means we can limit what they’re able to use. To get started, open the App Store on the iOS device. Then, tap K9 in the search bar and install.
Once installed, try to browse a site you know to be just wrong for the kiddo from within the browser. Once you see the blocked page, you know you’re good.
K9 is a browser that is provided free of charge (well, there’s an ad bar that you can in app purchase to get rid of for $2.99 but close to free!) from Blue Coat, a company that makes proxy servers that filter and track internet traffic. I’m a big fan of their products and if you happen to do IT in a school district or company it might not be a bad idea to check their stuff out as well!
Now, many kids won’t need a web browser, but since you can’t access YouTube without it, you’ll end up needing one eventually. Once you’ve installed a browser it’s time to disable access to Safari. By disabling Safari you limit accessing the web to the K9 browser. To do so, open the Settings app again and tap on Restrictions.
From the Restrictions option in the Settings app, tap Off for Safari.
Then just close Safari and the app will disappear from the home screen.
Disable the App Store
Once you’ve purchased the K9 browser and all the fun games and educational whatnot that your children should have, it’s time to disable the App Store so that no further apps can be installed, such as another browser to bypass the K9 browser previously installed. To do so, open the Settings app, tap General and then tap on Restrictions.
From Restrictions simply move the slider for Installing Apps to the Off position.
Close the Settings app and the App Store icon will disappear from the home screen.
Enable Guided Access (aka Kiosk Mode)
Guided Access locks a user inside a single app. Only use this if you want to hand a kid an iPad that’s in an app and not let them close the app. If you use Guided Access you likely don’t need any of the other restrictions we mentioned in this article; however, every time the kid wants to switch apps you’re going to need to provide a pin code and then open another app and then enable Guided Access mode again, which could get pretty darn annoying after a while.
Using Guided Access is a two part process. First, enable Guided Access, which does little except set a passcode. It’s never a bad thing to enable Guided Access although I’ve seen a kid set a passcode accidentally and the device had to get wiped to undo it. Oh, did I mention, you don’t want to forget that passcode? Once enabled, we’ll restrict access to the app we no longer want users to be able to leave. Once enabled, the app is locked open until the passcode is tapped.
To enable Guided Access, open the Settings app and tap on General. Scroll down until you see Accessibility.
From the Accessibility screen, tap Guided Access.
From the Guided Access screen, tap ON.
Once enabled, you will invariably want to set a passcode (otherwise, why bother?). To do so, tap Set Passcode.
When prompted, provide a passcode.
For children I usually tap Enable Screen Sleep, which allows the device to go to sleep; however I don’t usually do so when setting these things up to actually be in a kiosk. Once you’re happy with the settings, close the app and Guided Access is working. Next, open an app and then triple-click the home button. A screen will open that allows you to Enable Guided Access; tap that from within the app you’d like to enable Guided Access for and voilà, the app is locked open. Now, you can also disable certain parts of the screen and whether or not the app allows shaking the device, etc. But I find that can be a bit difficult so I don’t typically use that feature.
Once you’re done with the app, to disable Guided Access, simply triple-click on the home button again, provide the passcode and tap Disable for Guided Access to close. Managing Guided Access is difficult and I find it best for toddlers or bigger kids that might be finding themselves not-to-be-trusted for a short period of time. I mentioned this earlier, but don’t forget the passcode you use to enable Guided Access or you might find yourself wiping the device by the time all is said and done.
Use Safe DNS Servers
You can use a service like OpenDNS.com to control which Internet addresses a device can access. To do so, first go to https://store.opendns.com/familyshield and sign up for the free account (unless you want the bells and whistles with their paid accounts).
Open the Settings app and then tap on Wi-Fi in the sidebar. From the Wi-Fi screen, enter 188.8.131.52 and 184.108.40.206 in the DNS field.
Once you enter the DNS servers, close the Settings app. Then close and re-open your browser to delete the cache and open it again to see if the new settings are blocking the naughty sites.
Get a Case
Okay, so none of this is going to matter one little bit the next time the little devil decides to throw a temper tantrum. You know that shirt that says “I’m why mommy and daddy can’t have nice things” is way cheaper than an iPad, but still we let the little tykes play with the things. If we’re gonna’ do that, might as well get a good case for the thing. Otterbox makes good water and shock absorbent cases, as well as others.
Just so you don’t have to re-download all the movies you’ve bought to keep the little Cheerio-eaters busy, configure these settings again, etc. you should make a backup of the device. I wrote that up a long time ago at http://www.krypted.com/?p=8319 but it’s worth noting that you want to encrypt these backups so everything is captured.
Find My iPad/iPhone
Find My iPhone allows you to track the whereabouts of your iPhone, iPad and iPod Touch. To enable, first turn on iCloud if you haven’t already. To do so, open the Settings app and tap on iCloud in the sidebar. Enter the Apple ID you use to buy software along with the Password and then tap Sign In.
Once added, if you don’t want to sync mail, contacts, calendars, etc., then flip their sliders from the ON to the OFF position. Set Find My iPad to On (or Find My iPhone if it’s not an iPad). Close the app and within a few shakes you’ll be able to track the whereabouts of devices.
Once installed, install the Find My iPhone app and log into your iCloud account or use your iCloud account to log into the MobileMe site.
When you install Find My iPhone from the App Store, you’ll use an iCloud account to view where the devices are. Mine aren’t really available in the following screen because I suck and wrote this on an airplane. But whatever… Either way, you can now chase down the bully that stole your darling’s iPad and beat them with the folded up stroller, running over them four or five times in your Prius. Or maybe that’s just me. But you can’t do it on an airplane. Sorry.
Get Advanced with Profiles
You can actually lock down a lot of what iOS can do. A lot more than what’s available in the GUI. To do so, you would use something known as a profile. These can control the options we discussed in much of this article. But they can also lock down options that you didn’t even know were available, such as disabling apps not otherwise removable and locking users out of certain features of devices.
Profiles are created manually and installed via USB or email using Apple Configurator, which I co-authored a book on, available here, or they can be deployed via an MDM solution, such as Apple’s Profile Manager or some really enterprise class ones such as Casper MDM. This is much more advanced than what I intended to write here, but I’ve written a lot about MDM over the years as have others, so feel free to dive into that if you deem it necessary.
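To make the idea of a profile concrete, here is an added example (not from the original article, and not output from Apple Configurator) that builds a configuration profile mirroring the Restrictions chosen earlier and audits any profile against that baseline. The keys belong to Apple's Restrictions payload (`com.apple.applicationaccess`); the `example.family` identifier and display names are constructed placeholders, and the rating numbers are the US-region values, which should be confirmed against Apple's configuration profile documentation.

```python
import plistlib
import uuid

# Restrictions payload keys (payload type com.apple.applicationaccess),
# set to mirror the choices made in the article's Restrictions section.
BASELINE = {
    "allowSafari": False,           # Safari off, filtered browser only
    "allowAppInstallation": False,  # "Installing Apps" off
    "allowAppRemoval": False,       # "Deleting Apps" off (supervised devices only)
    "allowInAppPurchases": False,
    "allowExplicitContent": False,  # explicit music, podcasts, books
    "ratingRegion": "us",
    "ratingMovies": 200,            # PG and below (assumed US scale)
    "ratingTVShows": 400,           # TV-PG and below (assumed US scale)
    "ratingApps": 200,              # 9+ and below
}

def build_profile(org="example.family"):  # org prefix is a constructed placeholder
    """Return .mobileconfig bytes carrying the BASELINE restrictions."""
    payload = dict(BASELINE,
                   PayloadType="com.apple.applicationaccess",
                   PayloadIdentifier=org + ".restrictions",
                   PayloadUUID=str(uuid.uuid4()).upper(),
                   PayloadVersion=1,
                   PayloadDisplayName="Kid restrictions")
    profile = {"PayloadType": "Configuration",
               "PayloadIdentifier": org + ".kidprofile",
               "PayloadUUID": str(uuid.uuid4()).upper(),
               "PayloadVersion": 1,
               "PayloadDisplayName": "Kid iPad",
               "PayloadContent": [payload]}
    return plistlib.dumps(profile)

def audit_profile(data):
    """List baseline settings that a profile leaves unset or more permissive."""
    found = {}
    for p in plistlib.loads(data).get("PayloadContent", []):
        if p.get("PayloadType") == "com.apple.applicationaccess":
            found.update(p)
    gaps = []
    for key, want in BASELINE.items():
        have = found.get(key)
        if isinstance(want, bool):
            loose = have is not False        # a missing key means "allowed"
        elif isinstance(want, int):
            loose = have is None or have > want
        else:
            loose = have != want
        if loose:
            gaps.append(key)
    return gaps
```

Write the bytes from `build_profile()` to a file ending in `.mobileconfig` to load it with Apple Configurator or an MDM; run `audit_profile()` over an exported profile to see which of the article's restrictions it no longer enforces.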
Check On the Device Routinely
No matter what you do, the device can be reset back to factory defaults and set back up. You don’t have to worry about younger kids searching the Internet and finding how to do it (like here on Apple’s site). But with older kids, check out the device every now and then and just make sure your parental controls are still in place.
This article is really meant to be an à la carte listing of things you can do. If the kid is young enough, they’re not going to try to do anything on purpose but the older the child the more likely they will try to break out of the sandboxed environment you’ve created, if only because they see it as a challenge or simply because they can (kind of like when my daughter writes on the wall). But that isn’t to say that you shouldn’t try to do something. And what you do should be age appropriate with an eye on not letting them spend too much of your money on apps or too much of their time on the devices.
Don’t Do Too Much
But don’t do too much. Especially if the kids are older. If you do too much, then the kiddos have a tendency to try and break the sandbox you build. Oddly, the fewer the restrictions the less they’ll try and break them. This isn’t so much an issue with the really young ones (think kindergarten and below) but as they get older it’s a bit more of a problem.
Also, keep in mind that the devices are meant to allow for a maximum level of creativity. The more you allow to happen on the device, the more creativity you may allow for. Whatever’s appropriate for the age and knowledge level of your little one!
Recently, Safari on my iPhone started finding things I searched for using Yahoo! rather than the previously default Google search engine. Now, I’m not gonna’ hate on Yahoo! here. I actually left it for weeks so I could see the differences and nuances here and there. From the different way it displays movie times to image handling, I just didn’t exactly love Yahoo! (although it gets better all the time). So I decided to switch it back. If you decide to switch back, you do so by first opening the Settings App and then scrolling down to and tapping on Safari.
From the list of available options, select Google, Yahoo! or Bing. Then close the Settings app and you should be good to go.