When Apple showed off the latest and greatest options for managing and tracking iOS devices remotely using iCloud accounts, many an Enterprise and School District said “wait, what?” The reason is that if an iOS device has Find My iPhone enabled and the device is stolen, it cannot be activated again without logging into the iCloud account that Find My iPhone was enabled with. This could represent an issue if an employee is fired or if students turn in their iPads after a year of running Find My iPad. Imagine asking an employee you just fired or a student you just expelled to enter their iCloud password so you can wipe the device and hand it to the next person waiting for one.
This was a hot topic amongst those with large iOS deployments, and at first I didn’t have much to say about it as I was waiting for all the pieces to fall into place. Then came along the latest MDM patches and Apple Configurator 1.4, along with iOS 7.0.2 (11A501). Now there are some options.
The first option is to run all of your devices in Supervised Mode using a system running Apple Configurator 1.4. This has to be done proactively, because once Find My iPhone is enabled, you cannot prepare the device with Configurator.
Supervising a device requires wiping the device, so moving to a supervised model will require some planning. However, if you enable Supervision and then enable Find My iPhone then you can unsupervise a device, which also wipes the device. Let’s try that now.
First, we’ll prepare a very simple supervised environment. Open Apple Configurator, create a backup of an empty device, move the Supervision slider to ON and then click Prepare.
Plug in a device that you don’t mind wiping and the device will reformat, restore and be supervised. Next, let’s look at enabling Find My iPhone/iPad so you can test these things properly. To get started, open the Settings app and tap on Privacy.
At the Privacy screen, tap on Find My iPad.
At the Find My iPad screen, tap the slider for Find My iPad.
If prompted, provide Apple ID information and then tap the OK button to enable Find My iPad.
You can also tap on the slider again, even with an Apple ID installed, to disable the feature. When you disable, you’ll get an email indicating that you did so.
For the purposes of this example, let’s leave Find My iPad on and then let’s plug the device back into our Apple Configurator host. Click on the Supervise tab from Apple Configurator and you’ll notice that the device is shown. Right-click on the device and click Unsupervise…
When prompted that the device will be wiped, click Unsupervise Device again. The device wipes and then comes back up to a standard activation screen, activating as it should. To prove that the device can’t be supervised when Find My iPad is enabled, enable Find My iPad and then plug it into your Apple Configurator host. When you click Prepare, the device won’t register within the application. Next, still with Find My iPad enabled, log into your iCloud account, click Find My iPhone, click on your device and then click on Erase iPad. You’ll be prompted to Erase. The iPad then erases. This is how Find My iPad works.
Enable Location Services again. Then turn off the iPad. While powered off, press and hold the Home button. Then connect the USB cable from a computer running iTunes to the iPad. Hold the Home button while booting up until the Connect to iTunes screen appears.
Open iTunes to see the iPad in recovery mode. iTunes then prompts and restores the iPad.
Once restored, you will be prompted that the iPad will restart.
During the setup process, the device then prompts for activation. You cannot activate the device without providing a username and password.
We wiped with iTunes, but no matter how you wipe, the outcome is consistent. But if you put a device into “Lost Mode” while Supervised and then unsupervise, the device is wiped and will set up as normal, exiting Lost Mode. If you remotely wipe a device while Supervised, the device starts normally and can be supervised again or set up again from scratch. This seems to mean that while a device is Supervised, Find My iPad can still wipe or lock the device, but the lock is simple to bypass with Configurator, whether or not the device will be Supervised again. That’s a very smart way to build that type of interaction on Apple’s part.
We’ve looked at enabling, what Configurator does when enabling, how you can bypass using Configurator, etc. A few key points that might not be clear:
- Provided you have proof of purchase (e.g. a receipt) then you can always unlock an iOS device with Apple. For the foreseeable future it might take a while, but I’d anticipate that eventually someone at the Genius Bar of an Apple retail store would be able to fix this situation.
- In order to use Supervise mode, you must first disable Find My iPhone, meaning if you’re architecting a solution and you have existing data on devices, you must plan for backing up and restoring the data on those devices before moving into this type of scenario.
- Even if you’re using Supervise mode, if you wipe a device from Find My iPad the device will require the iCloud password to unlock it. This means you’d likely want to unsupervise a device rather quickly.
- I used to shy away from Supervised mode because it was pretty cumbersome. iTunes and iPhoto now work with supervision and if restoring and enrolling into an MDM provider you can really streamline the setup process using supervision as you don’t have to incessantly tap Accept.
- Location Services is a feature that has been queryable via the MDM API for some time. There are options for Location Services in most MDM providers. We could trigger emails based on the status of this field using standard MDM solutions, such as Casper MDM, FileWave, etc. (FYI this link might not be up for another day, just future proofing it).
- Seems as though all of this can change in a point release, so YMMV.
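As an added example (not the post’s own code, nor any MDM vendor’s), here is the server-side logic an MDM could use to ask a device for the fields that matter here and decide when to raise the email mentioned above. The query key names are assumed from Apple’s MDM protocol DeviceInformation command (the post itself only says Location Services is queryable), and the device response is a constructed sample.

```python
import plistlib
import uuid

# DeviceInformation query keys from Apple's MDM protocol (assumed here from the
# protocol reference; the post only says Location Services is queryable).
QUERY_KEYS = ["UDID", "DeviceName", "IsSupervised",
              "IsDeviceLocatorServiceEnabled", "IsActivationLockEnabled"]

def build_device_information_command(command_uuid=None):
    """Build the plist an MDM server pushes to ask a device for these fields."""
    command = {"CommandUUID": command_uuid or str(uuid.uuid4()),
               "Command": {"RequestType": "DeviceInformation", "Queries": QUERY_KEYS}}
    return plistlib.dumps(command)

def assess_response(response_bytes):
    """Parse a DeviceInformation response and flag the states the post describes."""
    resp = plistlib.loads(response_bytes)
    result = {"udid": resp.get("UDID"), "alerts": []}
    if resp.get("Status") != "Acknowledged":
        result["alerts"].append("device did not acknowledge the query")
        return result
    info = resp.get("QueryResponses", {})
    supervised = bool(info.get("IsSupervised", False))
    locator_on = bool(info.get("IsDeviceLocatorServiceEnabled", False))
    lock_on = bool(info.get("IsActivationLockEnabled", False))
    if locator_on and not supervised:
        # Configurator will not prepare a device while Find My iPhone is on.
        result["alerts"].append("find-my-on-unsupervised")
    if locator_on and supervised:
        # Unsupervising (which wipes) clears the lock before the device changes hands.
        result["alerts"].append("find-my-on-supervised")
    if lock_on:
        # After any wipe the owner's Apple ID is needed to reactivate.
        result["alerts"].append("activation-lock-on")
    return result

# Constructed sample response for a student iPad that was never supervised.
SAMPLE_RESPONSE = plistlib.dumps({
    "CommandUUID": "constructed-cmd-0001", "Status": "Acknowledged",
    "UDID": "constructed-udid-0001",
    "QueryResponses": {"UDID": "constructed-udid-0001", "DeviceName": "Lab iPad 12",
                       "IsSupervised": False, "IsDeviceLocatorServiceEnabled": True,
                       "IsActivationLockEnabled": True},
})
```

The alert tags are what a workflow would turn into the status email; the command plist is what the MDM server would queue for the device.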
Overall, I think that the Find My iPad stuff is great. It seems to me as though using Supervised mode in conjunction with Find My iPhone is a way to keep the data at rest on a device safe provided you don’t really care about getting a device back. While no one likes losing a device and having to purchase a new one, it could be worse. So now there’s an option, use Supervised Mode and basically undo everything Apple did when they built this new model or don’t and allow an employee to basically trash a device until you can get written info to Apple that you own the device. It’s great and innovative and we have a few ways to work around it if we need to. In a BYOD scenario it’s a non-issue. In a corporate or institution owned scenario it’s manageable according to which model works best for your sensibilities.
krypted September 30th, 2013