Enable Apple Configurator Debug Logs

Apple Configurator 2 is a great tool. But you need to debug things from time to time. This might mean that a profile is misconfigured and not installing, or that a device can’t perform a task you are sending it to be performed. This is about the time that you need to enable some debug logs. To do so, quit Apple Configurator and then write a string of ALL into the ACULogLevel key in ~/Library/Containers/com.apple.configurator.ui/Data/Library/Preferences/com.apple.configurator.ui.plist: defaults write ~/Library/Containers/com.apple.configurator.ui/Data/Library/Preferences/com.apple.configurator.ui.plist ACULogLevel -string ALL To disable, quit Apple Configurator and then delete that ACULogLevel key: defaults delete ~/Library/Containers/com.apple.configurator.ui/Data/Library/Preferences/com.apple.configurator.ui.plist ACULogLevel

Add Profiles To Blueprints In Apple Configurator 2

One of the tasks you’ll need to perform in Apple Configurator 2, is to assign Profiles to iOS devices in order to set them up with features or restrict the device from using certain features. I cover creating a profile here. To get started applying a profile to a device, bring up the Blueprints screen. Screen Shot 2015-11-04 at 10.44.35 PM Choose a Blueprint and right-click on it. Choose Profiles… Screen Shot 2015-11-04 at 10.44.53 PM Browse to the profile and then click on Add Profile. Screen Shot 2015-11-04 at 10.45.11 PM The profile is then applied to any devices that the Blueprint is applied to. For more on Blueprints, view this article.

Upgrade Devices And Apps Using Apple Configurator 2

Apple Configurator has always been able to upgrade devices. But it can also now upgrade apps that are on devices. To run an upgrade, first open Apple Configurator 2. Screen Shot 2015-11-03 at 8.14.35 AM Once open, right-click on a device and click on the Update… option. Screen Shot 2015-11-03 at 8.27.11 AM You can update all assets on the device concurrently, using the default option. Here, we’re going to select to update only the items we need to in the drop-down menu. Screen Shot 2015-11-03 at 8.29.52 AM Select Only Some Apps and then you’ll see a list of each app that needs an upgrade on the device. Check the box for the apps to be updated and then click on the Update button. Screen Shot 2015-11-03 at 8.29.59 AM Apps are updated using an iTunes account. Here, you will need to authenticate using an account on the app store that owns these apps. Screen Shot 2015-11-03 at 8.30.08 AM Once entered, Apple Configurator will cache the apps and install them on a device or devices. The apps are only downloaded once, and then applied to many devices. These function even if the app store is disabled on devices.  

Create A Backup In Apple Configurator 2

One of the more common tasks performed in Apple Configurator is to create a backup of a device and restore that backup to multiple devices. This backs up the icon placement on screens, the settings on the device and anything not stored in the operating system or secure enclave of a device. Once you’ve created a backup, you can assign that backup to a blueprint or deploy the backup to individual devices. To create a backup, first open Apple Configurator 2 and tether a device to the computer running Apple Configurator. Screen Shot 2015-11-03 at 8.14.35 AM Next, right-click on a device and then choose the Back Up option. Screen Shot 2015-11-03 at 8.14.23 AM Once you unlock the device (if locked) the backup process will start. Screen Shot 2015-11-03 at 8.14.58 AM That’s it. Nice and easy. You can now use the backup to restore devices or assign the backup to a blueprint so it will be used to restore devices that the blueprint is applied to.

Install Apps To iOS Devices Using Apple Configurator 2

One of the primary use cases for Apple Configurator 1 and Apple Configurator 2 is to get apps on devices. Even with MDM, you can use Apple Configurator 2 for app deployment. The value here might be that you end up transferring 10 gigs of apps over a USB cable, rather than over the air in larger deployments. Here, we’ll look at a basic app deployment using Apple Configurator 2. To get started, first download the app and get it in iTunes. This can be accomplished by copying the .ipa file for an app onto a device, or syncing an iOS device with iTunes that has the app installed. Take care that the Apple ID associated with the app will be applied on the device. Then, open Apple Configurator 2 and choose a Blueprint (View -> Edit Blueprints) you’d like to apply, or deploy, this app to. Once uploaded and assigned, any device that you apply the Blueprint to will receive the app. Right-click on the Blueprint and click on Add and then choose Apps in the submenu. Screen Shot 2015-11-04 at 9.10.58 AM You will need to authenticate to the iTunes Store using an Apple ID. Notice that if you’ve previously connected Apple Configurator 2 to the iTunes Store that you will routinely get prompted to reconnect when the key expires (seems to be after a good 4 hours of inactivity, but not sure yet exactly when to expect – this might be a bit annoying for environments that have students that don’t have that password doing some of the work). Screen Shot 2015-11-04 at 8.42.45 AM The when you authenticate, you’ll be prompted for a list of apps to install. Here, we’re just going to choose some generic app and click on Add Apps (yes, that’s plural, you can choose more than one). Screen Shot 2015-11-04 at 8.43.51 AM The app will be listed. Any device the Blueprint is applied to then receives the app. Screen Shot 2015-11-04 at 8.44.05 AM You can also assign an app to a device manually. To do so, control-click (or right-click) on a device and then use Add to choose the Apps… option. The rest of this process is pretty much the same. Screen Shot 2015-11-04 at 8.46.53 AM Overall, these options are similar but a bit more matured than they were in Apple Configurator 1. There are a few other pretty cool options that we’ll explore soon, but for now this should get you started in getting apps as a part of your Apple Configurator 2 deployment.

Enable Device Supervision On iOS Devices Using Apple Configurator 2

When a DEP device is setup, the device is supervised. By supervising a device, in Apple wisdom, ownership by the organization is proven and so additional options for limiting what a device can do. For example, supervised iOS devices that are enrolled in an MDM solution by a DEP portal cannot then be unenrolled. Supervision also allows an MDM to escrow a key that can be used to unlock a device locked by Activation Lock. And there are plenty of restrictions and other management options that Apple makes available on a device owned by an organization rather than an individual. It’s understandable given the massive consumer market served and the desire to preserve a fantastic user experience on devices. If you purchased iOS devices before DEP was available, then you can still enable supervision on those devices. To do so, we’ll use Apple Configurator 2. Before you do anything, know that this process will wipe a device and reactivate the device. There are a number of reasons for this, including Activation Lock escrow, but the important thing to know is that any time you change the Supervision state on a device (going from DEP to non-DEP, going from Supervised to non-supervised via Configurator) that you will wipe the device. First, plug in a device you’d like to supervise. Once plugged in, right-click on the device. Screen Shot 2015-11-03 at 6.32.48 PM Click on Prepare… At the contextual menu you can select Automatic or Manual configuration. Automatic uses DEP. Since we’re supervising because DEP isn’t available to us, I’ll assume you want to use Manual in this screen. Choose that and then click on Next. Screen Shot 2015-11-03 at 6.32.56 PM   At the Enroll in MDM Server screen, here we’re not going to automate the enrollment. But if you have an enrollment certificate you’d like to export so that you can automate enrollment during the preparation step, you can use that here. Click Next to proceed. Screen Shot 2015-11-03 at 6.33.00 PM Now we’re at the important part (for the purposes of this article at least). Here, at the Supervise Devices screen, you can check the box to “Supervise devices”. This comes with a child option to disable the ability for other devices to pair to the device. Let’s check both, which will Supervise the device while also allowing it to synchronize with computers, and then click Next. Screen Shot 2015-11-03 at 6.33.03 PM When prompted for the Organization information, choose the Organization you configured when setting up Apple Configurator 2, unless you have multiple organizations/certificates. Screen Shot 2015-11-03 at 6.32.56 PM Finally, select which options during activation that should be used. Here, you can choose to skip various options during the activation process, letting the iOS activation for new devices require less screens (streamlining deployment) while implementing default settings on devices. These screens include Language, Region, Location Services, Set Up, Move from Android, Apple ID, Zoom, Siri, Diagnostics, Passcode, Touch ID, and Apple Pay. I’m going to leave the setting for the setup assistant to “Show all steps” but you can choose to skip any you’d like to skip. Screen Shot 2015-11-03 at 6.33.11 PM Click Prepare, unlock your device, and watch it get wiped. If the device is supervised by DEP, the process should fail (don’t try it unless you’re committed to wiping the device) unless you erase the device first.

Automate MDM Enrollment Using Apple Configurator 2

I’ve written a number of articles on automating MDM enrollments using Apple Configurator in the past. In Apple Configurator 2, there are some new options that make the process much easier than it’s ever been in the past. To get started, let’s open Apple Configurator 2 and click on a Blueprint we’d like to apply to devices being prepared during a mass iPad or iPhone enrollment through Apple Configurator. Control-click on the Blueprint to set up for automated enrollment and click on the Prepare button. Screen Shot 2015-11-03 at 11.18.02 PM At the Organization screen, select the organization you’d like to enroll your device in and click on the Next button. Screen Shot 2015-11-03 at 6.32.56 PM At the Server screen, select to enroll in an MDM server. Screen Shot 2015-11-03 at 6.33.00 PM At the Define an MDM Server screen, type the name of a server and click Next. Screen Shot 2015-11-03 at 11.17.22 PM The server is then located and provided the Apple Configurator 2 system can communicate with the server, you’ll get a choice of the MDM service to enroll into. Select the certificate and click Next. Screen Shot 2015-11-03 at 11.17.27 PM At the Supervise Devices screen, select whether you’d like to supervise devices enrolled using Apple Configurator 2. Click Next. Screen Shot 2015-11-03 at 11.17.32 PM At the Configure iOS Setup Assistant screen, choose whether to skip some screens during the initial configuration of the device and click on Prepare. Screen Shot 2015-11-03 at 11.17.38 PM Now, during the preparation in Apple Configurator, you’ll be able to enroll iOS devices into Profile Manager (or another MDM) en masse. Additionally, the traditional method of enrollment (Configurator 1) still works. Here, you’d download a trust profile, done using the name in the upper right corner of the Profile Manager interface and then choosing Download Trust Profile. Screen Shot 2015-11-03 at 11.06.17 PM You’ll also need the Enrollment Profile, accessed using the plus sign (+) in the lower left corner of the screen and choosing Enrollment Profile. Screen Shot 2015-11-03 at 11.06.27 PM The two are then added to the Profiles of a blueprint in Apple Configurator 2. You can also use the Settings for a device group to set placeholders for devices so they’re automatically assigned to a group during mass enrollments like this. Screen Shot 2015-11-03 at 11.07.09 PM   Overall the options in Apple Configurator 2 with Profile Manager or another MDM are way easier to use than in previous versions. I think a lot of new administrators will be able to easily get used to this workflow. Enjoy!    

Install Apple Configurator 2

Apple Configurator 2 is a great tool to manage iOS devices. It’s also a pretty decent tool when you need to create profiles for use on Macs. Apple Configurator is easily installed using the Mac App Store. This involves a number of tasks:
  1. Restore: Restore an operating system to an iOS device
  2. Duplicate: Similar to imaging (but not), restore various options on a device so it is similar to a previous device. There are limitations to this feature as any data stored in the secure enclave will not be duplicated
  3. Application Assignment: Install apps on devices with or without an MDM solution to manage the devices
  4. Supervise: Enable supervised mode on the devices so that you can prove ownership and therefore unlock additional restrictions on devices
  5. Manage: Deploy profiles on devices to control the features used on devices and automate configuration
However you plan on using Apple Configurator, the first step to use the product is to download it for free and install it on an OS X computer. To install Apple Configurator, first open the App Store and search for Apple Configurator. Screen Shot 2015-10-26 at 2.55.34 PM When listed, click on Apple Configurator. Screen Shot 2015-10-26 at 2.57.09 PM Then click on Get, then click on Install App. If prompted for your Apple ID, provide it. Screen Shot 2015-07-27 at 2.52.00 PM This downloads Apple Configurator to the /Applications directory on your computer. Once installed, you can still use Apple Configurator, if you were using it before. The two apps will appear in the Finder, with Apple Configurator 1 showing as Apple Configurator and Apple Configurator 2 appearing as Apple Configurator 2. When you initially open Apple Configurator 2, if you had been running Apple Configurator 1, you’ll be prompted to migrate your data into Apple Configurator 2. I’ve done a series of articles at http://krypted.com/guides/apple-configurator/ to help guide you through the process of getting comfortable with Apple Configurator and Apple Configurator 2. Good luck!

Restrict Access To Sites On iOS Devices Using Apple Configurator 2

One of the more common requests we get for iOS devices is to restrict what sites on the web that a device can access. This can be done in a number of ways. One is using the content filter option in Apple Configurator 2. The second is using a Global HTTP Proxy. We’ll cover both here, using custom profiles. Both require the device be Supervised. Use the Content Filter To enable the Content Filter, open Apple Configurator and click on the New menu. From there, click on Content Filter in the sidebar. You have three ways you can use the Content Filter. These include:
  • Built-in: Limit Adult Content: A basic profile that allows you to specifically whitelist and blacklist sites. This gives you very basic control of sites. Here, use the plus sign to enter a URL, as you can see here.
Screen Shot 2015-10-26 at 3.43.56 PM
  • Built-in: Specific Websites Only: This option only allows certain sites, and creates a badge for each in the bookmarks list of Safari.
Screen Shot 2015-10-26 at 3.52.40 PM
  • Plug-in: Allows you to install third party plug-ins on iOS devices. If using this, you would likely have instructions for building the profile from the vendor.
Screen Shot 2015-10-26 at 3.54.06 PM The Content Filter is a pretty straight forward profile, except when using the plug-ins. Close the screen to save the profile. Screen Shot 2015-10-26 at 3.56.37 PM Once saved, you can use the filter profile in blueprints, via an MDM solution, or install manually through Configurator. Use the Global HTTP Proxy In Apple Configurator 2 there’s an option for a Global HTTP Proxy for Supervised devices. This allows you to have a proxy for HTTP traffic that is persistent across apps, and to have that proxy applicable when users go home or if they’re in the office/school. If you have a PAC file, you can deploy the global proxy using that, by selecting Auto as your deployment option. Screen Shot 2015-10-26 at 4.01.47 PM If you don’t use a PAC file, you can also manually define settings to access your proxy. Here, we specify the proxy server address and port, as well as an optional username and password. Additionally, new in Apple Configurator 2, we have the option to bypass the proxy for captive portals, which you’ll want to use if you require joining a network via a captive portal. Screen Shot 2015-10-26 at 3.59.37 PM Each Wi-Fi network that you push to devices also has the ability to have a proxy associated as well. This is supported by pretty much every MDM solution, with screens similar to the following, which is how you do it in Apple Configurator. Screen Shot 2015-10-26 at 4.03.59 PM I am all about layered defense, though. Or if a proxy is not an option then having an alternative is a great call. Another way to disable access to certain sites is to outright disable Safari and use another browser. This can be done with most MDM solutions as well as using a profile. To see what this would look like using Apple Configurator 2, see the below profile. Screen Shot 2015-10-26 at 4.05.50 PM Now, once Safari has been disabled, you then need to provide a different browser. There are a number of third party browsers available on the App Store. Some provide enhanced features such as Flash integration while others remove features or restrict site access. In this example we’re using the K9 Web Protection Browser. This browser is going to just block sites based on what the K9 folks deem appropriate. Other browsers of this type include X3watchMobicip (which can be centrally managed and has a ton of pretty awesome features), bSecure (which ties in with their online offerings for reporting, etc) and others. While this type of thing isn’t likely to be implemented at a lot of companies, it is common in education environments and even on kiosk types of devices. There are a number of reasons I’m a strong proponent of a layered approach to policy management for iOS. By leveraging proxies, application restrictions, reporting and when possible Mobile Device Management, it becomes very possible to control the user experience to an iOS device in such a way that you can limit access to web sites matching a certain criteria.

Migrate Settings From Apple Configurator 1 to Apple Configurator 2

The first time you open Apple Configurator 2, if you’ve been using Apple Configurator 1, your settings will be upgraded from the old sqlite3 database in Apple Configurator 1 into the Apple Configurator 2 decentralized file structure. To get started, first backup your computer. I’d recommend a clone as with certs and profiles and databases and all that fun stuff. Once you have a solid backup, open the new Apple Configurator 2 app and then click on the Next button at the Introduction screen. Screen Shot 2015-10-07 at 4.25.17 PM At the Library Migration screen, select each of the types of data that you’d like to migrate and click on the Next button. Screen Shot 2015-10-07 at 4.25.30 PM At the Device Backups screen, you will have the option to select any backups that should be migrated to the new location and structure. Check the box for any you’d like to migrate and then click on the Next button (note, there weren’t any on this system as I’d removed them already). Screen Shot 2015-10-07 at 4.25.32 PM At the Convert Device Configurations to Blueprints screen, you’ll have the option to save each of your unique configurations from Apple Configurator 1 (from the prepare screen) to what are now known as Blueprints in Apple Configurator 2. Select any that you’d like to convert and click Next. Screen Shot 2015-10-07 at 4.25.34 PM This is a pretty small amount of data (well, other than backups and apps). You’ll then be shown what is going to get migrated. Click on Next if this is correct. Screen Shot 2015-10-07 at 4.25.43 PM Finally, choose where it all goes. Screen Shot 2015-10-07 at 4.25.54 PM Provided that all the data is migrated properly, you’ll then be shown a beautiful Migration Successful screen. Screen Shot 2015-10-07 at 4.26.00 PM That’s it. Now you’ll be looking at the Getting Started screen. Screen Shot 2015-10-07 at 4.26.40 PM