Tiny Deathstars of Foulness

Enter Apple Configurator 2, a free tool on the Mac App Store. This tool basically fixes most setup challenges for iOS, but does so over USB. This means that Apple Configurator is not necessarily a replacement for MDM. In fact, you can deploy Trust and Entrollment profiles for MDM and automate the MDM enrollment for a device through Apple Configurator 2. Instead, Apple Configurator 2 is a tool that can either help to manage iOS devices during a mass deployment and do so in a manner that is easy enough that you don’t need a firm background in IT to manage devices on a day-to-day basis.

Here is what Apple Configurator can do:

  • Update iOS devices to the latest version of iOS.
  • Rename devices using a numbered scheme (e.g. iPad 1, iPad 2, etc).
  • Erase (wipe) iOS devices.
  • Backup and Restore iOS devices.
  • Deploy profiles/policies (e.g. no Siri for you, disable cameras, setup wireless, etc) to iOS devices.
  • Export profiles.
  • Activate devices (after all a restore of a freshly activated device is an activation).
  • Push any kind of app to devices.
  • Track Volume Purchase Program (VPP) codes used on devices.
  • Manage the wallpaper on “Supervised” devices (more on supervision later).
  • Manage the names of devices en masse.
  • Load content to apps on devices.
  • Skip initial Activation steps on devices.

Apple Configurator 2 does have some caveats, including the following:

  • In order to push apps through Apple Configurator, the system running Configurator needs access to Apple’s servers and Apple Configurator needs an AppleID associated with it that is not the VPP facilitator if you are leveraging any paid apps.
  • You can use Apple Configurator “off-line” or without an AppleID to Prepare devices with Profiles, just not to Activate devices. For the initial device activation process, Macs running Apple Configurator will need to be online. Additionally, you’ll be prompted to enter your Apple ID routinely.
  • If you push Trust and Enrollment profiles to automatically join Profile Manager (or another MDM vendor) the device isn’t associated with a user unless the MDM has been prepped to designate each UDID or Serial Number to a given user.
  • If you accidentally plug in your iPhone to a machine and you’re using Apple Configurator on it and you’ve chosen to Erase in the application, then it will wipe your phone along with the 30 iPads you’re wiping. It’s awesome and scary like that (yes, I’ve accidentally wiped my phone).

I see a number of uses for Apple Configurator. Some of these use cases include:

  • Company and education labs: manage devices end-to-end (no MDM, iTunes iPhone Configuration Utility or other tools needed), managed by the lab manager.
  • One-to-One environments (schools): Manage the distribution of infrastructure settings (mail, wireless networks, etc) for devices as well as Trust Profiles to make it faster to enroll in MDM environments and Web Clips to manage the links for enrollment.
  • Device distribution: Pre-load applications (that can’t be updated unless they’re cradled again), renaming, profiles, activation, iOS software updates, etc.
  • Backup and Restore only stations where you don’t interfere with later iTunes use.

These can enhance practically every environment I’ve worked with. But unless it’s a small environment (e.g. the labs), Apple Configurator isn’t a replacement for the tools already in use in most cases, like an MDM solution. Instead, it just makes things better. Overall, Apple Configurator 2 is a welcome addition to the bat belt that we all have for iOS management and deployment. Now that we’ve looked at the when/where of using it, let’s look at the how.



At this point, we’ll explore the Profiles options in Apple Configurator 2. To create profiles, use the File menu and click on New Profile.

Screen Shot 2015-11-04 at 10.23.16 PM

At the Untitled profile name, enter a name in the Name field. This is how it will appear in the Profiles section of Apple Configurator. Because you can deploy multiple profiles, I’m just going to configure the SSID and Web Clip and call it MDM Enrollment Staging. Optionally, give it some notes, organization name, etc.

Screen Shot 2015-11-04 at 10.25.29 PM

Click on Wi-Fi and then click on the Configure button. Here, enter the SSID of the deployment network (MDMEnroll in this example). We’ll use the Hidden Network field to indicate the SSID is suppressed and we’ll use the network type of WEP and throw the password into the Password field as well. Now, before we move on, notice that there’s a plus and minus sign in the top right of the screen? You can deploy multiple of each, so if you have 10 wireless networks, 4 Email accounts, 9 VPN connections, 29 SSL Certs etc, you could deploy them all easily with multiple entries of each.

Screen Shot 2015-11-04 at 10.27.04 PM

Next, we’ll go ahead and enter a name for our Web Clip and the URL that the device will point to.

Screen Shot 2015-11-04 at 10.36.06 PM

We’ll also disable certain features of iOS. To do so, click on Restrictions, and uncheck various boxes in order to disable features you don’t wish to use.

Screen Shot 2015-11-04 at 10.39.22 PM

Go ahead and close the window and you’ll be prompted to save the profile.

Screen Shot 2015-11-04 at 10.29.55 PM


You’ll then see MDM Enrollment Staging.mobileconfig in the Finder where you selected to store it. You can also save an enrollment profile from Profile Manager as we explained here. We could go that further further and actually enroll the device by exporting the enrollment profile as well, but again, I want each user to provide their username and password so I as an administrator don’t have to go through and attach each device to a user in this scenario. I’ve been looking at importing devices and associating them with users via postgres, but that’s going to be another 3am article, on another night…


Apple Configurator 2is really a great tool when used in the right scenarios. In learning how it works and interacts I actually learned a lot about both iOS and Mac OS X that I didn’t know before. I hope I did the tool justice with how easy it is to use. This is a fairly long article and it’s probably more complicated than it needs to be in parts, but that’s more my method of trying to figure out what it’s doing than the tool being complicated. It’s not hard to figure out at all. I am sure I could teach any non-technical iOS admin basic use of Apple Configurator 2 in less than an hour.

Overall, in Apple Configurator 2, we have a new, powerful iteration in our arsenal that makes up the iOS administration ecosystem. I also hope that no matter what, if you manage iOS devices, that you’ll take a look at it. I expect you’ll find it useful in some part of your management toolkit!

November 13th, 2015

Posted In: Apple Configurator, iPhone, Mass Deployment

Tags: , , , , , , , ,


Apple Configurator has always been able to upgrade devices. But it can also now upgrade apps that are on devices. To run an upgrade, first open Apple Configurator 2.

Screen Shot 2015-11-03 at 8.14.35 AM

Once open, right-click on a device and click on the Update… option.

Screen Shot 2015-11-03 at 8.27.11 AM

You can update all assets on the device concurrently, using the default option. Here, we’re going to select to update only the items we need to in the drop-down menu.

Screen Shot 2015-11-03 at 8.29.52 AM

Select Only Some Apps and then you’ll see a list of each app that needs an upgrade on the device. Check the box for the apps to be updated and then click on the Update button.

Screen Shot 2015-11-03 at 8.29.59 AM

Apps are updated using an iTunes account. Here, you will need to authenticate using an account on the app store that owns these apps.

Screen Shot 2015-11-03 at 8.30.08 AM

Once entered, Apple Configurator will cache the apps and install them on a device or devices. The apps are only downloaded once, and then applied to many devices. These function even if the app store is disabled on devices.


November 12th, 2015

Posted In: Apple Configurator

Tags: , , , , , , ,

Leave a Comment

Blueprints are a new option in Apple Configurator 2. Blueprints allow you setup a template of settings, options, apps, and restore data, and then apply those Blueprints on iOS devices. For example, if you have 1,000 iOS devices, you can create a Blueprint with a restore item, an enrollment profile, a default wallpaper, skip all of the activation steps, install 4 apps, and then enabling encrypted backups. The Blueprint will provide all of these features to any device that the Blueprint is applied to.

But then why not call it a group? Why call it a Blueprint? Because the word template is boring. And you’re not dynamically making changes to devices over the air. Instead you’re making changes to devices when you apply that Blueprint, or template to the device. And you’re building a device out based on the items in the Blueprint, so not entirely a template. But whatever on semantics.

To get started, open Apple Configurator 2.

Screen Shot 2015-11-04 at 1.00.24 PM

Click on the Blueprints button and click on Edit Blueprints.

Screen Shot 2015-11-04 at 1.00.33 PM

Notice that when you’re working on Blueprints, you’ll always have a blue bar towards the bottom of the screen. Blueprints are tiled on the screen, although as you get more and more of them, you can view them in a list.

Screen Shot 2015-11-04 at 1.00.47 PM

Right-click on the Blueprint. Here, you’ll have a number of options. As you can see below, you can then Add Apps. For more on adding Apps, see this page.

Screen Shot 2015-11-04 at 1.00.55 PM

You can also change the name of devices en masse, using variables, which I explore in this article.

Screen Shot 2015-11-04 at 1.01.11 PM

For supervised devices, you can also use your Blueprints to change the wallpaper of devices, which I explore here.

Screen Shot 2015-11-04 at 1.01.21 PM

Blueprints also support using Profiles that you save to your drive and then apply to the Blueprints.

Screen Shot 2015-11-04 at 1.01.29 PM

Blueprints also support restoring saved backups onto devices, as I explore here.

Screen Shot 2015-11-04 at 1.01.39 PM

For kiosk and single purpose systems, you can also enter into Single App Mode programmatically.

Screen Shot 2015-11-04 at 1.02.25 PM


You can also configure automated enrollment, as described here. Overall, Blueprints make a great new option in Apple Configurator 2. These allow you to more easily save a collection of settings that were previously manually configured in Apple Configurator 1. Manually configuring settings left room for error, so Blueprints should keep that from happening.

November 11th, 2015

Posted In: Apple Configurator, Mac OS X, Mass Deployment

Tags: , , , , , , , , , , , , ,


One of the things that Apple Configurator 2, or an MDM solution, can do to make large-scale iOS deployments easier is to disable some of the screens displayed to users during the initial setup of an iOS device. This is critical when trying to get to a zero-touch deployment. On a DEP-based device, most of these steps would be disabled by your MDM solution. However, on a non-DEP-based device, these options would be disabled on the iOS device directly.

To disable the initial configuration screens during activation on an iPhone or iPad and therefore require less steps during the setup of devices, first plug a device into Apple Configurator. Then, right-click on the device and choose the Prepare… option.

Screen Shot 2015-11-03 at 6.32.48 PM

From the prepare wizard, first choose whether the configuration will be automatic or assist during the initial configuration of DEP-based devices. Because there’s no MDM in this scenario, we’ll select Manual.

Screen Shot 2015-11-03 at 6.32.56 PM

As mentioned, there’s no MDM for this deployment, so at the MDM server screen, we’ll elect not to use an MDM and then click on the Next button.

Screen Shot 2015-11-03 at 6.33.00 PM

At the Supervise Device screen, we’ll go ahead and enable supervision, so that we can make use of some other options, such as disabling features in profiles that are only allowed to be disabled using a supervised device. Click Next.

Screen Shot 2015-11-03 at 6.33.03 PM

Finally, we’re at that Apple Configurator 2 screen where we can disable activation screens. Here, choose the following that you’d like to disable:

  • Language: Disables the screen to set the language. The language will default to English, but can be configured after the setup process is complete if English is not the preferred language.
  • Region: Disables the screen to set the region during setup.
  • Location Services: Disables the screen to disable Location Services at setup. Location Services can still be disabled once setup is complete.
  • Set Up: Disables the Set Up screen.
  • Apple ID: Disables the screen to configure an Apple ID during setup. An Apple ID will still be required to install apps manually and can be configured during an app purchase. Apple IDs will not be required for Volume Purchase Program (VPP) purchases using  the device-based deployment options via MDM.
  • Zoom: Disables the screen to enable the zoom options.
  • Siri: Disables the screen to disable Siri, the voice recognition options on the iPhone.
  • Diagnostics: Disables the prompt to send Diagnostic information to Apple.
  • Passcode: Disables the prompt to configure a passcode. Passcodes can still be configured by users once the device has been setup.
  • Touch ID: Disables the prompt to make a fingerprint your passcode. You an still setup Touch ID at a later time. Touch ID will be required in order to use Apple Pay.
  • Apple Pay: Disables the prompt to set up Apple Pay during the activation process. You can still setup Apple Pay manually at a later time.

Screen Shot 2015-11-03 at 10.47.40 PM

Once you click on the Prepare button, you will run the Activation process on the iOS device; albeit without all the extra screens. Note that you can configure this for blueprints and so do this on devices en masse.

November 7th, 2015

Posted In: Apple Configurator, iPhone

Tags: , , ,

One of the things that is awesome and sometimes frustrating about Apple Configurator is that when you do certain tasks, you end up updating the OS on devices. The reason this is awesome is that it allows you to centralize operations. The reason this can be frustrating is that if you’re on a limited bandwidth connection, you may find that you can’t do very basic tasks before downloading a large OS update. And if you’ve got a bunch of Apple Configurator workstations, and you are running a training session, this can get infinitely more annoying.

In these types of lab environments, you’re in luck. If you have an ipsw (the iOS OS update file), you can copy the file from ~/Library/Group\ Containers/ onto another machine. To copy them onto a USB drive called bananarama for example, use the following command:

cp -R ~/Library/Library/Group\ Containers/ /Volumes/bananarama/ipsws/

And once you’ve moved that drive, to then copy them back:

cp -R /Volumes/bananarama/ipsws/ ~/Library/Group\ Containers/

November 6th, 2015

Posted In: Apple Configurator, iPhone

Tags: , , , , , ,

One of the more common requests we get for iOS devices is to restrict what sites on the web that a device can access. This can be done in a number of ways. One is using the content filter option in Apple Configurator 2. The second is using a Global HTTP Proxy. We’ll cover both here, using custom profiles. Both require the device be Supervised.

Use the Content Filter

To enable the Content Filter, open Apple Configurator and click on the New menu. From there, click on Content Filter in the sidebar. You have three ways you can use the Content Filter. These include:

  • Built-in: Limit Adult Content: A basic profile that allows you to specifically whitelist and blacklist sites. This gives you very basic control of sites. Here, use the plus sign to enter a URL, as you can see here.

Screen Shot 2015-10-26 at 3.43.56 PM

  • Built-in: Specific Websites Only: This option only allows certain sites, and creates a badge for each in the bookmarks list of Safari.

Screen Shot 2015-10-26 at 3.52.40 PM

  • Plug-in: Allows you to install third party plug-ins on iOS devices. If using this, you would likely have instructions for building the profile from the vendor.

Screen Shot 2015-10-26 at 3.54.06 PM

The Content Filter is a pretty straight forward profile, except when using the plug-ins. Close the screen to save the profile.

Screen Shot 2015-10-26 at 3.56.37 PM

Once saved, you can use the filter profile in blueprints, via an MDM solution, or install manually through Configurator.

Use the Global HTTP Proxy

In Apple Configurator 2 there’s an option for a Global HTTP Proxy for Supervised devices. This allows you to have a proxy for HTTP traffic that is persistent across apps, and to have that proxy applicable when users go home or if they’re in the office/school. If you have a PAC file, you can deploy the global proxy using that, by selecting Auto as your deployment option.

Screen Shot 2015-10-26 at 4.01.47 PM

If you don’t use a PAC file, you can also manually define settings to access your proxy. Here, we specify the proxy server address and port, as well as an optional username and password. Additionally, new in Apple Configurator 2, we have the option to bypass the proxy for captive portals, which you’ll want to use if you require joining a network via a captive portal.

Screen Shot 2015-10-26 at 3.59.37 PM

Each Wi-Fi network that you push to devices also has the ability to have a proxy associated as well. This is supported by pretty much every MDM solution, with screens similar to the following, which is how you do it in Apple Configurator.

Screen Shot 2015-10-26 at 4.03.59 PM

I am all about layered defense, though. Or if a proxy is not an option then having an alternative is a great call. Another way to disable access to certain sites is to outright disable Safari and use another browser. This can be done with most MDM solutions as well as using a profile. To see what this would look like using Apple Configurator 2, see the below profile.

Screen Shot 2015-10-26 at 4.05.50 PM

Now, once Safari has been disabled, you then need to provide a different browser. There are a number of third party browsers available on the App Store. Some provide enhanced features such as Flash integration while others remove features or restrict site access.

In this example we’re using the K9 Web Protection Browser. This browser is going to just block sites based on what the K9 folks deem appropriate. Other browsers of this type include X3watchMobicip (which can be centrally managed and has a ton of pretty awesome features), bSecure (which ties in with their online offerings for reporting, etc) and others.

While this type of thing isn’t likely to be implemented at a lot of companies, it is common in education environments and even on kiosk types of devices. There are a number of reasons I’m a strong proponent of a layered approach to policy management for iOS. By leveraging proxies, application restrictions, reporting and when possible Mobile Device Management, it becomes very possible to control the user experience to an iOS device in such a way that you can limit access to web sites matching a certain criteria.

November 1st, 2015

Posted In: Apple Configurator, Mass Deployment

Tags: , , , , , , ,

A great new feature of Apple Configurator 2 is the command line interface for Apple Configurator: cfgutil. Go ahead and click on the Apple Configurator 2 menu and select Install Automation Tools from the menu.

Screen Shot 2015-10-01 at 2.55.05 PM

When prompted,

Screen Shot 2015-10-01 at 2.55.09 PM

Once installed, you’ll find cfgutil at /usr/local/bin/cfgutil.

October 27th, 2015

Posted In: Apple Configurator, iPhone

Tags: , , , , ,

One of the things that is awesome and sometimes frustrating about Apple Configurator is that when you do certain tasks, you end up updating the OS on devices. The reason this is awesome is that it allows you to centralize operations. The reason this can be frustrating is that if you’re on a limited bandwidth connection, you may find that you can’t do very basic tasks before downloading a large OS update. And if you’ve got a bunch of Apple Configurator workstations, and you are running a training session, this can get infinitely more annoying.

In these types of lab environments, you’re in luck. If you have an ipsw (the iOS OS update file), you can copy the file from ~/Library/Containers/ onto another machine. To copy them onto a USB drive called bananarama for example, use the following command:

cp -R ~/Library/Containers/ /Volumes/bananarama/ipsws/

And once you’ve moved that drive, to then copy them back:

cp -R /Volumes/bananarama/ipsws/ ~/Library/Containers/

August 22nd, 2015

Posted In: Apple Configurator

Tags: , , , , , , , ,

You can easily create a backup of an iOS device using Apple Configurator. Once you’ve created a backup, it can be restored onto a number of devices. This contains iOS data and data outside of the secure enclave. These backups allow you to restore an iOS device, add apps (not using the backup), set backgrounds, set app locations on the home screen, etc.

To do so, open Apple Configurator and then click on the Prepare icon.

Screen Shot 2015-08-15 at 12.02.27 AM

At the Prepare screen, click into the Restore field and then click on the Create Backup button.

Screen Shot 2015-08-15 at 12.02.31 AM

At the pop-up menu, select the device you’re backing up (usually there’s only one) and then click on the Create Backup button.

Screen Shot 2015-08-15 at 12.02.41 AM

Then choose the location you’d like to place the backup file.

Screen Shot 2015-08-15 at 12.04.14 AM

Click Save and the backup starts.

Screen Shot 2015-08-15 at 12.04.30 AM

Once the backup is complete, you will have an iosdevicebackup file in the location you saved the file to. This is stored on the iOS device and can then be restored to other devices.

August 15th, 2015

Posted In: Apple Configurator, iPhone

Tags: , , , , ,

You may have noticed a few new articles on Apple Configurator 1 recently (which isn’t assuming anyone actually notices what I’m writing about). While preparing for the massive change that is Apple Configurator 2, I’ve taken the liberty to put a page up compiling many of my articles that align into a guide on Apple Configurator 1, to offer up an outline for what I’ll be working on for Apple Configurator 2. This guide is now available at

August 13th, 2015

Posted In: Apple Configurator, iPhone

Tags: , , , , ,

Next Page »