Recently I woke up and my daughter was sitting on me watching something on the iPad. As I woke ever so slightly I realized that she was watching Transformers the movie on Netflix. I’m not typically a helicopter dad, hovering over her every move, but I did realize amidst the explosions that ya’, I might want to take some of the things I learned writing the book on locking these things down and put a few very basic measures in place to keep her from seeing something she shouldn’t. After all, she’s gotten about as good at navigating around the thing as I am (and these days she’s getting pretty acclimated with iOS 7).
So let’s look at some basic precautions that parents can take to keep their kids sandboxed into just the material they feel confident with. For starters, the built-in security precautions. These are basically all in the Security app and each comes with repercussions that I’ll go into with each step, so you can decide for yourself if you actually give a crap about them.
The nuclear option is to enable a passcode so the child can only use the device when supervised. I did not do this myself for the home iPad for a variety of reasons: sometimes she locks the device while I’m driving, sometimes she wants to use the device when she wakes up at 6am after I was up hacking stuff ’till 4am and, well, because I want the device to be as much hers as mine. So I don’t want to enable a passcode that she does not know, but you might.
To set a passcode, open the Settings app from the home screen and tap General in the Settings sidebar (or, if you don’t want a passcode, skip to the next section). Then tap Passcode Lock, which is also where you control locking the screen when the iOS device goes to sleep.
If you’re going to enable a passcode, at the Passcode Lock screen tap Turn Passcode On and provide the passcode when prompted.
Once you’ve enabled a passcode it’s worth noting that if the passcode is entered improperly too many times the device will be wiped. However, it’s now encrypted and meets certain policy restrictions (e.g. if you use it with an Exchange server at work as well).
Restrictions allow you to disable various features of iOS, including Safari, the Camera, FaceTime, iTunes, iBookstore, App Store, App deletion, Siri and even using explicit language with poor Siri. Additionally, you can control what kind of media can be purchased on the iTunes store. To get started, tap on Restrictions in the General app.
Here, you will see that pretty much everything is allowed by default. You have the option to disable very specific items.
When you enable Restrictions you will be prompted for a Passcode, which can be used to override or disable the restrictions at a later date. This, clearly, you wouldn’t want to share with the child.
Tap Enable Restrictions. We’re going to go ahead and enable a few now and postpone a couple of others until the end of the article, because they would keep us from completing steps we want to complete later.
Note: You can also lock the volume level here, although I usually don’t with ours as it just causes problems/arguments and a general desire not to use headphones, which I do generally want used when she watches many of her shows.
Another Note: You can browse content that you’ve blocked but not purchase/download it, so keep that in mind if you’re not going to put a passcode on devices or hide them when children aren’t supposed to use them.
The restrictions many will want to enable (each of which disables the feature named):
- Safari: It’s not that we don’t want the kids using the web, we just want them to use a specific web browser we give them that doesn’t allow them to screw around.
- Explicit Language: The kids shouldn’t be able to tell siri to use bad words, and trust me, they will if you don’t disable this.
- Deleting Apps: This is more for us. Kids figure out how to do the wackiest things by accident, including how to delete their favorite Angry Birds app, and then they cry for you to reinstall it (since later in this article we’re disabling the ability to install apps).
- Music & Podcasts: Move to the Off position to block the device from playing content that is marked as Explicit.
- Movies: I chose to uncheck all but G and PG. You may choose to allow PG-13 or disable PG. These options are different in other countries.
- TV Shows: I chose to allow TV-PG and below. Some of the Saturday morning cartoons have a much higher rating than you might think.
- Books: Move to the Off position to disable the ability for the device to open Explicit Sexual Content.
- Apps: I chose to use 9+ although this is almost a non-issue as we’ll be disabling the App Store later in this article.
- In-App Purchases: I turn this off more so I don’t get random emails from the iTunes Store about buying add-ons for Angry Birds than anything else.
- Require Password: I don’t usually change this option.
- Accounts: I don’t allow changes on my daughter’s iPad.
Once you’ve enabled all the restrictions you’d like, leave the Restrictions portion of the General app and then go back in, just to verify that the passcode you used earlier still works. Also note that the Accessibility options can be great for those with disabilities, but I usually don’t enable any of them otherwise.
Remove Your Stuff
Still in the Settings app, tap on Mail, Contacts, Calendars. Now this is painful as it basically means that no, the iPad isn’t really yours like you thought it was, but remove your mail accounts. Otherwise, the kids will send mail to the entire Mac Enterprise list like mine did a few years ago. Yup, it will happen and thousands of people will laugh at you (or in my case they’ll just laugh at you more than usual). Once removed, the Mail, Contacts, Calendars screen in the Settings app will just show you an option to “Add Account…”.
Also don’t forget that Facebook, Twitter, Instagram and all the other awesome reasons you bought the thing can end up getting photobombed with pictures she took while sitting in the back seat, tinkering around with Photo Booth. I actually don’t mind these with random characters or pictures my daughter posts of her tinkering with the camera app, so I don’t bother removing them, it’s more email specifically and only because you never know who she’s gonna’ hit up there.
Netflix is one of those funny places where children can spend hours, and while enamored with poster frames of interesting shows, kids can see things you might not want them to see. You can install an App and people can log into each profile and see a queue of shows, but also shows that they might be interested in. Profiles are not password protected, so users can select whichever profile they choose. But, it’s a start. I like to associate a different image with each user. To setup profiles, log into Netflix, hover the mouse over your name and then click on Manage Profiles. Here, create each desired profile and for any children who you want to try and limit, click Edit and then check the “This is a profile for kids under 12” checkbox.
Note: Profiles have a side benefit which is that you don’t see My Little Pony on your queue and your child doesn’t see Sacha Baron Cohen movies in their queue.
I also like to assign an image for each (click the red image in the lower right corner of the avatar for each user to select their own image). Make sure the whippersnapper knows which image they’re to use, and it will be a while before they realize they can just switch profiles if something’s blocked and they want to watch it. It will be punishment enough logging into a profile that doesn’t have a bunch of cartoons on it (okay, mine does) so they won’t want to use anyone else’s profile.
Once you’re done you’ll get a cute login prompt on the device, when you log into Netflix.
Anyway, next is the hard part, move all the stuff you want to watch to your profile and leave the kid stuff in their profile (after all, I’m sure that like me they have more crap in their queue than you do!). I did this by having the iPad in my hand and a laptop. I looked at the list on the iPad to see what I wanted to add to my own queue (whoops, they call them lists now) and deleted things from the other profile with the iPad.
Next, we’ll perform one small change in the Settings for the Netflix app. Open the Settings app and scroll down in the sidebar until you see Netflix. Tap it and then turn the Wi-Fi Only option on.
This keeps you from getting an insanely high bill when the kids decide to watch Netflix using your data plan.
Install a Browser
Next, let’s install a browser so they can use the web with a little filter on it. Using a different browser means a slightly different look and feel, but it means we can limit what they’re able to use. To get started, open the App Store on the iOS device. Then, type K9 in the search bar and install.
Once installed, try to browse a site you know to be just wrong for the kiddo from within the browser. Once you see the blocked page, you know you’re good.
K9 is a browser that is provided free of charge (well, there’s an ad bar that you can in app purchase to get rid of for $2.99 but close to free!) from Blue Coat, a company that makes proxy servers that filter and track internet traffic. I’m a big fan of their products and if you happen to do IT in a school district or company it might not be a bad idea to check their stuff out as well!
Now, many kids won’t need a web browser, but since you can’t access YouTube without it, you’ll end up needing one eventually. Once you’ve installed a browser it’s time to disable access to Safari. By disabling Safari you limit web access to the K9 browser. To do so, open the Settings app again and tap on Restrictions.
From the Restrictions option in the Settings app, tap Off for Safari.
Then just close Settings and the Safari icon will disappear from the home screen.
Disable the App Store
Once you’ve purchased the K9 browser and all the fun games and educational whatnot that your children should have, it’s time to disable the App Store so that no further apps can be installed, such as another browser to bypass the K9 browser previously installed. To do so, open the Settings app, tap General and then tap on Restrictions.
From Restrictions simply move the slider for Installing Apps to the Off position.
Close the Settings app and the App Store icon will disappear from the home screen.
Enable Guided Access (aka Kiosk Mode)
Guided Access locks a user inside a single app. Only use this if you want to hand a kid an iPad that’s in an app and not let them close the app. If you use Guided Access you likely don’t need any of the other restrictions we mentioned in this article; however, every time the kid wants to switch apps you’re going to need to provide a pin code, open another app and then enable Guided Access mode again, which could get pretty darn annoying after a while.
Using Guided Access is a two part process. First, enable Guided Access, which does little except set a passcode. It’s never a bad thing to enable Guided Access, although I’ve seen a kid set a passcode accidentally and the device had to get wiped to undo it. Oh, did I mention, you don’t want to forget that passcode? Second, from inside the app we no longer want users to be able to leave, turn Guided Access on. From then on the app is locked open until the passcode is entered.
To enable Guided Access, open the Settings app and tap on General. Scroll down until you see Accessibility.
From the Accessibility screen, tap Guided Access.
From the Guided Access screen, tap ON.
Once enabled, you will invariably want to set a passcode (otherwise, why bother?). To do so, tap Set Passcode.
When prompted, provide a passcode.
For children I usually tap Enable Screen Sleep, which allows the device to go to sleep; however I don’t usually do so when setting these things up to actually be in a kiosk. Once you’re happy with the settings, close the Settings app and Guided Access is working. Next, open an app and then triple-click the home button. A screen will open that allows you to Enable Guided Access; tap that from within the app you’d like to enable Guided Access for and voilà, the app is locked open. Now, you can also disable certain parts of the screen and whether or not the app allows shaking the device, etc. But I find that can be a bit difficult so I don’t typically use that feature.
Once you’re done with the app, to disable Guided Access, simply triple-click on the home button again, provide the passcode and tap Disable for Guided Access to close. Managing Guided Access is difficult and I find it best for toddlers or bigger kids that might be finding themselves not-to-be-trusted for a short period of time. I mentioned this earlier, but don’t forget the passcode you use to enable Guided Access or you might find yourself wiping the device by the time all is said and done.
Use Safe DNS Servers
You can use a service like OpenDNS.com to control what Internet addresses a device can access. To do so, first go to https://store.opendns.com/familyshield and sign up for the free account (unless you want the bells and whistles with their paid accounts).
Open the Settings app and then tap on Wi-Fi in the sidebar. From the Wi-Fi screen, enter 188.8.131.52 and 184.108.40.206 in the DNS field.
Once you enter the DNS servers, close the Settings app. Then close and re-open your browser to delete the cache and open it again to see if the new settings are blocking the naughty sites.
Get a Case
Okay, so none of this is going to matter one little bit the next time the little devil decides to throw a temper tantrum. You know that shirt that says “I’m why mommy and daddy can’t have nice things” is way cheaper than an iPad, but still we let the little tykes play with the things. If we’re gonna’ do that, might as well get a good case for the thing. Otterbox, among others, makes good water-resistant and shock-absorbent cases.
Just so you don’t have to re-download all the movies you’ve bought to keep the little Cheerio-eaters busy, configure these settings again, etc., you should make a backup of the device. I wrote that up a long time ago at http://www.krypted.com/?p=8319 but it’s worth noting that you want to encrypt these backups so everything is captured.
Find My iPad/iPhone
Find My iPhone allows you to track the whereabouts of your iPhone, iPad and iPod Touch. To enable it, first turn on iCloud if you haven’t already. To do so, open the Settings app and tap on iCloud in the sidebar. Enter the Apple ID you use to buy software along with the password and then tap Sign In.
Once added, if you don’t want to sync mail, contacts, calendars, etc then flip their sliders from the ON to the OFF position. Set Find My iPad to On (or Find My iPhone if it’s not an iPad). Close the app and within a few shakes you’ll be able to track the whereabouts of devices.
Once enabled, install the Find My iPhone app and log into your iCloud account, or use your iCloud account to log into the MobileMe site.
When you install Find My iPhone from the App Store, you’ll use an iCloud account to view where the devices are. Mine aren’t really available in the following screen because I suck and wrote this on an airplane. But whatever… Either way, you can now chase down the bully that stole your darling’s iPad and beat them with the folded up stroller, running over them four or five times in your Prius. Or maybe that’s just me. But you can’t do it on an airplane. Sorry.
Get Advanced with Profiles
You can actually lock down a lot of what iOS can do. A lot more than what’s available in the GUI. To do so, you would use something known as a profile. These can control the options we discussed in much of this article. But they can also lock down options that you didn’t even know were available, such as disabling apps not otherwise removable and locking users out of certain features of devices.
Profiles are created manually and installed via USB or email using Apple Configurator (which I co-authored a book on), or they can be deployed via an MDM solution, such as Apple’s Profile Manager or some really enterprise-class ones such as Casper MDM. This is much more advanced than what I intended to write here, but I’ve written a lot about MDM over the years, as have others, so feel free to dive into that if you deem it necessary.
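As an added example (not code from the original post, from Apple or from any of the tools named), here is a Python script that uses plistlib to build a restrictions profile carrying the same settings this article sets by hand in the Restrictions screen, plus an audit function that parses an exported .mobileconfig and reports which of those settings it fails to enforce. The payload keys and rating integers are Apple’s documented com.apple.applicationaccess keys; the profile identifiers and organization name are assumed placeholders, and the two supervised-only keys are flagged in comments.

```python
import plistlib
import uuid

# Restriction keys and rating values are from Apple's com.apple.applicationaccess
# payload type. Apple's integer rating scale (ceiling = highest rating allowed):
#   movies:  100=G 200=PG 300=PG-13 400=R 500=NC-17 1000=all
#   tv:      100=TV-Y 200=TV-Y7 300=TV-G 400=TV-PG 500=TV-14 600=TV-MA 1000=all
#   apps:    100=4+ 200=9+ 300=12+ 600=17+ 1000=all
KID_RESTRICTIONS = {
    "allowSafari": False,              # force the kid onto the filtered browser
    "allowAppInstallation": False,     # no App Store, so no second browser
    "allowAppRemoval": False,          # no accidental deletion of the favorite game
    "allowInAppPurchases": False,
    "allowExplicitContent": False,     # explicit music, podcasts and books
    "allowAccountModification": False, # supervised devices only
    "forceAssistantProfanityFilter": True,  # supervised only: Siri explicit language
    "forceEncryptedBackup": True,
    "ratingRegion": "us",
    "ratingMovies": 200,   # G and PG
    "ratingTVShows": 400,  # TV-PG and below
    "ratingApps": 200,     # 9+
}


def build_restrictions_profile(org="Example Household",
                               identifier="com.example.kid-restrictions",
                               restrictions=None):
    """Return a configuration profile (as a dict) carrying one restrictions payload.

    org and identifier are placeholder values; replace them with your own.
    """
    if restrictions is None:
        restrictions = KID_RESTRICTIONS
    payload = {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier + ".restrictions",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Restrictions",
    }
    payload.update(restrictions)
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Kid iPad restrictions",
        "PayloadOrganization": org,
        # Without this the user can remove the profile in Settings and undo everything.
        "PayloadRemovalDisallowed": True,
        "PayloadContent": [payload],
    }


def serialize_profile(profile):
    """Render the profile as the XML plist that a .mobileconfig file contains."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def audit_profile(mobileconfig_bytes, expected=None):
    """Parse a .mobileconfig and report expected restrictions it does not enforce.

    Returns {key: actual value or None} for each expected key that is missing or
    weaker than expected. Rating keys count as weaker when the profile's ceiling
    is higher than the expected one. A profile the user may remove is flagged too.
    """
    if expected is None:
        expected = KID_RESTRICTIONS
    profile = plistlib.loads(mobileconfig_bytes)
    enforced = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.applicationaccess":
            enforced.update(payload)
    gaps = {}
    for key, want in expected.items():
        have = enforced.get(key)
        if key.startswith("rating") and key != "ratingRegion":
            ok = have is not None and have <= want
        else:
            ok = have == want
        if not ok:
            gaps[key] = have
    if not profile.get("PayloadRemovalDisallowed", False):
        gaps["PayloadRemovalDisallowed"] = profile.get("PayloadRemovalDisallowed")
    return gaps


if __name__ == "__main__":
    data = serialize_profile(build_restrictions_profile())
    with open("kid-restrictions.mobileconfig", "wb") as fh:
        fh.write(data)
    print("gaps:", audit_profile(data))  # an empty dict means nothing is missing
```

The resulting file installs through Apple Configurator, iPhone Configuration Utility or an MDM; running audit_profile over a profile exported from one of those tools shows at a glance which of the article’s settings it leaves out.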
Check On the Device Routinely
No matter what you do, the device can be reset back to factory defaults and set back up. You don’t have to worry about younger kids searching the Internet and finding out how to do it (like here on Apple’s site). But with older kids, check out the device every now and then and just make sure your parental controls are still in place.
This article is really meant to be an à la carte listing of things you can do. If the kid is young enough, they’re not going to try to do anything on purpose, but the older the child the more likely they will try to break out of the sandboxed environment you’ve created, if only because they see it as a challenge or simply because they can (kind of like when my daughter writes on the wall). But that isn’t to say that you shouldn’t try to do something. And what you do should be age appropriate, with an eye on not letting them spend too much of your money on apps or too much of their time on the devices.
Don’t Do Too Much
But don’t do too much. Especially if the kids are older. If you do too much, then the kiddos have a tendency to try and break the sandbox you build. Oddly, the fewer the restrictions, the less they’ll try to break them. This isn’t so much an issue with the really young ones (think kindergarten and below) but as they get older it’s a bit more of a problem.
Also, keep in mind that the devices are meant to allow for a maximum level of creativity. The more you allow to happen on the device, the more creativity you may allow for. Whatever’s appropriate for the age and knowledge level of your little one!
krypted September 3rd, 2013
My traditional interpretation of Apple’s vision on how iOS devices are used is that everyone has an AppleID. That AppleID enables them to access their apps from any iOS device they own or Mac that they own. That AppleID enables them to access mail, contacts, calendars and even files through iCloud. That AppleID also allows users to remotely wipe their device through Find iPhone and track their friends iOS devices (as in social networking via breadcrumb tracking) through Find Friends. All of this “Just Works” in a consumer sense. And it even allows for a little sharing of content across devices you own. However, larger organizations need more. They need centralized management, content distribution and most other things you find that you rely on traditional desktop computers for.
Over the years, Apple has added tools for centralized control of devices. This started with ActiveSync compatibility and early forms of Mobile Device Management and has grown into a pretty robust, albeit disconnected, set of tools. Of these, Apple Configurator is the latest. Apple Configurator was released about a week ago and since, I’ve been trying to figure where it fits into the solutions architecture that surrounds iOS integrations. There are a number of other tools already available that can aid in the deployment and management of iOS devices, and Configurator is a great addition.
To me, there are 3 classes of management tools for iOS. These were roughly broken up into Over the Air (OTA), cradled (USB) and content management. Apple Configurator ends up fitting into all of these scenarios in some way. Let’s start by looking at the traditional uses of these three and then look at how they are impacted by Apple Configurator.
Mobile Device Management
Over the Air tools, such as Profile Manager, allow for Mobile Device Management (MDM) without cradling, or syncing, a device. These tools allow you to configure policies via profiles. There is also a bit of App pushing built into most MDM solutions. Apple’s Profile Manager can push applications written in-house, but no content from the App Store. Third-party solutions, such as JAMF’s Casper Suite, Absolute Manage MDM, AirWatch and about 15 others are able to push apps from the App Store as well, leveraging the Volume Purchasing Program (VPP) to issue apps to devices. However, when an app is pushed through one of these tools, the app becomes associated with the AppleID for the user who owns the device.
Note: While we use the term push, the user has to accept all App installations on the device.
For large environments, MDM is a must as it allows for centralized command and control. Pushing apps is one aspect of such control. Policies enforceable through MDM include disabling cameras, configuring passcode policies on devices (not pushing passcodes), disabling YouTube, silencing Siri, unstreaming photos, disabling iCloud Backup, forcing encrypted backups, disabling location services, controlling certificates, blocking pop-ups, controlling cookies, disabling access to the iTunes and App Stores, and controlling what kind of media can be accessed on devices.
Additionally, MDM can be used to push SSIDs for wireless networks (and their passwords/802.1x configuration information), setup mail, setup Exchange ActiveSync, configure VPN connections, configure access shared calendars (iCal shared files, CalDAV and Exchange), configure access to shared contacts (LDAP, CardDAV, Exchange and Exchange Global Address Lists), deploy Web Clips and manage certificates (either with cert files or via SCEP). In short, whether you’re using the practically free Profile Manager from Apple, Mobile Iron, Casper, AirWatch, FileWave or one of the many other tools, there are a lot of things that MDM can configure on devices.
Reporting can also play a major role in how MDM tools are used. iOS Apps are owned by AppleIDs, not devices. MDM does not manage AppleIDs, but you can trigger fields in MDM databases to report back unauthorized AppleIDs being used. Reporting can also identify when devices join non-approved wireless networks (which cannot be blocked through MDM), identify devices that have been jailbroken (a major security concern for many organizations) and report on device use.
Because devices can fall outside of our control, MDM also plays an important role in being able to wipe and lock devices. While some of these types of features are available via Exchange, not all people use ActiveSync. Users and administrators alike can wipe, lock and de-enroll devices at will, potentially crippling what any device with an Enrollment Profile can do.
There are really 3 kinds of MDM tools: those that can push apps, those that can’t and Apple’s Profile Manager. The reason I put Profile Manager into its own class, is that it can push some kinds of apps, it’s cheap ($49.99 one time as opposed to per device per month or per device per year billing) and it’s great for some things. But Profile Manager should be used in very specific environments unless the price is the only decision making factor behind a tool. In larger environments, choosing a MDM solution is one of the most important aspects of managing mobile devices and the iOS platform is no different in that manner than other mobile platforms.
MDM has some limitations, though. A good MDM solution can manage the infrastructure side of device configuration. However, content requires a completely separate tool. Additionally, MDM is a completely opt-in experience. If a user wants, they can remove their device from the MDM solution at any time. Rather than a limitation, think about the opt-in experience this way: if a user removes themselves from MDM then all content that was given to them via MDM is then taken away, except that which they have moved to the local device. Therefore, if an administrator pushes an Exchange configuration then all content from that Exchange profile is forbidden fruit, removed alongside the de-enrollment.
MDM also works with Lion. Policies, centralized management, etc. can be integrated with Lion. You can’t do app distribution per se, but you can push out a policy to change where the dock is on the screen, add a printer to a Mac and configure a login hook through a Profile Manager-based policy. Many of the MDM providers have begun adding functionality to their tools to allow for Mac management as well as iOS and I would expect that to become the standard in years to come. iOS is a single-user device and OS X is a multi-user device, which complicates that paradigm, but Apple has made it no secret that policy-based management for Mac OS X is moving to the realm of MDM (even if that is enforced through a traditional lens of directory services based policy-based management).
One of the unique aspects of the iOS platform is that it doesn’t have a file system that is exposed to users. There’s no /Volumes, no C: drive and no home folders. The devices don’t log into a server, because there’s no way to interpret a server connection. The file system that is exposed to iOS devices is through the lens of each application. Sandbox is a technology that limits each application’s access in terms of memory, hard drive, etc. Each application can only communicate with resources outside of itself if there is an API to do so, APIs mostly reserved for Apple (e.g. photos, contacts, etc). Therefore, when you discuss content management from the perspective of building a large iOS solution, you’re talking about apps.
The apps used for content management come in a few flavors. There are those that allow you to edit content and then there are those that allow you to read content. One way to look at this is through Safari. Sharepoint, WebDAV and various document management portals allow users to access data through the Safari browser on an iOS device. Safari will let you view various file types. But to edit the data, you would need to send it to an app, or copy it to the clipboard and access it in an app. Pages is an example of an app that can browse a file tree via WebDAV and edit content. However, planning how each type of file is accessed and what type of editing can be done on each file type or what type of resources need to be accessible can be difficult (e.g. there are a number of transitions in Keynote presentations that do not work in iOS).
Then there’s iTunes. iTunes allows you to backup and restore devices, update devices, etc. iTunes allows you to drop content into each application. If you look into the ~/Library/Mobile Documents, you can drop content, edit default documents and other tasks that can be done through a command line, then perform a cradled sync to an app. If networking is built into an app then you don’t have to plug a device into a computer. If an app can leverage iCloud, SMB or AFP then you can access data over the air. If you are trying to replace computers with iOS devices (a la post-PC) then you would need to plan each business task that needs to be performed and make sure not only that there is an app for that (or an app you build for that) but also make sure that you can round trip data from a shared repository and back to the network storage that the data resides on.
You can also access many of the benefits of MDM without having an OTA element. This can be done with iPhone Configuration Utility. iPhone Configuration Utility can configure the same policies available through Profile Manager but relies on either a cradled or email/web server/manual way of getting policies onto devices and updating. MDM automates this, but iPhone Configuration Utility is free and can be used as well. Additionally, profiles can be exported from Profile Manager and installed in the email/web server/manual way that iPhone Configuration Utility profiles are installed.
This is all probably starting to seem terribly complicated. Let’s simplify it:
- OTA policies and custom app deployment: MDM
- OTA content distribution: Apps
- Cradled policies and custom app deployment: iPhone Configuration Utility (free)
- Cradled content and app distribution: iTunes (free)
- OTA App distribution: AppleID/iCloud
- Backup and restore: iCloud or iTunes
Basically, there are a few holes here. First, AppleIDs cannot be centrally managed. Second, you need to use gift cards or the Volume Purchasing Program (VPP) to distribute apps. Third, even when you push an app to an AppleID, the app follows the AppleID to their next organization (which causes many organizations to treat apps like consumables). Fourth, synchronizing content is done primarily through iTunes, which only syncs a device at a time, making preparation of large numbers of systems terribly complicated.
Enter Apple Configurator, a free tool on the Mac App Store. This tool basically fixes all of the problems that we reference, but does so over USB. This means that Apple Configurator is not necessarily a replacement for MDM. In fact, you can deploy Trust and Enrollment profiles for MDM and automate the MDM enrollment for a device through Configurator. Instead, Apple Configurator is a tool that can either Prepare or Supervise an iOS deployment and do so in a manner that is easy enough that you don’t need a firm background in IT to manage devices on a day-to-day basis.
Here is what Apple Configurator can do:
- Update iOS devices to the latest version of iOS.
- Rename devices using a numbered scheme (e.g. iPad 1, iPad 2, etc).
- Erase (wipe) iOS devices.
- Backup and Restore iOS devices.
- Deploy profiles/policies (e.g. no Siri for you, disable cameras, setup wireless, etc) to iOS devices.
- Export profiles.
- Activate devices (after all a restore of a freshly activated device is an activation).
- Push any kind of app to devices.
- Track Volume Purchase Program (VPP) codes used on devices.
- Revoke VPP codes used on “Supervised” devices (more on supervision later).
- Assign users from directory services to devices.
- Load non-DRM’d content to apps on devices.
- Can work with up to 30 devices simultaneously (think big USB hubs or carts on wheels here).
Apple Configurator has some caveats:
- Paid apps need to use VPP codes to DRM apps. These VPP codes are purchased through a centralized program for an entire organization. To enter the VPP, you need to be a business with a DUNS number or an educational institution. You also basically need to be in the United States.
- Free apps can be deployed but the AppleID is in the IPA, meaning that to do an OTA update through App Store requires entering the password for the Apple ID the app was purchased with.
- In order to push apps through Apple Configurator, the system running Configurator needs access to Apple’s servers and Apple Configurator needs an AppleID associated with it that is not the VPP facilitator if you are leveraging any paid apps.
- You can use Apple Configurator “off-line” or without an AppleID to Prepare devices with Profiles, just not to
- If you push Trust and Enrollment profiles to automatically join Profile Manager (or another MDM vendor) the device isn’t associated with a user unless the MDM has been prepped to designate each UDID or Serial Number to a given user.
- Apple Configurator doesn’t work with Video or Music due to different DRM limitations.
- If you accidentally plug your iPhone into a machine you’re using Apple Configurator on and you’ve chosen to Erase in the application, then it will wipe your phone along with the 30 iPads you’re wiping. It’s awesome and scary like that (yes, I’ve accidentally wiped my phone).
I see a number of uses for Apple Configurator. Some of these use cases include:
- Company and education labs: manage devices end-to-end (no MDM, iTunes, iPhone Configuration Utility or other tools needed), managed by the lab manager.
- One-to-One environments (schools): Manage the distribution of infrastructure settings (mail, wireless networks, etc) for devices as well as Trust Profiles to make it faster to enroll in MDM environments and Web Clips to manage the links for enrollment.
- Device distribution: Pre-load applications (that can’t be updated unless they’re cradled again), renaming, profiles, activation, iOS software updates, etc.
- Backup and Restore only stations where you don’t interfere with later iTunes use.
These can enhance practically every environment I’ve worked with. But unless it’s a small environment (e.g. the labs), Apple Configurator isn’t a replacement for the tools already in use in most cases. Instead, it just makes things better. Overall, Apple Configurator is a welcome addition to the bat belt that we all have for iOS management and deployment. Now that we’ve looked at the when/where of using it, let’s look at the how.
There are two ways to use Apple Configurator. The first is to Prepare Devices. You would use this mode when you’re going to perform the initial setup and configuration of devices but the devices won’t be checking back into the computer running Apple Configurator routinely. Preparation settings do not persist. And while applications can be pushed through Preparation, updates for those applications will be tied to the AppleID that purchased the app.
The second is Supervise. Supervising devices is an option when preparing and allows you to have persistent changes to devices, to layer new settings the next time devices are plugged in, to add applications and the most intriguing aspect of iOS management here is reallocating VPP codes to new devices when a user or device is retired. Supervising devices also allows for assigning a given user to a device and thus pushing data into an application.
Setting Up Apple Configurator
Apple Configurator is installed through the Mac App Store. When installed, you are presented with three options. The first (going from left to right) is to Prepare Devices.
Before we get started, we’re going to add our AppleID. The computer running Apple Configurator needs to be able to connect to the App Store and it needs to have an AppleID associated with it if you’re going to use VPP codes. So let’s set that up before moving on. To do so, from Apple Configurator, click on the Apple Configurator menu and click on Preferences… From the Preferences menu, click on Set for the Apple ID and provide an AppleID (not the VPP Program Facilitator).
Configuring AppleIDs with Apple Configurator
Then, when prompted, provide the credentials for your AppleID. If you have any problems with this, try authorizing the computer in iTunes: if you can’t do one it stands to reason you can’t do the other, and it’s either an invalid AppleID or the computer cannot communicate with Apple’s servers (ports, DNS, Internet connectivity, etc. might be the issue).
Configuring AppleIDs with Apple Configurator
Also, let’s configure the Lock Screen settings, which is what’s displayed to users when you’re supervising devices. If you have user pictures in Open Directory, this will show each user’s photo at the lock screen (we will discuss device supervision later).
Using Apple Configurator to Prepare Devices
Configuring Lock Screen Settings In Apple Configurator
In this example, we’re going to prepare some devices for deployment. Before we do anything, we’re going to do a backup of the iOS device to use for testing. To do so, simply click Prepare Devices to bring up the main Apple Configurator screen and then click in the Restore field.
Apple Configurator's Prepare Devices Screen
At the Restore menu, click Back Up…
Then choose the device to backup and click on Create Backup… to bring up the screen to select where to save your backup to (by default it should be your Documents but you can save them anywhere, like /iOSBackups). Click Save to make the first backup.
Saving Backups in Apple Configurator
Notice how fast that went (assuming you didn’t load it up with 10 Gigs of crap)? The reason is that we’re not backing up iOS, just the data. This will become a little more obvious the first time we go to restore a device. In the meantime, if you look at your target directory, you’ll see a file with the name you provided followed by .iosdevicebackup. If you aren’t supervising you would need to delete these from the filesystem to remove them from the menu of available backups. If you are supervising then you’ll have a menu to manage the backups. You can also use the Other option in the selection menu to browse to another location and select another backup (e.g. if you’re pulling them from other machines, etc.).
Now that we have a backup, let’s do some stuff to the device. Let’s join the wireless network, change the wallpaper, create some contacts, make some notes and in general do some of those things that you might do on a base image of a computer, aside from of course configuring local admin (it’s not a multi-user device), installing anti-virus (to date, AV companies for iOS are snake oil salesmen) and other things you might not do. But as with imaging, if you can do something in Profile Manager or Apple Configurator, let’s reserve doing it there. In fact, I would probably try to set everything in Profile Manager or your MDM provider that you can (if you have one) and use Apple Configurator for as little as possible. That goes with imaging as well, do as much in directory services/managed preferences/profiles as you can and keep the image as simple as possible…
Anyway, once you have the device as you want it, make another backup. This is akin to baking an image with DeployStudio or System Image Utility. We can’t asr them out yet, but we’re in a much better place than we were.
Once you have a good backup, let’s leverage Apple Configurator to tell the device to erase, update to the latest version of iOS, restore our image and join the SSID of our enrollment network (let’s consider this similar to a supplicant network in 802.1x). Then, let’s add a profile that will throw a Web Clip to our MDM solution and even add a Trust Profile to cut down on the number of taps to enroll (and the confusion of tap here, tap there, etc). From the Prepare screen in Apple Configurator, click on Settings and type the naming convention for your devices (in this case we’re going to call them krypted 1 and up) in the Name field. Then check the box for Number sequentially starting at 1 so it’s going to name them from 1 to 1,000,000 (which is how many iPads my krypted company is going to end up writing off at the testing rate I’m on now). Leave Supervision set to OFF (we’ll look at that later) and set the iOS field to Latest. Then, check the box for Erase all contents and settings and choose your image from the Restore menu.
Preparing Devices in Apple Configurator
Now for something that users of iPhone Configuration Utility, Profile Manager and Casper MDM will find familiar, click on the plus sign in the Profiles field and select Create New Profile. Here, we see what is the standard policy sheet (apologies to HIG if that’s not what those are officially called but I’ve not been able to find the right term) and give it a name in the Name field. This is how it will appear in the Profiles section of Apple Configurator. Because you can deploy multiple profiles, I’m just going to configure the SSID and Web Clip and call it MDM Enrollment. Optionally, give it some notes, organization name, etc.
Naming Your Profile in Apple Configurator
Click on Wi-Fi and then click on the Configure button. Here, enter the SSID of the deployment network (MDMEnroll in this example). We’ll use the Hidden Network field to indicate the SSID is suppressed and we’ll use the network type of WEP and throw the password into the Password field as well. Now, before we move on, notice that there’s a plus and minus sign in the top right of the screen? You can deploy multiple of each, so if you have 10 wireless networks, 4 Email accounts, 9 VPN connections, 29 SSL Certs etc, you could deploy them all easily with multiple entries of each.
Adding Wireless Networks with Apple Configurator
Scroll down in the sidebar a little and then click on Web Clips. Click on the Configure button. The Label is how the web clip’s name will appear on the device. We’re going to enter Enroll Here. In the URL field, provide the URL for your MDM server (e.g. when using a Profile Manager server called mdm.krypted.com the URL would be https://mdm.krypted.com/MyDevices). Not to get off topic, but did anyone else notice that Profile Manager in 10.7.3 now requires SSL certs? Anyway, you’ll also choose whether the web clip should be Removable (I think it should if it’s to enroll) and optionally choose an Icon. We’ll skip that (if we were using a 3rd party tool, I’d throw their logo in here; otherwise I usually like to use the company logo). I also like enrollment links to be Full Screen.
Go ahead and click Save and you’ll see MDM Enrollment listed in the Settings. If you notice, you can also click on the profile and then click on the export menu to export the profile or under the plus sign (“+”) you can Import Profile…, which is how we’ll bring in our Trust Profile from Profile Manager. From Profile Manager we already downloaded the Trust Profile. Now we’re going to click on Import Profile… and browse to it on the desktop, clicking on Trust profile.mobileconfig (or whatever name yours may have). Click Open.
Importing a Trust Profile Into Apple Configurator
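The profile we just built in the GUI (Wi-Fi plus Web Clip) and the Trust Profile we imported are both just property lists with a PayloadContent array. The following is an added example, not code from the original post or from Apple Configurator, that builds the same MDM Enrollment profile with plistlib using the payload keys from Apple’s Configuration Profile Reference, and then inspects any profile to list its payload types, flag payloads that carry a plaintext password, and print the SHA-256 of any embedded root certificate so you can compare it with your Profile Manager server’s CA before importing a Trust Profile. The SSID, URL, password and certificate bytes are constructed placeholders:

```python
"""Build and inspect Apple configuration profiles (.mobileconfig) with plistlib.

Added example; not code from the original post or from Apple Configurator.
Payload keys follow Apple's Configuration Profile Reference. The SSID, URL,
password and certificate bytes used here are constructed placeholders.
"""
import hashlib
import plistlib
import uuid


def _new_uuid():
    # Apple tools write PayloadUUID in upper case
    return str(uuid.uuid4()).upper()


def wifi_payload(ssid, password, encryption="WEP", hidden=True, org="krypted"):
    """com.apple.wifi.managed payload. EncryptionType may be WEP, WPA, Any or None;
    the default mirrors the post's enrollment network. The password is stored in
    the clear, so an exported profile must be handled like a credential."""
    return {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.{org}.wifi.{ssid}",
        "PayloadUUID": _new_uuid(),
        "PayloadDisplayName": f"Wi-Fi ({ssid})",
        "SSID_STR": ssid,
        "HIDDEN_NETWORK": hidden,
        "AutoJoin": True,
        "EncryptionType": encryption,
        "Password": password,
    }


def webclip_payload(label, url, removable=True, full_screen=True, org="krypted"):
    """com.apple.webClip.managed payload pointing at the MDM enrollment page."""
    return {
        "PayloadType": "com.apple.webClip.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.{org}.webclip.enroll",
        "PayloadUUID": _new_uuid(),
        "PayloadDisplayName": label,
        "Label": label,
        "URL": url,
        "IsRemovable": removable,
        "FullScreen": full_screen,
    }


def build_profile(display_name, payloads, org="krypted"):
    """Wrap payloads in a top-level Configuration profile; returns XML plist bytes."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.{org}.{display_name.lower().replace(' ', '-')}",
        "PayloadUUID": _new_uuid(),
        "PayloadDisplayName": display_name,
        "PayloadOrganization": org,
        "PayloadContent": payloads,
    }
    return plistlib.dumps(profile)


def inspect_profile(data):
    """Summarize an unsigned .mobileconfig: payload types, payloads that embed a
    plaintext password, and SHA-256 fingerprints of any root-certificate payloads."""
    profile = plistlib.loads(data)
    report = {
        "name": profile.get("PayloadDisplayName"),
        "payloads": [],
        "plaintext_secrets": [],
        "cert_sha256": [],
    }
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType")
        report["payloads"].append(ptype)
        if "Password" in payload:
            report["plaintext_secrets"].append(ptype)
        # Trust Profiles carry the CA as raw DER bytes in PayloadContent
        if ptype == "com.apple.security.root":
            report["cert_sha256"].append(hashlib.sha256(payload["PayloadContent"]).hexdigest())
    return report


if __name__ == "__main__":
    enroll = build_profile("MDM Enrollment", [
        wifi_payload("MDMEnroll", "constructed-wep-key"),
        webclip_payload("Enroll Here", "https://mdm.krypted.com/MyDevices"),
    ])
    print(inspect_profile(enroll))
```

Run `inspect_profile` over a Trust Profile downloaded from Profile Manager and check the reported fingerprint against the CA on the server before adding it to every device; a trust payload you didn’t verify is a root of trust you’re pushing fleet-wide. Profiles that Profile Manager signs are CMS blobs rather than bare plists, so decode them first with `security cms -D -i "Trust profile.mobileconfig"` and feed the output to the function.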
We could go a step further and actually enroll the device by exporting the enrollment profile as well, but again, I want each user to provide their username and password so I as an administrator don’t have to go through and attach each device to a user in this scenario. I’ve been looking at importing devices and associating them with users via postgres, but that’s going to be another 3am article, on another night…
Next, check the box for each profile and click on Apps. This is where things start getting kinda’ cool. For this you’re going to need some app ipas. Each app in iTunes is stored as an .ipa file. We’re going to look at two different kinds of apps. The first is a free one and the second is a paid-for app, both of which we’ll pull from iTunes. To do so, open iTunes, click on an app (iBooks in our example) and click on Show in Finder.
Note: Not all app .ipas are called the same thing as the filename. If you Show in Finder from the contextual menu of an app in iTunes it will automatically highlight the correct app in the Finder when it opens a Finder screen.
Show Apps in iTunes
From the Finder you can either copy the app to the machine running Apple Configurator or if you’re using iTunes on that machine, you can go ahead and drag it to the Apple Configurator apps list. We’re also going to add an App that we used a purchase code from the VPP store to buy. You’ll get an error when you drag the paid app in (or browse to it if you so choose) that indicates the app is paid and in order to deploy it you’ll need to use VPP codes. Once added, you’ll notice it has an error indicator and the number 0 beside it.
Install Apps in Apple Configurator
Click on the numerical indicator beside the app name and you’ll be able to import redemption codes. These are emailed to you when you buy apps through the Volume Purchasing Program. BTW, no drag and drop in this screen; use the Import Redemption Codes button to browse to the XLS files.
Adding VPP Codes in Apple Configurator
Once the codes are imported, you’re ready to configure a device.
App Indicator Counts In Apple Configurator
When you import an application, you are creating a file with a GUID in /Users/admin/Library/Application Support/com.apple.configurator/Resources. These files represent applications that have been prepared for distribution. When importing, it will take as long as it takes to copy from the source to that directory. The entry in that directory is roughly the same size as the app. Therefore, you likely don’t want to copy every app you have in there, just the ones you plan to distribute.
Now for the dangerous part. Make sure you don’t have any devices plugged into the computer. I love to start with a device at the activation screen. That thing requires so many taps I jump at any 0 touch deploy type of options I can get my hands on to skip it (not that you’re going to get 0 touch if you have profiles). The reason we want to make sure there aren’t any devices plugged in is that they’ll be wiped if they are… Provided there aren’t any, click on the Prepare button and any devices plugged in will start configuring immediately. The application count will go down for VPP apps as each device is configured. It can do 30 in parallel.
Imaging Devices in Apple Configurator
You’ll see a green checkmark when each device is done. When you’re ready to stop configuring devices, click on Stop. The only other way to do any in parallel is through Xcode Organizer’s restore feature, but that was never very stable for this type of purpose and this is a much more object oriented approach to device imaging. The caveat for these apps is that the password for the AppleID is needed to update them, so this is not a means to deploy paid apps to BYOD or self-managed types of devices (IMHO). Also, the iOS version for devices is downloaded at this point from Apple. If you notice that the first time each type of device is imaged that it takes awhile, this is why. The second time this step is skipped (another reason we need Internet access on our Apple Configurator computer). These are located in /Users/admin/Library/Application Support/com.apple.configurator/IPSWs and if you need to run a beta version of iOS you can do so by dropping their ipsw versions in here manually, but I haven’t gotten device supervision to work when doing so.
Using Apple Configurator to Supervise Devices
Now, supervising devices may seem more complicated, but it isn’t. Back at the Prepare screen, we set Supervision to OFF. Change the iOS field to No Change. Now, let’s turn it ON. When you do so, the iOS field automatically switches to Latest. This means that supervision is going to require updates (which is fine in my book as updates have yet to break a single app for me). Get all the same settings the same as they were previously.
Supervising Devices in Apple Configurator
Once you enable Supervision, click on Prepare in Apple Configurator and connect a device again. The device will then be imaged with the same settings that you gave it before. However, once it’s done, you’ll be able to click on the Supervise tab and see devices (Note: you supervise devices rather than users).
Device Supervision in Apple Configurator
The subsequent Starts and Stops will now allow you to enable and disable profiles and apps on the fly, as well as restore backups, update devices and as you can see in this screen, reclaim those valuable VPP codes!
Do a Get Info on a device and you’ll also see a bevy of information about that device.
Get Info on Devices in Apple Configurator
You can also click on Assign, once you’ve enabled Supervision. Assigning devices requires directory services. When you click on Assign, click on the plus sign (“+”) to add the first user. Type the first few letters of the user’s name and they should appear in the list. Click on them and they’ll be added. You can then use the right panel to assign content to the apps that you assign to that user’s devices.
Pushing Content in Apple Configuration Utility
Once added, the user will by default have no device. To assign a device to a user, use the Check Out box at the bottom of the screen and then match the users with the devices you want them to have.
Checking Devices Out To Users
The final piece of this application is to assign content to users. As I mentioned earlier in this article, the file system of an iOS device is through the lens of the applications that the device has installed. Therefore, we’ll be associating files to applications. DRMd content is not distributed through Apple Configurator. So iBooks, etc, aren’t applicable. The various third party applications can open and therefore host file types that they support, as with iTunes. From the Assign pane of Apple Configurator, click on a user and then click on the plus sign (“+”) to add documents. At the Choose A Target Application screen, choose the application you’ll be loading content into.
Choosing An App For Content
When you click Choose, you’ll then be able to select files to use with that application.
Then just dock the iOS device, sync and voilà, you’ve got content distribution over USB all handled. You can also add groups of devices and groups of users and distribute content to groups of users rather than to one at a time.
Apple Configurator is really a great tool when used in the right scenarios. In learning how it works and interacts I actually learned a lot about both iOS and Mac OS X that I didn’t know before. I hope I did the tool justice with how easy it is to use. This is a fairly long article and it’s probably more complicated than it needs to be in parts, but that’s more my method of trying to figure out what it’s doing than the tool being complicated. It’s not hard to figure out at all. I am sure I could teach any non-technical iOS admin to use it in less than an hour.
My wish list includes logs and OTA. You can’t use iPhone Configuration Utility while you’re using Apple Configurator and therefore, you can’t see up-to-the-second logs about things like key bags to figure out why this isn’t working or that. This makes it kinda’ difficult to figure out why a profile doesn’t get installed with an image if you’re not using an AppleID with the tool, or other weird little things like that. I’d love to see a little more logging. Obviously, if you could run this thing Over the Air then it would be nerd nirvana. I guess OTA isn’t as much a wish list item for this tool as a set of features that could be imported into Profile Manager and other tools.
One of the more important aspects is the impact on AppleID use and app ownership. I started this off by saying “My traditional interpretation of Apple’s vision on how iOS devices are used is that everyone has an AppleID.” Well, when using this tool an AppleID is no longer necessary for app deployment.
Overall, we have a new, powerful tool in our arsenal that makes up the iOS administration ecosystem. I hope that I’ve managed to dispel a few rumors with this article and look at some great uses for where this tool should and should not be used. I also hope that no matter what, if you manage iOS devices, that you’ll take a look at it. I expect you’ll find it useful in some part of your management toolkit!
krypted March 15th, 2012