krypted.com

Tiny Deathstars of Foulness

Blueprints are a new option in Apple Configurator 2. Blueprints allow you to set up a template of settings, options, apps, and restore data, and then apply those Blueprints to iOS devices. For example, if you have 1,000 iOS devices, you can create a Blueprint with a restore item, an enrollment profile, a default wallpaper, skip all of the activation steps, install 4 apps, and then enable encrypted backups. The Blueprint will provide all of these features to any device that the Blueprint is applied to.

But then why not call it a group? Why call it a Blueprint? Because the word template is boring. And you’re not dynamically making changes to devices over the air. Instead you’re making changes to devices when you apply that Blueprint, or template, to the device. And you’re building a device out based on the items in the Blueprint, so not entirely a template. But whatever on semantics.

To get started, open Apple Configurator 2. Click on the Blueprints button and click on Edit Blueprints. Notice that when you’re working on Blueprints, you’ll always have a blue bar towards the bottom of the screen. Blueprints are tiled on the screen, although as you get more and more of them, you can view them in a list.

Right-click on the Blueprint. Here, you’ll have a number of options. From here, you can Add Apps. For more on adding Apps, see this page. You can also change the name of devices en masse, using variables, which I explore in this article. For supervised devices, you can also use your Blueprints to change the wallpaper of devices, which I explore here. Blueprints also support using Profiles that you save to your drive and then apply to the Blueprints. Blueprints also support restoring saved backups onto devices, as I explore here. For kiosk and single purpose systems, you can also enter into Single App Mode programmatically. You can also configure automated enrollment, as described here.

Overall, Blueprints make a great new option in Apple Configurator 2. These allow you to more easily save a collection of settings that were previously manually configured in Apple Configurator 1. Manually configuring settings left room for error, so Blueprints should keep that from happening.

November 11th, 2015

Posted In: Apple Configurator, Mac OS X, Mass Deployment


One of the more common requests we get for iOS devices is to restrict which sites on the web a device can access. This can be done in a number of ways. One is using the content filter option in Apple Configurator 2. The second is using a Global HTTP Proxy. We’ll cover both here, using custom profiles. Both require the device be Supervised.

Use the Content Filter

To enable the Content Filter, open Apple Configurator and click on the New menu. From there, click on Content Filter in the sidebar. You have three ways you can use the Content Filter. These include:
  • Built-in: Limit Adult Content: A basic profile that allows you to specifically whitelist and blacklist sites. This gives you very basic control of sites. Here, use the plus sign to enter a URL, as you can see here.
  • Built-in: Specific Websites Only: This option only allows certain sites, and creates a badge for each in the bookmarks list of Safari.
  • Plug-in: Allows you to install third party plug-ins on iOS devices. If using this, you would likely have instructions for building the profile from the vendor.
The Content Filter is a pretty straightforward profile, except when using the plug-ins. Close the screen to save the profile. Once saved, you can use the filter profile in blueprints, via an MDM solution, or install manually through Configurator.

Use the Global HTTP Proxy

In Apple Configurator 2 there’s an option for a Global HTTP Proxy for Supervised devices. This allows you to have a proxy for HTTP traffic that is persistent across apps, and to have that proxy applicable when users go home or if they’re in the office/school. If you have a PAC file, you can deploy the global proxy using that, by selecting Auto as your deployment option.

If you don’t use a PAC file, you can also manually define settings to access your proxy. Here, we specify the proxy server address and port, as well as an optional username and password. Additionally, new in Apple Configurator 2, we have the option to bypass the proxy for captive portals, which you’ll want to use if you require joining a network via a captive portal.

Each Wi-Fi network that you push to devices can also have a proxy associated with it. This is supported by pretty much every MDM solution, with screens similar to what you see in Apple Configurator.

I am all about layered defense, though. Or if a proxy is not an option then having an alternative is a great call. Another way to disable access to certain sites is to outright disable Safari and use another browser. This can be done with most MDM solutions as well as using a profile, including one built in Apple Configurator 2. Now, once Safari has been disabled, you then need to provide a different browser.

There are a number of third party browsers available on the App Store. Some provide enhanced features such as Flash integration while others remove features or restrict site access. In this example we’re using the K9 Web Protection Browser. This browser is going to just block sites based on what the K9 folks deem appropriate. Other browsers of this type include X3watch, Mobicip (which can be centrally managed and has a ton of pretty awesome features), bSecure (which ties in with their online offerings for reporting, etc) and others. While this type of thing isn’t likely to be implemented at a lot of companies, it is common in education environments and even on kiosk types of devices.

There are a number of reasons I’m a strong proponent of a layered approach to policy management for iOS. By leveraging proxies, application restrictions, reporting and, when possible, Mobile Device Management, it becomes very possible to control the user experience on an iOS device in such a way that you can limit access to web sites matching certain criteria.
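The proxy and content filter settings described above end up as payloads in the saved .mobileconfig file. As an added example (not from the original post), this Python script reads an unsigned profile and flags settings worth reviewing before the profile goes into a Blueprint or an MDM. The payload key names come from Apple's configuration profile reference rather than from this post, and the sample profile, hostnames and credentials are constructed.

```python
import plistlib

# Constructed sample profile for illustration; hostnames and credentials are made up.
SAMPLE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [
        {"PayloadType": "com.apple.proxy.http.global", "ProxyType": "Manual",
         "ProxyServer": "proxy.example.com", "ProxyServerPort": 8080,
         "ProxyUsername": "ipad", "ProxyPassword": "constructed-secret",
         "ProxyCaptiveLoginAllowed": True},
        {"PayloadType": "com.apple.webcontent-filter", "FilterType": "BuiltIn",
         "AutoFilterEnabled": True, "PermittedURLs": ["https://intranet.example.com"],
         "BlacklistedURLs": ["https://intranet.example.com",
                             "https://games.example.net"]},
    ],
})

def audit_proxy(p):
    """Review a Global HTTP Proxy payload (manual or PAC-based)."""
    out = []
    if p.get("ProxyPassword"):
        out.append("proxy: password is stored in the profile in cleartext")
    if p.get("ProxyCaptiveLoginAllowed"):
        out.append("proxy: captive portal logins bypass the proxy")
    if p.get("ProxyType") == "Auto":
        if str(p.get("ProxyPACURL", "")).lower().startswith("http://"):
            out.append("proxy: PAC file is fetched over plain HTTP")
        if p.get("ProxyPACFallbackAllowed"):
            out.append("proxy: direct connections allowed if the PAC is unreachable")
    return out

def audit_filter(p):
    """Review a Content Filter payload; built-in lists are checked for conflicts."""
    if p.get("FilterType") == "Plugin":
        return ["filter: third-party plug-in, review the vendor's settings"]
    both = set(p.get("PermittedURLs", [])) & set(p.get("BlacklistedURLs", []))
    return [f"filter: {url} is both permitted and blacklisted" for url in sorted(both)]

AUDITORS = {"com.apple.proxy.http.global": audit_proxy,
            "com.apple.webcontent-filter": audit_filter}

def audit_profile(data):
    """Return review findings for an unsigned .mobileconfig given as bytes."""
    findings = []
    for payload in plistlib.loads(data).get("PayloadContent", []):
        auditor = AUDITORS.get(payload.get("PayloadType"))
        findings.extend(auditor(payload) if auditor else [])
    return findings

if __name__ == "__main__":
    print("\n".join(audit_profile(SAMPLE)))
```

A profile that Configurator has signed is wrapped in a CMS envelope and has to be unwrapped before `plistlib` can read it.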

November 1st, 2015

Posted In: Apple Configurator, Mass Deployment


You may have noticed a few new articles on Apple Configurator 1 recently (which isn’t assuming anyone actually notices what I’m writing about). While preparing for the massive change that is Apple Configurator 2, I’ve taken the liberty to put a page up compiling many of my articles that align into a guide on Apple Configurator 1, to offer up an outline for what I’ll be working on for Apple Configurator 2. This guide is now available at http://krypted.com/guides/apple-configurator/.

August 13th, 2015

Posted In: Apple Configurator, iPhone


Apple Configurator is a great tool to manage iOS devices. It’s also a pretty decent tool when you need to create profiles for use on Macs. Apple Configurator is easily installed using the Mac App Store. This involves 3 workflows:
  1. Prepare: Set up a device initially.
  2. Supervise: Manage a device using Apple Configurator long-term.
  3. Assign: Manage content on devices using Apple Configurator.
However you plan on using Apple Configurator, the first step to use the product is to download it for free and install it on an OS X computer. To install Apple Configurator, first open the App Store and search for Apple Configurator. When listed, click on Apple Configurator. Then click on Get, then click on Install App. If prompted for your Apple ID, provide it.

This downloads Apple Configurator to the /Applications directory on your computer. Once installed, open Apple Configurator and click on Prepare to get started with the product. I’ve done a series of articles at http://krypted.com/guides/apple-configurator/ to help guide you through the process of getting comfortable with Apple Configurator.

August 12th, 2015

Posted In: Apple Configurator


When Apple showed off the latest and greatest options for managing and tracking iOS devices remotely using iCloud accounts, many an Enterprise and School District said “wait, what?” The reason is that if an iOS device is running Find My iPhone and the device is stolen, the device cannot be activated again without logging into the iCloud account that Find My iPhone was installed with. This could represent an issue if an employee is fired or if students turn in their iPads after a year of running Find My iPad. Imagine asking an employee you just fired or a student you just expelled to enter their iCloud password so you can wipe the device and hand it to the next person waiting for one.

This was a hot topic amongst those with large iOS deployments, and at first I didn’t have much to say about it as I was waiting for all the pieces to fall into place. Then came along the latest MDM patches and Apple Configurator 1.4, along with iOS 7.0.2 (11A501). Now there are some options.

The first option is to run all of your devices in Supervised Mode using a system running Apple Configurator 1.4. This option needs to be done proactively, because once Find My iPhone is enabled, you cannot use a device with Configurator. Supervising a device requires wiping the device, so moving to a supervised model will require some planning. However, if you enable Supervision and then enable Find My iPhone then you can unsupervise a device, which also wipes the device.

Let’s try that now. First, we’ll prepare a very simple supervised environment. Open Apple Configurator, create a backup of an empty device, move the Supervision slider to ON and then click Prepare. Plug in a device that you don’t mind wiping and the device will reformat, restore and be supervised.

Next, let’s look at enabling Find My iPhone/iPad so you can test these things properly. To get started, open the Settings app and tap on Privacy. At the Privacy screen, tap on Find My iPad. At the Find My iPad screen, tap the slider for Find My iPad. If prompted, provide Apple ID information and then tap the OK button to enable Find My iPad. You can also tap on the slider again, even with an Apple ID installed, to disable the feature. When you disable, you’ll get an email indicating that you did so.

For the purposes of this example, let’s leave Find My iPad on and then let’s plug the device back into our Apple Configurator host. Click on the Supervise tab from Apple Configurator and you’ll notice that the device is shown. Right-click on the device and click Unsupervise… When prompted that the device will be wiped, click Unsupervise Device again. The device wipes and then comes back up to a standard activation screen, activating as it should.

To prove that the device can’t be supervised when Find My iPad is enabled, enable Find My iPad and then plug it into your Apple Configurator host. When you click Prepare, the device won’t register within the application.

Next, still with Find My iPad enabled, log into your iCloud account, click Find My iPhone, click on your device and then click on Erase iPad. You’ll be prompted to Erase. The iPad then erases. This is how Find My iPad works.

Enable Location Services again. Then turn off the iPad. While powered off, press and hold the Home button. Then connect the USB cable from a computer running iTunes to the iPad. Hold the Home button while booting up until the Connect to iTunes screen appears. Open iTunes to see the iPad in recovery mode. iTunes then prompts and restores the iPad. Once restored, you will be prompted that the iPad will restart. During the setup process, the device then prompts for activation. You cannot activate the device without providing a username and password.


We wiped with iTunes, but no matter how you wipe, the outcome is consistent. But if you put a device into “Lost Mode” while Supervised and then unsupervise, the device is wiped and will set up as normal, exiting Lost Mode. If you remotely wipe a device while Supervised, the device starts normally and can be supervised again or set up again from scratch. This seems to mean that when a device is being Supervised, while Find My iPad can wipe or lock the device, it’s simple to bypass, whether or not the device will be Supervised again. That’s a very smart way to build that type of interaction on Apple’s part. We’ve looked at enabling, what Configurator does when enabling, how you can bypass using Configurator, etc. A few key points that might not be clear:
  • Provided you have proof of purchase (e.g. a receipt) then you can always unlock an iOS device with Apple. For the foreseeable future it might take a while but I’d anticipate that eventually someone at the Genius Bar of an Apple retail store would be able to fix this situation.
  • In order to use Supervise mode, you must first disable Find My iPhone, meaning if you’re architecting a solution and you have existing data on devices, you must accommodate for backing up and restoring the data on those devices before moving into this type of scenario.
  • Even if you’re using Supervise mode, if you wipe a device from Find My iPad the device will require the iCloud password to unlock it. This means you’d likely want to unsupervise a device rather quickly.
  • I used to shy away from Supervised mode because it was pretty cumbersome. iTunes and iPhoto now work with supervision and if restoring and enrolling into an MDM provider you can really streamline the setup process using supervision as you don’t have to incessantly tap Accept.
  • Location Services is a feature that has been query-able via the MDM API for some time. There are options for Location Services in most MDM providers. We could trigger emails based on the status of this field using standard MDM solutions, such as Casper MDM, FileWave, etc (FYI this link might not be up for another day, just future proofing it).
  • Seems as though all of this can change in a point release, so YMMV.
Overall, I think that the Find My iPad stuff is great. It seems to me as though using Supervised mode in conjunction with Find My iPhone is a way to keep the data at rest on a device safe provided you don’t really care about getting a device back. While no one likes losing a device and having to purchase a new one, it could be worse. So now there’s an option, use Supervised Mode and basically undo everything Apple did when they built this new model or don’t and allow an employee to basically trash a device until you can get written info to Apple that you own the device. It’s great and innovative and we have a few ways to work around it if we need to. In a BYOD scenario it’s a non-issue. In a corporate or institution owned scenario it’s manageable according to which model works best for your sensibilities.

September 30th, 2013

Posted In: iPhone, Mac OS X, Mass Deployment
