iOS Deployment Reference
© 2015 Apple Inc. All rights reserved. Apple, the Apple logo, AirDrop, AirPlay, Apple TV, Bonjour, FaceTime, FileVault, iBooks, iLife, iMessage, iPad, iPad Air, iPhone, iPod, iPod touch, iTunes, iWork, Keychain, Keynote, Mac, MacBook Air, MacBook Pro, Numbers, OS X, Pages, Passbook, Safari, Siri, Spotlight, and Xcode are trademarks of Apple Inc., registered in the U.S. and other countries. AirPrint, Apple Pay, Apple Watch, Handoff, iPad mini, iTunes U, and Touch ID are trademarks of Apple Inc.
Contents

Chapter 1: iOS Deployment Reference
• Introduction
• Overview

Chapter 2: Deployment models
• Overview
• Education deployment models: Overview; Institution-owned one-to-one; Student-owned; Shared use
• Enterprise deployment models: Overview; Personalized device (BYOD); Personalized device (corporate-owned); Non-personalized device (shared)

Chapter 3: Wi-Fi
• Overview …

Chapter 4: Infrastructure and integration
• … Rules and actions; Backward compatibility
• Always-on VPN: Overview; Deployment scenarios; Always-on VPN configuration profile; Always-on VPN payload

Chapter 5: Internet services
• Overview; Apple ID; Find My iPhone and Activation Lock; Continuity; iCloud; iCloud Drive; iCloud Keychain; iMessage; FaceTime; Siri; Ap…

Chapter 6: Security

Chapter 7: Configuration and management
• … Managed books; Managed domains; Profile Manager; Supervise devices; Device Enrollment Program; Apple Configurator

Chapter 8: App and book distribution
• Overview; Volume Purchase Program (VPP): Overview; Enroll in the Volume Purchase Program; Purchase apps and books in volume; Managed distribution; Custom B2B apps; In-house apps; In-house …

Chapter 9: Planning for support

Chapter 10: Appendices
Chapter 1: iOS Deployment Reference

Introduction

This reference guide is for IT administrators who want to support iOS devices on their networks. It provides information about deploying and supporting iPad, iPhone, and iPod touch in a large-scale enterprise or educational organization.
Security considerations

iOS is designed to securely access corporate services and protect important data. iOS provides strong encryption for data in transmission, proven authentication methods for access to corporate services, and hardware encryption for all data stored on iOS devices. Read this section for an overview of the security-related features of iOS.
Chapter 2: Deployment models

Overview

There are several ways to distribute and set up iOS devices, from pre-configuration to employee or student self-service setup. Explore the possibilities before you get started. The tools and process you use to deploy will also be determined by your particular deployment model.

• In education, there are typically three deployment models for iOS devices: Institution-owned one-to-one, Student-owned, and Shared use.
• A K-8 school may deploy both an institution-owned one-to-one model for fifth through eighth grades, and a shared use model for kindergarten through fourth grades.
• In higher education it is common to see the student-owned model at the campus or multi-campus levels.

Exploring these models in more detail will help you identify the best deployment model for your unique environment.
The following table illustrates the responsibilities of both the administrator and the user for an institution-owned one-to-one deployment:

Prepare
Administrator:
• Investigate, procure, and deploy an MDM solution.
• Enroll in DEP, VPP, and the Apple ID for Students program.
• Unbox and (optionally) asset tag the iOS device.
• Initiate creation of Apple IDs for students under 13 (if applicable).
Users:
• Create Apple IDs, iTunes Store, and iCloud accounts.
Student-owned

In higher education, students typically arrive on campus with their own iOS device. And while not as prevalent, in some K-12 institutions, students bring their own iOS devices to school. In this model, iOS devices are set up and configured by the student or a parent.
The following table illustrates the responsibilities of both the administrator and the user for a student-owned deployment:

Prepare
Administrator:
• Investigate, procure, and deploy an MDM solution.
• Enroll in VPP.
Users:
• Unbox and activate the iOS device.
• Create Apple ID, iTunes Store, and iCloud accounts, if applicable.

Set up and configure
Administrator:
• No action necessary at this stage.
Shared use

In a shared use model, iOS devices are purchased for use in a classroom or lab, and may be shared among students throughout the day. These devices have limited personalization, and therefore can’t take full advantage of a personalized learning environment for each student. In addition to rotating devices with a shared use model, this approach could be used for a one-to-one deployment in a highly controlled context, such as a lower grade level deployment.
The following table illustrates the responsibilities of both the administrator and the user for a shared use deployment:

Prepare
Administrator:
• Investigate, procure, and deploy an MDM solution.
• Enroll in VPP.
• Unbox and (optionally) asset tag the iOS device.
• Create institutional Apple ID(s) for each instance of Apple Configurator.
Users:
• No action necessary at this stage.

Set up and configure
Administrator:
• Use Apple Configurator to configure and supervise devices.
Enterprise deployment models

Overview

iOS devices can transform your business. They can significantly boost productivity and give your employees the freedom and flexibility to work in new ways, whether in the office or on the go. Embracing this new way of working leads to benefits across the entire organization. Users have better access to information, so they feel empowered and are able to creatively solve problems.
An advantage of using MDM to enroll personal iOS devices is that it keeps corporate resources separate from the user’s personal data and apps. You can enforce settings, monitor corporate compliance, and remove corporate data and apps, while leaving personal data and apps on each user’s iOS device.
Additional Resources
• VPP Overview
• MDM Overview
• Apple ID
• Caching Server

Personalized device (corporate-owned)

You can use the personalized device model to deploy iOS devices owned by your organization. You can configure the iOS devices with basic settings before giving them to the user, or (as with BYOD) provide instructions or configuration profiles for users to apply themselves.
The following table illustrates the responsibilities of both the administrator and the user for a personalized device (corporate-owned) deployment:

Prepare
Administrator:
• Evaluate your existing infrastructure including Wi-Fi, VPN, and mail and calendar servers.
• Investigate, procure, and deploy an MDM solution.
• Enroll in the Device Enrollment Program (DEP) and the Volume Purchase Program (VPP).
Users:
• Create Apple ID, iTunes Store, and iCloud accounts, if applicable.
Additional Resources
• VPP Overview
• MDM Overview
• Device Enrollment Program
• Apple ID
• Caching Server
• Apple Configurator

Non-personalized device (shared)

If iOS devices are shared by several people or used for a single purpose (such as in a restaurant or hotel), they’re typically configured and managed by you rather than by an individual user. With a non-personalized device deployment, users generally don’t store personal data or have the ability to install apps.
The following table illustrates the responsibilities of both the administrator and the user for a non-personalized device (shared) deployment:

Prepare
Administrator:
• Evaluate your existing infrastructure including Wi-Fi, VPN, and mail and calendar servers.
• Investigate, procure, and deploy an MDM solution.
• Enroll in the Volume Purchase Program (VPP).
Users:
• No action necessary at this stage.

Set up and configure
Administrator:
• Unbox and (optionally) asset tag the iOS device.
Chapter 3: Wi-Fi

Overview

When preparing the Wi-Fi infrastructure for an Apple device deployment, there are several factors to consider:
• Wi-Fi throughput
• Wi-Fi trigger threshold
• Required coverage area
• Number and density of devices using the Wi-Fi network
• Types of Apple devices and their Wi-Fi capabilities
• Types and amount of data being transferred
• Security requirements for accessing the wireless network
• Encryption requirements

Although this list isn’t exhaustive, it represe
Join Wi-Fi Users can set Apple devices to join available Wi-Fi networks automatically. Wi-Fi networks that require login credentials or other information can be quickly accessed without opening a separate browser session, from Wi-Fi settings, or within apps such as Mail. And low-power, persistent Wi-Fi connectivity lets apps use Wi-Fi networks to deliver push notifications.
The table below shows which iOS devices can support 802.11k and 802.11r with iOS. Even if an iOS device doesn’t support 802.11r, iOS 5.1 added support for “pairwise master key identifier caching” (PMKID caching), which can be used with some Cisco equipment to improve roaming between APs. Additional SSIDs might be necessary to support both FT-capable iOS devices and PMKID-caching iOS devices.

[Table: 802.11k and 802.11r support by iOS device]
Important: Avoid using hidden Service Set Identifiers (SSIDs), because Wi-Fi devices must actively seek out hidden SSIDs. This leads to delays when rejoining the SSID, potentially impacting data flow and communications. There’s also no security benefit in hiding the SSID. Users tend to change location frequently along with their Apple devices, so hidden SSIDs often delay network association time and hinder roaming performance.
The Wi-Fi network design for high density is more complex, due to the higher density of mobile devices. Because of the large number of devices in each classroom, one access point per classroom might be required. Multiple access points should be considered for the common areas, to provide adequate coverage and capacity. The number of access points for the common areas may vary, depending on the density of Wi-Fi devices in those spaces.
• Channel width: The maximum channel width. Beginning with 802.11n, channels can be combined to create a wider channel that allows for more data to be transmitted during a single transmission. With 802.11n, two 20 MHz channels can be combined to create a 40 MHz channel. With 802.11ac, four 20 MHz channels can be combined to create an 80 MHz channel.
• Guard interval (GI): The guard interval is the space (time) between symbols transmitted from one device to another. The 802.
Chapter 4: Infrastructure and integration

Overview

iOS supports a wide range of network infrastructures, including the following:
• Local networking using Bonjour
• Cable-free connections to Apple TV using AirPlay
• Digital certificates to authenticate users and secure communications
• Single Sign-On to streamline authentication to networked apps and services
• Standards-based mail, directory, calendar, and other systems
• Popular third-party systems like Microsoft Exchange
• Virtual private n
Microsoft Exchange

Autodiscovery

iOS and OS X support the Autodiscover service of Microsoft Exchange Server 2007 or later. When you manually configure an Apple device, Autodiscover uses your email address and password to determine the correct Exchange Server information. For more information, see Autodiscover Service at the Microsoft website.
When the build number is sent to the Exchange Server, it’s converted from the format NANNNA (where N is numeric and A is an alphabetic character) to the Exchange format NNN.NNN. Numeric values are kept, but letters are converted to their position value in the alphabet. For example, “F” is converted to “06” because it’s the sixth letter in the alphabet. Numbers are padded with zeros if necessary, to fit the Exchange format. In this example, the build number 7E18 is converted to “705.018.”
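As an added illustration of the conversion just described (this is example code written for this page, not code from Apple's guide), the following Python function applies the stated rule to a build string: each letter becomes its two-digit position in the alphabet, and each side of the Exchange-format version is zero-padded on the left to three digits. The guide gives only the 7E18 case; how a trailing letter (the final A of NANNNA) and builds whose digit count exceeds NNN.NNN are handled is an assumption made here, and the second sample build is constructed input.

```python
import re

# Shape described in the guide: N A NNN A (digits, letter, digits, optional trailing letter).
_BUILD_RE = re.compile(r"^(\d+)([A-Za-z])(\d+)([A-Za-z]?)$")


def letter_position(ch: str) -> str:
    """Return a letter's position in the alphabet as two digits ('F' -> '06')."""
    return f"{ord(ch.upper()) - ord('A') + 1:02d}"


def build_to_exchange(build: str) -> str:
    """Convert an iOS build number such as '7E18' to the Exchange NNN.NNN form.

    Numeric runs are kept, letters are replaced by their alphabet position,
    and each half is zero-padded on the left to three digits, so '7E18'
    becomes '705.018'.  Assumption (not stated in the guide): a trailing
    letter is appended to the second half using the same letter rule.
    """
    m = _BUILD_RE.match(build.strip())
    if not m:
        raise ValueError(f"build number {build!r} does not match the NANNNA shape")
    major, letter, minor, suffix = m.groups()
    first = major + letter_position(letter)
    second = minor + (letter_position(suffix) if suffix else "")
    return f"{first.zfill(3)}.{second.zfill(3)}"


if __name__ == "__main__":
    for b in ("7E18", "8A293"):  # 7E18 is the guide's example; 8A293 is a constructed sample
        print(b, "->", build_to_exchange(b))
```

Running the block prints `7E18 -> 705.018`, the value the guide gives; a build that does not fit the documented shape raises `ValueError` rather than silently producing a version string Exchange might misinterpret.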
AirPlay

iOS 8 and OS X Yosemite support the ability to stream content from an Apple device to Apple TV even if the devices are on different networks or there’s no network available. The Apple device uses Bluetooth® Low Energy (BTLE) to begin the discovery process of available Apple TV devices and then establishes a connection directly to Apple TV using Wi-Fi. Bluetooth Low Energy discovery is a distinct subset of peer-to-peer AirPlay.
• iPad 3rd generation or later
• iPad mini 1st generation or later
• iPod touch 5th generation or later

Discovered AirPlay receivers appear in the AirPlay menu. Bonjour services _airplay._tcp and _raop._tcp need to be advertised on Bonjour gateway products. Contact your gateway vendor to make sure these services are advertised.

Connectivity

Infrastructure and peer-to-peer are the two supported modes of AirPlay connectivity.
In a typical deployment, Apple devices establish direct access to IMAP and SMTP mail servers to send and receive mail over the air (or in the case of a Mac, over the air or Ethernet), set VIP status in their message threads, and can also wirelessly sync notes with IMAP-based servers. Apple devices can connect to your organization’s LDAPv3 corporate directories, giving users access to corporate contacts in the Mail, Contacts, and Messages apps.
The list of supported certificate and identity formats on Apple devices is:
• X.509 certificates with RSA keys
• Certificate: .cer, .crt, .der
• Identity: .pfx, .p12

Deploy certificates to establish trust with Certification Authorities (CAs) that are not trusted by default (such as an organizational issuing certification authority).

Distribute and install certificates

Manually distributing certificates to iOS devices is simple.
With iOS 7 or later, apps can take advantage of your existing in-house Single Sign-On infrastructure via Kerberos. The Kerberos authentication system used by iOS 7 or later is the most commonly deployed Single Sign-On technology in the world. If you have Active Directory, eDirectory, or Open Directory, it’s likely to already have a Kerberos system in place that iOS 7 or later can use. iOS devices need to be able to contact the Kerberos service over a network connection to authenticate users.
iOS and OS X also support industry-standard technologies such as IPv6, proxy servers, and split-tunneling, providing a rich VPN experience when connecting to corporate networks. And iOS and OS X work with a variety of authentication methods including password, two-factor token, digital certificates, and for OS X, Kerberos.
For more information, see the F5 technical brief Secure iPhone Access to Corporate Web Applications.
• Juniper Junos Pulse SSL VPN: iOS supports Juniper Networks SA Series SSL VPN Gateway running version 6.4 or later with Juniper Networks IVE package 7.0 or later. Install the Junos Pulse app, available on the App Store. For more information, see Junos Pulse on the Juniper Networks website.
• Mobile Iron SSL VPN: For information, see the Mobile Iron website.
• Username with password
• RSA SecurID
• CRYPTOCard

Authentication groups

The Cisco Unity protocol uses authentication groups to group users based on a common set of parameters. You should create an authentication group for iOS users. For pre-shared key and hybrid authentication, the group name must be configured on the device with the group’s shared secret (pre-shared key) as the group password. When using certificate authentication, there’s no shared secret.
• ASA Address Mask: Make sure all device address pool masks are either not set, or set to 255.255.255.255. For example:
asa(config-webvpn)# ip local pool vpn_users 10.0.0.1-10.0.0.254 mask 255.255.255.255
If you use the recommended address mask, some routes assumed by the VPN configuration might be ignored. To avoid this, make sure your routing table contains all necessary routes and make sure the subnet addresses are accessible before deployment.
VPN On Demand is configured using the OnDemandRules key in a VPN payload of a configuration profile. Rules are applied in two stages:
• Network Detection Stage: Defines VPN requirements that are applied when the device’s primary network connection changes.
• Connection Evaluation Stage: Defines VPN requirements for connection requests to domain names on an as-needed basis.
• URLStringProbe: Optional. A server to probe for reachability. Redirection isn’t supported. The URL should be to a trusted HTTPS server. The device sends a GET request to verify that the server is reachable.

Action

This required key defines VPN behavior for when all of the specified matching rules evaluate as true. Values for the Action key are:
• Connect: Unconditionally initiate the VPN connection on the next network connection attempt.
To create a profile that works on both iOS 7 and earlier releases, use the new EvaluateConnection keys in addition to the OnDemandMatchDomain arrays. Earlier versions of iOS that don’t recognize EvaluateConnection use the old arrays; iOS 7 or later uses EvaluateConnection. Old configuration profiles that specify the Allow action should work on iOS 7 or later, with the exception of OnDemandMatchDomainsAlways domains.
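To make the two stages concrete, here is an added Python model of how a rule set like the one described above is evaluated, together with a generator for the VPN payload that carries it. It is an illustration written for this page, not Apple's implementation and not code from the guide. The key names (OnDemandRules, Action, InterfaceTypeMatch, SSIDMatch, DNSDomainMatch, ActionParameters, Domains, DomainAction, RequiredURLStringProbe) are from Apple's Configuration Profile Reference; the SSID, domain names, probe URL and payload identifiers are constructed placeholders, and the domain matching is a simplified suffix match.

```python
import plistlib
from typing import Optional

# Constructed VPN payload for illustration (not from Apple's guide). Key names
# follow Apple's Configuration Profile Reference; SSID, domains, probe URL and
# payload identifiers are placeholders.
VPN_PAYLOAD = {
    "PayloadType": "com.apple.vpn.managed",
    "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.vpn.ondemand",          # placeholder
    "PayloadUUID": "00000000-0000-4000-8000-000000000001",    # placeholder
    "PayloadDisplayName": "Example VPN On Demand",
    "UserDefinedName": "Example VPN",
    "VPNType": "IKEv2",
    "OnDemandEnabled": 1,
    "OnDemandRules": [
        # Network Detection stage: on the corporate SSID the tunnel is not needed.
        {"Action": "Disconnect", "InterfaceTypeMatch": "WiFi", "SSIDMatch": ["CorpWiFi"]},
        # Any other Wi-Fi: decide per connection request (Connection Evaluation stage).
        {
            "Action": "EvaluateConnection",
            "InterfaceTypeMatch": "WiFi",
            "ActionParameters": [
                {
                    "Domains": ["internal.example.com"],
                    "DomainAction": "ConnectIfNeeded",
                    # Trusted HTTPS server the device probes with a GET request.
                    "RequiredURLStringProbe": "https://probe.internal.example.com/ok",
                }
            ],
        },
        # Cellular: unconditionally bring the tunnel up on the next connection attempt.
        {"Action": "Connect", "InterfaceTypeMatch": "Cellular"},
        # Catch-all: a rule with no match keys matches every network.
        {"Action": "Disconnect"},
    ],
}


def _domain_matches(pattern: str, host: str) -> bool:
    """Simplified suffix match: 'a.b' and '*.a.b' both match 'a.b' and 'x.a.b'."""
    pattern = pattern.lower().lstrip("*.")
    host = host.lower()
    return host == pattern or host.endswith("." + pattern)


def network_detection(rules: list, state: dict) -> Optional[dict]:
    """Stage 1: the first rule whose match keys all agree with the current network.

    `state` is a constructed description: {'interface': 'WiFi'|'Cellular',
    'ssid': ..., 'search_domain': ...}.
    """
    for rule in rules:
        if "InterfaceTypeMatch" in rule and rule["InterfaceTypeMatch"] != state.get("interface"):
            continue
        if "SSIDMatch" in rule and state.get("ssid") not in rule["SSIDMatch"]:
            continue
        if "DNSDomainMatch" in rule and not any(
            _domain_matches(p, state.get("search_domain", "")) for p in rule["DNSDomainMatch"]
        ):
            continue
        return rule
    return None


def connection_evaluation(rules: list, state: dict, host: str) -> Optional[str]:
    """Stage 2: the action that applies to a connection request for `host`.

    Connect/Disconnect/Allow/Ignore rules apply as-is. For EvaluateConnection
    the DomainAction of the first ActionParameters entry covering the host is
    returned; None means no domain entry applies and the request proceeds
    without the tunnel.
    """
    rule = network_detection(rules, state)
    if rule is None:
        return None
    if rule["Action"] != "EvaluateConnection":
        return rule["Action"]
    for params in rule.get("ActionParameters", []):
        if any(_domain_matches(p, host) for p in params.get("Domains", [])):
            return params["DomainAction"]
    return None


def profile_plist_bytes() -> bytes:
    """Wrap the VPN payload in a configuration profile and serialize it as an XML plist."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile.vpn",         # placeholder
        "PayloadUUID": "00000000-0000-4000-8000-000000000002",  # placeholder
        "PayloadDisplayName": "Example VPN profile",
        "PayloadContent": [VPN_PAYLOAD],
    }
    return plistlib.dumps(profile)


if __name__ == "__main__":
    rules = VPN_PAYLOAD["OnDemandRules"]
    for state, host in [({"interface": "WiFi", "ssid": "CorpWiFi"}, "wiki.internal.example.com"),
                        ({"interface": "WiFi", "ssid": "HomeWiFi"}, "wiki.internal.example.com"),
                        ({"interface": "WiFi", "ssid": "HomeWiFi"}, "www.apple.com"),
                        ({"interface": "Cellular"}, "www.apple.com")]:
        print(state, host, "->", connection_evaluation(rules, state, host))
    print(profile_plist_bytes().decode()[:300])
```

The rule order matters: the first rule whose match keys all hold wins, so a catch-all rule without match keys belongs last. The model makes the EvaluateConnection behaviour visible: on an unknown Wi-Fi network a request for an internal name yields ConnectIfNeeded while a public name yields no action at all, which is the split the profile's ActionParameters encode.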
Cellular and Wi-Fi devices

If your organization chooses to deploy Always-on VPN for iOS devices with both cellular and Wi-Fi interfaces, two simultaneous IKEv2 tunnels will be established from the device.
Certificate payloads
• Server CA Certificate: If the IKEv2 tunnel authentication method is to use certificates, the IKEv2 server sends its server certificate to the iOS device, which validates server identity. In order for the iOS device to validate the server certificate, it needs the server’s Certificate Authority (the issuer of the server certificate) certificate. The server CA certificate may have already been installed onto the device previously.
• AllowAllCaptiveNetworkPlugins: A key to allow traffic from all entitled third-party Captive Apps outside the tunnel. This key takes precedence over the AllowedCaptiveNetworkPlugins dictionary.
• AllowedCaptiveNetworkPlugins: A list of bundle IDs of entitled third-party Captive Apps. Traffic from this list of third-party Captive Apps is allowed outside the tunnel. If the AllowAllCaptiveNetworkPlugins key is also configured, this list won’t take effect.
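The precedence between these two keys is easy to get wrong when reviewing a profile, so here is an added Python check that encodes it (example code written for this page, not from Apple's guide). The two captive-network keys are the ones the guide names; the surrounding dictionary layout, the AllowCaptiveWebSheet key and the bundle ID are assumptions and placeholders.

```python
import plistlib

# Constructed Always-on VPN fragment for illustration (not from Apple's guide).
# AllowAllCaptiveNetworkPlugins and AllowedCaptiveNetworkPlugins are the keys the
# guide describes; the rest of the layout and the bundle ID are assumptions.
ALWAYS_ON = {
    "AllowCaptiveWebSheet": True,
    "AllowAllCaptiveNetworkPlugins": False,
    "AllowedCaptiveNetworkPlugins": ["com.example.captivehelper"],  # placeholder bundle ID
}


def captive_app_bypasses_tunnel(always_on: dict, bundle_id: str) -> bool:
    """Precedence as documented: when AllowAllCaptiveNetworkPlugins is true every
    entitled Captive App may send traffic outside the tunnel and the list is
    ignored; otherwise only bundle IDs in AllowedCaptiveNetworkPlugins may."""
    if always_on.get("AllowAllCaptiveNetworkPlugins", False):
        return True
    return bundle_id in always_on.get("AllowedCaptiveNetworkPlugins", [])


def review_captive_exceptions(always_on: dict) -> list:
    """Findings an administrator wants before shipping the profile: traffic that
    is allowed outside the tunnel is traffic the always-on VPN does not protect."""
    findings = []
    allow_all = always_on.get("AllowAllCaptiveNetworkPlugins", False)
    listed = always_on.get("AllowedCaptiveNetworkPlugins", [])
    if allow_all:
        findings.append("AllowAllCaptiveNetworkPlugins is true: every entitled Captive App bypasses the tunnel")
        if listed:
            findings.append("AllowedCaptiveNetworkPlugins has no effect while AllowAllCaptiveNetworkPlugins is true")
    return findings


def to_plist(always_on: dict) -> bytes:
    """Serialize the fragment as an XML plist for inspection."""
    return plistlib.dumps(always_on)


if __name__ == "__main__":
    for bid in ("com.example.captivehelper", "com.example.other"):
        print(bid, "bypasses tunnel:", captive_app_bypasses_tunnel(ALWAYS_ON, bid))
    print(review_captive_exceptions({**ALWAYS_ON, "AllowAllCaptiveNetworkPlugins": True}))
    print(to_plist(ALWAYS_ON).decode())
```

With the constructed fragment only the listed bundle ID bypasses the tunnel; flipping AllowAllCaptiveNetworkPlugins to true widens that to every entitled Captive App and makes the list dead configuration, which is exactly what the review function reports.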
Chapter 5: Internet services

Overview

Internet services from Apple have been built with the same security goals that iOS promotes throughout the platform: secure handling of data, whether at rest on the iOS device or in transit over wireless networks, protection of users’ personal information, and threat protection against malicious or unauthorized access to information and services. Each service uses its own powerful security architecture without compromising the overall ease of use of iOS.
To get the most out of these services, users should have their own Apple ID. If they don’t have one, they can create one even before they receive an Apple device or use Setup Assistant. Using Setup Assistant gives the user an easy and streamlined way to create an Apple ID right from their Apple device. Apple IDs can also be created without the need for a credit card. For one-to-one and student-owned deployments (or BYOD deployments), each user should have their own Apple ID.
Continuity

Continuity is a suite of features that allow a Mac and iPhone or iPad to communicate together seamlessly. Continuity requires iOS 8 or later and OS X Yosemite or later, and it may require the devices to be registered with the same Apple ID.
Note: Some features may not be available in all countries, regions, or all languages.

Phone calls

An iPhone and Mac work seamlessly together when making or answering phone calls.
For more information about iCloud, see the iCloud website. For more information about iCloud security and privacy, see the Apple Support article iCloud security and privacy overview. For more information about system requirements for iCloud, see the Apple Support article System requirements for iCloud. Note: Some features require a Wi-Fi connection. Some features aren’t available in all countries. Access to some services is limited to 10 devices.
iMessage

iMessage is a messaging service for both iOS devices and Mac computers that enables one-to-one or group chats. iMessage supports text and attachments such as photos, contacts, and locations. Messages appear on all of a user’s registered iOS devices and Mac computers, so the user can continue a conversation on any one of them. iMessage uses the Apple Push Notification Service (APNs) and end-to-end encryption with keys known only to the sending and receiving iOS devices and Mac computers.
Apple Push Notification Service (APNs)

Many services rely on Apple Push Notification Service (APNs). APNs is a key part of how Apple devices learn of updates, MDM policies, and incoming messages. In order for your Apple devices to work with these services, you need to allow network traffic from the device to Apple’s network (17.0.0.0/8) on port 5223, with a fallback option of port 443. This traffic is a secured, binary protocol specific to APNs, and can’t go through a proxy.
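A quick way to confirm the firewall requirement above is met is to look for devices whose APNs attempts are being denied. The following Python is an added example written for this page (not from Apple's guide): it reads constructed firewall log lines in a made-up format, keeps only flows to 17.0.0.0/8 on ports 5223 or 443, and classifies each client as reaching APNs on the primary port, only on the 443 fallback, or not at all. The log format, timestamps and addresses are constructed for the example; only the network and the two ports come from the guide.

```python
import ipaddress
import re

# Requirement stated in the guide: devices must reach Apple's 17.0.0.0/8 network
# on TCP 5223, with TCP 443 as the fallback.
APNS_NETWORK = ipaddress.ip_network("17.0.0.0/8")
APNS_PRIMARY_PORT = 5223
APNS_FALLBACK_PORT = 443

# Constructed firewall log lines (not real traffic): time, verdict, src -> dst:port.
SAMPLE_LOG = """\
2015-06-01T08:00:01Z ALLOW 10.20.30.4 -> 17.188.1.10:5223
2015-06-01T08:00:02Z DENY 10.20.30.5 -> 17.172.5.77:5223
2015-06-01T08:00:03Z DENY 10.20.30.5 -> 17.172.5.77:443
2015-06-01T08:00:04Z DENY 10.20.30.6 -> 198.51.100.7:5223
2015-06-01T08:00:05Z DENY 10.20.30.7 -> 17.110.2.3:5223
2015-06-01T08:00:06Z ALLOW 10.20.30.7 -> 17.110.2.3:443
"""

_LINE_RE = re.compile(r"^(\S+) (ALLOW|DENY) (\S+) -> (\S+):(\d+)$")


def is_apns_flow(dst: str, port: int) -> bool:
    """True when the destination is inside Apple's block on one of the APNs ports."""
    return ipaddress.ip_address(dst) in APNS_NETWORK and port in (APNS_PRIMARY_PORT, APNS_FALLBACK_PORT)


def parse_log(text: str) -> list:
    """Parse the constructed log format; lines that do not fit are skipped."""
    flows = []
    for line in text.splitlines():
        m = _LINE_RE.match(line.strip())
        if not m:
            continue
        ts, verdict, src, dst, port = m.groups()
        flows.append({"ts": ts, "verdict": verdict, "src": src, "dst": dst, "port": int(port)})
    return flows


def apns_status(text: str) -> dict:
    """Map each client that tried APNs to 'ok' (5223 allowed), 'fallback'
    (only 443 allowed) or 'blocked' (every APNs attempt denied).

    A 'blocked' client will not receive MDM commands or push notifications,
    and because APNs cannot traverse a proxy, a proxy does not help it."""
    allowed_ports = {}
    for f in parse_log(text):
        if not is_apns_flow(f["dst"], f["port"]):
            continue  # unrelated traffic, e.g. a denied flow to a non-Apple host
        ports = allowed_ports.setdefault(f["src"], set())
        if f["verdict"] == "ALLOW":
            ports.add(f["port"])
    status = {}
    for src, ports in allowed_ports.items():
        if APNS_PRIMARY_PORT in ports:
            status[src] = "ok"
        elif APNS_FALLBACK_PORT in ports:
            status[src] = "fallback"
        else:
            status[src] = "blocked"
    return status


def blocked_clients(text: str) -> list:
    """Sorted list of client addresses that never reached APNs on either port."""
    return sorted(src for src, st in apns_status(text).items() if st == "blocked")


if __name__ == "__main__":
    for src, st in sorted(apns_status(SAMPLE_LOG).items()):
        print(f"{src}: {st}")
    print("blocked:", blocked_clients(SAMPLE_LOG))
```

In the constructed log one client reaches APNs normally, one only via the 443 fallback (worth a look at the egress rule for 5223), and one is denied on both ports and therefore silently stops receiving MDM commands; the denied flow to 198.51.100.7 is ignored because it is not APNs traffic.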
Chapter 6: Security

Overview

iOS and OS X are built with multiple layers of security, so Apple devices can securely access network services and protect important data. iOS and OS X also provide secure protection through the use of passcode and password policies that can be delivered and enforced with MDM. And if an Apple device falls into the wrong hands, a user or IT administrator can use a remote command to erase all private information.
• Passcode history
• Grace period for device lock
• Maximum number of failed attempts before the iOS device will be erased

Policy enforcement

You can distribute policies in a configuration profile that users install. You can also define a profile so that deleting the profile is possible only with an administrator password, or you can define the profile so that it’s locked to the iOS device and can’t be removed without completely erasing all of the device’s contents.
Users can make sure that data protection is enabled on their device by looking at the passcode settings screen. Mobile device management solutions are able to query the device for this information as well. There are also data protection APIs for developers, which can be used to secure data within App Store apps or custom-developed in-house apps. With iOS 7 or later, data stored by apps is, by default, in the security class “Protected Until First User Authentication.”
When Touch ID is enabled, the device immediately locks when the Sleep/Wake button is pressed. With passcode-only security, many users set an unlocking grace period to avoid having to enter a passcode each time they use the device. With Touch ID, the device locks every time it goes to sleep, and requires a fingerprint—or optionally, the passcode—on waking. Touch ID works with the Secure Enclave, a coprocessor in the Apple A7 chip.
VPN

Many enterprise environments have some form of virtual private network (VPN). These secure network services typically require minimal setup and configuration to work with Apple devices, which integrate with a broad range of commonly used VPN technologies. For details, see the Virtual Private Networks (VPN) Overview.

IPSec

iOS and OS X support IPSec protocols and authentication methods. For details, see Supported protocols and authentication methods.
Mandatory code signing

All apps from the App Store must be signed. The apps provided with Apple devices are signed by Apple. Third-party apps are signed by the developer, using an Apple-issued certificate. This ensures that apps haven’t been tampered with or altered. Runtime checks are made to ensure that an app hasn’t become untrusted since it was last used. You can control the use of custom in-house apps with a provisioning profile. Users must have the provisioning profile installed to start the app.
Chapter 7: Configuration and management

Overview

You can streamline Apple device deployments through management techniques that simplify account setup, configure institutional policies, distribute apps, and apply restrictions. You can configure iOS and OS X preferences and accounts manually, or with an MDM solution. Users can then do most of the initial setup themselves through the Setup Assistant built into the Apple devices.
• Display Zoom (iOS only): Doesn’t enable Display Zoom
• Registration (OS X only): Doesn’t permit registration
• FileVault (OS X only): Doesn’t enable FileVault

Unless these items are also permanently restricted using the MDM solution, users can perform any of these after the Apple device is set up.
With an MDM solution in place, you can securely enroll Apple devices in an organization, configure and update settings, monitor compliance with organizational policies, and remotely wipe or lock managed devices. MDM for iOS and OS X gives you a simple way to let users access network services while ensuring Apple devices are properly configured—no matter who owns them.
To enable management, Apple devices are enrolled with an MDM server using an enrollment configuration profile; enrollment can be done directly by the user. For company-owned devices, MDM enrollment can be automated using the Device Enrollment Program (described in this chapter). When an administrator initiates an MDM policy, option, or command, the Apple devices receive notification of the action through APNs. With a network connection, devices can receive APNs commands anywhere in the world.
• Mail
• Subscribed Calendars
• VPN
• 802.1X

Managed mail and calendar accounts respect the Managed Open In restrictions in iOS 7 or later.

Queries

An MDM server has the ability to query Apple devices for a variety of information. This includes hardware information, such as serial number, device UDID, Wi-Fi MAC address, or FileVault encryption status (for OS X).
Managed apps

Distributing apps to your users can help them be more productive at work or in the classroom. However, depending on your organization’s requirements, you may need to control how those apps connect to internal resources, and how data security is handled when a user transitions out of the organization, all while coexisting alongside the user’s personal apps and data.
• Prevent Backup: This restriction prevents managed apps from backing up data to iCloud or iTunes. Disallowing backup prevents managed app data from being recovered if the app is removed via MDM but later reinstalled by the user.

iOS 8 adds these management capabilities:
• Safari downloads from managed domains: Downloads from Safari are considered managed documents if they originate from a managed domain.
Profile Manager

In addition to third-party MDM solutions, Apple offers an MDM solution called Profile Manager, a service of OS X Server. Profile Manager makes it easy to configure Apple devices so they’re set up to your organization’s specifications. Profile Manager provides three components:
• Over-the-air configuration of Apple devices: Streamline the configuration of institutionally owned Apple devices.
The process is simple: After enrolling in the program, administrators log into the DEP website, link the program to their MDM server or servers, and “claim” the Apple devices purchased from Apple or a participating Apple Authorized Reseller or carrier. The devices can then be assigned to an MDM server. Once the device is enrolled, any MDM-specified configurations, restrictions, or controls are automatically installed.
After a device has been assigned to an MDM server in the program, profiles and additional features may be applied using your organization’s MDM server.
Chapter 8: App and book distribution

Overview

iOS comes with a collection of powerful built-in apps that let people in your organization easily accomplish everyday tasks—from managing email and calendars to keeping track of contacts and web content. And the additional functionality users need in order to be productive comes from the hundreds of thousands of third-party apps available on the App Store, or from custom enterprise apps developed in-house or by third-party developers.
MDM solutions can be integrated with VPP, enabling your organization to purchase apps and books in volume and assign them to specific users or groups. When a user no longer needs an app, you can use MDM to revoke and reassign it to a different user. And each app or book is automatically available for download on the user’s Apple device. Once distributed, books remain the property of the recipient and aren’t revocable or reassignable.
Once an app is assigned to a user via MDM, it appears in the purchase history of the App Store for that user. The user can be prompted to accept installation of the app or, in the case of a supervised iOS device, the app can be silently installed. If any apps that aren’t already installed on a device are pushed using the Push VPP Apps task, they’ll be automatically removed when a user unenrolls from MDM.
Register for app development

Once you register for the iOS Developer Enterprise Program, you can request a developer certificate and developer provisioning profile. You use these during development to build and test your app. The development provisioning profile lets apps signed with your developer certificate run on registered iOS devices. The ad hoc profile expires after three months and specifies which devices (by device ID) can run development builds of your app.
Deploy apps and books

Overview

You can use the following ways to deploy apps and books:
• Use your MDM server to instruct managed Apple devices to install an in-house or App Store app, if your MDM server supports it.
• Post the app on a secure web server, so users can access and perform the installation wirelessly. For information, see Install in-house apps wirelessly.
• Install the app on iOS devices locally using Apple Configurator.
Caching Server

iOS and OS X make it easy for users to access and consume digital content, and some users may request many gigabytes of apps, books and software updates while connected to an organization’s network. The demand for these assets comes in spikes—first with initial Apple device deployment, and then sporadically, as users discover new content or as content is updated over time. These content downloads can cause surges in demand for Internet bandwidth.
Here’s an explanation of the Caching Server workflow:
1. When an Apple device on a network with one or more Caching Servers requests content from the iTunes Store or Software Update server, the device is referred to a Caching Server.
2. The Caching Server first checks to see whether it already has the requested content in its local cache.
• If it does, it immediately begins serving the content to the device.
Chapter 9: Planning for support

Overview

A deployment of Apple devices should include support.
AppleCare for Enterprise

AppleCare for Enterprise includes comprehensive hardware and software support for your business or educational institution. Your AppleCare Account Manager will help review your IT infrastructure, track issues you may be having, and provide monthly activity reports for both support calls and repairs. You’ll get IT department–level support by phone or email for all Apple hardware and software.
Chapter 10: Appendices

Restrictions

Overview

Apple devices support the following policies and restrictions, which you can configure to meet the needs of your organization. Depending on your MDM solution, the names of these restrictions may vary slightly.
Note: Not all restrictions are available for all Apple devices.

Device Enrollment Program settings

The following restrictions apply to Apple devices assigned to MDM servers using the Device Enrollment Program.
• Allow user to select whether diagnostic data is sent to Apple and developers: When this option is off, the user can’t select whether to send diagnostic data to Apple and app data to developers.
• Allow user to enable Location Services: When this option is off, the user can’t enable Location Services.
• Allow the user to enable Touch ID (iOS-only): When this option is off, the user can’t enable Touch ID to unlock the device or authenticate to apps that use Touch ID.
•• Allow Notification Center access from Lock Screen: When this option is off, users can’t swipe down to see Notification Center in the Lock screen. •• Allow Today view from Lock Screen: When this option is off, users can’t swipe down to see Today View in the Lock screen. •• Allow Passbook notifications in Lock Screen: When this option is off, users must unlock the device to use Passbook.
•• Allow spell check: When this option is off, users won’t see potentially misspelled words underlined in red text. •• Allow Define: When this option is off, users can’t double-tap to search for a word’s definition. •• Allow user-generated content in Siri: When this option is off, Siri can’t obtain content from sources that allow user-generated content, such as Wikipedia.
Security and privacy settings
iOS and OS X security and privacy settings
The following security and privacy restriction applies to both iOS and OS X:
• Allow diagnostic data to be sent to Apple: When this option is off, diagnostic data about the device is not sent to Apple.
iOS security and privacy settings
The following security and privacy restrictions are iOS only:
• Allow Internet search results in Spotlight: When this option is off, Spotlight won't return any results from an Internet search.
If any profile is encrypted and this option is turned off, encryption of backups is required and enforced by iTunes. Profiles installed on the device by Profile Manager are never encrypted.
OS X security and privacy settings
The following security and privacy restriction is OS X only:
• Allow AirDrop: When this option is off, users can't use AirDrop with other Mac computers. AirDrop can also be restricted on iOS devices, but only after they have been supervised.
• Allow specific Dashboard widgets to run: When this option is on, you can select which Dashboard widgets the user can enable.
Game Center restrictions
• Allow Game Center: When this option is off, the Game Center app and its icon are removed.
• Allow Game Center account modification: When this option is off, Game Center users can't modify their user name or password.
iCloud settings
• Allow backup: When this option is off, device backup is performed only in iTunes.
• Restrict enrollment to placeholder devices: When this option is on, only devices that have a placeholder with one of the following identifiers can enroll in Profile Manager's MDM service:
  • Serial number
  • UDID
  • IMEI
  • MEID
  • Bonjour device ID (Apple TV only)
Note: The following restriction is a subset of this one.
• Restrict enrollment to assigned devices: When this option is on, only devices that have been assigned to a user can enroll in Profile Manager's MDM service.
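The restrictions above are listed by the labels an MDM shows in its UI, and those labels vary by product. What the device actually receives is a configuration profile carrying a restrictions payload, so it is worth checking the raw payload rather than the checkbox. The following Python script is an added example, not from the iOS Deployment Reference or from any MDM vendor: it builds a restrictions payload and audits a profile against a hardened baseline for the security and privacy restrictions discussed here. The payload type and key names (com.apple.applicationaccess, allowDiagnosticSubmission, forceEncryptedBackup and so on) are assumed to follow Apple's Configuration Profile Reference rather than this page, and the identifier and display names are constructed.

```python
"""Build and audit an iOS/OS X restrictions payload (com.apple.applicationaccess).

Added example; key names are assumed from Apple's Configuration Profile Reference
(the page names restrictions only by their MDM UI labels). Verify the raw profile
your MDM pushes, because vendors relabel these keys.
"""
import plistlib
import uuid

# Hardened baseline for the security/privacy restrictions the page describes.
# Left column: assumed payload key. Comment: the UI label used on the page.
HARDENED_BASELINE = {
    "allowDiagnosticSubmission": False,          # Allow diagnostic data to be sent to Apple
    "allowSpotlightInternetResults": False,      # Allow Internet search results in Spotlight
    "allowAssistantUserGeneratedContent": False, # Allow user-generated content in Siri
    "allowLockScreenNotificationsView": False,   # Allow Notification Center from Lock screen
    "allowLockScreenTodayView": False,           # Allow Today view from Lock screen
    "allowPassbookWhileLocked": False,           # Allow Passbook notifications in Lock screen
    "allowCloudBackup": False,                   # Allow backup (off: iTunes backup only)
    "forceEncryptedBackup": True,                # Encrypted iTunes backups required
    "allowAirDrop": False,                       # Allow AirDrop (iOS: supervised only)
}

# Restrictions iOS enforces only on supervised devices. AirDrop is stated on the
# page; Siri user-generated content is assumed from Apple's reference.
SUPERVISED_ONLY = {"allowAirDrop", "allowAssistantUserGeneratedContent"}


def build_restrictions_profile(settings, identifier="com.example.restrictions"):
    """Return a configuration profile (XML plist bytes) with one restrictions payload."""
    payload = {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier + ".restrictions",
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Restrictions",
    }
    payload.update(settings)
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()),
        "PayloadDisplayName": "Security and privacy restrictions",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def audit_restrictions_profile(profile_bytes, supervised=True):
    """Compare every restrictions payload in a profile against HARDENED_BASELINE.

    Returns a sorted list of finding strings; an empty list means every baseline
    key is present with the expected value. Missing keys are findings because a
    restriction that is not set leaves the device default in place.
    """
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == "com.apple.applicationaccess"]
    if not payloads:
        return ["no com.apple.applicationaccess payload present"]
    findings = []
    for payload in payloads:
        for key, expected in HARDENED_BASELINE.items():
            if key not in payload:
                findings.append(f"{key}: not set (device default applies)")
            elif payload[key] != expected:
                findings.append(f"{key}: is {payload[key]}, baseline expects {expected}")
            elif key in SUPERVISED_ONLY and not supervised:
                findings.append(f"{key}: set but ignored on unsupervised iOS devices")
    return sorted(findings)


if __name__ == "__main__":
    # A profile that only touches one key: everything else is reported as unset.
    weak = build_restrictions_profile({"allowCloudBackup": True})
    for finding in audit_restrictions_profile(weak):
        print("weak profile:", finding)
    hardened = build_restrictions_profile(HARDENED_BASELINE)
    print("hardened, supervised:", audit_restrictions_profile(hardened))
    print("hardened, unsupervised:", audit_restrictions_profile(hardened, supervised=False))
```

Run the audit against a profile exported from your MDM (or pulled from a test device) rather than the one the script builds; the supervised flag matters because, as the AirDrop entry above notes, iOS only honours some of these restrictions on supervised devices, and an MDM UI will happily let you tick the box on an unsupervised one.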
About the wireless manifest file
The manifest file is an XML plist. An iOS device uses it to find, download, and install apps from your web server. Xcode creates the manifest file from information you provide when you share an archived app for enterprise distribution. The following fields are required:
• URL: The fully qualified HTTPS URL of the app (.ipa) file.
• display-image: A 57-by-57-pixel PNG image that's displayed during download and installation.
Set server MIME types
You may need to configure your web server so the manifest file and app file are transmitted correctly.
For OS X Server, add the following MIME types to the web service's MIME Types settings:
  application/octet-stream   ipa
  text/xml                   plist
For IIS, use IIS Manager to add the MIME type in the Properties page of the server:
  .ipa   application/octet-stream
  .
If users already have the app, you may want to time your next release so that it includes the new provisioning profile. If you can't wait for a release, you can distribute just the new .mobileprovision file, so users won't have to install the app again; the new provisioning profile overrides the one already in the app archive. Provisioning profiles can be installed and managed using MDM, or downloaded and installed by users through an app update.
Manifest file fragment, showing the optional chunked-hash fields of the app asset (md5-size is the chunk length in bytes; md5s lists the MD5 of each chunk in order) followed by two metadata keys:
  md5-size: 10485760
  md5s:
    41fa64bb7a7cae5a46bfb45821ac8bba
    51fa64bb7a7cae5a46bfb45821ac8bba
  kind: software
  subtitle: Apple
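The manifest's required fields and the md5-size/md5s fragment above together describe a small integrity scheme: the .ipa is split into md5-size byte chunks and each chunk's MD5 is listed in md5s, so the device can detect a truncated or corrupted download before installing. Xcode writes this file for you, but when you host a manifest yourself you want to be able to regenerate and check it. The following Python script is an added example, not from the iOS Deployment Reference or from Xcode: it builds a manifest plist with the chunk hashes, refuses non-HTTPS asset URLs (the page requires HTTPS for the .ipa), and verifies a downloaded .ipa against a manifest. The asset kind names (software-package, display-image) are assumed from Apple's manifest format; the hostname, bundle values and sample file bytes are constructed.

```python
"""Generate and verify an enterprise-distribution manifest (XML plist).

Added example, not the page's or Xcode's own code. The chunked md5-size/md5s
fields are computed the way the page's fragment shows them: the .ipa is split
into md5-size byte chunks and each chunk is MD5-hashed in file order.
Asset kind names are assumed from Apple's manifest format; sample values are
constructed.
"""
import hashlib
import plistlib
from urllib.parse import urlparse

DEFAULT_CHUNK = 10485760  # 10 MiB, the md5-size value shown in the page's fragment


def chunk_md5s(data, chunk_size=DEFAULT_CHUNK):
    """Return the hex MD5 of every chunk_size slice of data, in file order."""
    if chunk_size <= 0:
        raise ValueError("md5-size must be positive")
    return [hashlib.md5(data[i:i + chunk_size]).hexdigest()
            for i in range(0, len(data), chunk_size)]


def build_manifest(ipa_bytes, ipa_url, display_image_url, bundle_id,
                   bundle_version, title, chunk_size=DEFAULT_CHUNK):
    """Build the manifest plist as bytes. Asset URLs must be HTTPS (page requirement)."""
    for url in (ipa_url, display_image_url):
        if urlparse(url).scheme != "https":
            raise ValueError(f"asset URL must be HTTPS: {url}")
    manifest = {
        "items": [{
            "assets": [
                {"kind": "software-package", "url": ipa_url,
                 "md5-size": chunk_size, "md5s": chunk_md5s(ipa_bytes, chunk_size)},
                {"kind": "display-image", "url": display_image_url},
            ],
            "metadata": {"bundle-identifier": bundle_id, "bundle-version": bundle_version,
                         "kind": "software", "title": title},
        }],
    }
    return plistlib.dumps(manifest)


def verify_ipa_against_manifest(manifest_bytes, ipa_bytes):
    """Return (ok, reason). ok is True only when every chunk hash matches."""
    manifest = plistlib.loads(manifest_bytes)
    package = next((a for item in manifest["items"] for a in item["assets"]
                    if a.get("kind") == "software-package"), None)
    if package is None:
        return False, "manifest has no software-package asset"
    if "md5s" not in package:
        # md5s is optional: without it, integrity rests on TLS and the code signature alone.
        return True, "manifest carries no md5s; nothing to check"
    expected = package["md5s"]
    actual = chunk_md5s(ipa_bytes, package.get("md5-size", DEFAULT_CHUNK))
    if len(expected) != len(actual):
        return False, f"chunk count mismatch: manifest {len(expected)}, file {len(actual)}"
    bad = [i for i, (e, a) in enumerate(zip(expected, actual)) if e != a]
    if bad:
        return False, f"md5 mismatch in chunk(s) {bad}"
    return True, "all chunk hashes match"


if __name__ == "__main__":
    # Constructed stand-in for an .ipa: 25,600 bytes, hashed in 4 KiB chunks so the
    # example produces several md5s entries without needing a real 10 MiB file.
    sample_ipa = bytes(range(256)) * 100
    manifest = build_manifest(sample_ipa, "https://apps.example.com/Foo.ipa",
                              "https://apps.example.com/Foo-57.png",
                              "com.example.foo", "1.0", "Foo", chunk_size=4096)
    print(manifest.decode())
    print(verify_ipa_against_manifest(manifest, sample_ipa))
    # Flip one byte in the second chunk: verification must name chunk 1.
    tampered = sample_ipa[:5000] + b"\x00" + sample_ipa[5001:]
    print(verify_ipa_against_manifest(manifest, tampered))
```

Serve the generated file with the text/xml type from the MIME table above; the HTTPS check in build_manifest only covers the URLs you write into the manifest, so the manifest itself must also be fetched over HTTPS for the chunk hashes to mean anything, since an attacker who can replace the .ipa on a plaintext link can replace the md5s with it.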