Bulk-Management of iOS devices (without an Apple ID in sight)
So, you’ve got a company fleet of iPhones and iPads. Some of these belong to individual users, some are shared devices, and you might even have some providing kiosk-style functionality. Each device requires a common set of apps, and based on their function or the person using them, maybe a few department-specific ones too. You want to be able to track and manage devices, know who’s got what, disable and wipe lost devices, make sure employees can access their email and so on.
Kickin’ it old school
Easy solution, right? We just get someone in IT to provision the device out of the box with the user’s email and apps, sign the device into the company Apple ID, hand it off to the user and log the serial in a spreadsheet. Aren’t spreadsheets great?
Until one day, when Kevin from accounting decides to send his Tinder date an unsolicited picture on iMessage – let’s say of his dog. What Kevin forgot is that he’s not the only one with that Apple ID on his phone. Suddenly, everybody has seen Kevin’s dog, HR are involved, Kevin’s being fired, and everyone knows he’s got a small dog.
There’s a better way.
We’re not here to shame Kevin or his dog. Small dogs can be cute, right? But Kevin should have known better. Even so, this could have been avoided, but it’s obviously impractical to set up an Apple ID for every employee. We could let them use their own Apple ID, but this requires IT to get these details from the users to perform device setup, and there are a lot of photos of people’s dogs, cats and birds that have been uploaded to iCloud that they might not want IT seeing. So how do we fix this?
By now, you’ve probably heard of MDM or EMM, and even know a bit about it, or maybe you’re already using it! VMware have run furthest with the MDM/EMM ball in the form of Workspace ONE UEM. In a nutshell, Workspace ONE UEM simplifies your mobile management workflows by providing a central management console that enables an admin to provision apps (both public and private), install profiles (such as email or Wi-Fi configuration) and enforce device compliance (such as an application blacklist – we’re looking at you, Kevin…).
Workspace ONE integrates deeply with the Apple ecosystem, as well as Android and Windows (but they’re a story for another day). On top of being able to actually manage the device with Workspace ONE, Apple provide us with a few tools to fix the Kevin problem.
Kevin, we need to talk.
The first is the Device Enrolment Program. DEP extends the Apple out-of-box setup process and seamlessly integrates it with Workspace ONE, without IT ever having to touch the device. You simply add the serial of a DEP-enabled device to your Apple Business Portal (a super simple interface that provides the link between Apple and Workspace ONE) and device enrolment becomes a single seamless step in the out-of-the-box setup process. Better still, this means that the phone is essentially a brick to anybody without valid corporate credentials.
Even if the device is reset – either by the user or remotely through Workspace ONE – it can’t be set up again without the right credentials. This turns out to be quite handy, because everyone was so busy dealing with the Kevin problem that nobody remembered to actually ask him to return the offending device.
The next tool we have at our disposal is the Volume Purchase Program. VPP was originally designed to enable admins to bulk-purchase and provision licenses for paid App Store apps without having to assign them to an individual Apple ID, meaning that the licenses could be freely redistributed and didn’t disappear with Kevin as he was marched out the door. We can leverage VPP for free applications too, meaning that we can assign any public application to any device as soon as it’s out of the box, without the user ever needing to enter an Apple ID.
We’ve only just begun…
This only scratches the surface of what you can do with iOS and Workspace ONE UEM. By integrating it with your on-premises Active Directory or equivalent, you can begin to leverage your existing groups to target apps, profiles and policies by business unit, function or location, integrate with your existing certificate authorities for enhanced authentication, enable multi-factor, conditional single sign-on for your enterprise applications and so much more. You can read more about Workspace ONE here: https://techzone.vmware.com/resource/what-workspace-one
Sadly, this all comes a bit too late for Kevin, but reach out to us for a chat to see how we can make Workspace ONE work for you.