19 Replies Latest reply: Jun 6, 2014 12:43 PM by jbitzW
Hermits Level 1 (0 points)

I'm currently running into an issue with Mobile Device Management in Lion Server with remotely managing the new 30 unit iPad cart our school just purchased.

I'm able to attach the iPads to the MDM server and the profile applies just fine. But I'm able to easily REMOVE the profile(s) from the iPad without the need for a password, even though I've configured one.

Three profiles get applied: 1) the organization profile, 2) the Remote Management profile, and 3) the iPad-specific settings I've set.

The 3rd profile has a password set so that removal requires me entering the password. But I'm able to remove profile 1 and 2 WITHOUT the need for a password and then profile 3 automatically removes along with it.

Has anyone else run into this issue? According to AppleCare, this is by design. Maybe it is, but it seems like a HUGE design flaw in my opinion.


iPad 2, iOS 5.1, Lion Server - Mobile Device Manager
  • 1. Re: Able to remove profile without the need for a password
    gyrhead Level 3 (785 points)

    Why don't you require a password for the removal of all three?

  • 2. Re: Able to remove profile without the need for a password
    Hermits Level 1 (0 points)

    I'd LOVE to gyrhead... I only see the ability to set a password for removal on the 3rd profile. Do you know of a way I can set one for profiles 1 and 2?

  • 3. Re: Able to remove profile without the need for a password
    gyrhead Level 3 (785 points)

    On iOS devices, you can mark a profile as being locked to the device, so when installed it can be removed only by wiping the device of all data (or by entering a passcode). Go into your device list, settings for new device, general, security, with authorization, and set password.

  • 4. Re: Able to remove profile without the need for a password
    Hermits Level 1 (0 points)

    gyrhead...

    Maybe I'm doing something wrong. In the Profile Manager on the server, I've set the following:

    Under Devices -> iPad 01 (name of iPad unit ) -> Profile -> Edit -> Settings for iPad 01 -> General -> Security WITH Authorization and I've set a password

    Under Device Group -> iPad Cart ( Name of Group ) -> Profile -> Edit -> Settings for iPad Cart -> General -> Security WITH Authorization and I've set a password

    Under User -> My User Name -> Profile -> Edit -> Settings for My User Name -> General -> Security WITH Authorization and I've set a password

    I then go to http://<myservername.tld>/mydevices -> Profiles -> Trust Profile for <My Organization> -> Install... It then installs the certificate

    I then go back to http://<myservername.tld>/mydevices -> Devices -> and I click Enroll -> it now enrolls the device

    When I go to General -> Profile, I see three certificates:

    - Trust relationship for My Organization

    - Remote Management

    - iPad Cart Settings

    iPad Cart Settings requires me to enter a password to remove it. But removing the Trust Relationship or Remote Management does NOT. And after removing Remote Management, iPad Cart Settings are automatically removed as well, without needing the password I set.

    What am I doing wrong?

  • 5. Re: Able to remove profile without the need for a password
    gyrhead Level 3 (785 points)

    Unfortunately you are not doing anything wrong, even with the high end MDM providers such as Airwatch there is not a way to password protect the primary trust certificate to prevent its removal. Once the upper level certificate is removed the rest go with it.

    This is an Apple issue, driven by the philosophy that the end user should have ultimate privacy and control.  In your case you will have to go in and manually enable restrictions if you want to ensure that controllable settings can't be changed if the profiles are removed. You may also be able to make it so the iPad can't connect to the network if its profiles have been deleted, this might deter students from deleting them. 
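
The removal paths discussed above, as an added example that is not part of the original thread or of any MDM product: a short Python audit that parses configuration profiles and reports the easiest way each one can leave a device. The three profiles are constructed stand-ins; the "delivered through MDM" flag and the cascade rule are assumptions taken from the behaviour the posters describe.

```python
import plistlib

MDM = "com.apple.mdm"                            # MDM enrollment payload
REMOVAL_PW = "com.apple.profileRemovalPassword"  # removal-password payload

def build(name, payloads):
    """Serialize a constructed configuration profile to plist bytes."""
    return plistlib.dumps({"PayloadType": "Configuration",
                           "PayloadDisplayName": name,
                           "PayloadContent": payloads})

# Constructed stand-ins for the three profiles in the thread. The second tuple
# element is device-side state, not part of the plist (assumption): True means
# the profile was delivered through the MDM channel.
SAMPLE = [
    (build("Trust Profile", [{"PayloadType": "com.apple.security.root"}]), False),
    (build("Remote Management", [{"PayloadType": MDM}]), False),
    (build("iPad Cart Settings", [
        {"PayloadType": "com.apple.applicationaccess"},
        {"PayloadType": REMOVAL_PW, "RemovalPassword": "constructed-value"},
    ]), True),
]

def audit(profiles):
    """Map each profile name to the easiest removal path a device user has."""
    parsed = []
    for raw, via_mdm in profiles:
        prof = plistlib.loads(raw)
        types = {p.get("PayloadType") for p in prof.get("PayloadContent", [])}
        parsed.append((prof["PayloadDisplayName"], types, via_mdm))
    enrolled = any(MDM in types for _, types, _ in parsed)
    report = {}
    for name, types, via_mdm in parsed:
        if via_mdm and enrolled:
            # Removing the enrollment profile takes MDM-delivered profiles along.
            report[name] = "cascade: goes with MDM profile, no password"
        elif REMOVAL_PW in types:
            report[name] = "password required"
        else:
            report[name] = "removable, no password"
    return report

if __name__ == "__main__":
    for name, path in audit(SAMPLE).items():
        print(f"{name}: {path}")
```

The same settings profile installed by hand, outside the MDM channel, is reported as "password required", which is why the removal password only holds when nothing above the profile can be removed freely.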

  • 6. Re: Able to remove profile without the need for a password
    gyrhead Level 3 (785 points)

    The one advantage of a higher end MDM is that the system will tell you if a profile has been removed from a device.  You may want to use the free Meraki MDM at https://account.meraki.com/secure/login/dashboard_login to use instead of or in addition to Lion.

  • 7. Re: Able to remove profile without the need for a password
    Hermits Level 1 (0 points)

    I'll take a look at this gyrhead... While knowing if a device was removed from the MDM is good, I need to prevent it altogether.

    The I.T. Department at my school is small. If even one iPad per class period was removed from the MDM, it would be extremely troublesome for us.

    If even they made it where the Settings app was password protected, in order to access it, that would help greatly!

  • 8. Re: Able to remove profile without the need for a password
    gyrhead Level 3 (785 points)

    We have an IT department of 1 (yours truly).   Over 600 mobile devices (ipads and laptops) to manage.  I feel your pain.   I looked at Airwatch and the rep said the end user could delete the profile and the Airwatch MDM agent app unless I went on each iPad and manually enabled restrictions with deleting apps disabled.  I may end up doing this just to save time in the long run.

  • 9. Re: Able to remove profile without the need for a password
    Hermits Level 1 (0 points)

    So if I understand you correctly, you can prevent MDM removal using AirWatch by setting restrictions on the iPad that they can't delete apps?

    If the answer to this is yes, you might have just found my solution! I don't see where restricting users from being able to delete apps will be a problem at all. In fact, it might be an additional plus!

  • 10. Re: Able to remove profile without the need for a password
    gyrhead Level 3 (785 points)

    Airwatch has an MDM agent app (see it in iTunes) that works with their console.  Some MDM solutions don't use an agent app, just a profile.  You should definitely verify and see a demo or trial - this is just based on a question I asked when viewing an Airwatch webinar.  I always go in and manually enable restrictions in environments like the middle school to prevent adding and deleting apps.   I am probably going to go ahead with Airwatch as soon as budget conditions allow.  They have a free trial.

    http://www.air-watch.com/solutions/apple-ios

  • 11. Re: Able to remove profile without the need for a password
    Hermits Level 1 (0 points)

    gyrhead...

    I just wanted to update this thread. After spending some time looking into AirWatch, it doesn't look like it's a solution for what we've been discussing here. Unfortunately, there doesn't appear to be ANY solution to this problem. Not until Apple decides to either allow 3rd party solutions to be implemented, or implements it themselves, will there be a solution to it.

    I don't want to make it sound like AirWatch is not a good product. From my research, they appear to be a very good solution... Just not a solution to this particular problem.

  • 12. Re: Able to remove profile without the need for a password
    gyrhead Level 3 (785 points)

    Thank you for the update.  I agree with you, Apple needs to make changes, or we will always be facing time consuming issues in educational deployments, especially in middle school type environments.

  • 13. Re: Able to remove profile without the need for a password
    cryohazard Level 1 (0 points)

    I've run into these same issues myself. I'm currently using Meraki to manage our 450+ iPads now, but may be transitioning to Microsoft System Center 2012 once we finish planning and roll out that monster. MDM is supposed to be a decent part of the package.

    Just chiming in though because you're not alone in this struggle. What I also found extremely annoying is that I can disable App installs through the MDM which would save teachers time since their students wouldn't install crap (read: games) on the devices, but at the same time I found that it would not even let me sync "install" the Apps which made it a no-go for us.

  • 14. Re: Able to remove profile without the need for a password
    Hermits Level 1 (0 points)

    Cryohazard...

    Thanks for the solidarity

    I'm currently running SCCM 2007... I wasn't aware that SCCM 2012 was going to have an MDM built into it

    Unfortunately, I don't expect that even if SCCM 2012 will have MDM, that will solve this issue. It appears that it's not a problem that 3rd party developers have slacked on adding, but that Apple refuses to allow it to happen. So long as that's the case, I don't see anything changing anytime soon.
