May 2, 2012 8:55 AM (in response to Hermits)
Why don't you require a password for the removal of all three?
May 2, 2012 9:12 AM (in response to gyrhead)
I'd LOVE to gyrhead... I only see the ability to set a password for removal on the 3rd profile. Do you know of a way I can set one for profiles 1 and 2?
May 2, 2012 9:36 AM (in response to Hermits)
On iOS devices, you can mark a profile as being locked to the device, so when installed it can be removed only by wiping the device of all data (or by entering a passcode). Go into your device list, settings for new device, general, security, with authorization, and set password.
May 2, 2012 10:00 AM (in response to gyrhead)
Maybe I'm doing something wrong. In the Profile Manager on the server, I've set the following:
Under Devices -> iPad 01 (name of iPad unit) -> Profile -> Edit -> Settings for iPad 01 -> General -> Security WITH Authorization and I've set a password
Under Device Group -> iPad Cart (Name of Group) -> Profile -> Edit -> Settings for iPad Cart -> General -> Security WITH Authorization and I've set a password
Under User -> My User Name -> Profile -> Edit -> Settings for My User Name -> General -> Security WITH Authorization and I've set a password
I then go to http://<myservername.tld>/mydevices -> Profiles -> Trust Profile for <My Organization> -> Install... It then installs the certificate
I then go back to http://<myservername.tld>/mydevices -> Devices -> and I click Enroll -> it now enrolls the device
When I go to General -> Profile, I see three certificates:
- Trust relationship for My Organization
- Remote Management
- iPad Cart Settings
iPad Cart Settings requires me to enter a password to remove it. But removing the Trust Relationship or Remote Management does NOT. And after removing Remote Management, iPad Cart Settings are automatically removed as well, without needing the password I set.
What am I doing wrong?
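An added example, not part of the original thread and not Apple's or Profile Manager's code: a Python check that reads configuration profiles and reports which ones carry a removal password, mirroring the three profiles listed in the post above. The sample profiles are constructed, and their payload contents, as well as the assumption that "With Authorization" is delivered as a `com.apple.profileRemovalPassword` payload, are illustrative.

```python
import plistlib

REMOVAL_PW_TYPE = "com.apple.profileRemovalPassword"

def make_profile(name, payload_types):
    """Build a constructed (sample) .mobileconfig as XML plist bytes."""
    content = [{"PayloadType": t, "PayloadVersion": 1,
                "PayloadIdentifier": f"example.{i}",
                "PayloadUUID": f"00000000-0000-0000-0000-{i:012d}"}
               for i, t in enumerate(payload_types)]
    return plistlib.dumps({"PayloadType": "Configuration",
                           "PayloadDisplayName": name,
                           "PayloadVersion": 1,
                           "PayloadContent": content})

def removal_guard(raw):
    """Return (display name, guard): 'locked', 'password' or 'none'."""
    profile = plistlib.loads(raw)
    types = {p.get("PayloadType") for p in profile.get("PayloadContent", [])
             if isinstance(p, dict)}
    if profile.get("PayloadRemovalDisallowed"):
        guard = "locked"          # profile declares itself non-removable
    elif REMOVAL_PW_TYPE in types or profile.get("HasRemovalPasscode"):
        guard = "password"        # removal prompts for the removal password
    else:
        guard = "none"            # nothing in the profile gates its removal
    return profile.get("PayloadDisplayName", "?"), guard

def audit(raw_profiles):
    """Map each profile's display name to its removal guard."""
    return dict(removal_guard(r) for r in raw_profiles)

# Constructed samples; the payload types chosen for each are assumptions.
SAMPLES = [
    make_profile("Trust relationship for My Organization",
                 ["com.apple.security.root"]),
    make_profile("Remote Management", ["com.apple.mdm"]),
    make_profile("iPad Cart Settings",
                 ["com.apple.wifi.managed", REMOVAL_PW_TYPE]),
]

if __name__ == "__main__":
    for name, guard in audit(SAMPLES).items():
        print(f"{name}: removal guard = {guard}")
```

Signed profiles are wrapped in a CMS envelope, which has to be stripped before `plistlib` can read them.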
May 2, 2012 11:12 AM (in response to Hermits)
Unfortunately you are not doing anything wrong. Even with the high end MDM providers such as AirWatch, there is not a way to password protect the primary trust certificate to prevent its removal. Once the upper level certificate is removed the rest go with it.
This is an Apple issue, driven by the philosophy that the end user should have ultimate privacy and control. In your case you will have to go in and manually enable restrictions if you want to ensure that controllable settings can't be changed if the profiles are removed. You may also be able to make it so the iPad can't connect to the network if its profiles have been deleted; this might deter students from deleting them.
May 2, 2012 11:27 AM (in response to gyrhead)
The one advantage of a higher end MDM is that the system will tell you if a profile has been removed from a device. You may want to use the free Meraki MDM at https://account.meraki.com/secure/login/dashboard_login instead of or in addition to Lion.
May 2, 2012 11:35 AM (in response to gyrhead)
I'll take a look at this, gyrhead... While knowing if a device was removed from the MDM is good, I need to prevent it altogether.
The I.T. Department at my school is small. If even one iPad per class period was removed from the MDM, it would be extremely troublesome for us.
If even they made it where the Settings app was password protected, in order to access it, that would help greatly!
May 2, 2012 11:50 AM (in response to Hermits)
We have an IT department of 1 (yours truly). Over 600 mobile devices (iPads and laptops) to manage. I feel your pain. I looked at AirWatch and the rep said the end user could delete the profile and the AirWatch MDM agent app unless I went on each iPad and manually enabled restrictions with deleting apps disabled. I may end up doing this just to save time in the long run.
May 2, 2012 11:58 AM (in response to gyrhead)
So if I understand you correctly, you can prevent MDM removal using AirWatch by setting restrictions on the iPad so that they can't delete apps?
If the answer to this is yes, you might have just found my solution! I don't see where restricting users from being able to delete apps will be a problem at all. In fact, it might be an additional plus!
May 2, 2012 12:17 PM (in response to Hermits)
AirWatch has an MDM agent app (see it in iTunes) that works with their console. Some MDM solutions don't use an agent app, just a profile. You should definitely verify and see a demo or trial - this is just based on a question I asked when viewing an AirWatch webinar. I always go in and manually enable restrictions in environments like the middle school to prevent adding and deleting apps. I am probably going to go ahead with AirWatch as soon as budget conditions allow. They have a free trial.
May 10, 2012 4:37 AM (in response to gyrhead)
I just wanted to update this thread. After spending some time looking into AirWatch, it doesn't look like it's a solution for what we've been discussing here. Unfortunately, there doesn't appear to be ANY solution to this problem. Not until Apple decides to either allow 3rd party solutions to be implemented, or implements it themselves, will there be a solution to it.
I don't want to make it sound like AirWatch is not a good product. From my research, they appear to be a very good solution... Just not a solution to this particular problem.
May 10, 2012 4:51 AM (in response to Hermits)
Thank you for the update. I agree with you, Apple needs to make changes, or we will always be facing time consuming issues in educational deployments, especially in middle school type environments.
May 14, 2012 11:04 AM (in response to gyrhead)
I've run into these same issues myself. I'm currently using Meraki to manage our 450+ iPads now, but may be transitioning to Microsoft System Center 2012 once we finish planning and roll out that monster. MDM is supposed to be a decent part of the package.
Just chiming in though because you're not alone in this struggle. What I also found extremely annoying is that I can disable App installs through the MDM which would save teachers time since their students wouldn't install crap (read: games) on the devices, but at the same time I found that it would not even let me sync "install" the Apps which made it a no-go for us.
May 14, 2012 11:14 AM (in response to cryohazard)
Thanks for the solidarity
I'm currently running SCCM 2007... I wasn't aware that SCCM 2012 was going to have an MDM built into it
Unfortunately, I don't expect that even if SCCM 2012 will have MDM, that will solve this issue. It appears that it's not a problem that 3rd party developers have slacked on adding, but that Apple refuses to allow it to happen. So long as that's the case, I don't see anything changing anytime soon.