3 Replies Latest reply: May 13, 2012 2:41 AM by alexanderstein
Stu109 Level 1

Hi all


This is my first post so apologies if this has already been asked but I can't seem to find a suitable answer.


We have just started to roll out iPads at the company I work for. Unfortunately, as new projects go, it is rushed and last minute, and the goal posts are constantly being moved on a weekly basis.


We have been provisioning the iPads with two separate 3rd party MDM solutions, one for the configuration profiles, policies etc. and one for secured email, both of which have their own app listed in the Apple App Store that we preinstall before deployment. These are installed using the one Apple ID whose credentials we will not be disclosing to the users, as they will be encouraged to use their own Apple ID for any additional apps they wish to use. The problem I can foresee is when the two apps we initially installed are due updates. Is there any way we can initiate these updates over the air without disclosing our own Apple ID's credentials to the users?

It had also been suggested to create a new ID for each user and link it to their company email account, but this would mean increased help desk support queries and a lot more management of hundreds, maybe thousands, of accounts.


Any ideas would be appreciated.


  • AR1AN Level 1

    You will not be able to have a different Apple ID for each member without payment methods and purchase abilities for each member. What you can do is keep the account logged in on all iPads, disable app purchases and anything else from the Settings app (which will hide the App Store app) and have all iPads periodically connected to a PC/Mac for updates (requiring a passcode because of the disabled app purchasing). This cannot be done over the air without the password for the Apple account, but Apple will likely release a firmware update enabling this in the very distant future.

  • Stu109 Level 1

    Thanks for the reply Ar1an.

    If we leave all devices with the corporate account logged in then our users won't be able to make their own purchases/app downloads etc. Also, recalling all devices periodically for updates wouldn't be viable either, as there could potentially be thousands of devices, and who's to say that after one update, another might not be released shortly afterwards for the other apps. This would end up as a continuous process.


    Ideally what we need is the ability to push out maybe an updated config profile of some kind (over the air) which contains encrypted account credentials so the users can accept the updates without the need to reveal our ID password to them, thus still retaining the users' freedom to make their own purchases with their own personal IDs.


    I wonder if there are any MDM solutions that currently offer this. Surely this scenario will be affecting most companies at some point, especially as bring your own device is now on the agenda.

  • alexanderstein Level 1

    You should read the iOS 5 Education Deployment Guide, and search/grok the info associated with the concept of the "Layered Ownership Model" put forth in that paper.  For the perpetually lazy, like myself, see the quote below.


    While a Personal Ownership deployment allows the individual to own all content and an Institutional Ownership deployment allows the institution to retain ownership of all content, the Layered Ownership deployment allows for both parties to own their respective content on the same device.

    The Layered Ownership model offers the end user full control over his or her content while allowing the institution to retain ownership of purchased apps. This makes it an excellent deployment strategy for all users age 13 and over.

    Syncing with an institution’s iTunes account allows an organization to ensure that a prescribed set of apps exists on all iOS devices. These apps are synced to a device that has not yet completed iOS 5 Setup Assistant. Typically, the device is new or at factory defaults and must be running iOS 5.0 or later.

    The end user then uses his or her personal Apple ID to complete iOS 5 Setup Assistant, which configures built-in apps and services to use the personal Apple ID, including a personal iTunes account. The institution continues to manage apps from iTunes while the end user manages personal apps and content directly on the device. In the Layered Ownership model, the end user does not sync with any iTunes computer other than the institution’s sync station.

    Allowing end users to download personal apps and content is more likely to give them a sense of ownership so they may be more apt to protect the iOS devices. This may be helpful in a model where the devices are taken home, and the goal is to both guide and empower the end users. It may also be preferred for iOS devices provided to instructors and administrators.


    It is not just applicable to educational institutions, but enterprises as well. Long story short, you have the admin server/technician workstation with Apple Configurator installed managing the deployed apps (through VPP or other means for paid apps). Users can make their own changes so long as they do not sync their account via iTunes on another computer. With the advent of on-device App Store and iCloud, this is by design now. I do not think it is a positive development, but that is the way they envision it.


    Again, I recommend you read the PDF I link to.  The information in it is quite useful for understanding what Apple expects of administering their devices, although I would appreciate more detailed scenarios instead of very summarized, eagle-eye views.