Step by step MDM configuration?

We are piloting a batch (36) of iPads in our school district. I am looking to manage these using MDM. Initially I was looking at using Meraki for the management capabilities but found that the inability to push apps to the iPads without having to enter passwords was not going to work for us. So, I am now embarking on getting the Profile Manager set up in OS X Mountain Lion. I believe I have most of the pieces in place. However, I cannot push any configurations or apps to the iPads.


Here is what I have set up and done so far:


I have a MacBook Pro running the server and Profile Manager.

I have two local users set up in the server for management.

I have self-signed certificates installed though I am not 100% sure they are correct. They are valid and I set them up according to instructions from others who have done this. I do not have a purchased SSL certificate.

In Profile Manager I have the New Enrollment Profile installed and that has been downloaded into Configurator.

I have the Trust Profile loaded in Configurator as well.

Our server is on an internal network and has been configured with a private host name. We will not be managing devices outside of the network.

I have opened the ports in our firewall as required.

Our server has a static IP on our wired network and the DNS for the server name is working fine.


I am able to prepare and supervise the iPads and load the trust and enrollment profiles. After much tinkering I worked out some of the bugs that prevented that.

One issue I am not sure of is if the device is enrolling in the MDM automatically. In one case I saw the device show up in Profile Manager without any intervention. Later I did one that did not show up. Just testing, I went to the mydevices Profile Manager on the iPad and enrolled it. It showed up in Profile Manager. So, something is not correct there.


Last, when the device is showing in Profile Manager, I cannot push anything out to the device. It just says "sending" and that is it.


What I would love to see is a step by step from someone who has been through this in a similar situation. Or, at least give me an idea as to what I might be missing. I am thinking the server side is set up OK, with the possible exception of the certificates. Configurator seems to be doing what it is supposed to, albeit not consistently.


If anyone has some ideas I could try I would really appreciate it!

Thanks!

MacBook Pro, OS X Server

Posted on Feb 19, 2013 4:47 PM


Feb 19, 2013 6:27 PM in response to PVSDTech

Err, you still have to enter the iTunes password if you're pushing apps out, regardless of MDM. The apps have to be authorized on the device, even VPP.

Personally I think you're making a mistake not using a real domain name on the server and setting it up for both inside and outside iOS management. You don't have to use it, but it's there if needed later, rather than having to start all over again.

When you say supervise iPads, I'm not sure if you can both supervise (Apple Configurator) and use an MDM solution; I would think not.

I use Apple Configurator to update iOS if needed, install Auto enrollment profile, enrollment wireless and MDM trust cert. In Apple Configurator you should have auto join device enrollment, trust cert, whatever profile you're using to install wireless profile.

If the device is enrolling automatically, you'll get prompted to install profiles on the device and the device will appear in PM. This is without visiting the device enrollment website.

After successful enrollment you should have trust cert, remote management, and whatever profile name you used to add the enrollment wireless (from Apple Configurator).

Then I push everything from the MDM: user settings, device settings, user wireless, etc.

The enrollment wireless is for enrolling devices only. Depending on what profiles a user deletes, I can use enrollment wireless to push settings back out if needed. Once enrollment wireless is turned off the devices will join the correct pushed user wireless.

Feb 19, 2013 8:16 PM in response to iToaster

Thanks for the input iToaster


I have been able to push apps via Configurator without entering the password on the iPads. This was done using a process I found the other day where a free app was authorized, pushed and then the configuration was backed up. I don't have all of the details right now but it worked. I did not have to enter passwords when pushing out future apps. If the case is that the Apple MDM still requires authentication for pushed apps, why use it when other, easier ways are available? Having to authorize those apps potentially opens up risks with security in my opinion.


I would consider an outside domain if I knew we would be using it. But for the foreseeable future all of our devices will be in-house.


I read that the iPads need to be supervised in order to manage them in the Profile Manager. If that is wrong I would like to know if anyone else has had to deal with that. Unfortunately Apple doesn't provide any useful instruction in the area, which makes it even more frustrating.


When I set up the iPad I do see the remote management and trust profiles. However, the only time I was prompted to enroll one of them was in an initial test and it did appear in Profile Manager. However, nothing could be pushed to it.


I would be curious to know the steps you take to get the configuration set up in the server. I am at the point where I can reload it all and start over. I am not averse to that if it will remedy this.

Feb 20, 2013 5:34 AM in response to PVSDTech

Last time I looked at Apple Configurator, supervising iOS devices with Apple Configurator "binds" them to the machine that was used to supervise them. You can't manage them with another machine or an MDM as far as I'm aware.

Sorry, I didn't explain the app authorisation fully. The reason you're able to push apps out is you've already authorised them with an iTunes account and password; the same thing applies to the MDM. Once you've authorised an app, that authorisation you've done allows other apps to be installed, providing you're using the same iTunes account.

You might find problems if users try to install/sync apps on the devices with iTunes on a machine and a user's personal iTunes account. This seems to cause an authorisation conflict. The user's iTunes on their computer will not have authorisation for the apps you've pushed, and the pushed apps will be disabled and will not open. If the users only update and install apps on the device itself you won't have this problem. You may also come across a similar thing when authorisation expires; I'm not sure what the phone home time limit is on apps. I'm not sure if this behaviour is still inherent in iOS 6.xx; I'm yet to update the majority of iOS devices. I have only updated some test devices. It's relatively easy to fix if it does happen: just delete one of the apps installed on the corp iTunes account and reinstall it. That will re-authorise the apps.

Pushing out apps from the MDM requires user input; each app has to be OK'ed by the user. They will see a popup window with server name wants to install bla bla, OK, Cancel, or words to that effect.

Something doesn't sound right if your auto enrolment works sometimes and not others. For auto enrolment you have to enable it in Profile Manager and get the auto enrolment profile into Apple Configurator; if that's not there, auto enrol won't work. There are also restrictions you can apply to the enrolment process which may be affecting you. And sometimes the enrolment process can go awry; if it does, remove the device from PM if it's there, remove all profiles and start again.

Re your PM profile not sending: do you have the correct ports open, and the server push iTunes account working? Is the server able to phone home to Apple?

Feb 21, 2013 2:53 PM in response to PVSDTech

Have you checked out MokiMobility? With our platform, we are able to leverage the technology of Apple Configurator and give you full control to push and remove apps. Not only control the app/content that is being displayed on the iPad, but also give you the ability to monitor the iPad itself, i.e. battery life, wifi connectivity, push apps to the device, security, and even physical location of the iPad.


Let me know if you want to check it out and I can do an online demo for you.


<Personal Information Edited by Host>

Apr 17, 2013 4:40 AM in response to bubblegoose

I already configured some iPads with "Configurator" and put them under supervision. Configurator created a self-signed certificate and put it under the "Supervision Profile" on every iPad. When you look at the expiration date of the certificate you can see that it will expire exactly one year after installation of "Configurator", the day when the self-signed certificate was automatically created by "Configurator".


I plan to configure the iPads over the air with an MDM and I won't have access to the devices after deployment anymore. What will happen after one year, once the self-signed certificate of the "Supervision Profile" has expired? Will I still be able to change settings via MDM for which supervision mode is needed and push new profiles to the devices?


How can I renew the certificates within the "Supervision Profile"? It seems like "Configurator" doesn't do that automatically.
