Happy Trails iOS 10: Apple stops signing 10.3.3

Your rating: None (1 vote)

In the 15 days since September 19, Apple has released two patch updates. Today they stopped signing iOS 10.3.3, meaning you may no longer downgrade devices to iOS 10.

“Signing” is a colloquial term. When Apple is signing a particular iOS version, it is monitoring and permitting iOS devices to be upgraded (or downgraded) to that iOS version. During the iOS install process, a cryptographic request is sent to Apple with information about the iOS device and iOS version. The response from Apple must be cryptographically “signed” for the install process to proceed. No signing, no install. No woman, no cry.

When Apple releases a new iOS version, it usually does not immediately stop signing the preceding version. iOS 10.3.3 was signed for 15 days after iOS 11 was released. For a period of about 24 hours, Apple was signing a full FOUR versions for many iOS devices: 10,3.3, 11.0, 11.0.1, and 11.0.2.

So for a period of a few days, you can upgrade to, or even downgrade to, a not-so-new version. The process to do that can be a bit tricky: you need to obtain the correct IPSW file first, and use a special key combination (Option) in iTunes to select the file.

We recommend the site [https;//ipsw.me IPSW.me] to check signing statuses and download individual IPSW files for a particular device and version.

GroundControl users: we automatically take care of this process, simply enable iOS Update Delay to use the previous version for as long as possible.

Apple releases a white paper on “Face ID Security”

No votes yet

Apple has released a white paper on the security of Face ID — it’s new facial recognition and unlocking system in the upcoming iPhone X. You should get the PDF from here: https://images.apple.com/business/docs/FaceID_Security_Guide.pdf

Here’s a bit I thought was interesting: “Face ID data, including mathematical representations of your face, is encrypted and only available to the Secure Enclave. This data never leaves the device. It is not sent to Apple, nor is it included in device backups.”

Impress everyone with these eleven iOS 11 tricks

Your rating: None (3 votes)

The Wall Street Journal's Joanna Stern compiled eleven iOS 11 features into this cute video. My favorite was the new "large attachments" list.

About the security content of iOS 11

Your rating: None (2 votes)

https://support.apple.com/en-us/HT208112

I count 15 vulnerabilities fixed.

Configurator 2.5 has been released

Your rating: None (4 votes)

Apple has released Configurator 2.5 on the Mac App Store.

The most important feature of this new release is the ability to provisionally add devices to Device Enrollment Program (DEP). We wrote about the ins-and-outs of provisional DEP a few days ago.

Other features of AC2.5:

  • Skip Tap to Setup and Keyboard Chooser panes in iOS Setup Assistant
  • Skip Sign in to TV Provider pane in tvOS Setup Assistant
  • Optionally preserve data plan when erasing device
  • New profile payloads and restrictions for iOS including Restrict VPN Creation, AirPrint Security, DNS Proxy, and Managed class behavior on supervised student devices for Classroom
  • New tvOS payload for AirPlay Incoming Security
  • Support for configuring tvOS devices running tvOS 11 on the local network subnet

Deep dive podcast on iOS 11 in the enterprise

Your rating: None (1 vote)

A few days ago I joined Russ Mohr and Jack Madden, for a discussion of iOS 11 in the enterprise. That discussion is now a podcast, hosted by brianmadden.com.

Here's how Jack summarized the discussion:

  • First, we recapped some of the improvements in iOS 10.3 (and 9.3) and how customers have been using them—iOS really has a lot for kiosk and enterprise-owned use cases.
  • iOS 11 is coming out tomorrow. You can watch the WWDC session about MDM, the deployment guides should be updated soon, and now you can even read the full MDM protocol documentation without a developer login.
  • We gave an overview of the Device Enrollment Program, or DEP (as well as the merits of pronouncing it “Dep” versus “D - E - P”).
  • With iOS 11, any device can be brought into DEP. This could be big for refurbished devices.
  • Tethered management has a lot of advantages in many corporate-liable use cases; we also covered caching in macOS 10.13 High Sierra, as well as the future of potential caching hardware.
  • Blocking iOS updates is still an often-requested feature, and there’s no MDM control for it—and likely there won’t ever be. So for network admins that have to deal with a bunch of 2GB iOS 11 downloads on Tuesday, good luck!
  • Aaron talks a bit about Ground Control, a unique (and EMM-neutral) tool in our industry.
  • Is it time for Apple to make some improvements on the BYOD side? How about connecting devices to multiple MDM servers, with limited rights? Or making privacy more explicit? This is one of Jack’s soapbox topics (see here); we’ll see what comes up in a dot version or iOS 12 or 13.
  • We talk Face ID—many of the questions and answers that we had around Touch ID should apply here. MDM can prevent Touch ID from being used to unlock devices, we should find out soon if this will apply to Face ID.
  • The Apple Watch Series 3 has its own cellular connection, but for now, all signs point to it being dependent on a host iPhone. As such, it will inherit a few MDM controls: IT can enforce wrist detection mode, and on supervised phones, IT can block pairing. But it’s also easy to see that this device will evolve to be independent in another generation or two, and then probably have its own MDM support.

It was fun to record, and I hope this becomes a recurring feature.

iOS 11 & Provisional DEP: Questions and Answers

Your rating: None (3 votes)

What is Provisional DEP?
Apple Configurator 2.5 can add any iOS device to Apple’s Device Enrollment Program (DEP), so you can use this streamlined process for setup and enrollment.

Before this change, Apple required proof of ownership of a device in order to approve DEP enrollment. In practice, this usually meant that only new devices purchased from specific resellers were eligible. Now any iOS device can be enrolled into DEP. But there are some specific conditions to pay attention to.

What are the requirements?

  • Your devices must be updated to iOS 11.
  • The process will erase devices. It will not preserve data.
  • You need to plug in devices into a Mac (once) to start the process.
  • The technicians running the process will need credentials to the DEP portal.
  • You may need to manually assign devices in the Apple DEP portal and/or MDM server to complete the process.
  • For 30 days after enrollment, users may choose to leave DEP (and MDM). DEP is permanent only after the 30 day provisional period has elapsed.

What? Users may leave DEP within 30 days?
For a period of 30 days after provisional enrollment, users are able to remove MDM and opt out of DEP. The lock screen will display small text, instructing users that they can “leave remote management in Settings:”

And in Settings > General > Device Management, users have the ability to “Leave Device Management.”

These options appear even if you set MDM enrollment as mandatory. After 30 days, these notices disappear. At that point the device is permanently in DEP.

What happens when a user decides to leave remote management?
When a user ops out of DEP the device erases itself, removing any corporate (and personal) data. The device also removes itself from your MDM server. Finally, the device serial number no longer appears in the DEP portal.

After a user leaves remote management, you may use Apple Configurator 2 to add the device to DEP again. The device will begin a new 30-day provisional enrollment.

Is there a way to remove that button and notice, so users can’t opt out?
No. The notice and button are there for 30 days.

While provisional, if I erase the device does it remain in DEP?
Yes. The device remains in DEP after it is erased, just like standard DEP.

Does Configurator allow me to assign an MDM server to the device?
No. MDM server assignment must be done in the DEP portal (deploy.apple.com) just like standard DEP. Within the DEP portal, devices are placed in a container called “Devices Added by Apple Configurator 2.” You must log into the DEP portal and manually assign devices to an MDM server. Until you do that, devices will not behave as DEP devices.

There is a checkbox in Configurator to “Activate and complete enrollment.” This checkbox can be confusing, since it takes the newly-added DEP device and enrolls it as a non-DEP device. You may find it simplest to perform the actions in the following steps:

  1. Use Configurator to add devices to DEP, but do not “Activate and complete enrollment”
  2. Log into the DEP portal, find the serial numbers of the recently added devices, and assign these to your MDM server
  3. Continue setting up the devices, which should now use streamlined enrollment, as usual

I have multiple DEP profiles in my MDM. Does Configurator allow me to assign a profile to the device?
No. Profiles must be assigned using your MDM server, just like standard DEP. But if you have a default profile assigned, the choice is respected.

If I “disown” a device using the DEP portal, can I use provisional DEP enrollment to return it to DEP?
Yes. This is good news, since previously “disown” was permanent.

Does this help with BYOD or personal devices?
No. DEP and supervision remain appropriate only for corporate-owned devices.

I have 1,000 devices that I want to put into DEP. What can I expect from the process?
Provisional DEP is intended to deal with exceptional devices, a small percentage of an otherwise all-DEP fleet. If you want to enroll a large number of devices, you may expect some challenges.

First, devices will need to tether devices to a Mac. Provisional DEP is not an over-the-air operation. You may, however, use a USB hub to work on several devices at once.

Second, be aware that Configurator will prompt for a DEP portal login. Most companies restrict employee access to the portal, for good reasons. You will need to provide credentials to your technicians. Note that Apple requires all DEP portal logins to use two-factor authentication, typically via SMS, so you may not be able have technicians share an account.

Third, the enrollment process will erase devices. So you must expect to re-provision devices as part of this process. If you already have a streamlined provisioning process for DEP devices, you’ll be in good shape. But if DEP is new to your organization, or to this particular use case of your devices, you may need to architect a new process. (A tool like GroundControl can dramatically speed device provisioning, especially for shared DEP devices.)

Finally, all devices will need to be updated to iOS 11 before the process begins. Configurator or GroundControl can update devices efficiently. You will want a high quality USB hub for this part, to make the process as robust as possible. Hubs from Datamation and Cambrionix are recommended.

Do these provisional devices work with GroundControl’s DEP workflows?
Yes. To GroundControl, these devices behave like every other DEP device, during and after the 30-day provisional period. Once you use Configurator to add these to DEP, you may use GroundControl to image the devices, restore a common backup, manage your MDM, etc. Add a supervision identity to your DEP profile to streamline GroundControl’s management.

Will GroundControl incorporate these new Configurator features?
Provisional DEP enrollment is a one-time operation. Today, we recommend you plan to use Configurator for this one-time addition of devices, then use GroundControl to provision the devices and for ongoing automated maintenance.

We are looking at options to support this without Configurator. The requirement for DEP portal login, with two factor authentication, makes this process difficult to incorporate at scale. But we continue to do research, because we understand our customers don’t always have Macs available.

Apple could easily improve the process with a spreadsheet upload to the DEP portal, or a public API. Perhaps you’ll help us make a feature request?

Tethered Caching is much better in macOS High Sierra

Your rating: None (1 vote)

Apple has posted an article detailing changes to tethered caching in macOS 10.13 "High Sierra." Caching used to require a Mac running their $20 Server app, but no longer.

  • Content Caching is now built into every Mac
  • Prior to macOS 10.13, Tethered Caching was launched from the command line. Now it's a simple checkbox in the "Sharing" preference pane
  • Caching recommends Ethernet, but Ethernet is no longer required
  • A number of advanced options are available if you hold down the Option key, including specifying parents to create a hierarchical caching system
  • Tethered continues to work great with GroundControl for mass-device provisioning

I'll post more info and screenshots when we get closer to release.

Alert: Apple requires action on September 19 for DEP to keep working

Your rating: None (3 votes)

Apple has posted a notice that new Terms and Confiditions for the Device Enrollment Program (DEP) will be posted on September 19. This is a big deal, because until the agreement is accepted, new DEP devices will not automatically enroll into MDM. (Existing DEP devices won't be affected.)

DEP administrators can't approve the new agreement; it must be approved by your DEP "agent." The agent is the person who originally set up DEP for your organization. There is only one agent per organization.

You may want to log into the DEP portal today, so you can be absolutely sure you know who your organization's agent is. And make sure that person isn't on holiday next Tuesday.

Apple says:

If you don’t accept the agreements

Devices that were assigned to a Mobile Device Management (MDM) server in Apple School Manager or the Device Enrollment Program won’t be affected. If you Erase all content and settings on a device, the device is still assigned to the same MDM server and the same settings are applied during setup.

However, these conditions apply until the new agreements are accepted:

  • Apple School Manager instructors and managers can reset user passwords and send or print login information, but other site functions will be disabled.
  • Device Enrollment Program admins (other than the Agent) won’t be able to log into the Device Enrollment Program portal until the Agent accepts the updated agreements.
  • In ASM and DEP, you can’t assign new devices to your MDM server, even if you have selected the option to * automatically assign new purchases to a specific MDM server.
  • Your MDM server might report an error message like "403 T_C_NOT_SIGNED” when communicating with Apple’s device management servers.

The third bullet is the one to pay attention to. Most organizations automatically assign new devices to an MDM server. This will stop working on September 19, until you accept the new agreement.

It seems impossible to accept or even review the new agreement prior to September 19. Hopefully your organization can be prepared to halt deployments during this period.

A curated list of enterprise mobility articles and resources

Your rating: None (13 votes)

Mobile Crusaders: bookmark this page right now. Jack Madden, my favorite observer of mobility in enterprise, has compiled his favorite resources into an indispensable guide. And I don't say that only because he mentions me! It's up to date (despite the URL) and almost perfect — if only GroundControl was included next to Configurator it would be. Smile

Apple’s new Tethered Caching is so good you may want to buy some Macs

Your rating: None (7 votes)

Tethered caching is a major new system from Apple to speed up device provisioning, app installs and app updates. It’s most helpful in places where many iPhones and iPads are clustered together, such as healthcare, retail, and hospitality. But it only works if you have updated iPhones and Macs (yes, Macs).

Tethered caching provides two separate but related features: tethered networking & app caching.

  • Tethered Networking: When active, all network traffic from the iOS device will be routed through the USB connection and out the Mac’s Ethernet connection. This includes web pages, MDM instructions, and push notifications.
  • App Caching: App Caching dramatically speeds up app installs if you are doing repetitive provisioning. As your tethered devices download apps, the Mac inserts itself as middleman, and will save copies of each installed app. Subsequent installs of the same apps (on the same or other tethered devices) are much quicker, since the apps load from the Mac’s hard drive instead of the Internet.

Continue reading our analysis at groundctl.com.

Running tethered-caching at Startup

Your rating: None (6 votes)

Apple’s new tethered-caching service is an extremely powerful new addition to iOS management, at least if you are using Macs to aide your deployments. Once you get it running properly (see this article), you’ll probably want it running all the time. But it is not quite obvious how to get the service to launch at startup. The service actually requires an interactive Terminal, so normal launchd daemons can’t be used.

Over at groundctl.com, we're really excited because it complements our device provisioning software so well.

We figured out how to launch tethered-caching at startup, by using a Terminal command document and a little visudo magic. Check out our step-by-step instructions for launching tethered-caching at startup.

Push notifications to iOS require WiFi link when Ethernet used

Your rating: None (5 votes)

There appears to be a bug in iOS (10.3.1) with push notifications and Ethernet. We use the Apple Lightning to USB 3 Camera Adapter and a USB Ethernet adapter to provide network to devices in the field. During a troublesome deployment we discovered that the Apple Push Notification Service (APNS) does not establish a connection if the WiFi radio is off or not joined to a known network. That WiFi network does not need to have valid internet, or even DHCP available, the device will choose a self assigned IP and then the APNS connection will use the Ethernet adapter.

I imagine this has something to do with how APNS behaves when both Cellular and WiFi are available. I'm curious if Apple TV has a similar bug, I imagine not, given the fact the Ethernet is built in and likely a more common scenario. Although a seldom used feature, the Lightning to USB to Ethernet configuration was feature in a past keynote (https://sixcolors.com/post/2016/03/apples-lightning-to-usb-3-adapter-bri...).

MDM commands are triggered by APNS messages which means MDM is not functional in an Ethernet only environment.

It was a tricky one to discover, requiring packet captures, and other network analysis to isolate, I hope this helps someone else in the future.

Radar:
http://www.openradar.me/31494325

More about tethered caching

Your rating: None (7 votes)

Apple had posted a knowledge base article on the new tethered caching service in macOS 10.12.4: https://support.apple.com/en-us/HT207523

Apple releases iOS 10.3 with some improvements for the enterprise

Your rating: None (5 votes)

Apple today release iOS 10.3 for iPhones, iPads, and iPods. The update includes a few features of interest for enterprise users:

  • Wi-Fi Restrictions prevents users from manually selecting Wi-Fi networks (that's a big one!) — supervised devices only
  • The ability to tether devices to a Mac to proxy network connections through the Mac
  • A caching server built into the Mac to support tethered app and iOS updates
  • Lots of new MDM features aimed at Apple TV
  • OAuth 2.0 support for Microsoft Exchange
  • More fine-grained settings for cellular configuration profiles
  • A few changes for education users
  • Configurator 2.4 — supporting iBooks, ePubs, and PDFs

Want to know more? I recorded a podcast with Russ Mohr from MobileIron. Have a listen below!

Listen to "The Impact of iOS 10.3 on the Enterprise" on Spreaker.

Recent Activity