Apple Firewall Issues

jesselvella's picture
No votes yet

Everyone,

Just a heads up that it looks like Apple may be using a different service now to load the App Store. I ran into the issue today where the App Store was blocked for all of our students' iPads. I ran a trace on the HTTPS traffic coming from the device when it said it couldn't connect and I found it trying to hit this IP: 69.192.18.217

That IP also resolves to the domain name of:

http://a69-192-18-217.deploy.akamaitechnologies.com/

I hope this helps anyone that may be having issues connecting to the App Store or maybe some can provide us with info on why the App Store seems to want to connect to that IP now.

Thanks!
Jesse

Third Party Keyboards.... Beware!

Jakey's picture
No votes yet

I just thought i would insert a quick note, as this isn't really documented anywhere on the internet yet that i can see...

The issue with Third party apps is that you can grant them full system access, which is great for those who want third party keyboards.

However, with that setting comes big consequences, as a result of this a keyboard can now interact with applications on a much deeper level, it can also now report home to the internet. This gives genuine applications visibility of what is being typed, most give privacy agreements around credit card and password fields which is fine.
But for those of us in the enterprise who are using these "secure containers" this is a serious breach of security, you could be unaware of the fact you are leaking sensitive information out to a third party.

Its important to know in order to prevent this all you need to do is make sure you have your corporate applications set as "Managed". Luckily our applications are already managed, so providing we never chose to manage third party keyboards.

There is an important extract in the latest Apple Security document detailing this;

For devices enrolled in mobile device management, document and keyboard extensions obey Managed Open In rules. For example, the MDM server can prevent a user from exporting a document from a managed app to an unmanaged Document Provider, or using an unmanaged keyboard with a managed app. Additionally, app developers can prevent the use of third-party keyboard extensions within their app.


Ensure that in your policy "Allow opening managed app documents in unmanaged apps" is unchecked to prevent third party keyboards. Resulting in the restriction named "Opening documents from managed to unmanaged apps not allowed" being set on the device under General > Profiles > Restrictions.
The setting of "Allow opening unmanaged app documents in managed apps" has no impact on third party keyboard, so this can stay set to suit your current corporate policy.

Hope this helps someone.

Supervision

No votes yet

What is Supervision?

Supervision was introduced by Apple in iOS 5 to differentiate institutionally-owned iPhones and iPads from personally-owned devices. Supervision is enabled using Apple Configurator, Device Enrollment Program — if purchased directly from Apple — or by GroundControl.

Supervision offers tremendous benefits to enterprises and institutions. It unlocks more than 20 additional management features, including single app mode, silent app push, and always-on VPN. Supervision also allows IT departments to restrict many features not appropriate for corporate-owned or shared devices, such as AirDrop, Messages, Handoff, and even Erase.

Despite the benefits, the supervision process had been too cumbersome for most organizations. According to a major MDM provider, fewer than 10% of all institutionally-managed devices are supervised.

Supervision features by iOS release:

  • App Lock (Single App Mode)
  • Global HTTP Proxy
  • Block iBookstore, iMessages
  • Block Game Center

 

  • Block AirDrop, AirPlay, etc.
  • Disallow Host Pairing
  • Activation Lock Bypass
  • Autonomous Single App Mode
  • Web Content Filter
  • Set background & lock screen
  • Silent App Push

 

  • Always-On VPN
  • Prevent Cloud Sync
  • Prevent Spotlight Internet results
  • Prevent Handoff
  • Prevent Erase
  • Prevent Restrictions UI
  • Prevent installation of Configuration Profiles by UI

 

Applescript for verification emails

johnyn's picture
No votes yet

I created an AppleScript to automate clicking the verification link and signing in. The script is messy...I just wrote it and used it today and haven't cleaned it up or commented at all.

The workflow I'm using it with is like this:

Use the Apple ID creator script, using the same password for all of the accounts.
Setup an Outlook rule to move verification emails to a folder named "AppleVerify".
Create another folder named "AppleVerifyDone".
Then I run this script.

The script will scan through AppleVerify to grab the verification link and the apple id, opens safari to that link, input the Apple ID, and inputs the password. Then it closes the safari window and moves the email to AppleVerifyDone.

Again, it's really messy and it will probably break for you since I wrote it specifically for my workflow. But I figure it might help someone out.

Rename .txt to .scpt
Edit the idpassword and emaildomain variables

Apple Configurator 1.6 is out...supports iOS 8

No votes yet

Apple has updated its free tool for supervising and configuring iOS devices. Apple Configurator is available now on the Mac App Store.

Note bullet #1: it may have a big impact on some established workflows.

Quote:

Apple Configurator 1.6 contains improvements and bug fixes including:

  • Devices are erased before restoring a backup
  • Support for new configuration profile payloads and settings introduced in iOS 8
  • Content Filter: Plug-in filter type
  • Domains
  • Email & Exchange: Per-message S/MIME encryption switch
  • Restrictions: Allow Handoff, Allow iCloud sync for managed apps, Allow backup of enterprise books, Allow notes and highlight sync for enterprise books
  • Restrictions (supervised only): Allow Erase all Content and Settings, Allow configuring restrictions, Allow Internet results in Spotlight
  • VPN: IKEv2 connection type and Aways-on VPN

(As an alternative, check out the new GroundControl Smile )

Start downloading: iOS 8 is now available

No votes yet

There you go, folks. iOS 8 is released and available. Good luck!

Update: Build# 12A365, which is the same as the GM released last week.

JavaScript for Automation

Aaron Freimark's picture
Your rating: None (5 votes)

So there's this: https://developer.apple.com/library/prerelease/mac/releasenotes/Interapp...

Now who wants to port the Apple ID creator? Smile

How to efficiently update many devices to iOS 8 using Apple Configurator

No votes yet

[UPDATE: MAKE SURE THERE IS ENOUGH DISK SPACE ON THE DEVICE!! Configurator doesn't handle low disk space gracefully...the device will be forced into recovery and you will need to erase the device.]

Apple is releasing iOS 8 tomorrow, and you know what that means. Gigabytes of data streaming through your WAN connection, making real work next to impossible to get done.

But it doesn't need to be that way. You can use Apple Configurator to download once, and upgrade many devices quickly, safely and efficiently. Be the superhero of the day by getting your colleagues iPhones and iPads updated in the least amount of time possible.

Note: FOLLOW THESE INSTRUCTIONS CAREFULLY. You don't want to be the guy who asks, "Why didn't you have a backup?"

Step 1: Find a Mac. Any Mac will do. Connect it to the biggest USB hub as you can find.

Step 2: Download Apple Configurator from the Mac App Store.

Step 3: Launch Configurator.

Step 4: Make sure the "Prepare" tab is selected.

Step 5: Set up the options EXACTLY as they are here. Pay special attention to make sure "Supervision" is off and "Erase before installing" is UNCHECKED.

Step 6: Make sure you aren't installing any apps and aren't setting anything in setup, in their respective tabs.

Step 7: Double-check the settings. Make sure you have no iOS devices connected via USB.

Step 8: Click the "Prepare" button at the bottom of the screen.

Step 9: Connect the first iOS device. Configurator will download iOS 8 and install it.

Step 10: Connect the second iOS device. It is safe to do this while the first is downloading. It won't download the same file twice, but it will download the unique version for that model when needed.

Step 11: After download and install, disconnect the device.

Step 12: When you have upgraded all the devices you want, click the "Stop" button.

Good luck tomorrow, and let us know how it goes. Who among you will upgrade the most devices?

(Pro Tip: The cached firmware takes up a HUGE amount of space. To clear them out, look in the path /Users/USERNAME/Library/Containers/com.apple.configurator/Data/Library/Caches/com.apple.configurator/Firmware.)

VPP/MDM Not a Happy Combo anyone?

HCCSC John H's picture
No votes yet

That may seem like a vendor complaint but truly seeking answers to who else on other MDM platforms is experiencing this.
For the first month of school our MDM is truely struggling with pushing out paid VPP apps to devices and continually has major VPP licensing issues. As in it thinks that we do not have any licenses to distribute VPP apps normally and we need to go thru a long time consuming procedure per unit to get paid apps on devices involving 'retiring' the current VPP user in MDM, recreating that units VPP 'user' in our MDM and then doing a manual association of paid apps to that device, plus many other 'workarrounds'. So far our MDM provider has indicated issues with VPP syncing with their product and has issued 2 Server SW patches to address issues in the last month, both of which we have limited success with. Other K-12 Districts have similar VPP issues with this particular MDM product. Up to this point we have been extremely happy with our MDM providers support, but this month of basically silence while we suffer with this issue with very little communication has left a very bad taste in out mouth for their product and honestly looking other directions for a MDM solution.
Anyway, all of that to ask with your MDM have you had any issues where the VPP licenses under normal conditions about 60-70% of the time will not associate correctly with a iOS device and an Apple ID 'user' unless you do a long drawn out procedure per device to address? With over 3500 devices at this pace it will be past Christmas break before we get the paid apps issues addressed on units.

iOS 8 will be available September 17

No votes yet

At a press event today, Apple announced that iOS 8 will be publicly available on Wednesday September 17. The update is free and compatible with:

  • iPhone 5S
  • iPhone 5C
  • iPhone 5
  • iPhone 4S
  • iPad Air
  • iPad with Retina Display
  • iPad 2
  • iPad mini with Retina Display
  • iPad mini
  • iPod touch 5th Generation

So test out those caching servers (and if inclined those DNS blocks).

Introducing GroundControl: USB Setup for iPads and iPhones, Managed in the Cloud

Your rating: None (8 votes)

[Editor's note: Folks, for the last nine months or so I've been working on a pretty big project, and today I'm happy to help reveal it to you. Much of what I've learned has come from this community. Thank you! And if you are in Atlanta at AirWatch Connect, please stop by the expo and say hi.]

GroundControl is a new system for streamlining iOS deployment, launching today. Plug in a USB cable, and GroundControl supervises, restores a base image, and installs configuration profiles, on out-of-the-box iPhones and iPads and without a screen touch. The multiple "Launchpad" base stations are managed by the cloud, helping ensure a consistent experience no matter how large your deployment is. If you like, think of it as "Configurator in the cloud".

Perhaps the best way to get a feel for the product is to take a look at the demo video below:

Visit the site http://www.groundctl.com for an FAQ and a signup for a trial. If you have questions please ask.

-- Aaron

The press release follows.

What does "Expanded data protection" actually mean?

banthafodder's picture
No votes yet

I've been wondering this for quite some time and haven't been able to figure it out. Apple has touted the following as a new feature coming in iOS 8.

"In addition to Mail and third-party apps, the Calendar, Contacts, Reminders, Notes, and Messages apps as well as user credentials are protected with a passcode until after the device is unlocked following a reboot."

What does that actually mean? It seems incredibly vague. Does that mean those applications will be able to have their own passcode at the application level instead of the device level? If not, then what is actually different from how passcodes worked before? Hasn't "protected with a passcode until after the device is unlocked following a reboot," always been the case when a passcode is being used?

Reselling of iPad to end user - Apple ID is stuck

cmasonrun's picture
No votes yet

We have a program that is just getting off the ground that allows our franchised users to purchase an iPad from us with good financing terms and the company specific apps to be preloaded when they receive it.

The problem we are running into is, since we are using Configurator to setup the iPads (download Google Chrome and Podcasts among others). When the user receives the iPad, it is not tied to an Apple ID but when Google Chrome releases an update, then the update screen prompts for the password that was originally used to download the app.

Is there any way to avoid this?

We currently,
Setup email, download apps, and download some content within the apps. Some of this is automated through Configurator and some is manual. If we move to a completely manual process we still get the same issue as an Apple ID is required to download the free stuff.

The devices will not be supervised nor will they be ever touched again by our IT staff. These are resold to the end user and setup as a value added service.

Apple expands iTunes VPP to 16 new countries

Your rating: None (5 votes)

Apple has announced that its iTunes Volume Purchase Program is now available in 16 additional countries. The full list is now:

Australia, Belgium, Canada, Denmark, Finland, France, Germany, Greece, Hong Kong, Ireland, Italy, Japan, Luxembourg, Mexico, Netherlands, New Zealand, Norway, Singapore, Spain, Sweden, Switzerland, Taiwan, Turkey, United Arab Emirates, United Kingdom, and United States.

In addition, Apple is now allowing VPP credits to be purchased through resellers (at least in the U.S.). Previously, credits were sold direct only. Support your favorite reseller and purchase locally!

can a sideloaded app with apple configurator be independantly updated by another apple id?

dvincent's picture
No votes yet

i have a question about the nature of app updates on iOS7 that are sideloaded using the apple configurator. Is there any technical reason why apps sideloaded on an iOS 7 device cannot be later updated with another signed in apple id?

i looking into sideloading the MobileIron MDM client using the apple configurator, but only if the mobileiron mdm client can be updated from the apple app store using the owner's own personal apple id?

Does anyone have any experience with sideloading MDM client ipa files using the apple configurator?

Regards,

Dave

About This Site

  • Enterprise iOS is a community for administrators of the iPad, iPhone, and related devices. All content is available to browse. We encourage you to create an account to submit stories, edit wiki pages, and post to our forum.

Comparison of MDM Providers

Recent Activity

Who's New