Apple has published a list of security content in iOS 7.1.1, which was released this afternoon. Here are the highlights:
- CFNetwork HTTPProtocol: An attacker in a privileged network position can obtain web site credentials
- IOKit Kernel: A local user can read kernel pointers, which can be used to bypass kernel address space layout randomization
- Security - Secure Transport: An attacker with a privileged network position may capture data or change the operations performed in sessions protected by SSL
- WebKit: Visiting a maliciously crafted website may lead to an unexpected application termination or arbitrary code execution
Quite a bit for a dot-dot-one release. Set your compliance rules accordingly and encourage updates.
I'm curious: do any of you have stats on how quickly your users update?
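As an added example, not part of the original post, here is the kind of compliance check the post suggests: it walks an MDM inventory export and buckets devices by whether they carry the 7.1.1 fixes, carry only the 7.0.6 Secure Transport fix, or predate both. The CSV column names and every serial number are constructed assumptions, not any MDM vendor's real export format.

```python
"""Compliance check over a constructed MDM inventory export (hypothetical column layout)."""
import csv
import io

# Version thresholds taken from the release notes quoted on this page.
MIN_VERSION = "7.1.1"       # current release: CFNetwork, IOKit, Secure Transport, WebKit fixes
SSL_FIX_VERSION = "7.0.6"   # first release restoring Secure Transport validation

# Constructed sample export. The serials are placeholders; 7.1.10 is a made-up
# build included only to show why versions must not be compared as strings.
SAMPLE_INVENTORY = """serial,model,os_version
CONSTRUCTED001,iPad 2,7.1.1
CONSTRUCTED002,iPhone 5,7.1
CONSTRUCTED003,iPod touch (5th gen),7.0.6
CONSTRUCTED004,iPhone 4,7.0.4
CONSTRUCTED005,iPad mini,6.1.3
CONSTRUCTED006,iPhone 5s,7.1.10
"""


def parse_version(text):
    """Turn '7.1.1' into (7, 1, 1) so versions compare numerically.
    A plain string comparison would rank '7.1.10' below '7.1.2'."""
    parts = [int(p) for p in text.strip().split(".")]
    while len(parts) < 3:
        parts.append(0)  # treat '7.1' as '7.1.0'
    return tuple(parts)


def classify(os_version):
    """Bucket one device by the fixes its iOS build is known to contain."""
    v = parse_version(os_version)
    if v >= parse_version(MIN_VERSION):
        return "compliant"
    if v >= parse_version(SSL_FIX_VERSION):
        return "outdated"   # has the SSL fix but lacks the 7.1.1 fixes
    return "critical"       # predates the Secure Transport validation fix


def audit(csv_text):
    """Return serials per bucket plus the share of devices on MIN_VERSION or later."""
    buckets = {"compliant": [], "outdated": [], "critical": []}
    for row in csv.DictReader(io.StringIO(csv_text)):
        buckets[classify(row["os_version"])].append(row["serial"])
    total = sum(len(b) for b in buckets.values())
    adoption = len(buckets["compliant"]) / total if total else 0.0
    return buckets, adoption


if __name__ == "__main__":
    buckets, adoption = audit(SAMPLE_INVENTORY)
    print(f"devices on {MIN_VERSION} or later: {adoption:.0%}")
    for name, serials in buckets.items():
        print(f"{name}: {serials}")
```

Re-running the audit against successive exports gives the adoption curve the post asks about; the "critical" bucket is the one to chase first.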
Apple has released iOS 7.1 for iPhone 4 and above, and iPad 2 and above. Release notes are below. For direct download links, see our database of iOS Devices (which should be getting an automatic update shortly).
- iOS experience designed for the car
- Simply connect your iPhone to a CarPlay enabled vehicle
- Supports Phone, Music, Maps, Messages, and 3rd-party audio apps
- Control with Siri and the car's touchscreen, knobs, and buttons
- Manually control when Siri listens by holding down the home button while you speak and releasing it when you're done as an alternative to letting Siri automatically notice when you stop talking
- New, more natural sounding male and female voices for Mandarin Chinese, UK English, Australian English, and Japanese
- iTunes Radio
- Search field above Featured Stations to easily create stations based on your favorite artist or song
- Buy albums with the tap of a button from Now Playing
- Subscribe to iTunes Match on your iPhone, iPad, or iPod touch to enjoy iTunes Radio ad-free
- Option to display events in month view
- Country specific holidays automatically added for many countries
- Bold font option now includes the keyboard, calculator, and many icon glyphs
- Reduce Motion option now includes Weather, Messages, and multitasking UI animations
- New options to display button shapes, darken app colors, and reduce white point
For information on the security content of this update, please visit this website:
Apple today released iOS 7.0.6 with an important security fix:
Available for: iPhone 4 and later, iPod touch (5th generation), iPad 2 and later
Impact: An attacker with a privileged network position may capture or modify data in sessions protected by SSL/TLS
Description: Secure Transport failed to validate the authenticity of the connection. This issue was addressed by restoring missing validation steps.
Available, as always, via Software Update. Direct download links for each build are in our database of iOS Devices.
What's the best way to get an App Store app onto many iOS devices? If those devices are supervised, the best way is to use MDM and Apple's new Managed Distribution method. I'll demonstrate how to do that using AirWatch below. (Other MDM providers have similar capabilities. Check with your favorite.)
- Make sure you will meet the requirements: VPP, MDM, Supervision, and a common Apple ID.
- Link your MDM provider to your Apple VPP account
- Invite your MDM "users" to your VPP program
- Use VPP to "purchase" apps (even free ones)
- Use MDM to deploy the apps to your users.
Before we start, are you sure you want to do this? Apple Configurator may be a much better solution for the "getting apps onto iPads and iPhones" problem, at least when all the devices are in the same room. But if the devices will be scattered far from the iGeek, then keep reading.
The setup is quite important.
- Make sure your MDM provider and your platform version support iOS 7's new Managed Distribution system. ("New" means November 2013.)
- You'll need to create an MDM user who will own all those devices. You will want to make sure this user is in a new location group.
- You will need to set up an iTunes Volume Purchase Program account for your business or school. Note this requires a new Apple ID, a DUNS number, a pound of flesh, some eyes of newts and toe of dog, and a few days for processing. OK, it isn't that hard, I'm just having fun.
- You'll need an Apple ID to share among your devices. You will want to use the technique to create an Apple ID without a credit card. (I'm assuming you will be distributing only free apps to your devices, which means you can share the same Apple ID.)
Got it? Good. Now for every iOS device, you'll need to do a few preparation steps. (Hint: If you play your cards right, you will be able to accomplish all of the below in a single stroke.)
- Supervise it using Configurator
- Sign in to the App Store using the common Apple ID (restore a backup image with the App Store user signed in)
- Enroll into MDM (you can do that automatically using Configurator during the supervision process, at least with Casper Suite, AirWatch, MobileIron, and others.)
- Associate the device with the common MDM user (that should be a setting in MDM prior to generating the enrollment profile)
Link your MDM provider to your Apple VPP account
Sign into your VPP Account. In the upper-right corner, click on your Apple ID and then "Account Summary".
In the "Managed Distribution" section, download the VPP token. This contains the credentials your MDM provider needs to link to VPP.
Now log into AirWatch. Navigate to Settings > Apps > Catalog > License Based VPP. Double check you are looking at the correct location group.
Enter a name to describe this connection (I called it "Tekserve VPP") and upload the token. I strongly recommend "Automatically Send Invites" is NOT checked.
Save this config, and you now have linkage!
Invite your MDM "users" to your VPP program
Next step is to invite your MDM users to participate in the program. There is no assumption that the Apple ID is the same as the MDM user's email. In fact, Apple is pretty clear they don't want MDM (or the employer) to ever know an employee's Apple ID. Therefore the MDM system needs to send an email to the users, who click a link to accept enrollment in the VPP program.
I haven't yet figured out how to invite one user at a time, so we're going to have to invite EVERY user in the MDM location group. Now if you have been following carefully, you are working in a location group with only a single MDM user. Cool. Send the invitations by clicking the "(Re)Invite Users" button. There won't be a confirmation, but email will be sent to all addresses the MDM has on file.
Using your iOS7 device's browser, please click on this https://buy.itunes.apple.com/WebObjects/MZFinance.woa/wa/associateVPPUse... to register for Apple's License Based VPP Program. Registering for the program will enable you to download applications purchased by your organization on your behalf.
Please contact your IT helpdesk if you have any questions: email@example.com
Clicking the link will open the App Store (on an iOS device) or the Mac App Store (on a Mac) and ask for an Apple ID and password.
This organization can now assign apps and books to you.
Use VPP to "purchase" apps (even free ones)
Next step -- there are a lot of steps -- is to use Apple's VPP to purchase an app.
The iTunes VPP store used to have only paid apps. Now it has free apps as well. Today let's install Tiny Death Star, a popular enterprise productivity app. So log into the iTunes VPP store, search for "death star", and "purchase" several copies. You can purchase as many as you want, it's free!
A paid app presents a choice for either downloading old-style redemption codes or new-style managed distribution. Free apps don't get a choice; managed distribution for all.
After purchase, Apple takes a few minutes to prepare your order. Wait until you receive email confirmation before continuing to the next step.
Use MDM to deploy the apps to your users
Back in AirWatch, click on Apps & Books > Applications > Purchased. Now you ask AirWatch to check with Apple, so click the "Sync Licenses" button. This part may take a short time, but in my test I just needed to refresh the page.
Once AirWatch is aware of the app, you can assign it to users. Click the twisted-arrow button.
AirWatch assigns these apps via smart groups only. This article is already way too long, so I won't explain how to create these.
Now decide how many licenses you want allocated to the group.
Now save the assignment. The last step is to publish the app.
In my experience, the app isn't quite ready to publish immediately. So if it doesn't work immediately, wait 15 minutes and try to publish again.
On my test supervised iPod, I get the Tiny Death Star app, automatically downloaded and without any prompts. It works! Woo hoo!
My unsupervised iPhone also received the Tiny Death Star app, and it isn't even enrolled into AirWatch. Hmm.
I understand part of this. I used my personal Apple ID for the test; the same Apple ID I used on my iPhone. Managed distribution works by adding the assigned apps to my Apple ID purchase history. And my iPhone has automatic app downloads enabled. But does this imply that unsupervised devices can also receive silent installs?
Looks like more exploration is needed.
Apple ignores the enterprise! So says the conventional wisdom. But I thought I'd share this slide with you guys. It was part of a presentation I gave yesterday to some business leaders at an Apple event in New York.
Every year Apple releases a new version of iOS. Every version of iOS includes new features focused on the enterprise. Every new release includes more new features than the year before.
Apple may not market to the enterprise, but they most certainly engineer to the enterprise.
Apple recently released iOS 7.0.4, which provides:
- Bug fixes and improvements, including a fix for an issue that causes FaceTime calls to fail for some users.
There's also a security fix, which is:
Impact: App and In-App purchases may be completed with insufficient authorization
Description: A signed-in user may be able to complete a transaction without providing a password when prompted. This issue was addressed by additional enforcement of purchase authorization.
Apple Launches "Managed Distribution" for App Store Volume Purchase Program (VPP) for Business and Education
Apple tonight updated its app Volume Purchase Program with several long-anticipated and important additions. The updates introduce a new "managed distribution" of apps to iOS 7 devices, allowing assignment and revocation through Mobile Device Management. Here are the highlights:
- Works with most apps available in the public app store (both paid and free), custom B2B apps created for your organization by 3rd parties, and books from the iBooks store
- Either download the legacy redeemable codes, or use managed distribution to link your MDM server to have reassignable apps
- Managed distribution allows your institution to maintain ownership of the apps. Revoke apps from users when no longer needed, and reassign the licenses to different users.
- Managed distribution requires iOS 7 and a suitable MDM.
- MDM providers must be updated to work with the new system. Expect announcements over the next days and weeks.
- App assignment does not reveal the individual's Apple ID to the institution.
- Assigned apps are installed automatically on supervised devices. Unsupervised devices show a prompt to install.
- Education customers will be able to purchase by Purchase Order "coming later this fall". The rest of us need a credit card.
- Education customers are able to set up multiple administrators. The rest of us use a single login.
- Available in Australia, Canada, France, Germany, Italy, Japan, New Zealand, Spain, United Kingdom, and United States.
- Unused codes and codes redeemed by Apple Configurator may be migrated to managed distribution.
We'll have more information coming soon.
Quote from Apple KB article found here:
Users with supervised iOS 6 devices
For devices that have not yet been updated to iOS 7, upgrade from iOS 6 to iOS 7.0.3 over the air. The devices will remain supervised.
Users with unsupervised iOS 7 devices
For devices that have already been upgraded to iOS 7 and lost supervision, AppleCare will create a profile to re-supervise your devices. This profile will require the serial numbers of the affected devices and verification of ownership. To verify that a device is supervised, see this article.
Collect the serial numbers of affected devices. To export the serial numbers of devices supervised by an Apple Configurator station:
- Go to the Supervise tab.
- In the Supervised Devices list, select either All Devices or a Device Group which contains all the devices that have lost supervision. You can include a device even if you are not sure if it has lost supervision.
- Choose Devices > Export Info....
- Select Device Information and check the box for Serial Number.
- Click Export and save the file.
Optionally, if you want devices to be able to connect to a specific Apple Configurator station, export a Supervision Certificate. To export a certificate in Apple Configurator version 1.4.1 or later, hold down the Option key and choose File > Export > Supervision Certificate.
Contact AppleCare and ask to speak to an Enterprise Support Advisor for instructions to submit your serial numbers and any necessary Supervision Certificates. AppleCare will require proof of purchase information if the devices were not purchased directly from Apple.
AppleCare will validate your proof of purchase information and create a customized Re-supervision Profile for your organization.
Update your devices to iOS 7.0.3.
When you receive the Re-supervision Profile, install it on your devices using the enclosed instructions.
After the necessary profiles are installed on your iOS devices, they will again be supervised.
Supervision Certificate: A certificate that identifies your Apple Configurator station to an iOS device.
Supervision Profile: A profile created by Apple Configurator used to supervise iOS 6 devices.
Re-supervision Profile: A custom, Apple-signed profile used to re-supervise specific devices that lost supervision upon upgrading to iOS 7.
Today is a day that has been a long time coming! I will be testing and waiting a few days before I fully deploy!
Along with all the products today, Apple has released iOS 7.0.3 for all iOS 7-capable devices. (For download links, see our database of iOS Devices.) From the release notes:
This update contains improvements and bug fixes, including:
- Adds iCloud Keychain to keep track of your account names, passwords, and credit card numbers across all your approved devices
- Adds Password Generator so Safari can suggest unique, hard-to-guess passwords for your online accounts
- Updates lock screen to delay display of "slide to unlock" when Touch ID is in use
- Adds back the ability to search the web and Wikipedia from Spotlight search
- Fixes an issue where iMessage failed to send for some users
- Fixes a bug that could prevent iMessage from activating
- Improves system stability when using iWork apps
- Fixes an accelerometer calibration issue
- Addresses an issue that could cause Siri and VoiceOver to use a lower quality voice
- Fixes a bug that could allow someone to bypass the Lock screen passcode
- Enhances the Reduce Motion setting to minimize both motion and animation
- Fixes an issue that could cause VoiceOver input to be too sensitive
- Updates the Bold Text setting to also change dial pad text
- Fixes an issue that could cause supervised devices to become un-supervised when updating software
For information on the security content of this update, please visit this website:
That last one about supervision could be very interesting. We've heard of several organizations bitten by that when they first upgraded.
Please post your iOS 7.0.3 experiences here.
I received this communication from our Apple rep. I am really glad we have not updated to iOS 7 at our school and would need to provide serial numbers and proof of purchase. I have emailed support and I am waiting on directions. It looks like we will be able to push a profile that will prevent Find My iPad activation lock settings in the background (speculation). Once the iOS 7 update is available we can remove our block and upgrade to iOS 7.
Recently some users have reported that their supervised iOS devices have reverted to un-supervised after they were upgraded to iOS 7. We are aware of this issue and will have a fix in an iOS software update coming this month.
If you upgraded your devices to iOS 7, we can help you re-supervise devices wirelessly once the software update is available. If your devices are still on iOS 6, we can help you prep your devices in order to maintain supervision when the software update is installed. Please see below for details. AppleCare is ready to help you with implementing whichever solution works for you.
Devices on iOS 7
For devices that were upgraded to iOS 7, we can create a profile to re-supervise your devices. In order to create this profile, we need two things from you — your device serial numbers and valid proof-of-purchase information. When you contact AppleCare, we will provide details on how to send us this information. AppleCare will also let you know when you will receive the profile and provide deployment instructions.
Devices on iOS 6
If you have devices that haven’t been upgraded to iOS 7, we will give you the ability to generate a profile to install before upgrading. Then your devices will be able to upgrade to the upcoming release of iOS as supervised devices.
Please email firstname.lastname@example.org to obtain more information from AppleCare.
TechHive has an article on several iOS 7 keyboard tips. Here is my favorite:
The old ".com" button is hidden inside Safari's keyboard. Just press and hold the period.
Makes it so much easier to type enterpriseios.com.
A quick tip on a new feature for iOS 7: You can now manage which apps are allowed to use cellular networking and which must be confined to WiFi. Check out Settings > Cellular and scroll to the bottom. Unfortunately this isn't manageable via MDM.
Is Activation Lock appropriate on a corporate-owned device? Community member Duane Herring found the Apple support document below that shows Apple has been thinking about this too.
Learn how to manage the Activation Lock feature of Find My iPhone in iOS 7.
With iOS 7, when you turn on Find My iPhone, you enable Activation Lock. Activation Lock prevents anyone else from reactivating your iOS device if it is lost or stolen. Mobile device administrators can manage this setting by supervising devices.
If you use Apple Configurator to supervise an iOS 7 device, Activation Lock will not be enabled when a user turns on Find My iPhone.
If an iOS 7 device is not supervised, Activation Lock will be enabled as soon as a user logs in to iCloud and turns on Find My iPhone. Mobile device management cannot prevent a user from enabling Activation Lock on an unsupervised device.
In any case, only the iCloud user who enabled Activation Lock can disable it.
If the user has access to the iOS device, they can turn it off in Settings > iCloud > Find My iPhone.
If the user doesn't have access to the iOS device, they can log in to icloud.com or the Find My iPhone app on another iOS device, then erase the device and remove it from the device list.
A mobile device administrator cannot disable Activation Lock after it is enabled.
Find more information about Find My iPhone Activation Lock.
If you use Apple Configurator to prepare a device that has Find My iPhone enabled, you will see the message "Unable to check iOS."
If the device was previously unsupervised, Activation Lock is enabled and the iCloud user who enabled Find My iPhone must disable it before you can prepare the device.
If the device was previously supervised, either the iCloud user who enabled Find My iPhone can disable it, or you can put the device into recovery mode and then prepare it.
This can be a sticky problem. Does Apple's solution work for you? Please continue the comment thread...