Can MDM push-install apps over-the-air?

eizymeizy0809's picture

eizymeizy0809

Joined: Jun 3, 2014
No votes yet

Can you push install apps over-the-air with MDM on supervised devices (if you have activated supervision via Apple Configurator, not using Device Enrollment Program)?

Meraki Whitepaper (Deploying Apple iOS in Education - https://meraki.cisco.com/lib/pdf/meraki_whitepaper_ios.pdf - chapter 10) says that on “[s]upervised devices [you] must be re-connected to Apple Configurator for app updates and [...] to remove any unsanctioned apps on the device.”

Does this mean MDM (and specifically Meraki) can't deploy apps over the air? And if so, is it just a limitation to them, or can MDM in general not do this unless they are using Device Enrollment Program?

Top
Aaron Freimark's picture

Aaron Freimark

Joined: Nov 6, 2010
WWW

Over the air app installation

Your rating: None

Over the air app installation is part of the MDM specification. On unsupervised devices, the device user is prompted with a confirmation dialog (and often for Apple ID and password). On supervised devices, there is no confirmation (assuming the Apple ID has been set up already).

It does not matter how the device was supervised. We've been doing this for a year, long before DEP was introduced.

I don't know why Meraki is confused.

--
Aaron Freimark, Enterprise iOS founder & GroundControl CEO

Top
MCal27's picture

MCal27

Joined: Sep 4, 2013
WWW

OTA Silent push

Your rating: None

Aaron assuming we're talking Silent push isn't this dependant on MDM solution? I use Meraki with my schools and we nearly always have to enter the Apple ID when pushing apps even on supervised devices...?
Once the Apple ID has been entered you seem to get a window where silent push occurs, but if I push additional apps (say) the next day I have to re-enter the ID password..

Al.

Hey.. It's a party... I want to party too..... Please don't ask me about Macs tonight...

Top
eizymeizy0809's picture

eizymeizy0809

Joined: Jun 1, 2014

Thanks for response

Your rating: None

Thanks Aaron, that answers my question. I guess it's dependent on which MDM is used but at least now I know it's possible.

Do you know where I can get the MDM specification you mention? Would be good to be able to read the full spec and see exactly what's possible.

Top
Aaron Freimark's picture

Aaron Freimark

Joined: Nov 6, 2010
WWW

I believe it is available to

Your rating: None

I believe it is available to all members of the Apple Developer Program. Visit https://developer.apple.com/downloads/index.action# and search for "Mobile Device Management"

--
Aaron Freimark, Enterprise iOS founder & GroundControl CEO

Top
Eddie_Fade's picture

Eddie_Fade

Joined: Nov 14, 2013

You can silently push apps without entering Apple ID

Your rating: None
MCal27 wrote:

Aaron assuming we're talking Silent push isn't this dependant on MDM solution? I use Meraki with my schools and we nearly always have to enter the Apple ID when pushing apps even on supervised devices...?
Once the Apple ID has been entered you seem to get a window where silent push occurs, but if I push additional apps (say) the next day I have to re-enter the ID password..

Al.

If you are asked for Apple ID with every app install, check your restrictions settings. If you enable the App Store restrictions like age rating, then the apple id password will be requested always. removing these restrictions allowed me to silently push apps two days at least after the app store sign in.

Top
klatuu's picture

klatuu

Joined: Apr 11, 2014

Push Apps silently via MDM and VPP

Your rating: None

I tried to push apps via Apple's Profile Manager and VPP silently. It worked first, but after a few days the password was requested.
We assumed the problem could be multiple iTunes Accounts on the device.

So I tried a different approach.
We have iOS devices owned by the company and it is not allowed to install private apps.
So I created a new Apple-ID just for silent installs. After device activation this ID is used for App-Store login.
Then via MDM the payload "allowAccountModification" is disabled.

So there is only one iTunes Account possible on the device and silent app installation works, even after reboot and weeks later, without a password request

Top
Eddie_Fade's picture

Eddie_Fade

Joined: Nov 14, 2013

Well, the password will be

Your rating: None

Well, the password will be required if there's a change to the Terms and Conditions in the app store or I guess if some modification was done to the Apple ID. So the device should not be shipped somewhere else and assume that it can be completely managed with zero touch. Unless it's enterprise apps only.

Top
960Design's picture

960Design

Joined: Aug 5, 2014

Silent Push

Your rating: None

The standards you were reading for Meraki were probably written some time ago. I've been silently pushing apps to iPads for quite some time. I just pushed 1000 apps actually. The end user doesn't have to do anything. The app just appears on their individual device. When the device is "turned in" I silently remove all the apps. Easy peasy.

Top
dstart's picture

dstart

Joined: Sep 26, 2014

Updates

Your rating: None

What about updates to pushed apps. Do they have to enter an apple ID password?

Top
Jakey's picture

Jakey

Joined: Sep 21, 2014

Depends a little on your

Your rating: None

Depends a little on your setup.

If you use a MDM to push an application to a device which a user is signed into with their own Apple ID, and you have not enforced the entry of iTunes password then updates to public pushed applications will not need an Apple ID.

Private Enterprise applications pushed from the MDM never need iTunes password.

There are occasions where a password needs to be entered however.

Top
960Design's picture

960Design

Joined: Aug 5, 2014

Updated password not required

Your rating: None (1 vote)
dstart wrote:

What about updates to pushed apps. Do they have to enter an apple ID password?

No password needed for updates.
iTunes & App Store > Automatic Downloads > Updates = Enabled

Top
Chanel Oxford's picture

Chanel Oxford

Joined: Dec 9, 2014

I find this post very

Your rating: None

I find this post very helpful. The Device Enrollment Program (DEP) from Apple helps you maximize the benefits of iOS devices enrolled in MDM programs. Install a non-removable MDM profile on a device, automatically provision devices over-the-air in Supervised mode and require enrollment for all end-users. End users simply take the device out of the box, complete a custom Setup Assistant and the device is automatically configured with device profiles.

Top
Greg G's picture

Greg G

Joined: Jul 24, 2015

Does this work with in-house apps?

Your rating: None

Does anyone know if this can be done with in-house (enterprise dev signed) apps? I'd like to be able to force update internal apps.

Top
benneta's picture

benneta

Joined: Jul 28, 2015

I am pushing apps to iPads

Your rating: None

I am pushing apps to iPads silently using FileWave. Immediately after the initial DEP setup on an iPad the student is prompted for their itunes login from the filewave app. This links their iTunes account to the VPP setup with FileWave. Once this is done I am able to push apps to the devices.

Top
HamidZaeri's picture

HamidZaeri

Joined: Aug 6, 2015

I need an MDM or configurator

Your rating: None

I need an MDM or configurator with support of these 2 features:

- Push apps from computer to iDevices preferably through USB so no need to be downloaded again.
- Assign apps to End-Users Apple IDs so they could update apps anytime anywhere.

Top

Who is online?

There are currently 0 admins, 0 users and 12 guests online. Connected users: .

Recent Activity