Lockdown MDM profile?


dleven

Joined: Sep 19, 2012

Hi,
I'm currently using MobileIron as my MDM solution and have deployed to about 200 iPad users. The most annoying thing is when users go ahead and uninstall the MI agent; then I get notified and have to contact them to get their iOS device back in compliance. I thought to myself that there has to be a way to lock this down, which sounds simple, especially coming from the BES environment, which allowed you to do so. Looking deeper into this, a profile pushed via MDM cannot be locked. Apple's thinking here is that if you have the device in your possession, the user must have given you permission to install a locked profile, so it's allowed. In the MDM scenario, the user has no warning that a locked profile will be installed, and Apple is concerned a user will be locked into a behavior which they cannot opt out of. So removing the MDM profile with a password is not an option in our environment, since we are using an MDM certificate. The configuration profile created in the iPhone Configuration Utility, which is pushed to the device over USB, can be locked so that it cannot be removed. Any thoughts? Anyone running into the same situation?

Thanks!


bdogd

Joined: Nov 19, 2010

Profile rules


A device enrolled under management can receive delivered profiles. A user can always un-enroll from that management (the user is king).
Are you using iPCU as well? Why is that? Can you deliver that profile (which sounds like it delivers capabilities the user needs) via MobileIron? Can't behavior be shaped by removing any capabilities required to do their job if the app is deleted or enrollment is removed?
I'd do part of this through policy to the user: "Thou shalt not connect to email (or VPN or whatever) without MDM management", and if they remove that management they don't get the benefits of access to your network (carrot and stick style).
You certainly can't do what you did with BES, but since the user is king, you have to encourage them to do what you want rather than force them (since you can't do that anyway).


mbernier

Joined: May 19, 2011

Messages template


The best thing to do in such a case is to customize the message templates that MobileIron sends to users when the MDM profile is removed.

You should include warnings about losing connectivity or in-house app usage when the user removes this profile.

Doing so makes users avoid making that mistake again.


dleven

Joined: Aug 3, 2012

RE: Profile Rules


Thanks for the reply! No, I don't use iPCU, just MobileIron. I have just set up alerts for when someone uninstalls, and they also get an email that lets them know about the consequences of uninstalling the MDM agent. There is only so much that you can do, but I wish that password-protecting that profile were an option. It's good to be the king! Hahaha!


dleven

Joined: Aug 3, 2012

Re: Messages Template


Thanks for your reply! You are right, creating templates is the most you can do at this point. It is what it is!


hanishi

Joined: Jan 19, 2011

This is the company I used to


This is the company I used to work for, and they provide you MDM for as little as 150 JPY/device.
They have actually succeeded in removing the "remove" option from the MDM profile settings.
This is a feature other MDM providers should also implement, allowing their customers a "strict mode" whereby the "remove" button is purged from the settings.
I don't have an affiliation with them, by the way.

http://www.mobi-connect.net/en/index.html


JMPATLANTA

Joined: Jun 13, 2012

Forced incentive


Give the users a "forced" incentive to keep MobileIron healthy. Provide them an app, web link, certificate, etc. that is absolutely necessary for the device to remain "usable" but is removed/deleted when MI is removed.


viscafe

Joined: Jul 25, 2012

Lockdown MDM profile?


Use Apple Configurator in conjunction with your preferred MDM. I'm currently using it to enforce the device password and other IT policies that can't be removed by the user. Luckily both profiles can coexist on the same iOS device; the only downside is that you have to touch every single device first to apply the profiles from Configurator and then to enroll with the MDM. It's the only way you can prevent your users from removing IT policies, but even then, if the user wipes the device, both the MDM and Configurator profiles will be wiped out.

Hope it helps...

Viscafe


David Acland

Joined: Aug 7, 2012

Use incentives


I would go with the approach recommended by JMPATLANTA. If you use the MDM enrolment to provide wi-fi network connectivity, exchange account settings and other useful services they will be less inclined to remove the profile. I would also look to use a short description on the profile to explain to users what they will miss out on if they remove it.

Regards

David Acland
Amsys Plc
http://www.amsys.co.uk



JMPATLANTA

Joined: Jun 13, 2012

Good idea on profile naming too.


David, good idea on keeping it simple on the profile naming too. You could also name it something like "COBC", which stands for Code of Business Conduct. Remove it and your backside is toast.


JMPATLANTA

Joined: Jun 13, 2012

Anyone attempted account creations via script today?


Has anyone attempted account creation via script today? I am awaiting Apple to white-list my mail domain, but I attempted two account runs while waiting the 72 hours and never received the account verification e-mails. Just wondering if anyone else is seeing similar.


JMPATLANTA

Joined: Jun 13, 2012

Wrong topic


Sorry all, I posted this in the wrong topic. Disregard.


Ktitude

Joined: Aug 21, 2012

how to detect when MDM profile is removed


I have been fighting with my MDM provider about setting up a "Passcode Policy" payload, and after a few minutes of searching I now know that you can't restrict users from removing it when you apply the MDM profile.

We are using 4,000 enterprise iPhones and iPads and apply strict MDM policies, such as wiping the device after 15 wrong passcodes, remote wipe and remote lock screen.

The problem is that even when users remove the MDM profile, they still think they are under the control of the IT admin.

So a user accidentally removes the MDM profile, their kids fail to unlock the screen 4-6 times, it is locked down and there is nothing we can do, since it has no MDM profile for remote control. And enterprise PCs are not allowed to install Apple iTunes, so they have to ship the device to the IT dept to unlock it.

So I'd like to set up an alert to the user immediately when this profile is removed.
Is this a MobileIron proprietary feature, or does Apple provide such APIs to handle these situations?

Please describe in detail so I can pass on to our developers who are not familiar with English.

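On the question above of whether removal detection is vendor-proprietary or part of Apple's protocol: Apple's MDM protocol does provide for it. If the MDM payload (PayloadType com.apple.mdm) sets CheckOutWhenRemoved to true, the device POSTs a CheckOut message to the server's CheckInURL at the moment the profile is removed. This is best effort: nothing is sent if the device is offline at that moment, and after the profile is gone no APNs wake-up or command can reach the device, so the CheckOut is the last thing the server will ever hear from it. The following is an added example, not code from this thread or from MobileIron or any other vendor: a minimal server-side check-in handler that classifies the three check-in message types and turns a CheckOut into a user alert, plus the payload fragment that enables it. The URLs, topic, UUIDs and UDIDs are constructed placeholders; the AccessRights value is an assumption to be set per policy, and TLS client-certificate authentication of the device is assumed to be enforced in front of the handler.

```python
"""Minimal Apple MDM check-in handler that turns a CheckOut into an alert.

Added example for this thread, not vendor code. Assumes Apple's MDM check-in
protocol: the device POSTs an XML plist to CheckInURL with MessageType
Authenticate, TokenUpdate or CheckOut. CheckOut is sent only when the MDM
payload has CheckOutWhenRemoved = true and the device is online at removal.
"""
import plistlib
from dataclasses import dataclass
from xml.parsers.expat import ExpatError


def mdm_payload(check_in_url, server_url, topic, identity_uuid):
    """MDM payload dict with CheckOutWhenRemoved enabled.

    Key names are Apple's MDM payload keys; values are placeholders.
    AccessRights 8191 grants every right the protocol defines (assumption:
    narrow this to what your policy actually needs).
    """
    return {
        "PayloadType": "com.apple.mdm",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm",                  # constructed
        "PayloadUUID": "4C3F0A2E-0000-4000-8000-000000000001",  # constructed
        "CheckInURL": check_in_url,
        "ServerURL": server_url,
        "Topic": topic,
        "IdentityCertificateUUID": identity_uuid,
        "AccessRights": 8191,
        "CheckOutWhenRemoved": True,   # the key that makes removal observable
    }


@dataclass
class CheckInEvent:
    udid: str
    kind: str      # "enrolled" | "token_update" | "unenrolled"
    alert: bool    # True when the user / helpdesk should be notified


def handle_check_in(body: bytes, expected_topic: str) -> CheckInEvent:
    """Parse one check-in request body and classify it.

    Raises ValueError on malformed input or a Topic mismatch, so a caller
    that can reach CheckInURL cannot log a CheckOut against another tenant's
    topic. Device identity itself comes from the TLS client certificate,
    which is assumed to be verified before this function is called.
    """
    try:
        msg = plistlib.loads(body)
    except (ValueError, ExpatError) as exc:      # InvalidFileException is a ValueError
        raise ValueError(f"not a plist: {exc}") from exc
    if not isinstance(msg, dict):
        raise ValueError("check-in body is not a dictionary")
    udid = msg.get("UDID")
    mtype = msg.get("MessageType")
    if not udid or msg.get("Topic") != expected_topic:
        raise ValueError("missing UDID or unexpected Topic")
    if mtype == "Authenticate":
        return CheckInEvent(udid, "enrolled", alert=False)
    if mtype == "TokenUpdate":
        return CheckInEvent(udid, "token_update", alert=False)
    if mtype == "CheckOut":
        # Device is now unmanaged: no further APNs push can reach it, so this
        # is the only moment at which the server can react automatically.
        return CheckInEvent(udid, "unenrolled", alert=True)
    raise ValueError(f"unknown MessageType {mtype!r}")


def removal_notice(event: CheckInEvent, helpdesk: str) -> str:
    """Text for the mail/SMS sent to the user when their device checks out."""
    return (
        f"Device {event.udid} removed its management profile. "
        f"Remote lock, remote wipe and passcode reset are no longer possible. "
        f"Re-enroll now or contact {helpdesk}."
    )


# Constructed sample bodies, shaped like what an iOS device POSTs to CheckInURL.
TOPIC = "com.apple.mgmt.External.constructed-example"
SAMPLE_UDID = "00000000-000000000000000000000000"   # constructed
SAMPLE_CHECKOUT = plistlib.dumps(
    {"MessageType": "CheckOut", "Topic": TOPIC, "UDID": SAMPLE_UDID})
SAMPLE_AUTH = plistlib.dumps(
    {"MessageType": "Authenticate", "Topic": TOPIC, "UDID": SAMPLE_UDID})

if __name__ == "__main__":
    event = handle_check_in(SAMPLE_CHECKOUT, TOPIC)
    if event.alert:
        print(removal_notice(event, "helpdesk@example.com"))
```

Because the CheckOut never arrives for a device that was offline when the profile was pulled, a real server should also treat a device that has stopped acknowledging commands for longer than its normal check-in interval as possibly unenrolled, rather than relying on this message alone.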

D80Buckeye

Joined: Oct 6, 2012

Global MDM Profile


Ktitude,
Once the end user deletes the global MDM profile tying it back to MobileIron, you have zero capability to communicate with the device via APNs from your console. This goes for all MDM vendors. Apple's stance, which drives most of us crazy, is that it is a consumer device and they should be able to opt out of being tethered to MDM management at any point in time. They like to refer to it as "carrot and stick". The retail and education sectors have been screaming for the ability to lock it down with a password for upwards of 2 years, but it has fallen on deaf ears. As stupid as this sounds, I would recommend marching this up to Apple via your account rep like the rest of us.
