Users getting around Supervision profiles?...


wchestnutt

Joined: Jul 1, 2016

Hi Everyone.

We have a fleet of devices out that are supervised by our dedicated terminal and provisioned with MDM in line with CESG guidelines.

My question is that it seems a user has wiped the device by entering the wrong passcode too many times, then taken the liberty of reinstalling the MDM etc. (in this case Symantec App Store). So in terms of reporting from our admin side the device looks normal, but in actual fact some of the restrictions have been removed, such as Game Center, allowing connection to other Macs, and allowing installation of other certificates, due to the Supervision profile being removed!?

How would we get around this, and how can we enforce a policy that stops users being able to do this?

Kind regards,


bprenger

Joined: Mar 7, 2014

I suggest looking into the Device Enrollment Program (DEP) recently launched by Apple (deploy.apple.com). Under DEP, devices purchased via Apple for education (and I believe directly purchased for Enterprise) can be forced to enroll in whichever MDM you use. This applies to devices that have been "blown away", for lack of a better term.

Details Here:
https://www.apple.com/education/it/dep/

-Brandon Prenger
Zeeland Public Schools
1:1 Device Coordinator


JMPATLANTA

Joined: Jun 13, 2012

DEP


bprenger is correct. Look into Apple's DEP program. As long as your company meets the requirements and your MDM provider supports DEP (some are currently in development to support it), then you are set. If a user wipes an iPad, as soon as it hits Apple's Activation Server during the activation process, it gets auto-enrolled in the target MDM and management is forced. This allows you to enable Supervision OTA and prevent the end users from getting around the restrictions, etc. I think this is the "magic" that us iOS admins have been looking for, for a long time. The only issue is Apple's purchase requirement being directly from them.


superballsdeep

Joined: May 31, 2014

Side note


DEP is the only way to lock down your profile to prevent removal. With DEP you can force devices to enroll during set up.

There used to be an * on the DEP site but I think Apple marketing took it down. It basically summarized that the devices have to be purchased 1. in the US (not a big deal), 2. in the past 3 years (not a big deal) and 3. directly from Apple (no ATT, Verizon, Best Buy, CDW, Apple Retail Store). So keep that in mind.


Aaron Freimark

Joined: Nov 6, 2010

There are other ways...


DEP is the only Apple-Sanctioned way to lock down profiles. But there are other ways. Take a look at the devices in any Apple Store for example.

I'm happy to discuss more off-board if you like.

--
Aaron Freimark, Enterprise iOS founder & GroundControl CEO


wchestnutt

Joined: Mar 27, 2014


Hi Everyone, thanks for the replies!! Unfortunately we don't have DEP in the UK yet, but it does sound like the magic we are looking for! Just have to wait it out and see, I guess.

Best regards, W


Eddie_Fade

Joined: Nov 14, 2013

iOS 8


Great news with iOS 8: now there's a Restriction that locks down "Erase All Content and Settings", but of course it doesn't protect against DFU mode or erase after x passcode failures.
However, you can use Activation Lock and sign in with an institutional iCloud account, this way they will need to bring back the device to the IT team to activate it and supervise again. Although not practical in 1:1 personal use deployments, it would work well in shared use environments.


plawrence

Joined: Oct 7, 2014

Lock down profiles

Aaron Freimark wrote:

DEP is the only Apple-Sanctioned way to lock down profiles. But there are other ways. Take a look at the devices in any Apple Store for example.

I'm happy to discuss more off-board if you like.

Hi Aaron

I'd be interested to know more about other ways to lock down MDM profiles on iOS. Do you know if GroundControl has this feature?

Patrick


dimzen

Joined: Aug 22, 2012

What other ways?

Aaron Freimark wrote:

DEP is the only Apple-Sanctioned way to lock down profiles. But there are other ways. Take a look at the devices in any Apple Store for example.

I'm happy to discuss more off-board if you like.

I like that info too :)


betolley

Joined: Oct 16, 2014

Me too


I would like the info as well.


michael@abovestudio1.com

Joined: May 25, 2015

I'd like to hear some of that discussion too.
