What's New in iOS 11.3: Podcast Edition with Russ Mohr & Aaron Freimark

There are several new enterprise-focused features in iOS 11.3, but they aren't always easy to understand. So last week MobileIron's Russ Mohr and I recorded a conversation about it. We discuss in depth:

  • Using appleseed.apple.com to learn about new features
  • Apple Business Manager (in beta)
  • Delayed iOS Updates, how it works and what the user sees
  • Managed Contacts and why they are important
  • New MDM features

I hope this helps a few people understand these important new features. You can listen on iTunes or Spreaker or via the embedded widget below.

Listen to "Apple’s iOS 11.3 release is ready for business" on Spreaker.

iOS 11.3 will allow companies to delay updates — up to 90 days — on supervised devices

Apple today released the first beta of iOS 11.3. Although the beta is available only to developers and those registered in the Apple beta program, they did release some very interesting information.

Notably, the public document Configuration Profile Reference includes a new item, which has been hoped-for for many years by Apple administrators:


Supervised only. This restriction allows the admin to set how many days a software update on the device will be delayed. With this restriction in place, the user will not see a software update until the specified number of days after the software update release date.

The max is 90 days and the default value is 30.

Availability: Available only in iOS 11.3 and later and macOS 10.13.4 and later.

This delay will give companies a window to test, certify, and update any existing apps.
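
An added example, not part of the original post or of Apple's documentation: a small auditor that reads a configuration profile and reports the update delay it enforces. The key names `forceDelayedSoftwareUpdates` and `enforcedSoftwareUpdateDelay` come from Apple's Configuration Profile Reference rather than from this page; the sample profile, the release date and the lower bound of 1 day are constructed assumptions.

```python
import plistlib
from datetime import date, timedelta

MAX_DELAY_DAYS = 90      # maximum stated in the quoted reference text
DEFAULT_DELAY_DAYS = 30  # default stated in the quoted reference text
RESTRICTIONS = "com.apple.applicationaccess"  # Restrictions payload type

# Constructed sample profile (not from the page), trimmed to the relevant keys.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.update-delay</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>forceDelayedSoftwareUpdates</key><true/>
      <key>enforcedSoftwareUpdateDelay</key><integer>45</integer>
    </dict>
  </array>
</dict>
</plist>"""


def update_delay_days(profile_bytes):
    """Return the longest update delay the profile enforces, or None."""
    profile = plistlib.loads(profile_bytes)
    delays = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != RESTRICTIONS:
            continue
        # This audit counts a delay only when the restriction is switched on.
        if payload.get("forceDelayedSoftwareUpdates") is not True:
            continue
        days = payload.get("enforcedSoftwareUpdateDelay", DEFAULT_DELAY_DAYS)
        # bool is a subclass of int, so reject it explicitly.
        if isinstance(days, bool) or not isinstance(days, int):
            raise ValueError("enforcedSoftwareUpdateDelay must be an integer")
        if not 1 <= days <= MAX_DELAY_DAYS:  # lower bound of 1 is an assumption
            raise ValueError(f"delay {days} outside 1..{MAX_DELAY_DAYS} days")
        delays.append(days)
    # Several Restrictions payloads: report the longest window (audit choice).
    return max(delays) if delays else None


def first_visible(release_date, delay_days):
    """Date on which the user first sees an update released on release_date."""
    return release_date + timedelta(days=delay_days or 0)


if __name__ == "__main__":
    days = update_delay_days(SAMPLE_PROFILE)
    released = date(2018, 1, 8)  # constructed release date for illustration
    print(f"delay: {days} days; update hidden until {first_visible(released, days)}")
```

The reported window is also how long a security release stays hidden from users, so it is worth tracking per profile alongside the testing time it buys.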

We'll post more information as it becomes public.

Also note, GroundControl has had a similar iOS Update Delay feature, but that relied on a long and unpredictable signing window for non-current releases. Presumably Apple will be extending the IPSW signing window to a minimum of 90 days for any release. That's great news!

Security Content of iOS 11.2.2 (mitigates Spectre)

Apple has released iOS 11.2.2, which mitigates the effects of Spectre.

Available for: iPhone 5s and later, iPad Air and later, and iPod touch 6th generation
Description: iOS 11.2.2 includes security improvements to Safari and WebKit to mitigate the effects of Spectre (CVE-2017-5753 and CVE-2017-5715).

Apple releases iOS 11.2; updates DEP software agreements

This weekend Apple released iOS 11.2, which has been in beta for several weeks. The update includes several new features:

  • Allows an app in single-app mode to be updated by MDM, a long-requested feature. This is sure to make things much better for anyone running kiosks.
  • Fixes a bug where the UI began restarting spontaneously on December 2.
  • Introduces Apple Pay Cash to “send and receive money to friends and family” — this will begin rolling out next week
  • Adds support for faster wireless charging on iPhone 8 and X (from 5 to 7.5 mA)
  • Fixes an issue that could cause cleared Mail notifications from Exchange accounts to reappear
  • Fixes an issue where the calculator would give you the wrong answer if you typed too quickly (prior to upgrading, try typing “1 + 2 + 3” quickly)
  • Lots more bug fixes

In addition, Apple is requiring DEP program agents to sign in and accept new iOS software license agreements that now reference Apple Pay Cash. This is a critical step for all users of Device Enrollment Program. I hope you can find them on Monday!

No news yet on Security Fixes.

Single App Mode meet your best friend, iOS 11.2beta3

If you are using Single App Mode in the enterprise, you are going to want to test 11.2b3. For iOS admins it is a pain to update an app while it's launched, locked and running. Well, now (and if you use an OTA MDM) this just got SOOOO much easier.

You can now update the application while it's in Guided Access/Single App Mode, without having to drop the profile, update and relaunch. Sa-weet. Again, with an MDM ... it's as simple as just updating the application. Some MDMs will auto update for you. Hands-free **sigh** "I'm in heaven".

PS ... if you are wi-fi only shops, you should be using ASAM (vs. SAM) which this seems to work for as well.

Apple releases iOS 11.1 with 21 security fixes and "Emojipalooza"

Apple has released iOS 11.1 for its fleet of devices. The update includes critical security fixes including a fix for the recently-revealed KRACK WiFi exploit. Also included are improvements to managed open-in.

And if you want to see some of the hundreds of new emoji, check out 9to5mac.

Happy Trails iOS 10: Apple stops signing 10.3.3

In the 15 days since September 19, Apple has released two patch updates. Today they stopped signing iOS 10.3.3, meaning you may no longer downgrade devices to iOS 10.

“Signing” is a colloquial term. When Apple is signing a particular iOS version, it is monitoring and permitting iOS devices to be upgraded (or downgraded) to that iOS version. During the iOS install process, a cryptographic request is sent to Apple with information about the iOS device and iOS version. The response from Apple must be cryptographically “signed” for the install process to proceed. No signing, no install. No woman, no cry.

When Apple releases a new iOS version, it usually does not immediately stop signing the preceding version. iOS 10.3.3 was signed for 15 days after iOS 11 was released. For a period of about 24 hours, Apple was signing a full FOUR versions for many iOS devices: 10.3.3, 11.0, 11.0.1, and 11.0.2.

So for a period of a few days, you can upgrade to, or even downgrade to, a not-so-new version. The process to do that can be a bit tricky: you need to obtain the correct IPSW file first, and use a special key combination (Option) in iTunes to select the file.

We recommend the site IPSW.me (https://ipsw.me) to check signing statuses and download individual IPSW files for a particular device and version.

GroundControl users: we automatically take care of this process, simply enable iOS Update Delay to use the previous version for as long as possible.

Apple releases a white paper on “Face ID Security”

Apple has released a white paper on the security of Face ID — its new facial recognition and unlocking system in the upcoming iPhone X. You should get the PDF from here: https://images.apple.com/business/docs/FaceID_Security_Guide.pdf

Here’s a bit I thought was interesting: “Face ID data, including mathematical representations of your face, is encrypted and only available to the Secure Enclave. This data never leaves the device. It is not sent to Apple, nor is it included in device backups.”

Impress everyone with these eleven iOS 11 tricks

The Wall Street Journal's Joanna Stern compiled eleven iOS 11 features into this cute video. My favorite was the new "large attachments" list.

About the security content of iOS 11

I count 15 vulnerabilities fixed.

Configurator 2.5 has been released

Apple has released Configurator 2.5 on the Mac App Store.

The most important feature of this new release is the ability to provisionally add devices to Device Enrollment Program (DEP). We wrote about the ins-and-outs of provisional DEP a few days ago.

Other features of AC2.5:

  • Skip Tap to Setup and Keyboard Chooser panes in iOS Setup Assistant
  • Skip Sign in to TV Provider pane in tvOS Setup Assistant
  • Optionally preserve data plan when erasing device
  • New profile payloads and restrictions for iOS including Restrict VPN Creation, AirPrint Security, DNS Proxy, and Managed class behavior on supervised student devices for Classroom
  • New tvOS payload for AirPlay Incoming Security
  • Support for configuring tvOS devices running tvOS 11 on the local network subnet

Deep dive podcast on iOS 11 in the enterprise

A few days ago I joined Russ Mohr and Jack Madden, for a discussion of iOS 11 in the enterprise. That discussion is now a podcast, hosted by brianmadden.com.

Here's how Jack summarized the discussion:

  • First, we recapped some of the improvements in iOS 10.3 (and 9.3) and how customers have been using them—iOS really has a lot for kiosk and enterprise-owned use cases.
  • iOS 11 is coming out tomorrow. You can watch the WWDC session about MDM, the deployment guides should be updated soon, and now you can even read the full MDM protocol documentation without a developer login.
  • We gave an overview of the Device Enrollment Program, or DEP (as well as the merits of pronouncing it “Dep” versus “D - E - P”).
  • With iOS 11, any device can be brought into DEP. This could be big for refurbished devices.
  • Tethered management has a lot of advantages in many corporate-liable use cases; we also covered caching in macOS 10.13 High Sierra, as well as the future of potential caching hardware.
  • Blocking iOS updates is still an often-requested feature, and there’s no MDM control for it—and likely there won’t ever be. So for network admins that have to deal with a bunch of 2GB iOS 11 downloads on Tuesday, good luck!
  • Aaron talks a bit about Ground Control, a unique (and EMM-neutral) tool in our industry.
  • Is it time for Apple to make some improvements on the BYOD side? How about connecting devices to multiple MDM servers, with limited rights? Or making privacy more explicit? This is one of Jack’s soapbox topics (see here); we’ll see what comes up in a dot version or iOS 12 or 13.
  • We talk Face ID—many of the questions and answers that we had around Touch ID should apply here. MDM can prevent Touch ID from being used to unlock devices, we should find out soon if this will apply to Face ID.
  • The Apple Watch Series 3 has its own cellular connection, but for now, all signs point to it being dependent on a host iPhone. As such, it will inherit a few MDM controls: IT can enforce wrist detection mode, and on supervised phones, IT can block pairing. But it’s also easy to see that this device will evolve to be independent in another generation or two, and then probably have its own MDM support.

It was fun to record, and I hope this becomes a recurring feature.

iOS 11 & Provisional DEP: Questions and Answers

What is Provisional DEP?
Apple Configurator 2.5 can add any iOS device to Apple’s Device Enrollment Program (DEP), so you can use this streamlined process for setup and enrollment.

Before this change, Apple required proof of ownership of a device in order to approve DEP enrollment. In practice, this usually meant that only new devices purchased from specific resellers were eligible. Now any iOS device can be enrolled into DEP. But there are some specific conditions to pay attention to.

What are the requirements?

  • Your devices must be updated to iOS 11.
  • The process will erase devices. It will not preserve data.
  • You need to plug devices into a Mac (once) to start the process.
  • The technicians running the process will need credentials to the DEP portal.
  • You may need to manually assign devices in the Apple DEP portal and/or MDM server to complete the process.
  • For 30 days after enrollment, users may choose to leave DEP (and MDM). DEP is permanent only after the 30 day provisional period has elapsed.

What? Users may leave DEP within 30 days?
For a period of 30 days after provisional enrollment, users are able to remove MDM and opt out of DEP. The lock screen will display small text, instructing users that they can “leave remote management in Settings:”

And in Settings > General > Device Management, users have the ability to “Leave Device Management.”

These options appear even if you set MDM enrollment as mandatory. After 30 days, these notices disappear. At that point the device is permanently in DEP.

What happens when a user decides to leave remote management?
When a user opts out of DEP, the device erases itself, removing any corporate (and personal) data. The device also removes itself from your MDM server. Finally, the device serial number no longer appears in the DEP portal.

After a user leaves remote management, you may use Apple Configurator 2 to add the device to DEP again. The device will begin a new 30-day provisional enrollment.

Is there a way to remove that button and notice, so users can’t opt out?
No. The notice and button are there for 30 days.

While provisional, if I erase the device does it remain in DEP?
Yes. The device remains in DEP after it is erased, just like standard DEP.

Does Configurator allow me to assign an MDM server to the device?
No. MDM server assignment must be done in the DEP portal (deploy.apple.com) just like standard DEP. Within the DEP portal, devices are placed in a container called “Devices Added by Apple Configurator 2.” You must log into the DEP portal and manually assign devices to an MDM server. Until you do that, devices will not behave as DEP devices.

There is a checkbox in Configurator to “Activate and complete enrollment.” This checkbox can be confusing, since it takes the newly-added DEP device and enrolls it as a non-DEP device. You may find it simplest to perform the actions in the following steps:

  1. Use Configurator to add devices to DEP, but do not “Activate and complete enrollment”
  2. Log into the DEP portal, find the serial numbers of the recently added devices, and assign these to your MDM server
  3. Continue setting up the devices, which should now use streamlined enrollment, as usual

I have multiple DEP profiles in my MDM. Does Configurator allow me to assign a profile to the device?
No. Profiles must be assigned using your MDM server, just like standard DEP. But if you have a default profile assigned, the choice is respected.

If I “disown” a device using the DEP portal, can I use provisional DEP enrollment to return it to DEP?
Yes. This is good news, since previously “disown” was permanent.

Does this help with BYOD or personal devices?
No. DEP and supervision remain appropriate only for corporate-owned devices.

I have 1,000 devices that I want to put into DEP. What can I expect from the process?
Provisional DEP is intended to deal with exceptional devices, a small percentage of an otherwise all-DEP fleet. If you want to enroll a large number of devices, you may expect some challenges.

First, you will need to tether devices to a Mac. Provisional DEP is not an over-the-air operation. You may, however, use a USB hub to work on several devices at once.

Second, be aware that Configurator will prompt for a DEP portal login. Most companies restrict employee access to the portal, for good reasons. You will need to provide credentials to your technicians. Note that Apple requires all DEP portal logins to use two-factor authentication, typically via SMS, so you may not be able to have technicians share an account.

Third, the enrollment process will erase devices. So you must expect to re-provision devices as part of this process. If you already have a streamlined provisioning process for DEP devices, you’ll be in good shape. But if DEP is new to your organization, or to this particular use case of your devices, you may need to architect a new process. (A tool like GroundControl can dramatically speed device provisioning, especially for shared DEP devices.)

Finally, all devices will need to be updated to iOS 11 before the process begins. Configurator or GroundControl can update devices efficiently. You will want a high quality USB hub for this part, to make the process as robust as possible. Hubs from Datamation and Cambrionix are recommended.

Do these provisional devices work with GroundControl’s DEP workflows?
Yes. To GroundControl, these devices behave like every other DEP device, during and after the 30-day provisional period. Once you use Configurator to add these to DEP, you may use GroundControl to image the devices, restore a common backup, manage your MDM, etc. Add a supervision identity to your DEP profile to streamline GroundControl’s management.

Will GroundControl incorporate these new Configurator features?
Provisional DEP enrollment is a one-time operation. Today, we recommend you plan to use Configurator for this one-time addition of devices, then use GroundControl to provision the devices and for ongoing automated maintenance.

We are looking at options to support this without Configurator. The requirement for DEP portal login, with two factor authentication, makes this process difficult to incorporate at scale. But we continue to do research, because we understand our customers don’t always have Macs available.

Apple could easily improve the process with a spreadsheet upload to the DEP portal, or a public API. Perhaps you’ll help us make a feature request?

Tethered Caching is much better in macOS High Sierra

Apple has posted an article detailing changes to tethered caching in macOS 10.13 "High Sierra." Caching used to require a Mac running their $20 Server app, but no longer.

  • Content Caching is now built into every Mac
  • Prior to macOS 10.13, Tethered Caching was launched from the command line. Now it's a simple checkbox in the "Sharing" preference pane
  • Caching recommends Ethernet, but Ethernet is no longer required
  • A number of advanced options are available if you hold down the Option key, including specifying parents to create a hierarchical caching system
  • Tethered continues to work great with GroundControl for mass-device provisioning

I'll post more info and screenshots when we get closer to release.

Alert: Apple requires action on September 19 for DEP to keep working

Apple has posted a notice that new Terms and Conditions for the Device Enrollment Program (DEP) will be posted on September 19. This is a big deal, because until the agreement is accepted, new DEP devices will not automatically enroll into MDM. (Existing DEP devices won't be affected.)

DEP administrators can't approve the new agreement; it must be approved by your DEP "agent." The agent is the person who originally set up DEP for your organization. There is only one agent per organization.

You may want to log into the DEP portal today, so you can be absolutely sure you know who your organization's agent is. And make sure that person isn't on holiday next Tuesday.

Apple says:

If you don’t accept the agreements

Devices that were assigned to a Mobile Device Management (MDM) server in Apple School Manager or the Device Enrollment Program won’t be affected. If you Erase all content and settings on a device, the device is still assigned to the same MDM server and the same settings are applied during setup.

However, these conditions apply until the new agreements are accepted:

  • Apple School Manager instructors and managers can reset user passwords and send or print login information, but other site functions will be disabled.
  • Device Enrollment Program admins (other than the Agent) won’t be able to log into the Device Enrollment Program portal until the Agent accepts the updated agreements.
  • In ASM and DEP, you can’t assign new devices to your MDM server, even if you have selected the option to automatically assign new purchases to a specific MDM server.
  • Your MDM server might report an error message like “403 T_C_NOT_SIGNED” when communicating with Apple’s device management servers.

The third bullet is the one to pay attention to. Most organizations automatically assign new devices to an MDM server. This will stop working on September 19, until you accept the new agreement.

It seems impossible to accept or even review the new agreement prior to September 19. Hopefully your organization can be prepared to halt deployments during this period.
