Question

I spent the whole day installing and configuring a Mac Mountain Lion with the server app to provide some MDM capability to allow pushing of configuration profiles over-the-air to some iPhones to disable some functions like using the camera and Safari. Everything was set up and running till I encountered a very troubling problem.

Even though I have set a password for the restriction profile, there is no password set for the MDM profile. Effectively, anyone using the phone will be able to remove the MDM profile, which would also remove every restriction as well, rendering the whole process useless. I found out from some old posts that it is not possible to set a password on the MDM profile. Is this even real? What is the point of restrictions if anyone could remove them when they want?

Solution

It's specifically designed like that. Apple has this idea that a user should always decide what he/she wants. So, the user may enroll into MDM and unenroll from MDM at any time.

However, in that case, if you remove the MDM profile you lose both the restrictions and access to your enterprise data (your Exchange profile will be removed, if it was installed through MDM. The same is true for VPN access, WiFi access and so on).

It's described pretty well in the MDM documentation.

Generally speaking, they weren't good at supporting devices which belong to the enterprise and which are supposed to be restricted all the time. Now, they are gradually moving in this direction.

BTW, some new changes are coming in iOS 7 for supervised devices. I believe you may get what you are looking for. If you have access to the WWDC 2013 videos, take a look at the managing mobile devices session.

Update 1

I haven't tried it, but as I understand it, you can install a locked MDM profile on a supervised device, so this MDM profile can't be removed.
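The removal behaviour discussed in the question and answer above can be checked before profiles are deployed. The following is an added example, not part of the original answer or of any Apple tool: it reads `.mobileconfig` property lists and reports the weakest way each profile can be removed. The key `PayloadRemovalDisallowed` and the payload types are taken from Apple's configuration profile format rather than from this page; treating the lock as honored only on supervised devices, and every non-MDM profile as installed through MDM, are assumptions of the example.

```python
import plistlib

MDM = "com.apple.mdm"  # MDM enrollment payload type
REMOVAL_PW = "com.apple.profileRemovalPassword"  # removal-password payload type

def own_policy(raw, supervised):
    """Removal path for one profile on its own: 'free', 'password' or 'blocked'."""
    prof = plistlib.loads(raw)
    types = {p.get("PayloadType") for p in prof.get("PayloadContent", [])}
    is_mdm = MDM in types
    if REMOVAL_PW in types and not is_mdm:
        policy = "password"   # removable only with the removal password
    elif prof.get("PayloadRemovalDisallowed", False) and supervised:
        policy = "blocked"    # locked profile; assumed honored only when supervised
    else:
        policy = "free"       # any user of the phone can remove it
    return prof.get("PayloadDisplayName", "?"), is_mdm, policy

def effective_policies(raw_profiles, supervised):
    """Weakest removal path per profile. Assumes every non-MDM profile was
    installed through MDM, so it disappears when the MDM profile is removed."""
    parsed = [own_policy(raw, supervised) for raw in raw_profiles]
    mdm_free = any(is_mdm and pol == "free" for _, is_mdm, pol in parsed)
    return {name: ("free" if mdm_free else pol) for name, _, pol in parsed}

def make_profile(name, payload_types, locked=False):
    """Build a constructed sample profile (not an export from a real server)."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadDisplayName": name,
        "PayloadRemovalDisallowed": locked,
        "PayloadContent": [{"PayloadType": t} for t in payload_types],
    })

if __name__ == "__main__":
    restrictions = make_profile(
        "Restrictions", ["com.apple.applicationaccess", REMOVAL_PW])
    scenarios = [
        ("unsupervised, plain MDM profile", make_profile("MDM", [MDM]), False),
        ("supervised, locked MDM profile",
         make_profile("MDM", [MDM], locked=True), True),
    ]
    for label, mdm_profile, supervised in scenarios:
        print(label, effective_policies([restrictions, mdm_profile], supervised))
```

In the first scenario the password on the restrictions profile gives no protection, because the freely removable MDM profile takes the restrictions with it.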

OTHER TIPS

That seems slated to change. I was just reading this article about it yesterday.

Excerpt:

Most crucially, these management profiles can be made mandatory, preventing users from uninstalling the profiles themselves.

According to the article it's going to allow us to force configure devices without ever needing the device in hand and preventing the users from removing the profiles. There are some nice new features, but it makes me wonder about the ability to force lock down anyone's device with just their serial number. It's something I'll need to spend more time looking into.

Licensed under: CC-BY-SA with attribution
Not affiliated with StackOverflow