Using Apple iOS Devices with MSP

72E-151898-01 Revision L November 2011


© 2011 by Motorola Solutions, Inc. All rights reserved.

No part of this publication may be reproduced or used in any form, or by any electrical or mechanical means, without permission in writing from Motorola Solutions. This includes electronic or mechanical means, such as photocopying, recording, or information storage and retrieval systems. The material in this manual is subject to change without notice.

While every reasonable precaution has been taken in the preparation of this document, neither Symbol Technologies, Inc., nor Motorola Solutions, Inc., assumes responsibility for errors or omissions, or for damages resulting from the use of the information contained herein.

The software is provided strictly on an “as is” basis. All software, including firmware, furnished to the user is on a licensed basis. Motorola Solutions grants to the user a transferable and non-exclusive license to use each software or firmware program delivered hereunder (licensed program). Except as noted below, such license may not be assigned, sublicensed, or otherwise transferred by the user without prior written consent of Motorola Solutions. No right to copy a licensed program in whole or in part is granted, except as permitted under copyright law. The user shall not modify, merge, or incorporate any form or portion of a licensed program with other program material, create a derivative work from a licensed program, or use a licensed program in a network without written permission from Motorola Solutions. The user agrees to maintain Motorola Solutions' copyright notice on the licensed programs delivered hereunder, and to include the same on any authorized copies it makes, in whole or in part. The user agrees not to decompile, disassemble, decode, or reverse engineer any licensed program delivered to the user or any portion thereof.

Motorola Solutions reserves the right to make changes to any software or product to improve reliability, function, or design.

Motorola Solutions does not assume any product liability arising out of, or in connection with, the application or use of any product, circuit, or application described herein.

No license is granted, either expressly or by implication, estoppel, or otherwise under any Motorola Solutions, Inc., intellectual property rights. An implied license only exists for equipment, circuits, and subsystems contained in Motorola Solutions products.

Motorola Solutions and the Stylized M Logo and Symbol and the Symbol logo are registered in the US Patent & Trademark Office. All other product or service names are the property of their respective owners.

Motorola Solutions, Inc.
One Motorola Plaza
Holtsville, New York 11742-1300
http://motorolasolutions.com/


Table of Contents

About This Guide
  MSP Documentation
  Help
  Service Information
Chapter 1 - Introduction
  Overview
  Apple iOS4 and iOS5 Device Management Differences
  Licensing Information
Chapter 2 – Planning and Installation
  Overview
  Apple iOS Device Classes
  Architecture
  Apple iOS Device Gets its Identity Certificate Directly from MSP, Indirectly from SCEP
  Apple iOS Device Gets its Identity Certificate Directly from a SCEP Server
  Apple iOS Device Gets Static Identity Certificate from MSP
  Deciding Which Identity Certificate Architecture to Use
  Planning for Apple iOS Device Management
  CA & SCEP Planning
  Component Locations
  Installation Roadmap
  Prerequisites
  Guide to Installing MSP with Apple iOS Support
  Guide to Configuring MSP for Apple iOS Support
  Creating APN Certificate Signing Request Using the MSP Administration Program
  DM Web Enrollment Configuration
Chapter 3 – Staging Apple iOS Devices
  Overview
  Apple iOS Device Staging Process
  Initiating Enrollment
  Terminating Device Management
Chapter 4 – Provisioning Apple iOS Devices
  Overview
  Provisioning Support for Apple iOS Devices
  Configuration
  Supported Settings Classes
    Network.WLAN.Apple
    Control.Apple.Wipe
    Apple.CalDAV
    Apple.CardDAV
    Apple.Credentials
    Apple.Email
    Apple.Exchange
    Apple.LDAP
    Apple.ManagedSettings
    Apple.Passphrase
    Apple.Restrictions
    Apple.SCEP
    Apple.SubscribedCalendars
    Apple.VPN
    Apple.WebClips
    Applications
  Apple iOS Limitations
  Types of Applications
  Commercial Applications
  Enterprise Applications
  Redemption Codes for Commercial Apps that Require Payment
  Firmware Updates
  Control Modules
  Data Content
Chapter 5 – Using Apple iOS Device Management Support
  How to use the Apple iOS Device Management
  Using External Sources with Apple iOS
  External Source Templates
  External Sources
  Creating a SCEP External Source
  Creating a LDAP External Source
  External Source Tagging
  Creating an External Source Tagging object
  Using an External Source Tagging Object
  Staging Support
  Provisioning and Action Support
  Processing Deployment Steps
  MSP Task List application (Only for iOS 4)
  Overview
  Installation and Configuration
  Notification
  Launching and Execution
  User Interface
  Task Items
  Device Attribute Support
  Data Collection Support

About This Guide

MSP Documentation

The Using Apple iOS Devices with MSP document provides guidance for pre-installation planning, application set up, and the information for successfully using Apple iOS Devices with MSP. The library of available MSP documentation is extensive and widely available to MSP customers. Customers may obtain the latest version of all documents from:

http://support.symbol.com/support/product/softwaredownloads.do.

A Documentation library is available by accessing the MSP Console UI online Help.

Help

You can access page-specific help in the MSP Administration Program by clicking Help on the Menu bar.

Note:

Some configurations may require a second click of the Help link in the Menu bar. This is due to some minor conflicts caused by a Microsoft Security update.

Service Information

For Motorola support, please contact Motorola Enterprise Mobility support for your region. The contact information is available at: http://www.symbol.com/contactsupport.


When contacting Enterprise Mobility support, please have the following information available:

Serial number of the software

Model number or product name

Software type and version number

Software license information

Motorola responds to contacts by email, telephone, or fax within the time limits set forth in support agreements. If you purchased your Enterprise Mobility business product from a Motorola


Chapter 1 - Introduction

Overview

Apple iOS4® and Apple iOS5® devices (iPhone®, iPod®, iPad®) can be managed only by using the Mobile Device Management (MDM) support built into Apple iOS, Apple's device operating system. Version 4.0 of MSP has been enhanced to provide management functions using this built-in support. No MSP client is required to provide this support, but Apple requirements for device management must be followed.

Note:

Management capabilities of an Apple iOS device are different than other device types. For more information about the features supported for Apple iOS devices, refer to the MSP Release Notes.

Apple iOS4 and iOS5 Device Management Differences

There are significant differences between devices running Apple iOS4 and those running Apple iOS5.

Some of these are:

Deployment of Applications to Device

o On any Apple iOS4 device, the MSP Task List application must be installed on the device and properly configured to facilitate the deployment of any applications to the device. The device user would then be required to open the MSP Task List application and complete the installation of any pending install tasks available.

o For all Apple iOS5 devices, the built-in DM client is used to process the deployment of applications directly to the device; hence the MSP Task List app is not required on any Apple iOS5 devices.

o Both enterprise and commercial applications can be deployed to Apple iOS devices using MSP 4.0.

o The device user must still confirm the installation of any applications deployed (no silent application installs).

Commercial Applications

o MSP 4.0 allows the deployment of all commercial applications (both paid and free apps).

o In Apple iOS4, it is necessary for the device user to pay for the app directly using his or her iTunes account if it was not free. In Apple iOS5, redemption codes must be used to deploy paid apps, as the end Apple iOS5 user cannot pay for the apps. The MSP Administrator would use the Apple Volume Purchase Program (VPP) to obtain redemption codes for specific apps. Also, a separate iTunes account must be used for the VPP.

o The device user must still confirm the installation of any applications deployed and installation of the app requires a basic iTunes account even though the account will not be charged.

Important:

Redemption Codes are not license keys. Once they are redeemed, they cannot be transferred, recovered, or reused for use with any other devices.

After the administrator purchases VPP codes and they are available, the administrator can download an Excel Spreadsheet containing the codes. The Excel file should then be saved as a .csv file and imported into MSP.

Removal of Management Profile on Device

o If the management profile is removed from an Apple iOS5 device, regardless of how it was removed, the agent.undermanagement value will be changed from 1 to 0 to indicate the device is no longer managed by MSP.

o If the management profile is removed manually on an Apple iOS4 device, the agent.undermanagement value will not be reset to 0. If the device is removed from management automatically using the Wipe setting from MSP to remove it, the agent.undermanagement value will get reset to 0.

Enhanced Apple Settings

o Several of the Apple settings have been enhanced for iOS 5 to reflect the additions and modifications of the latest iPhone Configuration Utility from Apple. Note that these enhancements are ignored on iOS 4 devices.

Enhanced Apple Settings Processing

o Processing of the Apple settings has changed in Apple iOS5. Due to this fact, some functionality available to Apple iOS 5 devices is not available to devices still running Apple iOS4.


If a device was enrolled as an Apple iOS4 device it will be managed as an Apple iOS4 device. This means that if that Apple iOS4 device is then upgraded to Apple iOS5, it must be re-enrolled to take full advantage of the Apple iOS5 management capabilities and be managed as an Apple iOS5 device.

Licensing Information

To install the component to support Apple iOS devices, at least one MSP Control License is required. Once installed, a Provision Edition license is required for each Apple iOS device managed with MSP.


Chapter 2 – Planning and Installation

Overview

Apple iOS Device Classes

MSP has a concept called a Device Class, which is important to understand when dealing with devices that are managed with MSP. A Device Class is a type or category that is used to differentiate devices that are managed by MSP. This is useful when devices have different capabilities and/or need to be managed independently of other devices. Apple iOS devices will have Device Classes of 'iPad', 'iPhone', and 'iPod'.

Architecture

The MSP architecture has been enhanced to support Apple iOS devices. The major components for MSP consist of the MSP Server and the MSP Device Management (DM) Server. Additional components and procedures may be required for this support depending on the security needs in the enterprise. Apple iOS devices require the use of an identity certificate during the initial staging/enrollment process as well as for on-going provisioning. There are three different enterprise architectures that can be used; in two of them a Certificate Authority (CA) and a SCEP server are required. The three architecture options are defined below:

1. Apple iOS device gets its identity certificate directly from MSP, indirectly from SCEP

During the staging process, MSP will contact the SCEP server on behalf of the Apple iOS device, retrieve the certificate and send the certificate to the device.

See the diagram in Figure 1 below.

2. Apple iOS device gets its identity certificate directly from a SCEP server

During the staging process, MSP will tell the Apple iOS device where the SCEP server exists and how to talk to it; the Apple iOS device will in turn contact the SCEP server and retrieve its identity certificate.

See the diagram in Figure 2 below.

3. Apple iOS device gets static identity certificate from MSP

A static certificate is used by all Apple iOS devices. This is the simplest mechanism and doesn't require any other enterprise components. The certificate (with private key) can be generated by the usual means and is stored in MSP.

See the diagram in Figure 3 below.

Important:

Architecture #1 is the recommended method.

In the two models where SCEP is utilized, two features/components are required. The following is recommended:

For the Certificate Authority (CA) – Microsoft's feature/role of “Active Directory Certificate Services” with a role service of “Certificate Authority”.

For SCEP – Microsoft's feature/role of “Active Directory Certificate Services” with a role service of “Network Device Enrollment Service”.

Note:

Whichever components are used for CA and SCEP, there will be some basic set-up requirements that will be mandatory. This will be defined later in this document.

There are some basic architecture requirements for managing Apple iOS devices no matter which architecture is chosen. The following items must be allowed in any network that will be used for this purpose.

The MSP Server must be allowed to contact the gateway.push.apple.com server(s) on the internet via port 2195.

The MSP Web Server must be allowed to contact the apple.com server(s) on the internet via an http connection.

Any Apple iOS device used must be able to access the gateway.push.apple.com server(s) on the internet via port 5223.

Any Apple iOS device used must be able to access the ax.init.itunes.apple.com server(s) on the internet via http/https and the ocsp.apple.com server(s) on the internet via http.

Any Apple iOS device used must be able to access the MSP DM Web Server via http/https.

Note:

This connection must use https for Apple iOS5 devices.

The three architectures are described in more detail below.
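The egress requirements above, turned into a pre-deployment check. This is an added example, not code from the guide or from MSP; the allow-list entry format ("host:port" with an optional leading "*." wildcard), the role names, and the host dm.example.com are assumptions of this example.

```python
"""Egress prerequisite check for MSP Apple iOS support.

Added example; not part of the Motorola guide or of MSP. It encodes the
network requirements from the Architecture section and compares them with
a firewall allow-list so that gaps are found before devices are enrolled.
The allow-list entry format ("host:port", with an optional leading "*."
wildcard), the role names and the DM Web hostname are assumptions here.
"""
import socket
from dataclasses import dataclass
from fnmatch import fnmatchcase


@dataclass(frozen=True)
class Flow:
    source: str     # "msp_server", "msp_web_server" or "ios_device"
    host: str
    ports: tuple    # any one allowed port satisfies the flow ("http/https")
    purpose: str


# Flows the guide requires regardless of which architecture is chosen.
REQUIRED_FLOWS = (
    Flow("msp_server", "gateway.push.apple.com", (2195,), "APNs gateway"),
    Flow("msp_web_server", "apple.com", (80,), "apple.com over http"),
    Flow("ios_device", "gateway.push.apple.com", (5223,), "APNs device channel"),
    Flow("ios_device", "ax.init.itunes.apple.com", (80, 443), "iTunes init over http/https"),
    Flow("ios_device", "ocsp.apple.com", (80,), "OCSP over http"),
)


def required_flows(source, ios_version, dm_web_host):
    """Flows `source` needs; the DM Web flow depends on the iOS version.

    The guide requires https between iOS5 devices and the MSP DM Web Server,
    while iOS4 devices may use http or https.
    """
    flows = [f for f in REQUIRED_FLOWS if f.source == source]
    if source == "ios_device":
        ports = (443,) if ios_version >= 5 else (80, 443)
        flows.append(Flow(source, dm_web_host, ports, "MSP DM Web Server"))
    return flows


def rule_allows(rule, host, port):
    """True if allow-list entry "pattern:port" covers host:port.

    "*.apple.com" covers hosts under apple.com but not apple.com itself.
    """
    pattern, _, rule_port = rule.rpartition(":")
    return rule_port.isdigit() and int(rule_port) == port and fnmatchcase(host, pattern)


def missing_flows(source, ios_version, dm_web_host, allow_list):
    """Return the required flows that no allow-list entry satisfies."""
    return [
        flow
        for flow in required_flows(source, ios_version, dm_web_host)
        if not any(rule_allows(r, flow.host, p) for r in allow_list for p in flow.ports)
    ]


def probe(host, port, timeout=3.0):
    """Live TCP connect test, to be run from the host that needs the flow."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    # Constructed allow-list for a device segment that still permits only
    # http to the DM Web Server: the iOS5 check reports it as a gap.
    allow = ["gateway.push.apple.com:5223", "*.apple.com:80",
             "*.apple.com:443", "dm.example.com:80"]
    for flow in missing_flows("ios_device", 5, "dm.example.com", allow):
        print("missing:", flow.host, flow.ports, flow.purpose)
```

`probe()` is the live check to run from each role's host once the rules are in place; `missing_flows()` works offline against the written policy.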


Apple iOS Device Gets its Identity Certificate Directly from MSP, Indirectly from SCEP


Basic Information

As shown in Figure 1, an Apple iOS device will communicate with the MSP DM Web Server over https. If the devices will be only in the WLAN, then the MSP DM Web Server can be located within the WLAN. If any of the devices will be outside the WLAN and communicating to the enterprise over WWAN, then the MSP DM Web Server must be available to the internet, usually in a DMZ. As noted above, Apple iOS devices must also be able to communicate with the different Apple services over the internet.

When the Apple iOS device requires an identity certificate, the MSP server will communicate internally to the SCEP Server which in turn will talk to the Certificate Authority. This model will minimize what is exposed to the internet.

Required Components


Apple iOS Device Gets its Identity Certificate Directly from a SCEP Server


Basic Information

As shown in Figure 2, an Apple iOS device will communicate with the MSP DM Web Server over https. If the devices will be only in the WLAN, then the MSP DM Web Server can be located within the WLAN. If any of the devices will be outside the WLAN and communicating with the enterprise over WWAN, the MSP DM Web Server must be available to the internet usually in a DMZ. Apple iOS devices must be able to communicate to the different Apple services over the internet.

When the Apple iOS device requires an identity certificate, the MSP server will send the information on where and how to communicate to the SCEP Server. When necessary, the Apple iOS device will communicate directly to the SCEP Server which in turn will talk to the Certificate Authority.

Note:

In this model, if Apple iOS devices are communicating through the internet, the SCEP server will have to be available to the internet, as well. That would be most likely located in a DMZ.

Required Components


Apple iOS Device Gets Static Identity Certificate from MSP


Basic Information

As shown in Figure 3, an Apple iOS device will communicate with the MSP DM Web Server over https. If the devices will be only in the WLAN, then the MSP DM Web Server can be located within the WLAN. If any of the devices will be outside the WLAN and communicating to the enterprise over WWAN, the MSP DM Web Server must be available to the internet usually in a DMZ. Apple iOS devices must be able to communicate to the different Apple services over the internet.

This configuration is best used in small enterprises, as well as lab/testing facilities.

Required Components


Deciding Which Identity Certificate Architecture to Use

For large Enterprise deployments of MSP, the recommended Enterprise Architecture should be the preferred method (Option 1). It offers several security benefits to the organization. First, when managing a large number of Apple iOS Devices, the organization will want the ability to issue unique identity certificates for each device. These identity certificates may be based on unique device IDs and/or may be based on the authentication username of the primary device user, such as the Active Directory username. If this is a requirement, the use of a static certificate will not be possible. In this case one of the identity certificate implementations that use SCEP should be used.

The decision of which SCEP implementation should be used needs to be based on the Enterprise's security tolerance for exposing the SCEP server to direct access from the devices. If all devices are restricted to connectivity from an internal WLAN source, the use of direct SCEP access may be a good choice, because a specific firewall exception would not need to be made for traffic from the Internet. However, as is the case with many Apple iOS Devices, they may be required to access the MSP system from the internet. If this is the case, the use of direct SCEP access from the devices would require firewall exceptions to be made to allow this traffic. This may not be the preferred method due to the security restrictions of the Enterprise.

In the case of deployments for large Enterprise implementations that need unique identity certificates and do not want to expose the SCEP server to direct traffic from outside the intranet, MSP offers a solution where MSP contacts the SCEP server on behalf of the devices and sends the unique identity certificate to the device directly at the time of enrollment. The major benefit of this preferred option is that the SCEP server only needs to be accessed from inside the secure intranet. MSP is able to dynamically obtain and assign the identity certificate based on unique device attributes when the device is staged via web-based self enrollment.

For small deployments, the use of a static certificate may be an acceptable solution. It does not require the use of SCEP for assigning unique identity certificates. The benefit of this option is the simplified implementation. The limiting factor of the static certificate option is that if a common identity certificate is used, all devices would be assigned the same (non-unique) certificate. This would cause a management problem for large numbers of Apple iOS Devices. This might be a good solution for a very small number of these devices.

Important:

For purposes of installation planning, the rest of this discussion assumes the end user will be employing the Enterprise Apple iOS Management Architecture depicted by Figure 1 above.

Planning for Apple iOS Device Management

CA & SCEP Planning

Regardless of whether the Certification Authority and SCEP servers are deployed as part of an enterprise PKI environment or as a simplified standalone installation, there are a few requirements for use with MSP:

The CA certificate validity period should be set appropriately for your enterprise.

The CA should be configured to automatically approve certificate requests.

SCEP must be configured to use Single Password.

Specify a local or domain runtime account for SCEP; it should be a member of the local IIS_IUSRS group.

Verify the challenge and fingerprint strings via the MSCEP_admin page (http://.../certsrv/mscep_admin) and make sure it is configured to allow the password to be used multiple times and that it will not expire.

For details describing how to set up and configure the items above, please consult Microsoft documentation for the respective products.

Component Locations

As a general rule, most of the components that comprise the MSP Apple iOS functionality can usually reside on the same server as the MSP Server. One common exception to this rule is the MSP DM Web Server component which must be accessible directly by Apple iOS Devices. If all Apple iOS Devices will access the MSP DM Web Server via an internal network (e.g. via an Enterprise WLAN), then it might be practical for the MSP DM Web Server component to reside on the same server as the MSP Server. But if any Apple iOS Devices will need to access the MSP DM Web Server via a connection from the Internet (e.g. via a WWAN Carrier or public WLAN), then the MSP Apple DM Web Server would likely need to be located in the DMZ. This typical situation is shown in Figure 1 above.

Note:

If the MSP DM Web Server must reside in the DMZ so it can be accessible from the Internet, it could still reside on the same server as the MSP Server if that server is itself located within the DMZ. In some cases, locating the MSP Server within the DMZ may be desirable to allow the MSP Console UI to be accessible from the Internet.

It should be noted, however, that securing a server that is located within a DMZ is generally more difficult than when that server is located more securely within the Enterprise network (e.g. at the NOC). So, if there is no other compelling reason for locating the MSP Server in the DMZ, then it may be preferable to locate the MSP DM Web Server on a separate server within the DMZ.

Installation Roadmap

Prerequisites

Once the locations of the required components have been identified, the installation process can begin. The following items are a high-level list of pre-install tasks that must be completed. Details and additional explanation of these steps (where applicable) will be included in later chapters in this document as well as in the MSP Installation Guide. For instructions on how to perform these tasks, you will need to consult third-party documentation from Microsoft, Apple, or others.


o A root certificate will be needed

o Intermediate Signer Certificates may be needed as well

Install and configure the SCEP Server

o Should use the Microsoft Network Device Enrollment Service (NDES) role; this role requires at least Enterprise Edition of Windows Server.

o Must be configured to use Single Password

o Specify a local or domain runtime account; it should be a member of the local IIS_IUSRS group.

o Set a certificate validity period appropriate for your enterprise

o Verify the challenge and fingerprint strings via the MSCEP_admin page (http://.../certsrv/mscep_admin) and make sure it is configured to allow the password to be used multiple times and that it will not expire.

Install and Configure IIS on the Server on which MSP will be installed

Identify at least one FTP Server for use as an MSP Relay Server

Guide to Installing MSP with Apple iOS Support

1. Install the MSP Application server (refer to the MSP Install Guide for details).

Notes:

The only requirement to use the Apple iOS support is Control edition licensing. No special options are needed while installing the MSP server.

2. After the installation successfully completes, you must do the following before moving on to the MSP DM Web installation. You will not be able to proceed with the MSP DM installation if a Control license is not present, and you must choose a Relay Server to use for the DM during the install. Typically a default administrative user is defined during the MSP installation, but if no users with this permission exist (i.e. admin or security) when the DM Web is installed, you will not be able to complete the installation.

Notes:

Ensure an MSP Control Edition License has been installed

Create at least one Relay Server in MSP that the Web Enrollment Server will be associated with.


3. Configure SSL for the IIS instance hosting the MSP web site. This is recommended but not required.

a) If using a CA that is not already listed as a trusted authority in the local machine certificate store, the Root CA public certificate for the CA being used must be installed.

b) From the IIS management console, request a signing cert for the web site hosting the MSP Web Console (http://.../MSP.Web) and Web Services (http://.../MSP.WebServices). For this step, the hostname that will be used to access MSP.Web will need to be specified as the Common Name for the certificate request.

c) Get the certificate request fulfilled.

In a domain configuration with Integrated CA, this can be configured to happen automatically.

In a domain configuration with a Standalone CA, this request may need to be submitted for fulfillment.

If using a Public CA, you will need to submit the request to the CA.

d) Use the response from the certificate request to complete the Certificate Request in IIS.

e) Specify at the web site level, that this certificate should be used for SSL.

Important:

Set the option to ignore client certificates for the MSP Web Console and web service. If no other web applications are being hosted, these settings can be applied at the web site level. If other web applications are being hosted in this IIS instance, then the settings will need to be applied at the virtual directory level.

f) If this certificate will be used as the signing certificate by MSP, read permission for the private key must be granted to the MSP service group.

4. Install the MSP Web Enrollment Server to create the DM Web (see Chapter 3 of the MSP Install Guide). The installation will also create the DM Server record in MSP. During the installation, you will need to choose a Relay Server to use from the list of available choices in MSP.

5. Configure SSL for the IIS instance that will host the MSP Web Enrollment Server (https://.../DM.Web). This is a required step if you intend to manage any Apple iOS5 devices. This is only a recommended step if you will be managing Apple iOS4 devices exclusively.

This step is the same as Step 3 with the following exception: change the SSL settings to Require SSL and ignore client certificates.

Apple recommends that the DM Web server is accessed via https.

6. Configure MSP for Apple iOS support.

g) Configure Apple iOS related settings via MSP Administration Program UI. (See Administering MSP for specific instructions for these settings.)

h) Configure the certificates and topic under Features ->Web-Based Enrollment -> iOS related -> MSP to APNS Bridge and DM.Web in the MSP Administrative Program UI. Additional information can be found in the MSP Administration Program Help file.

Guide to Configuring MSP for Apple iOS Support

1. Configure the DM Server via the MSP Console UI (see the MSP Console UI Help for more details).

Create a Setting to provide the DM client with a signing certificate for identity. There are three options for configuring this. These options correspond to the three different architectures described by the diagrams in Figures 1, 2 and 3 at the beginning of this chapter. You must choose the ONE option below which correctly corresponds to the architecture used in your setup.

a) Option 1: The MSP server requests a certificate from the SCEP server on behalf of the Apple iOS device.

To use this option, dynamic content must be enabled in MSP (See Administering MSP).

Create an External Source in the MSP Console UI to enable retrieval of certificates from the SCEP server.

Create an Apple.Credentials.setting object using the External Source just created.

b) Option 2: The DM Client of the Apple iOS device requests a certificate directly from a SCEP server. Create an Apple.SCEP.setting object in MSP containing the appropriate details for connecting to your SCEP server from the device.

Important:

Do not specify the state locality field when configuring this SCEP settings object. The Apple iOS DM client does not seem to process it properly.


c) Option 3: A static certificate is supplied that will be common among all staged Apple iOS Devices.

Create an Apple.Credentials.setting object specifying a certificate that has a private key embedded.

2. Configure a Web Enrollment Staging Profile

Create a Staging profile and add the setting just created to provide a signing certificate. For a staging profile to be used with Web Enrollment the following applies:

o These options are not important: Device Model, Device OS, Wireless LAN, Relay Server

o Add the signing certificate setting created in step 9 above as an additional setting.

o It doesn't need Barcode Staging or Electronic Staging enabled.

o It does need the option for Web-Based Self-Enrollment Staging enabled. For this option, the appropriate Apple iOS device(s) must be selected from the list provided according to what device the profile should apply to (i.e. iPad, iPhone, iPod).

3. Optionally configure SMS for staging

This will require configuring an SMS carrier to be used. (See the topic Create SMS Device in the MSP Console UI Help File.) This is for the pre-stage functionality.

Creating APN Certificate Signing Request Using the MSP Administration Program

A signer certificate is required from Apple to be able to use MDM software to manage Apple iOS devices. MSP provides a convenient way for end users to obtain the necessary Apple Push Notification Certificate required.

Important:

In order to complete this process, the MSP administrator must have a basic iTunes account which will be used to log into the Apple web site to generate the certificate.

Note:

The Topic/Apple Bundle ID comes from the enterprise Apple MDM Push Notification certificate in the subject field. There will be a string that starts with the following: com.apple.mgmt. The entire string “com.apple.mgmt…..” is what needs to be entered in the Administration Program. This should be done automatically in the MSP Admin Program.


The overall process involves the following steps:

1. Create a certificate signing request

To begin the process, the MSP user must log in to the MSP Admin Program and go to the APNS Bridge section of the Configuration. Click on the button to the right of the Push Notification cert drop-down box to start the wizard.

2. Enter your company and contact info and click Next. This will make a web service call to send a request to Motorola Solutions.

This will make a secure web service request to a Motorola server which in turn signs it with a special MDM vendor certificate that Motorola received from Apple. A File Save dialog box will open prompting the user to save the certificate output. This resulting certificate must be uploaded to an Apple Certificate server by the user in the next step.

3. Upload the signed request to Apple

Go to the Apple certificate site indicated in the MSP Admin Program. The URL directs you to the Apple site, https://daw.apple.com, where you must sign in with your own Apple ID. Complete the steps to create the certificate, accept the terms, and choose the file saved in step 2 to upload. Apple then issues a .pem certificate file which can be downloaded from the site.

4. Complete the signing request in MSP

Return to the MSP Admin Program, upload the .pem file, and click Finish to complete the certificate signing. MSP creates and imports a signed certificate together with the private key that was generated in step 1; this certificate is what authenticates your MSP server to the Apple Push Notification service. MSP also assigns the necessary read permission on the certificate file to the MSP server. Keep the private key on the MSP server only: anyone holding the certificate and its key can send push notifications to every device enrolled under that topic.

DM Web Enrollment Configuration

When the DM Web Server installation is completed as described earlier in this chapter, a corresponding DM Server object is created in MSP. All DM Server objects can be viewed in the MSP Console under the Admin, DM Servers section.

MSP 4.0 provides some customization of DM Servers. Customization may be used to show a company-specific logo and text on the various pages, or to present different prerequisites, profiles and page content depending on the type of device that is used to access the Web Enrollment pages.

There is no way to create a DM Server object within the MSP Console, because the DM Server installation is what creates it. Once created by the DM Server installation process, DM Server objects may be deactivated and modified from the console.

To modify an existing DM Server object, click on the ID of the DM Server and click Edit in the Related Tasks area. This deactivates the DM Server so that you can edit the details. In the DM Server information, you can give the DM server a new name, select a different Relay Server for it, edit the URL, or provide a new SMS staging message.

Do not modify the URL of the DM Web Server unless you are sure that the URL will exactly correspond to your “DM.Web” virtual directory in IIS. Modifying the URL is also the way to switch to https if you did not enable it when the DM was installed; https is strongly recommended, since Device Users type their MSP credentials into the Login page and the device downloads its Root Certificate and Staging Profile from this server. Click Next to continue. You will then have the option to upload a custom logo for your company. Choose the logo file and click the Upload button. Click Next to continue.


When a DM Server is created, it is configured to use the default Content Pages (Welcome, Login, Prereqs, Staging Profile, Summary) with the standard message on each page for all device types. If you would like to modify the text of any Content Page, either to make the message company-specific or to tailor it to the device type being enrolled, you can edit it here. Click the Add Page button, choose the page you want to set, select the device types it should apply to, and provide your custom message.

You may want to create multiple customized Content Pages depending on device type. For example, you may want a different description on the Prereqs Page for Apple iOS devices than for Android devices. In this case, you would have two custom Prereqs Content Pages listed. Also note that if you elect not to create a custom page for any of the Content Pages, the default will be used. For example, if you created customized Content Pages for Welcome, Login, Prereqs, and Staging Profile but omitted the Summary page, the default text will be used in the Summary. When you are finished with the Content Page edits, click Next to continue.

The Prerequisites list is important. No items are listed in the DM by default; however, if any Apple iOS devices will be enrolled, a root certificate prerequisite is required. Click the button to add a new prereq item. There are three types of prerequisites that can be included: Cert, Package, and URL.

Cert

o When selecting the Cert prereq, you will NOT be presented with an option to select a certificate. The certificate delivered by a Cert prereq is always the Root Certificate used by the MSP server, so the MSP Server already knows which certificate is needed.

o The Cert prereq is required for enrolling any Apple iOS devices.

Package

o When selecting the Package prereq, select the package from the drop-down list of available packages in MSP. The package must be defined in MSP before you can use it in this prereq definition. Note that the package selected must be valid for the type of device(s) indicated.

URL

o When selecting the URL prereq, provide the URL for the item in the Content textbox. It must be a valid and correct URL, and it should use https whenever the item it points to will be installed on the device, since the device has no other way to tell that the download was not tampered with.

You must also choose which device classes the particular prereq applies to. You can select one item or the whole list. For example, for the Cert prereq, make sure you select the classes iPad, iPhone, and iPod from the list.

Finally, provide a title, a description, and the order in which you want the prereq to be presented in the list (if there is more than one for the given device type).

Once the list of prereqs is set, click Finish to complete the edit of the DM Server. This will also reactivate the DM Server making it ready to be used by devices immediately.


Chapter 3 – Staging Apple iOS Devices

Overview

Like most other devices that are Directly Managed or Indirectly Managed by MSP, Apple iOS Devices are brought under management by MSP through a Staging Process. However, the Staging Process for Apple iOS Devices differs from the one used for devices that are Directly Managed by MSP.

Important:

Apple iOS Devices are supported only by MSP Provision Edition and MSP Control Edition.

Apple iOS Device Staging Process

Since Apple iOS Devices do not support a native MSP Client, the Staging Process for these devices cannot begin by running a Staging Client, like it does on devices that are Directly Managed by MSP. Instead, the Staging Process for Apple iOS Devices can be initiated from the Safari Web Browser on the device. This is known as Web-Based Self Enrollment, or simply Enrollment.

This method follows the “opt-in” model where device users can follow a pre-set procedure to enroll their device(s) without individual action required by an MSP administrator. The device user is required to agree to the terms of enrollment and management of their device in order to complete the enrollment process.


Initiating Enrollment

To initiate the Enrollment Process for an Apple iOS Device, the Safari Web Browser must be launched and directed to the URL of an MSP Device Management (DM) Web Server via which that device will be Enrolled. The URL to the MSP DM Web Server would typically have the following form:

https://<server>/dm.web/

where <server> is the IP address or network name of the MSP DM Web Server. The URL to the MSP DM Web Server could simply be provided to the Device User who would then manually launch the Web Browser and enter the URL. Alternately, the URL to the MSP DM Web Server could be sent to the Device User via the device (e.g. as a text message, Email message etc.). If provided in such a manner, the Device User could simply click on the URL to launch the Web Browser and automatically navigate to that URL.

Important:

The text and page content displayed in the various pages of the DM Web Enrollment described below depend on the configuration and customization of the corresponding DM Server object in MSP. For details about configuring the DM Server, refer to the DM Web Enrollment Configuration section in Chapter 2.

SMS Messages may be used as a means of delivering the Enrollment URL to Apple iOS Devices which are capable of receiving text messages. For details on using SMS Messages, see the Using MSP Guide.

Performing Enrollment

When the Web Browser on the Apple iOS Device accesses the URL of the MSP Apple DM Web Server, a security warning of the form “Cannot Verify Server Identity” may appear. This indicates that the device does not yet trust the Certificate Authority that issued the Certificate to the MSP Apple DM Web Server.

The Device User should click the Details button and verify that the URL being accessed is the one intended (i.e. no typos and no unexpected redirections, which could indicate a “man in the middle” attack). To proceed with the Staging Process, the Device User must click the Continue button, or, if the Device User clicked the Details button, the Accept button.

Important:

Everything that follows, including the Root Certificate the device is about to install, is downloaded over this not-yet-trusted connection. Once the Root Certificate is installed, the device trusts whatever server supplied it, so this warning is the only point at which a substituted server could be noticed. If the DM Web Server uses a certificate issued by a Certificate Authority that Apple iOS already trusts, the warning does not appear. Otherwise, give Device Users the fingerprint of the Root Certificate through a separate channel (e.g. the enrollment instructions) so that they can compare it with the fingerprint shown on the device before installing it.

Once the security warning has been accepted, the Device User is presented with an Apple Device Management Web Page. The Web Enrollment page will attempt to determine the type of device that is being used to access the page (Android, iPad, iPhone, iPod, or Mobile Device). The device type is important in determining page contents throughout the process. If the Web Enrollment page is accessed by a device type which cannot be identified (as sometimes occurs when it is accessed from a PC), the user will first be presented with a page to select their device type from the list. Staging is performed by executing the following steps, as presented on the DM Web Page:


1. Welcome page

The first page displayed will be the Web Enrollment Welcome page. The text on this page can be customized to display your company’s desired text. This is also an appropriate place to include the Terms of Use. The user must click the “Accept” button to continue.

2. Login page

The device user must log in using valid credentials for access to MSP. For details on setting up MSP Users and Active Directory Users via Authentication Sources, refer to the Using MSP Guide. The user account used to log in must be assigned the SelfEnrollment role in MSP; this user may be either an MSP user or an AD user. Because these credentials are typed into a web page on the device, the DM Web Server should be configured for https (see DM Web Enrollment Configuration in Chapter 2). Click Login to continue.

3. Prerequisites page

The purpose of this page is to display any prereqs required before proceeding with the enrollment. For Apple iOS devices, at least one prereq will always be required, the root certificate. Once the appropriate prerequisites have been installed, the user may proceed with the enrollment process.

a. Root Certificate

This step causes the Apple iOS Device to acquire the Root Certificate required to establish trust of the MSP DM Web Server.

Important:

The Root Certificate step is mandatory on Apple iOS devices, if it has not been previously executed. If the Root Certificate step has been successfully completed during a previous execution of the Staging Process, and if the Root Certificate has not been removed, then this step can safely be skipped. Executing the Enroll step will fail if the Root Certificate is not properly installed.

To execute the Root Certificate step, the Device User must click the Root Certificate button. This causes the Root Certificate of the Certificate Authority that issued the Certificate to the MSP DM Web Server to be downloaded and displayed. To proceed with the Staging Process, the Device User must click the Install button to approve the installation of the Root Certificate.

A security warning of the form “Unverified Profile” may be displayed, indicating that the device cannot automatically verify the authenticity of the Root Certificate. This is expected, since trust has not yet been established; it also means the device cannot tell a genuine Root Certificate from a substituted one, so the Device User should compare the fingerprint shown in the certificate details with the one published by your organization before continuing. To continue, the Device User must click the Install button to accept the installation of the Root Certificate.

Once the Root Certificate has been installed, it will be displayed and will be shown as “Trusted”. To continue with the Staging Process, the Device User must click the Done button. The device will return to the Apple Device Management Web Prerequisites Page.
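The two warnings above (“Cannot Verify Server Identity” and “Unverified Profile”) both come down to one check: does the Root Certificate the device is about to trust match the one your organization actually issued? The following script, added here as an example and not part of MSP or of the original page, takes the Root Certificate file (PEM or DER) and produces its SHA-1 and SHA-256 fingerprints in the colon-separated form shown in the certificate details on the device, so the help desk can publish them with the enrollment instructions and confirm a value a user reads back. The function names and the sample bytes are this example's own assumptions; the sample is a constructed stand-in, not a real certificate, which does not matter because the fingerprint is simply a hash of the DER bytes.

```python
"""Fingerprints of the enrollment Root Certificate (added example).

The Root Certificate is downloaded over a connection the device does not trust
yet, so the only thing protecting the user from a substituted certificate is a
comparison against a fingerprint published out of band. Function names and
the sample bytes below are this example's assumptions, not MSP functionality.
"""
import base64
import hashlib
import hmac
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def to_der(data: bytes) -> bytes:
    """Accept either a PEM file (first CERTIFICATE block) or raw DER bytes."""
    text = data.decode("ascii", errors="ignore")
    m = PEM_BLOCK.search(text)
    if m:
        return base64.b64decode("".join(m.group(1).split()))
    if data[:1] != b"\x30":          # every DER certificate is an ASN.1 SEQUENCE
        raise ValueError("not a PEM or DER certificate")
    return data


def fingerprints(data: bytes) -> dict:
    """SHA-1 and SHA-256 over the DER bytes, formatted as AA:BB:CC:..."""
    der = to_der(data)
    out = {}
    for name in ("sha1", "sha256"):
        digest = hashlib.new(name, der).hexdigest().upper()
        out[name] = ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))
    return out


def matches(data: bytes, shown: str) -> bool:
    """Compare a fingerprint as a user reads it from the device (any case,
    colons and spaces optional) against the certificate, in constant time."""
    wanted = re.sub(r"[^0-9a-f]", "", shown.lower())
    for expected in fingerprints(data).values():
        if hmac.compare_digest(wanted, expected.replace(":", "").lower()):
            return True
    return False


# Constructed stand-in for a DER certificate: real DER starts with 0x30
# (SEQUENCE); the remaining bytes are arbitrary, since hashing does not
# depend on the certificate's contents.
SAMPLE_DER = b"\x30\x82\x01\x00" + b"stand-in root certificate bytes" * 4
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    fp = fingerprints(SAMPLE_PEM)
    print("SHA-1  :", fp["sha1"])
    print("SHA-256:", fp["sha256"])
    # A user typically reads the value back without colons; that still matches.
    print("matches:", matches(SAMPLE_DER, fp["sha256"].replace(":", " ")))
```

Run it against the same file the DM Web Server serves for the Cert prereq, and put the SHA-256 line in the enrollment instructions; a PEM file containing a whole chain is handled by taking its first certificate, so make sure the root is the first block in that file.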


b. MSP Task List app (Only for iOS 4)

Important:

The Task List is only used for iOS 4, and only if applications will be deployed to the device; if no app deployment is required, the Task List is not necessary. If Apple iOS4 devices may be enrolled using this DM Web Server, include this item and state in the page text that downloading it is highly recommended for Apple iOS4. If no Apple iOS4 devices will be enrolled, remove this prereq item altogether to avoid confusion. The Task List is not needed for Apple iOS 5 and should not be used there.

The MSP Task List app step initiates the installation of the MSP Task List application onto the device. This step is optional, but installation of applications via MSP is not possible on an Apple iOS4 device if this optional step has not been performed.

To install the MSP Task List application, the Device User must click on the MSP Task List button. The MSP Task List application will then be downloaded and the Device User will be presented with the message ‘<server> would like to install “MSP Task List”’. To install the MSP Task List application, the Device User must click on the Install button.

Other prerequisite items may be added to this list as needed; however, these two will be the most common.

After installing the prerequisites, click Next to continue.

4. Staging Profiles page

The Staging Profiles page is used to display all of the staging profiles defined in MSP which are configured to allow Web-based Self-Enrollment Staging for the device type that is being enrolled.

Note:

At least one staging profile with the appropriate configuration must be defined in MSP before it will appear on this page. If there are multiple staging profiles defined for allowing web enrollment for this device type, a list will be presented for those. To avoid confusion, Motorola recommends providing the device user with only one staging option per device type. Typically, only one staging profile is needed for each of the Apple iOS device types.

When the device user clicks on the staging profile link, they will be taken to the Profile details for the “MSP - Stage” Profile. This is where the actual enrollment process is initiated.

The Device User will be requested to accept the installation of the “MSP – Stage” Profile. The Profile should be shown as “Trusted” to indicate that it was in fact issued by the now-trusted MSP DM Web Server. The Device User must click the Install button, after which he will be asked to re-confirm the installation of the Profile. To continue with the Staging Process, the Device User must click the Install Now button.


The device will then perform the actions required to install the Profile and will display a number of status and progress messages while doing so. After a while, a security warning of the form “Mobile Device Management” will be displayed. This is an indication to the Device User that the device will now be under management by MSP. To continue with the Staging Process, the Device User must click the Install button.

Important:

Apple iOS Device Management is based on an “opt in” model. A Device User must explicitly accept the installation of a Device Management Profile which allows the device to be brought under management by a Device Management System. Once the installation of a Device Management Profile has been accepted, the Device Management System will be capable of re-configuring the device with no further warnings or notifications to the Device User except for the installation of apps. The device user will still be prompted to confirm installation of all apps.

The device will continue to perform actions required to install the Profile and will display a number of status and progress messages while doing so. When the installation of the Profile is complete a “Profile Installed” message will be displayed and the Profile will be shown as “Verified”. To complete the Staging Process, the Device User must click the Done button.

Once the Staging Process is completed, the Web Browser will return to the Summary page. At this point, no further action is required and the device will have been successfully brought under management by MSP. The Device User can navigate away from the page, close the Web Browser, etc.

Terminating Device Management

As described earlier, the Apple DM Model is based on an “opt in” model which requires the explicit agreement of the Device User to bring the device under management. The Staging Process, as defined above, causes the device to be brought under management by MSP. Once a device is managed by MSP, no further warnings or notifications will be made to the Device User as a result of management operations performed by MSP to the device.

Important:

The one exception to the “no notifications” rule stated above is that installation of applications will always require the involvement of the Device User. This is unavoidable and is a basic requirement of the Apple DM Model.

Since bringing a device under management by MSP requires the Device User to “opt in”, it is also possible for the Device User to later “opt out”.

To “opt out” of management by MSP, the Device User must simply remove the Device Management Profile that was installed on the device. Removing this Profile effectively breaks the partnership between the device and the MSP DM Web Server, and hence with the MSP Server. The Device User can delete the MSP - Stage Profile from the Settings->General->Profiles screen of the Apple iOS Device.

Terminating device management can also be achieved by an MSP Administrator by sending a Control.Apple.Wipe setting to the device from MSP. This will also remove the device from management as well as remove any settings applied while under management. For more details on the Control.Apple.Wipe setting see Chapter 4.


Important:

When a Device User chooses to “opt out” of management by MSP, any configuration changes made to the device by MSP will be removed from that device along with the Device Management Profile. For example, if the device has been configured to access the Enterprise network, has been configured to require a password, etc., these changes will all be removed when the device is removed from management by MSP. For Apple iOS5 Devices, all applications installed by MSP will also be removed when the Device is removed from device management. This is intentional and ensures that no sensitive Enterprise configuration remains on the device when MSP is no longer managing the device.

There is a difference in how the termination of management is recorded in MSP, depending on whether the device runs Apple iOS4 or Apple iOS5. While under management, all Apple iOS devices show a value of 1 for the agent.undermanagement attribute. On Apple iOS4, when the profile is removed manually by the Device User, MSP is not informed of the removal and hence has no way to know that the device has left management; the attribute stays at 1. On Apple iOS5, if the management profile is removed in any way, MSP is notified and the agent.undermanagement attribute is set to 0.
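Because an Apple iOS4 device that opts out leaves agent.undermanagement at 1, the only observable sign of the opt-out is that the device stops contacting MSP. The script below is an added example, not MSP functionality or the page's own material, of the check an administrator can run over a device export to find iOS4 devices that still claim to be managed but have gone silent. The agent.undermanagement attribute is from this document; the other column names, the export layout and the sample rows are this example's assumptions.

```python
"""Detecting silent opt-out of Apple iOS4 devices (added example).

On iOS4 nothing tells MSP that the MSP - Stage profile was removed, so a
device that opted out keeps agent.undermanagement = 1. The only signal is
silence: the device stops checking in. Column names other than
agent.undermanagement, the export layout and the sample rows are this
example's assumptions, not an MSP report format.
"""
from datetime import datetime, timedelta


def stale_managed_devices(devices, now, max_silence=timedelta(days=7)):
    """Return ids of devices that claim to be managed but have gone quiet.

    Only Apple iOS4 entries are flagged: on iOS5 a removed profile clears
    agent.undermanagement, so a silent iOS5 device that still shows 1 is a
    connectivity question rather than a management question.
    """
    flagged = []
    for d in devices:
        if d["agent.undermanagement"] != 1:
            continue                      # MSP already knows it left
        if not d["os"].startswith("4."):
            continue                      # iOS5 reports removal itself
        if now - d["last_contact"] > max_silence:
            flagged.append(d["id"])
    return flagged


# Constructed sample export (not real MSP data).
SAMPLE_NOW = datetime(2011, 11, 15, 9, 0)
SAMPLE_DEVICES = [
    {"id": "ipad-001", "os": "4.3.5", "agent.undermanagement": 1,
     "last_contact": SAMPLE_NOW - timedelta(hours=6)},   # healthy
    {"id": "ipad-002", "os": "4.3.5", "agent.undermanagement": 1,
     "last_contact": SAMPLE_NOW - timedelta(days=12)},   # probable opt-out
    {"id": "iphone-003", "os": "5.0.1", "agent.undermanagement": 0,
     "last_contact": SAMPLE_NOW - timedelta(days=1)},    # MSP already knows
    {"id": "iphone-004", "os": "5.0.1", "agent.undermanagement": 1,
     "last_contact": SAMPLE_NOW - timedelta(days=20)},   # quiet, but iOS5
]

if __name__ == "__main__":
    print(stale_managed_devices(SAMPLE_DEVICES, SAMPLE_NOW))
```

Pick max_silence from how often your devices actually check in; a device flagged here should be treated as unmanaged until it reappears, since any settings MSP pushes to it will never be applied.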


Chapter 4 – Provisioning Apple iOS Devices

Overview

This chapter explains the Provisioning support provided by MSP for managed Apple iOS Devices.

Provisioning Support for Apple iOS Devices

Configuration

MSP Provisioning provides the ability to deploy configuration to Apple iOS Devices by applying any of a variety of Settings Objects to Apple iOS Devices that are being managed by MSP.

Important:

At present, the only types of configuration that can be deployed to Apple iOS Devices are those supported by the Apple DM Client. The Apple DM Model does not provide a way to plug in new configuration handlers, so it is not possible for MSP to extend the types of configuration that can be applied to Apple iOS Devices.

Supported Settings Classes

Network.WLAN.Apple

Settings Objects of the Network.WLAN.Apple Settings Class are used to configure the WLAN on Apple iOS Devices.

Control.Apple.Wipe

Settings Objects of the Control.Apple.Wipe Settings Class are used to initiate a Partial Wipe or a Full Wipe of an Apple iOS Device.


A Partial Wipe causes the Device Management partnership with the Apple DM Client to be terminated. As a result of terminating that partnership, all settings that were applied by MSP via the Apple DM Client will be removed. Other settings, applications, and data will not be affected. To initiate a Partial Wipe for one or more Apple iOS Devices, select Action: “Terminate Management” in a Control.Apple.Wipe Settings Object and deploy that Settings Object to the devices via an MSP Provisioning Policy or Action.

A Full Wipe causes all settings, applications, and data, not just those applied by MSP, to be removed from the Apple iOS Device. A Full Wipe is also sometimes referred to as a Master Clear or a Factory Reset. To initiate a Full Wipe for one or more Apple iOS Devices, select Action: “Master Clear” in a Control.Apple.Wipe Settings and deploy that Settings Object to the devices via an MSP Provisioning Policy or Action.

Apple.CalDAV

Settings Objects of the Apple.CalDAV Settings Class are used to configure how Apple iOS Devices interact with a CalDAV-compliant Calendar Server. CalDAV (Calendaring Extensions to WebDAV) is an Internet standard that enables multiple client access to scheduling information stored on a remote Calendar Server. The CalDAV protocol is defined by IETF RFC 4791 and extends the WebDAV (HTTP-based protocol for data manipulation) protocol defined by IETF RFC 4918.

Apple.CardDAV

Settings Objects of the Apple.CardDAV Settings Class are used to configure how Apple iOS Devices interact with a CardDAV-compliant Contacts Server. CardDAV (vCard Extensions to WebDAV) is an Internet standard that enables multiple client access to contact information stored on a remote Contacts Server. The CardDAV protocol is defined by IETF RFC 6352 (formerly draft-ietf-vcarddav-carddav) and extends the WebDAV (HTTP-based protocol for data manipulation) protocol defined by IETF RFC 4918.

Apple.Credentials

Settings Objects of the Apple.Credentials Settings Class are used to deploy Digital Certificates to Apple iOS Devices. Apple iOS Devices accept Server and CA Certificates as X.509 certificates in DER or PEM encoding (e.g. .CER, .CRT, and .DER files) and Client Certificates in PKCS#12 format (e.g. .PFX or .P12 files). Server and CA Certificates contain only public key information and hence are not encrypted. Client Certificates also contain the private key and hence are encrypted with a password, which must be supplied along with the Client Certificate in order to deploy it. Because that password and key travel inside the Settings Object, restrict who can view and deploy Apple.Credentials Settings Objects in MSP.

Apple.Email

Settings Objects of the Apple.Email Settings Class are used to configure Apple iOS Devices to access Email via standards-based Email Servers (but not Microsoft Exchange Servers) that use the IMAP or POP protocols.

The IMAP (Internet Message Access Protocol) is an Application Layer Internet protocol that is defined by IETF RFC 3501 and allows an Email client to access Email on a remote Email Server. The POP (Post Office Protocol) is an Application Layer Internet protocol that allows an Email client to access Email on a remote Email Server. POP3 (Post Office Protocol, version 3) is the current ratified standard of POP and is defined by IETF RFC 1939.


Apple.Exchange

Settings Objects of the Apple.Exchange Settings Class are used to configure Apple iOS Devices to access Email via Microsoft Exchange Servers.

Apple.LDAP

Settings Objects of the Apple.LDAP Settings Class are used to configure Apple iOS Devices to access LDAPv3 (Lightweight Directory Access Protocol, version 3) Servers. Using LDAP permits Apple iOS Devices to look up contact information held in an Enterprise directory.

Apple.ManagedSettings

Settings Objects of the Apple.ManagedSettings Class are used to Enable and Disable Voice and Data Roaming in several combinations.

Apple.Passphrase

Settings Objects of the Apple.Passphrase Settings Class are used to configure Apple iOS Devices as to whether an unlock passphrase is required or not and, when required, to configure the operation of the lock and unlock process, including rules about what constitutes a valid passphrase.

Apple.Restrictions

Settings Objects of the Apple.Restrictions Settings Class are used to apply application and content restrictions on Apple iOS Devices. This can be used to prevent or allow installation of applications, use of the camera, screen capture, and a variety of other aspects of the usage of applications and content on the device.

Apple.SCEP

Settings Objects of the Apple.SCEP Settings Class are used to configure Apple iOS Devices with the information needed to access a SCEP (Simple Certificate Enrollment Protocol) Server. Accessing a SCEP Server allows a device to acquire or update the Digital Certificates it needs to perform secure communications.

Apple.SubscribedCalendars

Settings Objects of the Apple.SubscribedCalendars Settings Class are used to configure Apple iOS Devices to add read-only calendar subscriptions to the device‟s Calendar application.

Apple.VPN

Settings Objects of the Apple.VPN Settings Class are used to configure Apple iOS Devices to join a VPN (virtual private network), such as to provide secure access to an Enterprise network.

Apple.WebClips

Settings Objects of the Apple.WebClips Settings Class are used to configure Apple iOS Devices to add Web Clips to the device home page. Web Clips are essentially short-cuts that provide fast access to favorite web pages.


Applications

Apple iOS Limitations

Important:

It is possible to unlock an Apple iOS Device through a process commonly referred to as “Jail Breaking”. This process removes limitations imposed by Apple and effectively grants “root access” to the device, enabling the use of all features of the operating system.

“Jail Breaking” a device, while legal in many countries, voids the Apple warranty on the device and is not a recommended practice. Because it disables the platform's own security controls, a jailbroken device is generally incompatible with the goals of most Enterprises. None of the MSP functionality provided for Apple iOS Devices depends on or leverages capabilities that would require “Jail Breaking” the device.

Types of Applications

MSP Provisioning provides the ability to deploy applications to Apple iOS Devices. MSP Provisioning can deploy two types of applications: Commercial Applications and Enterprise Applications.

Commercial Applications

In a consumer setting, the most common method used to install applications on Apple iOS Devices is to “purchase” and install Commercial Applications from the Apple App Store™. Commercial Applications available from the Apple App Store™ may be free (usually paid for by advertising) or may require payment for installation on each device.

The process for obtaining Commercial Applications that require payment differs between Apple iOS4 and Apple iOS5 Devices. For Apple iOS4 Devices, the only way a Commercial Application can be purchased is by the Device User when they download the application. For Apple iOS5 Devices, there is no way for the Device User to pay for the application when it is downloaded; Commercial Applications that require payment are “paid” for with Redemption Codes, which can be pre-purchased through the Apple Volume Purchase Program. For more information about Redemption Codes, see Redemption Codes for Commercial Apps that Require Payment, later in this chapter.

In many cases, applications used within an Enterprise will be Enterprise Applications developed or purchased specifically for use within that Enterprise. Nonetheless, some Commercial Applications available from the Apple App Store™ may be useful and add value when used within an Enterprise. The MSP Apple iOS functionality can facilitate the deployment and installation of applications that are available from the Apple App Store™ onto Apple iOS Devices.

Retrieving Commercial App (.ipa file) for uploading to MSP

Unfortunately, there is no easy method, provided by Apple or application developers, to obtain the information required for Commercial Applications available for download from the iTunes Store™. The necessary information can generally only be determined by examining the contents of the .IPA file for the application.


1. Launch the Apple App Store™ on an Apple iOS Device

On an Apple iOS Device with a suitable connection to the Internet, launch the Apple App Store™ by clicking the appropriate icon on the home page.

2. Locate the desired application within the Apple App Store™

From the Apple App Store™ on the device, locate the desired application, using an appropriate method (e.g. search, category browsing, etc.).

3. Install the desired application onto the Apple iOS Device

From the Apple App Store™ UI on the device, install the desired application, following all steps presented.

Important:

To install an application, you will need to authenticate to Apple iTunes™ and purchase the application, including authorizing the payment of any charge for the application from your Apple iTunes™ account.

Purchasing an application from Apple iTunes™ generally grants the right to use the application on all devices that you “own or control” but expressly does not allow you to “distribute or make the Licensed Application available over a network where it could be used by multiple devices at the same time”.

4. Connect the device to Apple iTunes™ on a PC

Connect the device to a PC running Apple iTunes™ and allow it to synchronize the newly installed application to the PC.

5. Locate the .IPA file for the application on the PC

Locate the .IPA file for the application that was copied from the device to the PC by Apple iTunes™. The .IPA file is generally named after the application, so it can be found by searching the PC for files with a .IPA extension. On a Windows PC, Apple iTunes™ might store .IPA files in the folder “C:\Profiles\MyName\My Documents\My Music\iTunes\iTunes Media\Mobile Applications”.

Creating & Deploying Commercial App Package to an Apple iOS4 Device

To create a Commercial App package in MSP, go to the Commercial App section in the MSP UI, upload the .ipa file and complete the steps to create the package.

When a suitably constructed MSP Commercial App package, as described above, is deployed from MSP to an Apple iOS4 Device, MSP sends the information contained within the Commercial App package to the MSP Task List application, which then processes it as described in the subsection MSP Task List application.

Enterprise Applications

In many cases, applications used within an Enterprise will be Enterprise Applications developed or purchased specifically for use within that Enterprise. Developing and deploying Enterprise Applications for use on Apple iOS Devices requires an Enterprise Developer License, which can be obtained by joining the Apple iOS Enterprise Developer Program.


Enterprise Applications for Apple iOS Devices must be signed with the Enterprise's distribution Digital Certificate. In addition, an enterprise distribution provisioning profile must be created to allow an Enterprise Application to be deployed within an Enterprise. Both of these tasks are accomplished using mechanisms made available through the Apple iOS Enterprise Developer Program. MSP can facilitate the deployment and installation of Enterprise Applications onto Apple iOS Devices.

Enterprise Application Package

To deploy an Enterprise Application to an Apple iOS Device, a special MSP Enterprise Application Package must be constructed that contains exactly two files: an Application (.IPA) file, and an XML Manifest (.PLIST) file. The Application file is an Apple-specific archive containing the code of the application. The XML Manifest file describes the Enterprise Application and the location within the Enterprise from which it will be downloaded. Both of these files are constructed using Xcode, as part of the Enterprise Application development process.

Creating an Enterprise Application Package

To simplify the development of MSP Enterprise Application Packages, two special File templates are provided in the Build Tab of the MSP Console UI. To create an Enterprise Application Package, select the Apple Application Package template. Next, select the “Apple – Application File” File template and browse to the .IPA file for the desired application. Next, select the “Apple – Manifest File” File template and browse to the .PLIST file for the desired application.
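The two-file package described above, as an added example that is not code from the MSP guide or from Motorola: a Python script that builds a constructed sample .IPA in memory, writes the manifest .PLIST for it, and then cross-checks the pair the way an administrator would before uploading both files to MSP. The manifest layout (items / assets / metadata, with a software-package URL and a bundle-identifier) is assumed from Apple's over-the-air manifest format; the guide only says Xcode produces the file. The bundle identifier, version, title and download URL are invented sample values.

```python
"""Sanity-check the .IPA / .PLIST pair that makes up an MSP Enterprise Application Package.

Added example, not code from the MSP guide or from Motorola. It builds a
constructed sample .IPA in memory, writes an OTA-style manifest for it, and
cross-checks the two files before they are uploaded to MSP.
"""
import io
import plistlib
import zipfile

# Constructed sample values (assumptions for illustration only).
SAMPLE_BUNDLE_ID = "com.example.fieldapp"
SAMPLE_VERSION = "1.0.3"
SAMPLE_TITLE = "FieldApp"
SAMPLE_URL = "https://apps.example.com/ios/fieldapp.ipa"


def build_sample_ipa(bundle_id, version, app_name=SAMPLE_TITLE):
    """Return bytes of a minimal .IPA: a zip holding Payload/<App>.app/Info.plist.

    A real .IPA also carries the code, its code signature and the embedded
    provisioning profile; only Info.plist matters for the checks below.
    """
    info = {
        "CFBundleIdentifier": bundle_id,
        "CFBundleShortVersionString": version,
        "CFBundleVersion": version,
        "CFBundleDisplayName": app_name,
    }
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Payload/%s.app/Info.plist" % app_name, plistlib.dumps(info))
    return buf.getvalue()


def read_ipa_info(ipa_bytes):
    """Return the application's Info.plist as a dict, read out of the .IPA archive."""
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as zf:
        names = [n for n in zf.namelist()
                 if n.startswith("Payload/") and n.endswith(".app/Info.plist")
                 and n.count("/") == 2]
        if len(names) != 1:
            raise ValueError("expected exactly one Payload/*.app/Info.plist, found %d"
                             % len(names))
        return plistlib.loads(zf.read(names[0]))


def build_manifest(bundle_id, version, title, url):
    """Return manifest .PLIST bytes (items/assets/metadata layout, assumed from
    Apple's over-the-air manifest format)."""
    manifest = {
        "items": [{
            "assets": [{"kind": "software-package", "url": url}],
            "metadata": {
                "bundle-identifier": bundle_id,
                "bundle-version": version,
                "kind": "software",
                "title": title,
            },
        }],
    }
    return plistlib.dumps(manifest)


def check_package(ipa_bytes, manifest_bytes):
    """Cross-check the pair; return a list of problems (empty means consistent)."""
    problems = []
    info = read_ipa_info(ipa_bytes)
    items = plistlib.loads(manifest_bytes).get("items", [])
    if len(items) != 1:
        return ["manifest must describe exactly one item, found %d" % len(items)]
    meta = items[0].get("metadata", {})
    pkgs = [a for a in items[0].get("assets", []) if a.get("kind") == "software-package"]
    if len(pkgs) != 1:
        problems.append("manifest needs exactly one software-package asset")
    else:
        url = pkgs[0].get("url", "")
        # The device fetches the binary from this URL; insist on TLS so a
        # network attacker cannot redirect or tamper with the download.
        if not url.lower().startswith("https://"):
            problems.append("download URL is not https: %s" % url)
    if meta.get("bundle-identifier") != info.get("CFBundleIdentifier"):
        problems.append("bundle-identifier %r does not match IPA %r"
                        % (meta.get("bundle-identifier"), info.get("CFBundleIdentifier")))
    if meta.get("bundle-version") != info.get("CFBundleVersion"):
        problems.append("bundle-version %r does not match IPA %r"
                        % (meta.get("bundle-version"), info.get("CFBundleVersion")))
    if meta.get("kind") != "software":
        problems.append("metadata kind must be 'software'")
    return problems


if __name__ == "__main__":
    ipa = build_sample_ipa(SAMPLE_BUNDLE_ID, SAMPLE_VERSION)
    good = build_manifest(SAMPLE_BUNDLE_ID, SAMPLE_VERSION, SAMPLE_TITLE, SAMPLE_URL)
    print("consistent pair:", check_package(ipa, good) or "OK")
    bad = build_manifest(SAMPLE_BUNDLE_ID, "1.0.2", SAMPLE_TITLE,
                         "http://apps.example.com/ios/fieldapp.ipa")
    print("broken pair:", check_package(ipa, bad))
```

Run it directly to see the report for the consistent pair and for a manifest that is deliberately wrong (stale version, plain-http URL). To check real files, pass `open(path, "rb").read()` for each to `check_package`. A mismatched bundle identifier or version is the usual reason a device downloads the package and then refuses to install it, so catching it before the package reaches MSP saves a round trip.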

Deploying an Enterprise Application Package

When a suitably constructed MSP Enterprise Application Package, as described above, is deployed from MSP to an Apple iOS Device, MSP hosts the Enterprise Application and provides information about it to the MSP Task List application, which then processes it as described in the subsection MSP Task List application.

Redemption Codes for Commercial Apps that Require Payment

Important:

Only Apple iOS5 Devices support the use of Redemption Codes to “purchase” Commercial Apps that require payment. This is the only way Commercial Apps can be “purchased” for Apple iOS5 Devices. The Redemption Codes are not application licenses: each can be redeemed once only and, once used, cannot be transferred, reused, or recovered for use with any other device. Redemption Codes are associated with iTunes Accounts, so a Device User who uses a Redemption Code to “purchase” a Commercial Application would be able to download the application to a replacement device.

Your Enterprise must set up an Apple Volume Purchase Program at apple.com to purchase Redemption Codes. Once the account is set up and Redemption Codes for specific applications that require payment are purchased, your Enterprise will be able to download an Excel spreadsheet from apple.com that lets you know how many Redemption Codes have been purchased for an application and how many have been redeemed. You can download the spreadsheet as often as you wish.

You must convert the Excel spreadsheet to a .CSV file for uploading to MSP. This information is only as up-to-date as the latest Excel download and .CSV upload. Figure 4 depicts the


Figure 4

Firmware Updates

The Apple DM Model does not enable Device Management Systems to update the firmware on Apple iOS Devices. As a result, MSP cannot update or apply patches to the Operating System on Apple iOS Devices.

Control Modules

The Apple DM Model does not enable Device Management Systems to download and remotely launch applications with command line parameters on Apple iOS Devices. As a result, MSP does not permit the development, deployment, and launching of Control Modules as a means to extend MSP functionality on Apple iOS Devices.


Data Content

Apple iOS does not enable the storage of generalized file content on Apple iOS Devices that can be utilized by applications deployed on the device. As a result, MSP Packages deployed to Apple iOS Devices cannot contain data files.


Chapter 5 – Using Apple iOS Device Management Support

How to use the Apple iOS Device Management

Apple iOS Devices are managed via MSP through the DM Web Server. Each Apple iOS Device will be treated by MSP as a managed device with a Device Class of “iPhone”, “iPod”, or “iPad”, depending on the type of Apple iOS Device it is detected as being. The following MSP support will be provided for managed Apple iOS Devices:

Using External Sources with Apple iOS

External Sources provide the ability to dynamically obtain and assign attribute values by making calls to an External Web Service. External Source Templates must be created in the MSP Administration Program before External Sources associated with the Templates can be created in the MSP Console UI. MSP contains two built-in External Source Templates that can be used to create External Sources which can be especially useful for Apple iOS Management. The following sections describe the use of External Sources as it pertains to the management of Apple iOS Devices specifically. For more details about External Sources in general, please see the Using MSP and Understanding MSP Guides.

Important:

External Sources can only be used if the dynamic deployment feature is enabled in MSP. For details on enabling this feature in the MSP Administration Program, refer to the Administering MSP Guide.

External Source Templates

External Source Templates are the generic definitions for communicating with web services which will be used to dynamically retrieve information for use in MSP. The templates define the basic web service connection details and available methods. These generic templates are the basis for creating the External Sources described below. External Source Templates are defined in the
