13. Performing Mobile Device Management

Mobile Device Management? Isn’t that what this book has been doing up to now? Managing mobile devices? Well, yes and no. Mobile Device Management in the context of this chapter is a specific concept that addresses some of the liabilities of “manual” configuration profile use in a way that gives you greater device control and makes device management nicer for your users.

The Problem with Configuration Profiles

Configuration profiles, as we’ve used them so far, are handy, but they have some weaknesses. First, we can’t just push them out to devices. Even with the “convenience” of SCEP, the device user still has to go to the URL, log in, enter a password, and so on. It’s kind of a pain. Profile updates exacerbate that pain.

Configuration profiles, as we’ve used them, are also rather monolithic, which makes changes inconvenient. As an example, let’s say that you have to change the SSID of your wireless network. This requires changing only a single line of text in a configuration profile. Yet to change that one line, you have to upload a complete profile and then send the users an email/text message with a URL where they must reinstall that entire profile. Just to change one line of text. Lame.

Configuration profiles also don’t allow you to do some tasks remotely. For example, you have decided to take passcodes seriously and implement passcodes with letters, numbers, and special characters. You already know what’s going to happen once you implement this change. You’re going to get a call from a user, on someone else’s phone, because he forgot his passcode. This is a bummer, because you can enforce a passcode policy with a profile, but you can’t actually reset or temporarily clear the passcode and let the user back into his phone. If this person is at the start of a week-long series of meetings in a remote location, he’s not going to be happy with you.

Yes, OTA enrollment is handy, but it’s only part of the story, and in many ways, the smallest part. It automates initial enrollment nicely, but then you’re still stuck with the problems we just listed—lots of sending of emails and texts on the administrator’s part, lots of logging in and tapping on the user’s part. The iPhone Configuration Utility (iPCU) and OTA enrollment are an incomplete solution.

Wouldn’t it be great if you could push changes out to devices? And just push the changes you actually need? Or push new settings? How about being able to temporarily drop that passcode so the person can get into his phone, yet still require a new passcode within n minutes? That would be awesome, wouldn’t it?

Yes, yes it would, and thanks to Mobile Device Management, you can do all that and more.

Grokking the Mobile Device Management Concept

Mobile Device Management is a marriage of push services, configuration profiles, and SCEP. The basic components of Mobile Device Management are the MDM server, the Apple Push Notification service (APNs), and the iOS device (Figure 13.1). The basic flow of Mobile Device Management is pretty simple.

Figure 13.1. Mobile Device Management components


The device user first enrolls her device with the Mobile Device Management server, using SCEP (or some other system) to obtain the device’s identity certificate. This certificate is critical: the device presents it to authenticate itself in all further communication with the Mobile Device Management server, and the server can use it to encrypt the configuration profiles and configuration data it sends back (Figure 13.2).

Figure 13.2. Initial enrollment into Mobile Device Management


After the device is enrolled, a minimal configuration profile with Mobile Device Management information is pushed out to the device (Figure 13.3). This profile allows the MDM system to interact with the device without any user involvement.

Figure 13.3. Initial Mobile Device Management configuration


From this point, the interactions between device and server follow the same process: The server uses the Apple Push Notification service to inform the device that it needs to check in with the server (Figure 13.4). The push notification carries no configuration data itself; it is only a signal that causes the device to open its own connection to the MDM server. The device checks in with the server the next time it is able to do so. The server then sends out configuration changes, runs queries against the device, and so on.

Figure 13.4. Standard Mobile Device Management steps

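To make the check-in loop concrete, here is an added example (it is not code from this book or from any MDM product) that simulates the exchange described above: the server queues commands, the push carries only the device’s PushMagic value, the device checks in with an Idle status, receives one command at a time, and reports back. The message keys and status values (Idle, Acknowledged, NotNow, Error, CommandUUID, DeviceInformation, ClearPasscode with UnlockToken) follow Apple’s MDM protocol; the device record, the SimDevice and SimServer classes, and every identifier value are made up for the illustration. Transport (HTTPS with the device’s identity certificate, and APNs itself) is left out so it runs offline.

```python
import plistlib
import uuid
from collections import deque

# Constructed device record (all values made up): what a server keeps from the
# device's TokenUpdate check-in message after enrollment.
DEVICE_RECORD = {
    "UDID": "00008030-000A1B2C3D4E5F67",
    "PushMagic": "A1B2C3D4-EXAMPLE-PUSHMAGIC",
    "UnlockToken": b"\xab" * 32,     # opaque blob the device escrows at enrollment
}

def push_payload(record):
    """APNs payload that wakes the device: no settings, only the PushMagic the
    device registered. All real data flows over the device's own HTTPS session."""
    return {"mdm": record["PushMagic"]}

def build_command(request_type, **params):
    """Server side: wrap a command in the envelope the device expects."""
    return {"CommandUUID": str(uuid.uuid4()), "Command": {"RequestType": request_type, **params}}

class SimDevice:
    """Stand-in for the device's MDM client (a simulation, not iOS itself)."""

    def __init__(self, record):
        self.udid = record["UDID"]
        self.push_magic = record["PushMagic"]
        self.unlock_token = record["UnlockToken"]
        self.os_version = "5.1"
        self.passcode_present = True
        self.busy = False                # when True the client answers NotNow

    def wake(self, payload):
        return payload.get("mdm") == self.push_magic   # ignore pushes not meant for us

    def idle(self):
        """First message of a session: nothing to report, ask for work."""
        return plistlib.dumps({"UDID": self.udid, "Status": "Idle"})

    def handle(self, command_plist):
        command = plistlib.loads(command_plist)
        reply = {"UDID": self.udid, "CommandUUID": command["CommandUUID"]}
        req = command["Command"]
        if self.busy:
            reply["Status"] = "NotNow"   # server must keep the command and re-push later
        elif req["RequestType"] == "DeviceInformation":
            known = {"UDID": self.udid, "OSVersion": self.os_version,
                     "PasscodePresent": self.passcode_present}
            reply["Status"] = "Acknowledged"
            reply["QueryResponses"] = {q: known[q] for q in req["Queries"] if q in known}
        elif req["RequestType"] == "ClearPasscode":
            # Only the escrowed UnlockToken authorises the reset; anything else is refused.
            if req.get("UnlockToken") == self.unlock_token:
                self.passcode_present = False
                reply["Status"] = "Acknowledged"
            else:
                reply["Status"] = "Error"
                reply["ErrorChain"] = [{"ErrorCode": 1, "LocalizedDescription": "bad UnlockToken"}]
        else:
            reply["Status"] = "CommandFormatError"
        return plistlib.dumps(reply)

class SimServer:
    """Per-device command queue plus the bookkeeping a real server needs."""

    def __init__(self, record):
        self.record = record
        self.queue = deque()             # commands waiting to be sent
        self.outstanding = None          # command sent but not yet answered
        self.results = []                # (RequestType, Status, full reply)

    def handle_checkin(self, reply_plist):
        """Consume one device message; return the next command plist, or None."""
        reply = plistlib.loads(reply_plist)
        if reply["UDID"] != self.record["UDID"]:
            raise ValueError("reply from a device we did not enroll")
        status = reply["Status"]
        if status != "Idle":
            if self.outstanding is None or reply.get("CommandUUID") != self.outstanding["CommandUUID"]:
                raise ValueError("reply does not match the outstanding command")
            if status == "NotNow":
                self.queue.appendleft(self.outstanding)   # keep it for the next session
                self.outstanding = None
                return None                                # device is busy; end the session
            self.results.append((self.outstanding["Command"]["RequestType"], status, reply))
            self.outstanding = None
        if not self.queue:
            return None                  # empty body: nothing more to do
        self.outstanding = self.queue.popleft()
        return plistlib.dumps(self.outstanding)

def run_exchange(server, device):
    """One push-triggered session; returns [(RequestType, Status), ...] so far."""
    if not device.wake(push_payload(server.record)):
        return []
    nxt = server.handle_checkin(device.idle())
    while nxt is not None:
        nxt = server.handle_checkin(device.handle(nxt))
    return [(rtype, status) for rtype, status, _ in server.results]
```

Two details matter for the forgotten-passcode story: the ClearPasscode command is only honoured when it carries the UnlockToken the device handed over at enrollment, so that blob must be stored as carefully as any credential; and a NotNow reply means the server keeps the command and sends another push later rather than treating it as failed.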

Wrapping Up

The setup for Mobile Device Management isn’t significantly harder than setting up conventional OTA delivery of configuration profiles, yet for both the administrator and the user, the advantages are significant.

Mobile Device Management completes your OTA solution by automating the whole process. The user no longer needs to log in for every change or to manually report details. The combination of the Apple Push Notification service and automated OTA services handles this for us.

In addition, it allows us to do some things that are really almost impossible using the manual processes of conventional profile downloads. As we said in the example at the start of this chapter, without Mobile Device Management, if a user forgets his passcode, he’s out of luck: his device can’t log into the website to download a profile. Using Mobile Device Management, we can silently push out new configurations to the device and resolve this problem.

In the next few chapters, we’ll delve into Mobile Device Management details and show why it’s something that anyone managing more than a handful of iOS devices should seriously consider.
