Emily
Brown

A beginner’s handbook for iOS Device Management

Emily Brown

May 18, 2021

12 min read

When Steve Jobs introduced the iPhone in 2007, we knew the product would be revolutionary. At the time, Gartner had cautioned the enterprise community to wait before using the iPhone as a business device. While highly convenient, the iPhones then could not be managed or secured for the enterprise. It was a complete consumer device. Fast forward to 2010, Apple opened its door to enterprise mobility, Mobile Device Management (MDM), and Mobile Application Management (MAM) by introducing iOS 4. Now in 2021, at iOS 14, iOS hanow evolved to one of the most secure choices for IT admins worldwideiPhones and iPads are now widely deployed in businesses and schools, and the BYOD capabilities allow the users to bring their personal devices to work. How is iOS device management done? How can the IT admins make sure that they are making complete use of the management capabilities? More importantly, why iOS? Let us take a look. 

iOS vs Android for business 

iOS device management
 

There is no doubt that Android is a major contender in the enterprise market with its highly customizable operating system. Businesses may choose Android for its extensive capabilities and often cheaper device options. However, is that the best thing to do for your business? Both the operating systems have their pros and cons, and choosing the operating system depends on your business requirement.  

Why should you use iOS? 

  • Greater security: The iPhones and iPads are more secure than their Android counterparts. Apple monitors every app that appears in the App Store, reducing the chances of the user downloading a malicious or buggy app. There is also good legacy support for Apple devices, which means that even your older devices would be getting the latest security fixes and running the updated software. In contrast, Android lacks stability as it suffers from device fragmentation.   
  • User interface: Both iOS and Android have very user-friendly interfaces. Using iOS is considerably simpler. If you need a stable and consistent experience across multiple devices rather than a highly customizable UI, choose iOS.  
  • Cheaper: Yes, you read that right. Using iOS devices for your business is cheaper in the long run. With excellent hardware and a secure OS, iOS devices do not need to be taken for constant repairs and do not easily go out of commission like most Android devices. More often than not, iPhones and iPads have a higher ROI as compared to Android smartphones and tablets. 

How does the device management solution communicate with iOS devices?

Let’s say your iOS devices are enrolled with an MDM solution, such as Hexnode UEM. How does Hexnode actually manage to communicate the IT admin’s commands to the managed device? 

iOS device management with Hexnode has three main components: 

  1. The devices being managed, 
  2.  Hexnode MDM server that is doing the management, and  
  3. Apple Push Notification service (APNs) – the method that Hexnode UEM uses to communicate with the device.  

APNs Workflow
APNs Workflow
When you send a command to your managed devices, the MDM server communicates with APNs, which in turn communicates with the devices. The devices communicate back to the MDM server and then execute the commands.  

Some terms you should know 

Before we look into iOS device management, there are some terms that you should familiarize yourself with. Feel free to skip to the next section if you are already aware of these. 

Supervision

It is a procedure designed by Apple for devices that are owned by the business. The iOS supervised mode gives the organization more control over the managed devices. Many corporate-targeted management features can be used only if the devices are supervised. iOS devices can be supervised using two methods: 

  1. Apple Configurator 
  2. Automated enrollment (Previously Apple DEP)

Apple Business/School Manager

To unlock the full management capabilities of iOS devices, it is important to have an Apple Business/School Manager account. Apple Business/School Manager is a web-based portal that is used to deploy and enroll Apple devices that are directly purchased from Apple or from an authorized reseller. If you intend to use the Device Enrollment Program (DEP) to deploy your devices, you can only do so with an ABM/ASM account.  

Activation Lock

Activation Lock is a security measure by Apple to prevent unauthorized access to a  lost or stolen iOS device. Hexnode lets you turn on the Activation Lock remotely and, if needed, bypass the Activation Lock too. Bypassing the Activation Lock can be required if the corporate-owned device is locked with the personal Apple ID of the employee. 

Apple Configurator 

It is an app in the Mac App Store that helps in deploying and configuring iPhone, iPad, and Apple TV devices in your business or school. This method requires the devices to be connected to the Mac using a USB.   

iPadOS 

It is the rebranded variant of iOS and was introduced first at the Apple WWDC 2019. The latest version is iPadOS 14, introduced at Apple WWDC 2020. 

iOS device management with Hexnode UEM

iOS Device Management
 

Apple has created a seamless framework for iOS device management. All you have to do is choose a good MDM solution and then you can get started even without any prior experience.  

Deployment methods 

After choosing an MDM solution, the first step to manage the devices is to enroll them. There are several methods to enroll an iOS device with Hexnode UEM: 

1. Over-the-air enrollment with DEP 

Apple DEP allows the devices to be enrolled into Hexnode on the initial start-up itself with zero user intervention. As mentioned earlier, the admin must have an ABM/ASM account for using DEP to supervise and enroll their devices. ABM/ASM provides a unified portal for deploying the devices. It helps in the bulk deployment of the devices and in applying settings and configurations as soon as the devices are connected to the network, making them ready for use right out of the box 

2. Automated enrollment with Apple Configurator 

To enroll devices using automated enrollment with ABM/ASM, the devices have to be directly purchased from Apple or an authorized reseller. However, for devices running iOS 11 or later, you can add them to DEP using Apple Configurator v2.5 or later, and take advantage of the management benefits.  

3. Apple Configurator enrollment without DEP 

As mentioned earlier, Apple Configurator is a Mac app that allows you to create configuration profiles for Apple devices like iPhones, iPads, Apple TV, and iPod Touch for easy deployment. Hexnode allows you to enroll your iOS devices directly using Apple Configurator. 

4. Enrollment using the enrollment URL 

This is an over-the-air-manual method. The admin has to send the enrollment URL to the user, and the user has to click the URL to get the device enrolled with HexnodeThe devices are not supervised when they are enrolled using this method. It can be used to enroll personal devices that are brought to work. This type of enrollment can either be authenticated or non-authenticated. Enrollment with authentication would deliver an enrollment request via email/SMS to the users that would contain the enrollment URL, username, password, and a QR code.  

5. GSuite Enrollment 

In this method, the iOS devices are assigned to GSuite users. The GSuite has to be initially configured with Hexnode. After the GSuite is configured, the devices can be enrolled using either Email/SMS enrollment or self-enrollment. 

Securing iOS devices 

iOS Device Management
 

Security is a prime concern for any IT admin. The good news is that it is remarkably easy to secure your managed iOS devices using Hexnode UEM. 

1. Passcode restrictions 

A strong password is the first step in device security. Configure restrictions so that the users have to set strong passcode to protect their devices. 

2. Security and Privacy settings 

For managed iOS devices, Hexnode allows the admin to configure many security and privacy settings such as password sharing, blocking Autofill of passwords, and so on.  

3. App and Website Blacklisting/Whitelisting 

Employees or students would not need access to all apps in the App Store or every website on the Internet. If given uncensored access, there is a chance for productivity to go down. There are also chances of accessing malicious websites or apps and a risk of infecting the work device. The admin can blacklist or whitelist the required applications and websites for securing the iOS devices. 

4. Network configurations 

  • Secure access to the internal Wi-Fi network by remotely configuring it and deploying it to the managed iOS devices. The devices would then automatically connect to the network without prompting for a password. 
  • Use a VPN for sending all the private data through a private virtual network to improve security.  

5. OS update management 

Not all OS updates should be installed right away. Some of them may still be buggy, and it would be better to wait before installing them. Use Hexnode UEM to forcefully delay the software updates. 

6. Lost device management 

Devices with important and sensitive corporate data may get stolen, and it is imperative to recover the stolen device or at least prevent a potentially malicious attacker from accessing the data. Any lost iOS device can be found if Find my iPhone is enabled. If it isn’t enabled, then there are ways to handle the lost devices using Hexnode UEM. For the iOS devices enrolled with DEP, the attacker would not be able to disenroll the device even after resetting the device.  

  • Hexnode’s Lost Mode helps you to lock down the stolen or lost device with a message 
  • If the device is lost somewhere nearby, use the “Remote Ring” feature to find it.  
  • If the location tracking is enabled, scan the device location remotely to find the device. 
  • To prevent any data leaks, remotely wipe the lost device using Hexnode UEM. 

7. BYOD Management  

All the apps and configurations pushed to the iOS device using Hexnode are managed, even on personal devicesThe business container policy segregates the work and personal space and restricts any flow of data between the two. The Managed Domain feature helps the admin to control the apps that can open documents downloaded from the enterprise domain. The admin can also push accounts like email and Exchange ActiveSync accounts to the iOS device. 

8. SCEP

Simple Certificate Enrollment Protocol (SCEP) is a protocol standard that allows you to securely issue certificates to a large number of devices using an automated enrollment technique. SCEP solves the security threats caused by accessing work emails, Wi-Fi, VPN, etc. from unauthorized devices by authenticating them with digital certificates.

9. Kiosk Management 

Kiosk device
iOS kiosk mode is a restrictive mode that locks down an iPhone, iPod, or iPad to a single app or a specific set of apps to run in the foreground. With Hexnode, the admin can lock down the device into a single app, multi-app, or web app mode. 
Single App Kiosk
The iOS device is locked down into a single app. The user would not have access to any other application or device settings. This is commonly used for locking down iPads into educational apps for students, or in industries where the iOS devices are used as single-purpose devices. Hexnode has an additional mode – Autonomous Single App Mode. In it, the app is launched in the foreground and can only be exited when the user is finished working with it.
Multi App Kiosk
Just as the name suggests, the device is locked into a set of required apps as specified by the admin.
Web App Kiosk
In this mode, the iOS device is locked into a select number of websites. The admin can choose the browser in which the kiosk websites are to open. They can also choose the wallpaper for the kiosk screen background.

App Management 

1. Remote App installation  

The required apps can be automatically pushed to the managed devices as mandatory apps. If the apps are not installed in the device, that devices would be shown as non-compliant in the Hexnode portal. The apps would be installed silently on the supervised iOS devicesIn non-supervised devices, the users get a prompt to install the application. The Volume Purchase Program (VPP) from Apple allows the admin to purchase and deploy apps in bulk to all managed devices. 

2. App Catalog 

The App Catalog feature of Hexnode allows the admin to create a custom app store for the end-user. The admin can include all the apps that are required for the enterprise. Businesses can easily deploy the approved business apps in this way.  

3. App Notification settings 

Hexnode allows the admin to choose how individual managed applications display notifications in the iOS device. This works on supervised iOS devices that are running version 9.3 and later. 

Data Expense Management   

The iOS network usage rules help the enterprise to control the cellular data usage or the roaming data usage by the managed applications. This helps the organization to avoid unnecessary data usage expenses.  

Customizing managed devices 

Looks matter when it comes to company devices. For example, the enterprise may need to set the company logo as the wallpaper for all the corporate devices. To set it manually in all the devices is an exhausting and mundane task. Hexnode allows you to set it remotely and push it to the managed devices in bulk. You can also configure the home screen layout and place the apps anywhere you want. 

Remote Management 

Today, remote management is in high demand as a consequence of the “Work from anywhere” trend. Almost every feature that we have discussed so far is configured remotely without any user intervention. Additionally, the admin can remotely view the user device and use it for troubleshooting the device. The admin can also execute different remote actions from the Hexnode portal such as locking the device, enabling lost mode, scanning the device location, wipe the device, and many more.

Inventory and Reports 

Remote management with reports
 

The device details such as the model, operating system version, enrollment details, compliance info, and more are displayed on the device page. The admin can also get the reports manually or even schedule the reports. Data and reports are important for the analysis and continuous improvement of iOS device management strategies, and Hexnode UEM is an excellent tool that creates the opportunity for you. 

Share
  •  
  •  
  •  
  •  
  •  
Emily Brown

Reading is therapy and writing is healing...sincerely, a cool nerd.

Share your thoughts