iPhone device management: A walk in the park

Alie Ashryver

Dec 19, 2022

19 min read

“I’m gonna make him an offer he can’t refuse.” Don Vito Corleone from The Godfather in 1972 may or may not have lived up to his promise, but the Apple iPhone sure does. Years after its debut, the iPhone is still a business favorite. Back in the year 2007, when Steve Jobs announced the launch of the iPhone at Macworld, he made an offer we simply couldn’t refuse. Apple promised to reinvent the phone, and reinvent it did! Despite the hype around its launch, the common folk underestimated the iPhone’s effect on business and communication. Cut to 20 years later; the iPhone has influenced mobility, computing, design, entertainment and the tech industry.

Initially a thorough consumer device, iPhone quickly widened its horizons to enterprise mobility upon the launch of iOS 4. As a result, IT admins around the globe have witnessed the evolution of the iPhone into the most secure business endpoint. In addition, the popularization of BYOD (Bring Your Own Device) has further increased the favor iPhone has received from working folks.

Let’s get Started:

Now that we’ve established that the iPhone is a choice favorite amongst businesses, it’s time we move on to the next phase. Securing the device…..

Yes, I know, Apple offers the very best when it comes to privacy and security. But, be that as it may, certain concerns need to be addressed when inducting any device into a corporate setting. So, a quick jog down the winding boulevards of iPhone device management is our plan for the day. Great! Now grab your joggers, and let’s go.

Featured Resource

Hexnode iOS Management Solution

Sneak a peek at the best in class iOS device management solution brought to you by Hexnode.

Download datasheet

Scoping the area:

Always check your surroundings before wandering across the grounds, lest you get lost! As much as Hexnode simplifies the whole process of iPhone device management, there are some terms associated with the process of managing iPhones that you need to know. Chance a glance:

  • APNs: Apple Push Notification service is a notification service that helps third-party apps deliver notifications to Apple devices. Pretty self-explanatory, isn’t it? Suffice to say APNs paves the way for communication between UEMs and connected Apple devices.
  • Apple Configurator: Apple Configurator is a software pushed out by Apple Inc. that aids in efficiently deploying Apple devices. Flaunting a flexible and device-centric design, the software can easily restore Apple devices.
  • Supervision: It is the process of providing more control over devices employed in the organization. Apple devices must be supervised for most corporate-targeted management features to be applied.
  • Apple Business/School Manager: Apple Business/School Manager unlocks the full scope for managing Apple devices. The web-based portal allows for easy and fast enrollment of Apple devices directly purchased from Apple or Apple-authorized resellers into the chosen UEM solution while providing supervision.

Warming Up:

A good start always needs some warming up. So, let’s round up our iPhones and get them ready to be managed in a corporate setting.

Step 1: Deployment

The pre-requisite for deploying any Apple device is configuring the APNs certificate in the portal. After all, what even is the point if you can’t communicate with the device? Okay, now let’s get back to the matter at hand.

Apple’s seamless framework for iOS device management makes it possible for the devices to be easily managed by a UEM solution. On that note, first things first, the IT team must enroll iPhones into the UEM solution before they are managed. Hexnode offers quite a few methods to enroll iPhones into Hexnode UEM, both as corporate-owned or personally managed. So, let’s take it one step at a time.

Over-the-air enrollment with DEP:

DEP, recently renamed Automated Device Enrollment, helps enroll iPhones into Hexnode’s UEM console. However, there’s a catch! These iPhones need to be purchased directly from Apple or Apple-authorized resellers. Yup, no compromises there! Apple has combined the Device Enrollment Program (DEP) and VPP (Volume Purchase Program) into a single portal – Apple Business Manager (ABM). Enterprise-owned iPhones can easily be supervised remotely using ABM with Hexnode UEM.

Automated enrollment with Apple Configurator:

But what about iPhones that were not purchased directly from Apple or Apple-authorized resellers? Ladies and gentlemen, fret not! Admins can now add iPhones running iOS 11 and above into DEP using Apple Configurator 2. Enroll and manage away! The process involves creating a blueprint that is then applied to the target device. Adding on to that, one blueprint is enough to provision a batch of iPhones in one sitting—the perfect Tylenol for the admins to the headache that is provisioning many devices.

Apple Configurator enrollment without DEP:

Apple Configurator can also enroll iPhones without adding them to ABM. And it’s as easy as unchecking the ‘ Add to Apple School Manager or Apple Business Manager ‘ option while preparing the blueprint. Apple Configurator 2 provides a certain degree of supervision over Apple devices just like the web portal that is ABM. Quite nifty indeed!

Enrollment URLs:

Enrollment URLs are like drinking soda to quench your thirst. It does the job but not as well as water. Similarly, enrollment URLs will enroll your iPhones into the Hexnode portal, but you will miss out on the extra control of the supervision feature offered by the other methods. But how does this work? What do the URLs do? Relax! It’s easy. Let me help you out of this puddle. The enrollment URLs will direct the user to the enrollment page to begin the process of enrolling the iPhone into Hexnode. So, how does the user get the URL? Technically, there are two ways this works:

  • Authenticated enrollment: Enrollment URL and authentication credentials are sent to the user via email or SMS. Additionally, AD (Active Directory), Azure AD, Okta and Google users can use their directory passwords. Furthermore, in the case of local users, they can use preassigned passwords for enrolling their iPhones – Self-enrollment.
  • Open enrollment: Direct enrollment using the enrollment URL without providing authentication credentials is what open enrollment promises. Well, Hexnode delivers what it promises!

User enrollment:

Latest addition to the stack of features offered by Apple facilitates the realization of the BYOD (Bring Your Own Device) model for Apple devices in the corporate setup. This allows a managed Apple ID to co-exist with the personal Apple ID without interference or interaction.

Wohoo! That’s one step down. Feel your muscles stretch yet? Don’t worry! We’ll start stretching soon enough and let Hexnode ease you into the super refreshing jog down the lanes of iPhone device management.

Step 2: Securing the device

Managing a device not only means overseeing it or keeping an eye on it but also securing it. So, what’s a good UEM supposed to do about it? Well, nothing short of providing the very best in both aspects! Everything, ranging from ensuring basic device protection with passwords to managing accounts across the different platforms, is essential. So, let’s jog over and see how Hexnode does it…….


What’s the first thing that comes to mind when you think of keeping something safe? One wild guess says…locking it up? Yup! That’s our most basic instinct taking over. Why should our digital dealings be any different if that’s the case? Accordingly, we turn to the digital equivalent of locking things up when securing our devices…..passcode! Hexnode allows for configuring the passcode settings for iPhones in a way that makes it air-tight. Air-tight in the sense that they won’t be easily compromised.


In a corporate or even an institutional setting, the best way to manage a device would be to restrict the usage of said device in a way other than the intended one. For a clearer picture, imagine, in a race, you’ve reached a point where the dirt track diverges into 6-7 tracks. Isn’t there a bigger chance of you going down the wrong track and messing up the race? Now imagine the same scenario with a slight difference. What if the tracks not used for the race were barred, or at least there was some sign that made it clear that the racers shouldn’t use them? This is exactly what Hexnode helps the admins to achieve, restricting the usage of iPhones to their intended purposes. These restrictions range from allowing/disallowing:

  • Device functionality
  • Applications settings
  • iCloud settings
  • Security and privacy settings
  • Controlling explicit contents
  • Extended restrictions for device functionality, app settings, security and privacy settings

That was quite some stretching……stretching a sense of security across all the managed iPhones! However, in a corporate environment, securing the network is as important as securing the device, if not more. So, let’s take a brisk walk along Hexnode’s policy concerning network security.

Common security concerns regarding Apple devices for enterprises

Step 3: Securing the network

Hexnode has quite a few tricks up its sleeve, as it offers an easy and efficient way of securing the network for iPhones. Chance a glance:

  • Wi-Fi: Scared of Wi-Fi passwords being shared around the office recklessly? Don’t be! Hexnode lets admins preconfigure company Wi-Fi on the iPhones.
  • APN: iPhones belong to the class of devices consisting of smartphones. And like every other smartphone, iPhone has the provisions to be used with a SIM card. And so there will be a concern for the APN configurations. The provider of the carrier service handles APN configurations. But these configurations are handled by an outsider, so isn’t there a scope for vulnerability? Well, Hexnode allows configuring the APN settings for iPhones.
  • VPN: VPN is not a new term. We’ve all heard about it and used it for something or the other. Well, Hexnode enables admins to configure VPN over the network for secure communication. In the case of iPhones, Apple had announced the provision for setting up VPN on a per-app basis. Therefore, segregating traffic at the app level and separating personal and corporate data can easily be handled by a robust Uniform Endpoint Management solution like Hexnode.
  • Monitoring usage of Wi-Fi and mobile data connection: Yet another way of managing any situation is to analyze the expenses related to that situation. Device management is no exception! Hexnode enables the admins to monitor the usage of Wi-Fi and mobile data connection.

Whoa! That was quite the jog down the mossy paths of securing the device and the network. So, let’s slow down and ensure we haven’t pulled any muscles. Securing devices and the network are all fine, but they’re not the end of it. There’s more to iPhone device management than that.

Step 4: Ensuring security

This is where we see how the certificates, proxies, business containers, etc., figure in with iPhone device management.


Certificate-based authentication is a thing. Yup! You read that right – certificate-based authentication. Now, what’s that, you ask? Well, authentication of work emails, Wi-Fi, etc., from unknown devices using digital certificates encompasses certificate-based authentication. So now, we need a protocol for managing these certificates – Simple Certificate Enrollment Program (SCEP). Configure SCEP and enforce certificate-based authentication on your iPhones using Hexnode.

Uploading certificates:

Now that we’ve seen SCEP, we know for a fact that Apple allows the use of certificates for authentication. Since these certificates are installed on the device, they can access sensitive corporate data. Consequently, these need to be managed very carefully. If it’s a problem, Hexnode’s here to help you with it. The portal allows the admins to configure the easy installation of certificates.

Global HTTP proxy:

Before we look into global HTTP proxies, let’s make a pit stop at what a proxy is. Simply put, a proxy is like a buffer between the devices and the internet. Since it has its own proxy address, intruders will only know the proxy address, and so the corporate servers stay anonymous. Moving on, in situations where the organization wants to send the entirety of the network traffic across a specific proxy server is when organizations deploy a global HTTP proxy. Okkaaayyyy……so what does Hexnode offer in this regard? Imagine tending to the above situation with the hundreds of thousands of iPhones deployed across the company! Sounds exhausting, right? Yup! This is where Hexnode figures in. You see it simplifies the whole process.

Web content filtering:

Well, this one right here is quite straightforward, isn’t it? But still, since we are covering all bases, let’s clear this one up too. Hexnode allows admins to configure iPhones in a way that allows them to regulate the web access on them. Essentially, they can either block specific URLs or allow access to only a specific set of URLs. Either way, the goal of filtering web content is achieved.

Ensuring secure access to documents from enterprise domains:

At the end of the day, what’s our primary requirement? The ultimate aim is to ensure that the corporate data is not leaked or, in other words, to protect corporate data. One way to ensure this is to know where and how the user can access this data. So, Hexnode brought together a policy template that allows admins to configure the iPhones to manage what apps can access the documents downloaded from Safari. But won’t that hinder the user from accessing personal files? Nope, no worries there! This will apply only to the documents downloaded from enterprise domains. See, problem solved! These iPhones managed by Hexnode deliver privacy for personal data and security for corporate data.

Setting up business containers for BYOD:

How does a discrete partition for private and corporate content sound? The business container is just that – a partition between private and corporate content. Standing on the pillars of security and privacy, admins can manage iPhones to control the flow of data between managed and unmanaged apps.

Managing OS updates:

Isn’t it tiring to see that red-marked notification in your iPhone settings reminding you to update your software? The popups prompt you to install the downloaded update at a specific time, especially when working on an important presentation or time-sensitive research. If only there were a way to delay these iOS updates. Well, you’re in luck! Hexnode allows admins to delay iOS updates by a specific number of days. So now, you will not only not see the notification until later, but you will also download the update after it has been deemed compatible with your applications. But how exactly did the compatibility with the applications come in? Well, the additional time will allow the admins to test out the bugs associated with the latest iOS updates, if any, in the test environment.

Now that we know our muscles are in A-okay condition let’s jog down the small trail running along the stream of managing accounts across the different platforms.

Step 5: Managing accounts

Everybody has thousands of different accounts, including Google, Yahoo, Hotmail, Outlook etc. Consequently, it’s only natural for the setting up of these accounts to also be a part of iPhone device management. So, organizations will release a sigh of relief if they can remotely set up the iPhones with the corporate emails and calendars. The answer to the ‘why’ that might crop up in this regard is that it would be faster and more efficient. So, let’s jog along with Hexnode and have a good look at how it is done.


Configure the incoming-outgoing mail server settings and how users authenticate. Enable S/MIME for encryption. For a quick and efficient deployment of the policy, Hexnode allows the usage of the wildcard feature to auto-populate the required fields.

Exchange ActiveSync:

Quickly sync emails, calendars, tasks, contacts, etc., between the iPhones and the Exchange server. As a result, even when there is no network, your work is not hindered. Ounces of extra protection with standard encryption services like SSL encryption ensures mobile communication with the server is not intercepted.


Sync all subscribed calendars to the iPhones using the iOS Calendar configuration in the Hexnode UEM portal.


Sync corporate contacts from the CardDAV server to their managed devices. Remotely add and remove contacts from managed iPhones without user intervention.


Hexnode’s Calendaring Extensions to WebDAV (CalDAV) policy enables enterprises to remotely configure iOS device connections to CalDAV-compliant calendar servers. Enable syncing the corporate calendar events, tasks, schedules, and notifications from numerous email accounts to the managed iPhones.

Google Accounts:

Set up Google email addresses on iPhones. Successfully authenticated accounts create a Google internet account on the iPhones so users can use other Google services associated with the account.


LDAP, short for Lightweight Directory Access Protocol, is used to access Active Directory elements such as the user’s name and email address. From the Hexnode console, the administrator can set up LDAP settings for managed iPhones.

A quick and comprehensive guide for iPadOS management

Jog, jog, jog away!

All set with the warm-up….let’s jog away! What’s the first thing that comes to mind when you think of smartphones? Yup, the myriad of apps that can be downloaded or are already downloaded on it. So, obviously, the next stop on our jogger’s trail is app management. Hurry and run along!

Managing Apps:

App management is an essential aspect of getting iPhones work-ready. Yet another cornerstone of iPhone device management, it promotes security and allows for efficiency in the corporate setting. Here’s a look at how Hexnode helps with achieving this goal.

Mandatory apps:

Some apps are absolutely necessary to work in a particular organization. All employees using iPhones trying to manually install these apps will only lead to chaos and wasting time. Instead, Hexnode allows for pushing the mandatory apps to the iPhones, thus eliminating the chaos and confusion.

Blacklisting and whitelisting apps:

Admins can further the management process of the iPhones deployed in the corporate setup. They apply restrictive policies like blacklisting and whitelisting the apps. Any user with a managed iPhone will not be able to use an app that the admin has blacklisted. Yup! The hitlist is definitely something you should be wary of. Whitelisting, on the other hand, works by allowing access only to the approved list of apps. So, in simpler terms, the policy works by blacklististing all the apps except for a select few. While blacklisting may be the stronger feature, whitelisting is stronger as a policy.

App catalogs:

Better manage the iPhones deployed in your organization by pushing a customized app catalog containing the different apps that the users might need with the compatible version.

Web clips:

Get creative with the exciting feature that is web clips. From face-timing and calling your most frequently used contact to quickly accessing websites with a single click, web clips make life with iPhones a whole lot easier. It adds a much-needed color to your corporate routine by helping setup an easy access to the shared documents from iCloud or easily compose a mail to a frequent recipient.

App notifications:

With Hexnode UEM, you can easily control the notification settings for any iOS app from a single console. The admins have control over the frequency and style of each app’s notification. On an iPhone under supervision, Hexnode provides several parameters that the admin can customize for app alerts.

Off we go to our next stop……


In today’s time and age, saying something like, “looks matter,” might land you in a pickle. However, there’s no denying that when it comes to an organization managing a large fleet of iPhones, there is a certain way the home screen, lock screen, etc., should look. Also, it wouldn’t hurt to provide the admins the option to deploy configurations across a multitude of iPhones from a single console. So, let’s have a quick look at the different configurations that Hexnode allows the admins to tweak around with as part of iPhone device management.

  • Deploy custom configurations
  • Install extra fonts
  • Customize the way the device looks
  • Remotely add AirPrint printers to the printer list on iOS devices
  • Allow iOS devices to connect to AirPlay-enabled devices on the same network
  • Customize messages on the lock screen
  • Customize the iPhone’s home screen look

Whew! That was quite a jog, wouldn’t you agree? Feeling thirsty? Don’t worry. Let’s stop by the beautiful fountain of kiosks and catch our breath while basking in the wonders of kiosks.

Take a break by the fountain of kiosks…

Kiosks are indeed a fantastic addition to managing devices. No strategy for iPhone device management would ever be complete without kiosks. After all, they ensure that the employees are not distracted and are more efficient and productive. Hexnode arms the admins with a handful of methods to deploy the kiosks across the managed iPhones. Here’s a glimpse:

  • Guided access: It is an accessibility feature in all iPhones. Guided access allows one to manually lock down the devices to a single app.
  • Single app mode: Admins can enable this mode to restrict iPhones to a single app.
  • Multi-app kiosk: In this mode, the admins can restrict the iPhones to function using a few essential apps.
  • Web app: Technically, users can save specific URLs in shortcuts called web apps. Web app kiosk restricts employees to the approved set of web apps.
  • Autonomous single app: Here, the app can lock and release itself from the single app mode. Once activated, the app runs in the foreground and only exits once the intended purpose is finished. Remember the online test portals? Yup, that’s how they work.

Kiosk mode for frontline worker devices

Cooling down with Hexnode’s remote actions:

Do you feel refreshed? The walk, the jog, and the sights are all part of the experience – iPhone device management. So, let’s cool down our muscles as we look at the different actions the admins can perform remotely as part of managing the different iPhones.

  • Remotely view the device
  • Scan device
  • Scan device location
  • Lock device
  • Clear passcode
  • Wipe device
  • Change owner
  • Edit device attributes
  • Remote ring
  • Install applications
  • Uninstall application
  • Enable/disable personal hotspot
  • Broadcast message
  • Associate policy
  • Export device details

Until next time…

iPhones have indeed jelled themselves into our lives, both professional and personal. As with anything corporate, security is the primary concern. So, even with iPhones, corporate organizations can’t take a chance. The American actor James Wood once said that the iPhone is as significant an invention as the Gutenberg press in terms of the future of humanity. Indeed, we stand witness to this fact today. As important a role as the iPhone plays in today’s world, we must take all possible measures to secure it. After all, prevention is always better than the cure! Not to forget, with Hexnode, iPhone device management has never been more easier!

Alie Ashryver

Product Evangelist @ Hexnode. Gimme a pen and paper and I'll clear up the cloud of thoughts in ma head...

Share your thoughts