Getting started with iOS device management

iOS device management involves the administration, security, and monitoring of Apple devices (iPhone, iPad, and iPod touch) within a corporate environment. Hexnode UEM provides a comprehensive framework to streamline this process.

To get started with iOS device management, administrators must follow a structured workflow involving certificate configuration, device enrollment, and policy application.

The Foundation: Prerequisites and APNs

To manage any Apple device, a secure communication channel between the Hexnode portal and Apple’s servers is mandatory.

  • APNs Certificate (Mandatory): The Apple Push Notification service certificate acts as the digital handshake for all MDM commands.
    • Path: Admin > APNs.
    • Process: Generate a CSR from Hexnode, sign it via the Apple Push Certificates Portal, and re-upload the signed certificate.
  • System Requirements: Supports iOS 11.0+ and iPadOS 13.1+.

Enrollment: Matching Method to Ownership

Enrollment establishes the management link. The choice depends on whether the device is corporate-owned or personal (BYOD).

Corporate-Owned (Automated & High Control)

Employee-Owned (Privacy-First BYOD)

  • User Enrollment: Specifically designed for privacy. It creates a managed APFS volume that siloes corporate data from personal photos and messages.
  • Email/SMS/QR Enrollment: A flexible method where users download a management profile via a unique link.

Key Management Pillars

Security and Restrictions

Controlling device functionality is central to iOS management.

  • Basic Restrictions: Prevents access to specific standard apps and features (camera, FaceTime, etc.). Applicable to all iOS devices.
  • Advanced Restrictions: Enhanced security settings available specifically for Supervised devices.
  • Prevent MDM Removal: Administrators can restrict users from removing the MDM profile, particularly when devices are enrolled via Apple DEP.
  • Activation Lock Bypass: Hexnode allows admins to bypass the activation lock to reset devices that have been locked by a user’s personal Apple ID.

App Management and Distribution

Hexnode UEM provides granular control over the application lifecycle.

  • Managed Apps: Apps deployed via Hexnode. Admins can configure settings, remove apps on-demand, or automate removal when the MDM profile is deleted.
  • Silent Installation: Apps can be installed without user interaction.
    • Requirement: The device must be in Supervised Mode.
  • Apple VPP (Volume Purchase Program): Allows organizations to buy app licenses in bulk and distribute them silently to supervised devices without requiring an Apple ID.
  • Blocklist/Allowlist: Admins can block specific apps or restrict the device to run only essential apps.
  • Kiosk Mode: Locks the device to a single app or a specific set of apps. (Requires Supervised Mode).
  • Web Clips: Deploys shortcuts to specific URLs on the home screen, appearing like native app icons.

Data Separation and Network Security

To secure corporate data while respecting user privacy (BYOD), Hexnode utilizes containerization.

OS Updates and Maintenance

Maintaining device health is critical for long-term management.

  • Enforce OS Updates: Push the latest iOS version to devices (Requires Supervised Mode).
  • Delay OS Updates: Administrators can delay software updates for up to 90 days to test for compatibility bugs (Requires Supervised Mode).
  • Remote View: Admins can view the screen of enrolled devices in real-time from the console to assist with support.

Personalization and User Experience

Enterprises can brand devices and improve usability.

Troubleshooting Common iOS Management Issues

If you encounter issues while getting started with iOS device management, consult the following troubleshooting steps:

Issue 1: Unable to Install Apps Silently

Cause: The device is likely not in Supervised Mode.

Solution: Verify the device supervision status. Silent installation for non-VPP apps strictly requires supervision. For VPP apps, ensure the license assignment is correct.

Issue 2: MDM Profile Removal by User

Cause: The device was enrolled manually without ADE restrictions.

Solution: To prevent removal, enroll devices using Automated Device Enrollment (ADE). This allows you to lock the MDM profile to the device.

Issue 3: “APNs Certificate Expired” Error

Cause: Apple Push Notification certificates are valid for one year.

Solution: Renew the APNs certificate using the same Apple ID used to create it initially. If you use a different ID, you will have to re-enroll all devices.
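
A pre-renewal check for the situation above, as an added example that is not Hexnode's own code: it reads the output of `openssl x509 -noout -subject -enddate` for the installed certificate and for a candidate renewal, reports the days left, and flags a renewal whose subject UID differs. It goes slightly beyond the text by comparing that UID, which is the MDM push topic devices were given at enrollment; the sample certificates, the 30-day threshold and the function names are assumptions.

```python
import re
import ssl
from datetime import datetime, timezone

# Constructed samples of `openssl x509 -in <cert.pem> -noout -subject -enddate`
# output. UUIDs, CNs and dates are made up for illustration.
TOPIC_A = "com.apple.mgmt.External.11111111-2222-3333-4444-555555555555"
TOPIC_B = "com.apple.mgmt.External.99999999-8888-7777-6666-555555555555"
CURRENT = f"subject=UID = {TOPIC_A}, CN = APSP:example, C = US\nnotAfter=Mar 10 09:30:00 2025 GMT\n"
RENEWED_SAME_ID = f"subject=UID = {TOPIC_A}, CN = APSP:example, C = US\nnotAfter=Mar  3 08:00:00 2026 GMT\n"
RENEWED_OTHER_ID = f"subject=UID = {TOPIC_B}, CN = APSP:other, C = US\nnotAfter=Mar  3 08:00:00 2026 GMT\n"


def parse_cert_summary(text):
    """Return (push_topic, expiry_utc) parsed from openssl subject/enddate output."""
    topic = re.search(r"UID\s*=\s*([^,/\s]+)", text)
    end = re.search(r"^notAfter=(.+)$", text, re.MULTILINE)
    if not topic or not end:
        raise ValueError("subject UID or notAfter line not found")
    seconds = ssl.cert_time_to_seconds(end.group(1).strip())
    return topic.group(1), datetime.fromtimestamp(seconds, tz=timezone.utc)


def renewal_check(current, renewed=None, now=None, warn_days=30):
    """Return (days_left, findings) for the installed cert and an optional renewal.

    warn_days is an assumed alerting threshold, not a Hexnode or Apple setting.
    """
    now = now or datetime.now(timezone.utc)
    cur_topic, cur_expiry = parse_cert_summary(current)
    days_left = (cur_expiry - now).days
    findings = []
    if days_left < 0:
        findings.append("EXPIRED")
    elif days_left <= warn_days:
        findings.append("RENEW_SOON")
    if renewed is not None:
        new_topic, new_expiry = parse_cert_summary(renewed)
        if new_topic != cur_topic:
            # Different push topic: enrolled devices will not receive pushes.
            findings.append("TOPIC_CHANGED")
        if new_expiry <= cur_expiry:
            findings.append("NOT_NEWER")
    return days_left, findings


if __name__ == "__main__":
    now = datetime(2025, 3, 1, tzinfo=timezone.utc)  # fixed date for the demo
    print(renewal_check(CURRENT, RENEWED_SAME_ID, now))
    print(renewal_check(CURRENT, RENEWED_OTHER_ID, now))
```

A `TOPIC_CHANGED` finding means the renewal was signed under a different Apple ID and should not be uploaded unless re-enrollment is intended.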

Issue 4: Hexnode App Logs for Diagnostics

Action: If the Hexnode app behaves unexpectedly, administrators can retrieve app logs remotely.

Path: These logs provide technical details on performance and errors, assisting support teams in diagnosing connectivity or policy failures.

Frequently Asked Questions (FAQs)

Q1: What is the first step to get started with iOS device management in Hexnode?

A: The absolute first step is configuring the APNs (Apple Push Notification service) certificate. Without this, the Hexnode server cannot communicate with Apple devices.

Q2: What is the difference between Supervised and Non-Supervised devices?

A: Non-supervised devices are typically personal devices (BYOD) with limited management controls. Supervised devices are institutionally owned and allow for advanced control, such as kiosk mode, silent app installation, and OS update restrictions.

Q3: Can I separate personal data from work data on an employee’s iPhone?

A: Yes. Hexnode uses Business Containers and Managed Domains to ensure corporate data resides in a separate, encrypted volume (on User Enrollment devices) or is logically separated from personal apps, preventing data intermixing.

Q4: How do I restrict devices to a single application?

A: You can use Kiosk Mode. This restricts the device to a single app or a specific list of apps and blocks all other functionalities. Note that the device must be Supervised to use Kiosk Mode.