Summary: Locking an Apple device down to the absolute minimum, so that it carries business productivity applications and nothing more.

Apple Business Manager & MobileIron: Yes, another product I deployed a few years back was MobileIron, before the days of XenMobile. This was our MDM solution, and I reviewed a number of other MDM products at the time. Well, I've thrown myself into a project for a client to provide company-owned and fully managed Apple devices.

What's different from a normal MDM? In this project, we have completely stripped down the iPhone and iPad so that they contain only applications approved by the company, and the devices are provisioned with Apple Business Manager and VPP (Volume Purchasing Program).

How does it work: A registered company can set up an Apple Business Manager account so that all brand-new devices purchased from an authorised reseller automatically receive the company device profile and are registered in MDM out of the box.

Amazing, right? No need for an administrator to set up the phone or enrol it into MDM.

Administrators predefine the applications they want users to have using VPP, and these applications are then assigned to an App restriction policy in MobileIron.

Finally, we removed personal profiles and can restrict device features with MobileIron Policy restrictions. We stripped down the iPhone so it doesn't have an Apple ID and got rid of the App Store and other non-essential applications that could be used to export company data. For our client, communications apps such as WhatsApp on a company-owned device were a cause for concern, as they couldn't be properly audited, which would be required by financial regulations.
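One way to verify a lockdown like the one described above is to audit the restrictions profile the MDM pushes. This is an added example, not part of the original post or of MobileIron: it assumes the policy can be exported as a standard Apple configuration profile and uses Apple's restrictions payload keys (`allowAppInstallation`, `allowAccountModification`, `allowListedAppBundleIDs`); the sample profile, bundle IDs and approved list are constructed.

```python
import plistlib

# Constructed sample profile (not from the original post). Bundle IDs are made up.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.applicationaccess</string>
    <key>allowAppInstallation</key><false/>
    <key>allowListedAppBundleIDs</key><array>
      <string>com.example.crm</string>
      <string>com.example.chat</string>
    </array>
  </dict></array>
</dict></plist>"""

# Hypothetical list of company-approved apps.
APPROVED = {"com.example.crm", "com.example.mail"}

# Restriction keys that must be explicitly false on the locked-down device
# (no App Store installs, no adding or changing accounts).
MUST_BE_FALSE = ("allowAppInstallation", "allowAccountModification")

def audit_restrictions(profile_bytes, approved):
    """Return a list of findings; an empty list means the profile matches the policy."""
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == "com.apple.applicationaccess"]
    if not payloads:
        return ["no restrictions payload (com.apple.applicationaccess)"]
    findings = []
    for payload in payloads:
        for key in MUST_BE_FALSE:
            # A missing allow* key defaults to true, so the feature stays enabled.
            if payload.get(key, True):
                findings.append(f"{key} is not disabled")
        allowlist = payload.get("allowListedAppBundleIDs")
        if allowlist is None:
            findings.append("no app allowlist: any installed app can be shown")
        else:
            for bundle_id in sorted(set(allowlist) - approved):
                findings.append(f"unapproved app on allowlist: {bundle_id}")
    return findings

if __name__ == "__main__":
    for finding in audit_restrictions(SAMPLE_PROFILE, APPROVED):
        print("FINDING:", finding)
```

Both restriction types only apply to supervised devices, which is what enrolment through Apple Business Manager provides.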

Existing Devices: You might wonder what happens to all the existing iPhones and iPads. Well, we can use Apple Configurator 2 to prepare and register them in Apple Business Manager as well as add an MDM profile.

Result: Our client is now able to order a new device from Apple and send it directly to the user. The user gets an out-of-the-box experience with the company profile assigned and the device registered with MobileIron.

My next challenge would be to implement the same security model on XenMobile for another client.