How do I deploy thousands of iOS devices quickly and securely?

IBM and Apple have recently announced a number of strategic partnerships. One that has slipped under the radar, and that we have found very interesting, is the integration between IBM’s MobileFirst Protect (formerly MaaS360 by Fiberlink) and Apple’s Device Enrollment Program (DEP).

What happens when you get a new iOS device?

When you receive a shiny new Apple product, it’s a nice feeling to get your hands on the box.

Then, once you take the device out of the box, that feel-good factor continues. Apple have managed to turn purchasing one of their many devices into a consumer delight.

You are now ready to finally switch it on and configure it.

However, once you have opened the cellophane, taken the device out of the box and switched it on, there is a series of things you need to do, including: (1) choose a language, (2) choose a country, (3) choose a Wi-Fi network, (4) enter the password for the Wi-Fi network, (5) enable or disable Location Services, (6) set up the iPhone as new, restore from iTunes or restore from iCloud, (7) sign in with an Apple ID or create a new Apple ID, (8) accept the Terms and Conditions, (9) set a passcode, (10) confirm the passcode, (11) choose whether to use Siri, and (12) Welcome to iPhone.

Finally we are started and ready to go.

Except that we still need to configure our email, secure the device, set up the things we need to use on it such as VPN or Wi-Fi, and finally get some apps to make the device productive.

Also, when using a device management product such as IBM MobileFirst Protect, the enrolment process needs to be factored in as well, from both the administrator and the end user perspective. That whole process can therefore take up a significant amount of time per employee just to get the device usable and up to a corporate standard. But what happens if you are in receipt of hundreds or thousands of iOS devices for your employees? How do you configure, secure and deploy them efficiently with the minimum of effort? Multiply what you just did for one device by potentially thousands. Performing all these steps manually will introduce user error through manual input, cost time and money, and ultimately give you unhappy employees, not to mention disgruntled administration and IT staff.

Efficient, Streamlined iOS Deployment

Using the Apple Deployment Program alongside IBM MobileFirst Protect to streamline device enrollment enables organisations to deploy efficiently, deploy securely and deploy with a lightweight touch, configuring iOS devices over the air while at the same time realising huge cost savings. We have been able to assist customers with these technologies across the health, finance and administration sectors, giving them immediate cost savings. One of our customers said: “The ability to hand a healthcare professional an expensive state of the art device, where they have to simply unwrap, switch on and log on using existing credentials really makes it a simple and cost effective task for us to adopt.” We will now discuss the steps that enable any organisation to realise the simplicity and effectiveness of using Apple’s DEP alongside IBM MobileFirst Protect.

Enabling IBM MobileFirst Protect and Apple’s DEP

#1 Enroll your organisation in DEP using the Apple DEP Portal

To enrol in the Apple Device Enrollment Program (DEP), you can get information on Apple’s DEP Home Page and also read Apple’s DEP Guide. DEP enablement typically takes up to 5 days. Here is my step by step guide to enrollment.

  • Sign in with a valid Apple ID at http://deploy.apple.com

  • Enroll your details, contact and institution details

  • The single most important piece of information in this process is knowing where you purchased your iOS devices from, as you will require a DEP Reseller ID. This will come either from your supplier or from a distributor who supplies your supplier. Without this you cannot use Apple’s DEP.
  • Once enrollment is complete you will be notified by Apple. We will come back to what you are required to do once this notification arrives.

Enabling Apple DEP in IBM MobileFirst Protect

Configure DEP Options in IBM MobileFirst Protect

  • Log into your IBM MobileFirst Protect Portal (this will be your own URL or https://login.maas360.com).
  • Enable DEP in IBM MobileFirst Protect by going to Setup … Deployment Settings, then selecting Use Apple’s Device Enrollment Program under Advanced Management for Corporate iOS Devices.

  • The custom Authentication Screen Header text will be displayed to the end user when the device is activated. If the Cloud Extender has been installed, Active Directory authentication can also be used, which is greatly beneficial because users log on with their existing credentials.
  • From the main menu in the IBM MobileFirst Protect portal, select Devices … Enrollments. On the Enrollments (Add Device Requests) screen, select Streamlined Enrollment.

  • Step 1 is to enrol and create an account at deploy.apple.com, which was discussed previously. You are then presented with a dialog instructing you to download and save a public key. This public key is required for Apple to generate an MDM token that links this IBM MobileFirst Protect instance with Apple.
  • Step 2 is to download the public key.
  • Step 3 is to upload a server token, downloaded from the Apple DEP portal for the MDM server created in Step 2.

Configure IBM MobileFirst Protect in DEP

  • Select Add MDM Server and enter the MDM server name. This is an internal identifier and bears no relation to the MDM server, solution provider or actual system.

  • Upload the IBM MobileFirst Protect public key downloaded previously from the IBM MobileFirst Protect portal.

  • Finally, download the MDM server token.

Update the Token in the IBM MobileFirst Protect Portal

  • Upload the server token to IBM MobileFirst Protect

  • As soon as the token is uploaded, IBM MobileFirst Protect uses it to find all the devices available for DEP. The list of associated device serial numbers is then displayed. Each device has to be assigned a profile, which defines the way in which it is set up. IBM MobileFirst Protect refreshes the serial numbers automatically every 4 hours, or on demand using the refresh button.
  • To create a profile for the streamlined enrolment, select the Profiles option, then Add Profile. This profile allows you to define the following, based on your requirements.

  • Profile configuration options:
    • Profile Name: Display name of the profile
    • Set as Default Profile: The default profile will override an existing default. New devices and devices without an assigned profile will be assigned this profile
    • Require MDM Enrollment: This will require users to enroll their device with MaaS360 during the setup process
    • Supervise Device: This will allow you to take advantage of the additional supervised policy options available in MaaS360.
    • Authenticate User: This will prompt the user to authenticate during device setup. After setup they will receive their assigned settings and content, such as policies, rules, apps and docs.
      • NOTE 1: This is only supported on devices running iOS 7.1 or higher
      • NOTE 2: If using AD/LDAP integration through the Cloud Extender, the username format must be in domain\username
    • Allow iTunes Pairing: This will allow the user to sync their device to iTunes
    • Skip Setup Items: Skip items such as Location, Apple ID, Siri, Touch ID, Restore, TOS and Diagnostics.
    • Set a Department Name
    • Set a Support Phone Number
    • Set Assignment: A profile may be assigned to None, All Devices or All unassigned devices.

Setting all this will result in a view similar to the following showing all the Apple devices with Serial Number, Status, Token Name and Assigned Profile alongside a description of the device and model.
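To make the profile options above concrete, here is an added example (not code from IBM MobileFirst Protect or MaaS360) that translates the portal's option labels into the JSON keys of Apple's DEP cloud-service "Define Profile" request, and then audits the resulting profile for settings that weaken the corporate baseline (optional enrollment, unsupervised device, user-removable MDM profile, iTunes pairing, non-HTTPS enrollment URL). The key names `profile_name`, `url`, `is_mandatory`, `is_supervised`, `is_mdm_removable`, `allow_pairing`, `skip_setup_items`, `department`, `support_phone_number` and `devices` are Apple's; the mapping from the portal labels to those keys, the `mdm_removable` parameter (which the portal list above does not expose) and the sample serial numbers are this example's assumptions.

```python
"""Build an Apple DEP profile from the MobileFirst Protect profile options
and audit it for weak settings.

Added example, not MobileFirst Protect / MaaS360 code. JSON keys follow
Apple's DEP "Define Profile" request; the label-to-key mapping below is an
assumption made for this example.
"""
import json

# Portal "Skip Setup Items" labels -> DEP skip_setup_items values (assumed mapping).
SKIP_ITEM_KEYS = {
    "Location": "Location",
    "Apple ID": "AppleID",
    "Siri": "Siri",
    "Touch ID": "Biometric",
    "Restore": "Restore",
    "TOS": "TOS",
    "Diagnostics": "Diagnostics",
}


def build_dep_profile(profile_name, mdm_url, require_enrollment=True,
                      supervise=True, mdm_removable=False, allow_pairing=False,
                      skip_items=(), department="", support_phone="",
                      serials=()):
    """Return the DEP profile dict an MDM server would submit to Apple.

    Unknown skip items are rejected rather than silently dropped, so a typo
    in the portal configuration cannot leave a setup screen un-skipped.
    """
    unknown = [item for item in skip_items if item not in SKIP_ITEM_KEYS]
    if unknown:
        raise ValueError(f"unknown setup items: {unknown}")
    return {
        "profile_name": profile_name,
        "url": mdm_url,                        # enrollment URL the device contacts
        "is_mandatory": require_enrollment,    # "Require MDM Enrollment"
        "is_supervised": supervise,            # "Supervise Device"
        "is_mdm_removable": mdm_removable,     # not exposed in the portal list (assumption)
        "allow_pairing": allow_pairing,        # "Allow iTunes Pairing"
        "skip_setup_items": [SKIP_ITEM_KEYS[item] for item in skip_items],
        "department": department,              # "Set a Department Name"
        "support_phone_number": support_phone, # "Set a Support Phone Number"
        "devices": list(serials),              # serial numbers assigned to this profile
    }


def audit_dep_profile(profile):
    """Return a list of findings for settings that weaken the corporate baseline."""
    findings = []
    if not profile.get("url", "").startswith("https://"):
        findings.append("enrollment URL is not HTTPS")
    if not profile.get("is_mandatory"):
        findings.append("MDM enrollment is optional: the user can skip it during setup")
    if not profile.get("is_supervised"):
        findings.append("device not supervised: supervised-only restrictions are unavailable")
    if profile.get("is_mdm_removable", True):
        findings.append("MDM profile can be removed by the user")
    if profile.get("allow_pairing"):
        findings.append("iTunes pairing allowed: device can be synced to unmanaged hosts")
    return findings


if __name__ == "__main__":
    # Constructed sample values; the serial numbers are not real devices.
    profile = build_dep_profile(
        "Corporate iPhone", "https://mdm.example.com/dep",
        skip_items=("Apple ID", "Siri", "Touch ID"),
        department="Healthcare", support_phone="+44 000 000 0000",
        serials=("EXAMPLESER001", "EXAMPLESER002"),
    )
    print(json.dumps(profile, indent=2))
    print("findings:", audit_dep_profile(profile) or "none")
```

Run the script to see the JSON that a hardened profile produces; feed `audit_dep_profile` a profile with `require_enrollment=False` or `supervise=False` to see the findings a defender would want to catch before assigning the profile to thousands of serial numbers.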

The Result

When you have enabled DEP support within IBM MobileFirst Protect, all your DEP enabled devices can be configured as new devices, from being wrapped in cellophane to being fully operational, within minutes. This includes:

  • Taking them out the box
  • Switch on
  • Select country and language
  • Select Wi-Fi network
  • Authenticate with AD

IBM MobileFirst Protect will then:

  • Configure the device
  • Deploy an MDM Profile
  • Deploy relevant security policies such as passcode, restrictions, wifi and VPN settings and more
  • Deploy the Secure Container
  • Configure email or secure email, whichever one has been chosen for use
  • Deploy corporate apps

The employee then has a fully enabled and secured corporate iOS device they can use straight from the box with minimal effort. The other great thing about DEP enabled devices is that if they are ever stolen, lost or wiped, the next time they are switched on and connected to the internet they will be automatically reconfigured as before, which renders the devices useless to anyone outside your organisation.

Here is a short video about Apple’s Device Enrollment Program and IBM MobileFirst Protect.

Notes

IBM have established IBM MobileFirst for iOS, a suite of solutions built for transformation that aims to solve issues such as security, cloud, integration, app management and support. IBM MobileFirst for iOS is an end-to-end set of offerings designed to address industry challenges on an individual level.

IBM acquired Fiberlink Communications and IBM MobileFirst Protect is a rebranding of the MaaS360 product.