Posted on 09-04-2014 07:51 AM
Hello all,
I'm trying to figure out how to make an iPad that is stolen from a student unusable to the thief.
1) All my devices are in DEP and will be assigned to a PreStage enrollment.
In my testing, the iPad is always Supervised and Enrolled according to my PreStage settings if set up as new. And of course if the configuration is Applied. (Waiting for 9.41 to allow me to turn on 'Mandatory' and turn off 'Allow Removal').
If Restored from iCloud by the same user (backup has same serial number) the prompt to Apply Configuration is not shown, and the Supervision profile is (all profiles are) installed from the Restore.
If Restored from iCloud by a different user (backup has different serial number) the prompt to Apply Configuration IS shown, no profiles from the backup are restored, and the device is Supervised and Enrolled. NICE!!
I tried hooking up a DEP Supervised device to Configurator, after first putting it into DFU and wiping it with iTunes. It is not showing up in the Prepare tab.. not sure why as it has not had a chance to contact Apple. Unless there is something on the iPad indicating the Supervision or DEP program even after an iTunes restore.....
So all looks good from this standpoint. It looks like I will always have a stolen device back under management if they try to use it.
2) I'm thinking of dumping all new enrollments into a Smart Group, and install a Configuration Profile that is as restricted as possible. This part works fine. My huge question though - how do I get them out of this Smart Group without having to do it myself?
I thought of having them authenticate to the new Self Service Mobile app.. perhaps to install a Configuration Profile that is assigned to them.. but I can't get it to work yet (LDAP user signs in ok, but I don't know how to scope this). The SG criteria would check for 'does not have' this 'Profile Name'.
Are there any other thoughts or ideas? Am I missing something?
Thanks!!!!
chris :)
Posted on 09-04-2014 10:16 AM
We had been toying with this to see how we could make the DEP enrollment stick. If the device is restored from any type of backup, it will skip the enrollment screen. If the device is set as new, the DEP enrollment kicks in, and you cannot go past it without authentication.
Posted on 09-04-2014 10:32 AM
We just use LDAP authentication during the DEP enroll process. So if the device is wiped, the device can't even be activated without a district login.
Posted on 09-04-2014 12:25 PM
"Without Authentication".. my PreStages did not have that checked. Testing... That works pretty well. It has the added benefit of assigning the user to the iPad.
Let's add another layer. I also would love to know where my stolen device is. Keeping in mind that it has been wiped by the thief, LDAP authentication will make it a brick to them.
If instead I allow an unauthenticated enrollment, I can capture an IP address and the knowledge that someone is still trying to use it. Perhaps the police will subpoena for the IP address, perhaps not. I may have the IP address in my database already from another student, since the IP address collected is the public one not the private (NAT) one.
Are there then any thoughts on my item 2) above?
chris
Posted on 09-04-2014 01:06 PM
@qhle373 In my testing it only skipped the enrollment screen if the backup was from the same device. In this case the backup was from when it was still managed and it began communicating with the JSS again.