- Jamf Nation Community
- Products
- Jamf Pro
- MDM: Locking Enrollment Profiles
Options
- Subscribe to RSS Feed
- Mark Topic as New
- Mark Topic as Read
- Float this Topic for Current User
- Bookmark
- Subscribe
- Mute
- Printer Friendly Page
MDM: Locking Enrollment Profiles
Not applicable
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-08-2011 08:36 AM
When downloading a JSS generated enrollment profile into iPCU, the profile looks and acts as if it could be made into a configuration profile. However, any change made to the profile causes iPCU to fail upon installation of the profile onto a device. In particular, we would at least like to require authentication to remove the profile. If we could also change it into a full blown configuration profile so that configuration and enrollment can take place in one step, that would be a bonus.
Is it possible to modify enrollment profiles?
Dan Peterka District Technology Office Solana Beach School District
9 REPLIES 9
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 02-15-2012 08:22 AM
EDIT: By design Apple chose not to allow an MDM profile the ability to be secured (locked out from being deleted). If you deploy a secure profile with MDM settings in it, the iOS device will actively refuse it. Bummer...
We are curious about this too. What we are seeing is that users can actively remove the MDM and Certificate profile from a managed device and effectively break the management capabilities of Casper. It would be nice if the enrollment process bound the MDM and certificate with which ever profile you created and assigned to a device or user, and then encapsulate it with profile security features seen in the iPhone Configuration Utility.
Patrick Reeder
Systems Engineer
Leander ISD
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 02-29-2012 02:17 PM
So enrollment can't be locked? I am just starting to look at MDM and noticed that I could delete the MDM enrollment profile (but not the OTA applied configurations). I would like to ensure that devices that are enrolled stay enrolled. Is this not possible?
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 02-29-2012 02:26 PM
Sadly not, it looks like Apple's take is that if people unenroll they will lose all the settings required to work on your environment...
Which is great, until you start dealing with students..
Not applicable
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-03-2012 03:52 PM
It is a major pain, also for Hotels, deploying iPads to Hotel Guests.
At present we Laser Etch them via Apple, in order to not ruin Warranty & fit a non-removable Asset Tag to the back.
Then turn on "Find my iDevice"
I would love to see the later getting password protected by Apple, either via the AppleID Password, to which the Device is associated to or via a separate Password that can not be the same as the LockScreen Code...
So that you can not just swipe it offline
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-04-2012 07:49 AM
As mentioned already Apple did this by design. Its difficult because it makes MDM very clunky.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-05-2012 03:49 AM
Which is great, until you start dealing with students..
Yup. Not just students, though; unfortunately. Adults (staff/teachers) are equally frustrating in this manner.
I've filed bug reports with Apple over this and spoken with our Sales guy and Engineer regularly. Apple's inability to understand that district owned devices are just that, District property, not end user owned, is beyond frustrating.
The entire process of maintaining a large scale iOS install base (we've got 2500 now, 4000 by the end of the summer) is maddening due to the management leash. It seems these days, I spend almost all of my time playing nurse maid to our iOS devices and barely get to consider my Macs (only a thousand or so).
The inability to lock the MDM profile, restrict a user from changing OUR device name, restricting to a whitelisted AP/Wifi and locking iTunes account (the way we can iCloud...!) is very frustrating.
And don't get me started on the mess that is VPP.
Sorry, gripe hijacking here; but Apple clearly doesn't view these as Enterprise/Education devices. The percentages are just too small to make it worthwhile for them to release an "Enterprise" firmware that would provide us with what we need in a non-User owned deployment.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-05-2012 06:04 AM
Sorry, gripe hijacking here; but Apple clearly doesn't view these as Enterprise/Education devices.
But that doesn't prevent them from heavily marketing to those exact same segments... I feel your pain.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-05-2012 08:55 AM
It's not a perfect solution for all situations but you can use Configurator in a supervised mode, to protect the MDM profiles. If your end user tries doing a reset all settings before un-supervising the device in Configurator, the device will restart with everything still intact including the MDM enrollment profiles. (Thanks Jeff Strauss - JAMF SE)
Trouble with this in our district, is we setup these devices prior to sending them out to a site and unless we use a provisonal node that's going to the site as well supervising them in configurator on our district nodes marries them to our nodes and not the sites.
So now we have about 6 different setup scenarios for deployment in our large school district and about 4000+ devices and growing UGH!
We're all in the same boat.
Options
- Mark as New
- Bookmark
- Subscribe
- Mute
- Subscribe to RSS Feed
- Permalink
- Report Inappropriate Content
Posted on 06-05-2012 09:01 AM
BTW, these steps that Jeff Strauss provided to me not only lock the profiles they also allow for a silent install of the enrollment profiles when you are using the supervised mode in configurator. I found them a bit more helpful than the "one to one" technical paper currently provided by JAMF.
Hopefully this may in some cases help someone here.
1) Connect an iOS device to a machine running Configurator.
2) In the Prepare task area, leave the device name blank and turn Supervision on. Do not select any other options and don't install any profiles.
3) Click the Prepare button beneath the settings.
4) Once the process has completed, manually continue through the activation process *without* configuring a Wi-Fi network until you get to the Home screen.
5) In Configurator, switch over to the Supervise tab, right-click the device you've just Supervised and set up, and select "Back Up..." from the drop-down. Save a backup.
6) Once your backup is saved, right-click it and select Unsupervise from the drop-down. This will restore it to factory defaults. Once unsupervision is complete, unplug the device.
7) Go to the Prepare tab, choose your naming convention, and turn Supervision on.
8) Leave iOS set to Latest, and for Restore, select the backup we just created.
9) In the Profiles pane, select your Wi-Fi and enrollment profiles.
10) Hit Prepare and connect your device.
Disconnect your devices and try erasing everything, you'll see upon restart the profiles are intact.
Good Luck!
