Posted on 06-26-2018 07:25 AM
Long story short, our leadership team would like a terms and conditions "splash" screen that shows up after logging into a device on enrollment that must be agreed to before being able to use an iPad. I think I know some steps, but no clue how to make it work. Looking for possible answers/guidance?
iPad sets up, config profile to hide all applications besides settings and webclips installs.
Inside webclip, there is an agreement of sorts that says blah blah blah, field for their LDAP username, and a button saying "I agree". After this, there is a webhook?/get/post idk to add the username that was input above into a static/smart group. Said static/smart group is the exemption from the configuration profile that locked down all apps.
Thoughts? Better ways to accomplish this?
Posted on 06-26-2018 09:40 AM
I needed to do something similar for staff members who wanted "loaner/checkout" iPads. Grain of salt—I did make a proof of concept but at some point the demand died down and it was never put in to practice (and the proof of concept wasn't very secure.)
We didn't know who would be in charge of maintaining the inventory (or if anyone would be at all), so I came up with the same carrot-and-stick idea to hide all of the apps if the device had gone more than a week without someone updating who was the current user. The full process is fairly straight-forward, and requires an extension attribute, a smart group, the API and a web page that can run a script to make changes on device records.
I added a mobile device extension attribute for "Last Checkout Date". I made a static group for the intended "Checkout Devices", and then a smart group called "Checkout Expired" with the criteria of Group Membership is "Checkout Devices" AND Last Checkout Date is over 7 days ago. The "Checkout Expired" smart group had a configuration profile that hid all of the apps, and added a webclip for our checkout form.
That webclip's URL had a variable for the device's serial number (like this: http://your.server/checkout_device.php?ipadSerial=$SERIALNUMBER) so it could be passed to some PHP functions facilitating all of the API work. Every week, the device's apps would be hidden because of changing smart group membership and the user needed to pop in their username into the form (like I said, proof of concept). The script would then update the user and "Last Checkout Date", which would then take the device out of the "Checkout expired" group, releasing the hidden apps, etc.
You could do something similar with a user extension attribute, and instead pass a $USERNAME variable in your webclip to your form page.
Posted on 06-26-2018 12:43 PM
@bumbletech you have me thinking now...
Now all I need is time to think this out fully... but what I'm thinking is a webclip to a standardized "Agreement", and another webclip with a variable along the lines of http://your.server/device_agreement_date.php?/jssID=$JSSID where the date gets input, and then create a smart group of:
"Device Agreement Date" is "before MM-DD-YYYY" and then scope the Device Agreement webclip, and the device-specific "I Agree" link webclip to devices in that smart group.
Now to figure out custom attributes, and a .php script that throws some HTML along the lines of "Your Device Agreement is being processed. Once it is processed, the iPad will unlock, and apps will reappear". insert facepalm emoji
Sidenote: If anyone could give a few hints on this, or has a file that does this easily "laying around" feel free to message me!