Posted on 10-18-2023 01:09 AM
A tiny bit of a hiccup with JAMF that might affect one of the more 'special' users in my company!
When deploying devices, we block practically all iCloud functionality. The user can log in, but document and data sync (such as photos, etc.) is disabled. All done out of security. I must point out that the iCloud accounts are just like any other iCloud account (not managed by the company). All new iPhones receive a configuration profile related to security and iPhone functionality. Let's just call this 'Standard'. For example, certain apps are not available to download. Screenshots cannot be taken, manual resets of the iPhone are not allowed, and so on.
There is another config profile for 'Managers' who are afforded a little more freedom in terms of what they can do. Screenshots are allowed. Otherwise blocked apps from the App Store can be installed. WhatsApp is the best example.
VPP apps auto-install on the iPhones soon after being enrolled. Nearly everything in the company is Microsoft related. Outlook, Teams etc. I must manage the initial logins for them. 99% haven't a clue what MFA means, or where to find the QR code to scan to generate the VPN OTP code. 'Zero Touch'... forget it!
A management user has received a new iPhone that otherwise has no iCloud functionality (the norm). Unhappy that his 3rd party apps are not present, no photos have synced etc. I explained the rationale for this. I spoke with my boss, and he agreed to make a special exception for him so that iCloud backup of the old iPhone could be used for the restore on the new iPhone.
I did some testing with my work iPhone before committing to this with him. A second/test pre-stage (as well as a slightly modified management restrictions config) enrollment was created (scope limited to my iPhone only) to accommodate iCloud backup & restores when going through the 'set-up wizard' of a recently reset iPhone - this is the only point at which you can do an iCloud restore.
That all seems to go smoothly, but the VPP apps will not open. A cloud download symbol alongside the name of the app, but an error message appears to stop me using the APP allotted app. See the screenshot to better understand what I mean. '3rd party' apps survive the backup and restore OK, but it is very problematic having to delete essential work-related apps so that he can have a more 'consistent' work iPhone experience is a bummer. The problematic apps must be deleted and then re-downloaded from the App Store. Using it is not a problem as the user himself has the MS license to use company apps such as Outlook and Teams. 'Self Service' is also affected by this problem! Additional (but otherwise free to the user, assuming the IT department has granted a license) apps will all need to be manually installed; examples include MS Visio etc. I am being forced to ask myself, "What is more important, work apps, or what are effectively apps he doesn't need to do his job?"
Btw, I can still see the iPhone in JAMF, apply the lock code, send blank pushes, etc. Everything looks 'normal' here. The test iPhone also appears to have as many certificates, VPP apps assigned to it etc. Again, no tangible difference can be found when compared to every other iPhone in JAMF.
I have repeated the erase/install process many times, and when I don't do an iCloud restore the company VPP apps all work.
Researching this, it looks like one of the JAMF certs doesn't 'survive' the iCloud backup/restore. Can someone please confirm this for me?
Are there any workarounds for this?
Regards,
WL
Posted on 10-18-2023 01:11 AM
A screenshot of what I mean. Could not post it in the body of the post? HTML error?
Here goes...
Posted on 10-18-2023 07:44 PM
Have you tried ticking the box in the Teams VPP app configuration to make the app managed if unmanaged, and selected to automatically update the app? This is what we do for the most common and centrally managed apps. If users that have access to the App Store install Teams and Outlook from Apple's App Store instead of Self Service, then JAMF converts those apps to managed and reinstalls them automatically. I haven't seen this particular issue though, but this approach might solve that as well. Also, it's a good idea to do this for pre-installed apps such as GarageBand etc. too.
Posted on 10-19-2023 05:55 AM
Hi, the problem is not unique to Teams. It applies to all of the most critical MS Apps (as well as 'Self-Service') that auto-install soon after the iPhone is enrolled and (this) user is presented with the home screen. For every app (with the scope "All Standard Devices"), 'Managed Distribution' has the box for 'Assign Content Purchased in Volume'. 'VPP Codes' is not a concern here as all the apps themselves are free as far as things relate to Apple Business Manager. Even if the normal App Store was hidden or disabled (by JAMF) such apps should still be installed or made available later (as far as I know).
Yeah, reinstalling from the App Store is an option but it is very time consuming for all. 'Self-Service' is there for anything work related - the user doesn't necessarily need an Apple ID to do his job. About 40 apps are available via this service. Not all are going to be needed by everyone though.
Everything is standard. All that stands out is that his iPhone has been assigned a restrictions config profile that allows for iCloud backups from old devices AND his iPhone has been assigned to a special pre-stage enrollment that allows for the option for iCloud restore to be presented along the way. iCloud restore can only be done when the iPhone is being set up for the first time. For everybody else, things just work.
In any event, both of us have conceded defeat here! I am going to treat him and the iPhone as 'standard' as much as possible (as well as anybody else who asks for special iCloud permissions in the future!).
Thanks for your suggestions nonetheless.
Posted on 10-19-2023 05:59 AM
Sorry. Small typo. When I wrote "All Standard Devices", I just meant "All Mobile Devices" (and not "Specific Mobile Devices"). Too much going on in my head.