Jamf Nation Community

Wombat · ‎02-28-2022

I know that this is was discussed in a really old thread in pro but it didn't' seem to answer this for schools. I am looking to stop students accessing things like Mail, Calendar, Contacts, Home, Music, Photo Booth, Podcasts, Reminders, Stocks, Tips, TV and Voice Memo.

I thought my enrollment profile 'stopped' them and restricted access but they have all been put in a group that any user can open and then use. This is on 'page two'/'swipe right' on the iPad but the group does not show on the layout tab in my profile. I can access that page in Profile but that page is blank so I can't amend it.

Thoughts please?

awoodbury · ‎02-28-2022

Do you have a Config Profile that Restricts App usage - Some apps not allowed?

Wombat · ‎02-28-2022

I completed the DEP profile when we set up Jamf and 'skipped'/ticked all I didn't want students to use. I can't see another way to restrict usage :-(

awoodbury · ‎02-28-2022

Skipping these screens during Prestage does not restrict them, it just skips over them during the initial setup. A Config Profile to Restrict them are under App Usage - Some apps not allowed and will need to be Scoped separately.

timbyler1890 · ‎02-28-2022

You will want to go to Configuration Profiles - Restrictions - Apps and go to the App usage section and set the drop down to Some apps not Allowed and then add the apps that you don't want to that list.

Henry_Chang · ‎03-01-2022

Hi @Wombat

If you want to remove the built-in app such like Calendar, Messages...etc you need to use the "Safelist and Blocklist" payload in Jamf School Profile.

Actually we just hide the built-in app in the iOS devices

And then you can add the application that you wouldn't let the user to use.

Wombat · ‎03-01-2022

Thanks for that Henry!

I was convinced that would work making these changes (I added all the apps mentioned above):

However, having re-sync'd and left it for 30 mins I still have this app collection on my iPads:

And all the apps are available to be used :-(

What am I doing wrong?

Henry_Chang · ‎03-01-2022

Hi @Wombat

Have you scope the device group after you created the profile about hiding built-in app?

If so, you can check the "Managed Profiles" of this device and check the profile status.

You can find the "Managed Profiles" at Devices -> Devices -> Choose iPad -> Managed Profiles

Wombat · ‎03-01-2022

I 'have' but when I was getting a pic to show you I see that the last action on these iPads is 'failed'. Is that something to do with it and how do I chase that down?

Fluffy · ‎03-01-2022

The first thing I would try is to reinstall the profile to see if it was a fluke. If you click on the device name you can get to the Device Details page. Go to Managed Profiles, find that profile and push the Reinstall command. If it fails again, then something may be off. The message you get from clicking on the Failed status may give some information.

To troubleshoot this further, you should try making separate configuration profiles to test where it is going wrong. Best practice is to combine as few profiles as you feel comfortable with to avoid situations like you are experiencing. For example: have separate profiles for Wi-Fi, Passcode, and Restrictions. It will also help if and when you have to change a setting without affecting the rest of the profile.

Also, this might just be me seeing ghosts, but I noticed you have a Passcode payload for your profile. I've experienced issues with profiles not installing with a conflict between the Passcode and Restrictions payload. If you have a Restrictions payload on the device as well, check to see if you have "Allow modifying passcode" disabled. Having the Passcode payload configured as well as disabling "Allow modifying passcode" in the Restrictions payload causes a conflict (there is usually a notification that fades away pretty quick).

I hope you find this helpful.

mh-jena · ‎03-01-2022

I would recommend to separate the profiles, every aspect should have its own profile. And what is the failure message? You should be able to click on the Failed Button, to get a detailed message.

Wombat · ‎03-02-2022

Thanks people,

Yes, fails again on re-install and there is/was a conflict with the passcode. I want the iPads open so anyone in a class can use then but NOT allow them to set a passcode. There was a message saying there was a conflict but it all 'worked'. It even allowed me to install apps on them until yesterday!

I removed the passcode in the profile and it still fails to install.

I did get a message a couple of days ago saying that the Token (.p7m file) had expired (I thought they were meant to last a year and we only set this up last week!) so I downloaded it from ASM again and installed it - so don't know if this could be part of the problem?

Not sure if this is related but I have some iPads that I added using the ODE QR Code as they were purchased about a year ago and can't be enrolled automatically (according to our reseller). The Device management profile installed fine and they show in Devices in Jamf but they come up as 'unsupervised' and there doesn't seem to be any way to change this and profile also shows as failed :-(.

Any help much appreciated.

Fluffy · ‎03-03-2022

I would try adding some to ASM through Apple Configurator 2 and test if that fixes anything. I haven't done it myself, but I can point you to Jamf's guide here.

As pointed out on that page, keep this in mind: "With manual device enrollment, a 30-day provisional period begins once a device is activated. During that period, users can remove their devices from enrollment, supervision, and MDM."

Wombat · ‎03-04-2022

Thanks, I've borrowed a mac and found that I can get them installed using Apple Configurator 2. Its a bit of a faff and I think I could make it easier with 'blueprints' but I only have 11 left to do so I think I'll go with what works!

Thanks for your help!

Jamf Nation Community

Remove Built in Apps from iPad