iOS MDM: Achieving Even Greater Control

iOS Mobile Device Management Secures
By Lisa Phifer February 22, 2012 1:16 PM

Apple’s native MDM is just a starting point; vendors add their own secret sauce to meet even broader enterprise needs.

IT can accomplish quite a bit using nothing more than native iOS MDM, accessed through an MDM server’s console. For example, IT could ask all users to visit an open enrollment page to activate their own iPhones and iPads without assistance, pushing one standard set of configuration and application profiles to all devices. But this barely scratches the surface of what IT can do with an iOS-capable MDM.

Starting from Apple’s API, MDM vendors try to differentiate their products–for example, by automating workflows, creating audit trails, generating actionable reports, and integrating with enterprise infrastructure. Some value-adds are included; others may require additional software or licenses. Let’s look at some common enterprise needs, considering how MDM controls can make life easier for IT.

Device Enrollment

Native iOS MDM device enrollment can be initiated in many ways. Depending on the product, administrators may need to create user accounts, issue enrollment PINs, or send messages carrying one-time URLs to invited users. But many MDM servers go further through integration with enterprise directories – especially Active Directory.

This can be useful to send invitations to an entire group or domain, authenticate users with existing credentials during enrollment, or use directory attributes to determine which devices to accept and which profiles to deploy. In short, native iOS MDM automates over-the-air enrollment, but look closely at how the entire workflow is presented in any MDM console to assess organizational fit and efficiency.

Provisioning and Configuration Management

Apple’s Configuration Profiles dictate the iPhone and iPad attributes that any MDM can set, no matter how profiles are installed. For example, IT can stop users from syncing documents to iCloud because this profile attribute was added in iOS 5. A full list of profiled attributes can be found here.

So don’t waste time comparing supported attributes. Instead, evaluate how any MDM can actually help IT maintain, deploy, and verify Configuration Profiles. For example, does the MDM warn of iOS version limitations or errors (below)? How does it help to manage profile versions, refine profiles, and determine which devices and users will be affected?

Figure: Maintain, Deploy and Verify Configuration Profiles
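The kind of version check discussed above, as an added example that is not from the article or from any MDM product: it parses a Configuration Profile and reports Restrictions keys that were introduced after the target device's iOS release. The profile, its identifiers and UUIDs are constructed, and the version table is an illustrative subset assumed for this example.

```python
import plistlib

# Illustrative subset (assumption): Restrictions-payload keys and the iOS
# release that introduced them. Extend from Apple's profile reference.
MIN_IOS = {
    "allowCamera": (4, 0),
    "allowCloudBackup": (5, 0),
    "allowCloudDocumentSync": (5, 0),
    "allowPhotoStream": (5, 0),
}
RESTRICTIONS_TYPE = "com.apple.applicationaccess"


def build_sample_profile():
    """Constructed profile that blocks iCloud document sync and backup."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadIdentifier": "com.example.restrictions",  # placeholder
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",
        "PayloadVersion": 1,
        "PayloadContent": [{
            "PayloadType": RESTRICTIONS_TYPE,
            "PayloadUUID": "00000000-0000-0000-0000-000000000002",
            "PayloadVersion": 1,
            "allowCamera": True,
            "allowCloudDocumentSync": False,
            "allowCloudBackup": False,
        }],
    })


def check_profile(profile_bytes, device_ios):
    """Return warnings for restriction keys newer than the device's iOS."""
    profile = plistlib.loads(profile_bytes)
    device = tuple(int(part) for part in device_ios.split("."))
    warnings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != RESTRICTIONS_TYPE:
            continue  # only the Restrictions payload is checked here
        for key, value in payload.items():
            needed = MIN_IOS.get(key)
            if needed and device < needed:
                warnings.append(
                    f"{key}={value} needs iOS {needed[0]}.{needed[1]}+, "
                    f"device runs {device_ios}")
    return sorted(warnings)
```
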

Administrative tasks

MDM servers often go beyond native iOS MDM when it comes to actions. For example, native actions include remote wipe (reset to factory default) and remove MDM control (deletes all MDM-installed profiles). However, some MDM servers can also quarantine non-compliant devices by selectively removing Wi-Fi, VPN, Exchange, and/or enterprise application profiles while maintaining MDM visibility and control.

Figure: Verify iOS Device Details

MDMs also tend to automate common tasks, such as wiping jail-broken iOS devices (above) or applying a temporary lock-and-block to lost devices. Examine how such tasks are supported. Can time-sensitive actions be triggered by compliance checks? How many steps are required to address a problem–or to reverse those actions later? Unfortunately, no MDM can take actions that Apple prevents, however much IT might like them, such as removing user-installed apps.
