iOS 7 is finally out, giving us more details about new enterprise features. There’s a lot that we already knew about—Apple gave us a preliminary list of new enterprise features all the way back in June—but now that the NDA is lifted, more details are available.
So were there any big new surprises? Eh... not really. However, there are plenty of interesting smaller details that we can look at now.
Apple hasn’t put all of the official iOS 7 documentation out yet, but there’s still some good information out there. The MDM Configuration Profile Key Reference is available at developer.apple.com, and there’s a good video from the World Wide Developer Conference in June. (You have to be signed in to watch it, but the registration is free and you don’t have to actually join the developer program.) In addition, a few vendors have done more than just blog posts and press releases. Hats off to MobileIron, who put together an extensive series of videos—check out the ones called “iOS 7 [feature x] Explained” for some great general information that applies to all vendors, not just MobileIron.
Anyway, here are some of the new details that are especially interesting: (Remember, this list is mostly just the new stuff that we learned about this week. For a complete picture of all of the new iOS 7 enterprise capabilities, also take a look at all the features that we’ve known about since June.)
New mobile app management details
As we know from before, most of the new MAM features are only available for apps that are installed by the MDM server. These are known as “managed apps.” One problem comes up when an admin wants to use MDM to install and manage an app, but the user has already installed the app on their own. In this case there’s no way for MDM to take over the app. Either it just can’t be managed, or the user will have to uninstall the app and let the MDM server reinstall it.
- Managed open in: Open in controls will apply to all of the managed apps and managed email accounts collectively as a group, so there are no controls for individual apps. It’s possible to to control open in going both ways (opening files from managed apps into unmanaged apps and vice versa.) Managed open in only applies to sharing documents, so there are still a bunch of ways that data can move between apps, such as AirDrop.
- App configurations: The MDM protocol can now be used to send configuration information to individual apps, and the apps can send data back to the MDM server. Apps must be specifically developed to take advantage of this feature. Of course there have always been ways to communicate with apps, so what’s new here is that it can be done through the MDM protocol.
New mobile device management options
There are many new settings, commands, queries, and restrictions that can be handled by the MDM protocol.
- AirPlay mirroring: MDM can command devices to start AirPlay Mirror, distribute AirPlay passwords, and whitelist AirPlay locations for supervised devices. (More on supervised devices later.)
- Apple TV management: It will be possible to use MDM to set the language and WiFi credentials for Apple TVs.
- Fonts: MDM will now be able to install font files.
- Configure AirPrint: MDM can be used to pre-populate lists of printers on devices.
- Hotspot 2.0: Contains settings for how a device connects to Hotspot 2.0 WiFi networks. (Hotspot 2.0 is an emerging standard that allows devices to roam seamlessly from cellular networks to public WiFi networks.)
- New MDM queries: MDM can now query the device to see if it’s enabled as a mobile hotspot, if Do Not Disturb is active, if Find My iPhone is active, or if the device has an iTunes account signed in.
- New MDM commands: MDM can now command the device to set a custom lock screen, put the device in lost mode (displays a message on the lock screen), or disable using the device as a hotspot.
- New device restrictions: There are many new ways to use MDM to restrict device functionality, including: limit ad tracking, prevent iCloud keychain sync, prevent over the air PKI updates, block the lock screen control center, disable Touch ID, block the Notification Center in the lock screen, block the Today view in lock screen, and last, the Open In controls are implemented in the Restrictions
Volume Purchase Program
With the old VPP, once app redemption codes were given to users, there was no way to reclaim them. In June, Apple announced that with iOS 7 the the VPP would use a system of reclaimable licenses. We also just learned that these new licenses will work for any country—it used to be that you had to buy VPP apps on a country by country basis.
To distribute licenses, companies will send invitations to users. Users will associate their Apple ID with the company (though the company will not be able to see the actual ID). When an app license is assigned, the app will show up in the user’s “purchased” list, and the user can then download it. Once the license is revoked, the user will not be able to update or reinstall the app. It’s also possible to use MDM to simply install VPP apps as managed apps. The VPP can be used to purchase books, too, but book license assignments are permanent and cannot be reassigned to other users.
Supervised devices and the streamlined enrollment service.
“Supervised devices” refer to iOS devices that are managed more tightly than with conventional MDM. They are commonly used in education, for shared devices, or other scenarios when a greater degree of lockdown is required. Supervised devices can be managed over the air using MDM, but prior to iOS 7, the initial setup had to be done using a Mac OS X computer, the Apple Configurator software, and a physical connection. Needless to say, setting up a large number of devices could be a huge pain—you’d have to unbox them all, and go through the setup and enrollment process manually.
Now with iOS 7, it’s possible to order devices from Apple and have them be enrolled as supervised devices automatically, using the streamlined device enrollment service. When the device setup process begins and the device is connected to a network, it will recognize that it’s intended to be supervised and managed. From there, the next step is simply entering enterprise credentials to enroll it in MDM. Admins can lock the device into the MDM connection, and even if a device is erased, it will still automatically re-enroll when it’s reactivated.
- New features for supervised devices: Admins can push apps silently, so there’s no need for the user to acknowledge the installation, like on devices with regular MDM. MDM can also be used to set up web URL filtering, without a need for an outside service.
- Restrictions for supervised devices: The restrictions available to supervised devices are more extensive than with just standard MDM, and include the following: restrict account changes, restrict changes to Find My Friends setting, prevent changes to settings related to apps using cellular data, restrict pairing the device to other computers, prevent wallpaper changes, define service for text selection, and prevent the use of AirDrop.
This list of newly-emerged details is by no means complete. Like I mentioned in my recent article, the best place to go will be Apple’s official MDM documentation, which isn’t out yet.
I’ve been talking to people about the new MAM features all summer, but right now what’s actually most interesting about this is the new streamlined enrollment service. What do you think? Is there anything here that will be a game-changer and open up new deployment options? Or are these new details just business as usual? What do you think is missing?