There was a lot of buzz this week around a rumor posted at AppleInsider.com that iOS 7.1 will be released in March, and that it will include improved mobile device management capabilities. All indications point to these new capabilities being the long-awaited and much-needed streamlined MDM enrollment process. This is great news for a lot of IT organizations, as it closes a potential security loophole and makes bulk deployment easier.
So what is the streamlined MDM enrollment process and why is it great news?
When it comes to enrolling iOS devices in mobile device management, currently there are two main options:
First, devices can be enrolled over the air—this is what’s done in most corporate MDM scenarios. Over-the-air enrollment uses a voluntary opt-in model which means that users can un-enroll devices at any time. When that happens, goodbye corporate management. As a safeguard any corporate settings, credentials, and apps that were installed via MDM are also removed.
Second, devices can be enrolled via USB. In this case, it actually is possible to lock the device into management so that users can’t un-enroll it. Unfortunately there’s an easy loophole: just erase the entire device and start over, MDM-free. The users might be missing corporate resources now, but on the other hand they get to walk away with an unrestricted iPad. Since iOS devices have become popular for educational and institutional use, you can image that this is a serious problem—remember that whole iPad “hacking” scandal in the LA school district last fall?
The streamlined MDM enrollment process closes this loophole by bringing a third enrollment option. When companies buy Apple devices in bulk they can customize the device setup process. One of the (expected) new options is to have MDM enrollment be included in that process. When the device is powered on for the first time, users will have to enter their credentials to enroll it in MDM before it can be used. Even if a device is completely erased, it will still have to be enrolled again.
Besides the obvious security angle, the streamlined MDM enrollment process will also make it way easier to do bulk deployment. Currently, companies have to go through devices one by one and enroll them manually, which doesn’t exactly sound like a fun project. (Seriously, there are stories that Apple’s advice was to tell companies to just hire temps to do bulk deployments.) Soon, though, companies will be able to just pass out devices directly to users and let the streamlined enrollment process will take care of everything else.
We first heard about this last June, shortly after the Apple WWDC 2013. We got more details later in September when the iOS 7 developer NDA was lifted, but since then it ever materialized, causing some frustration.
However, now all signs are indicating that the streamlined MDM enrollment process will finally arrive next month. (Hurray!) AppleInsider published a rumor from an unidentified source stating that Apple is working on iOS managed deployment, and that it will come with iOS 7.1 in mid-March. Also, there’s a new Volume Services portal up and running at Apple.com.
Why was this delayed? I don’t even want to pretend to know what goes inside Apple. I’ll just say that regardless of the timing, there are a lot of institutional customers that’ll be glad that this serious loophole is finally about to close.