Mobile Device Management (MDM) Primer
The next step in the MDM process is configuration of the devices through various settings and policies. Once a device is enrolled in the MDM, the administrator can change its configuration (profile) and push the change out to any or all devices, as applicable. Because the trust relationship was established at enrollment, the MDM server has extensive access to make changes on every device it controls. Through these profiles, IT retains control over corporate assets and security, ensuring that users have the proper level of access to confidential information.
Remember, IT can control the device and the access it has, but you have no way of knowing who the user is at the other end of the device. Requiring passcodes, of any type, is a necessary part of the process to help control who has access to confidential resources.
MDM device configuration is quite flexible: you can push managed configuration profiles at any time to configure a device for a new end user or to access a new infrastructure. You can also use MDM to remove functionality from a device by revoking a configuration profile that contains configuration settings necessary for access to corporate Wi-Fi or VPN.
Managed profiles use the same configuration settings available in standard configuration profiles (the same settings exposed by the iPhone Configuration Utility, iPCU). Some MDM vendors add minor extra settings that push the envelope, but these are not necessarily approved by Apple.
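To make the profile mechanism concrete, here is an added example (not code from the primer or from any MDM vendor) that builds a minimal configuration profile containing a passcode policy and a managed Wi-Fi payload, serialises it as a `.mobileconfig` plist, and sanity-checks it before push. The payload keys follow Apple's Configuration Profile Reference as I remember them (`com.apple.mobiledevice.passwordpolicy`, `com.apple.wifi.managed`, `PayloadRemovalDisallowed`); the organisation identifier, SSID and pre-shared key are constructed placeholders.

```python
"""Build and validate a minimal iOS configuration profile (.mobileconfig).

Added example, not from the original primer. Payload keys follow Apple's
Configuration Profile Reference as recalled; check them against the current
reference for your target iOS version before deploying.
"""
import plistlib
import uuid

ORG_PREFIX = "com.example.mdm"  # constructed identifier prefix


def passcode_payload(min_length=6, max_failed=10, max_inactivity=300):
    """Passcode policy payload: what 'requiring passcodes' looks like on the wire."""
    return {
        "PayloadType": "com.apple.mobiledevice.passwordpolicy",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ORG_PREFIX}.passcode",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Corporate passcode policy",
        "forcePIN": True,           # a passcode is mandatory
        "allowSimple": False,       # no repeating/sequential codes
        "minLength": min_length,
        "maxFailedAttempts": max_failed,
        "maxInactivity": max_inactivity,  # seconds before auto-lock
    }


def wifi_payload(ssid, psk):
    """Managed Wi-Fi payload; revoking the profile that carries it removes access."""
    return {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ORG_PREFIX}.wifi",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"Corporate Wi-Fi ({ssid})",
        "SSID_STR": ssid,
        "AutoJoin": True,
        "EncryptionType": "WPA2",
        "Password": psk,  # the profile itself is therefore sensitive data
    }


def build_profile(payloads):
    """Top-level profile wrapping the payloads; removal is disallowed so the
    user cannot simply delete the policy from Settings."""
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ORG_PREFIX}.corp",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Corporate baseline",
        "PayloadRemovalDisallowed": True,
        "PayloadContent": list(payloads),
    }


def to_mobileconfig(profile):
    """Serialise to the XML plist format a device (or iPCU) accepts."""
    return plistlib.dumps(profile)


def payload_types(raw):
    return [p["PayloadType"] for p in plistlib.loads(raw)["PayloadContent"]]


def validate_profile(raw):
    """Pre-push sanity check: round-trip the plist, confirm every payload has
    the mandatory keys, and reject duplicate PayloadUUIDs (which make
    revocation ambiguous). Returns a list of problem strings; empty means OK."""
    profile = plistlib.loads(raw)
    required = {"PayloadType", "PayloadVersion", "PayloadIdentifier", "PayloadUUID"}
    problems, seen = [], set()
    for p in profile.get("PayloadContent", []):
        missing = required - set(p)
        if missing:
            problems.append(f"{p.get('PayloadIdentifier', '?')}: missing {sorted(missing)}")
        if p.get("PayloadUUID") in seen:
            problems.append(f"duplicate PayloadUUID {p['PayloadUUID']}")
        seen.add(p.get("PayloadUUID"))
    return problems


if __name__ == "__main__":
    raw = to_mobileconfig(build_profile([passcode_payload(), wifi_payload("CorpNet", "constructed-psk")]))
    print(raw.decode())
    print("problems:", validate_profile(raw))
```

Because the Wi-Fi payload carries the pre-shared key in plaintext, the generated profile is itself confidential; it should only ever travel over the MDM channel (or be encrypted for the device's identity certificate), which is one reason pushing profiles through MDM is preferable to mailing `.mobileconfig` files around.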
Figure 11 - Device Query
The MDM server can also query devices for details about the device itself, network information, installed apps, and compliance and security data. Device queries can run on a schedule or be pulled on demand to verify that compliance, security and usage policies are being followed. The following is a list of information that may be queried from devices enrolled in your MDM:
- Unique Device Identifier (UDID)
- Device name
- iOS and build version
- Model name and number
- Serial number
- Capacity and space available
- Modem firmware
- Bluetooth and Wi-Fi MAC addresses
- Current carrier network
- SIM carrier network
- Carrier settings version
- Phone number
- Data roaming setting (on/off)
Applications installed
- Application ID
- Application name
- Application version
- Application and application data size
- Provisioning profiles installed with expiration dates
Compliance and security data
- Configuration profiles installed
- Certificates installed
- List of all restrictions enforced
- Hardware encryption capability
- Data Protection enabled
- Passcode present
With the management component of MDM, you can remove and install settings wirelessly. The management function does not typically enable the MDM to remove apps or prevent app installation; however, you can query the device to learn that an app has been installed, and the end user can then be notified to remove the specific app.
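The query data listed above only becomes useful once something evaluates it. The following added example (not code from the primer or from any MDM product) loads a constructed device record in plist form, checks it against a hypothetical corporate policy, and maps each finding to an action the management channel can actually take: push or revoke a profile, or notify the user, since MDM cannot uninstall an app on its own. The key names (`OSVersion`, `DataRoamingEnabled`, `HardwareEncryptionCaps`, `PasscodePresent`, `PasscodeCompliantWithProfiles`, `InstalledApplicationList`, `ProvisioningProfileList`, `ExpiryDate`) are modelled on Apple's MDM query responses as I remember them and should be treated as assumptions; the UDID, app identifiers and dates are constructed.

```python
"""Evaluate MDM device-query results against a compliance policy.

Added example, not code from the original primer. The device record is
constructed and the key names are assumptions modelled on Apple's MDM
query responses; map them to what your MDM server actually returns.
"""
import plistlib
from datetime import datetime

# Constructed sample: one device record, as an MDM server might store it
# after running the device, application and security queries.
SAMPLE_DEVICE_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>UDID</key><string>CONSTRUCTED-UDID-0001</string>
  <key>OSVersion</key><string>9.3.5</string>
  <key>DataRoamingEnabled</key><true/>
  <key>HardwareEncryptionCaps</key><integer>3</integer>
  <key>PasscodePresent</key><false/>
  <key>PasscodeCompliantWithProfiles</key><false/>
  <key>InstalledApplicationList</key><array>
    <dict><key>Identifier</key><string>com.example.corp.expenses</string>
          <key>Version</key><string>2.1</string></dict>
    <dict><key>Identifier</key><string>com.example.filesync.personal</string>
          <key>Version</key><string>5.0</string></dict>
  </array>
  <key>ProvisioningProfileList</key><array>
    <dict><key>Name</key><string>Corp Expenses In-House</string>
          <key>ExpiryDate</key><date>2016-01-15T00:00:00Z</date></dict>
  </array>
</dict></plist>
"""

# Hypothetical corporate policy; thresholds are illustrative.
POLICY = {
    "min_os": (9, 3, 0),
    "require_passcode": True,
    "require_file_level_encryption": True,  # bit 2 of HardwareEncryptionCaps
    "forbid_data_roaming": True,
    "app_denylist": {"com.example.filesync.personal"},
    "profile_expiry_warning_days": 30,
}

# Responses the management channel can deliver: push/revoke profiles and
# notify the user. It cannot uninstall apps, so app findings become notices.
ACTIONS = {
    "os_outdated": "notify user to update iOS",
    "no_passcode": "re-push passcode policy; revoke Wi-Fi/VPN profile until a passcode is set",
    "passcode_noncompliant": "re-push passcode policy profile and notify user",
    "no_file_encryption": "revoke data-access profiles; hardware unsuitable for confidential data",
    "roaming_on": "notify user to disable data roaming",
    "denylisted_app": "notify user to remove the app (MDM cannot uninstall it)",
    "profile_expired": "push a renewed provisioning profile",
    "profile_expiring": "schedule provisioning profile renewal",
}


def parse_version(text):
    return tuple(int(part) for part in text.split("."))


def evaluate(record, policy, now):
    """Return (code, severity, message) findings for one device record."""
    findings = []
    if parse_version(record["OSVersion"]) < policy["min_os"]:
        findings.append(("os_outdated", "high", f"iOS {record['OSVersion']} below minimum"))
    if policy["require_passcode"] and not record.get("PasscodePresent", False):
        findings.append(("no_passcode", "critical", "no passcode set"))
    elif not record.get("PasscodeCompliantWithProfiles", True):
        findings.append(("passcode_noncompliant", "high", "passcode does not meet pushed policy"))
    if policy["require_file_level_encryption"] and not record.get("HardwareEncryptionCaps", 0) & 2:
        findings.append(("no_file_encryption", "high", "no file-level hardware encryption"))
    if policy["forbid_data_roaming"] and record.get("DataRoamingEnabled", False):
        findings.append(("roaming_on", "low", "data roaming enabled"))
    for app in record.get("InstalledApplicationList", []):
        if app["Identifier"] in policy["app_denylist"]:
            findings.append(("denylisted_app", "medium", f"denylisted app {app['Identifier']} {app['Version']}"))
    for prof in record.get("ProvisioningProfileList", []):
        days_left = (prof["ExpiryDate"] - now).days  # plistlib yields naive datetimes
        if days_left < 0:
            findings.append(("profile_expired", "high", f"profile '{prof['Name']}' expired"))
        elif days_left <= policy["profile_expiry_warning_days"]:
            findings.append(("profile_expiring", "low", f"profile '{prof['Name']}' expires in {days_left} days"))
    return findings


def recommended_actions(findings):
    """Distinct actions, most severe finding first."""
    rank = {"critical": 0, "high": 1, "medium": 2, "low": 3}
    actions = []
    for code, severity, _ in sorted(findings, key=lambda f: rank[f[1]]):
        if ACTIONS[code] not in actions:
            actions.append(ACTIONS[code])
    return actions


def evaluate_sample(as_of="2016-01-01"):
    """Evaluate the constructed record against POLICY at a fixed date."""
    return evaluate(plistlib.loads(SAMPLE_DEVICE_PLIST), POLICY, datetime.fromisoformat(as_of))
```

Running `evaluate_sample()` on the constructed record reports the missing passcode, the enabled data roaming, the denylisted app and the provisioning profile that expires in 14 days; `recommended_actions` then puts the passcode remediation first. The date is passed in explicitly so the same record can be re-evaluated for an expiry that has already passed, which is the case a scheduled query is there to catch.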
Some specific actions that an MDM server can administer include:
- Remote wipe - sets the device back to factory defaults. Once the command is issued, the device immediately starts the process, requiring no other user intervention. All data and settings are lost.
- Remote lock - immediately locks the device, requiring the user to enter the passcode in order to move on.
- Clear passcode - if a user forgets their passcode, you can send the command to remove the existing passcode; the user then sets a new one, and your current passcode policy is enforced on it.
Configuration and provisioning profiles
- To configure devices and provision in-house apps, MDM servers can add and remove configuration profiles and app provisioning profiles, as well as their associated data, remotely.