Apple MDM: the basics, part 1

It’s perhaps not terribly surprising that many corporate customers of MDM (mobile device management) solutions don’t really understand how it works. The better MDM vendors provide enough information for the IT department to get the service running, but Apple is inscrutable, and in most environments everything “just works”, at least well enough to focus on other problems.

So let’s start with the basics and see where we land.

Apple provides three mechanisms for configuring a mobile device:

  • Via the Settings app
  • Via a USB dock connector, one device at a time
  • Over the air (OTA)

The last two items are collectively what Apple calls MDM.

There are many configuration options via Settings on a device that are not achievable via MDM. For example, while Apple offers MDM customers the ability to disable document synchronization via iCloud, if the user uses iCloud for email, MDM cannot be used to prevent the user from accessing iCloud email.

Conversely, the iPhone and iPad do not expose all configurable options via Settings. (Perhaps not so curiously, no one ever talks about the iPod touch in the enterprise environment. Anyone outside of–or even inside–retail using these in large numbers?)

Finally, Apple exposes the same configuration choices for a device managed via the dock connector as it does via over the air management, with one significant exception: it is impossible to add a separate password lock to the MDM configuration options over the air.

In other words, a user is always free to opt out of MDM management trivially if the device is managed over the air[*].

It’s important to note that the configuration options managed via MDM cannot be changed by the user; the user is only free to remove them. Carefully managed, this is not disastrous: in an ideal world, without those configuration bits, a device cannot connect to corporate resources, thus rendering it harmless.

This leads to the carrot/stick approach to device management, which I’ll talk more about in the future.

The next post will cover OTA MDM via TCP/IP, 802.11, CDMA or GSM…or why can’t we talk without all these blasted acronyms?

* With iOS 5 Apple has added a final MDM check-in when a user removes the MDM configuration from the device. Hopefully more such triggers will be added over time, such as when an app is installed.
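To make the removability point and the footnote concrete, here is an added example (not code from the original post): a Python script that constructs a sample configuration profile, audits whether a user could simply remove it, and recognises the check-in a device sends when the MDM profile is removed. The profile keys (`PayloadContent`, `com.apple.mdm`, `com.apple.profileRemovalPassword`, `PayloadRemovalDisallowed`) and the `CheckOut` message type come from Apple's configuration profile and MDM protocol formats; the post itself names none of them. `PayloadRemovalDisallowed` is a later addition that only applies to supervised devices and is included for completeness. All hostnames, topics, UDIDs and passwords are constructed placeholders.

```python
import plistlib
import uuid

# PayloadType Apple uses for the profile-removal password payload. As the post
# explains, this lock can only be applied via the USB/dock path, not over the air.
REMOVAL_PASSWORD_TYPE = "com.apple.profileRemovalPassword"
MDM_PAYLOAD_TYPE = "com.apple.mdm"


def _payload(payload_type, display_name, **extra):
    """Build one payload dictionary with the keys every payload must carry."""
    base = {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile." + payload_type,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
    }
    base.update(extra)
    return base


def build_sample_profile(with_removal_password=False, removal_disallowed=False):
    """Constructed sample profile: MDM enrollment plus the corporate Wi-Fi and
    Exchange payloads the user would lose by removing it. All values are made up."""
    payloads = [
        _payload(MDM_PAYLOAD_TYPE, "Example MDM enrollment",
                 ServerURL="https://mdm.example.com/mdm",
                 CheckInURL="https://mdm.example.com/checkin",
                 Topic="com.apple.mgmt.External.EXAMPLE-TOPIC",
                 IdentityCertificateUUID="IDENTITY-CERT-UUID-PLACEHOLDER",
                 AccessRights=8191),
        _payload("com.apple.wifi.managed", "Corporate Wi-Fi",
                 SSID_STR="corp-wifi", EncryptionType="WPA", Password="constructed-psk"),
        _payload("com.apple.eas.account", "Corporate Exchange",
                 Host="mail.example.com", UserName="jdoe"),
    ]
    if with_removal_password:
        # Only reachable via the dock connector in practice; shown for the audit.
        payloads.append(_payload(REMOVAL_PASSWORD_TYPE, "Removal password",
                                 RemovalPassword="constructed-removal-password"))
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Example corporate profile",
        "PayloadContent": payloads,
    }
    if removal_disallowed:
        profile["PayloadRemovalDisallowed"] = True
    return plistlib.dumps(profile)


def audit_profile(profile_bytes):
    """Report whether the user can simply remove the profile and what goes with it."""
    profile = plistlib.loads(profile_bytes)
    payloads = profile.get("PayloadContent", [])
    types = [p.get("PayloadType") for p in payloads]
    locked = REMOVAL_PASSWORD_TYPE in types or bool(profile.get("PayloadRemovalDisallowed"))
    # Everything except the MDM enrollment itself is corporate access the user
    # forfeits by removing the profile: the "harmless device" outcome in the post.
    lost = [p.get("PayloadDisplayName") for p in payloads
            if p.get("PayloadType") not in (MDM_PAYLOAD_TYPE, REMOVAL_PASSWORD_TYPE)]
    return {"payload_types": types, "user_removable": not locked, "lost_on_removal": lost}


# Constructed example of the final check-in the footnote describes: the device
# POSTs a plist with MessageType "CheckOut" to CheckInURL when the MDM profile
# is removed. UDID and Topic are placeholders.
SAMPLE_CHECKOUT = plistlib.dumps({
    "MessageType": "CheckOut",
    "Topic": "com.apple.mgmt.External.EXAMPLE-TOPIC",
    "UDID": "0000000000000000000000000000000000000000",
})


def classify_checkin(body):
    """Parse a check-in POST body; flag CheckOut so removals can be logged and alerted on."""
    msg = plistlib.loads(body)
    return {"message_type": msg.get("MessageType"),
            "udid": msg.get("UDID"),
            "unenrolled": msg.get("MessageType") == "CheckOut"}


if __name__ == "__main__":
    for label, blob in (("OTA profile", build_sample_profile()),
                        ("USB profile with removal password", build_sample_profile(True))):
        print(label, audit_profile(blob))
    print(classify_checkin(SAMPLE_CHECKOUT))
```

Running the script shows the over-the-air profile reported as user-removable while the same profile with a removal-password payload is not, and lists exactly which corporate payloads disappear on removal. On the server side, treating `CheckOut` as an unenrollment event is the natural hook for the alerting the footnote hopes for.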
