Apple iOS Provisioning

Apple iOS Mobile Device Management utilizes configuration policies to control the functionality on Apple devices.

From Dashboard 2020.12.15, Mobile Device Management for Apple devices uses the Apple Device Management infrastructure to handle communication between the Dashboard and newly installed Apple devices, including pushing configuration profiles. Before provisioning an Apple device in Mobile Device Management, please ensure the Apple Push Notification Certificate is set up in Apple Device Management.

Once set up with the Apple Device Management version of Mobile Device Management, you can upload and deploy custom Apple Configuration Profiles.

After the mobile device is added to the Dashboard, either as a single device or as part of Add Multiple Mobile Devices, the specified user receives an invitation email (and, where selected, an SMS) containing a provisioning link.

When the user opens the provisioning link from their mobile device, they are automatically offered the version applicable to its operating system: Apple iOS, Google Android or Windows Phone 8.1.

Apple iOS Provisioning Steps

  1. After pressing on the Download for your iOS device link in the provisioning email or SMS message, press Allow to download the Mobile Device Management configuration profile
  2. Once the download finishes, review the message then press Close to exit out of the dialog
  3. Go to the Profiles section in Settings > General > Profiles (& Device Management) and press on the Mobile Device Management profile
  4. Review the profile information then press Install
  5. Enter your authentication method when prompted, for example Passcode
  6. Review the Apple "Root Certificate" and "Mobile Device Management" warning message then press Install
  7. After reading the Remote Management message press Trust
  8. Click Done once the profile installs to exit out of the Mobile Device Management dialog

During the provisioning process the device appears as unregistered on the Dashboard. It does not display any operating system or device type information, and clicking on the device reports "Unregistered mobile device selected" in the south pane.

After the MDM successfully installs on the device, Mobile Device Management communicates back to the Dashboard and populates the device information.

Where an iOS device successfully enrolls in Mobile Device Management using the Apple Device Management framework, a green tick box displays against the device in the Mobile Devices section of the Dashboard.

Once iOS devices report back to the Dashboard you can then begin to deploy your own custom configuration profiles.

Apple iOS only supports the use of one Mobile Device Management solution at a time. Where a third-party Mobile Device Management product is already installed on a device, you will receive a "Profile installation failed as Mobile Device Management is already installed" error message when attempting to deploy Mobile Guardian.

The competing Mobile Device Management product profile may be removed from Settings > General > Profiles & Device Management: press on the profile and select the remove option.

For Apple iOS we retrieve the required provisioning files via the Apple Push Notification Service (APNS). To permit the APNS traffic when connecting via Wi-Fi, specific ports must be open in the firewall.

Apple introduced changes to its MDM configuration settings in iOS 13. When upgrading to iOS 13 on a device already running the non-Apple Device Management version of MDM, iOS forcibly removes MobileGuardian from the device. To continue monitoring, re-enroll MDM on the device to apply the Apple Device Management version.

Apple deprecated the APNs (Apple Push Notifications) protocols used by the non-Apple Device Management version of MDM on 31st March 2021. After this date all iOS devices using a non-Apple Device Management version of MDM stopped communicating with the Dashboard. If using a non-Apple Device Management version of MDM, we suggest migrating to the new version by uninstalling the previous enrollment profile and then re-enrolling the device.