Managing iOS MDM devices

This section describes advanced features for management of iOS MDM devices through Kaspersky Security Center. The application supports the following features for management of iOS MDM devices:

• Define the settings of managed iOS MDM devices in centralized mode and restrict features of devices through configuration profiles. You can add or modify configuration profiles and install them on mobile devices.
• Install apps on mobile devices by means of provisioning profiles, bypassing App Store. For example, you can use provisioning profiles for installation of in-house corporate apps on users' mobile devices. A provisioning profile contains information about an app and a mobile device.
• Install apps on an iOS MDM device through the App Store. Before installing an app on an iOS MDM device, you must add that app to an iOS MDM Server.

Every 24 hours, a push notification is sent to all connected iOS MDM devices in order to synchronize data with the iOS MDM Server.

For information about the configuration profile and the provisioning profile, as well as apps installed on an iOS MDM device, please refer to the properties window of the device.

Signing an iOS MDM profile by a certificate

You can sign an iOS MDM profile by a certificate. You can use a certificate that you issued yourself or you can receive a certificate from trusted certification authorities.

To sign an iOS MDM profile by a certificate:

1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.
2. In the context menu of the Mobile devices folder, select Properties.
3. In the properties window of the folder, select the Connection settings for iOS devices section.
4. Click the Browse button under the Select certificate file field.

   The Certificate window.

5. In the Certificate type field, specify the public or private certificate type:
   • If the PKCS #12 container value is selected, specify the certificate file and the password.
   • If the X.509 certificate value is selected:
     1. Specify the private key file (one with the *.prk or *.pem extension).
     2. Specify the private key password.
     3. Specify the public key file (one with the *.cer extension).
6. Click OK.

The iOS MDM profile is signed by a certificate.

Adding a configuration profile

To create a configuration profile, you can use Apple Configurator 2, which is available at the Apple Inc. website. Apple Configurator 2 works only on devices running macOS; if you do not have such devices at your disposal, you can use iPhone Configuration Utility on the device with Administration Console instead. However, Apple Inc. does not support iPhone Configuration Utility any longer.

To create a configuration profile using iPhone Configuration Utility and to add it to an iOS MDM Server:

1. In the console tree, select the Mobile Device Management folder.
2. In the workspace of the Mobile Device Management folder, select the Mobile Device Servers subfolder.
3. In the workspace of the Mobile Device Servers folder, select an iOS MDM Server.
4. In the context menu of the iOS MDM Server, select Properties.

   The Mobile Device Server properties window opens.

5. In the properties window of the iOS MDM Server, select the Configuration profiles section.
6. In the Configuration profiles section, click the Create button.

   The New configuration profile window opens.

7. In the New configuration profile window, specify a name and ID for the profile.

   The configuration profile ID should be unique; the value should be specified in Reverse-DNS format, for example, com.companyname.identifier.

8. Click OK.

   iPhone Configuration Utility then starts if you have it installed.

9. Reconfigure the profile in iPhone Configuration Utility.

   For a description of the profile settings and instructions on how to configure the profile, please refer to the documentation enclosed with iPhone Configuration Utility.

After you configure the profile with iPhone Configuration Utility, the new configuration profile is displayed in the Configuration profiles section in the properties window of the iOS MDM Server.

You can click the Modify button to modify the configuration profile.

You can click the Import button to load the configuration profile to a program.

You can click the Export button to save the configuration profile to a file.

The profile that you have created must be installed on iOS MDM devices.

Installing a configuration profile on a device

To install a configuration profile to a mobile device:

1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.

   The folder workspace displays a list of managed mobile devices.

2. In the workspace, filter iOS MDM devices by protocol type (iOS MDM).
3. Select the user mobile device on which you have to install a configuration profile.

   You can select multiple mobile devices to install the profile on them simultaneously.

4. In the context menu of the mobile device, select Show command log.
5. In the Mobile device management commands window, proceed to the Install profile section and click the Send command button.

   You can also send the command to the mobile device by selecting All commands in the context menu of that mobile device, and then selecting Install profile.

   The Select profiles window opens showing a list of profiles. Select from the list the profile that you have to install on the mobile device. You can select multiple profiles to install them on the mobile device simultaneously. To select the range of profiles, use the Shift key. To combine profiles into a group, use the CTRL key.

6. Click OK to send the command to the mobile device.

   When the command is executed, the selected configuration profile will be installed on the user's mobile device. If the command is successfully executed, the current status of the command in the command log will be shown as Done.

   You can click the Resend button to send the command to the user's mobile device again.

   You can click the Remove from queue button to cancel execution of a command that was sent if the command has not yet been executed.

   The Command log section displays commands that have been sent to the mobile device, with the respective execution statuses. Click Refresh to update the list of commands.

7. Click OK to close the Mobile device management commands window.

You can view the profile that you installed and remove it, if necessary.

Removing the configuration profile from a device

To remove a configuration profile from a mobile device:

1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.

   The folder workspace displays a list of managed mobile devices.

2. In the workspace, filter iOS MDM devices by clicking the iOS MDM link.
3. Select the user's mobile device from which you have to remove the configuration profile.

   You can select multiple mobile devices to remove the profile from them simultaneously.

4. In the context menu of the mobile device, select Show command log.
5. In the Mobile device management commands window, proceed to the Remove profile section and click the Send command button.

   You can also send the command to the mobile device by selecting All commands from the context menu of the device, and then selecting Remove profile.

   The Remove profiles window opens showing a list of profiles.

6. Select from the list the profile that you have to remove from the mobile device. You can select multiple profiles to remove them from the mobile device simultaneously. To select the range of profiles, use the Shift key. To combine profiles into a group, use the CTRL key.
7. Click OK to send the command to the mobile device.

   When the command is executed, the selected configuration profile will be removed from the user's mobile device. If the command is executed successfully, the current status of the command will be shown as Completed.

   You can click the Resend button to send the command to the user's mobile device again.

   You can click the Remove from queue button to cancel execution of a command that was sent if the command has not yet been executed.

   The Command log section displays commands that have been sent to the mobile device, with the respective execution statuses. Click Refresh to update the list of commands.

8. Click OK to close the Mobile device management commands window.

Adding a new device by publishing a link to a profile

In Administration Console, the administrator creates a new iOS MDM profile, using the New Mobile Device Connection Wizard. The Wizard performs the following actions:

• The iOS MDM profile is automatically published on the Web Server.
• The user is sent a link to the iOS MDM profile by SMS or by email. Upon receiving the link, the user installs the iOS MDM profile on the mobile device.
• The mobile device connects to the iOS MDM Server.

Due to a stricter security policy introduced by Apple, you have to set up TLS 1.1 and TLS 1.2 protocol versions when connecting a mobile device running iOS 11 to an Administration Server that has integration with Public Key Infrastructure (PKI) enabled.

Adding a new device through profile installation by the administrator

To connect a mobile device to an iOS MDM Server by installing an iOS MDM profile on that mobile device, the administrator must perform the following actions:

1. In Administration Console, open the New Device Connection Wizard.
2. Create a new iOS MDM profile by selecting the Show certificate after the Wizard finishes check box in the New Profile Wizard window.
3. Save the iOS MDM profile.
4. Install the iOS MDM profile on the user's mobile device through the Apple Configurator utility.

The mobile device connects to the iOS MDM Server.

Due to a stricter security policy introduced by Apple, you have to set up TLS 1.1 and TLS 1.2 protocol versions when connecting a mobile device running iOS 11 to an Administration Server that has integration with Public Key Infrastructure (PKI) enabled.

Adding a provisioning profile

To add a provisioning profile to an iOS MDM Server:

1. In the console tree, open the Mobile Device Management folder.
2. In the Mobile Device Management folder in the console tree, select the Mobile Device Servers subfolder.
3. In the workspace of the Mobile Device Servers folder, select an iOS MDM Server.
4. In the context menu of the iOS MDM Server, select Properties.

   The Mobile Device Server properties window opens.

5. In the properties window of the iOS MDM Server, go to the Provisioning profiles section.
6. In the Provisioning profiles section, click the Import button and specify the path to a provisioning profile file.

The profile will be added to the iOS MDM Server settings.

You can click the Export button to save the provisioning profile to a file.

You can install the provisioning profile that you imported on iOS MDM devices.

Installing a provisioning profile to a device

To install a provisioning profile on a mobile device:

1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.

   The folder workspace displays a list of managed mobile devices.

2. In the workspace, filter iOS MDM devices by protocol type (iOS MDM).
3. Select the user's mobile device on which you have to install the provisioning profile.

   You can select multiple mobile devices to install the provisioning profile simultaneously.

4. In the context menu of the mobile device, select Show command log.
5. In the Mobile device management commands window, proceed to the Install provisioning profile section and click the Send command button.

   You can also send the command to the mobile device by selecting All commands from the context menu of that mobile device, and then selecting Install provisioning profile.

   The Select provisioning profiles window opens showing a list of provisioning profiles. Select from the list the provisioning profile that you have to install on the mobile device. You can select multiple provisioning profiles to install them on the mobile device simultaneously. To select the range of provisioning profiles, use the Shift key. To combine provisioning profiles into a group, use the Ctrl key.

6. Click OK to send the command to the mobile device.

   When the command is executed, the selected provisioning profile will be installed on the user's mobile device. If the command is successfully executed, its current status in the command log is shown as Completed.

   You can click the Resend button to send the command to the user's mobile device again.

   You can click the Remove from queue button to cancel execution of a command that was sent if the command has not yet been executed.

   The Command log section displays commands that have been sent to the mobile device, with the respective execution statuses. Click Refresh to update the list of commands.

7. Click OK to close the Mobile device management commands window.

You can view the profile that you installed and remove it, if necessary.

Removing a provisioning profile from a device

To remove a provisioning profile from a mobile device:

1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.

   The folder workspace displays a list of managed mobile devices.

2. In the workspace, filter iOS MDM devices by protocol type (iOS MDM).
3. Select the user's mobile device from which you have to remove the provisioning profile.

   You can select multiple mobile devices to remove the provisioning profile from them simultaneously.

4. In the context menu of the mobile device, select Show command log.
5. In the Mobile device management commands window, proceed to the Remove provisioning profile section and click the Send command button.

   You can also send the command to the mobile device by selecting All commands from the context menu and then selecting Remove provisioning profile.

   The Remove provisioning profiles window opens showing a list of profiles.

6. Select from the list the provisioning profile that you need to remove from the mobile device. You can select multiple provisioning profiles to remove them from the mobile device simultaneously. To select the range of provisioning profiles, use the Shift key. To combine provisioning profiles into a group, use the Ctrl key.
7. Click OK to send the command to the mobile device.

   When the command is executed, the selected provisioning profile will be removed from the user's mobile device. Applications that are related to the deleted provisioning profile will not be operable. If the command is executed successfully, the current status of the command will be shown as Completed.

   You can click the Resend button to send the command to the user's mobile device again.

   You can click the Remove from queue button to cancel execution of a command that was sent if the command has not yet been executed.

   The Command log section displays commands that have been sent to the mobile device, with the respective execution statuses. Click Refresh to update the list of commands.

8. Click OK to close the Mobile device management commands window.

Adding a managed application

Before installing an app on an iOS MDM device, you must add that app to an iOS MDM Server. An application is considered managed if it has been installed on a device through Kaspersky Security Center. A managed application can be managed remotely by means of Kaspersky Security Center.

To add a managed application to an iOS MDM Server:

1. In the console tree, open the Mobile Device Management folder.
2. In the Mobile Device Management folder in the console tree, select the Mobile Device Servers subfolder.
3. In the workspace of the Mobile Device Servers folder, select an iOS MDM Server.
4. In the context menu of the iOS MDM Server, select Properties.

   This opens the properties window of the iOS MDM Server.

5. In the properties window of the iOS MDM Server, select the Managed applications section.
6. Click the Add button in the Managed applications section.

   The Add an application window opens.

7. In the Add an application window, in the App name field, specify the name of the application to be added.
8. In the Apple ID or App Store link field, specify the Apple ID of the application to be added, or specify a link to a manifest file that can be used to download the application.
9. If you want a managed application to be removed from the user's mobile device along with the iOS MDM profile when removing the latter, select the Remove together with iOS MDM profile check box.
10. If you want to block the application data backup through iTunes, select the Block data backup check box.
11. Click OK.

The added application is displayed in the Managed applications section of the properties window of the iOS MDM Server.

Installing an app on a mobile device

To install an app on an iOS MDM mobile device:

1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.

   The folder workspace displays a list of managed mobile devices.

2. Select the iOS MDM device on which you want to install an app.

   You can select multiple mobile devices to install the application on them simultaneously.

3. In the context menu of the mobile device, select Show command log.
4. In the Mobile device management commands window, proceed to the Install app section and click the Send command button.

   You can also send the command to the mobile device by selecting All commands in the context menu of that mobile device, and then selecting Install app.

   The Select apps window opens showing a list of profiles. Select from the list the application that you have to install on the mobile device. You can select multiple applications to install them on the mobile device simultaneously. To select a range of apps, use the Shift key. To combine apps into a group, use the Ctrl key.

5. Click OK to send the command to the mobile device.

   When the command is executed, the selected application will be installed on the user's mobile device. If the command is successfully executed, its current status in the command log will be shown as Completed.

   You can click the Resend button to send the command to the user's mobile device again. You can click the Remove from queue button to cancel execution of a command that was sent if the command has not yet been executed.

   The Command log section displays commands that have been sent to the mobile device, with the respective execution statuses. Click Refresh to update the list of commands.

6. Click OK to close the Mobile device management commands window.

Information about the application installed is displayed in the properties of the iOS MDM mobile device. You can remove the application from the mobile device through the command log or the context menu of the mobile device.

Removing an app from a device

To remove an app from a mobile device:

1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.

   The folder workspace displays a list of managed mobile devices.

2. In the workspace, filter iOS MDM devices by protocol type (iOS MDM).
3. Select the user's mobile device from which you have to remove the app.

   You can select multiple mobile devices to remove the app from them simultaneously.

4. In the context menu of the mobile device, select Show command log.
5. In the Mobile device management commands window, proceed to the Remove app section and click the Send command button.

   You can also send the command to the mobile device by selecting All commands in the context menu of that mobile device, and then selecting Remove app.

   The Remove apps window opens showing a list of applications.

6. Select from the list the app that you need to remove from the mobile device. You can select multiple apps to remove them simultaneously. To select a range of apps, use the Shift key. To combine apps into a group, use the Ctrl key.
7. Click OK to send the command to the mobile device.

   When the command is executed, the selected app will be removed from the user's mobile device. If the command is executed successfully, the current status of the command will be shown as Completed.

   You can click the Resend button to send the command to the user's mobile device again.

   You can click the Remove from queue button to cancel execution of a command that was sent if the command has not yet been executed.

   The Command log section displays commands that have been sent to the mobile device, with the respective execution statuses. Click Refresh to update the list of commands.

8. Click OK to close the Mobile device management commands window.

Configuring roaming on an iOS MDM mobile device

Expand all | Collapse all

To configure roaming:

1. In the console tree, open the Mobile Device Management folder.
2. In the Mobile Device Management folder, select the Mobile devices subfolder.

   The folder workspace displays a list of managed mobile devices.

3. Select the iOS MDM device owned by the user for whom you have to configure roaming.

   You can select multiple mobile devices to configure roaming on them simultaneously.

4. In the context menu of the mobile device, select Show command log.
5. In the Mobile device management commands window, proceed to the Configure roaming section and click the Send command button.

   You can also send the command to the mobile device by selecting All commands → Configure roaming from the context menu of the device.

6. In the Roaming settings window, specify the relevant settings:
   • Enable voice roaming

     If this option is enabled, the voice roaming is enabled on the iOS MDM mobile device. The user of the iOS MDM mobile device can make and answer calls while in roaming.

     By default, this option is enabled.

   • Enable data roaming

     If this option is enabled, the data roaming is enabled on the iOS MDM mobile device. The user of the iOS MDM mobile device can surf the internet while in roaming.

     By default, this option is disabled.

Roaming is configured for the selected devices.

Viewing information about an iOS MDM device

To view information about an iOS MDM device:

1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.

   The folder workspace displays a list of managed mobile devices.

2. In the workspace, filter iOS MDM devices by clicking the iOS MDM link.
3. Select the mobile device for which you want to view the information.
4. From the context menu of the mobile device select Properties.

   The properties window of the iOS MDM device opens.

The properties window of the mobile device displays information about the connected iOS MDM device.

Disconnecting an iOS MDM device from management

To disconnect an iOS MDM device from the iOS MDM Server:

1. In the Mobile Device Management folder in the console tree, select the Mobile devices subfolder.

   The folder workspace displays a list of managed mobile devices.

2. In the workspace, filter iOS MDM devices by clicking the iOS MDM link.
3. Select the mobile device that you have to disconnect.
4. In the context menu of the mobile device, select Delete.

The iOS MDM device will be marked in the list for removal. The mobile device will be automatically removed from the list of managed devices after it is removed from the iOS MDM Server database. The mobile device will be removed from the iOS MDM Server database within one minute.

After the iOS MDM device is disconnected from management, all installed configuration profiles, the iOS MDM profile, and applications for which the Remove together with iOS MDM profile option has been enabled, will be removed from the mobile device.

Sending commands to a device

To send a command to an iOS MDM device:

1. In Administration Console, open the Mobile Device Management node.
2. Select the Mobile devices folder.
3. In the Mobile devices folder, select the mobile device to which the commands need to be sent.
4. In the context menu of the mobile device, select Show command log.
5. In the list that appears, select the command to be sent to the mobile device.

Checking the execution status of commands sent

To check the execution status of a command that has been sent to a mobile device:

1. In Administration Console, open the Mobile Device Management node.
2. Select the Mobile devices folder.
3. In the Mobile devices folder, select the mobile device on which the execution status needs to be checked for the selected commands.
4. In the context menu of the mobile device, select Show command log.