Installing an iOS MDM profile

This section describes the methods of deploying iOS MDM profiles on a corporate network.

Before deploying an iOS MDM profile, you must deploy a mobile device management system.

For details on deploying an iOS MDM profile in Kaspersky Endpoint Security Cloud, please refer to Kaspersky Endpoint Security Cloud help.

About iOS device management modes

You can deploy an iOS device management system in several different ways. The management mode depends on the owner of the mobile device (personal or corporate) and corporate security requirements. You can choose the management mode that is most suitable for the company, and use several modes at the same time.

Unsupervised devices

Unsupervised iOS devices are employees' personal devices that are connected to Kaspersky Security Center. In this mode, the user is allowed to use a personal Apple ID, work with any apps, and store personal data on the device. You can use a Kaspersky Device Management for iOS group policy to configure access to corporate resources, security settings, and other settings. By default, all iOS devices are unsupervised.

Supervised devices

Supervised iOS devices are corporate devices that are connected to Kaspersky Security Center. Initial configuration of the mobile device is performed in Apple Configurator. Apple Configurator is an application designed to prepare and configure iOS devices. Apple Configurator is installed on a computer running OS X. For more details about working with Apple Configurator, please refer to the Apple Technical Support website. You can use a Kaspersky Device Management for iOS group policy for further configuration. On supervised devices, you can access an extended selection of settings. For example, you can configure Global HTTP Proxy and additional restrictions (for example, blocked use of iMessage and Game Center), and you can block user account modifications.

To work with supervised and unsupervised iOS devices, the iOS MDM Server must have an APNs certificate installed, and an iOS MDM profile must be installed on the mobile devices of users.

Installing via Kaspersky Security Center

The iOS MDM profile is installed to the mobile devices of users whose user accounts have been added in Kaspersky Security Center. For more details about user accounts in Kaspersky Security Center, please refer to Kaspersky Security Center Help.

To install an iOS MDM profile:

1. In the console tree, select the Mobile Device Management → Mobile devices folder.
2. In the workspace of the Mobile devices folder, click the Add mobile device button.

   This starts the New Mobile Device Connection Wizard. Follow the instructions of the Wizard.

3. In the Operating system section, select iOS.
4. At the Selecting iOS MDM Server step of the wizard, select an iOS MDM Server from the list.
5. At the Select users whose mobile devices you want to manage step of the wizard, select one or several users for installation of the iOS MDM profile to their mobile devices.

   If the user is not in the list, you can add a new user account without exiting the Mobile Device Connection wizard.

6. At the Certificate source step of the wizard, select the source of the certificate for protection of data transfer between the mobile device and Kaspersky Security Center:
   • Issue certificate through Administration Server tools. In this case, the certificate will be created automatically.
   • Specify certificate file. In this case, your own certificate must be prepared ahead of time and then selected in the window of the wizard. This option cannot be used if you want to install the iOS MDM profile to several mobile devices. A separate certificate must be created for each user.
7. At the User notification method step of the wizard, select the method to be used to send the QR code for the iOS MDM profile installation:
   • Select Show QR code in wizard to scan the QR code with the camera of the mobile device on which you want to install the profile.
   • Select Send QR code to user to send the QR code with the corresponding link by email to the selected users in your organization. To install the iOS MDM profile, a user must then scan the QR code using the camera of the mobile device or open the link to the profile.

     If you select this method, specify the following parameters in the By email section:

     1. Select the User emails check box. In the drop-down list, select one of the following options:
        • All emails
        • Main email
        • Alternate email

        These email addresses must be specified in the user account settings in Kaspersky Security Center.

     2. If you want to send the QR code to an email address that is not specified in the user account settings in Kaspersky Security Center, select the Another email check box, and then specify the required email address.
     3. Click the Edit message button to configure the subject and the text of the notification message.

        If you selected the Prompt for password during certificate installation check box in the Issuance of mobile certificates section, add the %PASS% macro to the text of a notification message to send a password to the user. Otherwise, a warning appears and the notification message cannot be sent.

     Click the Next button to send the generated email message.

8. The Result step of the wizard displays a summary of the entered information. Scan the QR code if you selected the Show QR code in wizard option at the previous step of the wizard.
9. Finish the Mobile Device Connection wizard.

After installing the iOS MDM profile to users' mobile devices, you will be able to configure the app settings by using group policies. You will also be able to send commands to mobile devices for data protection in case devices are lost or stolen.

On mobile devices running iOS 12.1 or later, you must manually confirm installation of an iOS MDM profile on the mobile device. You must also grant permission for remote management of the device.