Managing and Securing iPads & iPhones in the Zero Trust World – Best Practices
Jonathan Scarborough, Senior Technical Support Engineer

Agenda
• Device Enrollment Program
• Volume Purchase Program
• Apple Business Manager
• iOS with MobileIron Access & MobileIron Authenticator

Device Enrollment Program (DEP)
• Automate device enrollment during activation
• Streamlined device setup
• Wireless supervision

Volume Purchase Program (VPP)
• Allows organizations to bulk purchase and distribute apps
• Available for public and B2B apps
• Apps can be assigned to users or devices

Apple Business Manager
• DEP + VPP = ABM: Apple Business Manager brings both programs under one portal

Apple Business Manager – Device Enrollment Requirements
Apple Business Manager is available to organizations in supported countries or regions that purchase devices from any of the following channels:
• Directly from Apple
• Participating Apple Authorized Resellers
• Cellular carriers
Device Enrollment works on any of these devices:
• iOS devices with iOS 7 or later
• Mac computers with OS X Mavericks 10.9 or later
• Apple TV devices (4th generation or later) with tvOS 10.2 or later

DEP Process
1. Enroll in ABM
2. Create the MDM server entry in ABM and link it to Core / MobileIron Cloud
3. Assign iOS devices to the MDM server
4. Create/edit DEP Enrollment Profiles
5. Assign devices to Enrollment Profiles
6. Activate devices

DEP Setup – MobileIron Cloud
1. Download the key from MobileIron Cloud
2. Upload the key to business.apple.com & download the server token
3. Upload the server token to MI Cloud

DEP Setup – MobileIron Core
1. Download the key from MobileIron Core
2. Upload the key to business.apple.com & download the server token
3. Upload the server token to Core

DEP – Device Assignment: Authentication Type
Password
• Most common
• Default option
• Does not require device record pre-creation
Anonymous
• Least common
• Auto-assigns devices to the "Signed-Out" label
• Devices are not associated with a username
PIN
• Device records must be pre-created
• Independent of global authentication settings

Enrollment Profile – Enforce Basic Requirements
Enable Supervision
• Allows additional management features: restrictions, controls, functions, etc.
• Set up wirelessly during device enrollment
Require MDM Enrollment
• Can enforce MDM enrollment, or allow users to skip enrollment during setup
• Must occur during device setup
Allow MDM Removal
• Allows users to remove the profile after enrollment
• Important if re-enrollment is necessary
Allow Pairing
• Allows communication with a Mac/PC
• If disallowed, can complicate log collection when troubleshooting
(Screenshots: Enforce Basic Requirements – MI Cloud; Enforce Basic Requirements – Core)

Why Supervision Matters
• Legal requirements
• Enhanced management
• Single App Mode
• Lost Mode
• Activation Lock bypass
• Branding & uniformity
• Silent app installation
• iOS update management

Customize User Experience (screenshots: Core; Cloud)
Await Device Configuration during DEP Setup (screenshots: Core; MI Cloud)

Establishing Trust
Anchor Certificates
• Required for environments with internally-signed or self-signed certificates
• Devices return obvious status codes for trust issues
Pairing Certificates
• Certificate is applied to devices; the certificate and private keys must be installed on admin workstations
• Highly recommended if pairing is disabled by the Enrollment Profile or by Restrictions
(Screenshots: Establishing Trust – Core; MI Cloud)

Volume Purchase Program
VPP Setup
1. Download the location-based token
2. Add the VPP token to MI Cloud or to Core

VPP Distribution Options
Device-Based App Assignment
• App licenses are assigned to devices, not users
• Does not require an Apple ID for app installation
• Allows silent app installation (supervised devices only)
User-Based App Assignment
• Users must create/manage their own Apple ID
• Users must register with VPP by accepting an invitation
(Screenshots: User/Device License Assignment – MI Cloud; Core)

VPP – Legacy Token vs Location-Based Token
Legacy Token
• Downloaded from volume.itunes.apple.com
• Single token for the entire app purchase history
Location-Based Token
• Downloaded from business.apple.com
• App licenses can be grouped into different locations
• Tokens are unique across locations

Unsupervised iOS devices (screenshot)

iOS with MobileIron Access & MobileIron Authenticator
MobileIron Access – Conditional Rules (screenshots)
Authentication Models
• Traditional
• Network/Cloud
• Federated
• Zero touch
What is Access?
• Access is a proxy for federated authentication that can incorporate device posture as part of its decision-making process
• Access acts as a…
  • Service Provider for Identity Providers
  • Identity Provider for Service Providers
Authentication with Salesforce (Service Provider ↔ Identity Provider)
MobileIron Access with Salesforce
MobileIron Authenticator with iOS
Access Overview (diagrams)

In Summary
• Enforce OTA supervision for greater control
• Simplify and lock down iOS app management
• Control access to cloud-based services with MobileIron Access

Q & A
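The Enrollment Profile and Establishing Trust slides present the hardening settings as console checkboxes. The following Python is an added example, not code from the deck and not MobileIron or Apple code, that expresses the same requirements as an audit over a DEP profile dictionary. The field names follow the ones Apple's DEP "define profile" web service accepts (is_supervised, is_mandatory, is_mdm_removable, allow_pairing, await_device_configured, anchor_certs, supervising_host_certs); the MDM URL, the two sample profiles and the PEM body are constructed for the example.

```python
"""Audit a DEP enrollment profile against the 'Enforce Basic Requirements'
and 'Establishing Trust' guidance.

Added example; not the slides' or MobileIron's/Apple's code. Field names
follow Apple's DEP define-profile web service; sample data is constructed.
"""
import base64
import re
from typing import Dict, List, Tuple

PEM_RE = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def pem_to_dep_anchor(pem: str) -> str:
    """DEP wants anchor_certs / supervising_host_certs entries as base64 DER.

    A PEM body is already base64 of the DER, so strip the armor and whitespace
    and round-trip through the decoder so malformed input is rejected early
    rather than failing silently on the device.
    """
    m = PEM_RE.search(pem)
    if not m:
        raise ValueError("not a PEM certificate")
    body = "".join(m.group(1).split())
    der = base64.b64decode(body, validate=True)
    return base64.b64encode(der).decode("ascii")


def audit_dep_profile(profile: Dict, mdm_uses_private_ca: bool) -> List[Tuple[str, str]]:
    """Return (field, finding) pairs for every setting that weakens the profile.

    mdm_uses_private_ca: True when the MDM server certificate chains to an
    internal or self-signed CA (the case where anchor certs are required).
    """
    findings: List[Tuple[str, str]] = []
    if not profile.get("is_supervised", False):
        findings.append(("is_supervised", "supervision is set only at setup; Lost Mode, Single App "
                         "Mode, silent VPP install and Activation Lock bypass stay unavailable"))
    if not profile.get("is_mandatory", False):
        findings.append(("is_mandatory", "user can skip MDM enrollment in Setup Assistant"))
    if profile.get("is_mdm_removable", True):  # Apple's default is removable
        findings.append(("is_mdm_removable", "user can remove the MDM profile after enrollment; "
                         "keep only if user-driven re-enrollment is required"))
    if not profile.get("await_device_configured", False):
        findings.append(("await_device_configured", "device reaches the home screen before "
                         "MDM finishes pushing configuration"))
    if mdm_uses_private_ca and not profile.get("anchor_certs"):
        findings.append(("anchor_certs", "internally-signed MDM certificate with no anchor cert; "
                         "devices will report a trust error during enrollment"))
    if not profile.get("allow_pairing", True) and not profile.get("supervising_host_certs"):
        findings.append(("allow_pairing", "pairing disabled with no supervising host cert; admins "
                         "cannot pair for log collection when troubleshooting"))
    return findings


# Constructed placeholder: valid base64, not a parseable X.509 certificate.
SAMPLE_PEM = """-----BEGIN CERTIFICATE-----
MIIBsDCCAVagAwIBAgIJAKp8Z2ZzD0F1MAoGCCqGSM49BAMC
-----END CERTIFICATE-----
"""

# Constructed sample profiles; https://mdm.example.com/dep is an assumed URL.
WEAK_PROFILE = {
    "profile_name": "Default iOS",
    "url": "https://mdm.example.com/dep",
    "is_supervised": False,
    "is_mandatory": False,
    "is_mdm_removable": True,
    "allow_pairing": False,            # pairing off but no host cert: troubleshooting pain
    "await_device_configured": False,
}

HARDENED_PROFILE = {
    "profile_name": "Corporate iOS - Supervised",
    "url": "https://mdm.example.com/dep",
    "is_supervised": True,
    "is_mandatory": True,
    "is_mdm_removable": False,
    "allow_pairing": False,
    "await_device_configured": True,
    # anchor cert = CA that signed the MDM server cert; supervising host cert =
    # the cert whose private key lives on admin workstations. Same placeholder
    # body for both here, only because the sample PEM is constructed.
    "anchor_certs": [pem_to_dep_anchor(SAMPLE_PEM)],
    "supervising_host_certs": [pem_to_dep_anchor(SAMPLE_PEM)],
}

if __name__ == "__main__":
    for name, prof in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        print(name, audit_dep_profile(prof, mdm_uses_private_ca=True) or "OK")
```

Run it against the profile JSON you would submit to the DEP web service before assigning devices; the anchor-cert check only fires when you tell it the MDM uses a private CA, which matches the slide's point that anchor certs are a requirement of internally-signed environments, not of every deployment.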
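The "What is Access?" slide describes Access as a proxy that is the identity provider from the service provider's point of view and the service provider from the identity provider's, with device posture feeding conditional rules. The following Python is an added model of that decision point, not MobileIron's code and not the deck's: the SAML exchange is reduced to the fields the decision needs (which SP is asking, which device is asking, what the MDM knows about it), and the rule names, posture fields, entity IDs and device records are assumptions constructed for the example.

```python
"""Model of the conditional-access decision a SAML proxy such as Access makes.

Added example; not MobileIron code. Entity IDs, posture fields, rule names
and device records are constructed assumptions.
"""
from dataclasses import dataclass
from typing import Callable, Dict, Optional, Set, Tuple

SAML_STATUS_RESPONDER = "urn:oasis:names:tc:SAML:2.0:status:Responder"


@dataclass(frozen=True)
class DevicePosture:
    registered: bool = False       # device record exists in the MDM (Core / Cloud)
    compliant: bool = False        # passes the MDM compliance policy
    supervised: bool = False       # DEP-supervised
    managed_browser: bool = False  # request arrived via an MDM-managed browser/app


UNKNOWN_DEVICE = DevicePosture()   # no device identity presented: everything False


@dataclass(frozen=True)
class ConditionalRule:
    name: str
    action: str                                   # "allow" (proxy to IdP) or "block"
    predicate: Callable[[DevicePosture], bool]    # rule fires when this returns True
    sp_entity_ids: Optional[Set[str]] = None      # None = applies to every SP


@dataclass(frozen=True)
class AuthnRequest:
    sp_entity_id: str          # SAML Issuer of the service provider
    device_id: Optional[str]   # identity the proxy derived from the client; None if absent


class AccessProxy:
    """IdP toward the SP, SP toward the IdP; first matching rule wins, default deny."""

    def __init__(self, entity_id: str, idp_entity_id: str, rules, mdm_inventory):
        self.entity_id = entity_id
        self.idp_entity_id = idp_entity_id
        self.rules = list(rules)
        self.inventory: Dict[str, DevicePosture] = dict(mdm_inventory)

    def posture_for(self, device_id: Optional[str]) -> DevicePosture:
        # Unknown and unidentified devices get the same (empty) posture, so
        # a rule on 'registered' covers both without special casing.
        if device_id is None:
            return UNKNOWN_DEVICE
        return self.inventory.get(device_id, UNKNOWN_DEVICE)

    def decide(self, req: AuthnRequest) -> Tuple[str, Dict[str, str]]:
        posture = self.posture_for(req.device_id)
        for rule in self.rules:
            in_scope = rule.sp_entity_ids is None or req.sp_entity_id in rule.sp_entity_ids
            if in_scope and rule.predicate(posture):
                if rule.action == "allow":
                    # Re-issue the AuthnRequest to the real IdP under the proxy's own SP identity.
                    return "allow", {"rule": rule.name, "forward_to": self.idp_entity_id,
                                     "saml_issuer": self.entity_id}
                # Blocked: the SP gets a Response with a Responder status; the IdP is never contacted.
                return "block", {"rule": rule.name, "status": SAML_STATUS_RESPONDER}
        return "block", {"rule": "default-deny", "status": SAML_STATUS_RESPONDER}


SALESFORCE = "https://saml.salesforce.com"   # assumed SP entity ID for the example


def build_demo_proxy() -> AccessProxy:
    rules = [
        ConditionalRule("block-unregistered", "block", lambda p: not p.registered),
        ConditionalRule("block-noncompliant", "block", lambda p: not p.compliant),
        # Stricter posture for one SP only; ordered before the generic allow.
        ConditionalRule("salesforce-needs-supervised-managed-browser", "block",
                        lambda p: not (p.supervised and p.managed_browser),
                        sp_entity_ids={SALESFORCE}),
        ConditionalRule("allow-compliant", "allow", lambda p: p.compliant),
    ]
    inventory = {  # constructed device records
        "dep-ipad-001": DevicePosture(True, True, True, True),
        "byod-iphone-002": DevicePosture(True, True, False, True),
        "stale-ipad-003": DevicePosture(True, False, True, True),
    }
    return AccessProxy("https://access.example.com/saml", "https://idp.example.com/saml",
                       rules, inventory)


if __name__ == "__main__":
    proxy = build_demo_proxy()
    for dev in ("dep-ipad-001", "byod-iphone-002", "stale-ipad-003", None):
        print(dev, proxy.decide(AuthnRequest(SALESFORCE, dev)))
```

Rule order is the security-relevant detail: the per-SP block sits before the generic allow, so a compliant but unsupervised device reaches other services yet is refused at Salesforce, and anything the MDM does not know about is stopped before any rule that could allow it.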
Source file: PDF, 50 pages, English.