1
votes

I have completed the iOS MDM enrollment phases as well as the APNs push for commands like DeviceInformation, DeviceLock, etc.

Now I am trying to push policies (restrictions), Wi-Fi configurations and a passcode to the device.

So currently on my device I have one profile installed, which is the MDM management profile.

According to this Updating Configuration Profile installed in iOS device in MDM forum post, we have to send an InstallProfile command to the device whenever we want to apply policies.

But when I do so, in the Profiles section under Settings -> General -> Profile, I see two profiles installed: one is my MDM payload and the second is the restrictions payload which I had sent.

This is how I am trying to send the payload:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
    <dict>
        <key>Command</key>
        <dict>
            <key>RequestType</key>
            <string>InstallProfile</string>
            <key>Payload</key>
            <data>cGhfbWRtX2Jhc2VfNjRfZW5jb2RlZA==</data>
        </dict>
        <key>CommandUUID</key>
        <string>ph_mdm_command_uuid</string>
    </dict>
</plist>

Here the Payload value contains the base64-encoded plist of the profile. This is my profile configuration which is being sent in the Payload of the InstallProfile request type:

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN"
"http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
    <key>PayloadContent</key>
    <array>
        <dict>
            <key>PayloadDescription</key>
            <string></string>
            <key>PayloadDisplayName</key>
            <string>Restrictions</string>
            <key>PayloadIdentifier</key>
            <string>com.hQLvCF.mdm.version1.mdm3.restrictions1</string>
            <key>PayloadOrganization</key>
            <string></string>
            <key>PayloadType</key>
            <string>com.apple.applicationaccess</string>
            <key>PayloadUUID</key>
            <string>E9D5CFA9-4482-47DA-9CFA-5AA7AF4F62DC</string>
            <key>PayloadVersion</key>
            <integer>1</integer>
            <key>allowAddingGameCenterFriends</key>
            <true/>
            <key>allowAppInstallation</key>
            <true/>
            <key>allowAssistant</key>
            <true/>
            <key>allowAssistantWhileLocked</key>
            <true/>
            <key>allowBookstoreErotica</key>
            <true/>
            <key>allowCamera</key>
            <true/>
            <key>allowCloudBackup</key>
            <true/>
            <key>allowCloudDocumentSync</key>
            <true/>
            <key>allowDiagnosticSubmission</key>
            <true/>
            <key>allowExplicitContent</key>
            <true/>
            <key>allowGlobalBackgroundFetchWhenRoaming</key>
            <true/>
            <key>allowInAppPurchases</key>
            <true/>
            <key>allowMultiplayerGaming</key>
            <true/>
            <key>allowPassbookWhileLocked</key>
            <true/>
            <key>allowPhotoStream</key>
            <true/>
            <key>allowSafari</key>
            <true/>
            <key>allowScreenShot</key>
            <true/>
            <key>allowSharedStream</key>
            <true/>
            <key>allowUntrustedTLSPrompt</key>
            <true/>
            <key>allowVideoConferencing</key>
            <true/>
            <key>allowVoiceDialing</key>
            <true/>
            <key>allowYouTube</key>
            <true/>
            <key>allowiTunes</key>
            <true/>
            <key>forceEncryptedBackup</key>
            <false/>
            <key>forceITunesStorePasswordEntry</key>
            <false/>
            <key>ratingApps</key>
            <integer>1000</integer>
            <key>ratingMovies</key>
            <integer>1000</integer>
            <key>ratingRegion</key>
            <string>us</string>
            <key>ratingTVShows</key>
            <integer>1000</integer>
            <key>safariAcceptCookies</key>
            <integer>2</integer>
            <key>safariAllowAutoFill</key>
            <true/>
            <key>safariAllowJavaScript</key>
            <true/>
            <key>safariAllowPopups</key>
            <true/>
            <key>safariForceFraudWarning</key>
            <false/>
        </dict>
    </array>
    <key>PayloadDescription</key>
    <string>Push Policies</string>
    <key>PayloadDisplayName</key>
    <string>Policy Push</string>
    <key>PayloadIdentifier</key>
    <string>com.hQLvCF.mdm.version1.mdm3</string>
    <key>PayloadOrganization</key>
    <string></string>
    <key>PayloadRemovalDisallowed</key>
    <false/>
    <key>PayloadType</key>
    <string>Configuration</string>
    <key>PayloadUUID</key>
    <string>73D449F8-342F-4B53-9786-B888A0203349</string>
    <key>PayloadVersion</key>
    <integer>1</integer>
</dict>
</plist>

So now what happens is that it shows this new profile with the profile name "Push Policies" on my device. The same happens with the Wi-Fi profile.

My Question is:

How do I incorporate this policy payload within the MDM payload and not have a new profile created/installed?

This new profile is appearing since I have sent an InstallProfile command. I would like this policy or Wi-Fi configuration to be within the MDM payload.

Policies and Wi-Fi configurations can be removed or added at any time in the system, so we cannot add defaults while enrolling the device.

I hope i made myself clear.

Thanks for reading.


2 Answers

0
votes

You shouldn't do what you described.

The common practice is to install additional profiles. So, you have your basic MDM profile and you have a bunch of other profiles which are separate from it.

Based on the MDM documentation, the good pattern is to have both a "carrot" and a "stick" within a profile (for example, a requirement to set a complex passcode + Wi-Fi for your network). However, as far as I know, a lot of companies don't do that.

0
votes

Solution to the above query: A full-fledged MDM profile is first installed on the device with the identifier as:

<key>PayloadIdentifier</key>
<string>com.myprofile.mdm.version1.mdm3</string>
<key>PayloadType</key>
<string>com.apple.mdm</string>

This payload contains other details which are not specified here.

To apply policies and Wi-Fi configurations on the device, a different profile is installed with the identifier as below:

<key>PayloadRemovalDisallowed</key>
<true/>
<key>PayloadIdentifier</key>
<string>com.myprofile.mdm.version1.mdm3.configuration</string>
<key>PayloadType</key>
<string>Configuration</string>

keeping PayloadRemovalDisallowed true, as the user should not be able to remove this configuration profile.

Whenever the MDM profile is removed, this profile is automatically removed and all the policies are removed.

When there is a change in the policy or Wi-Fi, the latest policies and Wi-Fi configurations are pushed to the device and installed.
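The following is an added example, not code from either the question or the answers above. It shows, in Python with the standard-library plistlib, the pattern the question and the second answer describe: a separate Configuration profile (not the MDM payload itself) carrying a Restrictions payload and a Wi-Fi payload, wrapped into an InstallProfile command as base64 `<data>`, plus the matching RemoveProfile command. The point the question stumbled on is that the device decides whether to replace or add a profile by its PayloadIdentifier: every push reuses the same identifier for the Configuration profile, so an updated policy replaces the installed copy instead of appearing as a second entry. The reverse-DNS prefix `com.example.mdm`, the SSID `CorpNet` and the pre-shared key are constructed placeholders, and `PayloadRemovalDisallowed` is set as in the answer.

```python
import plistlib
import uuid

# Hypothetical reverse-DNS prefix for this example; substitute your own.
ORG_PREFIX = "com.example.mdm"
# Stable identifier for the managed Configuration profile.  A profile installed
# with the SAME PayloadIdentifier as one already on the device replaces it, so
# reusing this value on every push avoids a second entry under
# Settings -> General -> Profile.
CONFIG_PROFILE_ID = ORG_PREFIX + ".configuration"


def _uuid():
    return str(uuid.uuid4()).upper()


def restrictions_payload(allow_camera=True, allow_screenshot=True):
    """One com.apple.applicationaccess (Restrictions) payload."""
    return {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadVersion": 1,
        "PayloadIdentifier": CONFIG_PROFILE_ID + ".restrictions",
        "PayloadUUID": _uuid(),
        "PayloadDisplayName": "Restrictions",
        "allowCamera": allow_camera,
        "allowScreenShot": allow_screenshot,
    }


def wifi_payload(ssid, psk):
    """One com.apple.wifi.managed payload for a WPA2-PSK network."""
    return {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": CONFIG_PROFILE_ID + ".wifi",
        "PayloadUUID": _uuid(),
        "PayloadDisplayName": "Wi-Fi",
        "SSID_STR": ssid,
        "EncryptionType": "WPA2",
        "Password": psk,
        "AutoJoin": True,
        "HIDDEN_NETWORK": False,
    }


def build_configuration_profile(payloads, removal_disallowed=True):
    """Top-level Configuration profile as XML plist bytes.

    PayloadRemovalDisallowed=True blocks manual removal by the user; the
    profile still goes away when the MDM enrollment profile is removed.
    """
    ids = [p["PayloadIdentifier"] for p in payloads]
    if len(set(ids)) != len(ids):
        raise ValueError("nested PayloadIdentifiers must be unique: %r" % ids)
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": CONFIG_PROFILE_ID,
        "PayloadUUID": _uuid(),
        "PayloadDisplayName": "Policy Push",
        "PayloadDescription": "Managed restrictions and Wi-Fi",
        "PayloadRemovalDisallowed": removal_disallowed,
        "PayloadContent": list(payloads),
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def install_profile_command(profile_bytes):
    """InstallProfile command; plistlib writes the bytes as <data> (base64)."""
    cmd = {
        "CommandUUID": _uuid(),
        "Command": {"RequestType": "InstallProfile", "Payload": profile_bytes},
    }
    return plistlib.dumps(cmd, fmt=plistlib.FMT_XML)


def remove_profile_command(identifier=CONFIG_PROFILE_ID):
    """RemoveProfile command; the device matches on PayloadIdentifier."""
    cmd = {
        "CommandUUID": _uuid(),
        "Command": {"RequestType": "RemoveProfile", "Identifier": identifier},
    }
    return plistlib.dumps(cmd, fmt=plistlib.FMT_XML)


def decode_installed_profile(command_bytes):
    """Reverse install_profile_command: the profile the device will parse."""
    cmd = plistlib.loads(command_bytes)
    return plistlib.loads(cmd["Command"]["Payload"])
```

To change a policy, call `build_configuration_profile` again with the new payload set and send the result through `install_profile_command`; because the identifier is unchanged the device replaces the profile in place. The nested payload identifiers are derived from the parent identifier and checked for uniqueness, since duplicate nested identifiers are a common cause of a profile being rejected. Signing and encrypting the profile are omitted here.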