Managing iOS Devices:

One of the biggest challenges with large scale i)S devie deployments in managing the devices and application distribution.
Apple provides some information, as a basic configuration tool and makes reference to the ability to distribute applications.
Unfortunately, the “distribute Apps” feature is limited to apps that are developed in-house under the Apple Enterprise developer program ( It does not help with applications purchased from the iTunes app store and the feature of Apple management tool is limited mostly to configuration. Apple does provide a set of APIs (application programing interfaces) for others to build products to manage i)S devices.
The class of products is called Mobile Device Managers (MDM). Here is the list of some of the vendors in this area:

  • Apple iPhone Configuration Utility
  • DME from Excitor
  • KACE from Dell
  • MobileIron from MobileIron
  • Afaria from Sybase
  • Mobile Device Manager from AirWatch
  • Ubitexx - Mobile Device Management
  • Boxtone
  • Absolute Software
  • Zenprise

The website provides a good comparison chart of several of these products (see

Since all of these vendors rely on what apple provides via their iOS APIs, the feature sets are very similar. Even though they don’t do what I expect to be able to do with a tool like Microsoft SMS or App-V to remotely push out apps and updates to “traditional” computers, there are some useful features that could make life easier for large iOS deployments.

Apple has a good whitepaper on the features exposed via the iOS APIs that these vendors can take advantage of (the key thing here is if Apple hasn't open up the API for something there is not much the vendor can do to build the feature). Some of the things that seem to be advantages in the MDM products over the free Apple tool are

  • As near as I can tell, these tools can push changes out to devices. This is an improvement over the Apple configuration tool, where if I wanted to change a configuration profile it is “pull” rather than “push”, I would have to either touch each device (via USB) or rely on the user o go to a web site and download a new configuration profile.
  • Better enrolment capabilities (easier that the iPhone configuration utility) especially when using client certificates (you have to be running an internal certificate authority)
  • The ability to query managed devices to get things like iOS version, parental restrictions, serial numbers, MAC addresses and lists of installed apps
  • The ability to remotely wipe/lock or reset a passcode for a device (the only other way to do this would be to associate all devices with an exchange email account or lots and lots of mobile me accounts)
  • Most of these will integrate in to major configuration/asset tracking systems so you don’t have to manage them separately

Since all of these tools have to work within the apple APIs, what would be great if Apple could add to the management API to be the ability to :

  • In the “query” interface, identify apps by which iTunes account “owns” them (very important now that we have vpp)Have an administrator encrypt (and update) an iTunes account on the device that is managed by the MDM (since iOS devices can have apps from up to 5 accounts)—then allow itunes to run the app update function without requiring the user to know and enter the password for the account.
  • “Push” via notification the purchase via redeem (of VPP code)and download of an iTunes app out to a device (under the specific iTunes account)
  • Delete/Uninstall an app, very important under the VPP program, we’ll need to the option delete apps from devices at the end of the year and put them on different devices otherwise we are locked into specific “images” .