
Apple Device Management

This section explains how to apply operations and policies to Apple devices.

Features

Apple Device Operations

Add Operations to an Apple Device

Prerequisites

The server has to be downloaded and started.

You must be logged in to the server's Endpoint Management Portal.

View the device that you have enrolled.

Steps

  1. Click on the operation that you need to apply to the device. In this tutorial, let us apply the Voice Roaming operation.

  2. A pop up message will be displayed on the screen. Select the Enable voice roaming check box.

  3. Click Send to Device.

The Voice Roaming operation will now be activated on the device.

The following table lists the operations that can be applied to macOS devices:

{insert table}

Apple Device Policies

Add a Policy

Prerequisites

The server has to be downloaded and started.

You must be logged in to the server's Endpoint Management Portal.

Steps

  1. Click Add Policies. (https://{IP}:{port}/devicemgt/policy/add).
  2. Click iOS from DEVICE TYPES.
  3. Create your policy. In this tutorial, let us create a passcode policy. After defining the settings, click CONTINUE.

NOTE

A profile in the context of WSO2 IoT Server refers to a collection of policies. For example, in this use case you are only creating one policy, the passcode policy. If you want to, you can add a restrictions policy too. All these policies will be bundled as a profile and then pushed to the devices.

  4. Define the user groups that the passcode policy needs to be assigned to:

NOTE Select the set user role/s or set user/s option and then select the users/roles from the item list. Let's select set user role/s and then select ANY.

  5. Click CONTINUE.

  6. Define the policy name and description.

  7. Click SAVE AND PUBLISH to save and publish the configured profile as an active policy to the database.

NOTE If you SAVE the configured profile, it will be in the inactive state and will not be applied to any devices. If you SAVE AND PUBLISH the configured profile of policies, it will be in the active state.

  8. To publish the policy to the existing devices, click APPLY CHANGES TO DEVICES from the policy management page.

View a Policy

  1. Go to Endpoint Management portal and click View Policies (https://{IP}:{port}/devicemgt/devicemgt/policies).

Publish a Policy

  1. Click View under Policies to get the list of the available policies.

  2. Click Select to select the policies you wish to publish that have not been published already.

  3. Click Publish.

Unpublish a Policy

  1. Go to Endpoint Management portal and click View policies (https://{IP}:{port}/devicemgt/devicemgt/policies).
  2. Click Select to select the policies that you wish to unpublish from those that have already been published.
  3. Click Unpublish.
  4. Click YES to confirm that you want to unpublish the policy.
  5. Now your policy is unpublished and is in the inactive/updated state. Therefore, the policy will not be applied to devices that newly enroll with Entgra UEM Server.

Verify the Policy Enforced on a Device

  1. Click View under DEVICES.
  2. Click on your device to view the device details. Click Policy Compliance.
  3. You will see the policy that is currently applied to your device.

Manage the Policy Priority Order

You can change the priority order of the policies and make sure the policy that you want is applied on devices that register with Entgra UEM Server.

  1. Click View under POLICIES to get the list of the available policies.
  2. Click POLICY PRIORITY.
  3. Manage the policy priority: drag and drop the policies into the required order, or define the order by entering a position in the edit box.
  4. Click SAVE NEW PRIORITY ORDER to save the changes.
  5. Click APPLY CHANGES to push the changes, to the existing devices.

Updating a Policy

  1. Click View under POLICIES to get the list of the available policies.
  2. On the policy, you wish to edit, click on the edit icon.
  3. Edit the policy:

a. Edit current profile and click CONTINUE.

b. Edit assignment groups and click CONTINUE.

c. Optionally, edit the policy name and description.

d. Click SAVE to save the configured profile or click SAVE AND PUBLISH to save and publish the configured profile as an active policy to the database.

{Insert list of policies??}

Applicable Apple Device Policies


Wifi Settings Policy

Refer to Add policy for instructions on how to add a policy to an iOS device.

Data Keys of Policy and its Descriptions

Service Set Identifier (SSID)

SSID of the Wi-Fi network to be used. In iOS 7.0 and later, this is optional if a DomainName value is provided.

Domain Name

This field can be provided instead of SSID_STR, for Wi-Fi Hotspot 2.0 negotiation. Available in iOS 7.0 and later.

Hidden Network

Besides the SSID, the device uses information such as broadcast type and encryption type to differentiate a network. By default (false), all configured networks are assumed to be open or broadcast. To specify a hidden network, set this to true.

Hot Spot

If true, the network is treated as a hotspot. Available in iOS 7.0 and later.

Enable Service Provider Roaming

If true, allows connection to roaming service providers. Defaults to false. Available in iOS 7.0 and later.

Auto Join

If true, the network is auto-joined. If false, the user has to tap the network name to join it. Available in iOS 5.0 and later.

Displayed Operator Name

The operator name to display when connected to this network. Used only with Wi-Fi Hotspot 2.0 access points. Available in iOS 7.0 and later.

Proxy Setup

Valid values are None, Manual, and Auto. Available in iOS 5.0 and later. If Proxy Setup is set to Manual, the proxy server fields below must also be provided; if it is set to Auto, the PAC fields are used:

  • Proxy Server: The proxy server's network address (server URL or IP address).

  • Proxy Server Port: The proxy server's port.

  • Proxy Username: The username used to authenticate to the proxy server.

  • Proxy Password: The password used to authenticate to the proxy server.

  • Proxy PAC URL: The URL of the PAC file that defines the proxy configuration.

  • Allow Proxy PAC Fallback: If false, prevents the device from connecting directly to the destination when the PAC file is unreachable. Default is false. Available in iOS 7 and later.

Encryption Security Type

If the Encryption Security Type field is set to WEP, WPA, or ANY, the following fields may also be provided:

  • Wi-Fi Password: Password used for encryption security. Absence of a password does not prevent a network from being added to the list of known networks. The user is eventually prompted to provide the password when connecting to that network.

  • EAP Client Configuration: In addition to the standard encryption types, it is possible to specify an enterprise (802.1X) profile for a given network via the EAP Client Configuration key. If present, its value is a dictionary with the keys listed below. The following EAP types are accepted: 13 = TLS, 17 = LEAP, 18 = EAP-SIM, 21 = TTLS, 23 = EAP-AKA, 25 = PEAP, 43 = EAP-FAST.

For EAP-TLS authentication without a network payload, install the necessary identity certificates and have your users select EAP-TLS mode in the 802.1X credentials dialog that appears when they connect to the network. For other EAP types, a network payload is necessary and must specify the correct settings for the network.

  • Username: Unless you enter a user name, this property won't appear in an imported configuration. Users can enter this information by themselves when they authenticate.
  • Password: If not provided, the user will be prompted during login.
  • One Time Password: If checked, the user will be prompted for a password each time they connect to the network.
  • TLS Trusted Server Certificate Names: This is the list of server certificate common names that will be accepted. You can use wildcards to specify the name, such as wpa.*.example.com. If a server presents a certificate that isn't in this list, it won't be trusted. Used alone or in combination with TLSTrustedCertificates, the property allows someone to carefully craft which certificates to trust for the given network, and avoid dynamically trusted certificates.
  • Allow TLS Trust Exceptions: Allows / disallows a dynamic trust decision by the user. The dynamic trust is the certificate dialogue that appears when a certificate isn't trusted. If this is unchecked, the authentication fails if the certificate isn't already trusted.
  • Require TLS Certificate: If checked, allows for two-factor authentication for EAP-TTLS, PEAP or EAP-FAST. If unchecked, allows for zero factor authentication for EAP-TLS. By default this is enabled for EAP-TLS and disabled for other EAP types. Available in iOS 7.0 and later.
  • TTLS Inner Authentication Type: Specifies the inner authentication used by the TTLS module. Possible values are PAP, CHAP, MSCHAP and MSCHAPv2.
  • Outer Identity: This key is only relevant to TTLS, PEAP, and EAP-FAST. It allows the user to hide his or her identity: the user's actual name appears only inside the encrypted tunnel. For example, it could be set to "anonymous", "anon", or "anon@mycompany.net". It can increase security because an attacker can't see the authenticating user's name in the clear.
  • EAP-Fast Support:

    Use existing PAC for EAP-FAST

    Allow PAC Provisioning

    Allow Anonymous PAC Provisioning

These keys are hierarchical. If Use existing PAC for EAP-FAST is unchecked, the other two properties aren't consulted; similarly, if Allow PAC Provisioning is unchecked, Allow Anonymous PAC Provisioning isn't consulted. If Use existing PAC for EAP-FAST is unchecked, authentication proceeds much like PEAP or TTLS: the server proves its identity using a certificate each time. If it is checked, the device uses an existing PAC; otherwise, the server must present its identity using a certificate.

If Allow PAC Provisioning is checked, PAC provisioning is allowed. This attribute must be enabled for EAP-FAST PAC usage to succeed, because there is no other way to provision a PAC.

If Allow Anonymous PAC Provisioning is checked, the device is provisioned anonymously, over a tunnel in which the server is not authenticated. Note that there are known man-in-the-middle attacks for anonymous provisioning; leave it unchecked unless the RADIUS server cannot provision PACs over an authenticated tunnel.

  • Number of expected RANDs for EAP-SIM: Valid values are 2 and 3. Defaults to 3.

  • Certificate Payload UUID: UUID of the certificate payload to use for the identity credential.

Roaming Consortium OIs

Roaming Consortium Organization Identifiers used for Wi-Fi Hotspot 2.0 negotiation. Each identifier requires 6 or 10 hexadecimal characters. Available in iOS 7.0 and later.

Network Access Identifier ( NAI ) Realm Names

List of Network Access Identifier (NAI) realm names used for Wi-Fi Hotspot 2.0 negotiation. Available in iOS 7.0 and later.

Mobile Country Code (MCC) / Mobile Network Code (MNC) Configuration

List of Mobile Country Code (MCC)/Mobile Network Code (MNC) pairs used for Wi-Fi Hotspot 2.0 negotiation. Each string must contain exactly six digits. Available in iOS 7.0 and later.
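The data keys above correspond to Apple's Wi-Fi configuration payload (PayloadType com.apple.wifi.managed), which is what the UEM server ultimately pushes to the device. The following is an added example in Python, not Entgra UEM or WSO2 IoT Server code: it builds such a payload from the fields described in this section, serializes it with the standard-library plistlib, and audits it for the settings that weaken 802.1X or proxy security (dynamic trust exceptions, no server-name or certificate pinning, a tunnelled EAP type without an outer identity, anonymous PAC provisioning, a password stored in the profile, and proxy PAC fallback). The key names are Apple's; the SSIDs, server names, URLs, the com.example identifier prefix and the audit rules themselves are constructed for illustration.

```python
"""Build and audit an Apple Wi-Fi payload for the keys described above.

Added example, not Entgra UEM or WSO2 IoT Server code. The dictionary keys are
Apple's configuration-profile keys; SSIDs, server names, URLs, the identifier
prefix and the audit rules are constructed for illustration.
"""
import plistlib
import uuid

# EAP type numbers as listed under EAP Client Configuration.
EAP_TLS, EAP_LEAP, EAP_SIM, EAP_TTLS, EAP_AKA, EAP_PEAP, EAP_FAST = 13, 17, 18, 21, 23, 25, 43
TUNNELED = {EAP_TTLS, EAP_PEAP, EAP_FAST}  # types for which Outer Identity applies


def wifi_payload(ssid, eap_types, trusted_names=(), allow_trust_exceptions=False,
                 cert_uuid=None, outer_identity=None, user_password=None,
                 anon_pac=False, proxy_pac_url=None, pac_fallback=False,
                 encryption="WPA"):
    """Return one Wi-Fi payload as the dictionary a .mobileconfig would carry."""
    eap = {
        "AcceptEAPTypes": list(eap_types),
        "TLSAllowTrustExceptions": allow_trust_exceptions,  # Allow TLS Trust Exceptions
        "TLSTrustedServerNames": list(trusted_names),       # TLS Trusted Server Certificate Names
    }
    if cert_uuid:                       # Certificate Payload UUID + Require TLS Certificate
        eap["PayloadCertificateUUID"] = cert_uuid
        eap["TLSCertificateIsRequired"] = True
    if outer_identity:
        eap["OuterIdentity"] = outer_identity
    if user_password:
        eap["UserPassword"] = user_password  # lands in the profile in clear text
    if EAP_FAST in eap_types:           # the three hierarchical EAP-FAST keys
        eap["EAPFASTUsePAC"] = True
        eap["EAPFASTProvisionPAC"] = True
        eap["EAPFASTProvisionPACAnonymously"] = anon_pac
    payload = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.wifi." + ssid,  # assumed identifier prefix
        "PayloadUUID": str(uuid.uuid4()),
        "SSID_STR": ssid,
        "HIDDEN_NETWORK": False,
        "AutoJoin": True,
        "EncryptionType": encryption,
        "EAPClientConfiguration": eap,
    }
    if proxy_pac_url:                   # Proxy Setup = Auto uses the PAC URL
        payload["ProxyType"] = "Auto"
        payload["ProxyPACURL"] = proxy_pac_url
        payload["ProxyPACFallbackAllowed"] = pac_fallback
    return payload


def audit_wifi_payload(payload):
    """Return the names of settings that weaken 802.1X or proxy security."""
    findings = []
    if payload.get("EncryptionType") in ("WEP", "Any", "ANY"):
        findings.append("weak-encryption-type")
    eap = payload.get("EAPClientConfiguration", {})
    types = set(eap.get("AcceptEAPTypes", []))
    # A missing TLSAllowTrustExceptions key is treated as true (the platform default):
    # the user can click through the dialogue and accept a rogue RADIUS server's certificate.
    if types and eap.get("TLSAllowTrustExceptions", True):
        findings.append("tls-trust-exceptions-allowed")
    if types and not eap.get("TLSTrustedServerNames") and not eap.get("TLSTrustedCertificates"):
        findings.append("no-server-identity-pinning")
    if types & TUNNELED and not eap.get("OuterIdentity"):
        findings.append("username-visible-outside-tunnel")
    if eap.get("EAPFASTProvisionPACAnonymously"):
        findings.append("anonymous-pac-provisioning")    # known MITM exposure
    if "UserPassword" in eap:
        findings.append("static-password-in-profile")
    if payload.get("ProxyType") == "Auto" and payload.get("ProxyPACFallbackAllowed"):
        findings.append("proxy-pac-fallback-allowed")    # direct connection if PAC unreachable
    return findings


def to_plist(payload):
    """Serialize the payload as XML plist bytes and check that it round-trips."""
    data = plistlib.dumps(payload)
    assert plistlib.loads(data) == payload
    return data


if __name__ == "__main__":
    guest = wifi_payload("corp-guest", [EAP_PEAP], allow_trust_exceptions=True,
                         user_password="hunter2", encryption="Any")
    print("guest:", audit_wifi_payload(guest))
    corp = wifi_payload("corp", [EAP_TLS], trusted_names=["radius*.corp.example.com"],
                        cert_uuid=str(uuid.uuid4()))
    print("corp:", audit_wifi_payload(corp))
    print(to_plist(corp).decode()[:120], "...")
```

Run the file directly to see both audits. A payload like `corp` (EAP-TLS with a pinned server name, a certificate identity and no trust exceptions) is the shape to push from the UEM; the guest profile shows how leaving the defaults in place lets a rogue access point with its own RADIUS server present any certificate and collect credentials.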

NOTE Refer to Publish policy for instructions on how to publish an applied policy on an iOS device.