Password Protect Base MDM profile

Is there a way to password protect the base MDM profile for IOS devices?  Thanks!


This thread was automatically locked due to age.
  • Hi Moltron5k,

    unfortunately, there is no possibility to password protect the MDM profile.
    According to Apple, an MDM profile may not contain password protection and must always be removable.
    As we stick to the functionality provided by Apple, there is no way as of now to prevent the user from uninstalling the MDM profile.

    Best regards

    Stefan

  • Is there still no way to password protect the MDM file? IMHO it makes no sense to let the user decide whether to delete the MDM base profile or not... and... if you remove the base MDM, all the other profiles are removed, too.

  • Hi All,

    just some additional information on this.

    Within iOS 7, Apple still does not allow protecting an MDM profile with a password. It still has to be removable.

    Even if a device is in the so-called 'supervised mode', which can be set up with the Apple Configurator, it is not possible to prevent the uninstallation of the MDM profile.

    This is still a limitation defined by Apple.

    Best regards

    Stefan

  • Unfortunately this is a right pain, as it makes the whole MDM solution null and void, as the user has ultimate "Control". Not Sophos Mobile "Control".

    However I completely understand that this is Apple's decision to not lock down the removal of MDM profiles.

    I imagine this is a safeguard to stop iDevices from being "owned" by anyone other than Apple.

    However Apple do need to allow legitimate MDM solution providers more hooks into the control of the iDevices; as a simple removal of the SMC iDevice app and the MDM profile, and the phone is lost forever!

    After all, if it's a company-owned device, then the company should have control over their own assets. Not Apple!

    I think this is why other MDM solution providers have gone down the route of sandboxing their apps, only allowing the retrieval of emails via their app, and also hooking the MDM controls into the same app.

    This way the app always needs to remain open and active if the user wants their corporate emails, unlike the SMC iDevice app, which can be forcibly quit from the app switcher: http://support.apple.com/kb/HT5137. Thus losing the following functionality:

    - display messages sent by the SMC server
    - display the compliance status
    - show the "Enterprise app store"
    - use the location services to send the location to the SMC server
    - check the jailbreak status

    Regards,

    John