Is there a way to password protect the base MDM profile for iOS devices? Thanks!
Unfortunately this is a right pain as it makes the whole MDM solution null and void, as the user has ultimate "Control". Not Sophos Mobile "Control".
However I completely understand that this is Apple's decision to not lock down the removal of MDM profiles.
I imagine this is a safeguard to stop iDevices from being "owned" by anyone other than Apple.
However Apple do need to allow legitimate MDM solution providers more hooks into the control of the iDevices; as a simple removal of the SMC iDevice app and the MDM profile, and the phone is lost forever!
After all, if it's a company owned device, then the company should have control over their own assets. Not Apple!
I think this is why other MDM solution providers have gone down the route of sandboxing their apps, only allowing the retrieval of the emails via their app, and also hooking the MDM controls into the same app.
This way the app always needs to remain open and active if the user wants their corporate emails, unlike the SMC iDevice app, which can be forcibly quit from the app switcher: http://support.apple.com/kb/HT5137. Thus losing the following functionality:
- display messages sent by the SMC server
- display the compliance status
- show the "Enterprise app store"
- use the location services to send the location to the SMC server
- check the jailbreak status
Regards,
John