SMC 6: Auto-enrolled iPads and Control App

Hi All,

at the moment it is not possible to automatically configure the SMC app when it is distributed to an iOS device. The developmen team currently looks into that and check if that can be realized somehow.

However, within the Apple DEP profile, you have the option "Install SMC Client" option to directly install the SMC app during enrollment.
See attached Screenshot.

If you enable this option, the SMC app should be installed directly during the enrollment.

Best regards
Stefan

Hi,

well, it's not the point to get the SMC app installed, that can be done there or with a compliance triggered task. The next step - configuring the SMC app - is the point. An automated configuration of the SMC app during the installation process of the iPad would be a really hot feature and save me some hours of work when I have to reconfigure my pool-iPads.

Cheers

/Detlef

Ja Gott, is halt International hier ;-). Also ohne VPP geht ja bei Apple bald nix mehr im MDM-Umfeld und ich habe hier 200 Pool-iPads, auf denen keine User angemeldet werden sollen. Das ging im übrigen auch alles wunderbar bis iOS 9.3, glaube ich. Ab da hat Apple einiges geändert, glaube ich. Dann kam noch der Wechsel von Apple Configurator auf den Apple Configurator 2 vorher, dieses ganze MDM-Thema ist ein furchtbares Kuddelmuddel.

Schönen Feierabend

/Detlef

Good Morning,

well, everything's working fine now after I deleted some old attempts to get everything up and running. My actual setup:

- 30 Tablets are in 1 Tablet-Carts connected to my MacBook with Apple Configurator 2

- Preconfiguration of tablets with most actual iOS (9.3.2), Certificate-Profile and WiFi-Profile

- Setting of iPad-Names with AC2

- Taking the iPads out of the cart 1 by 1 and then slide, Germany, German, confirm Wifi, Get Configuration OTA, Control App appears (it's magic)

- Open Control-App on the iPad, it's linked to the SMC, yes! Then some yes, allow, yes, ... and some minutes later I do have 3 blue check marks for the iPad in my SMC.

This requires the engineers victory dance!

Ich habe fertig.

Cheers

/Detlef

Well ok, 

I was trying to test your *plan with native options via the sophos mdm. It means without Apple Configurator, cause we do not have any mac pc :D

I was trying and trying but without doing any action on the iPad itself , no automatic enrollment was possible. I read an articel that this would be possible with the AC2 but like I said, we do not have any MAC so I was not possible to test this as well. 

But nice to hear that it now works!

-franz

There is still one last thing that does not work for me: When I take a new iPad that has never been rolled out to the SMC via the DEP of apple, the installation of the control-app fails because a license for the control-app can only be checked out for managed devices. So I have to install the new iPad without assigning the control-app. Then it's managed and I can go to the app, edit, VPP-Licenses and here i can give a license to this new iPad. This license is persistent. Now I can delete the iPad and reattach it to the SMC-Server. Meanwhile I changed to DEP-Profile to install the control-app and NOW it works without problems.

So in short words:

I need to assign a license for the control app to the new iPad before it get's contact to the smc-server with a DEP-Profile that tries to install the control app. How-to?

Cheers

/Detlef (who had a long day configuring iPads and understanding this problem)

Please vote for:

http://feature.astaro.com/forums/143212-sophos-mobile-solutions/suggestions/14819568-implement-automatic-license-checkout-from-vpp-for

Sophos Support wants this to be a feature-request, well, here it is. So if YOU want to use automated iPad-Rollout with automated Control-App-configuration, give me your votes.

Cheers

/Detlef

Hi All,

there soon will be a patch available introducing some improvements regarding the DEP enrollment and VPP license assignment.
With this patch, the SMC server will automatically assign a VPP license to a VPP user or an iOS device if an installation task for a VPP app is sent to a device.

There will be an option within the VPP tab where you can decide if you want to use the automatic license assignment based on the VPP user or on a device base.

This will hopefully solve SMC client installation and configuration issue.

It is planned to release the patch within the upcoming weeks.

Best regards
Stefan

Hi SDU, 

Do we have any time scale on when this is likely to be released? This feature is desperately needed!

Thanks, 

Adam

Hi Adam,

testing of the patch is ongoing.
If everything runs through smoothly we can release it next week.

I'll answer to that post, once the patch is available. Most likely a News item will also be sent to all SMC 6.1 servers.

Best regards
Stefan

Hi All,

the patch is now available for download on sophos.com.
After you have installed it, you have a new option within the "Apple VPP" tab called "Automatically assign VPP apps on installation"

There, you can decide if you want to assign a device license or a user license.

Additional information about the patch can be found in this knowledgebase article.

Best regards
Stefan

Hi SDU, 

I've just got round to testing this patch, and i can see the option to 'Automatically assign VPP apps on installation' and that's set to assign it to the device, however I've just set up a new device through DEP and it has failed to assign any license to it.

Am i missing something out?

Cheers, 

Adam

Hi SDU, 

I've just got round to testing this patch, and i can see the option to 'Automatically assign VPP apps on installation' and that's set to assign it to the device, however I've just set up a new device through DEP and it has failed to assign any license to it.

Am i missing something out?

Cheers, 

Adam

HI All,

This is a feature I have been waiting for and really needed!   I have been able to install VPP apps without assigning licences on iOS 9.3.4 devices, However ....

For a new device the initial Sophos Mobile Control install fails as it prompts to sign into iTunes. Any device that has previously had a Sophos Control licence assigned does install correctly and automatically setup completes ok.

Could it be that Sophos cant "automatically" assign a licence to a device that has not yet completed the app enrolment? I notice you cant manually assign a licence until you have a device fully enrolled so I guess that makes sense?

Unfortunately I may have to unbox 250 phones, update to iOS 9.3.4, assign Sophos control licence via AC2 then hand back to the support teams to continue setup.

Saying that after cancelling the iTunes install message on some 9.3.2 devices it has actually installed the app ok. I have also seen this behaviour on app installs for devices that are already setup which suggests it could just be an intermittent fault?  I have the Sophos Control app set to install via the DEP profile and again at the end of a compliance rule.

Cheers

Andrew