We use MobileIron with on-prem Exchange but are now looking to move some of our users to Office 365. I would like to avoid using a Sentry if possible (i.e. have the user devices go to Office 365 for email etc. directly rather than via the extra hop of a Sentry) but at the same time I want to restrict such access to just company managed devices. Via Conditional Access policies I see that one can set access to be only from devices marked as compliant, but from what I see this is a flag only Intune can set. Is there a way of setting a device as compliant via something like MobileIron?
I am interested in hearing any other suggestions or experiences from others who've had to do something similar. We have a mix of iOS and Android devices all currently managed via MobileIron on-prem. Even if the workaround for now is to manually mark devices as compliant via Graph API or PowerShell that'll do too.
Based on Require device to be marked as compliant document, this option requires a device to be registered with Azure AD, and also to be marked as compliant by:
Intune
A third-party mobile device management (MDM) system that manages
Windows 10 devices via Azure AD integration. Third-party MDM systems
for device OS types other than Windows 10 are not supported.
So currently, iOS and Android devices are not supported.
BTW, Graph API or PowerShell configurations should be the same with what can be done on Azure portal.
Conditional Access Policies already allow non-windows OS devices. Use the filter to include "Trust Type" then select AD Registered or AD Joined as Device needed for non windows and windows devices. Then do a negative operator to say Block all access, UNLESS the Trust type is above. It works, we use it successfully. You just have to AD register your devices, Microsoft has notes on how to AD register devices.
Related
Goal
We want to use Intune MDM to create kiosk devices with multiple applications. To set up the devices, we use Autopilot with a SelfDeployment profile. The device will be assigned a Kiosk profile with auto-enrollment enabled.
Problem
Setting up the devices works without any problems and also new apps or changes are synchronized, but we do not get any feedback in intune if changes were successful or not. So to speak, there is only a one-sided synchronization.
For example, we can successfully update an application after a successful setup, but Intune always shows us the old version.
We know that the autostart function creates a local user and logs in with it and logically this user cannot synchronize. But is this intentional or are we missing something here?
If you guys need any information, please let me know.
We have an App which is intended to run on a LAN reading a company's own feed and producing local reports with it.
In order to do this I need to enable read_stream but I note that this is not possible without submitting an App for Review.
However in order to do this I need to choose a platform. I am only able to choose between ios/andrioid/Windows App/App on Facebook/Website/Page Tab/XBox/Playstation
A Windows Server is none of these. I looked at Windows App, but this is asking for a Windows Store ID - we do not particularly want to put this in the Windows Store. We just need to turn on read_stream.
Also, I see that the Review Submission requires a minimum of 4 screen shots. This seems a bizarre thing to have to provide for a Windows Service.
Any ideas how I can navigate all this red tape ?
My client needs to find a way to automatically push app updates to a number of iphone 3gs devices remotely. These devices will be in guided access mode so the users will only be able to access the app in question.
I believe we have two option for distribution:
B2B custom app via the Volume Purchase Program
In-house app released with the Apple Enterprise Program
Having researched our options I can see that over the air app updates can be achieved by either:
Building an in-app update functionality to check for new updates (Enterprise only I am guessing?) and automatically update and restart the app
Using an MDM such as http://www.air-watch.com/ (as I understand Apple Configurator must have devices plugged in via USB to work?)
I am wondering if anyone can tell me whether either of those options are possible with the devices being in guided access mode?
Or are there any other solutions, which I have missed, that can automatically manage the app remotely while the device is in guided access mode?
You can solve this with an Enterprise distributed app.
App only. Update check for an OTA-Update from your app when the app is coming to the foreground (or some other metric at your clients leisure, like added time delay, etc). Basically self explanatory; you implement a call to your clients/your API to check the version and inform the user of a new one. The update can either be optional or mandatory (preferably announced by the API and changed when needed); present the user with an alert about it. The user acts upon it and you OTA install via an ITMS link provided by your API call. And that's it.
MDM. Tbh, I'm a bit on shaky ground here. Theoretically this is all possible via MDM too, however I am not sure if it is the (varying) MDM solutions or some misconfigurations, but clients usually seem to lose control after some time.
Both. Yes, you can perfectly well live with both. MDM while everything is fine, and as a backup a well structured App+API mechanism to push the OTA updates out. This is especially useful if you have customers where some departments are under MDM and others are not. So, some may get it via MDM (and if all else fails via the App itself), the rest will get it via the App.
The tradeoffs are a matter of personal preference, if there is a fully working MDM solution in place the update will be pushed out and the user however 'malicious' can do nothing against it. But the same is true for the 'App only' solution, as you have the option to not let him use the app if he does not update (either by not providing a cancel button or, as you are in an enterprise environment and there it is allowed doing an exit(0)).
From experience I prefer any solution that has the 'App only' option as it is the last fallback if anything on client side fails. Whatever may be added on top is just sugar to the cake.
While not strictly relevant, the 'App only' solution always goes well with Push Notifications when an update came out.
How can we distribute iOS build, which is built by using Enterprise Account? Is there any possible to distribute via testflight account? Any help much appreciate.
Thanks!
There's a couple of different ways to do this. Once you've got a .ipa file for the app, you can:
Distribute via iTunes, if your employees can sync their iOS devices with their laptops (Apple Docs)
By using the iOS Configuration utility, though this means you have to physically have the device (Apple docs)
Over-the-air (iOS 4+), using an app store. You can do this through TestFlight, but the license restrictions on the Enterprise agreement don't go well with this kind of deployment. You'll need to either create and secure your own app store (like I've done for my employer) or use a third party service. Have a Google around for some good ones. There's plenty of documentation on how to do the deployment here
Some MDM suppliers like MobileIron have app stores available. Some will even allow you to push apps onto enterprise devices (iOS 5+) without any need for human intervention.
Other options are via email or putting it on the web for download (suggest you would want a website with a login to access it).
i want to create an application which will not launch in AppStore but all my clients can install my application in their devices. the problem is that i do not have all my clients devices UDID. how they can insert my application because i can't create Ad Hoc since i do not have all my clients UDID and i do not want to create an App Store binary.
Please tell me this is possible or not.?
Use InHouse distribution, see
https://developer.apple.com/programs/ios/enterprise/
and
http://www.apple.com/iphone/business/apps/in-house/
In short, you'll need an Enterprise account. With it, you can create inhouse-distributions that work the same as ad-hoc (i.e. you can distribute them directly or via Over-the-air), except that you don't need to specify UDIDs.
However, since this is a major security "flaw" you have to make sure that everyone who downloads/gets this app is properly authenticated one way or another.
Important: If your clients are not members or subcompanies of your company, I'd check the legal status of using InHouse distribution for this. I'm not sure myself.
If you can turn your app into a web app, then yes you can do it.
But assuming you are talking about a native iOS app, and you don't want to require clients to jailbreak their phones, then no, Apple have a single distribution channel and that's the App Store.
If your clients are 'internal' clients, ie you want to distribute within your own organisation, then the enterprise program is an option for you;
https://developer.apple.com/programs/ios/enterprise/
If your clients are large, and want to buy in volume and then re-distribute internally, another option may be the custom B2B program;
http://www.apple.com/business/vpp/