
Managing enterprise iOS devices with OS X Server and distributing applications within the company



Sooner or later, in a good part of large companies, the question of developing an internal corporate mobile application arises. IT specialists then have two scenarios to work out: installing applications on employees' personal devices, and handing out company-owned devices on which employees perform specific tasks. This article discusses working with iOS devices through OS X Server.


Introduction


Today, if you wish, you can easily find information in English on setting up OS X Server, MDM solutions and so on, and in general the configuration is not complicated. This article is addressed to people in the Russian-speaking segment who have encountered this task for the first time and want to understand what awaits them and how difficult and frightening it all is.
The material presented here was compiled as a brief guide to action and, being no longer needed, was sent straight to the Trash, but before I clicked "Empty Trash" I thought it might be useful to someone else who is not familiar with this topic.
So I ask a certain category of commentators to be lenient.


Formulation of the problem



So, let's define the tasks that the company (or the customer) has set for us.

We have two independent directions of mobile development:


A quick primer



Although these two areas are different, they have something in common, namely distributing applications within the company, i.e. the Apple Developer Enterprise Program. To an unprepared developer it may seem to be simply the registration of the developer company as a legal entity with some enterprise perks. Unfortunately, the essence of the program is different: by joining it you gain the ability to distribute iOS applications bypassing the App Store, but lose the ability to publish in the official App Store. (An application signed with an enterprise certificate installs on any device with no device-list limit, which is exactly why Apple restricts the program to in-house use and revokes enterprise certificates that leak or are used for public distribution; treat the signing key as a crown jewel.)

Let's now look at the distribution of corporate mobile applications a little more broadly, and not only through Apple's eyes. There are three major players on the market today: Google, Apple and Microsoft.
Here is how each of these companies treats distribution of applications that bypass its store.

Google
It's simple: Android is an open operating system. Build an application package (*.apk) and then do whatever you want with it. The one-time fee for the Google Play Developer Program is needed only to publish in Google Play; installing an APK from your own server ("sideloading") requires no registration at all, only that the user allows installation from unknown sources.

Microsoft
Two programs. For publishing in the official store, a small one-time fee. To distribute bypassing the store, you must buy a special certificate once a year, Enterprise Mobile Code Signing, with which your applications are signed. Roughly speaking, it is a VIP pass for the application: "I can be let in through the back door".

Apple
Cupertino, in turn, sees mobile application distribution as follows.
For publishing in the official App Store there is the Apple Developer Program, in which both individuals and legal entities can participate at the same price. If you need to distribute applications only within the company, i.e. not to everyone, Apple offers the Apple Developer Enterprise Program, but with it you cannot publish applications in the App Store.
But what if you need both scenarios? Or if a legal entity cannot be registered yet, you have only just started a prototype, and you can register only an individual, i.e. a single developer?
In that case the classic Apple Developer Program allows installing applications directly on up to 100 devices per device type (iPhone, iPad and so on) per membership year, registered in the developer console. Officially this is called Ad Hoc distribution, i.e. distribution for testing purposes; the exported .ipa carries a provisioning profile listing those device UDIDs and will not install on any other device.
Strangely enough, this often solves a whole layer of problems at the initial stages, and we will talk about it in this article.

Great, we have a prototype of a mobile application, a developer account in the Apple Developer Program and a great desire to solve the problem.

We now turn to the model for managing iOS devices. If you have used an iPhone or iPad, you have probably heard of a thing called a Profile. No, not the user profile from SharePoint, but a configuration profile that describes device settings and permissions, for example access to iOS beta versions. The whole Apple management world revolves around it: installing applications, limiting device capabilities, configuring devices, and so on. As you have probably guessed, we will be managing these profiles: on some devices voluntarily, on others by force.


Apple Configurator 2



To distribute iOS applications in a corporate environment, two tools are needed (both from the App Store):
  • Apple Configurator 2;
  • OS X Server (its Profile Manager service).

Both tools can manage profiles, but only a profile installed by Apple Configurator 2 on a supervised device can be made impossible for the user to delete (or deletable only with a removal passcode). In other words, everything stays under control.

OS X Server, or rather the Profile Manager that is part of it, is required for remote configuration of profiles, since Apple Configurator 2 works only over a USB cable.

So that the scheme is clear: profiles (in essence, configuration files that travel back and forth) are what installs applications and configures devices remotely. Apple Configurator 2 ensures that a profile set with it cannot be deleted by the user, and Profile Manager in OS X Server allows the installed profiles to be configured remotely. As a first approximation, the picture is as follows.

Now that you have collected your thoughts, it remains to add a couple of missing pieces to the puzzle. Besides profiles there is another link in the mechanism, called supervision, which Apple Configurator 2 provides. It consists of erasing the device to factory settings, hard-wiring it to use your Profile Manager (the MDM server), and forbidding the user to erase the device or remove the management. Configurator can also take and restore device backups.

And one last thing: you have probably already wondered how ordinary employees can get corporate applications without all these terrible erasures and configurations. For them, Profile Manager provides a website, called MyDevices by default, from which they can download a profile that automatically installs the necessary applications on their smartphone. Yes, it is that simple for ordinary employees.

OK, back to Apple Configurator 2.
This is how it looks in the App Store:


We list its main features again:


A new word, Blueprint, has appeared in this list, and we still have not understood exactly what restrictions we can set through Profiles. Let's talk about it.


Profiles in Apple Configurator 2



Profiles are used to set the required parameters and restrictions on the device.

For example, a single profile can set:

Multiple profiles can be installed on one device.

The settings available through a profile:
  • General (profile name, organization, description, removal policy)
  • Lock screen passcode policy
  • Restrictions on device functionality (camera, screenshots, iCloud backup, Siri, and so on)
  • Application restrictions (which built-in and third-party apps may run)
  • Media content restrictions (age ratings for music, films and apps)
  • Global HTTP proxy settings
  • List of allowed websites (content filter)
  • Managed domains (which web and mail domains count as corporate)
  • Wi-Fi access
  • VPN settings
  • AirPlay settings
  • AirPrint settings
  • Email account settings
  • Exchange ActiveSync settings
  • LDAP settings
  • Calendar synchronization (CalDAV)
  • Contact synchronization (CardDAV)
  • Subscribed calendars
  • Web clips (home screen icons that open a website)
  • Fonts
  • Certificates
  • SCEP server settings (automatic certificate enrollment)
  • APN settings for cellular data






Blueprints in Apple Configurator 2



Blueprints are quick “images” of desired settings and applications that can be applied to a connected device in one click.

Working with Blueprints, step by step:
  1. Create a blueprint.
  2. Select the device type.
  3. Add the required enterprise applications to the blueprint (the *.ipa application package).
  4. Add the profiles.



Well, I hope you now have a general idea of the basic configuration tools for iOS devices. It is time to move on to more advanced and, accordingly, paid tools.


Apple OS X Server



OS X Server is an application that, until 2014, came pre-installed on the server versions of the Mac mini. It is now distributed as a separate application through the App Store and can be installed on any Mac.
It is a set of services for maintaining a fleet of Apple devices and for remotely managing iOS and OS X devices.
This is how it looks in the App Store:


Key features:



Integrating OS X Server with Active Directory



Of course, I could not pass over Active Directory, since we work in the corporate segment, and at least a few words must be said on this topic. Like Microsoft, Apple has its own directory service, Open Directory, which is not conceptually different from Active Directory.
For integration with Active Directory a "binding" mechanism is used. It is configured quite simply, but it is not rock-solid: different combinations of Windows Server and OS X Server versions behave differently, and the binding can be lost.

Configuring synchronization with Active Directory

















Great, now you are aware of all the basic terms and principles. We can start setting up mechanisms for distributing applications within the company and configuring iOS devices.


Algorithm of actions for setting up the infrastructure for configuring iOS devices and distributing applications



1. Install Apple Configurator 2 from the AppStore.

2. Install Apple OS X Server from the AppStore.

3. Create a profile with Wi-Fi settings for the iOS device in Apple Configurator 2, if employees need to use a private corporate network whose password we do not want to give them. Keep in mind that the password is stored inside the profile: the user cannot read it on the device, but anyone who obtains the .mobileconfig file can read it in clear text (a profile is an XML property list), so never hand out the file itself, and consider a separate SSID or 802.1X with certificates for anything sensitive.
Read more


Specify the password that must be entered to delete the profile. This is one of the options; removal can also be prohibited entirely.
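To make the profile concept concrete, here is an added example in Python (not code from the article, Apple Configurator or OS X Server) that builds a .mobileconfig like the one from this step with the standard library's plistlib and then audits such a file the way you would before handing it to a device: which payload types it contains, whether a Wi-Fi pre-shared key sits in it in clear text, and whether the user can remove it. The PayloadType names are Apple's; the organization, identifier prefix, SSID, password and removal passcode are constructed sample values.

```python
"""Build and audit an iOS configuration profile (.mobileconfig).

Added example for this article, not code from Apple Configurator, OS X Server
or the original post. A .mobileconfig is an XML property list: a top-level
"Configuration" payload whose PayloadContent array holds one dict per
setting group. PayloadType values are Apple's; everything else is sample data.
"""
import plistlib
import uuid
from typing import Optional

ORG = "Example Corp"          # assumed organization name
PREFIX = "com.example.mdm"    # assumed reverse-DNS identifier prefix


def payload(payload_type: str, name: str, **settings) -> dict:
    """Keys every payload dict needs, merged with the payload-specific ones."""
    base = {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{PREFIX}.{name.lower().replace(' ', '-')}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
    }
    base.update(settings)
    return base


def build_profile(ssid: str, psk: str, removal_passcode: Optional[str],
                  removal_disallowed: bool) -> bytes:
    """XML plist bytes of a profile with Wi-Fi, passcode policy and restrictions."""
    payloads = [
        # Wi-Fi: the PSK is stored in the profile in clear text. The user never
        # sees it in Settings, but anyone holding this file can read it.
        payload("com.apple.wifi.managed", "Corporate Wi-Fi",
                SSID_STR=ssid, Password=psk, EncryptionType="WPA2",
                AutoJoin=True, HIDDEN_NETWORK=False),
        # Lock-screen passcode policy.
        payload("com.apple.mobiledevice.passwordpolicy", "Passcode",
                forcePIN=True, minLength=6, maxFailedAttempts=10,
                maxInactivity=5),
        # Device restrictions: no iCloud backup of corporate data, no screenshots.
        payload("com.apple.applicationaccess", "Restrictions",
                allowCloudBackup=False, allowScreenShot=False),
    ]
    if removal_passcode is not None:
        # A removal passcode is itself a payload inside PayloadContent.
        payloads.append(payload("com.apple.profileRemovalPassword",
                                "Removal Passcode",
                                RemovalPassword=removal_passcode))
    top = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{PREFIX}.base",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Corporate base profile",
        "PayloadOrganization": ORG,
        # True: the user cannot remove the profile at all (honoured for
        # supervised/MDM-installed profiles); False: removable, optionally
        # only after entering the removal passcode above.
        "PayloadRemovalDisallowed": removal_disallowed,
        "PayloadContent": payloads,
    }
    return plistlib.dumps(top)


def audit_profile(data: bytes) -> dict:
    """Security-relevant summary of a plain (unsigned) .mobileconfig: payload
    types, whether a Wi-Fi PSK is embedded in clear, and how the profile
    protects itself against removal by the user."""
    top = plistlib.loads(data)
    by_type = {}
    for p in top.get("PayloadContent", []):
        by_type.setdefault(p.get("PayloadType", "?"), []).append(p)
    wifi = by_type.get("com.apple.wifi.managed", [])
    return {
        "payload_types": sorted(by_type),
        "wifi_psk_in_clear": any("Password" in p for p in wifi),
        "removal_disallowed": bool(top.get("PayloadRemovalDisallowed", False)),
        "has_removal_passcode": "com.apple.profileRemovalPassword" in by_type,
    }


if __name__ == "__main__":
    blob = build_profile("CorpNet", "s3cret-psk", "4321", removal_disallowed=False)
    print(audit_profile(blob))
```

A profile exported from Apple Configurator 2 can be audited the same way with `audit_profile(open("base.mobileconfig", "rb").read())`. If the file was signed, it is a CMS/DER blob rather than bare XML and plistlib will reject it; strip the signature first, for example with `openssl smime -verify -noverify -inform DER -in signed.mobileconfig -out plain.mobileconfig`.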








4. Let's go to configure OS X Server. Set the host name, accessibility from networks and remote access settings. This is the initial configuration of our server.
Read more













5. Configure Open Directory in OS X Server, which will store the users.
Read more







6. Create users in OS X Server, or synchronize the server with Active Directory. We will need an additional administrator and an ordinary user (an employee).
Read more









7. Create user groups (by teams / departments / divisions) and distribute users to these groups in OS X Server. We will need this to configure device groups.
Read more













8. Enable Apple Push Notifications in OS X Server.
Read more
Enabling Apple Push Notifications is necessary for managing devices over the Internet. Note what the push actually does: the APNs notification is only a wake-up signal and carries no command. The device then connects to the OS X Server over HTTPS and fetches the pending commands itself. So the devices must be able to reach APNs (TCP port 5223), the server must be able to reach Apple's push gateway (TCP 2195 and 2196), and the devices must be able to reach the server's Profile Manager service (HTTPS, plus TCP 1640 for device enrollment), including from outside the corporate network if that is intended.



Here we already need the Apple ID of our developer account with an active Apple Developer Program membership.






9. Set up contact synchronization in OS X Server. This is optional if you do not plan to maintain a general list of contacts between employees.
Read more





10. Now the most interesting part. Configure Profile Manager in OS X Server.
Read more

Mobile Device Management Server

Profile Manager allows you to centrally administer and manage enrolled devices running OS X 10.7 or later or iOS 4 or later.

It should be noted that Apple exposes the same device management protocol (the MDM API) to third-party MDM vendors, so that their products can manage Apple devices as well.

Typically these mobile device management (MDM) systems offer more customization options.
For settings and commands initiated by the server, the software needs a push service. OS X Server includes a push server that talks to the Apple Push Notification Service (APNS); third-party MDM products do the same with their own APNs push certificate, because an iOS device only accepts MDM commands from a server that can wake it via APNs. The push wakes the device; the device then downloads the commands from the MDM server, whether configuration changes, software installation or, in urgent cases, locking a stolen device or wiping its data.

If you plan to manage only Apple devices and have no special requirements, Profile Manager is the best solution in terms of cost and functionality. Its push server delivers corporate settings and software centrally, and the Apple Push Notification Service (APNS) is what lets policies reach devices even outside the perimeter of the corporate network.

Profile Manager Algorithm























11. In Profile Manager in OS X Server, enable enrollment of the iOS devices prepared in Apple Configurator 2.
Read more









12. Through Profile Manager in OS X Server, set restrictions for the user (better, for the user group) on his iOS device.
Read more



















13. Time to work with a physical device. We put an iOS device into Supervised mode via Apple Configurator 2, with settings accepted from the remote Mobile Device Management (MDM) server, which in our case is OS X Server. Note that supervising erases the device.
Read more




















After the reboot (before the welcome screen is completed), the iOS device receives from Apple Configurator 2 the profile created earlier with the Wi-Fi settings and a description of the device.









Go through the welcome screens on the iOS device now in Supervised mode and log in as the user created in OS X Server.


















14. Add all iOS devices to the Apple developer account.
Read more
To add an iOS device to the developer account we need its unique identifier, the UDID. It can be obtained in three ways:
  • in iTunes;
  • in Apple Configurator 2;
  • programmatically, through an over-the-air configuration profile that asks the device to report it.

We will use the second option, since we are working with Apple Configurator 2 at the moment.
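The third option is worth a closer look, because it is how a self-service portal learns a device's UDID without any cable. Here is an added example in Python, not code from the article or from OS X Server. It follows Apple's over-the-air profile delivery mechanism, in which the server hands the device a "Profile Service" profile listing the attributes it wants and the device answers by POSTing a signed plist of those attributes to the URL in the profile. The endpoint URL, organization, challenge handling and the sample device response are assumptions constructed for the example; the CMS signature that wraps a real response is assumed to have been stripped already (a real server verifies it against Apple's device certificate chain before trusting the contents).

```python
"""Ask an iOS device for its UDID with an over-the-air 'Profile Service' profile.

Added example, not code from the original article or OS X Server. Keys follow
Apple's over-the-air profile delivery mechanism; URL, organization and the
sample device response are constructed for the example. The real response is
CMS-signed by the device; here it is assumed to be already unwrapped.
"""
import plistlib
import re
import secrets
import uuid

ENROLL_URL = "https://mdm.example.com/udid"   # assumed HTTPS endpoint
ORG = "Example Corp"                          # assumed organization

# UDID formats: 40 hex chars on older devices, or 8 hex, a dash and 16 hex on
# devices introduced since 2018 (e.g. 00008030-000A1B2C3D4E5F60).
UDID_RE = re.compile(r"^(?:[0-9A-Fa-f]{40}|[0-9A-Fa-f]{8}-[0-9A-Fa-f]{16})$")


def new_challenge() -> str:
    """Per-request random value; it ties a response to the request that asked."""
    return secrets.token_hex(16)


def build_udid_request(challenge: str) -> bytes:
    """The 'Profile Service' profile the portal serves to the device."""
    profile = {
        "PayloadType": "Profile Service",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm.udid-request",   # assumed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"{ORG} device registration",
        "PayloadDescription": "Reports this device's identifiers to the corporate server.",
        "PayloadOrganization": ORG,
        "PayloadContent": {
            "URL": ENROLL_URL,
            "DeviceAttributes": ["UDID", "VERSION", "PRODUCT", "SERIAL"],
            "Challenge": challenge,
        },
    }
    return plistlib.dumps(profile)


def parse_udid_response(body: bytes, expected_challenge: str) -> dict:
    """Validate the plist the device POSTs back. Raises ValueError if the
    challenge does not match (stale or forged) or the UDID is malformed."""
    attrs = plistlib.loads(body)
    got = str(attrs.get("CHALLENGE", ""))
    if not secrets.compare_digest(got.encode(), expected_challenge.encode()):
        raise ValueError("challenge mismatch")
    udid = str(attrs.get("UDID", ""))
    if not UDID_RE.match(udid):
        raise ValueError(f"malformed UDID: {udid!r}")
    return {
        "udid": udid.upper(),
        "product": attrs.get("PRODUCT"),
        "version": attrs.get("VERSION"),
        "serial": attrs.get("SERIAL"),
    }


def sample_device_response(challenge: str) -> bytes:
    """Constructed stand-in for a device's (unwrapped) response plist."""
    return plistlib.dumps({
        "UDID": "00008030-000a1b2c3d4e5f60",
        "VERSION": "13F69",
        "PRODUCT": "iPad6,11",
        "SERIAL": "DMPSAMPLE0000",
        "CHALLENGE": challenge,
    })


if __name__ == "__main__":
    ch = new_challenge()
    print(build_udid_request(ch).decode())
    print(parse_udid_response(sample_device_response(ch), ch))
```

Serve the request profile over HTTPS and sign it, otherwise the device shows it as unverified; the per-request Challenge is what stops someone from replaying an old response or registering a device they never had on the cable.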




















15. Prepare the corporate application in Xcode for distribution within the company (Product > Archive).
Read more




We are not going to publish the application in the App Store, so we click Export... and choose the non-App Store option: Ad Hoc for the 100-device developer account (the export embeds a provisioning profile listing the UDIDs from step 14, and the app will not install on other devices), or Enterprise if the company is in the Apple Developer Enterprise Program.














16. Upload the application's *.ipa package into Profile Manager in OS X Server.
Read more






In this window you can see a list of corporate applications available for distribution.




17. In Profile Manager in OS X Server, specify for the desired user (better, the user group) which corporate applications to install on the device. Let's push the applications (start the remote installation).
Read more
This is how an iOS device looks before applications are assigned to a user.





Add applications to users.





Here we see the status of the assignment and installation of applications.



"Suddenly", the installation of enterprise applications on the device begins. The user takes no action.



Application installation is complete.
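What actually happens between the push certificate from step 8 and the "sudden" installation above is the MDM protocol exchange. The following is an added example in Python, not code from OS X Server or the original article, that models it: the server records the device's push token from its TokenUpdate check-in, queues an InstallApplication command whose ManifestURL points at a manifest.plist describing the uploaded .ipa, asks APNs to wake the device with the push magic only, and then serves commands one per round trip while the device answers Idle, Acknowledged or NotNow. Command, check-in and manifest key names are Apple's; the UDID, URLs, bundle identifier, push token and the device-side behaviour are constructed for the example.

```python
"""Simulate the MDM exchange that installs an in-house app on an iOS device.

Added example, not code from OS X Server or the original article. Message
key names are Apple's MDM protocol; UDID, URLs, token and device behaviour
are constructed for the example.
"""
import plistlib
import uuid

UDID = "00008030-000A1B2C3D4E5F60"                              # constructed
MANIFEST_URL = "https://mdm.example.com/apps/Inventory.plist"   # assumed
IPA_URL = "https://mdm.example.com/apps/Inventory.ipa"          # assumed


def enterprise_manifest(ipa_url, bundle_id, version, title):
    """manifest.plist describing an in-house .ipa; the InstallApplication
    command's ManifestURL must point at a file like this."""
    return plistlib.dumps({"items": [{
        "assets": [{"kind": "software-package", "url": ipa_url}],
        "metadata": {"bundle-identifier": bundle_id, "bundle-version": version,
                     "kind": "software", "title": title},
    }]})


def install_application_command(manifest_url):
    """Server -> device command. ManagementFlags=1: remove the app (and its
    data) when the device is unenrolled from MDM."""
    return {"CommandUUID": str(uuid.uuid4()).upper(),
            "Command": {"RequestType": "InstallApplication",
                        "ManifestURL": manifest_url, "ManagementFlags": 1}}


class MdmServer:
    """Minimal server side: device registry, per-device command queue and the
    check-in handler that hands out one command per round trip."""

    def __init__(self):
        self.devices = {}    # udid -> push token, PushMagic, topic
        self.queue = {}      # udid -> pending commands
        self.inflight = {}   # udid -> command sent but not yet answered
        self.log = []        # (udid, status, command_uuid)

    def handle_token_update(self, body):
        """TokenUpdate check-in: the device tells us what APNs needs."""
        msg = plistlib.loads(body)
        assert msg["MessageType"] == "TokenUpdate"
        self.devices[msg["UDID"]] = {"token": msg["Token"],
                                     "push_magic": msg["PushMagic"],
                                     "topic": msg["Topic"]}

    def enqueue(self, udid, command):
        self.queue.setdefault(udid, []).append(command)

    def apns_payload(self, udid):
        """What we hand to APNs: only the wake-up magic, never the command."""
        dev = self.devices[udid]
        return {"topic": dev["topic"], "token": dev["token"],
                "payload": {"mdm": dev["push_magic"]}}

    def handle_checkin(self, body):
        """Device -> server over HTTPS. Returns the next command plist, or b""
        when nothing is pending (the device then goes idle)."""
        msg = plistlib.loads(body)
        udid, status = msg["UDID"], msg["Status"]
        self.log.append((udid, status, msg.get("CommandUUID")))
        sent = self.inflight.pop(udid, None)
        if status == "NotNow" and sent is not None:
            # Device cannot run it now (e.g. locked): keep it for next time.
            self.queue.setdefault(udid, []).insert(0, sent)
            return b""
        pending = self.queue.get(udid, [])
        if not pending:
            return b""
        cmd = pending.pop(0)
        self.inflight[udid] = cmd
        return plistlib.dumps(cmd)


def simulate_device(server, udid, busy=False):
    """Device side after the push: report Idle, then answer every command.
    Returns the manifest URLs it 'installed'."""
    installed = []
    body = plistlib.dumps({"Status": "Idle", "UDID": udid})
    while True:
        reply = server.handle_checkin(body)
        if not reply:
            return installed
        cmd = plistlib.loads(reply)
        if busy:
            status = "NotNow"
        elif cmd["Command"]["RequestType"] == "InstallApplication":
            installed.append(cmd["Command"]["ManifestURL"])
            status = "Acknowledged"
        else:
            status = "CommandFormatError"
        body = plistlib.dumps({"Status": status, "UDID": udid,
                               "CommandUUID": cmd["CommandUUID"]})


def demo(busy_first=False):
    """Enrol a constructed device, queue an app install, 'push', and run the
    check-in loop; with busy_first the device first answers NotNow."""
    server = MdmServer()
    server.handle_token_update(plistlib.dumps({
        "MessageType": "TokenUpdate", "UDID": UDID,
        "Token": b"\x01\x02\x03\x04", "PushMagic": "4D2C-EXAMPLE",   # constructed
        "Topic": "com.apple.mgmt.External.0B2E1E52-EXAMPLE",         # constructed
    }))
    server.enqueue(UDID, install_application_command(MANIFEST_URL))
    push = server.apns_payload(UDID)   # would go to APNs, not to the device
    first = simulate_device(server, UDID, busy=busy_first)
    second = simulate_device(server, UDID) if busy_first else []
    return {"push": push, "first": first, "second": second, "log": server.log}


if __name__ == "__main__":
    print(demo())
```

The point of the NotNow branch is that a queued command must survive a device that is busy or locked; a server that drops it on NotNow leaves the user waiting for an install that never comes.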




Infrastructure setup is complete.


Distributing apps to employees with personal iOS devices

Employee action algorithm
All the employee needs to do is:
  1. Go to the server site:
      http://os-x-server.com/mydevices 
  2. Log in with the account created on OS X Server (if the applications are common to everyone, authentication is not required);
  3. Click Enroll My Device. The iOS device appears in Profile Manager;
  4. After that, the installation of the applications available to the user begins.

Enrollment installs a management profile on the personal device: the employee has to trust the server's certificate (or its CA) and accept the profile, and from then on the server can push settings to the device. On an unsupervised personal device the employee can remove that profile at any time, which also removes the managed applications installed through it.

Unfortunately, I have not saved screenshots of this process because of its simplicity, but you can catch the gist from this video (it starts from the right moment). Scientifically, this is called a self-service portal. Almost like the canteen at the factory.


Afterword



A conceptual description of OS X Server in Russian, although a bit outdated, I advise you to read here.

Current videos on setting up the individual components of OS X Server can be viewed here.

Note
The distribution method described in the article applies to any application built for iOS, i.e. it is the same for applications written with Xamarin, Cordova or natively. All you need is to create the *.ipa application package and upload it to Profile Manager.

I hope the article will be useful to beginning (or not so beginning) iOS developers. Good luck!

Source: https://habr.com/ru/post/277763/

