Best advice for assigning settings due to AppleID issues

Jacko
Here to help

Hi all,

So, I have a saved config in SM DEP that bypasses just about everything when setting up a new iPhone.

However, once it's activated Meraki tries to install all the apps and keeps asking for me to sign in with an AppleID. It's relentless in throwing up messages to sign in, so I can't actually get anywhere.

Would it be better to NOT bypass the AppleID creation/login at setup, so that once the SM profile tries to kick in the AppleID is already in place?

That said, I've also experienced the situation whereby you're signed in but it wants you to input your password to authenticate the install of some of the apps, and again, it's relentless in throwing up messages for the password for every app, so you can't do anything.

Hope this makes sense, as I really need help with this.

Many thanks

jared_f
Kind of a big deal

You need to purchase the free VPP codes for the Meraki MDM app to get silent install. No Apple ID required.

I have VPP all set up and have loads of purchased apps in VPP.

So if I acquired all our free apps through VPP also, would it allow me to silently configure an iPhone fully without the need for creating employee AppleIDs?

Further to this,

if we truly don't need AppleID's, is there a part of the SM policy where I can disallow an iPhone user from actually signing into their AppleID so that they cannot install their own apps?

OCT_OMG
Getting noticed


@Jacko wrote:

Further to this,

if we truly don't need AppleID's, is there a part of the SM policy where i can disallow an iphone user from actually signing into their appleID so that they cannot install their own apps?


For non-DEP devices, you should be able to disallow the use of the iTunes Store under the iOS Restrictions section of your profile and get the desired result.

 

For DEP/Supervised devices, you can also whitelist or blacklist apps depending on your needs. By whitelisting a group of allowed apps, users won't be able to install/use anything that's not included.  I've also found it very handy to use the blacklist feature to automate the removal of those pesky pre-installed iOS system apps such as iTunes Store, App Store, News, Tips, Find Friends, GarageBand, etc...

 

mmmmmmark
Building a reputation


@Jacko wrote:

Further to this,

if we truly don't need AppleID's, is there a part of the SM policy where i can disallow an iphone user from actually signing into their appleID so that they cannot install their own apps?


I've not tested it, but this should prevent the users from installing their own apps.

Thanks, I do have that set so that users cannot install apps.

I've also arranged the home screen (in the profile) so that certain apps appear in the same place on each iPhone; however, this locks down the page so that the user cannot move ANY apps, and that's unnecessarily restrictive in my view, as some use certain apps more than others and would want a different priority on the home page.

I wouldn't have thought that simply assigning 'some' apps to the home page would lock everything down, but it does.

 

I've created a new topic about not using AppleID's but not had any replies.

Not having to create employee AppleID's would be heaven, but then how would their phones get backed up without a logged-in iCloud account?


@mmmmmmark wrote:

@Jacko wrote:

Further to this,

if we truly don't need AppleID's, is there a part of the SM policy where i can disallow an iphone user from actually signing into their appleID so that they cannot install their own apps?


I've not tested it, but this should prevent the users from installing their own apps.


 

Unfortunately, I believe this setting will also prevent Meraki SM from installing apps on iOS devices, so it must remain checked.  I vaguely remembered reading @Melissa's post in an earlier thread, so all credit goes to her 🙂

Melissa
Meraki Alumni (Retired)

Hi @OCT_OMG

 

I would suggest using this restriction to prevent users from installing apps - it's under "ios restrictions (supervised)" and does require that the devices are supervised. 


 

[Screenshot: Screen Shot 2018-09-07 at 12.18.35 PM.png]

 

This will NOT prevent you from pushing apps through the SM dashboard - like the restriction below under "Cross-platform restrictions" would:

 

[Screenshot: Screen Shot 2018-09-07 at 12.20.16 PM.png]

 

If that solves your needs - great! If you otherwise wanted to prevent users from logging in to any personal itunes/icloud accounts, you could use this restriction to do that as well, also under "ios restrictions (supervised)"

 

[Screenshot: Screen Shot 2018-09-07 at 12.21.49 PM.png]

 

 

Thanks, I'll make the config alts now.

What about backing up of devices, though?

Without a signed-in iCloud account the device won't get backed up, and that could be an issue due to photos, notes, contacts etc.

We use Office365 and SM pushes the Outlook app to devices.

Would it be possible to use the same managed iCloud account for each device, just so they back themselves up, I wonder?

OCT_OMG
Getting noticed


@Jacko wrote:

Thanks, i'll make the config alts now.

 

What about backing up of devices though?

Without a signed in icloud account the device won't get backed up and that could be an issue due to photos, notes, contacts etc.

We use Office365 and SM pushes the outlook app to devices.

Would it be possible to use the same managed icloud account for each device, just so they back themselves up i wonder?


We don't use iCloud for backups, so can't offer much insight there.  It should be easy enough to test, though.

 

Since you already use Office365, have you evaluated whether or not OneDrive meets your backup requirements?

 

If you find it necessary to continue using multiple AppleID's for your devices, I'd suggest checking into upgrading our DEP account to a new Apple Business Manager account.  May make managing multiple AppleID's easier for you.

Thanks.

I did read that upgrading DEP to ABM only allows management of AppleIDs for actual users of ABM, not general employees, which if true is a damn shame ☹️

The other benefit of having iCloud sign-in is tracking.

SM is laughably bad at showing the location of a device. I mean, ssoooooooo bad they should probably remove it. I have almost zero faith in SM's ability to geolocate. I had to abandon the geo policies I set up as they constantly got it wrong, and it's embarrassing to ring an employee and ask why they are literally 100s of miles away (according to SM) and then they walk into your office, phone in hand, with a quizzical look on their face.

Ooops!

OCT_OMG
Getting noticed


@Jacko wrote:

The other benefit of having iCloud sign-in is tracking.

SM is laughably bad at showing the location of a device. I mean, ssoooooooo bad they should probably remove it. I have almost zero faith in SM's ability to geolocate. I had to abandon the geo policies I set up as they constantly got it wrong, and it's embarrassing to ring an employee and ask why they are literally 100s of miles away (according to SM) and then they walk into your office, phone in hand, with a quizzical look on their face.

Ooops!

Check out the SM Location doc to determine the method your devices are most likely using to approximate their location.  I suspect that, since your devices have cellular data capabilities, the discrepancy comes from a combination of factors such as lack of GPS signal, cellular carrier IP geolocation, VPN/Proxy, location services disabled, etc...

 

To keep our users from disabling location services on iOS devices, we had to manually enable restrictions on the devices, then restrict the ability to change location services settings.  This was a manual process that couldn't be performed by SM, and had to be re-enabled after the iOS 11.3 or 11.4 (can't remember which) update broke it.  We also had to make sure the SM App was installed and that it was allowed to use the device location before the restrictions were enabled.  So much for hands-off deployment, huh? 😄

 

I think it's also worth noting that the disparity you see between SM and iCloud device locations is intended as such by Apple, and would likely be an issue regardless of the MDM system being used.  Perhaps others with more experience in this regard can chime in.  These Apple privacy restrictions probably have something to do with why OneDrive for Business won't allow camera uploads from the iPhone app (but that probably belongs in the other thread...).

[Screenshot: Untitled 7.png]

 

OCT_OMG
Getting noticed


@Jacko wrote:

Thanks.

i did read that upgrading DEP to ABM only allows management of AppleIDs for actual users of ABM not general employees, which if true is a damn shame ☹️

I think maybe I misunderstood your situation 🙂

 

Who owns the devices and associated AppleID's; the end user or the company?  Are the devices actually enrolled in an Apple DEP account?

 

If both the AppleID and device are corporately owned and you have an ABM account, you should be able to create managed AppleID's under your registered domains and assign different roles to them; all from within the ABM dashboard.  These managed Apple ID's are considered ABM Users due to their creation under an ABM account, but should operate much like a standard Apple ID.

 

I've never tested how they work with iCloud since we don't use it, but am interested to find out.  I'll try to find a few minutes this weekend to look into it further.

Update:

Logged into our Apple Business Manager account, created 2 separate managed AppleID's, then used them to log into one of our DEP Supervised iPads.  Set up iCloud backup & ran it, then logged into iCloud via a PC web browser and was able to see photos, etc... as expected.

 

From this very limited test, it seems to me that, if you're in a situation where you've got DEP Supervised devices, but need each user to also have a unique AppleID for the purposes of VPP licensing, discrete iCloud backup of photos, etc..., the ABM account is the way to go for managing them.

 

I'm curious to know if these managed AppleID's will actually sync with SM so they can be assigned as device owners and VPP Users without having to create them in SM first.  As of yet, mine aren't showing up, so I'm thinking not.

Thanks for your continued help on this, OCT_OMG.

The ideal would be that I could create AppleID's en masse in ABM. They flow through into SM, and when assigning a user to the device in SM it also signs in the AppleID associated with the user.

Otherwise, if you had a new iPhone shipped straight to the employee, they'd still need to sign in with the AppleID you give them.

But I don't think it can be done.

When you create a VPP user in SM, it emails the person, so you need to either pre-warn them to forward on those kinds of emails or have the user's login details to do it all for them.

Once done, you can then create an owner by importing the VPP list.

It's very convoluted.......and sadly it's been this way for a few years now.

I've successfully enrolled an iPhone 7 using VPP device assignment and it's actually very fast to install all the apps. But, again, the issue of backing up things like SMS, contacts, photos etc. is at the forefront of my deployment dilemmas.

 

 

Another thing: I've now upgraded to ABM from DEP. I've used our main domain, but I have another domain that is basically a separate company within the group of companies I look after.

Not fig

OCT_OMG
Getting noticed


@Jacko wrote:

 

 

I've successfully enrolled an iPhone 7 using VPP device assignment and it's actually very fast to install all the apps. But, again, the issue of backing up things like SMS, contacts, photos etc. is at the forefront of my deployment dilemmas.

 


While you've likely considered these things, I wanted to mention a few quick thoughts for others who may stumble across this thread later.

 

It seems the biggest potential issues caused by using a single, common AppleID for iCloud backups might be:

 

  • 5GB storage per account
    • With more than a couple of devices backing up photos to the same iCloud account, this limit may be reached very quickly.
  • Account Device Limit
    • Apple states there is a 10 Device limit per account, but not sure how strict they are about this.
  • Co-mingled data
    • When using a single AppleID across multiple devices, it's possible that an individual device's Photos, Notes, Reminders, etc. will be placed into a single bucket in iCloud, then sync'd with all other devices.
  • iMessage mayhem
    • When using a single AppleID across multiple devices, it's possible that a user can also select another user's device for Text Message Forwarding or to Send & Receive.
    • How might this affect Mac Messages app users?
  • Keychain
    • How might Keychains be affected by using a single AppleID?

 

Certainly food for thought 🙂 

mmmmmmark
Building a reputation

Also, I've had the experience of having another employee get my phone call on their phone, as both our phones were on the same wifi and were using the same iCloud account. Don't know if that's still the case or not now, though.

Thanks for the input.

Yeah, I'd already discounted using a single iCloud account for all the reasons you mentioned above. Tried it once back in the day....not a good result.

 

Sharing Apple ID's is asking for trouble. It may even be against their terms and conditions. If they are business devices on which you are not allowing personal apps, then use VPP until the cows come home.

iCloud: do users really need to back up their devices? If they need to back up photos, why not use Dropbox to seamlessly share images between phone and desktop/laptop?

To get a proper location using SM you need to install the SM app on the device, open it and allow it to use location services. This isn't Meraki's bad design; it's Apple's rules around privacy.

OCT_OMG
Getting noticed


@Jacko wrote:

I have VPP all set up and have loads of purchased apps in VPP.

So if I acquired all our free apps through VPP also, would it allow me to silently configure an iPhone fully without the need for creating employee AppleIDs?


Hi @Jacko

 

If you already have VPP configured & sync'd in your dashboard and you are using Device Assignment vs User Assignment, then yes.  

 

Meraki has made this type of installation very easy by using device tags in conjunction with each app's Target Scope to automate installation on specific devices.

 

Let's suppose you want to install Google Chrome on several (but not all) devices. By creating and applying a device tag such as APP-Chrome to the desired target devices, then setting the Chrome app's Target Scope to install on devices that contain all of the following tags: APP-Chrome, it will silently install on all devices within scope and will not prompt for credentials.

 

This isn't to say that the same thing can't be done when licensing by User Assignment or Redemption Codes, but we don't use those, so I don't know the specifics of those methods. 

 

For reference in case anyone else needs it, here's a link to the Meraki documentation:

 

https://documentation.meraki.com/SM/Apps_and_Software/Using_Apple’s_Volume_Purchase_Program_(VPP)_wi...
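To make the tag-based Target Scope mechanism from the post above concrete, here is an added example (not from the thread or from Meraki) that models which devices in a constructed inventory would receive a silent, device-assigned install. The "all of the following tags" mode is the one quoted in the post; the "any" mode and the empty-scope guard are assumptions added here, as is the device inventory.

```python
# Added example: a model of SM app Target Scope evaluation by device tag.
# Not Meraki code; the serials, tags and the 'any' mode are constructed/assumed.
from dataclasses import dataclass, field


@dataclass
class Device:
    serial: str                               # constructed sample serial
    tags: set[str] = field(default_factory=set)


def in_scope(device: Device, mode: str, scope_tags: set[str]) -> bool:
    """True if the device matches the scope rule for an app.

    'all': device carries every tag in scope_tags (mode quoted in the post).
    'any': device carries at least one of the tags (assumed second mode).
    """
    if not scope_tags:
        # Guard: an empty tag list under 'all' is a subset of every device's
        # tags and would push the app fleet-wide. Fail loudly instead.
        raise ValueError("scope has no tags; it would match every device")
    if mode == "all":
        return scope_tags <= device.tags
    if mode == "any":
        return bool(scope_tags & device.tags)
    raise ValueError(f"unknown scope mode: {mode}")


def plan_silent_installs(fleet, mode: str, scope_tags: set[str]) -> list[str]:
    """Serials that would receive a silent VPP device-assigned push."""
    return sorted(d.serial for d in fleet if in_scope(d, mode, scope_tags))


# Constructed inventory for illustration only.
FLEET = [
    Device("Q2XX-0001", {"APP-Chrome", "APP-Outlook"}),
    Device("Q2XX-0002", {"APP-Outlook"}),
    Device("Q2XX-0003", {"APP-Chrome"}),
    Device("Q2XX-0004", set()),
]

if __name__ == "__main__":
    # Mirrors the post: Chrome scoped to devices with ALL of {APP-Chrome}.
    print(plan_silent_installs(FLEET, "all", {"APP-Chrome"}))
```

Review the resulting serial list against the dashboard's device list before saving a scope change; a scope that resolves to more devices than expected is the usual cause of an unintended fleet-wide push.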
