Hi Guys,
1) I have some ipads to setup for a school for the pupils, doing it via Meraki for deploying the apps only. I was just wondering what restrictions you guys setup on the Ipads themselves for example, turning off Facetime, turning off Install Apps etc and what you allow.
2) Final question (thought it maybe easier killing 2 birds with one stone), if apps are deployed via Meraki and I turn off installing apps on the ipad, can apps still be deployed via Meraki ?
Look forward to hearing from you guys.
@discoveranother Here is a few things I would restrict:
-Installing configuration profiles (Meraki can still install them under the management profile, but the pupils cannot install manual payloads.)
-Are you pushing WiFi via a profile and that is going to be the only network they can join? If so, consider using WiFi whitelisting so they cannot tether to their phones to possibly get by your filters.
-Enforce Safari fraud warning
-Restrict erotica in iBooks
-Siri profanity filter
-Diagnostic submission not allowed
-If you are planning on setting the wallpaper, restrict changing that.
-I feel iMessaginf and FaceTime should be turned off if they are school iPads.
Obvously this is is between you and the administration to see what they/you want to restrict.
To answer your second question:
Are you planning on using VPP and DEP and having these devices supervised (I highly suggest all three). If so, you can use the restriction thy disabled the App Store and use VPP for device based app distribution (and an Apple ID on each device would not be nexessary!). What I do is deploy the Meraki MDM app and any other mandatory apps and then place anyone else in the Meraki MDM app to allow the user to install them. *If apps are managed and marked as mandatory (i.e. the Meraki MDM app) and the user deletes it, it will re-install next time the device inventory updates.
Hope that is helpful,
Jared
How are you marking an app as mandatory?
@Diane I just have "Auto Install" checked in my managed apps. If a user deleted the app it will reinstall when the device checks in.
I didn't have the auto-install option until just the last couple of days. I need to test it out. Thanks!
@jared_f Make a list of the options you think you need. Disable everything. Then individually go through your first list and justify why you might think you need it.
My personal approach to security is bottom-up rather than top-down.
In most of our client setups we have two 'allowed apps' and nearly everything else disabled.
Thank you,
Peter James
For your second question - it sounds like you are referring to the Restrictions on the Settings page. Is that right?
Under "Cross Platform Restrictions", deselecting "Allow installing apps" will turn off the user's and SM's ability to install applications.
The more popular option would be to use the restriction under "ios restrictions (supervised)" to deselect "Allow App Store". This works for supervised devices on ios 9 and above and will still allow you to push apps and updates through SM 🙂