iOS 12.2 Changes the way EMM enrolments are performed

Apple will soon release a change in the way non-DEP iOS devices are enrolled into EMM platforms. These changes were first tested in iOS 12.1.3 beta late last year and will soon be introduced in the iOS 12.2 public release.

Apple is making this change in iOS 12.2 “in order to improve the platform security by reducing misleading profile installations.”

This new workflow will affect all EMM vendors and impacts the initial enrollment of BYOD devices in EMM. EMM vendors are working on providing explicit information within their applications and enrolment flows to make it as clear as possible what an end user needs to do. The main change is that the browser will no longer redirect an end user automatically to Settings in order to install an MDM profile. Instead, end users need to do this manually by coming out of the EMM app and navigating to Settings in order to install the profile. The installation window is timed and will eventually expire.

This change does not affect the enrolment of DEP-enabled iOS devices, only those enrolled manually to the EMM console.

In order to be prepared for this upcoming change you need to:

  1. Test iOS 12.2 beta to see if you find any issues with this new workflow. At this time (February 20th), iOS 12.2 is at beta 3
  2. Get in touch with your EMM vendor to see what plans they have to change the wording in the application for a better user experience
  3. Keep your end user documentation updated to better navigate this change
  4. Keep an eye open or contact your Apple representative for an official release date of iOS 12.2

My take on this is that with this change Apple is improving the overall iOS platform security by:

  • Giving end users the option to “inspect the details of the profile and install it”
  • Automatically deleting uninstalled profiles after 8 minutes

These benefits come at a cost: organizations will face challenges with the BYOD enrollment process. Organisations that provide corporate-owned devices for employees should seriously consider Apple Business Manager and DEP to avoid future complications.


This Post Has 2 Comments

  1. Tom

    I’m not a fan of this change as I would imagine any user who wishes to enroll his/her device into EMM expects any install is related to the enrollment from a known/trusted source. I do agree that in the long run, any corporate device should by default be in DEP before giving to users.

    “the main change is that the browser will no longer redirect an end user automatically to Settings in order to install a MDM profile, instead end users need to do this manually by coming out of the EMM app and navigating to Settings in order to install the profile.”
