Manage corporate iOS devices with OS X Server, as well as distribute applications within the company



Sooner or later, a good many large companies arrive at the question of developing an internal corporate mobile application. IT specialists are then faced with working out two scenarios: installing applications on employees' personal devices, and handing out company-owned devices to employees for specific tasks. This article covers working with iOS devices through OS X Server.


Introduction



Today you can easily find information in English on configuring OS X Server, MDM solutions and so on, and on the whole the configuration is not complicated. This article is addressed to readers in the Russian-speaking segment who have run into this problem for the first time and want to understand what awaits them and how complicated and scary it all is.
The material was compiled as a brief guide to action and went straight to the Trash as no longer needed, but before I clicked "Empty Trash" I thought it might be useful to someone else who is not familiar with the topic.
So I ask a certain category of commenters to be lenient.


Problem statement



So, let's define the tasks that the company (or the customer) has set for us.

We have two independent development vectors in the mobile area:
  • A corporate mobile application for company employees, which they install on their personal devices, in our case iOS devices. For example, the main functionality is reading news and a calendar of events;
  • A narrowly specialised mobile application for certain categories of employees, for example sociologists who conduct polls, say, on the street. They are issued iOS devices specifically for these tasks, and management, while hoping for these people's conscientiousness, nevertheless wants to rule out the very possibility of misusing both working time and the devices. Simply put, everything must be prohibited: listening to music, using the Internet, installing games from the App Store and so on, leaving only the ability to use the polling application.


Background



Although these two areas are different, they have something in common: distributing applications within the company, i.e. under the Apple Developer Enterprise Program. To an untrained developer this may look like simply registering the developer company as a legal entity with some Enterprise extras. In fact the essence of the program is literally "the App Store is no place to distribute enterprise apps": by joining it you gain the ability to distribute iOS applications bypassing the App Store, but the Enterprise membership itself gives no right to publish in the App Store. That still requires a separate Apple Developer Program membership; an organisation can hold both, but they are two different accounts with two different sets of signing certificates. Keep in mind that apps signed with an enterprise distribution certificate are meant for the company's own employees only: if Apple revokes the certificate, every app signed with it stops launching.

Let's now look at the issue of distributing corporate mobile applications somewhat more broadly, and not only through Apple's eyes. There are three major players on the market today: Google, Apple and Microsoft.
Here is how each of these companies sees application distribution bypassing the store.

Google
It's simple. Android is an open operating system: build the application package (*.apk) and do whatever you want with it; installing from outside Google Play only requires the user to allow apps from unknown sources. The one-time fee for the Google Play Developer Program is needed only if you also want to publish in the store.

Microsoft
Two programs. For publishing in the official store, a small one-time fee. To publish bypassing the store, you buy a special certificate once a year, Enterprise Mobile Code Signing, with which your applications are signed. Roughly speaking, it is a pass that lets an application into the smartphone's application garage through the back door: "I'm a VIP, I can be installed from the back entrance".

Apple
Cupertino, in turn, sees the approach to mobile application development as follows.
For publishing in the official App Store there is the Apple Developer Program, in which both individuals and legal entities can participate; the price is the same. If you need to publish applications within the company, i.e. not for everyone, Apple provides the Apple Developer Enterprise Program, which on its own does not let you publish in the App Store.
But what if you need to publish applications in both scenarios? Or there is no way to register a legal entity yet: you have just started a prototype and can only register as an individual, i.e. a single developer.
In that case the classic Apple Developer Program lets you install applications directly on up to 100 devices of each type (iPhone, iPad) registered in the developer console. Formally this is called Ad Hoc distribution and is meant for testing. Two limits to keep in mind: devices must be registered by UDID before the build is signed, and the list of 100 is reset only once per membership year, so a device you remove keeps occupying its slot until then.
Oddly enough, this often solves a whole layer of problems in the early stages, and we will use it in this article.

Well, we have a prototype mobile application, we have a developer account in the Apple Developer Program and a great desire to solve the problem.

Now to the iOS device management model. If you have used an iPhone or iPad, you have probably heard of a Profile. No, not the user profile from SharePoint, but a configuration profile: an XML plist (usually a .mobileconfig file, optionally signed) that describes device settings and permissions, for example access to iOS beta versions. Everything in the Apple world revolves around this thing: installing applications, restricting device capabilities, configuring devices and so on. As you have probably guessed, we will be steering these profiles: for some users voluntarily, for others by force.


Apple Configurator 2



To distribute iOS applications in a corporate environment you need two tools (from the App Store):
  • Apple Configurator 2 (free);
  • OS X Server (1,490 rubles);

Both tools can install profiles, but a profile the user cannot delete requires a supervised device, and supervision is exactly what Apple Configurator 2 sets up. On an unsupervised device the "disallow removal" flag in a profile is ignored, so there a profile can at best be protected with a removal password.
That is, everything is under control, namely:


OS X Server, or rather Profile Manager, which is part of it, is needed for remote configuration of profiles, because Apple Configurator 2 only works over a USB cable.

So that the scheme is clear: profiles (essentially configuration files that travel back and forth) are what remote application installation and device configuration are carried out through. Apple Configurator 2 ensures that a profile installed with it cannot be deleted by the user, and Profile Manager in OS X Server lets you manage installed profiles remotely. To a first approximation, that is the picture.

Now that you have gathered your thoughts, a couple of missing pieces of the puzzle remain. Besides profiles, there is another link in the mechanism called Supervision, which Apple Configurator 2 provides. It consists of resetting the device to factory settings, hard-wiring it to your Profile Manager (MDM) server, and prohibiting the user from erasing the device; supervision also unlocks a set of restrictions that unsupervised devices ignore. Configurator also supports taking images of the device, in other words backups.

And the last thing. You are probably wondering how ordinary employees get corporate applications without all these terrible wipes and configuration. For them, Profile Manager provides a website, by default called "My Devices", from which they download a profile that enrolls the device and automatically installs the required applications on their phone. Yes, it really is that simple for ordinary employees.

OK, back to Apple Configurator 2.
This is how it looks in the App Store.


Once again, we list its main features:

  • Reset iOS device to factory settings;
  • Create device profiles;
  • Create Blueprint images;
  • Putting an iOS device into Supervised mode, which ties it to this computer's supervision identity so that management operations (reset and so on) are only possible from it;
  • Creating backups of iOS devices;

A new word, Blueprint, has appeared in this list, and we still have not understood which restrictions we can set through Profiles. Let's talk about it.


Profiles in Apple Configurator 2



Profiles are used to install the required settings and restrictions on the device.

For example, in one profile you can set:
  • Settings for connecting to Wi-Fi;
  • Restrictions on using the device's multimedia capabilities;
  • A ban on installing applications from the App Store;
  • A filter of allowed websites, or a ban on using the Safari browser;

Multiple profiles can be installed on one device.

List of settings available through a profile:
  • General profile information;
  • Passcode (lock-screen password policy);
  • Restrictions on device functionality;
  • Application restrictions;
  • Restrictions on media content;
  • Global HTTP proxy;
  • Allowed websites (content filter);
  • Domains;
  • Wi-Fi;
  • VPN;
  • AirPlay;
  • AirPrint;
  • Mail accounts;
  • Exchange ActiveSync;
  • LDAP;
  • Calendar (CalDAV);
  • Contacts (CardDAV);
  • Subscribed calendars;
  • Web Clips (home-screen website shortcuts);
  • Fonts;
  • Certificates;
  • SCEP;
  • Cellular (APN) settings;






Blueprints in Apple Configurator 2



Blueprints are quick “images” of the desired settings and applications that can be applied to the connected device in one click.

Work with Blueprints
Creating a Blueprint





Selecting a device type



Adding the desired enterprise applications to the image



Add the *.ipa application package



Adding profiles



Well, I hope you now have a general idea of the basic tools for configuring iOS devices. It's time to move on to the more advanced, and accordingly paid, tools.


Apple OS X Server



OS X Server was preinstalled on the server versions of the Mac mini until 2014. It is now distributed as a standalone application through the App Store and can be installed on any Apple computer.
It is a set of services for serving a fleet of Apple devices, including remote management of iOS and OS X devices.
This is how it looks in the App Store.


Key features:

  • User administration within the framework of Open Directory (integration with Active Directory is possible);
  • Sync calendars
  • Contact Sync
  • File Sharing;
  • Mail server;
  • Group user chats;
  • Profile Manager for remote management of iOS and OSX devices;
  • TimeMachine Server (backups);
  • VPN
  • Website hosting in PHP and Python;
  • CMS Wiki
  • Xcode server for continuous integration;
  • DHCP server;
  • DNS server;
  • FTP server;


Sync OS X Server with Active Directory



Of course, I could not pass over Active Directory, since we work in the corporate segment, and I have to say at least a few words on the subject. Like Microsoft, Apple has its own directory service, Open Directory, which is conceptually no different from Active Directory.
Integration with Active Directory uses the binding mechanism (the Mac joins the domain as a computer object). It is configured quite simply; however, it is not rock-solid: different combinations of Windows Server and OS X Server versions behave differently, i.e. you may lose the connection. When a binding drops, the usual suspects are clock skew (authentication goes through Kerberos) or a failed rotation of the computer account's password.

Setting up synchronization with Active Directory

















Great, now you are aware of all the basic terms and principles. We can begin to configure the mechanisms for distributing applications within the company and configuring iOS devices.


Procedure for setting up the infrastructure for configuring iOS devices and distributing applications



1. Install Apple Configurator 2 from the App Store.

2. Install OS X Server from the App Store.

3. Create a profile with Wi-Fi settings for the iOS device via Apple Configurator 2 if employees must use a specific closed corporate network whose password we do not want to give them. Note that the password still sits inside the profile in clear text; hiding it from the user only works while the profile cannot be removed and the .mobileconfig file itself is not handed out.
More details


Specify the password that must be entered to delete the profile. This is one option; we can also prohibit deletion entirely, which takes effect on supervised devices.
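As an added example (not the article's own code and not an Apple tool), here is a Python script that builds the kind of profile step 3 describes: the Wi-Fi payload with a removal password or with removal disallowed, plus the restrictions payload for the "polling device" scenario from the problem statement, and then audits the resulting .mobileconfig the way an operator should before handing it out. Payload type names and keys follow Apple's Configuration Profile Reference; the SSID, passwords, the `com.example.corp` identifier prefix and the file name are made-up sample values. Two things the audit makes visible: PayloadRemovalDisallowed is honored only on supervised devices, and both the Wi-Fi password and the removal password sit in the file in clear text.

```python
"""Build and audit an iOS configuration profile (.mobileconfig).

Added example, not part of the original article. Standard library only.
Payload keys are from Apple's Configuration Profile Reference; the SSID,
passwords and identifier prefix are made-up sample values.
"""
import plistlib
import uuid

ORG_PREFIX = "com.example.corp"   # assumption: reverse-DNS prefix of our organisation


def _payload(payload_type, display_name, **keys):
    """The envelope every payload dictionary (and the profile itself) needs."""
    p = {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ORG_PREFIX}.{payload_type}.{uuid.uuid4()}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
    }
    p.update(keys)
    return p


def build_profile(ssid, wifi_password, kiosk=False, removal_password=None,
                  removal_disallowed=True):
    """Return .mobileconfig bytes (XML plist) with a Wi-Fi payload, optional
    restrictions for the single-purpose polling device, and the removal policy."""
    payloads = [
        _payload("com.apple.wifi.managed", "Corporate Wi-Fi",
                 SSID_STR=ssid, HIDDEN_NETWORK=True, AutoJoin=True,
                 EncryptionType="WPA", Password=wifi_password),
    ]
    if kiosk:
        payloads.append(_payload(
            "com.apple.applicationaccess", "Polling device restrictions",
            allowAppInstallation=False,           # no App Store
            allowSafari=False,                    # no browsing
            allowiTunes=False,                    # no music store
            allowCamera=False,
            allowEraseContentAndSettings=False,   # honored on supervised devices only
        ))
    if removal_password is not None:
        # Hidden from the user in Settings, but stored in the file as-is.
        payloads.append(_payload("com.apple.profileRemovalPassword",
                                 "Removal password",
                                 RemovalPassword=removal_password))
    profile = _payload("Configuration", "Corporate device profile",
                       PayloadContent=payloads,
                       # Ignored on unsupervised devices.
                       PayloadRemovalDisallowed=removal_disallowed)
    return plistlib.dumps(profile)


def audit_profile(data):
    """Parse a .mobileconfig and report what an operator should know before
    handing it out: which secrets are in it in clear text, whether the user
    can remove it, and whether it actually blocks the App Store."""
    profile = plistlib.loads(data)
    payloads = profile.get("PayloadContent", [])
    payload_types = [p["PayloadType"] for p in payloads]
    plaintext_secrets = []
    for p in payloads:
        if p["PayloadType"] == "com.apple.wifi.managed" and p.get("Password"):
            plaintext_secrets.append(f"Wi-Fi password for {p['SSID_STR']}")
        if p["PayloadType"] == "com.apple.profileRemovalPassword":
            plaintext_secrets.append("profile removal password")
    return {
        "payload_types": payload_types,
        "removal_disallowed": bool(profile.get("PayloadRemovalDisallowed", False)),
        "has_removal_password": "com.apple.profileRemovalPassword" in payload_types,
        "plaintext_secrets": plaintext_secrets,
        "blocks_app_store": any(p.get("allowAppInstallation") is False for p in payloads),
    }


if __name__ == "__main__":
    blob = build_profile("corp-hidden", "S3cretWiFi!", kiosk=True,
                         removal_password="remove-me-42")
    with open("polling-device.mobileconfig", "wb") as f:   # sample file name
        f.write(blob)
    for key, value in audit_profile(blob).items():
        print(f"{key}: {value}")
```

The generated file can be opened in Apple Configurator 2 or installed by e-mail or web link; the audit function is the part worth keeping around, since it also works on profiles exported from Profile Manager or received from a vendor.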








4. Move on to setting up OS X Server: set the host name, network reachability and remote access settings. This is the initial configuration of our server. The host name must resolve to the server from wherever devices will be enrolled, and the certificate Profile Manager presents must be trusted by the devices; with a self-signed certificate it has to be installed on them first.
More details













5. Configure Open Directory in OS X Server so that users can be stored in it.
More details







6. Create users in OS X Server, or synchronise the server with Active Directory. We need one more administrator and an ordinary user (an employee).
More details









7. Create user groups (by team/department) and distribute users into these groups in OS X Server. We will need this for configuring device groups.
More details













8. Enable Apple Push Notifications in OS X Server.
More details
Enabling Apple Push Notifications is necessary for managing devices over the Internet. The OS X Server does not deliver commands through the push itself: it sends a tiny wake-up through APNs, after which the device connects to the Profile Manager server over HTTPS and picks up the queued commands. Without APNs nothing is pushed and the device only checks in when it chooses to.



Here you need an Apple ID; the article uses our developer account with an active Apple Developer Program membership. Use an organisational Apple ID rather than an employee's personal one: the push certificate is tied to it and has to be renewed every year, and renewing under a different Apple ID means re-enrolling every device.






9. Set up contact synchronisation in OS X Server. This is optional if you do not plan to maintain a shared list of contacts between employees.
More details





10. Now for the fun part: set up Profile Manager in OS X Server.
More details

Mobile device management server


Profile Manager lets you centrally administer and manage enrolled devices running OS X 10.7 and later or iOS 4 and later.

It should be noted that Apple exposes the device management API (the MDM protocol) to third-party MDM vendors so that their experience can be used.

As a rule, these mobile device management (MDM) systems have more configuration options.
For server-initiated delivery of settings and software, a push service is needed. That service is Apple's APNs: OS X Server holds a push certificate for it, and third-party MDM solutions need exactly the same kind of certificate, because no other path wakes an iOS device. The push carries no payload of its own; the device receives the wake-up, connects to the MDM server over HTTPS and fetches the commands related to configuration or software installation (for store apps the server in turn talks to Apple's App Store). This is what makes urgent actions possible, such as locking stolen devices or wiping data from them.

If you plan to manage only Apple devices and have no special requirements, Profile Manager is the best solution in terms of cost/functionality. In that case the Apple Push Notification Service (APNS) wakes devices for the central delivery of enterprise software and settings, and policies reach devices even outside the corporate network perimeter, provided the Profile Manager server itself is reachable from the Internet (or through a VPN), since the device must connect back to it to get the actual commands.

Profile Manager setup procedure























11. Through Profile Manager in OS X Server, enable enrollment of the iOS devices configured in Apple Configurator 2.
More details









12. Through Profile Manager in OS X Server, set restrictions for the user (preferably for a group of users) on their iOS devices.
More details



















13. Time to work with the physical device. Put the iOS device into Supervised mode through Apple Configurator 2, enrolling it into the remote MDM (Mobile Device Management) server, which is our OS X Server. Supervision erases the device, so do it before the device is handed to an employee, and export and back up the supervision identity from Configurator: a device supervised by a host you no longer have can only be taken back by wiping it again.
More details




















After rebooting (before accepting the greeting screen), connect the iOS device to Apple Configurator 2 and upload to it the previously created profile with the Wi-Fi settings and a description of the device.









Accept the greeting on the iOS device, which is now in Supervised mode, and log in with the appropriate user created in OS X Server.


















14. Add all iOS devices to the Apple developer account.
More details
To add an iOS device to the developer account we need its unique identifier, the UDID. It can be obtained in three ways:
  • View it in iTunes;
  • View it in Apple Configurator 2;
  • Request it programmatically, by having the device install a profile-service profile that reports its attributes back to the server;

We will use the second option, since we are currently working in Apple Configurator 2. Registering UDIDs is needed for Ad Hoc signing only; an in-house (enterprise) provisioning profile covers all devices and does not require it.




















15. Prepare the enterprise application for distribution within the company in Xcode (Product > Archive).
More details




We are not going to publish the application in the App Store, so click Export... and choose Ad Hoc distribution (or Enterprise, if you have that membership) with the matching provisioning profile.














16. Upload the *.ipa package of the application to Profile Manager in OS X Server.
More details






In this window you see the list of enterprise applications available for distribution.
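Before uploading an .ipa to Profile Manager it is worth checking what it was actually signed for, because a build exported with the wrong provisioning profile installs fine on the server and then silently fails on the devices. The following Python script is an added example, not part of the article or of any Apple tool: it opens the .ipa (a zip file), reads the bundle's Info.plist and the plist embedded in embedded.mobileprovision, and reports whether the provisioning profile is in-house (covers all devices), Ad Hoc (a fixed device list), expired, or mismatched with the bundle identifier. The sample .ipa is constructed inside the script, with an unsigned provisioning plist wrapped in junk bytes; real profiles are CMS-signed, and the script deliberately does not verify that signature, it only cuts the plist out, so treat its verdict as a sanity check rather than a trust decision. The team ID, bundle names and UDIDs are made up.

```python
"""Inspect an .ipa before uploading it to Profile Manager.

Added example, not from the article. Checks the provisioning profile kind
(in-house vs Ad Hoc), its expiry, and whether its application-identifier
matches the bundle id. It does NOT verify the CMS signature around the
embedded.mobileprovision plist; it only extracts the plist.
"""
import datetime
import io
import plistlib
import zipfile


def _embedded_plist(blob):
    """embedded.mobileprovision is a CMS/PKCS#7 blob with the plist inside verbatim."""
    start = blob.find(b"<?xml")
    end = blob.find(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no plist found in provisioning profile")
    return plistlib.loads(blob[start:end + len(b"</plist>")])


def inspect_ipa(ipa_bytes, now=None):
    """Return a summary dict describing what the .ipa is signed for."""
    now = now or datetime.datetime.now(datetime.timezone.utc)
    with zipfile.ZipFile(io.BytesIO(ipa_bytes)) as z:
        app_dirs = {n.split("/")[1] for n in z.namelist()
                    if n.startswith("Payload/") and n.split("/")[1].endswith(".app")}
        if len(app_dirs) != 1:
            raise ValueError(f"expected one .app under Payload/, found {sorted(app_dirs)}")
        app = app_dirs.pop()
        info = plistlib.loads(z.read(f"Payload/{app}/Info.plist"))
        prov = _embedded_plist(z.read(f"Payload/{app}/embedded.mobileprovision"))
    bundle_id = info["CFBundleIdentifier"]
    # application-identifier is "TEAMID.bundle.id", "TEAMID.prefix.*" or "TEAMID.*"
    app_id = prov["Entitlements"]["application-identifier"]
    team_id, _, id_pattern = app_id.partition(".")
    if id_pattern == "*":
        id_matches = True
    elif id_pattern.endswith(".*"):
        id_matches = bundle_id.startswith(id_pattern[:-1])
    else:
        id_matches = bundle_id == id_pattern
    if prov.get("ProvisionsAllDevices"):
        kind = "enterprise"          # in-house: any device may install it
    elif "ProvisionedDevices" in prov:
        kind = "adhoc"               # only the listed UDIDs may install it
    else:
        kind = "appstore-or-development"
    expiry = prov["ExpirationDate"]  # plistlib returns naive UTC datetimes
    if expiry.tzinfo is None:
        expiry = expiry.replace(tzinfo=datetime.timezone.utc)
    return {
        "bundle_id": bundle_id,
        "team_id": team_id,
        "kind": kind,
        "device_count": len(prov.get("ProvisionedDevices", [])),
        "id_matches": id_matches,
        "expired": expiry <= now,
        "expires": expiry.isoformat(),
    }


def make_sample_ipa(kind="enterprise", bundle_id="com.example.polls", expired=False):
    """Constructed sample .ipa for the demo: a minimal Payload/Polls.app with an
    Info.plist and an *unsigned* provisioning plist wrapped in junk bytes that
    stand in for the CMS envelope. Team ID and UDIDs are made up."""
    prov = {
        "Name": "Corp In-House",
        "TeamIdentifier": ["ABCDE12345"],
        "Entitlements": {"application-identifier": "ABCDE12345.com.example.*",
                         "get-task-allow": False},
        "ExpirationDate": datetime.datetime(2015, 1, 1) if expired
                          else datetime.datetime(2030, 1, 1),
    }
    if kind == "enterprise":
        prov["ProvisionsAllDevices"] = True
    elif kind == "adhoc":
        prov["ProvisionedDevices"] = ["00008030-000A1B2C3D4E5F67",
                                      "00008030-0011223344556677"]
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("Payload/Polls.app/Info.plist",
                   plistlib.dumps({"CFBundleIdentifier": bundle_id,
                                   "CFBundleShortVersionString": "1.0"}))
        z.writestr("Payload/Polls.app/embedded.mobileprovision",
                   b"\x30\x82\x0b\x00" + plistlib.dumps(prov) + b"\x00junk-signature")
    return buf.getvalue()


if __name__ == "__main__":
    for kind in ("enterprise", "adhoc"):
        print(kind, inspect_ipa(make_sample_ipa(kind)))
```

For a real build, read the file from disk and pass its bytes to `inspect_ipa`; an `adhoc` result with `device_count` below the number of devices you plan to enroll, or `id_matches` false, means the export has to be redone before anything goes into Profile Manager.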




17. In Profile Manager in OS X Server, specify for the required user (preferably a group of users) which corporate applications to install on their devices. Then push the applications (start the remote installation).
More details
This is how an iOS device looks before applications are assigned to the user.



Add applications to the users.



We see the status of the settings / application installation.



"Suddenly" the enterprise applications begin installing on the device. The user takes no action.



Application installation is complete.



The infrastructure setup is now complete.


Distributing apps to employees with personal iOS devices



Employee action procedure
All an employee needs to do is:
  1. Go to the server site;
    http://os-x-server.com/mydevices
  2. Log in with an account created on OS X Server. Or, if the applications are common to everyone, authentication is not required;
  3. Click Enroll My Device. The iOS device appears in Profile Manager;
  4. After that, the installation of the applications available to the user begins.

Two caveats for the personal-device scenario. First, the portal and the enrollment profile must be reached over HTTPS with a certificate the phone trusts; if the address is downgraded to plain HTTP somewhere along the way, the enrollment profile, and with it the MDM server address and the user's credentials, travels in the clear. Second, enrolling a personal device gives the administrator the full MDM command set, including remote lock and wipe, so tell employees what the profile allows before they tap Install.

Unfortunately I did not keep screenshots of this process, given how simple it is, but you can grasp the gist from this video (it starts at the right moment). Scientifically this is called a "self-service portal". Almost like in a factory canteen.


Afterword



A conceptual description of OS X Server in Russian, although a little outdated, can be read here.

You can watch the latest videos on configuring individual OS X Server components here.

Note
The distribution method described in the article applies to any application built for iOS, i.e. it is identical for applications written in Xamarin, Cordova or natively. All you need is to create an *.ipa package signed with the right provisioning profile and upload it to Profile Manager.

I hope the article proves useful to iOS developers, beginners or not. Good luck!
