The following five guest posts are written by David Colville, with some light editing by me. I first met David online in 2015 when I was exploring Microsoft PowerBI and its suitability for educational analytics at St Andrew’s College. David connected me with Datacom New Zealand and their BI Team and the rest, as they say, is history. Since the initial introduction, our paths have crossed digitally many times, yet only once in person! Recently we chatted online about using Intune to manage iOS devices in educational contexts and from there the idea of a series of blog posts emerged. We have decided to split these reasonably technical and lengthy posts into the following five topics:
- Intune & iOS – Setting Up
- Intune & iOS – Adding iOS Devices Using Device Enrollment Program (DEP)
- Intune & iOS – Assign Applications To Devices
- Intune & iOS – Setting Up Profiles
- Intune & iOS – Building A Custom Profile
I am really thrilled to have David share his expertise in these posts and it highlights the value of building a Professional Learning Network (PLN) online, as without our initial virtual engagements, I would not have had access to his knowledge and skills. So I extend a huge thanks to David and strongly encourage you to connect with him on Twitter.
Setting Up / Creating Profiles:
Once you’ve set up a device and added applications (as demonstrated in the previous three blog posts), you will often want to set up what are called Profiles that provide custom restrictions on the iPad.
Most commonly Profiles are used for minimizing access to Adult Content, or making sure that you’re distributing Apps via the Mobile Device Management (MDM) platform, in this case Intune, rather than leaving the Apple Store active for end users to simply install whichever Apps they choose. Another use of Profiles is to install certificates on a device, for example to enable it to authenticate to a wireless network.
Apple uses the ‘Configuration Profile’ method for pushing settings out to devices – these can be settings delivered to both iOS devices (iPads or iPhones) and macOS computers (MacBook Air/Pro etc). These settings are deployed through an XML-formatted ‘mobileconfig’ file. These files can be installed in a few different ways, but most commonly this is done via an MDM like Intune or by using Apple’s own software, called ‘Apple Configurator.’
Apple have a large reference site of the XML configurations available on this page, and in Intune there is a section where you can define these settings through the “Device Configuration – Profiles” blade.
To get started, create a new profile of type “Device Restrictions” and you’re prompted with a wide range of settings:
Apple have provided a really extensive range of settings that can be configured through the use of Profiles and it is worth checking these out for yourself and identifying those that best fit your schooling environment. The following are some that I regularly apply for a K-6 school.
The “General” section includes restrictions around “Account Modification.” This is incredibly useful if you want to automatically set up email accounts via your MDM (in this case, Intune), but prevent the user from being able to remove them. You can also prevent the user changing the device name or being able to erase the device (which would result in it becoming un-managed at the same time):

Note the ease of changing configuration settings – you simply choose to “Allow” or “Block” or leave “Not Configured” which means the end user can modify that setting on the device.
Another group of settings commonly restricted through Profiles is the App Store, Document Viewing and Gaming section, which includes the ability to lock down the App Store and, crucially, In-App Purchases (to avoid any unexpected surprises on the credit card!):
Lastly, the “Built-In Apps” section may have some restrictions you’d like to control such as access to the News, Music and other default Apple Apps that you might want to prevent students from using:
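To tie the GUI settings above back to the underlying ‘mobileconfig’ XML, the following added example (not part of the original post, and not Intune’s own code) builds a small unsigned profile and audits its restrictions payload against a baseline. The key names come from Apple’s Restrictions payload (`com.apple.applicationaccess`); the baseline, identifiers and UUIDs are constructed placeholders, and a signed profile would need its signature wrapper removed before parsing.

```python
import plistlib

# Apple restriction keys matching the settings above; False corresponds to "Block".
EXPECTED = {
    "allowAccountModification": False,
    "allowDeviceNameModification": False,
    "allowEraseContentAndSettings": False,
    "allowAppInstallation": False,
    "allowInAppPurchases": False,
    "allowExplicitContent": False,
}

def build_sample_profile() -> bytes:
    """Constructed, unsigned sample profile; identifiers and UUIDs are placeholders."""
    restrictions = {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadIdentifier": "example.school.restrictions",
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",
        "PayloadVersion": 1,
        "allowAccountModification": False,
        "allowDeviceNameModification": False,
        "allowAppInstallation": False,
        "allowInAppPurchases": True,  # left open on purpose for the audit
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadDisplayName": "K-6 Restrictions (sample)",
        "PayloadIdentifier": "example.school.profile",
        "PayloadUUID": "00000000-0000-0000-0000-000000000002",
        "PayloadVersion": 1,
        "PayloadContent": [restrictions],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)

def audit_profile(data: bytes, expected=EXPECTED) -> dict:
    """Return {key: reason} for each expected restriction the profile does not enforce."""
    payloads = [p for p in plistlib.loads(data).get("PayloadContent", [])
                if p.get("PayloadType") == "com.apple.applicationaccess"]
    findings = {}
    for key, want in expected.items():
        values = [p[key] for p in payloads if key in p]
        if not values:
            findings[key] = "not configured"
        elif want not in values:  # assumption: any payload with the blocking value enforces it
            findings[key] = f"set to {values[-1]!r}, expected {want!r}"
    return findings

if __name__ == "__main__":
    for key, reason in audit_profile(build_sample_profile()).items():
        print(f"{key}: {reason}")
```

A key reported as “not configured” is the XML equivalent of leaving a setting at “Not Configured” in Intune: the key is simply absent from the payload, so the device keeps its default behaviour.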
Assigning Profiles To Devices:
Once you’re comfortable with these settings and creating a Profile, you can “assign” them to a group of devices, in a way that is similar to assigning Apps to devices in the previous blog post.
The easiest way to create a group of devices is through the “Users” section – where you can build up dynamic groups. These dynamic groups will search for all devices based on criteria that you define, for instance, here is my group for all iOS devices (both iPads and iPhones):
Note that in my testing this took around 15 minutes to reflect the devices I was expecting to appear in my dynamic group. This may have been due to them needing to be inventoried on their initial enrollment into Intune.
Once the devices started showing up I went back to the “Device Configuration – Profiles” blade in Intune and used the Assignments section to apply my restriction to the “All iOS Devices Group”:
Again, this took around 15 minutes to apply to the iPads – it would appear that Intune restricts sending out the Push Notifications required for the policies to apply to a rotating schedule of once every 15 minutes.
Recap:
In this blog post we have learnt how to apply just a small number of the restrictions Apple allows to iPads and iPhones through the use of Profiles. Intune is growing this list within the Graphical User Interface (GUI) all the time, however there is a lot more that can be done using the XML keys provided by Apple.
In the final blog post in this series, we will explore how we can create Custom Profiles within Intune, essentially using the raw XML keys to provide additional settings and restrictions that are not currently directly configurable within Intune’s GUI. Custom Profiles are a critical feature of Intune as they give an administrator the ability to replicate any other feature provided in other MDMs.