apple

what’s new in enterprise – iOS14 and macOS Big Sur

apart from the consumer features of iOS with its homescreen widgets, app library, app clips or picture-in-picture and many other features (already available in Android) – so, what’s new about managing the new release for enterprise use with mdm?

iOS 14 release date, beta, features and compatible iPhones @techradar

announced at wwdc 2020, the upcoming releases are packed full of features even for enterprise, a lot of lessons learned from iOS were transferred to macOS – some highlights in my opinion:

  • macOS enrollment – more seamless with detailed options to ease the onboarding process
  • auto advance for mac – added an offline enrollment method that just requires a network connection and power
  • lights out management for mac pro, payload via mdm
  • user enrolled macOS are supervised !!!
  • macOS managed software – defer updates up to 90 days, same as for iOS or force update
  • macOS managed apps – remove by mdm, managed app configuration or convert from managed to unmanaged
  • download profiles for macOS – privacy from iOS to prevent mistakes and manually install profile iOS-style
  • shared iPad for business – multi user device with managed apple id via apple’s abm
  • non-removable managed apps – homescreen layout advanced to allow rearrange but prohibit uninstall of apps
  • managed open-in supports the shortcuts app
  • set timezone – without location service
  • per account vpn – mail, contacts, calendar for the same domain
  • encrypted dns
  • randomized wifi mac

about managing apple devices at wwdc @apple


read more about how to join and even downgrade from beta

apple

iOS client certificate authentication or iOS13.5 – the real important fix

“Apple Safari before 6.2.5, 7.x before 7.1.5, and 8.x before 8.0.5 does not properly select X.509 client certificates, which makes it easier for remote attackers to track users via a crafted web site.”

https://nvd.nist.gov/vuln/detail/CVE-2015-1129#VulnChangeHistoryDiv

Impact: Users may be tracked by malicious websites using client certificates

Description: An issue existed in Safari’s client certificate matching for SSL authentication. This issue was addressed through improved matching of valid client certificates.

security content of iOS 9 @apple

apple

jailbreaking made easy for everyone [update: fix out now]

even with the current release of iOS13.5 it is possible to jailbreak an iOS device, either to customize your design or, even worse, to get around system-level security

  • first you need to download AltStore, which also sideloads any ipa without a jailbreak
  • trust the app as developer in settings on your device
  • open unc0ver.dev and select “Open in AltStore”
  • open unc0ver to perform the jailbreak
  • done, now check the Cydia app for tweaks, e.g. OpenSSH
we’re connected via putty

but in my opinion…

  • requires a desktop with macOS/Win10/Linux to perform
  • AltServer works for just a single device at a time
  • unc0ver needs to be executed again after a device reboot
  • iOS 13.5.1 beta already fixed it [update: it is fixed right now]
  • minor benefit for personal use
  • enterprises are aware of this issue and scan devices with UEM and Advanced Threat Detection

it will always be a cat-and-mouse game 

apple

how to install an old version of an iOS app

usually it’s not that simple for apple users to install a previous version of an app, sideloading of apps is reserved for android devices or only available in the cydia store via an iOS jailbreak

TestFlight is apple’s beta testing service to test pre-release versions with new features, it supports up to 10.000 testers invited per mail or via shared link, you’re able to install newer and even older versions of the invited app, and switching between versions is possible, but builds remain active for just 90 days

the link will refer to the previously installed TestFlight app, select the shared beta app and select any previous build

apple, security

iOS VPNonDemand gets “inactive”

recently we noticed VPN wasn’t working, could be the disabled connect on demand option – nope – the entire VPN configuration was inactive?!

a bit of history: apple introduced VPN on demand (VPoD) back in iOS 5, it requires certificate authentication to be set up – at first it was only possible to define single domains, over the years it advanced to ignore, evaluate or disconnect for certain domains – along with iOS 7 apple introduced Per-app VPN to connect specific apps – since iOS13 it is even possible to tunnel just mail/calendar/contacts domains

noticed that this just happened for VPoD configurations, even if just a single domain overlaps in the OnDemand rules, it is always the last pushed VPN configuration that is active

even when all other obsolete profiles are removed, the VPN config stays in its current state, even if it’s the last remaining configuration

you either manually enable the desired config or repush the config via MDM to remote enable
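a pre-push check for the overlap described above, as an added example (not part of the original post and not vendor code): it reads unsigned .mobileconfig plists and lists VPN payloads whose On Demand domains clash with an earlier pushed one. the sample profiles are constructed, and treating a parent/subdomain pair as an overlap is an assumption.

```python
import plistlib

def on_demand_domains(profile_bytes):
    """Map each VPN payload name in a .mobileconfig to its On Demand domains."""
    found = {}
    for payload in plistlib.loads(profile_bytes).get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.vpn.managed":
            continue
        domains = set()
        # On Demand keys live in a nested dict (VPN, IPSec or IKEv2): scan them all
        for sub in (v for v in payload.values() if isinstance(v, dict)):
            rules = sub.get("OnDemandRules", []) if sub.get("OnDemandEnabled") else []
            for rule in rules:
                domains.update(rule.get("DNSDomainMatch", []))
                for param in rule.get("ActionParameters", []):
                    domains.update(param.get("Domains", []))
        name = payload.get("UserDefinedName", payload.get("PayloadIdentifier"))
        found[name] = {d.lower().lstrip("*.") for d in domains}
    return found

def overlaps(a, b):
    """Assumption: equal names or a parent/subdomain pair count as overlap."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)

def find_conflicts(profiles_in_push_order):
    """Return (earlier_vpn, later_vpn, overlapping_domains) per clashing pair."""
    seen, conflicts = [], []
    for blob in profiles_in_push_order:
        for name, domains in on_demand_domains(blob).items():
            for old_name, old_domains in seen:
                shared = sorted(d for d in domains
                                if any(overlaps(d, o) for o in old_domains))
                if shared:
                    conflicts.append((old_name, name, shared))
            seen.append((name, domains))
    return conflicts

def sample_profile(name, vpn_type, domains):
    """Constructed sample profile for this example, not a real deployment."""
    rule = {"Action": "EvaluateConnection", "ActionParameters": [
        {"Domains": domains, "DomainAction": "ConnectIfNeeded"}]}
    vpn = {"PayloadType": "com.apple.vpn.managed", "UserDefinedName": name,
           "VPNType": vpn_type,
           vpn_type: {"OnDemandEnabled": 1, "OnDemandRules": [rule]}}
    return plistlib.dumps({"PayloadContent": [vpn]})

SAMPLES = [sample_profile("Corp VPN", "IKEv2", ["corp.example.com"]),
           sample_profile("Lab VPN", "IKEv2", ["*.lab.corp.example.com"]),
           sample_profile("Partner VPN", "IPSec", ["partner.example.net"])]
print(find_conflicts(SAMPLES))
```

each reported pair names the earlier config first, which is the one to re-enable or repush after the later one has been installed.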

apple

current bundle id’s of iOS devices

the bundle ids of apple’s current iOS 13 apps are useful to sort icons in a homescreen layout or to block dedicated apps on supervised iOS devices

Activity com.apple.Fitness
Apple TV Remote com.apple.TVRemote
AppStore com.apple.AppStore
Books com.apple.iBooks
Calculator com.apple.calculator
Calendar com.apple.mobilecal
Camera com.apple.camera
Classroom com.apple.classroom
Clips com.apple.clips
Clock com.apple.mobiletimer
Compass com.apple.compass
Contacts com.apple.MobileAddressBook
Facetime com.apple.facetime
Feedback Assistant com.apple.appleseed.FeedbackAssistant
Files com.apple.DocumentsApp
Find Friends com.apple.mobileme.fmf1
Find iPhone com.apple.mobileme.fmip1
Find My com.apple.findmy
GarageBand com.apple.mobilegarageband
Health com.apple.Health
Home com.apple.Home
iCloud Drive com.apple.iCloudDriveApp
iMovie com.apple.imovie
iTunes Store com.apple.MobileStore
iTunes U com.apple.itunesu
Mail com.apple.mobilemail
Maps com.apple.Maps
Messages com.apple.MobileSMS
Measure com.apple.measure
Music com.apple.Music
News com.apple.news
Notes com.apple.mobilenotes
Phone com.apple.mobilephone
Photos com.apple.mobileslideshow
Photo Booth com.apple.Photo-Booth
Podcasts com.apple.podcasts
Reminders com.apple.reminders
Safari com.apple.mobilesafari
Settings com.apple.Preferences
Shortcuts com.apple.shortcuts
Stocks com.apple.stocks
Tips com.apple.tips
TV com.apple.tv
Videos com.apple.videos
Voice Memos com.apple.VoiceMemos
Wallet com.apple.Passbook
Watch com.apple.Bridge
Weather com.apple.weather


apple, technology

iOS13 just released, but already updated

…with some interesting features:

  • share ETA in maps
  • dynamic wallpapers
  • icon of volume slide

even for enterprise mobility there is an interesting feature: with iOS13.1 it’s possible to silently update an app, it will close, update and continue in kiosk/single app-mode.

more about apple developer beta at beta.apple.com

or read about how to downgrade beta

https://madereal.blog/2019/03/19/downgrade-beta/
apple, innovation

whole new iOS13 with more privacy in enterprise

tim cook recently spoke about user data and privacy, while criticizing technology companies, like google or facebook

iOS is enterprise’s first choice for mobile activity, egnyte‘s enterprise insight showed a clear weighting and content is getting more and more mobile


the biggest change since iOS5 introduced supervised devices and open-in management debuted in iOS7

iOS 13 will be available in fall 2019 – since google is pushing hard with android enterprise to fit business needs, with its built-in containerization based on samsung’s KNOX – iOS 13 provides more granular security and better privacy restrictions

enrollment methods

thousands of iOS devices have already been rolled out, either by manually installing an mdm profile (uamdm) or centrally with the device enrollment program (dep), to get the device under control of a unified endpoint management (uem) – additionally you can set your iOS device as supervised either during dep enrollment or via apple configurator connected to a mac

newly added – user enrollment – previously an administrator of a managed device was able to retrieve the installed apps, remove the passcode or wipe the entire device – at least the privacy controls of the registered uem prohibit these features to individuals – with user enrollment there are huge improvements to the user’s privacy

  • user needs to log in with a managed apple id
  • uem is unable to retrieve device information like IMEI, serial or mac address
  • private apps aren’t reported to uem
  • no control over the device passcode and no wipe of the entire device
  • the configuration of wifi, vpn or exchange accounts will still be available
  • other existing restrictions are reserved for supervised devices, see listing below

restriction changes

  • allowSafari, available since iOS 4, requires a supervised device as of iOS 13
  • allowVideoConferencing, available since iOS 4, requires a supervised device as of iOS 13
  • allowWiFiPowerModification, available for supervised iOS 13 devices
  • safariAllowAutoFill, available since iOS 4, requires a supervised device as of iOS 13
  • allowAddingGameCenterFriends, available since iOS 4.2.1, requires a supervised device as of iOS 13
  • allowAppInstallation, available since iOS 4, requires a supervised device as of iOS 13
  • allowCamera, available since iOS 4, requires a supervised device as of iOS 13
  • allowCloudBackup, available since iOS 5, requires a supervised device as of iOS 13
  • allowCloudDocumentSync, available since iOS 5, requires a supervised device as of iOS 13
  • allowCloudKeychainSync, available since iOS 7, requires a supervised device as of iOS 13
  • allowContinuousPathKeyboard, available for supervised iOS 13 devices
  • allowExplicitContent, available since iOS 4, requires a supervised device as of iOS 13
  • allowFindMyDevice, available for supervised iOS 13 devices
  • allowFindMyFriends, available for supervised iOS 13 devices
  • allowiTunes, available since iOS 4, requires a supervised device as of iOS 13
  • allowMultiplayerGaming, available since iOS 4.1, requires a supervised device as of iOS 13

read a full list of apple’s device management restrictions here

Sign in with Apple vs. managed Apple ID

while sign in with apple is the approach to compete with google or facebook as an identity provider (idp) for external services, managed Apple IDs for business on the other hand were so far used to manage functions of Apple Business Manager – since WWDC 2019 a managed Apple ID is necessary to register with user enrollment – enterprises create additional accounts for byod users to add to their devices, which keeps data completely separated between both accounts, hopefully compared to now:

iPadOS

along with iOS13 apple separates the path between iPhone and iPad with a standalone OS, finally iPadOS can provide more features to the tablet, a classic desktop replacement could be possible – view the demo below

stay tuned for the final release around mid-september, likely with the new 2019 iPhone


apple, google, innovation, microsoft, technology

windows 10 is (still) mobile

by the end of this year microsoft will end the support for windows 10 mobile on december 10 2019, the october release 1709 was the last update back in 2017

since microsoft wasn’t able to get a remarkable footprint in the mobile business, windows phone failed and was relaunched as windows 10 mobile .. there are still ways to combine windows 10 and mobile

launcher 10 – android launcher

i was a huge fan of windows 10 mobile and its live tile design, but missing enterprise features and apps forced me to look for other opportunities

launcher 10 offers the beloved windows phone design for android smartphones as a separate launcher, sort and resize your tiles, including a paid feature of live tiles

live tiles are deprecated by microsoft, and microsoft missed removing all references, so it’s possible to do a subdomain takeover, the service is still online http://www.buildmypinnedsite.com/

your phone app companion

every windows 10 embeds a feature to connect your ios or android phone, to be able to remotely use features like sending messages, accessing media from your device or synchronizing file changes between devices

with its current windows 10 insider preview build 18885 (20H1) microsoft added notifications for android devices – stop reaching for your phone to check your notifications, with features like

  • see incoming phone notifications in real-time
  • view all of your phone notifications in one place
  • customize which notifications you want to receive
  • clear notifications individually or all at once

read more about productivity with a second screen

3rd party services

other apps like airdroid, pushbullet, mightytext and others also offer the ability to compose and receive messages from the desktop, transfer files without a wired connection and of course receive push notifications directly from the device – additionally this is possible within your browser, independent of your platform os or even device, when using a webservice

apple

if you’re using an apple device you probably own a mac and should use features like universal clipboard, making calls with your mac, sending and receiving messages or handoff to continue immediately between devices where you stopped before, everything connected to icloud

use continuity to connect your mac, iphone, ipad, ipod touch, and apple watch