Posts Tagged ‘iOS’

Wishes Granted! Apple Configurator 1.4 and iOS 7

Wednesday, September 25th, 2013

Back in June, we posted about common irritations of iOS(6) device deployment, especially in schools or other environments trying to remove features that could distract students. Just like with the Genie, we asked for three wishes:

- 1. Prevent the addition of other email accounts, or 2. the sign-in (or creation!) of Twitter/Facebook(/Vimeo/Flickr, etc.) accounts

Yay! Rejoice in the implementation of your feature requests! At least when on a supervised device, you can now have these options show up as greyed out.

- 3. Disable the setting of a password lock…

Boo! This is still in the realm of things only an MDM can do for you. But at least it’s not something new that MDMs need to implement. More agile ways to interact with App Lock should be showing up in a lot more vendors’ products for a ‘do not pass go, do not collect $200’ way to lead a group of iPads through the exact app they should be using. Something new we’re definitely looking forward to for MDM vendors to implement is…

Over-the-Air Supervision!

Won’t it be neat when we don’t need to tether all these devices to get those extra management features?

And One More Thing

Oh, and one last feature I made reference to in passing, you can now sync a Supervised device to a computer! …With the caveat that you need to designate that functionality at the time you move the device into Supervise mode, and the specific Restriction payload needs setting appropriately.

We hope you enjoy the bounty that a new OS and updated admin tools bring.

Spelunking An iTunes Backup

Wednesday, June 12th, 2013

Say you’re excited about installing a particular beta of a particular mobile operating system, and are foolhardy enough to put it on a phone that was in use for business purposes. Let’s go even further, hypothetically, and say you had been using iCloud Backup, but made a backup with iTunes before upgrading… leaving about half a day gap, during which contacts were added. This is a phone that’s often used for testing and little else, so no accounts besides iCloud are configured and you don’t encrypt the backup because you don’t have passwords you want/need restored. After the beta upgrade completes, you restore the iCloud Backup, leaving out that one phone number that’s the direct line to a level two support group at a certain backup company. iTunes is just not fun to plug into, though, so let’s go spelunking in the backup it created.

First, I need to put the backup into a state I can interact with it in. For that I chose the product with the best domain name, http://supercrazyawesome.com, and its iOS Backup Extractor. I chose to put it all in tmp, so it gets dumped sooner rather than later, and found a promising database to sift through:

Following basic sqlite3 commands I found on @tvsutton’s site, I saw a promising table, ABPersonFullTextSearch_content. Sure enough, the contact info I was missing was there and I could pull it out to restore just that one contact I’d created.
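The same kind of search, sketched in Python as an added example (not code from the original post). The database is opened read-only so the extracted backup is not modified; the sample file, its column names and its rows are constructed, and only the table name comes from the post.

```python
import sqlite3
from pathlib import Path

TABLE = "ABPersonFullTextSearch_content"  # table name taken from the post


def quote_ident(name):
    """Quote a table or column name for safe use inside SQL text."""
    return '"' + name.replace('"', '""') + '"'


def open_readonly(path):
    """Open the extracted database so that SQLite refuses any write."""
    return sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)


def list_tables(conn):
    """Names of all tables, the first thing to look at in an unknown file."""
    rows = conn.execute(
        "SELECT name FROM sqlite_master WHERE type = 'table' ORDER BY name")
    return [name for (name,) in rows]


def search_table(conn, table, needle):
    """Rows of `table` in which any column contains `needle` literally."""
    if table not in list_tables(conn):
        raise ValueError(f"no such table: {table}")
    cols = [row[1] for row in
            conn.execute(f"PRAGMA table_info({quote_ident(table)})")]
    # Escape LIKE wildcards so a '%' or '_' in the search term stays literal.
    esc = needle.replace("\\", "\\\\").replace("%", "\\%").replace("_", "\\_")
    where = " OR ".join(
        f"CAST({quote_ident(c)} AS TEXT) LIKE ? ESCAPE '\\'" for c in cols)
    sql = f"SELECT * FROM {quote_ident(table)} WHERE {where}"
    cur = conn.execute(sql, [f"%{esc}%"] * len(cols))
    return [dict(zip(cols, row)) for row in cur]


def build_sample_db(path):
    """Write a small constructed database standing in for the extracted one."""
    conn = sqlite3.connect(path)
    conn.executescript(f"""
        CREATE TABLE {quote_ident(TABLE)} (
            docid INTEGER PRIMARY KEY, c0First TEXT, c1Last TEXT, c2Phone TEXT);
        INSERT INTO {quote_ident(TABLE)} VALUES
            (1, 'Alice', 'Example', '+1 555-0199'),
            (2, 'Level Two', 'Support', '+1 555-0100');
    """)
    conn.commit()
    conn.close()


if __name__ == "__main__":
    import os
    import tempfile
    sample = os.path.join(tempfile.mkdtemp(), "sample.sqlitedb")  # constructed
    build_sample_db(sample)
    db = open_readonly(sample)
    print(list_tables(db))
    for hit in search_table(db, TABLE, "support"):
        print(hit)
```
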

iOS 7 Management API and Apple Configurator Wishlist Quicky

Thursday, June 6th, 2013

We feel privileged to be living in the modern era: iOS device activation can happen over-the-air, and use of iTunes has almost completely been eclipsed by Apple Configurator. But it isn’t uncommon to hear the sysadmins being referred to as ‘the haters,’ since things can never be easy or nice enough for us. (And in reality, there’s still plenty of conflict and stress to go around without worrying about the reliability or functionality of our tools.) Besides the fact that enrollment profiles themselves can always be removed at any time by end users, there are also still surprisingly numerous things that would require manual interaction to manage, and missing integration with other Apple products. With something that could be called iOS7 potentially around the corner, and with no inside information, here are some of the things that still trip up the modern iOS deployment in certain environments.

As of this point in time, through the official management API and payloads documented in the canonical reference Apple provides, you cannot do the following:

Restrictions
- Disable the setting of a password lock
Especially in education, the accidental turning on of this ‘feature’ has probably sold MDM more than anything else
- Prevent the addition of other email accounts
File transfer and content distribution is still by no means a solved problem, and email has always been a ubiquitous option – but in certain environments we probably don’t want accounts added nilly-willy… (er, strike that, reverse…)
- Prevent the sign-in (or creation!) of Twitter or Facebook accounts
Yay for social media integration! Boo for education or other environments where these devices aren’t to be used ‘socially.’

Account addition OR creation

Apple Configurator can allow the handing out of documents to an app like Adobe Reader(which still has an unfortunate amount of Adobe’s interruptions in its first-time use experience,) and you can collect documents as well when assigned devices get checked back in. The two apps you CAN’T at present add content/documents to? Apple’s own iTunesU and iBooks apps! Nor can you pull in iMovie projects or pictures from the Camera Roll.

The longer you work with these things, the more corner/edge-cases you notice – like the fact you can’t use two MDM services on the same device. It makes sense when you know the moving parts and think about the ramifications, but it still can surprise folks because documentation doesn’t seem to warn against it. (That I’ve found, at least, feel free to correct us on the Twitter or elsewhere!) We mention these things not to say it’s a horrible experience to deploy the devices in most use cases, just to point out there’s always room for improvement and we’re excited to see what the next version might offer.

The State of Tablets in Schools

Thursday, January 3rd, 2013

Any managed IT environment needs policies. One of the obvious ones is to refresh the hardware on some sort of schedule so that the tools people need are available and they aren’t hampered by running new software on old hardware. Commonly, security updates are available exclusively on the newest release of an operating system. Tablets are just the same, and education has been seeing as much of an influx of iOS devices as anywhere else.

Fraser Speirs has just gone through the process of evaluating replacements for iPads used in education, and discusses the criteria he’s come up with and his conclusions on his blog.

A Simple, Yet Cautionary Tale

Friday, December 28th, 2012

While we don’t normally cover web development security basics, or find much to report when poking around in iOS apps, a great example of independent investigative tech journalism related to these topics broke late last week. On Nick Arnott’s (@noir) blog Neglected Potential, he expands on a previous post involving how data is stored within an app(nice shout-out to a personal fave, PhoneView by Ecamm,) to talk about how it communicates with whatever services it may be hooked up to. Generally speaking, SSL and PKI don’t magically solve all our issues(as comically referred to here: This is 2012 and we’re still stitching together little microcomputers with HTTPS and ssh and calling it revolutionary,) and end users reflexively clicking ‘accept’ on self-signed cert warnings is the front lines of the convenience vs. security battle. No, you shouldn’t send auth in plaintext just ’cause it’s SSL. (Yes, you should be seeding any straggler self-signed certs on the devices in your purview so you don’t need to say ‘just for this ONE site’s self-signed cert, please just click Continue’.) The fact that a banking user’s SSN was being sent to the app on every communication was… surprising, and was corrected immediately after the heightened interest resulting from the aforementioned blog post.

Security via public trust

After the publicity surrounding the post, however, folks were reassured by getting an immediate audience with the Director of Engineering at Simple, Brian Merritt(@btmerr.) Perhaps the flaw may have been considered too contrived a process for traditional(read: an email to their security team) channels at Simple to respond in a way that satisfied Mr. Arnott before he went ahead and published his post. “If only Jimmy had gone to the police,” the saying goes, “none of this would have happened” – please do note that while responsible disclosure was attempted, the issue is with PKI and not Simple itself, and updates were added to the post when clarifications were worth mentioning to present the facts in an even-handed manner. A key take-away is the fact that there is no live, zero-day exploit going on, just the relative ineffectiveness of PKI being exposed.

Although a process can enable the snooping of traffic, by default proxy’d SSL wouldn’t be allowed to start a session

But even more importantly, the fact that observing the traffic was even possible (thanks to CharlesProxy, also recently mentioned on @tvsutton‘s MacOps blog) highlights the ease with which basic internet security can be thwarted, and how much progress is left to be made. Of the improvements out there, Certificate Pinning is one of those ‘new to me’ concept enhancements regarding PKI, which luckily already has proposals in for review with the IETF. (An interesting contender from about a year ago is expounded on at the tack.io site.) There are quite a few variables involved that make intelligent discussion of the topic difficult for amateurs, but the take-away should be that you can inspect these things yourselves, as convoluted as it may be to get to the root cause of security issues. Hopefully we’ll have easier-to-deploy systems that’ll enable us to never ‘give up’ and use autosign again.

Thanks to Mr. Merritt, Michael Lynn and Jeff McCune for reviewing drafts of this post.

iOS and Backups

Wednesday, December 12th, 2012

If you’re like us, you’re a fan of our modern era, as we are (for the most part) better off than we previously were for managing iOS devices. One such example is bootstrapping, although we’re still a ways away from traditional ‘imaging’. You don’t need Xcode to update the OS in parallel, iPCU to generate configuration profiles, and iTunes for restoring backups anymore. Nowadays in our Apple Configurator world, you don’t interact with iTunes much at all (although it needs to be present for assisting in loading apps and takes a part in activation.)

So what are backups like now, what are the differences between a restore from, say, iCloud versus Apple Configurator? Well, as it was under the previous administration, iTunes has all our stuff, practically our entire base belongs to it. It knows about our Apple ID, it has the ‘firmware’ or OS itself cached, we can rearrange icons with our pointing human interface device… good times. Backups with iTunes are pretty close to imaging, as an IT admin would possibly define it. The new kids on the block(iCloud, Apple Configurator,) however, have a different approach.

iOS devices maintain a heavily structured and segmented environment. Configuration profiles are bolted on top(more on this in a future episode), ‘Userspace’ and many settings are closer to the surface, apps live further down towards the core, and the OS is the nougat-y center. Apple Configurator interacts with all these modularly, and backups take the stage after the OS and apps have been laid down. This means if your backup includes apps that Apple Configurator did not provide for you… the apps(and their corresponding sandboxed data) are no longer with us, the backup it makes cannot restore the apps or their placement on the home screen.

iCloud therefore stands head and shoulders above the rest(even if iTunes might be faster.) It’s proven to be a reliable repository of backups, while managing a cornucopia of other data – mail, contacts, calendars, etc. It’s a pretty sweet deal that all you need is to plug in to power for a backup to kick off, which makes testing devices by wiping them just about as easy as it can get. (Assuming the apps have the right iCloud-compatibility, so the saved games and other sandbox data can be backed up…) Could it be better? Of course. What’s your radar for restoring a single app? (At this point, that can be accomplished with iTunes and manual interaction only.) How about more control over frequency/retention? Never satisfied, these IT folk.

MacSysAdmin 2012 Slides and Videos are Live!

Thursday, September 20th, 2012

318 Inc. CTO Charles Edge and Solutions Architect alumni Zack Smith were back at the MacSysAdmin Conference in Sweden again this year, and the slides and videos are now available! All the 2012 presentations can be found here, and past years are at the bottom of this page.

Using Squidman as a Web Proxy for OS X

Thursday, October 27th, 2011

Squid is an open source package available at http://www.squid-cache.org that caches web files to a local server, increasing throughput for users and decreasing the amount of traffic on WAN connections. A Mac OS X software package named SquidMan, which includes Squid, is available at http://web.me.com/adg/squidman/index.html. SquidMan makes installing and using Squid much easier, giving nice buttons to use for management rather than managing Squid using configuration files.

Once SquidMan is downloaded, copy the SquidMan application bundle to the /Applications directory. Then open it. At the Helper Tool Installation screen click on the Yes button.

At the Squid Missing screen click on the OK button to install squid itself.

The Preferences screen then opens. Click on the Clients tab and, if you would like to restrict access to only a set of IP addresses, define them (or use the net mask to define a range).

Click on the General tab. Here, provide the following information:

  • HTTP Port: The port number that the proxy will run on.
  • Visible hostname: The hostname of the server (e.g. proxy.318.com).
  • Cache size: The total amount of space used for the proxy’s cache.
  • Maximum object size: The maximum size of single cached files.
  • Rotate logs: The frequency with which log files are rotated (I usually use Manually here).
  • Start Squid on launch: Automatically start squid when SquidMan is launched, and delay start by x number of seconds.
  • Quit Squid on logout: Define whether logging out of the server also stops squid.
  • Show errors produced by Squid: Displays squid’s errors in SquidMan.

Click on the Parent tab and define a proxy server that this one will use (if there is one, otherwise it just uses the web to directly access files). This feature is only used if you are daisy chaining multiple squid servers.

Click on the Direct tab and enter any sites that should not be proxied. Internal staging environments are a great example of sites that should bypass proxy servers.

At the Template tab, enter any custom variables.

Squid is usually used to cache and speed up web access, so the default configuration file is optimized for small files. In order to cache larger files effectively, change the configuration to allow for larger files (up to 64 megabytes) and allow for more total disk storage of cached files (up to 8 gigabytes in our tests for a few specific projects, but much larger is fine). This usually depends on the total available disk space on the machine which will run squid.

These are some of the options which we updated for a specific project we’re working on in the squid.conf (Template):

# add "transparent" only if using NAT to redirect http requests
http_port 3128 transparent
maximum_object_size_in_memory 65536 KB
cache_dir ufs /usr/local/var/squid/cache 8192 16 256
maximum_object_size 65536 KB

These days, we prefer to use squid running in NetBSD’s pkgsrc, although any method of installation (such as the squidman approach) should be acceptable.

Next, click on the SquidMan application which should have been running the whole time and click Start Squid.

The squid daemon then starts. Looking at the processes running on the host reveals that it is run as follows:

/usr/local/squid/sbin/squid -f /Users/admin/Library/Preferences/squid.conf

Client systems can then be configured to use the squid proxy, or a PAC (Proxy auto-config) file can be used to configure clients. Another option is transparent proxying:

rdr de0 0.0.0.0/0 port 80 -> (local Squid server) port 3128 tcp

Setting Up Additional Google Apps Calendars on an iOS Device

Monday, April 18th, 2011

Syncing and Managing Additional Google Apps Calendars on your iOS Device

Google Apps allows users to easily set up multiple calendars in their account and access other users’ calendars via a web browser or calendar client such as iCal or Outlook. Duplicating this functionality on iOS devices requires some additional configuration steps:

1. Configure your device(s) with Exchange Active Sync for your Google Apps account. See http://www.google.com/support/mobile/bin/answer.py?answer=138740&topic=14252 for instructions.
2. On your iOS device (iPad, iPhone or iPod Touch) use the Safari web browser to navigate to http://m.google.com
3. Scroll to the bottom of the page and tap the Google Apps user? button.
4. A popup will appear prompting you to Enter your Google Apps domain. Enter your domain (everything after the @ in your email address) and tap Go.
5. Sign into your Google Apps account if prompted.
6. A Google Mobile page will load, with buttons for various services. Tap the Sync button.
7. A Manage Devices page will load. Tap to select the device you would like to add/delete calendars from (i.e. your iPhone).
8. Tap to check the box next to each calendar you want to sync. Tap to uncheck any calendar you wish to stop syncing.
9. Click Save.

The calendars for which you enabled sync should now be displayed in the iOS Calendar app. You may have to tap Calendars to return to the calendar selection and turn on the additional calendars if they are not displayed immediately.

Note: these instructions differ slightly from the published Google instructions pertaining to generic Gmail accounts (primarily skipping steps 3 and 4). If you would like to set up additional calendars for your personal Gmail account, please follow the steps here: http://www.google.com/support/mobile/bin/answer.py?answer=139206

Enable AirPrint On Mac OS X Server

Monday, March 7th, 2011

Since the introduction of AirPrint in iOS version 4.2.1, a handful of shareware and freeware solutions have been introduced that allow iOS devices to use AirPrint to print documents on “unsupported” printers (namely, those printers that do not have the necessary AirPrint features built-in). This typically requires enabling printer sharing on a Mac system, as well as making a slight modification to the CUPS configuration file at /etc/cups/cupsd.conf, which the software typically does for you.

However, one of the more prominent solutions available, AirPrint Activator from Netputing.com, does not work properly on a Mac OS X Server system when following the provided instructions, which appear to be aimed at users running the non-Server version of Mac OS X. Here are the steps you can follow to get Mac OS X Server v10.6 to share printer queues to AirPrint-enabled iOS devices:

Prerequisites: Mac OS X Server v10.6.5 or later (I have only tested on 10.6.6), one or more networked or local printers, and one or more iOS devices running iOS 4.2.1

1. In the System Preferences > Print & Fax preference pane, delete all existing printer queues from the server.

2. Download AirPrint Activator from http://netputing.com/airprintactivator/ to the Mac OS X Server system from which you wish to host print queues.

3. Launch the AirPrint Activator program and slide the Activator switch to On (you will be prompted to authenticate).

4. With your favorite text editor, open the file /etc/cups/cupsd.conf

5. Locate the line that reads Browsing Off and change it to read Browsing On. Save the changes.

6. Open Server Admin and enable and Start the Print service.

7. Open the System Preferences > Print & Fax preference pane and add the printers that you wish to share, being sure to give the shared print queue a unique Sharing Name and Location. If you are only using the Print service to connect iOS devices, you may want to include “AirPrint” in the queue or location name (i.e., “AirPrint to Accounting Printer”).

8. In the Print service window, select the Queues tab and select the print queue you wish to share.

9. Enable the IPP protocol. You can enable the other protocols if you want to enable printer sharing to platforms beyond just your iOS devices.

10. Follow steps 7 through 9 with the other printers that you wish to use for AirPrint.

11. From an iOS device, open a supported document such as a PDF, JPG, or other printable file.

12. Click the box with a curved arrow pointing to the upper right to invoke the Print command.

13. Select the Printer from the menu and print your documents!

CIO: An Interview with Charles Edge on iPad 2

Friday, March 4th, 2011

Charles Edge, the Director of Technology for 318, was interviewed recently by CIO magazine, shortly after the announcement of the iPad 2. In the interview, enterprise viability of iPad 2 and a number of other items around iOS in the enterprise were discussed.

See the full article here:
http://www.cio.com/article/672117/Do_iPad_2_iOS_4.3_Make_Enough_Gains_for_Enterprise_?source=rss_news

318 Featured in IT Business Edge

Tuesday, December 28th, 2010

318 has been a leader in bringing iOS into the Enterprise for some time. We have been sitting alongside our customers, working to get iPhones integrated into organizations of all sizes for years. Since the release of the iPad the quantity of projects we are involved with continues to increase. Now, 318 has been featured in a slide show on IT Business Edge illustrating “how 318’s team is advising clients who are trying to bring iPads and iPhones into enterprise environment.”

And if you would like to discuss how your organization can deploy iPhone, iPad or iPod Touch please feel free to contact your 318 Professional Services Manager or sales@318.com for more information.

Book On Enterprise iOS Integration Available

Monday, December 20th, 2010

The 6th book from 318’s staff is now available: Enterprise iPhone and iPad Administrator’s Guide. In this title, Charles Edge, the Director of Technology at 318, takes a look at lessons learned in our numerous iOS integration projects, from procurement to deployment to patch management. Per the publisher, Apress, the following indicates who the book is intended for:

This book is intended for IT staff members that will be charged with planning an iPhone and ipad implementation or pilot program, as well as those that will be charged with ultimately deploying and provisioning the devices and delivering support to iPhone and iPad users. Readers should have an existing background in IT management, systems administration, and end user support working in a medium to large business or enterprise environment.

If you are considering doing a large scale integration or remediation project for iOS-based devices in your environment then contact your 318 Professional Services Manager or sales@318.com for more information on how 318 can assist you in your endeavors.

318 Press Releases

Friday, December 17th, 2010

Today, 318 released two press releases pertaining to initiatives within the mobility space. These include the following:

http://www.marketwire.com/press-release/Challenged-by-Deployment-of-Apple-iPads-in-Your-Enterprise-Tips-From-318-Consulting-1371111.htm

http://www.marketwire.com/press-release/Leading-Enterprise-Class-Apple-Consultancy-318-Becomes-iPad-Reseller-1371114.htm

Also worth note is that 318 has been a reseller for Research in Motion, the makers of the Blackberry and Blackberry Enterprise Server, Google Apps and a number of other solutions that fit nicely into the mobility space. If you would like to discuss any of these topics please reach out to us at 877.318.1318 for more information on services and products that 318 can work to integrate and manage for your organization.

iPhone iOS 4 Software Update

Tuesday, June 29th, 2010


The newest release of the iPhone operating system, the re-branded iOS 4, launched last week from Apple’s busy servers. According to Apple, iOS 4 works with iPhone 4, iPhone 3GS and iPhone 3G (but not all new features are supported on older hardware). The update will also install on second and third generation iPod Touch devices.

As with all major software upgrades, be sure to backup your current environment using iTunes before proceeding with the installation. This Apple knowledge base article describes the process in detail.

The upgrade process is also managed in iTunes and took a fair amount of time to complete on an iPhone 3GS. Reports of slowness and instability on older hardware were confirmed on one test 3G unit we tried, but others report no issues.

So what do you get after upgrading? Some key features:

  • Folders – works as advertised and helps reduce the number of pages you need to scroll through to find the app you need.
  • Mail Improvements – welcome options for combined inbox and threaded discussions.
  • Multitasking (3GS and 4 only) – double-click the home button to reveal a row of other running apps you can switch to right away. Might take some time to get used to this one.
  • Home screen wallpaper (3GS and 4 only) – purely cosmetic, but nice in day-to-day use.
  • iBooks app – just like the iPad version, only smaller. Bookmarks are supposed to sync between the two versions, but it doesn’t seem like one knows what the other actually holds as far as books go.
  • Camera – older hardware gets the digital zoom feature, but quality is, well, like a digital zoom.
  • Bluetooth keyboard support – haven’t tried this, but could be useful.

The new iPhone 4 hardware enhances some features of iOS, such as FaceTime video conferencing, improved camera performance, HD video support/editing and the high-quality retina display.

To find out more about how to utilize the iPhone platform in your organization, call your 318 account manager today, or email sales@318.com for more information.

Access File Shares from iPad

Wednesday, April 21st, 2010

Note: For more information about the information contained in this article, contact us for a professional consultation.

As the iPad ekes its way into businesses we’re starting to hear a very common question: How do I access my files on the server? While you can enable WebDAV on most modern file servers and access data that way, or look to the cloud, many simply want a way to tap into existing SMB file shares. Well, you’re in luck!

Stratospherix (http://www.stratospherix.com) has released FileBrowser, an application for the iPad that can mount a file share and provide access to the resources on the share. FileBrowser will allow you to connect to servers and then access files as you would from a regular desktop computer, wirelessly or over a network connection.

If you find that you cannot access file shares once installed, we have seen some policy issues on file servers (mostly those that do double-duty as a domain controller); if you are remote, you might need to either forward ports to the server or first establish a VPN into the environment. If you still cannot access them, contact your 318 account manager and we will be happy to assist with any needs you might have.

Happy File Browsing!

Pushing Mail Configurations to iPhone

Monday, May 11th, 2009

First, you need to download the iPhone configuration utility. You can find it at http://support.apple.com/downloads/iPhone_Configuration_Utility_1_1_for_Mac_OS_X

Once you have downloaded and installed it, go to your /Applications/Utilities folder and find the iPhone Configuration Utility app.

Open that up and go to the Configuration Profiles and click on New up on the top menu bar.

From there it will give you a bunch of different parameters that you can customize for a given profile. If you go to the Email tab, you can configure mail for the client so that all they have to do is just enter their password and it will set it up by itself.

Once you are done with all of the configurations, you can either export it or just email it by either of the 2 buttons on the top menu bar.

Once it is mailed to the client, they will just have to agree to install it on their phone, entering their password, and then they have the settings.

You want to make sure that if they had a previously set up email address with these settings you are sending them, that they delete that account. You will have to email it to a different email address than the one it will be setting up.

————————

To delete the account, on the iPhone, go to the Settings – General – Profiles. You can uninstall the profile from that screen.
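A profile of the kind described above, built and checked in code rather than in the utility's GUI; this is an added example, not part of the original post. Hostnames, identifiers and function names are constructed, and the payload keys are those of Apple's mail payload in the configuration profile format. The audit step reflects the post's workflow: the user types the password on the phone, so a profile that travels by e-mail should not carry one.

```python
import plistlib
import uuid

# Keys that would embed a mailbox password in the profile itself.
PASSWORD_KEYS = ("IncomingPassword", "OutgoingPassword")


def build_mail_profile(address, username, imap_host, smtp_host, org_id):
    """Return .mobileconfig bytes for one IMAP account, with no password set."""
    mail = {
        "PayloadType": "com.apple.mail.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_id}.mail",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Mail account",
        "EmailAccountType": "EmailTypeIMAP",
        "EmailAccountDescription": "Company mail",
        "EmailAddress": address,
        "IncomingMailServerHostName": imap_host,
        "IncomingMailServerPortNumber": 993,
        "IncomingMailServerUseSSL": True,
        "IncomingMailServerAuthentication": "EmailAuthPassword",
        "IncomingMailServerUsername": username,
        "OutgoingMailServerHostName": smtp_host,
        "OutgoingMailServerPortNumber": 587,
        "OutgoingMailServerUseSSL": True,
        "OutgoingMailServerAuthentication": "EmailAuthPassword",
        "OutgoingMailServerUsername": username,
        "OutgoingPasswordSameAsIncomingPassword": True,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": org_id,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Company mail",
        "PayloadContent": [mail],
    }
    return plistlib.dumps(profile)


def audit_mail_profile(profile_bytes):
    """List findings worth fixing before the profile is e-mailed to a user."""
    findings = []
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.mail.managed":
            continue
        for key in PASSWORD_KEYS:
            if payload.get(key):
                findings.append(f"{key} is embedded in the profile")
        for side in ("Incoming", "Outgoing"):
            if not payload.get(f"{side}MailServerUseSSL", False):
                findings.append(f"{side} server does not require SSL")
    return findings


if __name__ == "__main__":
    data = build_mail_profile(
        "user@example.com", "user",              # constructed account
        "imap.example.com", "smtp.example.com",  # constructed hosts
        "com.example.profile")                   # constructed identifier
    print(audit_mail_profile(data) or "no findings")
```
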