Upcoming changes to on-boarding iOS devices to MDM
Later this year, Apple will be introducing a new workflow for manual profile installations. To improve the overall security of the platform, this change requires users to complete the installation of configuration profiles in the Settings app when enrollment is initiated via a website or email message.
Why is Apple making this change?
From our discussions with Apple, the primary driver for this change is to protect all iOS devices from malicious profile installation. iOS devices are inherently secure mobile devices out of the box. The operating system and hardware work together to protect user data and privacy, which is one of the main reasons for their success in the enterprise space.
Apple is splitting the process of downloading and installing a profile to prevent users from being deceived into unintentionally installing one. Attackers could trick users into installing configuration profiles (VPN or malicious MDM profile) from websites or email attachments in one smooth flow that users can click through. With the latest iOS beta, even if a user were to encounter a malicious website or email attachment that attempted to install a configuration profile, the profile will only download automatically; the user must then consciously complete the installation by navigating to the Settings app.
How does this impact enrollment into MDM?
This new workflow only impacts the initial enrollment into MDM. Protection from misuse is increased with only one extra step required from the user enrolling the device. In the current public release of iOS (iOS 12.1.3 and earlier), users enrolling into MDM will originate in or be taken to Safari, be prompted to download a profile, and be automatically redirected to the device Settings to install that profile. In the upcoming enrollment workflow, users will no longer be automatically redirected from Safari to the device Settings. Users must now manually navigate to the Settings app and install the downloaded profile.
This change does not affect device enrollment in Apple Business Manager or Apple School Manager, nor does it affect configuration profiles installed via MDM (such as Wi-Fi, passcode, etc.).
When can we expect this change?
Apple’s support article states that this change is already part of the latest beta and will be arriving in a future version of iOS 12. Organizations have the opportunity today to beta test this new workflow and prepare for its release.
How to prepare for this change?
We are making updates to the Workspace ONE UEM platform as well as Workspace ONE Intelligent Hub to include instructions and navigation links, where possible, in the enrollment flow to help users complete enrollment successfully.
Please subscribe to our Knowledge Base article for more updates on the experience for web enrollment and app-based enrollment with the Hub application.
We also recommend that you download the latest beta of iOS at https://appleseed.apple.com, test this new enrollment experience in the environment your organization typically uses for testing, and report any feedback to us or Apple. The Apple Seed for IT program also includes a new test plan for the profile installation changes that we encourage customers to leverage.