If you’re unfamiliar with MDM, VPP, Supervision, and DEP, read below for a quick primer on how these pieces work together to allow for easy remote app installation. If the pressures of the modern day economy and the strength of your coffee are shouting “ONWARD WITH HASTE!” here are the Cliff’s Notes:
- Create an MDM account supporting Apple iOS like SimpleMDM.
- Put your devices in supervised mode, if possible. Here’s a helpful video.
- Enroll your devices with your MDM account.
- Make sure your MDM is configured to use device VPP assignment. If you used the above link to create an account, you’re good to go.
- Select the apps you want to install and push them to your devices. Done!
Though the technology has been available for years, many companies that are new to managing mobile devices are unaware of the great solutions available for installing mobile apps to a fleet of iPads and iPhones automatically. I have personally come across countless instances where an internal IT employee was setting up appointments and call company employees at remote locations to guide them through the process of installing or updating a business app on their device. There’s a better solution, and I’ll outline the best process here.
Enter Mobile Device Management
Mobile Device Management (commonly abbreviated and referred to as “MDM”) is both a product category as well as a protocol.
Apple, Android, Windows, and most modern mobile operating systems implement some degree of MDM. MDM is a communication channel that allows a remote piece of software to configure, protect and monitor the device itself. The degree of this control varies based on OS and configured options, allowing most companies and individuals to strike an agreeable balance between functionality and privacy.
An entire product category has sprung up around this functionality. As interacting with devices via the MDM channel would be next to impossible to do manually, these products simplify the interaction and allow you to leverage the entire capabilities of MDM with a few clicks in your web browser. Leading services such as SimpleMDM, Bushel, and Airwatch are good examples of this.
The nomenclature can be confusing at times, with many offerings touting themselves as EMM (enterprise mobility management), MAM (mobile application management), amongst others. These terms do have different meanings, but t they are often abused. Point being: avoid taking these terms at face value. Drill into the features and functionalities of a product to really understand it.
The subcategory of MDM functionality that is relevant to this article is the ability to manage mobile apps. Most providers will allow you to install free app store apps and paid apps remotely. The more feature-complete ones will allow to you install enterprise iOS apps remotely, too. Using MDM to manage apps is extremely powerful. You can select as many devices as you want and ‘push’ a number of mobile apps to them all at once. Can you imagine having to install a couple apps on 100 devices manually?
Avoid These Pitfalls
The devil can be in the details when it comes to app deployment and I want to outline the most common gotchas and pitfalls.
Apple ID Management
For paid apps, Apple expects a company to utilize their Volume Purchase Program (VPP) to purchase app licenses. Before apps are sent to devices, the MDM is responsible for assigning these licenses so that the end device user doesn’t have to pay for them in advance.
Traditionally, this has been done via Apple ID. The MDM sends a request to the device asking the user to enter their Apple ID info. The license then gets assigned to the user. The problem with this is that it creates a tremendous amount of interaction overhead. Here’s the typical flow:
- Device asks user to sign in with Apple ID
- Device asks user to join the company VPP program
- MDM waits around, checking every so often to see if the user has joined
- Finally, MDM assigns the license to the Apple ID of the device user
So, some not so great things happen here. First, the device has to have an associated Apple ID. Not a huge deal if the device is assigned to a person, but what if it’s a shared device, or maybe used as a kiosk? Second, entering an Apple ID and password and joining the program is a lot of extra work when trying to deploy to a ton of devices. Last, the wait period between joining a program and receiving the apps and be long. We’ve seen anywhere from a couple of minutes all the way up to a few hours. This can be enough time to provoke a user to call IT for help.
Apple, starting with iOS 9 allows licenses to be assigned to the serial number of a device. If you are evaluating MDMs, make sure to select one that allows you to assign VPP licenses to devices.
Installation Approval Requests
Even with device-level VPP license assignment, there’s another catch. MDM, by default, isn’t allowed to install an app to a device without getting approval from the device user. iOS will prompt the user, asking them if they’d like to allow the app to install. Again, not a big deal generally speaking but if you’re installing to many, many devices, it’s really a horrible experience to have to go through touching each one.
iOS devices can be put into a mode called ‘Supervised’ that allows MDM to have more control of the device than it is normally allowed to have. When a device is supervised, among other things, MDM can install apps without asking for permission. They just show up.
To take advantage of this, make sure that the MDM you’re using has support for supervised devices. SimpleMDM and Airwatch are both capable of this. Also, place the devices in supervised mode before enrolling them with MDM. You can do this one of two ways:
- Use an OS X application called Apple Configurator 2. Connect the devices via USB. Part of this process wipes and resets your device, so make sure you do this step first. Here’s a helpful YouTube video.
- Use the Apple Device Enrollment Program (DEP). This program allows you to purchase new devices that are already in Supervised mode. You can even have them automatically enroll in an MDM when you power them up for the first time. DEP needs to be supported by your MDM as well to use it.
Apps Not Installing After Pushing
If iOS prompts a device user to install an app and the user says no, iOS sometimes gets stuck and won’t allow the MDM to send the request again. Instead, iOS will respond to the MDM with a message stating that the app is already scheduled for management. Here’s a good example of that.
We’ve found that an easy fix is to turn off the device and turn it back on again. Don’t laugh! You can also unenroll the device from MDM management and re-enroll it, but this is a much more tedious process and we don’t recommend it.
With any luck, Apple will fix this apparent bug that’s been around since iOS 7.
Get started by selecting an iOS MDM provider like SimpleMDM, which allows you to enroll your first five devices for free. Let us know if you run into any hitches in the comments section below and we’ll add the solution to this article.