Integration of iOS devices into the Mobile Security Portal
Last adaptation to the version: 1.5 (11.2019)
New:
- Added warning about missing operating modes
- Layout and design adjustments
Last updated:
- 07.2024
This article refers to a Beta version
notempty
In this operating mode without Apple Business Manager (ABM), the following features are not available:
- Automatic enrollment after a factory reset
- Interaction-free installation and updates of apps without Apple ID
- Reenrollment
- The devices can be permanently removed from the MDM from the end device
Technical requirements
- iPhone / iPad (min. iOS 11)
- Access to the Securepoint Mobile Security Portal
- For security reasons, Apple provides the full functionality for iOS devices only in supported mode.
Requirements for this:- Apple Mac (min. macOS 10.14 or later)
- Apple Configurator 2 (at no charge in the App Store)
- It is possible to have notifications sent automatically as soon as a device is enrolled or unenrolled.
Further information in our Wiki article.
For a large number of devices and users, it is recommended that you map the assignment using roles.
Prepare device
The onboarding of iOS can be performed in supervised or unsupervised mode. The differences are listed in a Functional Comparison Overview.
Unsupervised device
User without access to Securepoint Mobile Security Portal
| Preliminary work of the administrator in the Securepoint Mobile Security Portal: | |
|---|---|
| / Send invite | |
|
 |
| |
Administrator with access to the Securepoint Mobile Security Portal
| Preliminary work of the administrator in the Securepoint Mobile Security Portal: |  |
| / Register new device | |
| The QR code can be scanned with the camera app. | |
| The following steps must be executed: | |
| |
| 1. | 2. | 3. |
| Abb.1 | Abb.2 | Abb.3 |
| Abbildungen | ||
Fig.1
Open link in Safari
Datei:MSI Konfigurationsprofil-zulassen-iOS-en.png
Fig.2
This website is trying t odownload a configuration profile. Do you want to allow this?
Allow
Fig.3
Profile is downloaded
Close
Continue in the "Settings" menu
Fig.4
The loaded profile is selected (highlighted here) and installed.
Datei:MSI Profil SP-MDM-en.png
Fig.5
Profile Securepoint MDM
Install
Fig.6
Root-Certificate
Install
Fig.7
Remote Management
Trust
Fig.8
iOS profile is installed. Finish this step with
Done
Continue in the portal with the section Login to the portalSupervised device
notempty
Sign in to the device enrollment program.
Has to be skipped.
All data, configurations and individually installed apps are deleted during this process!
The device is reset to the factory settings. Operating system updates are kept. This process is required in iOS to ensure complete control over the device and to prevent unwanted apps from being allowed or uninstalled.
Preparation
notempty
If the device has already been connected to an Apple user account, this connection must be disconnected:
- Log on to https://appleid.apple.com with the login data, used on the device.
- In the Devices section, remove the device in question.
Configuring the device
- Preparation in Apple Configurator2:
- Connect your iPhone / iPad to your Mac
- Ignore the message "A new network connection was found" with .
| 1. | 2. | 3. |
| Abb.1 | Abb.2 | Abb.3 |
| Abbildungen | ||
Fig.1
Apple Configurator 2 open and select the device
button
button
Fig.2
Manual configuration
activation of:
Supervise devices
Allow devices to pair with other computers
activation of:
Supervise devices
Allow devices to pair with other computers
Fig.3
Register at MDM server:
Server: New Server…
If another device has already been enrolled, the server can be selected here. Otherwise the configuration is done in the next step.
Server: New Server…
If another device has already been enrolled, the server can be selected here. Otherwise the configuration is done in the next step.
Fig.4
If no MDM server has been specified yet:
/ Enroll new device
copy URL
/ Enroll new device
copy URL
Fig.5
If no MDM server has been specified yet:
A meaningful name can be assigned here.
This configuration can be selected directly for other devices that are to be registered for the same customer (or tenant).
Name: Unique name (customizable)
Hostname or URL: Insert the URL from the dialog in the Securepoint Mobile Security Portal (see previous step)
A meaningful name can be assigned here.
This configuration can be selected directly for other devices that are to be registered for the same customer (or tenant).
Name: Unique name (customizable)
Hostname or URL: Insert the URL from the dialog in the Securepoint Mobile Security Portal (see previous step)
Fig.6
If no MDM server has been specified yet:
Unable to verify the server's enrollment URL
Since macOS does not know the certificate of the individual customer access to the Securepoint Mobile Security Portal, the certificate cannot be checked, but is still correct!
Unable to verify the server's enrollment URL
Since macOS does not know the certificate of the individual customer access to the Securepoint Mobile Security Portal, the certificate cannot be checked, but is still correct!
Fig.7
If no MDM server has been specified yet:
Add trust anchor for the MDM server:
The certificate *.securepoint.cloud is already installed.
Add trust anchor for the MDM server:
The certificate *.securepoint.cloud is already installed.
Fig.8
Sign in to the device enrollment program.
Has to be skipped.
Fig.9
If no MDM server has been specified yet:
Create an organization, if necessary:
If this is the first device for this organization to be registered in the portal, information about the organization should be entered.
Create an organization, if necessary:
If this is the first device for this organization to be registered in the portal, information about the organization should be entered.
Fig.10
Details of the organization
Fig.11
Generate a new supervision identity
Fig.12
Configure iOS Setup Assistant: Select the steps that the user must perform in the System Wizard.
Fig.13
This step must be confirmed by entering the username and password of the MacOS user account.
Fig.14
notempty
If this message appears, this device has already been configured once and the System Assistant settings cannot be transferred directly.
With all contents and settings are deleted and the device is prepared for an (initial) configuration with connection to the Securepoint Mobile Security Portal.
Configurator could not perform the requested action because "iPhone" was already prepared.
If this message appears, this device has already been configured once and the System Assistant settings cannot be transferred directly.
With all contents and settings are deleted and the device is prepared for an (initial) configuration with connection to the Securepoint Mobile Security Portal.
- Configuration of the smartphone with the steps previously configured for the iOS installation wizard.
- Allow remote management
Login to the portal
The device is now displayed in the portal and the enrollment must be completed by clicking on the device tile.
Device Alias
For better identification, the device should be given an alias name:
a0a0 (4-digit ID) (in the upper part of the device tile)
Ownership Selection
There are two different installation options for the Securepoint Mobile Security App, which result in significant differences in administration:
| Owner COPE |
| ||||||||
| Owner BYOD | Standard functional range
| ||||||||
Login
| Ownership | Selection between COPE (Corperate owned, Personal enabled) BYOD (Bring‑Your‑Own‑Device) |
 |
With BYOD additionally:
| ||
| User | Device user from the user administration notempty The user cannot be changed afterwards for BYOD devices. | |
| Accept the terms of the license and privacy policy | ||
| agree | Accepting and saving the settings | |
| Displays the updated properties | ||