Jump to:navigation, search
Wiki

Configuration iOS profile: Shared-iPad

From Securepoint Wiki


































De.png
En.png
Fr.png









Managing iOS profiles with the Shared iPad type in the Mobile Security Portal

Last adaptation to the version: 1.28 (07.2024)

New:
  • Changed menu navigation
notempty
This article refers to a Resellerpreview
Access: portal.securepoint.cloud  Mobile Security iOS/iPadOS Profile









































Preamble

In a profile permissions, restrictions, password requirements, email settings and security settings are configured.
Several users or user groups (roles) can be assigned to a profile.
Several devices or device groups (devices designated by tags) can be assigned to a profile.

notempty
For a large number of devices and users it is recommended to map the assignment via groups.
  • Device registration is directly tied to a profile
  • A profile must be created first' (and configured) before a device can be registered

In Android Enterprise profiles, numerous security-relevant settings can be made, e.g.

  • Disable Kamara
  • Disable microphone
  • Disable USB file transfer
  • Disable outgoing calls
  • Disable Bluetooth
  • Disable contact sharing
  • Disable tethering
  • Disable sms
  • Enable network only with VPN
  • and much more.
notempty
Android Enterprise Profiles are used immediately and do not need to be published!

Overview of profile management

In the profile overview new profiles can be created, existing ones can be edited and deleted. The view of the profiles can be displayed in the list or tile view. You can also view details of existing profiles, update the list of profiles, and publish profiles. MS 1.25 iOS Profile-en.png
Overview of profile management iOS 		MS 1.25 Android Profile-en.png
Overview of profile management Android

General Options

Name Sorts the tiles by profile name
Priority Sorts the tiles according to the priority of the profile
Ascending Sorts the tiles in ascending or descending order according to the selected criterion
Search Filters on profile tiles that contain the search text
 Add profile Creates a new profile. The settings in the profile vary depending on the operating system.
 Import profile Existing profiles that were previously exported from the Securepoint Mobile Security Portal can be imported here
 Hide generated profiles Hides the generated profiles
Show / hide details: For a large number of profiles, it can be useful to hide the most important details for clarity.
/ Switch between lists and grid view
Refreshes the display

Profile tile

Profile-Options
The button at the top right of each profile tile provides the following options:
 Edit Editing the settings (see below)
  Copy Copying the profile to the clipboard
  Export Exporting the settings
  Delete Deletes one or more selected profiles
Details displayed in the profile tile:
 Updated Changes have been made to the profile that have not yet been published!
 Partially installed Not all sub profiles were able to be installed
Profile information
  Type Profile type (see below)
  Roles Roles
  Users User
 Devices Devices
  tags Tags
  Parts Listing of the sub-profiles that make up the complete Mobile Security Profile.

Copy & paste of profiles

Click on the logo of the profile tile to mark one or more profiles In the general options, another field now appears under the filter mask:
Action for selected items Please choose Execute the selected action with Ok
Copy Copies one or more selected profiles to the clipboard
Delete Deletes one or more selected profiles
  Paste Inserts a copy of a profile from the clipboard
This also works from one tenant / customer to another as long as they are assigned to the same reseller account   AnyIdeas GmbH


Configuration iOS profile Shared-iPad




























General iOS

General

 Add profile

Caption Values Description MSP 1.28 iOS Profile Allgemein-en.png
General menu item
Type Device profile Standard device profile
Shared iPad Profile that allows different users for one iPad
  • Only for devices with iPadOS
    • Apple TV profiles Profile with limited settings options. Additional settings for Apple TV
    User Enrollmant profile Profile owned by the user on which managed apps of the company can be installed
    Name Name Profile name
    Priority 5Link= The higher the number, the higher the priority. This is only used if a device is assigned to multiple profiles.
    Roles Add roles Click-Box: The profile will be assigned to all devices of all users with these roles
    Users Add users The profile will be assigned to all devices from these users
    Devices Add devices The profile will be assigned to these devices
    Tags Add tags The profile will be assigned to all devices with these tags
    Comment Comment Comment








    Schließen Schließt den Reiter ohne Änderungen zu übernehmen
     Speichern Übernimmt die Änderungen / Neuanlage, speichert und schließt den Reiter





























    Restrictions

    Restrictions

    Configuration by clicking on Activate restrictions   

    Numerous restrictions can be configured to control the behavior of a device.


    List of possible restrictions with default values and explanations:

    General restrictions
    General restrictions
    Table-check.png


    Table-check.png


    Table-check.png


    Classroom-App
    Classroom-App

    The Classroom App is available free of charge in the App-Store and offers possibilities for use in school classes.
    Important restrictions can be configured here.

    Table-check.png


    Restrictions for supervised devices
    Restrictions for supervised devices

    A range of restrictions is only available for devices in the Supervised embedding mode.


    Table-check.png



    Table-check.png









    Schließen Schließt den Reiter ohne Änderungen zu übernehmen
     Speichern Übernimmt die Änderungen / Neuanlage, speichert und schließt den Reiter



























    Notification settings

    Notification settings

      Add settings The settings are made separately for each app

    Caption Value Description MSP 1.28 iOS Profile Benachrichtigungseinstellungen-en.png
    Menu item Notification settings
    Application Enter id The bundle ID of the application. WARNING: Entering an unknown bundle ID can cause problems
    Enable notifications    Enables, respectively disables    notifications for this app.
    Alert type Temporary banner The notification type for notifications for this app: None/Banner/Warning
    Permanent banner
    None
    Badges enabled    Allow or disallow    for this app.
    Enable critical alerts    When active    , critical alerts are enabled that can ignore "Do Not Disturb" and ringer settings for this app.
    Grouping type Automatic The notification grouping type
    by App
    Off
    Preview type Always The notification type preview
    When unlocked Displays the notification only when the device is unlocked
    Never Never displays the notifications
    Show in CarPlay    When active, notifications are displayed in CarPlay
    Show in lock screen    Determines whether notifications can be displayed in the lock screen
    Show in notification center    Determines whether notifications are displayed in the notification center
    Sounds enabled    Determines if sounds are allowed for this app








    Schließen Schließt den Reiter ohne Änderungen zu übernehmen
     Speichern Übernimmt die Änderungen / Neuanlage, speichert und schließt den Reiter







































    Apps

    Apps
    Profil ab Portalversion 1.31 angelegt
    notempty
    Profil ab Portalversion 1.31 angelegt
     notempty
    New as of 1.31
    Das Verwalten von Apps und Webclips über Profile ist veraltet und nicht mehr verfügbar. Die Neuzuweisung von Applikationen zu Geräten wird stattdessen über den im Seitenmenü befindlichen Menüpunkt  Mobile Security iOS/iPadOS Apps vorgenommen.
    Weitere Informationen sind im Wiki-Artikel über iOS-Apps zu finden.     		MS 1.31 iOS Profil Apps-en.png
    Apps & Web clips
    Profil vor Portalversion 1.31 angelegt
    notempty
    Profil vor Portalversion 1.31 angelegt
    notempty
    Diese Funktion ist veraltet. In Profilen vor Version 1.31 können Apps gelöscht, aber nicht neu hinzugefügt werden. Die Neuzuweisung von Applikationen zu Geräten wird stattdessen über den im Seitenmenü befindlichen Menüpunkt  Mobile Security iOS/iPadOS Apps vorgenommen. Darüber ist auch die spätere Deinstallation der Anwendungen möglich.
    Weitere Informationen sind im Wiki-Artikel über iOS-Apps zu finden.
    Caption Value Description MS 1.31 iOS Profil Apps vor131-en.png
    Apps & Web clips
    Apps
    		Securepoint VPN Client Die angelegten Apps können lediglich gelöscht werden.
    Es können keine neuen Apps hinzugefügt werden.
    Über die Portalseite  Apps werden Apps einem iOS-Profil hinzugefügt und entfernt.
    Web clips Securepoint Wiki [Label: SP Wiki] (https://wiki.securepoint.de) Die angelegten Web clips können lediglich gelöscht werden.
    Es können keine neuen Web clips hinzugefügt werden.
    Über die Portalseite  Apps werden Web clips einem iOS-Profil hinzugefügt und entfernt.


    App-Lock (Kiosk mode)
    App-Lock (Kiosk mode)

    The app lock activates the guided mode which limits the device to a single app. In this state - also called kiosk mode - you can control which app functions are available.

    Activate configuration   

    Table-check.png








    Schließen Schließt den Reiter ohne Änderungen zu übernehmen
     Speichern Übernimmt die Änderungen / Neuanlage, speichert und schließt den Reiter


































































































    Email & Exchange Active Sync

    Email & Exchange Active Sync

    Multiple mail accounts can be set up in the Email settings section.
    These settings affect IMAP or POP3 accounts. Settings for Exchange ActiveSync must be made in the corresponding menu item!


    Email accounts  Add account
    Operation Default Description MSP 1.28 iOS Profile E-Mail-en.png
    Email settings
    Account description Account description The display name of the account (e.g. "Company Mail Account")
    Account name Account name The display name of the user (e.g. "John Appleseed")
    Variables can be used as well.

    The display name can be combined with the variable %device_user_name%. The variable reads from the user settings of the user to whom the respective device is assigned the fields first name and last name. e.g.: %device_user_name% | ttt-Point AGMartin Müller | ttt-Point AG
    Email address Email address The address of the account (e.g. "john@company.com")
    The entry $emailaddress$ reads the email address from the user settings of the user to whom the device is assigned.
    Variables can be used as well.

    The entries $variable1$, $variable2$ and $variable3$ can be defined individually.
    Prevent move    If set to true, messages may not be moved out of this email account into another account
    Disable email recipient synchronization    If set to true, this account is excluded from address "recent" syncing
    Allow Mail drop    If set to true, this account is allowed to use Mail drop
    Prevent App Sheet    If set to true, this account will not be available for sending mail in third party applications
    S/MIME Enabled    If set to true, this account will support S/MIME
    S/MIME signing enabled    If set to true, this account will enable message signing
    S/MIME encryption enabled    If set to true, this account will support message encryption
    S/MIME enable Per-Message Switch    If set to true, enables the per-message encryption switch
    Incoming mails
    Operation Default Description
    Mail server Mail server Hostname or IP address
    Port 993Link= Port number for incoming mail
    Account type IMAP

    POP    		 The protocol for accessing the email account
    Username Select user The username used to connect to the server for incoming emails
    Variables can be used as well.
    $emailaddress$, $username$, $variable1$, $variable2$, $variable3$

    Examples:
    • The email user name is identical to the device user name: ttt-point.local\%device_user_username%
    • The email user name is stored in the user settings as variable1: ttt-point.local\%variable1%
    Path prefix Path prefix Path prefix for IMAP mail server
    Incoming Mail Server authentication authentication method The authentication method for the incoming mail server
    None
    Password
    CrammD5
    NTLM
    HTTPMD5
    Password Password The password for the incoming mail server
    Use SSL    Incoming email retrieval via Secure Socket Layer
    Outgoing mails
    Operation Default Description
    Mail server Mail server Hostname or IP address for outgoing email
    Port 587Link= The port number for outgoing email
    Username Select user The username used to connect to the server for outgoing mail
    Variables can be used as well. $emailaddress$, $username$, $variable1$, $variable2$, $variable3$

    Examples:
    • The email user name is identical to the device user name: ttt-point.local\%device_user_username%
    • The email user name is stored in the user settings as variable1: ttt-point.local\%variable1%
    authentication type authentication method The authentication method for the outgoing mail server
    Password
    CrammD5
    NTLM
    HTTPMD5
    Outgoing Password: Same as incoming    SMTP authentication uses the same password as POP/IMAP server for incoming emails
      
    Password Password The password for the outgoing mail server
    Use SSL    Send outgoing email through Secure Socket Layer
    Exchange accounts
    Exchange accounts  Add account

    Configuration for Exchange mails retrieved via https connections

    Configuration by clicking on Activate Exchange ActiveSync   

    Operation Default Description MSP 1.28 iOS Profile E-Mail Exchange-en.png
    Settings Exchange ActiveSync
    Account name     The display name of the user (e.g. "John Appleseed"). Different variables can be used.
    Exchange ActiveSync Host Enter host Host name or IP address of the Exchange server
    Past days of mail to sync Synchronization period
    Use SSL    Encrypts all messages with SSL (Secure Socket layer)
    Email address Select email address The address of the account to be synchronized (e.g. "john@company.com") Variables can be used as well.

    The entries $variable1$, $variable2$ and $variable3$ can be defined individually.
    Domain\User Username Mail domain and mail user
    • The field must remain empty if the device should ask.
    • If the domain should be entered automatically, this can be configured on the server.
    • Variables can be used as well.
      $emailaddress$, $username$, $variable1$, $variable2$, $variable3$
      Examples:
      • The email user name is identical to the device user name: ttt-point.local\%device_user_username%
      • The email user name is stored in the user settings as variable1: ttt-point.local\%variable1%
    Password Password The password for the account
    Use OAuth    Specifies whether the connection should use OAuth for authentication. notempty
    If OAuth is specified, the password field should remain blank
    Payload certificate UUID Select certificate UUID of the certificate that is used for authentication
    Prevent move    If set to true, messages may not be moved out of this email account into another account
    Prevent App sheet    If set to true, this account will not be available for sending mail in third party applications
    Allow Mail Drop    If set to true, this account is allowed to use Mail Drop
    S/MIME enabled    If set to true, this account will support S/MIME
    S/MIME signing enabled
    		    If set to true, this account will enable message signing
    S/MIME encryption enabled
    		    If set to true, this account will support message encryption
    S/MIME enable Per-Message Switch
    		    If set to true, enables the per-message encryption switch
    Disable email recipient synchronization    If this value is set to true, this account will be excluded from the synchronization of the "Recent" addresses
    Activate calendar    Activate calendar
    Calendar overwritable    Allow account to enable/disable calendar
    Enable/disable contacts    Enable contacts
    Contacts overwritable    Allow account to enable/disable contacts
    Enable email    Enable email
    Mail overwritable    Allow account to enable/disable mail
    Enable notes    Enable notes
       Allow account to enable/disable notes
    Enable reminders    Enable reminders
    Reminders overwritable    Allow the account to enable/disable reminders
    Overwrite previous password    Overwrite previous password
    Audio calls Enter ID The bundle ID of the application that processes audio calls made to contacts from this account

    Example: Office365 accountsExample: Office365 accounts

    Example: Integration of an Office 365 account with OAuth

  • OAuth only works with ActiveSync
    Configuration in the Email & Exchange Active Sync tab when adding an Exchange Account
  • The OAuth data of other providers can be obtained exclusively and directly from these providers
    • Operation Value Description
    Account name Account name Name of the user to be displayed
    Exchange ActiveSync Host outlook.office365.com Example for Office365
    Number of days in which the emails from the past are synchronized Forever Possible values: 1 day, 3 days, 1 week, 2 weeks, 1 month, forever
    Use SSL    Sends all communications via Secure Socket Layer. notempty
    Securepoint recommends to activate the option
    Email address
    		alice@ttt-point.onmicrosoft.de Possible addresses are selectable from the dropdown menu incl. variables that take the information from the user data
    Domain\User
    		alice@ttt-point.onmicrosoft.de The previously selected e-mail address of the user
    Password     The password for the email account on the mail server notempty
    If OAuth is specified, the password field should remain blank
    Use OAuth    Specifies whether the connection should use OAuth for authentication.
  • Must be activated on the mail server!
  • If OAuth is specified, the password field should remain blank
    • OAuth login URL https://login.microsoftonline.com/common/oauth2/v2.0/authorize Login URL
    Here shown for Office365 accounts (example)
    OAuth token request URL https://login.microsoftonline.com/common/oauth2/v2.0/token OAuth token request URL
    Here shown for Office365 accounts (example)
    Payload certificate UUID: None If the authentication on the Exchange server is to be done with a certificate, this can be selected here.








    Schließen Schließt den Reiter ohne Änderungen zu übernehmen
     Speichern Übernimmt die Änderungen / Neuanlage, speichert und schließt den Reiter
























    Calendar

    Calendar

    Calendar with user account
    Calendar with user account Variables can be used as well.

    User  Add account
    Caption Value Description MSP 1.28 iOS Profile Kalender Benutzer-en.png
    Calendar with user account
    Hostname Hostname Server address of the calendar
    Username Username The username for the login
    The entries $emailaddress$, $username$, $variable1$, $variable2$ and $variable3$ are also possible.
    Password Password Optional. The password of the user
    Use SSL    Enable Secure Socket Layer communication with the CalDAV server
    Port PortLink= Optional. The port of the server to which the connection is made.
    Main URL Main URL The URL to the user's calendar.
  • In iOS/iPadOS, this URL is required when the user does not provide a password, because the service auto-detection fails and the account is not created. Optional.
    • Account description Account description Optional. The description of the account.


    Add subscription
    Subscribed calendar Variables can be used as well.

    Subscriptions  Add subscription
    Caption Value Description MSP 1.28 iOS Profile Kalender Abo-en.png
    Subscribed calendar
    Hostname Hostname Server address of the calendar
    Username Username The username for the login
    The entries $emailaddress$, $username$, $variable1$, $variable2$ and $variable3$ are also possible.
    Password Password Optional. The password of the user
    Use SSL    Enable Secure Socket Layer communication with the CalDAV server
    Account description Account description Optional. The description of the account.








    Schließen Schließt den Reiter ohne Änderungen zu übernehmen
     Speichern Übernimmt die Änderungen / Neuanlage, speichert und schließt den Reiter























    CardDav

    CardDav

    Variables can be used as well.

    User  Add account
    Caption Value Description MSP 1.28 iOS Profile CardDAV-en.png
    Include address books
    Hostname Hostname The CardDAV server hostname or IP address
    Username Username The CardDAV username
    The entries $emailaddress$, $username$, $variable1$, $variable2$ and $variable3$ are also possible.
    Password Password The CardDAV password
    Use SSL    When enabled   , the Secure Socket Layer communicates with the CardDAV server.
    Port PortLink= The port number to connect to the CardDAV server
    Main URL Main URL The main URL for the CardDAV account
    Account description Account description The display name of the account (e.g. "Company CardDAV Account").








    Schließen Schließt den Reiter ohne Änderungen zu übernehmen
     Speichern Übernimmt die Änderungen / Neuanlage, speichert und schließt den Reiter

















    Google account

    Google account

    Caption Value Description MSP 1.28 iOS Profile GoogleAccounts-en.png
    Google Accounts menu item
    User  Add account Adds a Google account.
    This also makes, for example, the history of Google searches or individual Google Maps configurations, such as special points, available on the device.
    Account description Account description The displayed name of the account (e.g. "Company Server Account").
    Account name Account name Full user name of the Google account
    Email address Email address The address of the account (e.g. "mdm.ttt-point@gmailcom")
    Addresses of created users (from  General  Users ) can be selected or freely entered.
    Audio calls Enter ID The bundle ID of the application that processes audio calls made to contacts from this account








    Schließen Schließt den Reiter ohne Änderungen zu übernehmen
     Speichern Übernimmt die Änderungen / Neuanlage, speichert und schließt den Reiter










    {{var | Karenzzeit für die Online-Authentifizierung--desc

    | Eine Karenzzeit (in Tagen) für die Online-Authentifizierung des Shared iPad.
     | A grace period (in days) for online authentication of the Shared iPad.










    Shared Device Configuration

    Shared Device Configuration

    notempty
    The profile used with these settings can only be installed on an iPad if no users have been previously registered on this iPad. The iPad must therefore be reset to the factory settings.
    Caption Value Description MSP 1.28 iOS Profile Shared Device Konfiguration-en.png
    Shared Device Konfiguration menu item
    Activate configuration    The shared device configuration can be set by activating   .
    Managed Apple ID default domains Enter domains A list of domains displayed on the login screen of the Shared iPad.
    When logging into the device, the user can select a domain from the list to complete their Managed Apple ID. The corresponding domain is added to their login.
    Online authentication grace period 0
    Quota size 0 The quota size (in megabytes MB) for each user on the shared device or, if the quota size is too small, the minimum quota size.
    Resident users 0 The expected number of users.
    If this entered number is greater than the value for the maximum possible number of users that the device supports, the MDM server uses the maximum possible number instead.
    Skip language setup    When    is activated, the system automatically selects the system language and regional scheme for the new Shared iPad user.
    Temporary session only    If    is activated, the user sees the welcome screen for guests and can only log in as a guest user.
    Time limit for temporary session 30 The temporary session is automatically logged off after the specified period (in seconds) of inactivity.
    User session timeout 30 The user session is automatically logged off after the specified period (in seconds) of inactivity.








    Schließen Schließt den Reiter ohne Änderungen zu übernehmen
     Speichern Übernimmt die Änderungen / Neuanlage, speichert und schließt den Reiter











    Shared iPad User

    Shared iPad User

    Caption Value Description MSP 1.28 iOS Profile Shared iPad Benutzer-en.png
    Shared iPad Benutzer menu item
    Apple IDs admin@ttt-point.de This profile will be available on all General selected Devices for these Apple IDs.








    Schließen Schließt den Reiter ohne Änderungen zu übernehmen
     Speichern Übernimmt die Änderungen / Neuanlage, speichert und schließt den Reiter
    Retrieved from "https://wiki.securepoint.de/index.php?title=MS/deployment/profile-shared-iPad&oldid=92447"