Enrollment iOS

Integration of iOS devices into the Mobile Security Portal

Last adaptation to the version: 1.5 (11.2019)

New:

Localization only possible for supervised devices
Changes in the enrollment process
Detailed description of the steps on the device
Detailed description of the steps with MacOS for supervised devices

Technical requirements

iPhone / iPad (min. iOS 11)
Access to the Securepoint Mobile Security Portal
For security reasons, Apple provides the full functionality for iOS devices only in supported mode.
Requirements for this:
- Apple Mac (min. macOS 10.14 or later)
- Apple Configurator 2 (at no charge in the App Store)
- It is possible to have notifications sent automatically as soon as a device is enrolled or unenrolled.
  Further information in our Wiki article.

For a large number of devices and users, it is recommended that you map the assignment using roles.

Installation on the device

The onboarding of iOS can be performed in supervised or unsupervised mode. The differences are listed in a Functional Comparison Overview.

Unsupervised device

User without access to Securepoint Mobile Security Portal

Invitation mail

Preliminary work of the administrator in the Securepoint Mobile Security Portal:
Devices / Send invite
Selection of a user or Select an e-mail address Send invite	Send invitation
The E-mail to the user includes: a link to the 'Securepoint Mobile Security App in the Play-Store: the enrollment code alternatively a QR code instructions on how to proceed.

Administrator with access to the Securepoint Mobile Security Portal

Register iOS device

Preliminary work of the administrator in the Securepoint Mobile Security Portal:
Devices / Register new device / iOS

The QR code can be scanned with the camera app.
The following steps must be executed:

Website QR Code. open securepopint.cloud in Safari
This website is trying t odownload a configuration profile. Do you want to allow this?
Install configuration profile Securepoint MDM via menu Settings → Profile loaded
Install Securepoint Mobile Security certificate and add it to the list of trusted certificates.
Trust Remote management

Open link in Safari

This website is trying t odownload a configuration profile. Do you want to allow this?

Allow

Profile is downloaded

Close

Continue in the "Settings" menu

The loaded profile is selected (highlighted here) and installed.

Profile Securepoint MDM

Install

Root-Certificate

Install

Remote Management

Trust

iOS profile is installed. Finish this step with

Done

Continue in the portal with the section Login to the portal

Supervised device

All data, configurations and individually installed apps are deleted during this process!
The device is reset to the factory settings. Operating system updates are kept. This process is required in iOS to ensure complete control over the device and to prevent unwanted apps from being allowed or uninstalled.

Preparation

If the device has already been connected to an Apple user account, this connection must be disconnected:

Log on to https://appleid.apple.com with the login data, used on the device.
In the Devices section, remove the device in question.

Configuring the device

Preparation in Apple Configurator2:

Connect your iPhone / iPad to your Mac
Ignore the message "A new network connection was found" with Cancel .

Apple Configurator 2 open and select the device
button Prepare

Manual configuration
activation of:

Supervise devices

Allow devices to pair with other computers

Register at MDM server:
Server: New Server…
If another device has already been enrolled, the server can be selected here. Otherwise the configuration is done in the next step.

If no MDM server has been specified yet: / Enroll new device / iOS
copy URL

If no MDM server has been specified yet: A meaningful name can be assigned here.
This configuration can be selected directly for other devices that are to be registered for the same customer (or tenant).
Name: Unique name ( customizable)

Hostname or URL: Insert the URL from the dialog in the Securepoint Mobile Security Portal (see previous step)

If no MDM server has been specified yet: Unable to verify the server's enrollment URL

Since macOS does not know the certificate of the individual customer access to the Securepoint Mobile Security Portal, the certificate cannot be checked, but is still correct!

If no MDM server has been stored yet: Add trust anchor for the MDM server:
The certificate *.securepoint.cloud is already installed.

If no MDM server has been stored yet:
Sign in to the device enrollment program.
Has to be skipped.

Skip

If no MDM server has been stored yet:
Create an organization, if necessary:
If this is the first device for this organization to be registered in the portal, information about the organization should be entered.

Details of the organization

Generate a new supervision identity

Configure iOS Setup Assistant: Select the steps that the user must perform in the System Wizard.

Prepare

This step must be confirmed by entering the username and password of the MacOS user account.

Update Settings

Configurator could not perform the requested action because "iPhone" was already prepared.
If this message appears, this device has already been configured once and the System Assistant settings cannot be transferred directly. With erase all contents and settings are deleted and the device is prepared for an (initial) configuration with connection to the Securepoint Mobile Security Portal.

Configuration of the smartphone with the steps previously configured for the iOS installation wizard.
Allow remote management

Login to the portal

The device is now displayed in the portal and the enrollment must be completed by clicking on the device tile.

Device Alias

For better identification, the device should be given an alias name:
a0a0 (4-digit ID) (in the upper part of the device tile)

Ownership Selection

There are two different installation options for the Securepoint Mobile Security App, which result in significant differences in administration:

Owner 'COPE

The following functions are additionally available in the device administration in the Mobile Security Portal:

⦁ Localize	Only available if the device has been registered in supervised mode. at: Operations => Enable Lost Mode
⦁ Clear password	at: Operations
⦁ Wipe Data	at: Operations : Deletion of personal data
⦁ Applications	Monitoring of installed apps, installation, deinstallation

Owner BYOD

Standard functional range.

no localization
No way to remove the local device password
No deletion of personal data
No control for installed apps

Login

Terms of License and Ownership

Ownership	Selection between COPE (Corperate owned, Personal enabled) BYOD (Bring‑Your‑Own‑Device)
With BYOD additionally:
User	Device user from the user administration. The user cannot be changed afterwards for BYOD devices.
□	Accept the terms of the license and privacy policy
agree	Accepting and saving the settings
	Displays the updated properties.