Introduction to AirWatch and Configurator Overview AirWatch integrates seamlessly with Apple Configurator to enable IT administrators to effectively deploy and manage Apple ios devices. Deploying a large number of corporate devices can be challenging especially the initial setup of each device. Apple Configurator, which you must install and run from a Mac OS X laptop, makes it easy to mass configure devices with the same AirWatch MDM configuration in preparation for your deployment. Enrollment into AirWatch is the first step to enable remote management and configuration capabilities of ios devices. End users can enroll their devices using the AirWatch Agent, or you can use Apple Configurator to stage devices to be pre-enrolled for distribution to your end users. AirWatch s integration with Apple Configurator enables administrators to prepare and enroll devices in bulk while also leveraging AirWatch's remote MDM capabilities from the AirWatch Admin Console. By integrating AirWatch with Configurator you can supervise devices, which lets you closely manage devices and reconfigure them on a regular basis. Supervised devices also provide additional MDM settings that can be controlled over-the-air by AirWatch such as device HTTP Proxy and Kiosk Mode. In addition, you can set up shared devices in retail stores, classrooms or hospital to be used by multiple end users. Supervised Devices and MDM Note: For a complete list of features and functionality available to supervised and unsupervised devices, please refer to the ios Functionality appendix. Benefits of Supervised Mode Once a device is supervised and enrolled in AirWatch, the administrator has the following enhanced features available for configuration when compared to normal devices: Elevated Restrictions over MDM o Prevent User from Removing Applications. o Prevent AirDrop. o Prevent account modification to prevent users from modifying icloud and Mail account settings. o Disable imessage. o Disable Game Center and ibookstore. Enhanced Security o Prevent end users from visiting websites with adult content in Safari. o Restrict which devices can connect to specified AirPlay destinations, such as Apple TVs. o Force all device network traffic through a global HTTP proxy. Kiosk Mode o Lock down devices to one app with single app mode and disable the home button. 1
Customize Wallpaper and Text on Device Enable or Clear Activation Lock In This Guide Before You Begin Details useful background information and things to keep in mind before diving into AirWatch and ios device management with Configurator, including prerequisites and suggested reading. Integrating AirWatch with Apple Configurator Details the process required to integrate Configurator with AirWatch and manage devices from the AirWatch Admin Console. Appendix: ios Functionality Lists all available securing, configuring and managing profiles and actions available for ios devices and the software version and/or supervision status required for each. 2
Before You Begin Overview Before integrating AirWatch with Apple Configurator, you should consider the following requirements, supporting materials, and helpful suggestions from the AirWatch team. Familiarizing yourself with the information available in this section helps prepare you for your AirWatch-Configurator deployment. In This Section Requirements Lists the prerequisites for a successful Apple Configurator configuration. Recommended Reading Lists helpful background and supporting information available from other AirWatch guides. Requirements A Basic or Directory user account with Staging settings enabled if you are staging devices for end users. A Mac OS X laptop, which will be used to connect to ios devices using Configurator. Using Apple Configurator with AirWatch requires the latest version of Configurator available in the App Store and access to the AirWatch Admin Console. Recommended Reading This guide touches on aspects of mobile device management and ios device management. For an extensive background on these topics, please refer to the following guide, Apple Configurator Help, which contains useful topics on using the application. 3
Integrating AirWatch with Apple Configurator Overview Integrating Apple Configurator and AirWatch is a simple process. The following steps guide you through creating an Mobile Device Management (MDM) profile, setting up Apple Configurator, how to prepare devices and enroll devices in bulk, and how to enable supervision on devices for management. In This Section Generating the MDM Enrollment Profile from the AirWatch Admin Console Walks through the steps required to generate an integration profile from the AirWatch Admin Console. Choosing to Prepare or Supervise Devices with Apple Configurator Discusses the differences between preparing and supervising devices. Prepare Devices Explains how to prepare devices for mass enrollment without supervision. Supervise Devices Explains how to supervise devices, which prepares them and equips them to take advantage of additional AirWatch MDM functionality. Verify Enrollment into AirWatch Details how to locate and confirm a prepared device in the AirWatch Admin Console. Generating the MDM Enrollment Profile from the AirWatch Admin Console Use AirWatch to generate the enrollment profile for the desired organization group. The enrollment profile contains MDM enrollment settings along with a certificate that uniquely identifies the MDM server URL, group ID, and username to assign to the device. 1. Log in to the AirWatch Admin Console. 2. Create a Staging user account, if you have not already. This can be a Basic user account you manually create or a Directory user account that is enabled with staging. 3. Navigate to Devices Settings Devices & Users Apple Apple Configurator. The instructions on this page explain the basic flow for integrating with Configurator. 4. Select Enable Automated Enrollment. You may need to Override the current organization group to do this. 5. Select the appropriate Staging Mode depending on how the device is going to be used and how the device must enroll. You can choose to pre-register devices and enroll using Apple Configurator. By pre-registering devices and selecting the None or Single User mode, you can pre-assign the end user for each device. However, you cannot preregister Multi User devices. If you do not register any devices, the enrollment user is dependent on the Staging Mode selected below: a. None Does not stage device for other users. For non-registered devices, all devices are enrolled under the Default Enrollment User. In this case, only non-staging users are available as Default Enrollment User options. 4
b. Single User Stages device for a single, known user. Only staging users are available as Default Enrollment User options. Once the end user opens the AirWatch Agent, the end user must enter credentials to fully enroll the staged device. When complete, the device details are updated in the AirWatch Admin Console and the device is associated with that end user. c. Multi User Places device into Shared Device Mode, staging device for multiple, unknown users. Only staging users are available as Default Enrollment User options. Once the end user opens the AirWatch Agent they must enter credentials to check out the device for use. Known Users Single Users Pre-register a device for the end user. Select Single User or None as the Staging Mode. Select a Staging User. The device is reassigned to the end user upon enrollment. Select Single User as the Staging Mode. Multiple Users N/A (Even though you may know the users, you are not specifying them, so use the method outlined below.) Select Multi User as the Staging Mode. Unknown Users Select a Staging User. The device prompts an end user for their credentials so they can enroll, and after a short time, the device is re-assigned to that user in the AirWatch Admin Console.* Select a Staging User. Upon enrollment, the device is launched into Shared Device mode, where end users can check out. *Using this method differs based on whether you are using directory users (integrated with your directory service) or basic users (created directly in the AirWatch Admin Console). If using directory users, then a user account can be created at the time a user signs in (if it does not already exist). However, basic users must be created for them to be able to enroll. 5
6. Select Save and Export Profile. You are asked to save a.mobileconfig file that includes the name of the organization group. If you performed this step on a Mac OS X laptop, save the file and continue to the next section. If you performed this step on a Windows PC, then transfer the file to the Mac OS X laptop (location does not matter, but be sure to note it) that is running Configurator and then continue with the next section. Choosing to Prepare or Supervise Devices At this point, you can use Apple Configurator to perform one of two actions: Prepare Devices Preparing devices involves connecting them to a Mac OS X computer. The primary purpose of preparing devices is to enroll many devices withairwatch MDM functionality at once. Supervise Devices Supervising devices encompasses everything preparing devices does and includes the added benefit of placing them in Supervised mode. This allows devices to leverage additional MDM capabilities utilizing the AirWatch Admin Console. 6
Preparing Devices The prepare feature in Apple Configurator allows administrators to quickly apply configurations, name devices in sequential order, and update the ios version across multiple devices. You can automatically enroll devices into AirWatch when preparing them. Additionally, you can restore a master backup to the device Configurator, which helps stage device settings, the home screen layout and restore app data to the devices. 1. Launch Apple Configurator on the staging Mac and click Prepare in the row of icons on top of the Apple Configurator window. The number of devices attached to the staging computer appears in a badge. 2. Configure Settings: Name Choose a naming scheme for the device(s). o Enable a sequential number to the name(s) of the device(s) by selecting the checkbox. If you do not want to start at 1, enter a new number in the Name field and then select the checkbox for an updated count. Toggle this switch to Off to prepare devices for mass deployment without supervision. Organization Info... Write a brief description of the organization's information to be displayed on the device. Update ios Choose when to update the ios on the device(s). o Choose to erase the device before installing. Restore Choose to Import Backup or Create Backup file from the drop-down menu. o To create a backup, select Create Back Up. o Tether the device with your master settings to the Mac and select Create Backup. o Name the backup appropriately, and select it under the Restore option. Note: If you do not want to delete the current data and settings on unsupervised devices, choose Don't Restore Backup. 3. Select the Setup tab, which lets you configure options related to how the device is booted. Choose the screens you want to skip during the Setup Assistant when the device is booted. 7
4. Configure a Wi-Fi profile to enable Internet connectivity and allow the device to enroll into AirWatch. Select Wi-Fi, then select Configure Settings. Enter your Wi-Fi network settings to allow the device to connect to your Wi-Fi network and save to create a new profile. 5. Next, select the Device Enrollment payload and then select Configure Settings. A dialog displays with a field for your MDM Server URL. To retrieve this URL, you need to navigate to your MDM Enrollment (.mobileconfig) file. 6. Open the MDM Enrollment (.mobileconfig) file that you downloaded from the AirWatch Admin Console using TextEdit. Copy the MDM Server URL as shown below. 7. Paste the text into the MDM Server URL field and select Save. 8. Connect the device to the Mac with Apple Configurator using a USB cord, or to provision many devices simultaneously, connect with a USB hub or ios device cart. 9. Click the Prepare icon at the bottom of the Apple Configurator window to start configuration. 10. Disconnect the device(s) as green check marks appear indicating that the devices have been configured. Supervising Devices Supervised devices enable the device administrator to manage the device on an ongoing basis using Apple Configurator. Administrators can apply a standard image to a device and reapply the same image when the device is connected back to the supervising Mac. Supervised ios devices allow for additional APIs and over-the-air configurations on these devices. In the AirWatch Admin Console, these features display with badges indicating that supervised mode is required. 1. Launch Apple Configurator on the staging Mac and click Prepare in the row of icons on top of the Apple Configurator window. The number of devices attached to the staging computer appears in a badge. 2. Configure Settings: Name Choose a naming scheme for the device(s). o Enable a sequential number to the name(s) of the device(s) by selecting the checkbox. If you do not want to start at 1, enter a new number in the Name field and then select the checkbox for an updated count. Toggle this switch to On to supervise devices for added MDM functionality. Optionally select whether to Allow devices to connect to other Macs. Organization Info... Write a brief description of the organization's information to be displayed on the device. Update ios Choose when to update the ios on the device(s). o Choose to erase the device before installing. Restore Choose to Import Backup or Create Backup file from the drop-down menu. 8
o To create a backup, select Create Back Up. o Tether the device with your master settings to the Mac and select Create Backup. o Name the backup appropriately, and select it under the Restore option. Note: If preparing supervised devices and you choose Don't Restore Backup, the device is erased. A backup image must be restored or the device must enable Apple Configurator-based enrollment and supervision. 3. Configure a Wi-Fi profile to enable Internet connectivity and allow the device to enroll into AirWatch. In the Profiles section, select Install Profiles, proceed through the setup assistant, then select or create a new Wi-Fi profile. If creating a new Wi-Fi profile, enter General settings, followed by your Wi-Fi network settings to allow the device to connect to your Wi-Fi network and save to create a new profile. 4. Select the Setup tab to configure options related to how the device is booted. Choose the screens you want to skip during the Setup Assistant when the device is booted. 5. Next, select the Device Enrollment payload and then select Configure Settings. A dialog displays with a field for your MDM Server URL. To retrieve this URL, you need to open your MDM Enrollment (.mobileconfig) file. 9
6. Open your MDM Enrollment (.mobileconfig) file that you downloaded from the AirWatch Admin Console using TextEdit. Copy the MDM Server URL as shown below. 7. Paste the text into the MDM Server URL field and select Save. 8. Connect the device to the Mac with Apple Configurator using a USB cord, or to provision many devices simultaneously, connect with a USB hub or ios device cart. 9. Click the Prepare icon at the bottom of the Apple Configurator window to start configuration. 10. Disconnect the device(s) as green check marks appear indicating that the devices have been configured. Verifying Enrollment into AirWatch Once the devices are either prepared or supervised via Apple Configurator, you can view all enrolled devices in the AirWatch Admin Console. Once the devices populate, administrators can manage and deploy updates and apps to all the devices using AirWatch. 10
Appendix A ios Functionality: Supervised vs. Unsupervised The following table shows all of the available ios profile functionality that you can control via the AirWatch Admin Console. It is organized by whether a supervised ios device is required to configure a particular setting or feature. Also included are OS Notes that indicate the minimum ios version that applies. Features and Functionality Passcode Does Not Require Requires OS Notes Passcode settings - Restrictions Device Functionality Allow use of camera - Allow FaceTime - Allow screen capture - Allow Fingerprint for Unlock Allow use of imessage + iphone 5s ios 6 + Supervised Allow installing public apps - Allow app removal ios 6 + Supervised Allow in-app purchase - Allow opening managed app documents in unmanaged apps Allow opening unmanaged app documents in managed apps 11
Features and Functionality Does Not Require Requires OS Notes Limit ad tracking Allow automatic sync while roaming - Allow voice dialing - Allow Siri ios 5 Allow Siri while device locked ios 5.1 Enable Siri Profanity Filter ios 6 Allow Passbook while device locked ios 6 Allow manual profile installation Allow account modification ios 6 Show Control Center on lock screen Show notifications view on lock screen Show today view on lock screen Allow AirDrop Applications Allow use of YouTube ios 5 and below Allow use of itunes Music Store - Allow use of ibookstore ios 6 Allow Game Center ios 6 12
Features and Functionality Does Not Require Requires OS Notes Allow multiplayer gaming - Allow adding Game Center Friends - Allow changes to Find My Friends Allow changes to cellular data usage for apps Allow use of Safari - Enable autofill - Force fraud warning - Enable JavaScript - Enable plugins - Block pop-ups - Accept Cookies - icloud Allow backup ios 5 Allow document sync ios 5 Allow keychain sync Allow app settings sync (key value sync) ios 5 Allow Photo Stream ios 5 Allow Shared Photo Stream ios 6 Security and Privacy Force itunes Store password entry ios 5 Allow diagnostic data to be sent to Apple ios 5 Allow user to accept untrusted TLS certificates ios 5 13
Features and Functionality Does Not Require Requires OS Notes Allow over the air PKI updates Force encrypted backups - Allow pairing with non-configurator hosts Enable Activation Lock Clear Activation Lock Media Content.1 + Supervised Ratings region/movies/tv Shows/Apps - ibooks ios 6 Allow explicit music and podcasts - Wi-Fi Wi-Fi settings - Auto-Join ios 5 Wi-Fi Hotspot 2.0 settings Proxy settings ios 5 VPN VPN settings - Per-App VPN Connect automatically 14
Features and Functionality Does Not Require Requires OS Notes Email Email settings - Prevent Moving Messages ios 5 Disable recent contact sync ios 6 Prevent Use In 3rd Party Apps ios 5 Use S/MIME ios 5 Exchange ActiveSync EAS settings - Use S/MIME ios 5 Prevent Moving Messages ios 5 Prevent Use In 3rd Party Apps ios 5 Disable recent contact sync ios 6 LDAP LDAP settings - CalDAV CalDAV settings - Subscribed Calendars 15
Features and Functionality Does Not Require Requires OS Notes Subscribed Calendar settings - CardDAV CardDAV settings - Web Clips Web Clip settings - Credentials Credentials certificate settings - SCEP SCEP settings for certificate authority - Global HTTP Proxy Global HTTP Proxy settings Single App Mode Single App Mode Lock device into a single app Optional settings for "Lock device into a single app" Autonomous single app mode ios 6 Web Content Filter Web Content Filter settings (Whitelist, Blacklist, Permitted URLs) 16
Features and Functionality Does Not Require Requires OS Notes Single Sign On Single Sign On settings with Kerberos authentication AirPrint AirPrint destination settings AirPlay Mirroring AirPlay Destination settings (Whitelist) Advanced Advanced Access Point settings App Installation Settings Silent App Installation Control Cellular Settings Voice Roaming ios 5 Data Roaming ios 5 Personal Hotspot Wallpaper Settings Set Lockscreen Image Set Home Screen Image 17
Features and Functionality Does Not Require Requires OS Notes Queries and Commands Supervised status Location service status Personal Hotspot status Custom Fonts and Messaging Custom Font Installation Custom Enrollment Messages ios 6 Custom MDM Prompts Activation Lock Warning 18