Shortly after the iPad event on Wednesday, Apple released the free Apple Configurator application. It’s billed as a way to “set up new devices, and install enterprise apps,” but my main interest was in learning how it might interact with Mobile Device Management. So I upgraded my iTunes to 10.6, installed the application, and started poking around.
Essentially, Configurator allows you to maintain a fleet of identical iOS devices. With it, you can re-baseline up to 30 devices simultaneously, pre-installing applications and configuration profiles at the same time as wiping them clean and updating the OS version. The application allows you to create configuration profiles directly, or you may import profiles created in the iPhone Configuration Utility (IPCU). [Aside: the IPCU was also updated on Wednesday, and both that and Configurator support some new features, including the ability to disable Siri when the device is locked. Interestingly, Configurator also includes the ability to enable a "Siri Profanity Filter" and to disable Location Services, neither of which I've been able to find in the new IPCU.] The Configurator doesn’t include the capability to create an MDM enrollment profile, but you can import one from IPCU and it works just fine.
When used in this mode, Configurator can easily streamline the setup of large numbers of devices for corporate deployment. I haven’t found a way to pre-set all the “Welcome to iOS” responses (selecting a language, assigning an Apple ID, etc.), but even with those last few manual steps, this can make rapid deployment of large numbers of devices in an enterprise much, much easier. The device is wiped, then the latest version of iOS is installed, along with applications and profiles. At this point, the device can be set aside into a pool, ready to be used. You can even load pre-purchased App Store applications (for very small deployments, you can pre-set the Apple ID used to purchase the apps you’re installing; otherwise you’d need to use the Volume Purchase Program to load redemption codes for each device).
But that’s not all! When baselining (or “preparing”) a device, the user has a chance to configure it as a “Supervised” device. When issuing the device to end users, you can just hand it to them, or have the system formally “check out” the device. By doing the check out, the device can be customized with the user’s name, photo, and pre-installed user-specific documents. When the user is done with the device, they return it, and the check-in process then backs up the user’s data, and wipes and re-baselines the device for the next user.
All of that would be interesting enough, but my focus is more on security than ease of deployment — what does Configurator do to enhance or replace MDM? Firstly, the profile that marks the device as supervised cannot be removed by the end user. In fact, as far as I can tell, it can’t even be removed by the machine which prepared the device. The only way to “un-supervise” a device is to wipe it clean and start from scratch. It also locks the device to the system used to prepare it — trying to connect to iTunes or IPCU on another system results in an error. In fact, even using IPCU on the Configurator machine won’t work — it won’t let you install or remove profiles at all. However, I was able to manually install an MDM profile, as a user, by tapping on a link in Safari, so the end user might still be able to make changes that way even if IPCU is locked out. Also, even when the MDM enrollment profile is installed as part of the device preparation and baseline process, the user may still remove the enrollment.
One final interesting point — the use of the “supervised” term caught my eye. When researching the changes that iOS 5.0 brought to the MDM system, I found several mentions of supervised devices near other MDM-related strings in the iOS binaries. I also found several references to a “Chaperone” system. These included things like “PermissionSlip,” “AllowSleepOver,” and even “ReadyForKeyMaster” (though no mention of Zuul). Ever since seeing that, I’ve wondered if some form of parental-oriented device management and monitoring might be in the works. Well, this system seems to make use of Chaperone-related profiles, so perhaps we’re seeing the first elements of this beginning to enter production.
In summary, the new Apple Configurator application looks like it will be very useful for anyone maintaining a small fleet of devices (such as loaner devices, or in support of a class), and will also greatly streamline the large-scale preparation and deployment of devices within the enterprise. For further reading, here’s a link to the Configurator Documentation from Apple.
Published date:  09 March 2012
Written by:  dschuetz