A Lockout Protocol for iOS 9.3

One of the vital issues I need so that you could do in our new deployment is discover gadgets which might be “out of spec” and ensure that the customers in finding their as far back as me for … ah … re-education.

Maximum “out of spec” issues will also be handled by way of the MDM server itself. If a tool assessments in with a lacking configuration profile or a lacking app, the server will robotically handle that.

Occasionally, although, we wish to test for different stipulations and ensure that those scenarios do not pass on for too lengthy. To reach this, I’ve designed a “lockout protocol” for our deployment.

The Configuration Profile

Now we have a configuration profile that may be carried out to any supervised iPad that necessarily “locks out” the consumer from doing any paintings. It’s truly somewhat easy.

The primary payload is a Restrictions payload which I exploit to simply permit one app: The JAMF Self Provider app.

The second one payload is a House Display screen Format payload. This places the Self Provider app into the Dock, in order that other folks can in finding it simply.

That’s all it’s however, for the reason that gadgets are supervised and in DEP, there’s not anything the consumer can do to get out of this example aside from to come back and notice me for lend a hand.

The Standards for Lockout

To discover those anomalous stipulations, I’ve a wise software team in our MDM that captures gadgets in accordance with the next stipulations:

  1. The software stock is greater than 10 days previous (i.e. it’s no longer speaking with the server correctly) OR
  2. The JSS “Jailbreak Detected” box is “sure” OR
  3. The “Location Products and services for Self Provider” is “Now not Enabled/Unknown”.
  4. The iOS model is not up to the present unlock model of iOS.

Now, I generally give a grace duration for iOS updates of a couple of week ahead of I replace the standards for the sensible team so it’s no longer too draconian.

I haven’t but had a tool the place the stock on my own used to be stale. I think this situation is most definitely redundant for the reason that, if the software can’t provide stock, it’s not likely so that you could obtain the brand new profile both.

Caution Length

When a brand new iOS replace comes out, the very first thing I do is push a notification to Self Provider. To be honest, about part the scholars reply to this in a well timed way.

After a couple of days, my new factor is to push a brand new wallpaper to the gadgets that places the message proper within the scholars’ faces.

After a couple of extra days, if the gadgets nonetheless aren’t up to date, I replace the standards for the lockout protocol and the shutter comes down till the entirety comes into line.

Even if locked out, the software will nonetheless be capable of be up to date as Settings is the one app that may’t be hidden.

As soon as the anomalous state of affairs is resolved, the consumer will most likely want to come and notice me. Units replace their stock normally as soon as an afternoon to the JSS, however an administrator can pressure a list replace manually. That may motive the software knowledge to be up to date and the limitations lifted.