Probably the most issues I would like so to do in our new deployment is come across units which might be “out of spec” and be sure that the customers in finding their as far back as me for … ah … re-education.
Maximum “out of spec” issues may also be handled through the MDM server itself. If a tool exams in with a lacking configuration profile or a lacking app, the server will robotically care for that.
Occasionally, regardless that, we wish to take a look at for different stipulations and be sure that those eventualities do not move on for too lengthy. To reach this, I’ve designed a “lockout protocol” for our deployment.
The Configuration Profile
We now have a configuration profile that may be implemented to any supervised iPad that necessarily “locks out” the consumer from doing any paintings. It’s actually slightly easy.
The primary payload is a Restrictions payload which I exploit to just permit one app: The JAMF Self Provider app.
The second one payload is a House Display screen Structure payload. This places the Self Provider app into the Dock, in order that folks can in finding it simply.
That’s all it’s however, since the units are supervised and in DEP, there’s not anything the consumer can do to get out of this example excluding to return and notice me for lend a hand.
The Standards for Lockout
To come across those anomalous stipulations, I’ve a wise software crew in our MDM that captures units in accordance with the next stipulations:
- The software stock is greater than 10 days outdated (i.e. it’s no longer speaking with the server correctly) OR
- The JSS “Jailbreak Detected” box is “sure” OR
- The “Location Products and services for Self Provider” is “No longer Enabled/Unknown”.
- The iOS model is not up to the present liberate model of iOS.
Now, I typically give a grace length for iOS updates of a few week earlier than I replace the standards for the sensible crew so it’s no longer too draconian.
I haven’t but had a tool the place the stock on my own was once stale. I think this situation is most likely redundant for the reason that, if the software can’t provide stock, it’s not likely so to obtain the brand new profile both.
When a brand new iOS replace comes out, the very first thing I do is push a notification to Self Provider. To be honest, about part the scholars reply to this in a well timed way.
After a couple of days, my new factor is to push a brand new wallpaper to the units that places the message proper within the scholars’ faces.
After a couple of extra days, if the units nonetheless aren’t up to date, I replace the standards for the lockout protocol and the shutter comes down till the entirety comes into line.
Even if locked out, the software will nonetheless be capable of be up to date as Settings is the one app that may’t be hidden.
As soon as the anomalous state of affairs is resolved, the consumer will most probably want to come and notice me. Gadgets replace their stock most often as soon as an afternoon to the JSS, however an administrator can power a list replace manually. That may trigger the software knowledge to be up to date and the limitations lifted.