With the series "We deploy Apple products in business", we help spread awareness of how iPads, Macs or iPhones can be effectively integrated into the operations of companies and institutions in the Czech Republic. In the first part, we will focus on the MDM program.
You can find the whole series on Jablíčkář under the label #byznys.
In the first part of our series, we will look at the integration of iPads into a manufacturing company that uses them to streamline work directly in production, specifically at the initial process of product selection, their installation and subsequent management.
AVEX Steel Products is a manufacturer of storage and transport pallets for the automotive industry. In the past, like most companies today, the company dealt with the issue of work efficiency at individual workplaces. In this particular case, AVEX focused on increasing productivity by eliminating existing dysfunctional mechanisms based on the distribution of information in production on paper.
Individual workstations obtained information about the order, storage and production in paper form, or went to the shift manager, who had all the data at his station on the computer. They decided to solve this unproductive and, above all, inefficient way of transmitting information to individual production workers by introducing tablets to individual workstations.
Tablets thus began to replace paper with drawings, information about orders and warehouse management. People stopped losing papers with information, gained an overview of the order and could start focusing primarily on their work and not on administration.
The first steps when you want to deploy iPads in your company
The way tablets are used today at AVEX has fundamentally changed the entire course of production and the overall awareness of individual orders. However, we will return to how this fundamental change took place, which led to increased productivity and more efficient operations at AVEX, in one of the following parts. Now we will focus on the necessary theory that everything starts with.
At the very beginning of everything for the AVEX company was the decision of which tablets to purchase and how the company would take care of them. The following questions were absolutely key to their deployment.
- Which tablet to choose?
- How to deal with preparing and setting up a large number of tablets?
- How to install the necessary applications for the distribution of drawings, orders and warehouses on tablets?
- How will the company take care of the tablets?
- How to ensure user comfort in production without placing increased demands on employees for technical knowledge of tablet settings?
At the time the project was implemented, there was only one tablet on the market that met all the defined criteria. These were far from just the price; above all they were references from similar deployments in a production environment, the simplicity of developing a stable application tailored to the company's production needs, the possibility of controlling the tablet remotely, and making it impossible for the user to accidentally delete applications or modify the tablet's settings.
Although the tablets you can buy on the market today appear to fulfill all these functions, they are still a long way behind the capabilities of the iPad itself.
So iPads were bought for AVEX and the next step was due. The company needs to install several applications that will allow users in production to access information and work with orders. Imagine a large number of devices and an IT administrator who must first set them all up, install applications, connect them to Wi-Fi and secure them against accidental uninstalls and changes to settings. In addition, it is also necessary to ensure the security of the data that the applications contain and to prevent its possible theft from operations.
At this stage, MDM (Mobile Device Management) technology comes into play. Everything that the company will need to set up, install and manage iPads is handled by this technology from Apple.
There are several MDM service providers on the market and prices range from 49 to 90 crowns per device per month. Companies can also use native server applications from Apple, which manage all iOS and Mac devices without monthly fees and run on premises.
Before choosing the right solution, you need to define what you will require from this service. Individual providers may differ from each other in the options of functionality offered, and the final price is also related to this. In our case, we will focus on the basic functions of MDM, which sufficiently meet all the criteria of the AVEX company.
MDM as the key to everything
MDM is a solution for the management of mobile devices and at the same time a technology that will suddenly become the best assistant for an IT worker who is in charge of managing iPads.
"Thanks to MDM, the administrator of mobile devices can perform time-consuming operations, such as mass installation of applications or Wi-Fi settings, and all this within a few seconds," explains Jan Kučerík, who has long been involved in the implementation of Apple products in various sectors of human activity and with whom we are working together on this series. "It is enough for the administrator to enter the command for the given operation for all iPads at once from any device with a web browser."
“Installation starts in seconds, regardless of where the individual iPads are currently located. For example, the installation can be done from an iPhone while traveling between the office and the warehouse. The administrator also has a complete overview of all devices, for example, he can see how much disk space is left in each iPad or what the current battery status is," Kučerík adds.
For the needs of a manufacturing company like AVEX, you can use MDM to hide, for example, the App Store or iTunes and thus prevent end users from logging in under a different Apple ID. You can completely disable the deletion of applications, disable the change of the background or define the parameters of the code lock as one of the elements of company security. MDM can also hide any app on the iPad.
"It's not always desirable for the end user to browse Facebook or the Internet," Kučerík gives an example, adding that MDM also handles password management and Wi-Fi settings, which is also a key feature.
The app disappears when needed
In a corporate environment, you can even set a location where all devices automatically turn off or have their cameras disappear, which is handy when you need to protect manufacturing secrets, for example. "You don't have to cover the lenses with adhesive tape, as is common practice today," continues Kučerík.
There are several applications of geolocation functions in MDM. The administrator of the iPads can set the geolocation policy of the iPads so that if the device leaves the defined area, the data can be deleted automatically. The administrator is always informed about the violation of the set location by the user as soon as the device leaves the defined area. There are many uses, and most of them lead to the maximum security of company data against their misuse.
"MDM allows me to send the application I need to any iPad. I can set a security policy for an iPad or a group of iPads and disable functionality that is unnecessary for the desired use of the iPad. Together with monitoring of the geographic location, MDM is a powerful tool for the corporate environment," confirms AVEX Steel Products IT manager Stanislav Farda.
How about privacy?
At the moment, it can be argued that, thanks to MDM, the privacy and security of user-entered data is disappearing from iPads and iPhones. What if the user wants to use their own device? Can an administrator view my messages, emails or view photos? We divide the MDM setting modes for iOS devices into two – supervised and unsupervised, so-called BYOD (Bring Your Own Device).
"We mostly set up equipment that is owned by a private person, not by a company, in unsupervised mode. This mode is significantly more lenient, and the MDM administrator cannot remotely do whatever they want with the user's device.
"This setup primarily serves as remote technical support and a tool for providing settings and installing applications in the environment in which the user moves within the company," explains Kučerík.
Unsupervised mode
So how does the unsupervised setting behave, what benefits does it bring to the user in a corporate environment, and what can the administrator set remotely using MDM? "This includes access to Wi-Fi networks, setting up VPNs, Exchange servers and e-mail clients; it can install new fonts, install signature and server certificates, install applications for business use, set up access to AirPlay, install printers or add access for subscribed calendars and contacts," lists Kučerík.
Installing applications in unsupervised mode is significantly different from that with higher supervision. In this case, the user receives information on the display of his iOS device that the MDM administrator is about to install the application on his device. It is then up to the user to allow or deny the installation.
The MDM administrator has no way to see or view the contents of the user's device in this mode. Apple itself would never allow such a function and only gives MDM administrators a tool that ensures maximum user comfort, not spying. "This setting cannot be bypassed in any way," emphasizes Kučerík, noting that the same applies to tracking where the device is located.
"Device location, or determining where your device is currently located, is a feature that as an MDM user you would have to confirm on your device by enabling location services in the MDM app that your administrator has installed on your iOS device. Without a combination of your enabling this function on the device as part of location services and written consent, it is not possible to determine your current location," assures Kučerík.
As a rule, the network administrator can only display the location of your network connection provider, which is often on the opposite side of the country depending on who your internet connection provider is.
Supervision mode
Settings in supervision mode are mainly used for iOS devices that are owned by the company, where employees only have the iPads on loan. In this case, the MDM administrator can do almost anything with the device. Again, it needs to be mentioned that, as with the unsupervised version, the administrator cannot view the contents of the device, read emails, view photos, etc. But these are the only nooks and crannies that the MDM administrator can't get into. Everywhere else, the door is wide open.
But what about device location tracking in this case? "There are laws in the Czech Republic, and even MDM administrators must comply with them when it comes to tracking the location of devices. In the case of a supervised device, it is the responsibility of the owner of the device who lent it to you to use, to inform you that the device is under surveillance and its location is being monitored. In this way, the owner or company fulfills the notification obligation. Ideally, the employer should have informed the user in writing," Kučerík explains.
An important element of the supervised setting is the possibility of using the so-called Single App Mode. This allows, for example, a single application to be run on selected iPads in the company without users being able to turn it off or go anywhere else on the iPad.
This function brings its benefits when the iPad is to serve as a single-purpose tool for the performance of a defined function. The iPad administrator has an application for this tool available on their iOS device, which will launch the desired content on all selected devices within a few seconds. To exit Single App Mode, simply turn off the function and the iPads will be unlocked in a few seconds, allowing them to use their full potential.
In the supervision mode, the administrator can also delete applications, make changes to the settings, connect the iPad to another device (Apple Watch), change the background or log in to Apple Music and other services, among other things.
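The restrictions listed earlier (hidden App Store, blocked app deletion, locked wallpaper, passcode rules, Wi-Fi) reach a device as a configuration profile pushed by the MDM server. The following is an added example, not code from AVEX or from the article: it builds such a profile with Python's plistlib and reports which settings would not be enforced on an unsupervised (BYOD) device. The identifier prefix, SSID and password are constructed placeholders, and the supervised-only key list is an assumption to check against Apple's current payload reference.

```python
import plistlib
import uuid

# Restrictions keys that only take effect on supervised devices.
# Assumption: verify against Apple's current payload reference.
SUPERVISED_ONLY = {
    "allowAppRemoval", "allowUIAppInstallation", "allowiTunes",
    "allowWallpaperModification", "allowAccountModification",
}


def payload(ptype, name, **settings):
    """Wrap settings in the keys every payload must carry."""
    return {
        "PayloadType": ptype,
        "PayloadIdentifier": f"com.example.factory.{name}",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": name,
        **settings,
    }


def build_profile(supervised):
    """Profile for a company-owned (supervised) or a BYOD device."""
    content = [
        payload("com.apple.wifi.managed", "wifi",
                SSID_STR="FACTORY-FLOOR",   # constructed SSID
                EncryptionType="WPA2", AutoJoin=True,
                Password="REPLACE-ME"),     # placeholder secret
        payload("com.apple.mobiledevice.passwordpolicy", "passcode",
                forcePIN=True, minLength=6, allowSimple=False,
                maxFailedAttempts=10),
    ]
    if supervised:
        content.append(payload(
            "com.apple.applicationaccess", "restrictions",
            allowAppRemoval=False,             # apps cannot be deleted
            allowUIAppInstallation=False,      # hides the App Store
            allowiTunes=False,                 # hides the iTunes Store
            allowWallpaperModification=False,  # background stays fixed
            allowAccountModification=False,    # account settings locked
        ))
    return payload("Configuration", "production-ipad", PayloadContent=content)


def lint(profile, supervised):
    """Return restriction keys the target device would not enforce."""
    if supervised:
        return []
    ignored = []
    for p in profile["PayloadContent"]:
        if p["PayloadType"] == "com.apple.applicationaccess":
            ignored += sorted(k for k in p if k in SUPERVISED_ONLY)
    return ignored


def to_mobileconfig(profile):
    """Serialize to the XML plist used for .mobileconfig files."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)
```

Running `lint` before a profile is assigned to a device group shows when a policy written for company-owned iPads is about to be sent to devices where its restrictions would silently not apply.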
"MDM is an absolute foundation that you cannot do without if you are thinking about implementing iPads or iPhones in your company. Subsequently, the new VPP and DEP programs come into play, which Apple launched for the Czech Republic only last October," concludes Kučerík.
It is the device registration and bulk purchase programs that push the efficiency of using iPads within the corporate environment a significant step further. We will discuss these new Apple programs in more detail in the next part of our series.
Nice article, it's interesting, but I would also appreciate articles about options for households/professionals - individual options and setting up several devices.
Hello Michael. What specifically do you have in mind for self-employed people? Continuations are being prepared, and if you give us a theme that corresponds to the real solution we implemented, we will be happy to incorporate it. In this series, we focus on practical cases from the Czech Republic, so that we do not present only theoretical possibilities. Thank you for the comment.
Hello, I had in mind a "small solution" - within a family or a small group or even a self-employed person - example - MacBook or iMac, iPad, iPhone, Time Capsule, Watch....
The possibilities that this will bring in terms of connection, content sharing, for example some privacy, backup, increased efficiency, some personal comfort...
Simply, if someone wants to switch to this platform in order to know what all it will allow him or not, how to set up the device for such use so that he can easily access invoices on a Mac from a phone or iPad, for example, but at the same time cannot browse other documents and does not have to be on the same ID, sharing calendar, notes or call handling, for example, on a Mac.
Such basics and advanced procedures are just what happens when a person starts from Windows and gets confused and often does not even know what is and is not possible.
Maybe it was already here, maybe it's very easy, but I haven't read a comprehensive article on the subject yet.
Thank you.
Hello Michael. Thanks for the clarification. Yes, you are right that this topic is also quite interesting. I think this is a topic for apple lovers and I will definitely recommend guys to write something like this. Currently, this article is dedicated to the corporate environment. Although in the introduction it appears that we are talking about a manufacturing company and MDM, there will be observations that can be used and applied to self-employed persons and smaller companies. There are a lot of topics and content. In any case, thanks for the topic! Have a nice day
Thanks also, yes I'd love to read more sequels - this kind of custom articles are very nice.
Good day to you too.
Hello, I would also welcome a topic for households/entrepreneurs, see "Mr. Michal".
Thank you
This is exactly the solution directly from Apple itself in the base. All devices are interconnected within the framework of one Apple ID. And through iCloud Drive, you can access all the documents, including those invoices.
Great series, keep it up, I might be interested in the possibilities of deploying Outlook for Mac in a corporate environment, I was not able to start the corporate calendar, management of contacts in outlook (synchronization with contacts on the phone...)
Greetings Franto from 1.cestovní! Good topic and thanks for them. Outlook and e-mail clients in general is a long-winded topic not only in terms of settings, but also usability for a corporate environment on Apple devices. Several factors come into consideration. If I'm still using an iOS device. If so, if I want to have an encryption (commercial) certificate, or an authentication for authorities (qualified) certificate, or both. Will these devices be with clients in MDM? If so, it is not possible to ensure the distribution of certificates to all devices except for the native mail client. Also, what delivery and shipping service do you use? exchange, imap, pop3, which provider? There are really too many factors. However, more or less everything is solvable. Similarly, I use a native email client precisely because of the inclusion of my Apple devices in MDM and the use of certificates on iOS as well. The advantage of MDM is that you don't have to worry about anything. You only need to know the password, nothing more.
Office 365 will solve this for you. In fact, even without work. What you are asking for is all in "default".
Thanks for the info, I'll look into it.
If there was a problem with that, let me know. I would send you a link to a one-month trial version for testing.
I would like to try it. If your offer is still valid...
No problem, where should I send it?
d9f5c8@tmpeml.info Thank you
Sent :-)
Nothing so far
According to the log, it has already been delivered
https://uploads.disquscdn.com/images/32b6ad7a7e0692906f9b64f368c56a79e58364c32ffc9fd9774dd0871e2cc243.png
Interestingly, nothing happened to me :o
Hello!
I wonder if it is possible to use the "free" MDM directly from Apple to take care of, for example, a simple backup of contacts, messages, backup devices, etc. Also, what limitations does Apple MDM have compared to paid services, if it is worth it?
Concretely: We have about 15 iPhones in the company, from the beginning we let employees use their own AppleID on company phones, but of course it got out of control, we lose an overview of company contacts and devices in general... I have no experience with MDM at all, but I would like to start this way to check all company devices, but I don't know where to start. Is it necessary to set up a Mac or does it also work on Windows (internal server, mail, everything runs on Win and we don't have a single Mac in the company).
Hello Mr Vasko. Thank you for your question. A native Apple server can solve quite a lot, especially in your smaller company, especially if the user devices are only from Apple. In order to advise you, I need to know more information. If you are interested, you can contact me personally. jankucerik@me.com
Good day, Mr. Kučerik. Would it be possible to answer here? I am dealing with a similar situation - a company exclusively on MS servers, but with about twenty iPads and ten iPhones. So far, the only control is to enforce the security policy via Exchange. But I would be interested in the possibility of remote settings, installing applications, configuring Wi-Fi, adding an email account. And like everywhere, we also save money (sometimes senselessly), so a free solution would be great. Perhaps one virtualized by a native Apple server? Or from my private Mac?
Hello Zdenek and thank you for your question. The MDM server from Apple has its great advantages, but it is impossible to cover the entire issue here. Not that I don't want to, but it's really too much. Rather, it occurs to me that we will prepare a workshop with jablickar.cz dealing with this method of deployment for those interested. We would make it simple and inexpensive, so that it would be really accessible to all interested parties, and we would prepare it for you in Prague. The aim of the workshop would be to solve how you can build an mdm server yourself and how to use it. If there is interest, in one day all participants in the workshop will be able to leave with their own MDM and without additional costs for licenses and other operations (except for their own human resources). It requires a dedicated Mac and knowledge.
I'm looking forward to it, nice article
Great
Great, the idea of the workshop; there are certainly more of us who are solving this problem in a corporate environment.
I just have to mention in advance that this MDM can only work with iOS and macOS. You cannot put other devices there.
I'm counting on that :)
Good day.
Will there be other series? I can quite well imagine deploying some kind of device management within the family (blocking applications for children, blocking settings, central installation of educational applications, central distribution of multimedia to iPads). We are a bit of an atypical household (5 children, we all have iPads, we marry iPhones and iPads, capsules, I also have a Macbook), in addition, I am embarking on the field of smart home (first steps with Netatmo and Philips Hue), so installing control applications lights…. it would be great to somehow have the whole thing under control. Thanks
The Shared Household will also provide a lot of things for you. If you set it up, you pay for the app with one card, all of them can be installed in all iOS devices and if the children go to the appstore, you will receive an SMS request from the appstore if you authorize the purchase. Family calendars, shared music and more will be created.
Hello, Mr. Kučerik. Don't you know, is there a way to turn on purchase authorization for family members over 18?
Hello! Thank you for your question. I'm afraid I can't help with that. It is automatically turned on for children's accounts, but you probably can't set it for adults. I'll try to find out. If I find out otherwise, I will contact you.