Why Can Users Remove iPad MDM Management Profiles?


If you’re using an MDM solution with your iPads you may have noticed that your users can easily remove any management profile they wish. Here’s why, and what you can do about it.


UPDATE March 2014: Apple has announced the Device Enrollment Program which will resolve this issue for many schools. Find out more about DEP here.

Mobile Device Management (MDM) is an extremely useful tool for schools managing large numbers of iPads, allowing administrators to remotely push apps and settings to iOS devices.

There is a wide range of MDM solutions available, from free cloud-hosted services like Meraki and self-hosted options like SCCM 2012 to high-end, feature-rich services like AirWatch and Casper Suite.

But there’s a problem that affects every one of the available MDM services, including Apple’s own Profile Manager.

MDM profile settings are applied via Apple’s MDM API for iOS. One of the restrictions of the MDM API is that the end-user — your teachers and students — can simply remove any applied management profiles by opening Settings > About > Profiles.

The single exception to this is management profiles created and installed by Apple Configurator.

You’ve probably noticed in your MDM solution’s settings an option to enter a password to prevent the profile being removed. This does not resolve the problem. From Meraki’s website:

The ‘Meraki Management’ profile contains mobile device management settings for iOS devices. Apple does not allow profiles that contain these settings to be password protected. All other profiles pushed through Systems Manager can be password protected. However, if the user removes the ‘Meraki Management’ profile, all profiles (and, potentially, apps) pushed through Systems Manager will be deleted as well.
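To see which removal behaviour a given profile will get before it is deployed, the following added example (not code from Meraki, Apple or this site) parses an unsigned .mobileconfig plist and classifies it. It uses the configuration profile keys PayloadRemovalDisallowed, com.apple.profileRemovalPassword and com.apple.mdm; the policy labels, the helper names and the sample profiles are assumptions made for illustration.

```python
import plistlib

MDM_TYPE = "com.apple.mdm"                         # the management payload
PASSWORD_TYPE = "com.apple.profileRemovalPassword"  # removal password payload


def removal_policy(profile_bytes):
    """Classify how a user can remove an unsigned .mobileconfig profile."""
    profile = plistlib.loads(profile_bytes)
    payloads = profile.get("PayloadContent", [])
    types = {p.get("PayloadType") for p in payloads if isinstance(p, dict)}
    has_mdm = MDM_TYPE in types
    has_password = PASSWORD_TYPE in types
    # Only honoured on supervised devices (e.g. set up with Apple Configurator).
    locked = profile.get("PayloadRemovalDisallowed") is True

    warnings = []
    if has_mdm and has_password:
        warnings.append("removal password is not honoured on the MDM profile")
    if has_mdm and not locked:
        warnings.append("user can remove MDM; pushed profiles go with it")

    if locked:
        policy = "never"
    elif has_password and not has_mdm:
        policy = "with authorization"
    else:
        policy = "always"
    return {"policy": policy, "has_mdm": has_mdm, "warnings": warnings}


def _sample(payload_types, locked=False):
    # Constructed sample profile, not taken from any real MDM server.
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": "com.example.sample",
        "PayloadContent": [{"PayloadType": t} for t in payload_types],
    }
    if locked:
        profile["PayloadRemovalDisallowed"] = True
    return plistlib.dumps(profile)


SAMPLES = {
    "mdm_with_password": _sample([MDM_TYPE, PASSWORD_TYPE]),
    "wifi_with_password": _sample(["com.apple.wifi.managed", PASSWORD_TYPE]),
    "configurator_locked": _sample(["com.apple.wifi.managed"], locked=True),
}

if __name__ == "__main__":
    for name, data in SAMPLES.items():
        print(name, removal_policy(data))
```

Signed profiles are wrapped in a CMS envelope and must be unwrapped before this parser will read them.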

How Can I Stop Teachers and Students Removing iPad Management Profiles?

At the time of writing there is no solution to this problem. The situation is the same for all MDM solutions, including high-end options like AirWatch and Casper Suite.

This issue is a major problem for administrators responsible for managing fleets of iPads. The fact that the end user can simply remove any settings, security, and apps that they wish is a huge oversight by Apple. Management profiles can be accidentally or maliciously removed, deleting important settings for WiFi connections, proxy information, email accounts, and VPN settings. This results in an increased administrative overhead for those responsible for managing the devices and has knock-on effects for hardware security, data protection, and e-Safety.

The problem emphasises the boundary between Apple’s propensity for all-encompassing control of the user experience and a private organisation’s need to manage its devices. If a school buys an iPad for a student, it should be the decision of the school which settings are applied to the device to enforce school policies, even if it does impinge on the user experience.

If a school wishes to leave the device open, that is fine, but this issue also prevents things such as limiting the network to which the device can connect, how the user stores work, and asset management.

I’m hopeful that this problem will be sorted out in iOS7. Apple are making clear signs that they’re prepared to improve iPad management for education, but only time will tell.

Has the ability for end users to remove management profiles caused any issues in your school? Share in the comments.


About Author

Karl is an award winning school Network Manager, IT Lead Professional for Bedfordshire Borough Council, and is an ICT Across the Curriculum Co-ordinator based near London, England. He has been working in education for more than ten years and founded ClassThink in 2013 to share technology best practice with other schools. In 2014 he won the NAACE Impact Award for support services in schools, and writes edtech articles for Education Executive Magazine.

19 Comments

  1. I think it is pointless not having the ability to stop users from removing the profile from the device; the MDMs will only be of help if we can stop users from removing profiles.

  2. Correct me if I’m wrong but Meraki can now prevent a profile from being removed by setting a password which you control from the dashboard. That’s what we’ve done for iPads we loan to customers to try our App. The other great thing you can do is to lock an iPad to only run one App. This is also a huge benefit if you want someone to try your App and only have the iPad used for that.

  3. Hi there, I bumped into this conversation as I was stuck in a similar situation. But I had access to the support guys (evaluating a trial version) and indeed was able to restrict the profile from being removed at the user level. So the restrictions for “Allow Removal” under profile are “Always”, “With Authorization” & “Never”.

    MDM -> Airwatch
    Version -> iOS 7.0.6
    Device -> iPhone 5
