If you’re using an MDM solution with your iPads you may have noticed that your users can easily remove any management profile they wish. Here’s why, and what you can do about it.
UPDATE March 2014: Apple has announced the Device Enrollment Program which will resolve this issue for many schools. Find out more about DEP here.
Mobile Device Management (MDM) is an extremely useful tool for schools managing large numbers of iPads allowing administrators to remotely push apps and settings to iOS devices.
There are a wide range of MDM solutions available from free cloud hosted services like Meraki, self-hosted options like SCCM 2012, and high-end feature rich services like AirWatch and Casper Suite.
But there's a problem that affects every one of the available MDM services, including Apple's own Profile Manager.
MDM profile settings are applied via Apple's MDM API for iOS. One of the restrictions of the MDM API is that the end-user — your teachers and students — can simply remove any applied management profiles by opening Settings > About > Profiles.
The single exception to this are management profiles created and installed by Apple Configurator.
You've probably noticed in your MDM solution's settings an option to enter a password to prevent the profile being removed. This does not resolve the problem. From Meraki's website:
The 'Meraki Management' profile contains mobile device management settings for iOS devices. Apple does not allow profiles that contain these settings to be password protected. All other profiles pushed through Systems Manager can be password protected. However, if the user removes the 'Meraki Management' profile, all profiles (and, potentially, apps) pushed through Systems Manager will be deleted as well.
How Can I Stop Teachers and Students Removing iPad Management Profiles?
At the time of writing there is no solution to this problem. The situation is the same for all MDM solutions, including high-end options like AirWatch and Casper Suite.
This issue is a major problem for administrators responsible for managing fleets of iPads. The fact that the end user can simply remove any settings, security, and apps that they wish is a huge oversight by Apple. Management profiles can be accidentally or maliciously removed deleting important settings for WiFi connections, proxy information, email accounts, and VPN settings. This results in an increased administrative overhead for those responsible for managing the devices and has knock on effects for hardware security, data protection, and e-Safety.
The problem emphasises the boundary between Apple's propensity for all encompassing control of the user experience and a private organisation's need to manage their devices. If a school buys an iPad for a student it should be the decision of the school which settings are applied to the device to enforce school policies, even if it does impinge on the user experience.
If a school wishes to leave the device open, that is fine, but this issue also prevents things such as limiting the network to which the device can connect, how the user stores work, and asset management.
I'm hopeful that this problem will be sorted out in iOS7. Apple are making clear signs that they're prepared to improve iPad management for education, but only time will tell.
Has the ability for end users to remove management profiles caused any issues in your school? Share in the comments.