Weekly News Summary for Admins — 2019-05-03

The big news this week was that Apple has started removing certain iOS applications which allow fine-grained parental controls for their children’s iPhones and iPads. The first post on this in the New York Times speculated that Apple was removing products that compete with Screen Time. However, Apple clarified that these companies are using MDM (Mobile Devices Management servers) to get the features, which is a “guideline violation.”

Since this discussion involves MDM, I believe it is very relevant to Mac and iOS administrators.

You could discuss whether these services should be using MDM to get the feature set their customers desire. You could have (the ever repeating) discussion on how Apple reverses years’ worth of approvals because they now suddenly realize the app has been in violation all along. You could question how fair and reasonable the 30 days ultimatum for an updated app without MDM was, since there is no other API with a similar feature set, and how well the ultimatum was communicated.

But I want to point out that MDM enrollment, both on iOS and macOS, has to be manually initiated the user, and approved with a passcode. This required user approval, is a big hurdle for automated delpoyments, something which administrators are longing for.

The workaround for this, according to Apple is Automated Device Enrollment (formerly known as DEP) where the chain of possession from Apple, through a reseller, to the purchasing organisation is proven and logged in Apple’s servers. Even with DEP, user approval of the management features is necessay at first boot.

There have been cases where malware has installed MDM profiles on iOS and Macs and supposedly user approval should protect from these cases. Yet, when a service or application, which promises a solution the user desires, asks for approval, the user will click anything.

Users are trained to approve these security dialogs. The more dialogs the system throws at the user, the more they are trained to quickly approve and authorize them without really reading or understanding. Too much user approval can be detrimental to its purpose.

MDM servers need certificates from Apple to work. They need to register with the push notification service to communicate with the clients. The client applications that are distributed through the iOS and Mac App Stores, need developer certificates from Apple.

Apple would have many options to control and block malicious actors in this field without hurting legitimate services and administrators seeking automation.

If you would rather get the weekly newsletter by email, you can subscribe to the Scripting OS X Weekly Newsletter here!! (Same content, delivered to your Inbox once a week.)

📰News and Opinion

Parental Control Apps/MDM

🐦MacAdmins on Twitter

  • mikeymikey: “Different techniques, different goals. Internet recovery has been modified multiple times over the years (example change in 10.12.4), whereas netboot was a device independent standard that would have needed a total overhaul for Secure Boot.”
  • Steve Troughton-Smith: “Just 35 days to WWDC! 35 days to iOS apps on the Mac, 35 days to multi-window iPad homescreen revamp, 35 days to Dark Mode on iOS”
  • Steve Troughton-Smith: “Dashboard isn’t the only thing gone in 10.15 — so is 32-bit app & plugin support, Carbon, Ink, QuickTime 7 & QuickTime plugins, PPTP, and hardware RAID. You will get Python 3.7 and Ruby 2.6, at least” (Python 3 alongisde the soon-to be EOL’ed Python 2.7 would be good news.)
  • Emily kw, ph.d.: “Hello. I’m a Sr. Systems Engineer for a Fortune 25 company. I am not interested in your Technical Support Specialist job offers. Goodbye.”

🐞Bugs and Security

🔨Support and HowTos

🤖Scripting and Automation

🍏Apple Support

♻️Updates and Releases

🎈Just for Fun

📚 Support

There are no ads on my webpage or this newsletter. If you are enjoying what you are reading here, please spread the word and recommend it to another Mac Admin!

If you want to support me and this website even further, then consider buying one (or all) of my books. It’s like a subscription fee, but you also get a useful book or two extra!

Leave a Reply

Your email address will not be published. Required fields are marked *

This site uses Akismet to reduce spam. Learn how your comment data is processed.