iOS 12.1.3 (beta 4) changes to MDM enrolment workflow

From what we’ve seen with iOS 12.1.3 beta (verified in beta 4), Apple have changed the manual MDM enrolment workflow. This workflow will not be shipped with iOS 12.1.3 but will be shipped in a later version of iOS 12.

Instead of being re-directed automatically to Settings after allowing the profile install, the user is presented with a new screen.

Profile Downloaded
Install this downloaded profile in Settings.

The user then must go manually into settings and hit “Install Profile”

This takes the user to the following screen where the user must hit “Install”

After this the prompts are the same as before.

From Apple:

In order to improve platform security by reducing misleading profile installations, iOS 12.1.3 beta includes a new workflow for manually installing configuration profiles. When you manually install a profile, for example from a website or an email message, you will receive a notification that the profile has been downloaded. To install the profile you must launch Settings and tap General then tap Profiles or Device Management. You will see a list of Downloaded Profiles. You can inspect each one and install or delete it. If you do not install the profile within 24 hours of downloading it, it will be deleted automatically.

There is no change for profiles installed by Mobile Device Management (MDM), or for MDM enrollment to servers assigned in Apple Business Manager or Apple School Manager. However, this does change the workflow for manually enrolling in MDM. Please test your MDM enrollment workflow and file feedback for any problems you find.

Apple plans to test this workflow in iOS 12.1.3 beta but revert it in iOS 12.1.3 GM. We plan to include it in a future iOS 12 GM update.

4 Likes

:frowning: This is not a good thing for customers to enroll their devices…

1 Like

Apple reference: Install a configuration profile on your iPhone or iPad - Apple Support (NZ)

Yes @benoit, I agree this does make it harder for BYOD enrollments and I expect additional impact on MSPs.

This change aligns with Apple’s goal to shift all corporate devices to Apple Business Manager (ABM) and to improve users’ privacy on personal devices through manual user actions.

Would like to know which release they intend to target for production.

1 Like

Sadly, when MDM Profile is downloaded instead of Profile Service, it shows ‘Remove Management’ instead of ‘Remove downloaded profile’ before installing

1 Like

Do you see the “Profile Downloaded” message?

Sounds like you are either not on a beta build supporting the described profile process or your enrollment completed.

Can only confirm. I tested with DEP device.

Regards,

Dimitri

This is likely to be shipped with iOS 12.2

The enrolment steps changed slightly in iOS 12.2 beta 1

Now you get a prompt to “Install Downloaded Profile” as you open settings

The profile no longer has an install button underneath it

If you hit cancel on the installation screen, the profile is removed and you have to re-download the profile (there are no prompts warning you when you hit cancel)

Microsoft Intune article on this:

VMware blog post:

MaaS360:

https://www.ibm.com/developerworks/community/blogs/4d57676c-a8cd-4907-9910-b21f35a1e5c6/entry/iOS_12_Manual_MDM_Enrollment_Changes?lang=en

Citrix:

Microsoft have announced they are making client changes for this feature. Even though the communications are still a little ambiguous, I would expect the change in 12.2

iOS 12.2 was released a few hours ago with this functionality shipped

Official Apple article here: Install a configuration profile on your iPhone or iPad - Apple Support

2 Likes

If a profile is not installed within 8 minutes of downloading it, it is automatically deleted.

Just tested on 12.2, but I can’t confirm this part for MDM profiles. It seems to just stay there after 8 minutes.