MDaemon, Airwatch and iPhones
Faced with the task of rolling out iPhones to near-100 users we thought it would be best to investigate some Mobile Device Management (MDM) vendors, trying to keep track of 100 free “find my iPhone” accounts might be achievable, but it certainly wouldn’t be fun.
We fairly quickly decided on Airwatch (http://www.air-watch.com/), relatively new to the market place in terms of MDM but cheap enough that we could give it a go without too much heartache.
At the same time as this MDaemon (our preferred e-mail server software) released an update which supported Exchange ActiveSync (if the word makes you shudder because of flashbacks of crappy PC-based synchronisation problems, fear not, it’s different): this presented us with an opportunity to roll out 100 centrally managed iPhones with vastly improved functionality and easy-of-use when compared to our previous implementation.
Any MDM
If you want to get started with this, you should know that any MDM implementation will require you to be a member of Apple’s enterprise development program – this is awkward because it costs about $300 to do, but it’s also neat because it means you officially have access to beta releases of iOS which means you can test enterprise functionality and confirm things work before Apple release an update to all of your users.
It’s worth noting as well that Apple’s approach to MDM is that, ultimately, the user owns the device. You can lock down a device and install profiles and everything to your heart’s content, and you can keep your corporate data totally secure in that respect, but if a user decides to, he or she can remove the profile and be left with a blank iPhone – your data is secure, but you could easily lose the device itself. They do this because they expect in the majority of cases that you’ll be allowing users to enrol their own mobile phones, unfortunately in my case I was doing the opposite!
Airwatch
Airwatch is a cool piece of software, and it only costs £2.00 per month, per device, which makes it quite readily scalable for small-to-medium size businesses. The Airwatch interface is fairly intuitive and they have an iOS app which can be used for tracking the phone via GPS and suchlike.
Creating a profile in Airwatch gives you all the same options as in the iPhone Configuration Utility, it’s simply web based and you can push those profiles down to any enrolled device. As well as the usual remote wipe feature Airwatch boasts a more useful “un-enrol” which simply removes all the corporate information such as e-mail accounts and data from the device.
Having the profiles in a central location drastically reduces turnaround time if users require a replacement handset for whatever reason, you just enrol the phone and push down the profiles and straight away they’ve got their e-mail, calendar and contacts working.
The only issues I’ve had with Airwatch were:
- Originally I wanted to do a local install (rather than use the website as SaaS) – this proved to be impossible when we established that I was required to change my entire database collaboration first.
- They have, in the past, released new iOS apps without warning, which is fine, until you have to deal with all the incoming support calls about a pending update – this seems to be getting better.
MDaemon and Exchange ActiveSync
MDaemon then bring out Exchange ActiveSync which means that we can now automatically synchronise the calendar and contacts of a given user with the iPhone seamelessly, over-the-air, and in the background – a huge advancement on the manual sync required before. There are two ways to configure this in Airwatch and it very much depends on the first point I raised about MDM as to which you use. If you want your users to enrol their own devices, then super, you can set up a single profile which will take the user’s email address and password and create an automatic Exchange account on their iPhone for you.
If you’re rolling out a fleet of iPhones however, you’re unlikely to want that to happen and so what I did was create a profile for each user with their ActiveSync details in and their e-mail account details in (at the time of deployment we did e-mail over IMAP, and even though it is now possible over ActiveSync with MDaemon there’s no real reason to change).
An extra note on the joy of Webclips
Webclips are just little shortcuts on the iPhone’s home screen which lead to web addresses – if you deploy them via profiles (and therefore Airwatch) you can force them to launch in a full screen safari window which makes them look just like full web applications rather than web pages. It’s been a brilliant way for us to deploy information to end users such as communicating the effects of upgrading their company iPhones to iOS5. I made some nice little webclip icons that looked like this:
And when you clicked on the iOS5 one, for example, a full-screen web-page (well, actually PDF on a website) that looked like this was displayed:
iTunes: Turning on Activation-only Mode
That’s right, unfortunately I didn’t find this out until after the deployment (and it wasn’t a huge issue as I was installing apps at the same time), but iTunes has an activation only mode which you can use to just plug in an iPhone, have it unlocked and then do the next one. With iOS5 due to be released in about a week’s time this will probably stop being an issue (as we’re all going PC-free), it’s here: iTunes: Turning on Activation-only Mode.
Backups as base images
It may seem obvious too, but if you hadn’t thought about deploying with a baseline iTunes backup – do! You can set a blank iPhone up with all the required apps on it (assuming you have licenses etc) and then simply restore that backup onto multiple phones as part of a roll-out process.