MaaS360 w/ Apple DEP Setup/Roll Out Issue

Eric Hoeberlein
Eric Hoeberlein used Ask the Experts™
on
We are starting to roll out Maas360 through Verizon at our company.  I have everything setup correctly i think as per this youtube video:  https://www.youtube.com/watch?v=VQlm7gksshE&feature=youtu.be

The Apple DEP is working and my devices show up in the Maas360 Portal after registering them in the Apple Business Portal.  I have one security policy setup that should lock the phone down for public use.  I want to remove all app's but for a select few Apple ones and then add 3-4 apps from the App Store like Verizon Push to Talk and Google Maps.

I have a policy setup that locks the phone down and i see in settings that MaaS360 is installed and the restrictions are in place.  When i start the phone and activate it the Remote Management screen comes up and configures the device, allows me to set the passcode and AppleID and then releases to the home screen when it downloads the MaaS360 app.

One thing i have noticed off the bat is i don't have to put the passcode in during setup (It should be enforced) and if i do not the phone shows in the portal as not having a passcode but the MaaS360 is not enforcing it or requesting one to be setup.

The other more pressing issue is its not downloading the additional apps that i have specified in the policy and added to the app catalog.  It also does not download the app MaaS360 catalog app to allow me to manually install them and since the Apple App Store is restricted i have no way of adding the apps.  Has anyone seen this behavior before?  Maybe im missing something in the initial configuration or in the policy that is effecting the roll out, any help would be greatly appreciated.

Thanks

-Eric
Comment
Watch Question

Do more with

Expert Office
EXPERT OFFICE® is a registered trademark of EXPERTS EXCHANGE®
Michael ElliottHelpDesk Technician

Commented:
Hi Eric,

I would recommend checking that the profile they are using was configured with the 'Supervised' option and that the apps they are trying to install are part of the Apple Volume Purchase Program.

Also make sure the application are set to install as device if they are not using an apple ID.
image2.png
Eric HoeberleinDirector of I.T.

Author

Commented:
Thanks for the feedback, ive been looking through tutorials and have made some progress in getting the apps to roll out now that i figured out how to configure the user groups and apply the apps to them (using the app catalog).  The thing im running into right now it we want to have alot of phones that will go to Valet and other shared groups in our hotel and not have to use a personal apple id.  Once a employees shift is done they hand the phone to the next user.

I can tell you that we are using Apple DEP but are not a part of the Apple Volume Purchase Program, im not sure what it is but our Verizon rep never mentioned it and the only apps we need are free ones from the APP Store.  

I am trying to get 2 phones provisioned that will not use any personal Apple ID's and only have Google Maps and the Weather Channel App installed (i tried a shared Apple ID but every-time i activate the phone it gives me issues getting the 2FA code) . The only way i have found to push the apps is include apple ID as part of the initial setup in the DEP Profile (then i run into the  2FA code issue), if i skip it nothing installs and the phone keeps asking for an Apple ID.

Can you provide any insight as to what i might be doing wrong.  I would be happy to send any screen caps if you just let me know what screen you need to see.  Thanks so much for your help.

-Eric
Michael ElliottHelpDesk Technician

Commented:
Hi again Eric,

The profile created for a device is what determines those features like Passcode, Apple ID.

If you had Apple ID checked that means that the device requires an apple ID.

For the apps, it doesn't matter if the app is free. You can still get a Volume Purchase Program token to use. Its just an easier way to install apps to multiple devices.
Become a Microsoft Certified Solutions Expert

This course teaches how to install and configure Windows Server 2012 R2.  It is the first step on your path to becoming a Microsoft Certified Solutions Expert (MCSE).

What profile did you use for the device? Did you skip the apple id option ?
Eric HoeberleinDirector of I.T.

Author

Commented:
I will look into the VPP to se what thats all about.  I have attached 2 screen caps of the DEP profile i have configured.  y understanding was it just skips the items in the initial configuration, if i skip the apple id when the initial config ends it just starts asking for it to install the apps.  Am I in the same profile you are talking about or is that a security policy you are referring to.

Thanks
Screen-Shot-2019-07-10-at-2.03.42-PM.png
Screen-Shot-2019-07-10-at-2.03.51-PM.png
This is why you need the VPP, to make the install faster without the need of an apple id. It doesn't matter if the app is free.
41:47 Volume Purchase Program (VPP) From the  https://www.youtube.com/watch?v=VQlm7gksshE&t=2507s

Hope this helps
Eric HoeberleinDirector of I.T.

Author

Commented:
Thanks, im going to watch that as soon as i put a fire or two out and I'll let you know if that fills in the missing gap of my knowledge.  I will update as soon as i get a handle on it.

-Eric
Your configuration profile looks good.  With the VPP you will be allowed to install apps silently.

Also, you mention
"One thing i have noticed off the bat is i don't have to put the passcode in during setup (It should be enforced) and if i do not the phone shows in the portal as not having a passcode but the MaaS360 is not enforcing it or requesting one to be setup."

That's because your skipping it according to the profile settings you are pushing to the phone.
Eric HoeberleinDirector of I.T.

Author

Commented:
Do you see that in the screen shots i posted or is that somewhere else in the policy.  If you let me know what screen its in ill cap and post my settings.  In my "Security" policy i have passcode enforced, I've attached a picture of the policy that im currently using, i only have one currently im testing with.  

Thanks
Screen-Shot-2019-07-10-at-2.20.35-PM.png
Eric HoeberleinDirector of I.T.

Author

Commented:
Ive setup VPP and the apps are starting to populate in my catalog.  Next i will create an app bundle with just the 3 i need.  Whats the best way to push them out?  I only want a couple phones to be locked down.  I was going to create one shared user in MaaS360 and add it to a User Group and then assign the apps to push to that single User Group.

Is there an easier way to do this?  If possible i would not even like to have a user assigned to these devices, just lock it down, have the 3 apps pushed and hand them out.

Thank you so much for your help with this setup, i feel like im almost at the finish line.
-Eric
on the app catalog you need to make sure that the app you are installing are set to deploy to the Device not the User. If the setting is set to user then it will require an apple id to install. To install without an apple id you must make sure the setting is set to install for the Device which will perform a silent install.

example:
appdeploymentJPG.JPG
Eric HoeberleinDirector of I.T.

Author

Commented:
I have it set and the apps are pushing without the need for an apple id.  Now i have a phone that will not wipe from the portal even though it says its in connect and one that says on activation the profile is invalid but those are separate issues for another time.  Thanks for all your help in getting this corrected for me.
Eric HoeberleinDirector of I.T.

Author

Commented:
Thanks for all your help, im on the right path now.

-Eric

Do more with

Expert Office
Submit tech questions to Ask the Experts™ at any time to receive solutions, advice, and new ideas from leading industry professionals.

Start 7-Day Free Trial