Apple Configurator


Apple Configurator 2 is a macOS (OS X) program for creating configuration profiles for Apple devices, including iPad, iPhone, Apple TV, and iPod Touch, so they can be deployed easily in a business or school. You can mass-enroll and supervise devices with Apple Configurator.

With the new Intune on Azure portal released, you can add iOS devices that are configured as Supervised devices via Apple Configurator 2. Configuring an iOS device this way requires that the device is connected to a macOS device running Apple Configurator.

  1. Enrolling with Apple Configurator requires that you USB-connect each iOS/iPadOS device to a Mac computer to set up corporate enrollment. You can enroll devices into Intune with Apple Configurator in two ways: Setup Assistant enrollment - Wipes the device and prepares it to enroll during Setup Assistant.
  2. What is Apple Configurator 2? Targeted toward schools and businesses, Apple Configurator 2 is a free macOS tool that allows you to manage all of the iOS devices in your organization from a central location. What does it do? With Apple Configurator 2, you can configure USB-connected devices all in one go.

Supervised mode was introduced by Apple in iOS version 5 and allows you to differentiate company-owned devices from personally owned devices. When an iOS device is in supervised mode, we can fully control iOS by configuring settings that cannot be configured otherwise. You often see supervised devices in schools, retail environments and healthcare, where the devices are used for one or more purposes and are often locked down.

So how do we configure a device to be in supervised mode? This can be done in two ways, via the Apple Device Enrollment Program (Apple DEP) or via the Apple Configurator. In this blog, I will focus on the Apple Configurator and how this can help you fully control the iOS devices.

The Apple Configurator can be used to create MOBILECONFIG files that you want to deploy via Microsoft Intune, but you can also use it to place the device in supervised mode and make sure the device is automatically enrolled in Microsoft Intune. Before we can configure an iOS device with the Apple Configurator, we need to prepare the Intune service.

Configure Apple Configurator Profile

In the Intune on Azure Portal, go to Intune >> Device Enrollment >> Apple Enrollment and click AC Profiles. In the AC Profiles, click Create. Supply a name and choose if you want to enroll the device with or without user affinity.

If you have a device where a user needs to be active, you may want to enroll with user affinity. If you have a kiosk device that is used by lots of people, you may want to enroll without user affinity. For this blog I have chosen to enroll without user affinity.

Click Create to create the AC Profile.

Import and assign iOS devices

Next we need to import the devices that you want to enroll via the Apple Configurator Profile, using a comma-separated values (CSV) file with the serial numbers and names of the devices.

In the Intune on Azure Portal, go to Intune >> Device Enrollment >> Apple Enrollment and click Apple Configurator Devices. In the Apple Configurator Devices, click Add and select the CSV file with the iOS devices. (The CSV file must contain a list of serial numbers and descriptions of the devices that need to be imported, e.g. XXXXXXXXXXXXX,iOS Test device Peter Daalmans)

Click Add.
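Every serial in the import file is pre-authorized for enrollment under the profile, so it is worth checking the file before uploading it. The following pre-import check is an added example, not part of the original post; the serial pattern and the sample rows are assumptions made for illustration.

```python
import csv
import io
import re

# Assumption: serials are letters and digits only; the 8-14 length window is a
# loose sanity bound chosen for this example, not a rule from the page.
SERIAL_RE = re.compile(r"^[A-Z0-9]{8,14}$")

# Constructed sample import file (not real serial numbers).
SAMPLE_CSV = """\
C02EXAMPLE01,Front desk iPad
C02EXAMPLE02,Warehouse scanner 1
c02example02,Warehouse scanner 2
C02EXAMPLE03
C02-EXAMPLE4,Kiosk
"""


def check_import_csv(text):
    """Return (rows, problems) for a 'serial,description' import file."""
    rows, problems, first_seen = [], [], {}
    reader = csv.reader(io.StringIO(text))
    for fields in reader:
        lineno = reader.line_num
        if not any(f.strip() for f in fields):
            continue  # skip blank lines
        if len(fields) != 2:
            problems.append((lineno, "expected 2 columns, found %d" % len(fields)))
            continue
        # Normalize case so the same device typed twice is caught as a duplicate.
        serial, description = fields[0].strip().upper(), fields[1].strip()
        if not SERIAL_RE.match(serial):
            problems.append((lineno, "malformed serial %r" % fields[0]))
        elif not description:
            problems.append((lineno, "empty description"))
        elif serial in first_seen:
            problems.append((lineno, "duplicate of line %d" % first_seen[serial]))
        else:
            first_seen[serial] = lineno
            rows.append((serial, description))
    return rows, problems


if __name__ == "__main__":
    rows, problems = check_import_csv(SAMPLE_CSV)
    print("%d device(s) ready to import" % len(rows))
    for lineno, message in problems:
        print("line %d: %s" % (lineno, message))
```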

Export AC Profile

In the Intune on Azure Portal, go to Intune >> Device Enrollment >> Apple Enrollment and click AC Profiles. In the AC Profiles, click the profile that you have just created and click Export Profile.

Copy the URL and save it for later when configuring the Apple Configurator device.

( https://appleconfigurator2.manage.microsoft.com/MDMServiceConfig?id=XXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX&AADTenantId=XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX )
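The URL pasted into Apple Configurator decides which MDM service the prepared devices enroll with, so a mistyped or substituted URL hands the devices to the wrong server or tenant. The check below is an added example, not part of the original post: the host, path and parameter names come from the URL shown above, while the GUID format, the function name and the sample IDs are assumptions.

```python
import re
from urllib.parse import parse_qs, urlsplit

# Host and path as they appear in the exported URL shown on this page.
EXPECTED_HOST = "appleconfigurator2.manage.microsoft.com"
EXPECTED_PATH = "/MDMServiceConfig"
# Assumption: both query values are GUIDs, as the page's placeholder suggests.
GUID_RE = re.compile(r"^[0-9a-f]{8}-(?:[0-9a-f]{4}-){3}[0-9a-f]{12}$", re.I)

# Constructed sample values (not real tenant or profile IDs).
TENANT_ID = "11111111-2222-3333-4444-555555555555"
PROFILE_ID = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
GOOD_URL = "https://%s%s?id=%s&AADTenantId=%s" % (
    EXPECTED_HOST, EXPECTED_PATH, PROFILE_ID, TENANT_ID)
LOOKALIKE_URL = GOOD_URL.replace(".microsoft.com/", ".microsoft.com.example.net/")


def check_enrollment_url(url, expected_tenant_id):
    """Return a list of problems; an empty list means the URL looks right."""
    problems = []
    parts = urlsplit(url.strip())
    if parts.scheme != "https":
        problems.append("scheme is %r, expected 'https'" % parts.scheme)
    # urlsplit lower-cases the hostname and separates userinfo and port,
    # so "expected-host@other-host" tricks fail the exact comparison.
    if parts.hostname != EXPECTED_HOST:
        problems.append("unexpected host %r" % parts.hostname)
    if parts.username is not None or parts.password is not None:
        problems.append("URL carries userinfo before the host")
    try:
        port = parts.port
    except ValueError:
        port = -1
    if port not in (None, 443):
        problems.append("unexpected port")
    if parts.path != EXPECTED_PATH:
        problems.append("unexpected path %r" % parts.path)
    query = parse_qs(parts.query)
    for name in ("id", "AADTenantId"):
        values = query.get(name, [])
        if len(values) != 1 or not GUID_RE.match(values[0]):
            problems.append("%s must be a single GUID" % name)
    tenant = query.get("AADTenantId", [""])[0]
    if tenant.lower() != expected_tenant_id.lower():
        problems.append("AADTenantId does not match the expected tenant")
    return problems


if __name__ == "__main__":
    for url in (GOOD_URL, LOOKALIKE_URL):
        print(url, "->", check_enrollment_url(url, TENANT_ID) or "ok")
```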

Prepare device in Apple Configurator

To be able to prepare a device for Supervised mode, you need to disable Find My iPhone. This can be done with the following steps:

On an iOS device:

  1. Go to Settings
  2. Click your name
  3. Click iCloud
  4. Click Find My iPhone
  5. Disable Find My iPhone

The next step is to connect the device to a macOS device and start the Apple Configurator 2 application. In this application you will see your connected iOS device.

Select the device and click Prepare, this will start a wizard to configure the device into Supervised mode.

Select the iPhone and click Prepare.

Next we need to configure the MDM enrollment. Choose Manual, since we are not using DEP and will add the link to the configuration profile ourselves.

Click Next and select New Server. Click Next.

Supply a name and paste the URL we saved from the Intune portal earlier.

Click Next.

Review the certificates for the MDM (Intune) and click Next.

Leave Supervise devices and optionally Allow devices to pair with other devices enabled and click Next.

Configure the Company information and choose to Generate a new supervision identity.

Click Next and configure the screens you would like to show to the user while setting up the device.

Click Prepare.

The Configurator will prepare the iOS device, which is still connected to the macOS device via the USB cable, and the device will be erased.

Note: be sure to have a SIM in the device so that the Apple Configurator can take care of the activation process.

While the device is being wiped the device will be activated automatically and the device will be configured in Supervised mode.

After the device has been erased and rebooted, it is ready to be used by the user.

Select the WiFi network or connect via 4G to connect to the Internet.

Tap Apply configuration and tap Next.

The configuration will be applied to the device and it will be automatically enrolled. If you enabled user affinity, the user needs to authenticate with the user account.

After authenticating, the configuration profile will be downloaded and installed on the device.

Next the user needs to accept the terms and conditions.

After the user has accepted the terms and conditions, the iOS device is ready for use and can be managed via Microsoft Intune. If you enabled user affinity, you are able to deploy policies and/or profiles to both the device and the enrolled user. If you did not, you are only able to deploy policies to devices in an (AAD) group.

Note: The last figure is taken from a device enrolled without user affinity.

If we look at the figure of an iPad that is enrolled with user affinity, you see that besides, for instance, the home screen layout, other profiles are deployed as well.

Till next time!

Last updated October 29, 2019

What is Apple Configurator?

Apple Configurator is a macOS application that allows administrators to create configurations and apply them to iOS devices. Before Apple Configurator, Apple offered iPhone Configuration Utility. Apple Configurator is the continuation of this sunset utility.

The range of configuration options in Configurator is extensive. Administrators can control minimum security requirements for passcodes, VPN configurations, on-device certificates, and even fonts. Generally, any configurations that can be applied via mobile device management (MDM) are also available in Apple Configurator.

Additionally, Apple Configurator provides the ability for an administrator to select which apps to install to iOS. Sign in with an Apple ID and select any app downloaded or purchased previously under that Apple ID.

How Does it Work?

Apple Configurator combines these two capabilities to create a blueprint:

  1. Configurations (aka profiles – made up of individual payloads)
  2. Apps

An administrator is able to create multiple blueprints. Common groupings include role-based (executive, manager, contributor) or department-based (sales, marketing, support). Blueprints can also be layered on a device, allowing multiple configurations to overlap.
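When blueprints are layered, the same payload type can reach a device from more than one profile. The sketch below is an added example, not from the original article: it reads unsigned .mobileconfig profiles (XML property lists), reports payload types that appear in more than one profile of a set, and flags passcode payloads below a baseline length. The profile names, sample payloads and baseline are constructed assumptions.

```python
import plistlib

PASSCODE_TYPE = "com.apple.mobiledevice.passwordpolicy"


def make_profile(name, payloads):
    """Build a constructed, unsigned sample profile, trimmed to the keys read below."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadDisplayName": name,
        "PayloadIdentifier": "com.example.blueprint." + name,
        "PayloadContent": payloads,
    })


# Constructed sample blueprint: a base profile plus a department profile.
BLUEPRINT_PROFILES = {
    "base": make_profile("base", [
        {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "ExampleCorp",
         "EncryptionType": "WPA2"},
        {"PayloadType": PASSCODE_TYPE, "minLength": 6},
    ]),
    "sales": make_profile("sales", [
        {"PayloadType": PASSCODE_TYPE, "minLength": 4},
        {"PayloadType": "com.apple.vpn.managed", "UserDefinedName": "Example VPN",
         "VPNType": "IKEv2"},
    ]),
}


def load_payloads(profile_bytes):
    """Parse an unsigned profile; a signed (CMS-wrapped) one must be unwrapped first."""
    profile = plistlib.loads(profile_bytes)
    if profile.get("PayloadType") != "Configuration":
        raise ValueError("not a configuration profile")
    return [p for p in profile.get("PayloadContent", []) if isinstance(p, dict)]


def overlapping_payload_types(profiles):
    """Map each payload type found in more than one profile to the profile names."""
    owners = {}
    for name, data in profiles.items():
        for ptype in {p.get("PayloadType") for p in load_payloads(data)}:
            owners.setdefault(ptype, []).append(name)
    return {t: sorted(names) for t, names in owners.items() if len(names) > 1}


def short_passcode_profiles(profiles, baseline):
    """List (profile name, minLength) for passcode payloads below the baseline."""
    findings = []
    for name, data in profiles.items():
        for payload in load_payloads(data):
            if payload.get("PayloadType") != PASSCODE_TYPE:
                continue
            length = payload.get("minLength", 0)  # missing key counts as no minimum
            if length < baseline:
                findings.append((name, length))
    return sorted(findings)


if __name__ == "__main__":
    print("overlaps:", overlapping_payload_types(BLUEPRINT_PROFILES))
    print("below baseline:", short_passcode_profiles(BLUEPRINT_PROFILES, 6))
```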

With blueprints configured, place Apple Configurator in 'prepare' mode. Then, each iOS device connects via USB or Lightning and Apple Configurator pushes the configuration to the device. Also during this time, administrators can wipe devices, upgrade iOS, place devices into supervision mode, enroll them with an MDM, etc.

The process can be time-consuming if one's upgrading iOS or switching to supervised mode (which requires a system wipe). In these cases, we find many administrators use high-capacity USB hubs. Though we haven't used it personally, the Cambrionix PowerPad15 is an example of a USB hub for this very purpose.

Sidenote: If looking to purchase a hub, check the capacity of power to the hub. If the wattage is too low, devices may not charge while plugged in. Decide if this is a requirement for your organization.

Why Use Both Configurator and MDM?

After explaining the functionality of Apple Configurator, an often asked question is: So why do I need MDM if I can manage configurations and apps this way? The question is a fair one, and the answer largely depends upon your organizational needs.

Apple Configurator can provide parity with MDM for some organizations with limited requirements. The big difference is the ability to control configurations after deployment. With Configurator, once an administrator unplugs the device, no further communication occurs unless the device plugs back into a computer. With MDM, administrators control configurations via WiFi or cellular connection.

Limited abilities exist to manage apps in Configurator. It only enables the basic process of installing selected apps. However, MDM will allow administrators to distribute company-owned app licenses purchased through Apple Business Manager (formerly Volume Purchase Program – VPP) as well as remotely update and remove apps. MDM is even capable of pushing app-specific configurations.

If you're interested in how MDM can be used to simplify app deployment, we strongly recommend this read: Install Apps Remotely to iPads and iPhones which provides a comprehensive view of the many ways to deploy apps, each having its own strengths.

MDM provides additional features that an administrator can enable remotely. They can lock a device, wipe its contents, and monitor app installation. MDM also allows an administrator to access advanced functionalities, like forcing a device to only display a single app. A great example is the Square point of sale system.

Organizations learn to establish a balance when using both technologies. Apple Configurator is able to make sure all devices run the latest iOS version, are supervised and have an initial WiFi network connection. MDM is then used for all further configurations and management.

How To Enroll With MDM Using Apple Configurator

Enrolling a device with MDM generally occurs via a link either sent to the device by SMS or email or manually typed into a browser. This is reasonable for only a few devices or if employees will be enrolling their own devices. It absolutely does not scale for companies with a large number of company-owned devices that need to be set up. Instead, an organization will generally use the Apple Device Enrollment Program (read Explained: The Apple Device Enrollment Program) to have devices automatically configured with their MDM out-of-the-box, or they'll use Apple Configurator.

We'll now explain how to configure a device with MDM using Apple Configurator. To start, if you haven't already, download Apple Configurator from the Mac App Store. Install the app and run it.

Once the application is running, plug your device into the computer.

Next, click the 'Prepare' button from the top bar of the app.

Configurator will ask you which mode you'd like to use. Select 'Manual' unless you have an Apple Business Manager account and want to add devices to it.

Apple Configurator will ask you if you'd like to assign the device to an MDM. Select 'New server…' if you haven't completed this process before. The following screen will allow you to specify a name for your MDM as well as the enrollment URL.

The process for getting an enrollment URL varies between MDM vendors. For SimpleMDM, you must create an Enrollment (either group or one-time) in order to generate the URL as shown below. Paste the enrollment URL into Apple Configurator.

The remaining steps are not MDM-specific. The prompt asks if you'd like to:

  1. Supervise the device and block other computers from managing it
  2. Provide information about your organization to display on the device
  3. Skip certain set-up screens during the initial iOS startup
  4. Create or use an existing configurator identity. This is essentially a certificate that allows you to re-access these devices down the road with Apple Configurator on the same or on a different computer.

Once you've completed these steps, Configurator will begin setting up the devices you selected initially or plug in subsequently. The devices appear automatically in your MDM as they configure.

We run Windows. Can I Use Apple Configurator?

The strict answer is 'no'. Apple Configurator software is only for macOS; Apple does not distribute a Windows version.

The nitty-gritty answer is 'sort of'. None of these methods are recommended and may provide more pain than gain, so we generally recommend that organizations in this scenario purchase a Mac Mini to have as a resource for around the office. If interested in going down the rabbit hole, here are some methods that we've heard employed:

  1. Apple used to distribute a Windows version of the iPhone Configuration Utility. It's still available on c|net here. The last software release was January of 2013. At best it's missing many features and at worst it won't work at all.
  2. Run macOS as a virtual machine on Windows. We're pretty sure this breaks Apple macOS software licensing rules, so we cannot recommend this methodology. We've heard some reports that most virtual machine software handles USB emulation in a manner that causes issues when connecting and disconnecting iOS devices, but we cannot confirm this.
  3. Use Apple DEP instead. When using MDM, Apple DEP substitutes for Apple Configurator. Apple DEP devices are ready out-of-the-box, eliminating the need for USB/lightning connections and extra touches. Referenced earlier, you can learn more about Apple DEP via this article. If you'd like to use DEP, apply for an account at deploy.apple.com.

If you aren't already using MDM, manage your devices with a SimpleMDM account. Feel free to ask questions in the comments section. We're here to help!




