ZCM 20.2 Built-in MDM has not Enforced Security Policies properly for quite some time.

On older ipads, which I believe are NOT based on ipadOS, the ZENworks/Apple Security policy works, IE: Hide the Apple APP store, restrict security settings etc. On newer ipads based on iPadOS the security policy DOES NOT work at all anymore. Is there any trick to getting this to work, or am I just SOL on this?  It's not been working for quite some time.

Parents
  • 0  

    See if this helps...

    https://www.novell.com/documentation/zenworks-23.4/zen_mobile/data/t4byrz764nhc.html

    Specific Support for iPadOS was added in 20.1, there was some configuration required to separate them out.

    This is enabled by default on a Fresh Install of 20.2, but still needs to be enabled for upgraded zones.

    There are not currently any known issues with ipadOS and maybe once you start treating it differently with ZCM it may work...or you may need to upgrade...

    One done you should have an ipadOS Dynamic Group...

    --

    If you found this post useful, give it a “Like” or click on "Verify Answer" under the "More" button

    Be sure to "Like" My (and a few others) Cool Solutions below! 

    https://community.microfocus.com/members/craigdwilson/bookmarks

  • Verified Answer

    +1 in reply to   

    I think I figured it out. before iOS 13, one could block the Apple app store and apply MOST security settings without enrolling the device in DEP and Apple School Manager. It could be directly enrolled with ZENworks, and those extended security features would work without DEP. At some point, apple decided to enforce DEP and the Device being Enrolled in Apple Schools Manager with an associated MDM (IE Supervised) for the extended security features.  Looks like I have a large summer project. If I enroll with DEP then ZEN MDM instead of just ZEN MDM, this will solve this, and I will be able to use features like "Block the APP store" and "Don't allow the user to erase content, etc" Things I wish I would have found out 3 years ago. I'm, not going to kick myself too hard as Apple is always changing things.

Reply
  • Verified Answer

    +1 in reply to   

    I think I figured it out. before iOS 13, one could block the Apple app store and apply MOST security settings without enrolling the device in DEP and Apple School Manager. It could be directly enrolled with ZENworks, and those extended security features would work without DEP. At some point, apple decided to enforce DEP and the Device being Enrolled in Apple Schools Manager with an associated MDM (IE Supervised) for the extended security features.  Looks like I have a large summer project. If I enroll with DEP then ZEN MDM instead of just ZEN MDM, this will solve this, and I will be able to use features like "Block the APP store" and "Don't allow the user to erase content, etc" Things I wish I would have found out 3 years ago. I'm, not going to kick myself too hard as Apple is always changing things.

Children
  • 0 in reply to 

    Craig, I have one more question related to this. Now that I know this is the case, I will start registering my Devices with DEP and the Apple School Manager portal for the extra security features. However, I want to ensure this won't interfere with all the ipads currently directly enrolled with ZENworks MDM, instead of via DEP. I imagine the app tokens still work the same for the store and ZEN, and it just makes the iPad also supervised now. So my question is if I create a virtual server in the Apple School manager portal that represents ZENworks IE:


    And then I configure DEP In the ZENworks MDM:

    And then I upload the Token from Apple School Manager, to the DEP Configuration, do you know if doing this, effects ANY of the devices that are Directly enrolled with the ZENworks MDM, OR do any new devices I enroll using Apple School Manager that are then assigned to ZENworks, do they just happily co-exist with the ones that are directly registered? And of course they are supervised and that point as well.