Converting Unmanaged to Managed devices in iOS 7 OTA

ios mobile-device-management

If all you care about is enrollment - you should be fine. OTA supervision isn't yet being provided according to all the information I've seen as of late October 2013.

There is great confusion out there as Apple did promote the idea that OTA Supervision was coming with iOS 7. That feature was dropped from the public list of features about a week before release and there is no official word if or when it may come back.

There is a difference between iOS supervision and iOS MDM enrollment. The latter item is easy - most all MDM can enroll devices over the air on iOS 6 and that ability continues on iOS 7.

Over the air supervision is not possible on iOS 6 and requires Apple Configurator to supervise devices before you choose to enroll them into MDM.

Over the air supervision is not possible on iOS 7.0.2 and even the "streamlined MDM enrollment" that is still listed is either not working or waiting on the MDM providers to update their software to take advantage of those new settings.

I would expect by late November, there would be good indications that we will or will not get OTA Supervision with iOS 7 this fall as well as which MDM providers (if any) work with the "streamlined" enrollment methods.

And a footnote, there are several reports that a bug in iOS 7 upgrade has caused a portion (but even a portion of 7,000 iPads could run into a hundred devices) where supervised iOS 6 devices were removed from supervision as part of the upgrade process to iOS 7. Anyone affected should contact AppleCare for assistance if you don't want to simple re-supervise the devices.


Using Profile Manager MDM (built into OS X Server), you can allow users to enroll devices OTA after deployment (but this does require some user interaction).

That interaction could be as easy as sending the user an enrollment profile through e-mail (or as a link to the profile hosted on an HTTP server?) Alternately, the users can visit the MDM enrollment portal (e.g., https://mdm.example.com/mydevices), and login with their domain (AD/OD?) credentials to enroll a device.

Although you mentioned that you'd like to avoid the individual device management at the Apple Configurator level, that tool (Apple Configurator) can be a helpful resource to use for adding the enrollment profiles to the unmanaged devices. This would allow you to use the Profile Manager to push application and device configuration profiles OTA in the future, and just requires a one-time enrollment using Apple Configurator.

As far as I know, Profile Manager cannot automatically (without some administrator/user intervention) reach out and enroll any arbitrary device OTA (as this would require that the device have the enrollment/trust profile installed before allowing itself to be enrolled with an MDM solution).

"Streamlined MDM Enrollment" is a service that may have been mentioned in WWDC 2013 seminar videos (based on cached versions of a particular session transcript). This service is purportedly available for Apple Education customers based on the release notes for iOS 7. Apparently Apple will configure newer iOS 7 devices for "out of the box" use in Education environments. Personally, I have no direct experience with this service - feedback from those who do would be informational. I assume that Apple is is simply pre-installing trust/enrollment profiles for the MDM solution that will be used. If you are in charge of unboxing your own iOS devices, you should have the same ability.


Streamlined enrollment and OTA Supervision are still MIA, even for EDU institutions. Last I heard from someone with Apple is un officially they are trying for sometime January to March 2014 and it's due to the major bugs they ran in to with supervision being lost for iPads upgraded to iOS 7 which originally used a backup to restore devices in configurator. This is the fix that was in 7.03. Personally, I'm not holding my breath which is too bad.

VPP tokens just launched a few weeks ago without documentation for MDM's to enable it so as of mid-December only one besides Apple's has.

Related

PowerPoint 2011 for Mac: How to Save As PDF and Hide Hidden slides?
Exploring the files in a MobileSync backup
Is there any way to seamlessly translate a mail inside Mail.app?
All files in Finder show 'Date Modified' with correct days but always the same hour: 19:08
How can a user reasonably project data usage before buying a new iPad?
Errorr kernel SMC::smcReadKeyAction in Console
Can entry duplicates (or multiples) in etc/hosts do any damage?
Is it impossible to listen to podcasts on iOS 6 now?
Yet Another Custom Sidebar Icon Question (System Info.plist Question)
iTunes sync stuck on step 5: Importing Photos
How to have Safari open links with the evil target attribute open in the same tab?
Another device is using your IP address mac, what do I change my IP address too?