Jul 23, 2019
Welcome to the History of Computing Podcast, where we explore the history of information technology. Because by understanding the past, we’re better prepared for the innovations of the future! Today we’re going to talk about Apple’s Mobile Device Management; what we now call Mobility. To kick things off we’ll take you back to the year 2001. 2001 was the year Nickelback released How You Remind Me. Destiny’s Child was still together. Dave Matthews released The Space Between, and the first real Mobile Device Management was born.
The first real mobile management solution to gain traction was SOTI, which launched in 2001 with an eye towards leveraging automation using mobile devices and got into device management when those options started to emerge. More and more IT departments wanted “Over The Air” management, or OTA management. So Airwatch, founded by John Marshall in 2003 as Wandering Wi-Fi, was the first truly multi-platform device management solution.
This time, rather than try to work within the confines of corporate dogma surrounding how the business of IT was done, Apple would start to go their own way. This was made possible by the increasing dominance of the iPhone accessing Exchange servers and the fact that suddenly employees were showing up with these things and using them at work. Suddenly, companies needed to manage the OS that ships on iPhone, iOS.
The original iPhone was released in 2007 and iOS management initially occurred manually through iTunes. You could drag an app onto a device and the app would be sent to the phone over the USB cable, and some settings were exposed to iTunes. Back then you had to register an iOS device with Apple by plugging it into iTunes in order to use it. You could also back up and restore a device using iTunes, which came with some specific challenges, such as the account you used to buy an app following the “image” to the new device. Additionally, whether or not the backup was encrypted determined what was stored in the backup, and some information might have to be re-entered.
This led to profiles. Profiles were created using a tool called the iPhone Configuration Utility, released in 2008. A profile is a small XML file that applies a given configuration to an iOS device. This was necessary because developers wanted to control what could be done on iOS devices. One of those configurations was the ability to install an app over the air that was hosted on an organization’s own web server, provided the .ipa MIME type was defined on the web server. This basically mirrored what the App Store was doing and paved the way for internal app stores and profiles that were hosted on servers, both of which could be installed using in-house app stores. During that same time-frame, Jamf, Afaria (by SAP), and MobileIron (founded by Ajay Mishra and Suresh Batchu the previous year) were also building similar OTA profile delivery techniques leveraging the original MDM spec.
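As an added illustration (not code from the podcast or from any vendor mentioned in it), here is a Python sketch of what such a profile looks like and the structural check an administrator would run before hosting one on a web server: it builds a profile whose restrictions payload disables the camera, the same setting the episode says EAS policies could toggle, and then verifies that the envelope and every payload carry the keys a device expects. The organisation identifier is a placeholder; the PayloadType "com.apple.applicationaccess" and the allowCamera key are the documented restrictions payload identifiers.

```python
import plistlib
import uuid
from typing import List, Optional
from xml.parsers.expat import ExpatError

# Constructed sample, not from the podcast: the organisation identifier is a placeholder.
ORG_ID = "com.example.mdm"
REQUIRED_KEYS = ("PayloadType", "PayloadIdentifier", "PayloadUUID", "PayloadVersion")


def build_restrictions_profile(allow_camera: bool) -> bytes:
    """Return XML .mobileconfig bytes carrying one restrictions payload."""
    restrictions = {
        "PayloadType": "com.apple.applicationaccess",  # restrictions payload type
        "PayloadIdentifier": f"{ORG_ID}.restrictions",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Camera restriction",
        "allowCamera": allow_camera,  # False disables the camera, as EAS policies could
    }
    envelope = {
        "PayloadType": "Configuration",  # outer envelope wrapping the payload list
        "PayloadIdentifier": f"{ORG_ID}.profile",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Example restrictions profile",
        "PayloadContent": [restrictions],
    }
    return plistlib.dumps(envelope, fmt=plistlib.FMT_XML)


def validate_profile(data: bytes) -> List[str]:
    """Parse a profile and list structural problems; an empty list means it passed."""
    try:
        profile = plistlib.loads(data)
    except (plistlib.InvalidFileException, ExpatError) as exc:
        return [f"not a valid plist: {exc}"]
    problems = []
    if profile.get("PayloadType") != "Configuration":
        problems.append("top-level PayloadType must be Configuration")
    problems += [f"missing top-level {k}" for k in REQUIRED_KEYS if k not in profile]
    for i, payload in enumerate(profile.get("PayloadContent", [])):
        problems += [f"payload {i} missing {k}" for k in REQUIRED_KEYS if k not in payload]
    return problems


def camera_allowed(data: bytes) -> Optional[bool]:
    """Effective camera setting, or None when no restrictions payload sets it."""
    for payload in plistlib.loads(data).get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.applicationaccess":
            return payload.get("allowCamera")
    return None
```

A real deployment would also sign the profile so the device can show who issued it; that step is outside this sketch.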
At this point, most OTA management tasks (such as issuing a remote wipe or disabling basic features of devices) were done using Exchange ActiveSync (EAS). You could control basic password policies as well as some rudimentary device settings such as disabling the camera. With this in mind, Apple began to write the initial MDM specifications, paving the way for an entire IT industry segment to be born.
This was the landscape when the first edition of the Enterprise iPhone and iPad Administrator’s Guide was released by Apress in 2010. Additional MDM solutions were soon to follow. TARMAC released MDM for iOS devices using a server running on a Mac in late 2011. AppBlade and Excitor were also released in 2011. Over the course of the next 8 years, MDM became one part of a number of other lovely acronyms:
X-Men First Class came in 2011, although the mail server by the same name was all but gone by then. This was a pivotal year for Apple device management and iOS in the enterprise, as Blackberry announced that you would be able to manage Apple devices with their Blackberry Enterprise Server (BES), which had been created in 1999 to manage Blackberry devices. This legitimized using Apple’s mobile devices in enterprise environments and was also an opportunistic play for licensing, given that the devices were becoming such a mainstay in the enterprise, and a shift towards UEM that would continue until 2018, when BlackBerry Enterprise Server was renamed to BlackBerry Unified Endpoint Manager.
An explosion of MDM providers has occurred since Blackberry added Apple to their platform, to keep up with the demand of the market. Filewave and LANrev added MDM to their products in 2011, with new iOS vendors NotifyMDM and SOTI entering into the Apple device management family. Then Amtel MDM, AppTrack, Codeproof, Kony, ManageEngine (a part of Zoho corporation), OurPact, Parallels, PUSHMANAGER, ProMDM, SimpleMDM, Sophos Mobile Control, and Tangoe MDM were released in 2012. MaaS360 was acquired by IBM in 2013, the same year auralis, CREA MDM, FancyFon Mobility Center (FAMOC), Hexnode, Lightspeed, and Relution were released, and when Endpoint Protector added MDM to their security products. Citrix also acquired Zenprise in 2013 to introduce XenMobile. Jamf Now (originally called Bushel), Miradore, Mosyle, and ZuluDesk (acquired by Jamf in 2018 and being rebranded to Jamf School) were released in 2014, which also saw VMware acquire Airwatch for $1.54 billion and Good Technology acquire BoxTone, beefing up their Apple device management capabilities. 2014 also saw Microsoft extend Intune to manage iOS devices.
Things quieted down a bit, but in 2016, after Apple started publishing the MDM specifications guide freely, an open source MDM called MicroMDM was initially committed to GitHub, making it easier for organizations to build their own fork or implement it should they choose. Others crept onto the scene as well during those years, such as Absolute Manage MDM, AppTech 360, Avalanche Mobility Center, Baramundi, Circle by Disney, Cisco Meraki (by way of the Cisco acquisition of Meraki), Kaseya EMM, SureMDM, Trend Micro Mobile Security, and many others. Each one of these tools has a great place in the space. Some focus on specific horizontal or vertical markets, while others focus on integrating with other products in a company’s portfolio. With such a wide field of MDM solutions, Apple has been able to focus efforts on building a great API and not spend a ton of time on building out many of the specific features needed for every possible market.
A number of family or residential MDM providers have also sprung up, including Circle by Disney. The one market Apple has not made MDM available to has been the home. Apple has a number of tools they believe help families manage devices. It’s been touted as a violation of user privacy to deploy MDM for home environments and in fact is a violation of the APNs terms of service. Whether we believe this to be valid or not, OurPact, initially launched in 2012, was shut down in 2019 along with a number of other screen time apps for leveraging MDM to control various functions of iOS devices.
The MDM spec has evolved over the years. iOS 4 in 2010 saw the first MDM and Volume Purchase Program. iOS 5 in 2011 added over the air OS updates, Siri management, and provided administrators with the ability to disable the backups of iOS devices to Apple’s iCloud cloud service. iOS 6 saw the addition of APIs for third-party developers, Managed Open In for siloing content, device supervision (which gave us the ability to take on additional management tasks on devices we could prove the ownership of) and MDM for the Mac. That MDM for the Mac piece will become increasingly important over the next 7 years.
Daft Punk weren’t the only ones that got lucky in 2013. That year brought us iOS 7 and macOS 10.9. The spec was updated to manage TouchID settings, give an Activation Lock bypass key for supervised devices, and the future of per-app settings management came with Managed App Config. 2014 gave us iOS 8 and macOS 10.10. Here, we got the Device Enrollment Program, which allows devices to enroll into an MDM server automatically at setup time, and Apple Configurator enrollments, allowing us to get closer to zero touch installations again. 2015 brought with it The Force Awakens and awakened Device-based VPP in iOS 9 and macOS 2015, which finally allowed administrators to push apps to devices without needing an Apple ID; the B2B App Store, which allowed for pushing out apps that weren’t available on the standard App Store; supervision reminders, which are important as they were the first inkling of prompting users in an effort to provide transparency around what was happening on their devices; the ability to enable and disable apps; the ability to manage the home screen; and kiosk mode, or the ability to lock an app into the foreground on a device.
The pace continued to seem frenzied in 2016, when Justin Timberlake couldn’t stop the feeling that he got when in iOS 10 and macOS 10.12 he could suddenly restart and shut down a device through MDM commands. And enable Lost Mode. This was also the year Apple shipped their first new file system in a long, long time when APFS was deployed to iOS. Millions of devices got a new filesystem during that upgrade, which went oh so smoothly due to the hard work of everyone involved. iOS 11 with macOS 10.13 saw less management being done on the Mac but a frenzy of updates bringing us Classroom 2 management, FaceID management, AirPrint management, the ability to add devices to DEP through Apple Configurator, QR code based enrollment, User Approved Kernel Extension Loading for Mac and User Approved MDM enrollment for Mac. These last two meant that users needed to explicitly accept enrollment and drivers loading, again trading ease of use for transparency. Many would consider this a fair trade. Many administrators are frustrated by it. I kinda’ think it is what it is.
2018 saw the Volume Purchase Program, the portal to build an Apple Push Notification certificate, and the DEP portal collapsed into Apple Management Programs, with the arrival of Apple Business Manager. We also got our first salvo of identity providers with OAuth for managed Exchange accounts, we got the ability to manage tvOS apps on devices, and we could start restricting password auto-fill. And this year, we get new content caching configuration options, Bluetooth management, autonomous single app mode, OS update deferrals, and the automatic renewal of Active Directory certificates. This year we also get a new enrollment type which uses a Managed Apple ID and then separate encrypted volumes for data storage.
What’s so special about Apple’s MDM push? Well, for starters, they took all that legacy IT industry dogma from the past 30 years and decided to do something different. Or did they? The initial MDM options looked a lot like At Ease, a tool from the 1980s. And I mean some of the buttons say the same thing they said on the screens for Newton management. The big difference here is that push notifications needed to be added, as you couldn’t connect to a socket on a device running on your local network, because most of the iPhones weren’t on that network. But the philosophy of managing only what you have to in order to make the lives of your coworkers better means pushing settings, not locking users from changing their background. Or initially it meant that at least.
The other thing that is so striking is that this was the largest and fastest adoption of enterprise technology I’ve seen. Sometimes the people who have survived this era tend to get a bit grumpy because the cheese is moved… EVERY YEAR! But keep in mind that Apple has sold 1.4 billion iPhones, along with 423 million iPads, and don’t forget a couple hundred million Macs. That’s over 2 billion devices we’ve had to learn to cope with. Granted, not all of them are in the enterprise. But imagine this: that’s more than the entire population of China, the US, and Indonesia. How many people in those three out of the top 5 populated countries in the world go to work every day? And how many go to school? It’s been a monumental and rapid upheaval of the IT world order. And it’s been fun to be a part of!