iPad LockDown – .MobileConfig

It is possible to put an iPad or iPhone into ‘Store Demo’ mode so that the home button and the swipe-to-home gesture are disabled. If you have seen the iPads in the Apple Store running the smart sign apps then you will know what I mean.

It is actually pretty trivial to make this work: all you need to do is install a correctly formatted mobile config plist over the air from a web server.

To deliver your config from the web, all you have to do is direct the iPhone to a URL containing the profile: just open the link to your .mobileconfig file in Safari. If you don’t have web space you can use a Dropbox public folder URL or switch on your Mac’s web server.

This config file will not load in the iPhone Configuration Utility as it uses keys that IPCU doesn’t know about. You can combine this with whatever other enterprise configuration profiles you have in play.

IPCU is not required to remove the profile. However, note that to get your device back to normal you would need to do the following:

  1. Reboot
  2. Open the Settings app FIRST – don’t open anything else or you will need to reboot again
  3. Settings -> General -> Profiles -> [your profile], remove it
  4. Reboot

You should then be back to normal.

I have included an example plist that will disable the home button and lock your device into the app.

BEWARE

Once this profile is installed, the first app that is launched when the device is rebooted will be the only app that will run until you reboot the device again. This completely disables the ability to return to the home screen (unless your app crashes), including the Accessibility AssistiveTouch feature.

Note that after installing the profile you must reboot the device (power off, power on) for it to take effect. To remove the profile, plug the device into IPCU, delete it, then reboot the device. Everything will be back to normal.

<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadDescription</key>
      <string>Disables home</string>
      <key>PayloadDisplayName</key>
      <string>Home Button Lock</string>
      <key>PayloadIdentifier</key>
      <string>com.hbkill.kiosk</string>
      <key>PayloadOrganization</key>
      <string>My Org</string>
      <key>PayloadType</key>
      <string>com.apple.defaults.managed</string>
      <key>PayloadUUID</key>
      <string>B2D02E2D-BAC5-431B-8A29-4B91F71C9FC1</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>PayloadContent</key>
      <array>
        <dict>
          <key>DefaultsDomainName</key>
          <string>com.apple.springboard</string>
          <key>DefaultsData</key>
          <dict>
            <key>SBStoreDemoAppLock</key>
            <true/>
          </dict>
        </dict>
      </array>
    </dict>
  </array>
  <key>PayloadDescription</key>
  <string>Disables Home Button</string>
  <key>PayloadDisplayName</key>
  <string>Home Button Lock</string>
  <key>PayloadIdentifier</key>
  <string>com.hbkill</string>
  <key>PayloadOrganization</key>
  <string>My Org</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>614D1FE3-F80D-4643-AF6B-D10C4CC8737A</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>
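As an added example (not from the original post), the following Python script uses the standard-library plistlib to audit a .mobileconfig before it is deployed or when an unexpected profile turns up on a device: it reports every com.apple.defaults.managed payload that sets SBStoreDemoAppLock for com.apple.springboard, and flags PayloadUUIDs that are malformed or reused across payloads. The embedded profile is constructed for the demonstration; it borrows the post’s identifiers and deliberately reuses one of the post’s UUIDs twice so the duplicate check has something to find.

```python
# Added example (not from the original post): audit a .mobileconfig with plistlib,
# reporting payloads that set SBStoreDemoAppLock for com.apple.springboard and any
# PayloadUUID that is malformed or reused. The sample reuses the post's UUID twice.
import plistlib
import uuid

SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadIdentifier</key><string>com.hbkill</string>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadUUID</key><string>B2D02E2D-BAC5-431B-8A29-4B91F71C9FC1</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadIdentifier</key><string>com.hbkill.kiosk</string>
    <key>PayloadType</key><string>com.apple.defaults.managed</string>
    <key>PayloadUUID</key><string>B2D02E2D-BAC5-431B-8A29-4B91F71C9FC1</string>
    <key>PayloadContent</key><array><dict>
      <key>DefaultsDomainName</key><string>com.apple.springboard</string>
      <key>DefaultsData</key><dict><key>SBStoreDemoAppLock</key><true/></dict>
    </dict></array>
  </dict></array>
</dict></plist>"""


def audit_profile(data: bytes) -> dict:
    """Return {'app_lock': [payload ids that lock the device], 'uuid_problems': [msgs]}."""
    profile = plistlib.loads(data)
    app_lock, problems, seen = [], [], set()

    def check_uuid(payload, where):
        val = str(payload.get("PayloadUUID", ""))
        try:
            canon = str(uuid.UUID(val)).upper()  # normalises case/braces
        except ValueError:
            problems.append(f"{where}: malformed PayloadUUID {val!r}")
            return
        if canon in seen:
            problems.append(f"{where}: duplicate PayloadUUID {canon}")
        seen.add(canon)

    check_uuid(profile, profile.get("PayloadIdentifier", "<profile>"))
    for payload in profile.get("PayloadContent", []):
        ident = payload.get("PayloadIdentifier", "<unnamed>")
        check_uuid(payload, ident)
        if payload.get("PayloadType") != "com.apple.defaults.managed":
            continue  # only managed-defaults payloads carry DefaultsData
        for entry in payload.get("PayloadContent", []):
            if (entry.get("DefaultsDomainName") == "com.apple.springboard"
                    and entry.get("DefaultsData", {}).get("SBStoreDemoAppLock") is True):
                app_lock.append(ident)
    return {"app_lock": app_lock, "uuid_problems": problems}
```

Run `audit_profile(open("profile.mobileconfig", "rb").read())` against a real file; an empty `app_lock` list means the profile cannot put the device into the locked mode described above.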


Apple: How to Bind a Mac to Active Directory Domain

A while ago I wrote some documentation on how to bind a Mac (specifically a MacBook Pro) running OS X 10.8 to a Windows Active Directory domain. I hope this helps some of you out.

Procedure

*NOTE* This has been tested with Mac OS X 10.8.

Binding a Mac to Active Directory:
1. Create a computer object within the appropriate OU in Active Directory.
2. Make sure that your Mac is connected via an RJ45 (Ethernet) cable (you cannot do this over WiFi).
3. Log into your Mac with the Administrator account, or know the Administrator login and password.
4. Go to System Preferences (located under the Apple symbol, top left corner).
5. Click on the Sharing section.
6. Unlock this panel by clicking on the Lock icon in the bottom left hand corner.
7. You will notice that the ‘Computer Name’ section is now NOT grayed out.
8. Click on the Edit button.
9. Type in the Computer Name that you have created within Active Directory.
   1. Make sure that the Local Hostname and the Dynamic Global Hostname are the same.
   2. Add in the user name and password you use within AD (not your bang).
10. Click OK.
11. Go back, then...
12. Click on Users & Groups.
13. Unlock this panel by clicking on the Lock icon in the bottom left hand corner.
14. Once unlocked, click on ‘Login Options’.
15. On the right hand side, click on the ‘Edit’ button; this will open a dialogue box.
    1. If you have previously added a ‘Network Account Server’, it will be displayed here.
    2. If there are no previous ‘Network Account Servers’ available, click on the ‘Open Directory Utility’ button.
16. Once the ‘Open Directory Utility’ box is open, unlock it by clicking on the lock in the bottom left hand corner.
17. Double-click on Active Directory (if using Active Directory).
18. Add the following in the dialogue box:
    1. Active Directory Forest: ad.contoso.com
    2. Active Directory Domain: contoso.com
    3. Computer ID: “Whatever you named your computer previously” (make sure that it is spelled exactly the same).
       1. There are more options available, but this is totally up to you:
          1. If you have multiple Active Directory domains that you connect to, you can set a primary for the machine to always look for.
          2. Click on ‘Show Advanced Options’, then the ‘Administrative’ tab.
          3. Make sure ‘Prefer this domain server’ is checked and enter the domain you wish to prefer.
       2. You can also allow administration by other groups within the domain.
          1. If you are joining a Mac that will be supported by the ‘Domain Group’, please add the ‘Domain Admins’ security group to this machine.
          2. You do this by making sure ‘Allow administration by’ is checked and clicking the plus sign to add security groups.
19. Press ‘OK’.
20. Click ‘Apply’.
21. Once back in the Users & Groups window, make sure that ‘Allow network users to log in at login window’ is checked.
    1. If you click the ‘Options…’ button, you can specify individuals that will have access to log in, or leave it at the standard ‘All Network Users’.
22. Restart the machine.
23. Once the machine has rebooted you can log in with a local account or a network account.
    1. When entering the network account, I have found that it is not necessary to enter the domain before the user name, but you can do so either way.
Enjoy!