Author: Abdelkader Boui

Restoring an iPhone in recovery mode

Previously I explained how you could use an iPhone to add another iPhone or iPad to Apple Business Manager. There is another common task where you no longer need a Mac or PC: restoring iOS on an iPhone in recovery mode.

The process is very simple and only requires an iPhone or iPad running iOS 18.

  • Put the iPhone in recovery mode.
  • You will see a screen titled support.apple.com/iphone/restore showing a computer and USB cable.
  • While in this state, click the side button as fast as possible until the Apple logo appears and starts flashing. Release the button.
  • You will see an animation of two iPhones moving closer to each other. Your iPhone is now in the wireless restore mode.
  • On your other iPhone you will see a pop-up Restore Nearby iPhone
  • Click Continue.
  • Enter the six digit pairing code shown on the other iPhone. The pairing process will take a few moments to complete. The process will fail if your iPhone or iPad are connected to a Wi-fi network with a captive portal or where 802.1x authentication is required.
  • Select System Recovery and tap Continue.
  • Depending on your Internet bandwidth, the process can take time to complete. Be patient and make sure to connect both devices to a charger while the process is running.

So far, I have used this feature to restore an iPhone 16 and an iPad Pro 11″ M4. Apple states that this will work with an iPad mini with an A17 Pro CPU, too. I do not know if this works with older devices, e.g., iPhone 15. I am happy to test if someone sends me the older devices. Regardless, this feature can be particularly useful if you need to restore an iPhone and do not have access to a Mac or PC to complete the restore. Think of scenarios where you have users in a remote location, e.g., branch offices, with limited access to a Mac or PC. If you have successfully tested this process with older devices, I would appreciate your feedback in the comments.

Apple Intelligence per MDM deaktivieren

Apple hat heute iOS 18.4 veröffentlicht. Mit iOS 18.4 ist es nun ohne Umwege möglich Apple Intelligence in Deutschland zu nutzen. Nach einem Update auf iOS 18.4 wird der Nutzer aufgefordert Apple Intelligence einzurichten. Im Unternehmens- und Behördenumfeld wollt ihr Apple Intelligence gegebenenfalls deaktivieren. Dafür müssen die iPhones und iPads per MDM verwaltet sein. Dann könnt ihr den Geräten sogenannte SkipKeys mitgeben. Mit dem SkipKey Intelligence lässt sich die Aufforderung Apple Intelligence einzurichten ausblenden. Diese Aufforderung erscheint direkt nach dem iOS 18.4 installiert wurde und das iPhone oder iPad gebootet hat.

Im BlackBerry UEM müsst ihr dafür ein Custom Payload Profil erstellen. Dort fügt ihr den unten gezeigten XML-Text ein und weist es den Endgeräten bzw. Nutzern zu. Nach dem Update auf iOS 18.4 wird der Nutzer nicht mehr aufgefordert Apple Intelligence einzurichten.

<dict>
<key>SkipSetupItems</key>
<array>
<string>Intelligence</string>
</array>
<key>PayloadDisplayName</key>
<string>Post OS Update Skip Keys</string>
<key>PayloadIdentifier</key>
<string>com.example.mysetupassistantpayload</string>
<key>PayloadType</key>
<string>com.apple.SetupAssistant.managed</string>
<key>PayloadUUID</key>
<string>0dfccedc-e28f-4df5-bca7-a0807deab543</string>
<key>PayloadVersion</key>
<integer>1</integer>
</dict>

In der IT Policy, auch bekannt als MDM Restrictions, solltet ihr noch folgende Einstellungen deaktivieren damit der Nutzer diese Apple Intelligence Funktionen nicht nutzen kann:

  • Allow Genmoji
  • Allow image playground
  • Allow image wand
  • Allow mail summary
  • Allow personalized handwriting results
  • Allow writing tools
  • Allow external intelligence integrations
  • Allow external intelligence integrations sign-in
  • Allowed external intelligence workspace IDs
  • Allow Mail smart replies
  • Allow Notes transcription
  • Allow Notes transcription summary
  • Allow Safari summary
  • Allow Visual Intelligence summary
  • Allow Apple Intelligence Report

Damit diese Richtlinien und der SkipKey greifen, müssen die iPhones und iPads supervised sein. Eine reine MDM-Aktivierung reicht nicht aus. Die genannten Einstellungen lassen sich auch in anderen MDM-Lösungen vornehmen. Eine direkte Übernahme des oben gezeigten XML-Beispiels wird in der Regel nicht möglich sein. Bei anderen MDM-Lösungen benötigt ihr eine vollständige .mobileconfig-Datei. Für Details müsst ihr in die Dokumentation eures MDM-Herstellers schauen.

Nutzen eure Anwender BlackBerry Dynamics, dann solltet ihr in der BlackBerry Dynamics Policy noch die Einstellung Allow Apple Intelligence in-app writing tools deaktivieren. Mehr muss man nicht tun um Apple Intelligence auf den verwalteten iPhones und iPads zu deaktivieren.

Und wie immer gilt mein Rat: testet eure Apps und Konfigurationen mit iOS 18.4 bevor ihre das Update für eure Nutzer erlaubt.

Opinion: e is for enterprise

Photo Apple

This week, Apple has launched the iPhone 16e. There are many commentators with a negative view on the iPhone 16e. Many of them called the iPhone 16e an inferior product and wrong product decision by Apple. I very much disagree with this view. I would like to explain why I disagree.

Who is going to buy the product? A person or an organization which wants to cheapest available iPhone. This will be a customer who does not care for the latest features or fancy colors. They have made the decision based on long term use and a proper support channel. This is especially true for large organizations which are frequently called enterprises. It is especially true for government organizations. These customers buy “fleet devices” by the thousands.

In this type of organisation, users will be issued their iPhone with a screen protector pre-installed, a case, and a USB charger. In some cases Bluetooth might be restricted. If they need a replacement for their accessories, they will call IT or get it from the vending machine. Therefore, there is not much upsell potential for Apple or any third-party accessories manufacturer. Even if these devices came with MagSafe and an UWB chip, it is unlikely that Apple or any other manufacturer would be able to sell any additional accessories to these user groups. So, no upsell on an AirTag or a MagSafe charger.

Enterprises need a device that can last them three to five years. This is a perfect fit for the iPhone 16e. Sure, there are organizations who are deploying iPhone 15 Pro or 16 Pro to their users. These are often VIP users, and the exception.

For the average office worker the iPhone 16e is perfect. The increased battery life is also important for these organisations, as some of them deploy their MDM solution in a darksite scenario where you need to use an Always On VPN or VPN On Demand. These VPN configuration can be very taxing on the battery life. Any increase in battery life is appreciated by these user groups.

Why not a cheaper Android? There are use cases in organisations where Android is the only choice. But often, at least in my experience, iPhones and iPads are much better to manage than most Android devices. The majority of my customers issues iPhones to their users. This is often driven by the fact that the TCO for any iPhone is much better than of most Android devices and the iPhones have a higher acceptance with the users. Even when given the choice between a comparably priced Android smartphone and an iPhone, e.g., iPhone 15 Pro and Samsung Galaxy S24, users tend to select the iPhone.

I am sure there are many enterprises and similar organizations out there which have delayed their smartphone device refresh because they were waiting for “the new iPhone SE”. That is why I think the e in iPhone 16e is for enterprise. If I would have the budget for a new test device, I would have pre-ordered an iPhone 16e.

#reklame

Leichtes Gepäck

Aufgeklapptes mophie Reiseladegerät lädt AirPods, iPhone und Watch

Das letzte Jahr war ich deutlich häufiger auf Dienstreisen. Um nicht immer verschiedene Ladegeräte mitzunehmen, habe ich versucht mein Setup zu optimieren. Dadurch habe ich nun ein leichtes Gepäck mit dem ich unterwegs alle meine Geräte gleichzeitig laden kann. Es funktioniert für mein iPhone, mein iPad, mein Laptop, meine AirPods Pro 2 und meine Apple Watch Ultra 2.

Mein Ladezubehör besteht aus diesen Komponenten:

Das mophie Reiseladegerät lässt sich sehr kompakt zusammenfalten

Mophie liefert ein 60W USB-C-Kabel mit. Das ist mir kaputt gegangen. Deswegen habe ich es gegen das Anker USB-C auf USB-C Kabel getauscht. Das Set von mophie kommt mit einem 30W USB-C-Netzteil. Das ist zu schwach um auch gleichzeitig mein Laptop bzw. iPad zu laden. Da ich nur ein Ladegerät mitnehmen wollte, habe ich es gegen das UGREEN 100W GaN-Netzteil getauscht. Das Set ist jetzt seit über einem Jahr bei mir im Einsatz und hat sich bewährt. Zur Aufbewahrung und zum Transport benutze ich eine kleine Zubehörtasche von Ikea Namens VÄRLDENS.

Aufgeklapptes mophie-Reiseladegerät mit 100W-Netzteil und 3x USB-Kabel

Für die seltenen Fälle in denen ich noch Geräte mit Lightning- oder micro-USB-Anschluss laden muss, habe ich einen Apple Ligthning auf microUSB-Adapter und einen USB-C auf microUSB-Adapter in der Tasche.

USB-C auf microUSB-Adapter und microUSB auf Lightning-Adapter

Von dem mophie-Reiseset wurde in der Zwischenzeit eine neue Variante veröffentlicht. Bei Amazon finden sich ähnliche Ladegeräte, z.B. dieses 3-in-1-Ladegerät von Anker. #reklame

How to manually add an iPhone to Apple Business Manager

Apple allows you to fully automate the MDM enrollment process for most of their devices using Automated Device Enrollment (ADE). In combination with the MDM, ADE allows you to customise and automate the device activation process without the need for an administrator to ever touch the device. To use ADE with your MDM of choice, the devices have to be purchased through an authorized reseller. The reseller can then add the devices to your Apple Business Manager (ABM) instance. There you can then assign them to your MDM servers. For devices that you already own or which were not purchased through a reseller that can add the devices to your ABM instance, there is a manual way to add them. The manual approach requires the use of Apple Configurator – either on an iPhone or Mac. The following steps describe how you can add an iPhone to ABM using another iPhone. It works exaclty the same when you want to add an iPad. I find these steps much easier than using a Mac to add a device to Apple Business Manager.

What you need to prepare and have ready before you begin

Before you begin, make sure to install Apple Configurator on your iPhone and login with your ABM account. After the login you should be presented with the below view. Notice the view finder in the center of the screen. We will use this view finder later on to scan the enrollment code.

Preparing Apple Configurator

  • Tap on the cogwheel in the lower left corner
  • Make sure the “Share Wi-Fi” is selected
  • Make sure that “None” is selected under “MDM SERVER ASSIGNMENT”
    • We will assign the device to the correct MDM server instance later
  • Tap on “Done” in the top left corner

Adding the iPhone to Apple Business Manager

  • Now get the iPhone or iPad you want to add.
  • Turn on the iPhone and swipe up on the “Hello” Screen
  • You will be presented with the language selection screen
  • Continue the OOBE (out of the box experience) setup until you get to the Quick Start screen. There you will have to tap on Set Up Without Another Device
  • Continue with the OOBE setup until you get to the Choose a Wi-Fi Network screen
  • Now get the iPhone where you have previously installed Apple Configurator. When iPhone is in proximity, the screen on the device you want to add, should change to the below view.
  • Make sure to position the image in the frame of the Apple Configurator to initiate the enrollment process into Apple Business Manager
  • The enrollment process will beginn immediately
  • Leave the iPhone with Apple Configurator open, unlocked and next to the device you are adding. If you close Apple Configurator to soon, the enrollment process will fail and you will have to repeate the whole procedure.
  • When the enrollment process is finished, you will get the below screen showing that the iPhone was added to your ABM instance. Please tap on Erase iPhone to complete the enrollment to your ABM instance

You can now login to your ABM and assign the device to your MDM server instance.

Apple Private Relay causing mail delivery issues

A few months ago, a customer reached out to me and reported that their users running iOS 18 on their iPhones and iPads were seeing an issue where they would not get push notifications for new mails. Unlike with iOS 17, the Mail app would not have fetched emails in the background. Users would have to open the Mail app to update their inbox.

All customer devices affected were running iOS 18 and enrolled to BlackBerry UEM. As the Exchange server is behind the firewall, we used Per-Account VPN to reach the users mailboxes. The VPN tunnel was configured to only allow access to the Exchange server as this was all we need for the mail profile to send and receive messages.

In our test environment we were unable to reproduce the issue. Activating the same device against the customer’s environment immediately showed the issue. As there were multiple variables, MDM, VPN setup, customer’s network, Exchange server configuration, the troubleshooting continued for a few weeks. The actual root cause could not be identified.

About two weeks ago, I was told that Apple’s Private Relay feature might causing the problem. Initially I ruled this out as a cause because none of the customer devices had Private Relay enabled. Apple documents which servers need to be reached for Private Relay to work: mask.icloud.com & mask-h2.icloud.com. I was told that mail delivery for IMAP mailboxes on iOS 18 can be delayed if these two host names cannot be resolved or reached.

  • Could it be that the Mail app is trying to reach these two hosts while Private Relay is disabled?
  • Could this be the cause for Exchange ActiveSync Push Notifications not working in my customer’s setup?

To test this theory, I prepared my test environment. To rule out any issues with the MDM setup, I worked with a manually added Exchange mailbox. For the VPN, I opted for a different solution than my customer. I used a device-wide VPN instead of a Per-Account VPN. This allowed me to simplify my testing a bit. I made sure that these two Private Relay hosts are reachable on my network. I sent multiple emails, and all were instantly delivered, and I got notifications for these emails.

I then repeated my testing with the two Private Relay hosts blocked. I would not get any push notifications for new e-mails. When opening the Mail app, it took very long for the messages to be downloaded to the device. It looked like the Mail app had to run into a timeout before it would fetch the emails from the Exchange server.

A second and third round of testing confirmed the results. With the two hosts mask.icloud.com & mask-h2.icloud.com blocked, no push notifications would appear on the device. For all my tests I kept Apple’s Private Relay feature disabled in the iOS settings. I did all my testing on a device with iOS 18.2.1. I did not test if this issue is fixed with iOS 18.3, which was released today.

Today I shared this finding with my customer. After they updated their VPN configuration and made sure that the Per-Account-VPN tunnel can reach the two Apple Private Relay hosts, the issue disappeared and the Mail app worked as expected. Push Notifications were delivered instantly and messages would be downloaded in the background. Finally, we can close this issue.

I know that Per-Account-VPN for Exchange mailboxes is not that common, especially with many organizations already on Exchange Online. Keep in mind that this issue was not caused by the Per-Account-VPN configuration, it only appeared in that specific setup. The VPN tunnel had only a limited set of hosts it was allowed to reach. There is a high chance that you will notice the same issue if mask.icloud.com and mask-h2.icloud.com are not reachable on your network, regardless of if VPN is used or not. It is not an issue occurring only with Microsoft Exchange mailboxes. This issue can also appear when accessing an IMAP mailbox while the device is on a network where the two hosts are blocked.

[Addendum, vowe] If you use Pihole, make sure you whitelist the two mask domains.

Mirror your iPhone screen to your Keynote presentation

This week I have learned a new trick with Keynote on macOS. Using the Live Video feature you can mirror the screen of an iPad or iPhone into your presentation slides.

To use the screen mirroring in Keynote, open an existing presentation or create a new one. From the menu bar select Insert-> Live Video. By default your Facetime camera will be added to the slide deck. To change view to your iPhone or iPad screen, make sure that your device is connected to your Mac using a USB C or Lightning cable. The cable that shipped with your device is sufficient for this to work. On the right side of the Keynote window, click on the plus sign next to Live Video Sources. Give the source a name, e.g., iPhone. Select the connected iPhone or iPad from the drop down list. Click on Add. Your iPhone or iPad screen should now be mirrored to your slide deck as shown below. To make the mirrored device look like the real device, you can overlay the screen mirror with the actual device frame. During your next presentation you can now show the live screen of your iPhone or iPad without the need to leave your presentation. I think this approach can be much more convenient than switching to QuickTime or a third-party app to show your device screen during a presentation.

Bonus tip: You can also use this to mirror your Apple Watch screen. On your iPhone navigate to Settings-> Accessibility-> Apple Watch Mirroring and turn on the mirroring feature.

Apple Platform Security Guide – December 2024 Edition

Just in time for these long Christmas nights, Apple has released an updated version of their Platform Security Guide. If you want to understand how security on Apple’s platforms works, you must read this document. But it will take time. The updated guide has 302 pages. If you did read the May 2024 edition, go to page 290. There you will find a revision history with all the updated and added topics.

Collect sysdiagnose logs using AssistiveTouch

When troubleshooting issues on iPhones or iPads, it can be helpful to collect sysdiagnose logs. To get the device to collect these types of logs, you must simultaneously press both volume buttons and the side or top button, depending on the iPhone or iPad model you have. When the device vibrates for a brief moment, the log collection was triggered successfully. It can be very trick to get the button pressing right. There is a much easier way to trigger sysdiagnose log collection. You can use AssistiveTouch to simplify the process.

  • Go to Settings-> Accessibility-> Touch-> AssistiveTouch.
  • Turn on the switch for AssistiveTouch. Your device will now display a bright button on your screen (not shown in the screenshots).
  • Under Custom Actions tap on Single-Tap.
  • Select Analytics from the menu list
  • Tap on the AssistiveTouch button shown on the device screen to trigger the log collection.

Your device will display a message (second device screen) that it is gathering analytics. The log collection will take about ten minutes to complete. When the log collection is completed, another message will be displayed (third device screen). You can then collect the logs from Settings-> Privacy & Security-> Analytics & Improvements-> Analytics Data. The log files you want always start with the name sysdiagnose_. As the log files are usually a few hundred Megabytes in size, I recommend sending them via AirDrop to your Mac for further analysis. Thank you, Markus B. for reminding me of this feature.

For extended logging, Apple provides debug profiles. Usually, Apple support or the software vendor will tell you when it is necessary to install these debug profiles.

Quick fix for slow iOS update downloads

When new iOS updates are released, it can happen that even small updates take exceptionally long to download. In my experience the easiest fix to speed up the download is to delete the partially downloaded update and start the software update again. To delete the update in progress, navigate to Settings-> General-> iPhone Storage. Scroll down to the list of apps. There you should have an entry for the iOS update, e.g., iOS 18.1.1. Open that entry and tap on Delete Update as shown in the screenshot. Go back to Settings-> General-> Software Update to start the download again. This time the download should happen much faster. The same fix will work on your iPad, too.