Author: Abdelkader Boui

How to manually add an iPhone to Apple Business Manager

Apple allows you to fully automate the MDM enrollment process for most of their devices using Automated Device Enrollment (ADE). In combination with the MDM, ADE allows you to customise and automate the device activation process without the need for an administrator to ever touch the device. To use ADE with your MDM of choice, the devices have to be purchased through an authorized reseller. The reseller can then add the devices to your Apple Business Manager (ABM) instance. There you can then assign them to your MDM servers. For devices that you already own or which were not purchased through a reseller that can add the devices to your ABM instance, there is a manual way to add them. The manual approach requires the use of Apple Configurator – either on an iPhone or Mac. The following steps describe how you can add an iPhone to ABM using another iPhone. It works exaclty the same when you want to add an iPad. I find these steps much easier than using a Mac to add a device to Apple Business Manager.

What you need to prepare and have ready before you begin

Before you begin, make sure to install Apple Configurator on your iPhone and login with your ABM account. After the login you should be presented with the below view. Notice the view finder in the center of the screen. We will use this view finder later on to scan the enrollment code.

Preparing Apple Configurator

  • Tap on the cogwheel in the lower left corner
  • Make sure the “Share Wi-Fi” is selected
  • Make sure that “None” is selected under “MDM SERVER ASSIGNMENT”
    • We will assign the device to the correct MDM server instance later
  • Tap on “Done” in the top left corner

Adding the iPhone to Apple Business Manager

  • Now get the iPhone or iPad you want to add.
  • Turn on the iPhone and swipe up on the “Hello” Screen
  • You will be presented with the language selection screen
  • Continue the OOBE (out of the box experience) setup until you get to the Quick Start screen. There you will have to tap on Set Up Without Another Device
  • Continue with the OOBE setup until you get to the Choose a Wi-Fi Network screen
  • Now get the iPhone where you have previously installed Apple Configurator. When iPhone is in proximity, the screen on the device you want to add, should change to the below view.
  • Make sure to position the image in the frame of the Apple Configurator to initiate the enrollment process into Apple Business Manager
  • The enrollment process will beginn immediately
  • Leave the iPhone with Apple Configurator open, unlocked and next to the device you are adding. If you close Apple Configurator to soon, the enrollment process will fail and you will have to repeate the whole procedure.
  • When the enrollment process is finished, you will get the below screen showing that the iPhone was added to your ABM instance. Please tap on Erase iPhone to complete the enrollment to your ABM instance

You can now login to your ABM and assign the device to your MDM server instance.

Apple Private Relay causing mail delivery issues

A few months ago, a customer reached out to me and reported that their users running iOS 18 on their iPhones and iPads were seeing an issue where they would not get push notifications for new mails. Unlike with iOS 17, the Mail app would not have fetched emails in the background. Users would have to open the Mail app to update their inbox.

All customer devices affected were running iOS 18 and enrolled to BlackBerry UEM. As the Exchange server is behind the firewall, we used Per-Account VPN to reach the users mailboxes. The VPN tunnel was configured to only allow access to the Exchange server as this was all we need for the mail profile to send and receive messages.

In our test environment we were unable to reproduce the issue. Activating the same device against the customer’s environment immediately showed the issue. As there were multiple variables, MDM, VPN setup, customer’s network, Exchange server configuration, the troubleshooting continued for a few weeks. The actual root cause could not be identified.

About two weeks ago, I was told that Apple’s Private Relay feature might causing the problem. Initially I ruled this out as a cause because none of the customer devices had Private Relay enabled. Apple documents which servers need to be reached for Private Relay to work: mask.icloud.com & mask-h2.icloud.com. I was told that mail delivery for IMAP mailboxes on iOS 18 can be delayed if these two host names cannot be resolved or reached.

  • Could it be that the Mail app is trying to reach these two hosts while Private Relay is disabled?
  • Could this be the cause for Exchange ActiveSync Push Notifications not working in my customer’s setup?

To test this theory, I prepared my test environment. To rule out any issues with the MDM setup, I worked with a manually added Exchange mailbox. For the VPN, I opted for a different solution than my customer. I used a device-wide VPN instead of a Per-Account VPN. This allowed me to simplify my testing a bit. I made sure that these two Private Relay hosts are reachable on my network. I sent multiple emails, and all were instantly delivered, and I got notifications for these emails.

I then repeated my testing with the two Private Relay hosts blocked. I would not get any push notifications for new e-mails. When opening the Mail app, it took very long for the messages to be downloaded to the device. It looked like the Mail app had to run into a timeout before it would fetch the emails from the Exchange server.

A second and third round of testing confirmed the results. With the two hosts mask.icloud.com & mask-h2.icloud.com blocked, no push notifications would appear on the device. For all my tests I kept Apple’s Private Relay feature disabled in the iOS settings. I did all my testing on a device with iOS 18.2.1. I did not test if this issue is fixed with iOS 18.3, which was released today.

Today I shared this finding with my customer. After they updated their VPN configuration and made sure that the Per-Account-VPN tunnel can reach the two Apple Private Relay hosts, the issue disappeared and the Mail app worked as expected. Push Notifications were delivered instantly and messages would be downloaded in the background. Finally, we can close this issue.

I know that Per-Account-VPN for Exchange mailboxes is not that common, especially with many organizations already on Exchange Online. Keep in mind that this issue was not caused by the Per-Account-VPN configuration, it only appeared in that specific setup. The VPN tunnel had only a limited set of hosts it was allowed to reach. There is a high chance that you will notice the same issue if mask.icloud.com and mask-h2.icloud.com are not reachable on your network, regardless of if VPN is used or not. It is not an issue occurring only with Microsoft Exchange mailboxes. This issue can also appear when accessing an IMAP mailbox while the device is on a network where the two hosts are blocked.

[Addendum, vowe] If you use Pihole, make sure you whitelist the two mask domains.

Mirror your iPhone screen to your Keynote presentation

This week I have learned a new trick with Keynote on macOS. Using the Live Video feature you can mirror the screen of an iPad or iPhone into your presentation slides.

To use the screen mirroring in Keynote, open an existing presentation or create a new one. From the menu bar select Insert-> Live Video. By default your Facetime camera will be added to the slide deck. To change view to your iPhone or iPad screen, make sure that your device is connected to your Mac using a USB C or Lightning cable. The cable that shipped with your device is sufficient for this to work. On the right side of the Keynote window, click on the plus sign next to Live Video Sources. Give the source a name, e.g., iPhone. Select the connected iPhone or iPad from the drop down list. Click on Add. Your iPhone or iPad screen should now be mirrored to your slide deck as shown below. To make the mirrored device look like the real device, you can overlay the screen mirror with the actual device frame. During your next presentation you can now show the live screen of your iPhone or iPad without the need to leave your presentation. I think this approach can be much more convenient than switching to QuickTime or a third-party app to show your device screen during a presentation.

Bonus tip: You can also use this to mirror your Apple Watch screen. On your iPhone navigate to Settings-> Accessibility-> Apple Watch Mirroring and turn on the mirroring feature.

Apple Platform Security Guide – December 2024 Edition

Just in time for these long Christmas nights, Apple has released an updated version of their Platform Security Guide. If you want to understand how security on Apple’s platforms works, you must read this document. But it will take time. The updated guide has 302 pages. If you did read the May 2024 edition, go to page 290. There you will find a revision history with all the updated and added topics.

Collect sysdiagnose logs using AssistiveTouch

When troubleshooting issues on iPhones or iPads, it can be helpful to collect sysdiagnose logs. To get the device to collect these types of logs, you must simultaneously press both volume buttons and the side or top button, depending on the iPhone or iPad model you have. When the device vibrates for a brief moment, the log collection was triggered successfully. It can be very trick to get the button pressing right. There is a much easier way to trigger sysdiagnose log collection. You can use AssistiveTouch to simplify the process.

  • Go to Settings-> Accessibility-> Touch-> AssistiveTouch.
  • Turn on the switch for AssistiveTouch. Your device will now display a bright button on your screen (not shown in the screenshots).
  • Under Custom Actions tap on Single-Tap.
  • Select Analytics from the menu list
  • Tap on the AssistiveTouch button shown on the device screen to trigger the log collection.

Your device will display a message (second device screen) that it is gathering analytics. The log collection will take about ten minutes to complete. When the log collection is completed, another message will be displayed (third device screen). You can then collect the logs from Settings-> Privacy & Security-> Analytics & Improvements-> Analytics Data. The log files you want always start with the name sysdiagnose_. As the log files are usually a few hundred Megabytes in size, I recommend sending them via AirDrop to your Mac for further analysis. Thank you, Markus B. for reminding me of this feature.

For extended logging, Apple provides debug profiles. Usually, Apple support or the software vendor will tell you when it is necessary to install these debug profiles.

Quick fix for slow iOS update downloads

When new iOS updates are released, it can happen that even small updates take exceptionally long to download. In my experience the easiest fix to speed up the download is to delete the partially downloaded update and start the software update again. To delete the update in progress, navigate to Settings-> General-> iPhone Storage. Scroll down to the list of apps. There you should have an entry for the iOS update, e.g., iOS 18.1.1. Open that entry and tap on Delete Update as shown in the screenshot. Go back to Settings-> General-> Software Update to start the download again. This time the download should happen much faster. The same fix will work on your iPad, too.

What are Passkeys?

Inspired by Ludwig’s comment, here is my explanation what Passkeys are. Foremost Passkeys are a replacement for passwords. Passkeys are trying to solve the issue of passwords being stolen by attackers and reused to access resources. When a Passkey is generated, your device generates a public and private key pair. The public key you have generated, is stored on the server you are trying to authenticate against. The private key remains on our device. When you try to login to the server, the server sends a challenge to your device. Using your private key, the device generates a response. The server verifies your response using the public key it has stored for your account. If the verification is successful, you will be allowed to login.

As the private key for a given service or server is only stored on your device, there is no risk that the private key gets leaked when the server is compromissed. Neither is there is a risk that the password is leaked on your client device because there is no password you have to enter. This approach makes it impossible to phish a passkey.

Besides storing the passkeys on your device, e.g., your smartphone or laptop, you can use FIDO keys (#reklame) that support passkeys. When using these physical keys, you don’t need to rely on cloud sync services to use your passkeys across multiple devices. The Yubico Yubikeys support up to 25 passkeys, starting with firmware version 5.7 up to 100 passkeys. If you are planning to store a larger number of passkeys, you should consider this FIDO key from Token2. This key allows you to store up to 300 passkeys. Another option is the Titan Security key offered by Google. The Google key can store up to 250 passkeys. Should you go the physical FIDO key route, make sure to get two keys for backup purposes. Else you could potentially lockout yourself in case your FIDO key gets lost or damaged.

Share Wi-Fi passwords

Apple devices have this neat feature to share Wi-fi passwords with other Apple devices, e.g., iPhone, iPad and Mac. With iOS 18 Apple introduced an easier way to share Wi-Fi credentials even outside the Apple ecosystem, e.g., with Android smartphones. Within the Passwords app you can display a QR code that can be used by any other device to join a Wi-Fi network. Open the Passwords app on your iPhone, navigate to the Wi-Fi section. The Wi-Fi network you are currently connected to is shown at the top of the list. All other Wi-Fi networks your device has saved, are shown in alphabetical order. Search for the Wi-Fi network you want to share and open that entry. Tap on Show Network QR Code. Scan the QR code with the camera app of the Android smartphone and the device will join the Wi-Fi network. The QR code can be used by Apple devices, too.

Passwords app on an iPhone showing the QR code for a Wi-Fi network

Note: Wi-Fi networks that do not require a password or have other means of authentication, e.g., WPA2 Enterprise, will not have the Show Network QR code option in the Passwords app.

Neuer ist besser für die Sicherheit

iOS 18.0.1 Release Notes

Ich freue mich immer, wenn Hersteller kontinuierlich Softwareupdates für ihre Produkte veröffentlichen. Damit werden die Geräte ein Stück sicherer und hoffentlich länger genutzt. Ein Hersteller, der hier einen guten Track Record hat, ist Apple. Hier gibt es teilweise noch für alte Geräte Software- und Sicherheitsupdates. Was aber bei diesen Updates gerne übersehen wird, ist die Tatsache, dass nur die aller neuesten Apple Betriebssystemversionen alle Sicherheitsupdates enthalten. Ein Gerät, das heute mit iOS 17.7 betrieben wird, dem aktuellen Update für den 17.x Branch, enthält gegebenenfalls Schwachstellen, die mit dem neuesten iOS 18.x Update, zurzeit iOS 18.0.1, geschlossen sind. Diese Regel gilt auch für macOS. Apple beschreibt das auf ihrer Webseite in einem kurzen Hinweis:

Hinweis: Aufgrund von Abhängigkeiten der Architektur und Systemänderungen in jeder aktuellen Version der Apple Betriebssysteme (beispielsweise von macOS 14. iOS 17 usw.) werden nicht alle bekannten Sicherheitsprobleme in früheren Versionen behoben, etwa von macOS 13, iOS 16 usw.

Daher mein Rat: Im Zweifel sollte man, wenn es keine anderen Abhängigkeiten gibt, sein iPhone besser auf iOS 18 aktualisieren als es auf iOS 17 zu belassen.

P.S.: Wenn ich iOS schreibe, meine ich damit auch immer iPadOS.

Profilinstallation unter iOS 18

Unter iOS 17 war es möglich, ein Profil von einer Webseite über den Safari-Browser herunterzuladen und dann direkt in den iOS-Einstellungen zu installieren. Das ist unter iOS 18 nicht mehr möglich. Unter iOS 18 wird das Profil nur heruntergeladen. Safari unter iOS 18 fügt das Profil nicht in die Installationsliste hinzu. Beim Versuch ein heruntergeladenes Profil aus der Download-Liste zu installieren, wird nur der Klartext des Profils angezeigt.

Installationsversuch auf einem iPhone mit iOS 18

Um das Profil zu installieren, muss in den Downloads-Ordner in der Dateien-App gewechselt werden. Von dort aus kann man das Profil öffnen und bekommt den Hinweis die Profilinstallation in den Einstellungen abzuschließen.

Profil-Installation aus der Dateien-App

Diese Änderung betrifft nur die Installation von Profilen über den Safari-Browser. Empfängt man das gleiche Profil per AirDrop, z.B. von einem anderen iPhone oder Mac, dann wird das Profil direkt der Liste der zu installierenden Profile in den Einstellungen hinzugefügt. Dort kann man die Installation des Profils abschließen, so wie es schon unter iOS 17 möglich war. Es bleiben, wie bisher, acht Minuten zum Abschluss der Profilinstallation. Das beschriebene Verhalten gilt auch für die Installation von Zertifikaten, da deren Installation auf iOS wie eine Profilinstallation behandelt wird. Soweit ich das recherchieren konnte, ist das neue Verhalten unter iOS 18 von Apple gewollt. Das ist nicht die enizige Änderung im Kontext von Profilen unter iOS 18. Mit iOS 18 ist z.B. auch die profilbasierte Benutzerregistrierung (Profile-based User Enrollment) weggefallen.

Danke an Steffen, der mich auf das Problem hingewiesen hatte.