Using Configurator 2 to prep iOS for CSC

In order to use Cisco Security Connector (CSC) for iOS, the endpoint must first be in supervised mode and managed by an MDM.

The easiest way to manage Apple iOS devices is to use Apple’s Device Enrollment Program (DEP), which is now rolled into their new Apple Business Manager (ABM) program.

However, there are certainly times when you may want to test CSC for iOS before setting up DEP or on a device you may not want to enroll in DEP.

There is a more manual approach to putting an iOS device into supervised mode: Apple’s Configurator 2 app for macOS. To use this approach, you simply need an Apple computer running macOS with the Apple Configurator 2 app installed from the App Store. Connect the iOS device to the macOS computer with a USB to Lightning cable.

Figure 1 – Setup macOS w/ app connected to iOS device via USB

With the Apple Configurator 2 app, you can configure a device one at a time, or you can create what’s known as a “Blueprint”. The configuration of the blueprint is identical to that of a physical device, but a blueprint can then be applied to any of the iOS devices you plug in. It’s a great time saver when you know you will be configuring more than one device with the exact same settings.

Creating a blueprint

In this example, I am showing you how to create a blueprint for a rather basic configuration that includes:

  • MDM registration
  • How much to ask the end-user during the setup wizard

With the Apple Configurator 2 application open on a macOS computer:

Click on Blueprints > Edit Blueprints

Figure 2 shows that you can have multiple blueprints. In my case, I have one blueprint for each of the MDMs that I test with. Most of the companies that I work with will typically only have one blueprint that corresponds to the one MDM they use.

Figure 2 – Blueprints

To configure a device or a blueprint, the steps are the same. Either way, you use the Prepare function.

With the newly created blueprint highlighted, click on Prepare

The Prepare Devices drop-down screen appears, as seen in Figure 3. The choices are automated enrollment (DEP) or manual configuration. Select Manual Configuration.

You have an option to add the endpoints to the Device Enrollment Program as they are prepared, assuming your organization is already set up with DEP. If so, select the “Add to Device Enrollment Program” checkbox. Otherwise, leave that checkbox unchecked.

Enable the Supervise devices checkbox. This is, after all, why we are using this tool in the first place.

Click Next

Figure 3 shows the Prepare Devices drop-down screen.

Figure 3 – Prepare Devices drop-down

The screen to enroll devices into an MDM server will appear next. If you have defined MDMs in Apple Configurator 2 already, they will be in this list. Otherwise, you will need to add a new server here, as seen in Figure 4.

Select New Server

Click Next

Figure 4 – New Server

Every MDM that I’ve worked with has a slightly different enrollment process. However, most MDMs should have an option to use a URL for Apple Configurator 2, such as the screenshot from Meraki Systems Manager shown in Figure 5.

Figure 5 – URL for Apple Configurator 2.0+

Copy the URL for Apple Configurator 2

Name the MDM server object

Paste the URL into the Host name or URL field, as shown in Figure 6

Click Next

Figure 6 – Define an MDM Server

The MDM’s certificate chain will be displayed, as you see in Figure 7.  Just click Next to continue.

Figure 7 – MDM certificate chain

The Assign to Organization screen is next. If you have an existing organization, it will be in the drop down. Assuming you are setting up a New Organization, click Next.

Figure 8 – Assign to Organization

Even though you did not check the box to use the Device Enrollment Program (DEP), the configurator still prompts you to log in to DEP with your Apple ID, as seen in Figure 9. Assuming you do not have DEP already, click Skip.

Figure 9 – Skip the DEP login

After skipping the DEP login, you will be able to create an Organization object that will be used with device supervision, as seen in Figure 10. Fill out the fields, and click Next. A supervised iOS device may be moved from one MDM to another, as long as the same organization is used.

Figure 10 – Creating the new Organization

With the organization created, you then set up a supervision identity, as seen in Figure 11. Select Generate a new supervision identity and click Next.

Figure 11 – Generate a new supervision identity

The last step of the preparation is to select which aspects of the iOS Setup Assistant to display to the end-user when the device is started up for the first time after the blueprint is applied.  Figure 12 shows the selection process.

Figure 12 – The setup assistant steps to show the user

Click Prepare to finish the blueprint.

Click Done to exit the blueprint screen and return to the main Apple Configurator 2 window.

Applying the Blueprint to an iOS endpoint

Now that the blueprint is fully prepared, you can apply it to the iOS device. With the iOS endpoint connected to your macOS computer, highlight it in the Apple Configurator 2 app.  Note: You can highlight/select multiple devices simultaneously.

Right-click on the device, select Apply, and choose your blueprint.

Figure 13 – Applying the Blueprint

The Apple Configurator 2 app will prompt you again to be sure you wish to apply the configuration. Click Apply.

Figure 14 – Yes, I really mean to apply it

If your device has a cellular radio in it, the device has to be “activated”. Your cellular provider should not matter (ATT, Verizon, Sprint, T-Mobile or Bob’s Cellular Discount); this step appears to be true for all cellular-capable iOS endpoints.

Sometimes the device is activation locked, and needs to be removed from the owner’s iCloud devices, either from the phone or from http://www.icloud.com.

Figure 15 shows the configurator app downloading the activation record.

Figure 15 – Downloading the activation record

Figure 16 shows the activation of this iPhone.

Figure 16 – Activating the iPhone

At this point, you are finished in the Apple Configurator 2 app. Now you’re ready to interact with the phone itself & go through the setup assistant (or hand it back to the device owner, who will go through the setup assistant). Figure 17 shows the setup assistant step where the remote management (MDM) configuration is applied. This information was passed to the device by the blueprint during the setup stage.

The end user should click on Apply configuration, and then Next, as seen in Figure 17.

Figure 17 – Remote Management

Figure 18 shows the MDM configuration from Meraki Systems Manager (the MDM) being applied to the device.

Figure 18 – MDM configuration being applied

The device is ready! If you navigate to Settings in the iOS device, you will see that the device is supervised and managed by your organization, as shown in Figure 19.

Figure 19 – Device is supervised!

Now, you can go into Settings > General > Device Management, and see the MDM profile that was installed. If your MDM was configured to automatically send down the configuration profile related to the Cisco Security Connector, you will see that the Web Content Filter and the DNS Proxy settings are listed, as shown in Figure 20.

Figure 20 – the MDM Configuration Profile
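
A pre-deployment check for the profile described above, as an added example that is not from the original post: it parses an unsigned .mobileconfig exported from the MDM and reports whether the Web Content Filter and DNS Proxy payloads are present and name a provider. The bundle identifier is a placeholder, the sample profiles are constructed, and requiring PluginBundleID assumes the filter is delivered as a plug-in.

```python
import plistlib
from xml.parsers.expat import ExpatError

# Apple payload type -> (label, key that must name the app/plug-in providing it).
# Requiring PluginBundleID is an assumption: it applies to plug-in style filters.
REQUIRED = {
    "com.apple.webcontent-filter": ("Web Content Filter", "PluginBundleID"),
    "com.apple.dnsProxy.managed": ("DNS Proxy", "AppBundleIdentifier"),
}


def audit_profile(profile_bytes):
    """Return a list of findings; an empty list means both payloads look complete."""
    try:
        profile = plistlib.loads(profile_bytes)
    except (plistlib.InvalidFileException, ExpatError):
        # A signed (CMS-wrapped) profile is not a plain plist; decode it first.
        return ["not a plain plist (signed profile?)"]
    payloads = {p.get("PayloadType"): p for p in profile.get("PayloadContent", [])}
    findings = []
    for ptype, (label, key) in REQUIRED.items():
        payload = payloads.get(ptype)
        if payload is None:
            findings.append(f"{label} payload missing")
        elif not payload.get(key):
            findings.append(f"{label} payload has no {key}")
    return findings


def _sample(payloads):
    """Build a constructed profile; real ones come from the MDM export."""
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": payloads})


# Constructed samples; com.example.csc-placeholder is NOT the real bundle ID.
GOOD = _sample([
    {"PayloadType": "com.apple.webcontent-filter", "FilterType": "Plugin",
     "PluginBundleID": "com.example.csc-placeholder"},
    {"PayloadType": "com.apple.dnsProxy.managed",
     "AppBundleIdentifier": "com.example.csc-placeholder"},
])
BAD = _sample([{"PayloadType": "com.apple.webcontent-filter", "FilterType": "Plugin"}])

if __name__ == "__main__":
    for name, blob in (("good", GOOD), ("bad", BAD)):
        print(name, audit_profile(blob) or "OK")
```
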

If the MDM was configured to automatically provision the Cisco Security Connector app, then it will appear on the desktop, as shown in Figure 21.

Figure 21 – CSC is on the Desktop

 

That’s it folks!

I hope you found this helpful. As always, please feel free to leave comments.

-Aaron
