Thank you everyone for contributing to this group. I have found some information pertaining to my EMM setup useful already. I have been given the task of supporting our EMM environment and have two questions for you all, but first, here is my current setup:
First question: Can I update the Push cert on the fly without any ramifications to end users and their devices? Will there be a need to re-provision a device after the cert update?
Second question: Can I upgrade from version 9.7.2 to 10.1.1 without any impact to the devices? Again, will there be a need to re-provision those devices after the update?
Thanks in advance for the help!
For your second question, be carefull about this upgrade. I had somes troubles when i tried to migrate from 9.7 to 10.1.0.
Result : reprovisioning of all my devices !
For the first question, Push cert is only defined into your EMM proxy server to speak with Apple server. Modification of push cert on the fly dont affect your end users.
IT Security Consultant for NetStaff.fr
McAfee Products Specialist
Q1) Yes you will need to reprovision but it should not happen all at once. The new 10.1 patch 3 seems to cause devices to reprovision when thier compliance runs out rather than all devices failing as soon as you upgrade. This is nice because it allows people to filtern in for assistance slowly rather than eveyone at one time. You also may not have to reprovision at all if you make no changes to the policy but I would plan for a reprovision as more often than not that is the case. This is likely because even though you make no changes to the policy there is still an updated version of the policy new available options.
If you are on a virtual environment you can snapshot and rollback if you have issues, but I have done the upgrade a few times now with no problem.
Q2) Romain is completely correct.
Thank you both!
I have updated the certs without any troubles. I am hoping to update EMM to a newer rev here soon, but fear this is not going to happen because of the extra work which could be incurred to my small team to provide end user assistance. Are there any versions to upgrade to which will not impact provisioing?
Also, do any of the newer versions have better Android support? As my company moves toward a BYOD plan, we have 99% IOS devices and a few users that have the OK to test Android.
No and Yes. No there is no version that wont liklely require provisioning. Users will likely always need to provision after an upgrade because there are litterally modifications to the policy in the form of new management features and technical controls so that even if you don't make any changes and dont check the box, the device need to have the latest version of the policy in order to know that you didn't check the box if that makes sence. The best way to deal with this is to get users used to reprovisioning, document the process and send it out prior to making changes to the server or policies with notification that they may need to reprovision and here is how, and here is what will change or be reset to defaults.
Yes the newest version 10.1 has the secure container for androids and better android support all together. 10.2 will have support a much improved version of the secure container for androids and will incude some awesome featutures for managing and deploying apps in iOS, not sure if this will work on android to but I would assume so...
You should always run on the latest version because the old versions do not contain the new features provided by OS updates, for instance 9.7 does not know about or contain features pertaining to icloud, 10.2 will contain new features for managing iOS 6. 10.3 will likely contain even more features for iOS 6 as they probably wont be able to include all of the updates in thier 10.2 release timeline.
Having users know how to reprovision is also helpful in case someone mistakenly updates a policy so that you don't suddenly have everyone unable to access what they need and so that you can support running multiple policies and switching users between them easily. For instance our default policy disbales roaming and users need to be switched to another policy that enables it if they travel outside the US for work. They are already familiar with provisioning so they just let me know they are traveling and I send them an email or text saying that I'm switching thier policy and they will need to reprovision. Also if your doing BYOD you will want users to be able to self-provision new devices so they don't bug you every time they have a new phone or tablet....
So educate and update! :-)