Install the WatchGuard Mobile Security iOS App on Supervised Devices (WatchGuard MDM Solution)
Applies To: WatchGuard Advanced EPDR, WatchGuard EPDR, WatchGuard EPP
To use the URL filtering capabilities provided by WatchGuard Endpoint Security, the iOS devices must be in supervised mode. This topic describes the steps to configure an iOS device in supervised mode and then enroll it in the WatchGuard MDM solution.
Caution: When you configure a device in supervised mode, the device resets to factory-default settings. All data, programs, and settings are deleted. You can restore data stored in iCloud when you sign in with your Apple ID on the reset device. For information on how to back up and restore apps and data when iCloud is not available or sufficient, see the Knowledge Base article, Supervised iOS Devices: Back Up and Restore without Losing Data, before you enable supervised mode.
If a device is already in supervised mode, you can proceed to install the WatchGuard Mobile Security app from the WatchGuard MDM solution. For more information, see Install the WatchGuard Mobile Security App on iOS Devices Enrolled in the WatchGuard MDM Solution.
The high-level steps for the WatchGuard MDM are:
Step 1: Create a Wi-Fi Configuration Profile (Optional)
Step 2: Create the Blueprint
Step 3: Get the URL for Enrollment in the WatchGuard MDM Solution
Step 4: Add Preparation Steps to the Blueprint
Step 5: Apply the Blueprint to iOS Devices
Step 6: Enroll the Supervised iOS Device in the WatchGuard MDM Solution
For information on how to install the app on supervised iOS devices enrolled in a third-party MDM solution, see Install the WatchGuard Mobile Security iOS App on Supervised Devices (Third-Party MDM Solution).
Before You Begin
- Review the Requirements for Supervised Mode.
- If your device uses AuthPoint for multi-factor authentication, you must migrate the WatchGuard tokens from your device before you reset the device and enable supervised mode. For information on how to migrate a token, see Migrate Your Token.
- The macOS computer (macOS 10.15.6 or higher) must have Apple Configurator 2 installed. To download and install Apple Configurator 2, go to https://apps.apple.com/es/app/apple-configurator-2/id1037126344?mt=12.
Step 1: Create a Wi-Fi Configuration Profile (Optional)
A configuration profile is a container of settings and restrictions to apply to a functional area of an iOS device, such as Wi-Fi or email. You can create profiles and then add them to a blueprint that you prepare and apply to a device. In this procedure, we create a Wi-Fi profile for the device. The settings are applied automatically the first time the user turns on the device.
This step is optional. If you do not create a Wi-Fi profile, you can configure these settings manually on the device after it restarts in supervised mode.
To create a Wi-Fi configuration profile, in Apple Configurator 2:
- Select File > New Profile.
- From the sidebar, select General.
A form opens.
- In the Name text box, type a profile name.
- In the Organization text box, type the company name.
- Set Automatically Remove Profile to Never.
- From the sidebar, select Wi-Fi.
The Wi-Fi dialog box opens.
- Click Configure.
- Enter the parameters the iOS device will use to connect to the Wi-Fi network.
These settings are applied automatically the first time the user powers on the device.
- Select File > Save.
The Save dialog box opens.
- Select the location where you want to save the profile.
- In the Save as text box, type the name of the file.
- Click Save.
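The profile saved in Step 1 is an unsigned .mobileconfig XML plist that carries the Wi-Fi password in clear text. The following check, added here as an example (it is not WatchGuard or Apple code), verifies that a saved profile has a Wi-Fi payload, is set to never be removed automatically, and does not describe an open or WEP network, and it flags the clear-text password so the file is handled accordingly. It assumes the standard Apple profile keys (PayloadContent, com.apple.wifi.managed, SSID_STR, EncryptionType, RemovalDate, DurationUntilRemoval); the sample profile it builds is constructed, not a real export.

```python
"""Check an exported Wi-Fi .mobileconfig before adding it to a blueprint."""
import plistlib

WIFI_PAYLOAD = "com.apple.wifi.managed"   # Apple's Wi-Fi payload type
WEAK_ENCRYPTION = {"None", "WEP"}         # open or WEP networks


def check_wifi_profile(data: bytes) -> list[str]:
    """Return findings for an unsigned configuration profile (XML plist).
    Empty list = the profile matches Step 1: Wi-Fi payload present, never
    auto-removed, encryption not open/WEP. Informational notes start "info:"."""
    profile = plistlib.loads(data)
    findings = []
    if profile.get("PayloadType") != "Configuration":
        findings.append("top-level PayloadType is not 'Configuration'")
    # "Automatically Remove Profile: Never" means neither removal key is set.
    if "RemovalDate" in profile or "DurationUntilRemoval" in profile:
        findings.append("profile is scheduled for automatic removal")
    wifi = [p for p in profile.get("PayloadContent", [])
            if p.get("PayloadType") == WIFI_PAYLOAD]
    if not wifi:
        findings.append("no Wi-Fi payload in profile")
    for p in wifi:
        ssid = p.get("SSID_STR")
        if not ssid:
            findings.append("Wi-Fi payload has no SSID_STR")
        if p.get("EncryptionType", "None") in WEAK_ENCRYPTION:
            findings.append(f"Wi-Fi '{ssid}' uses weak or no encryption")
        if "Password" in p:
            # The PSK sits in clear text in the exported file.
            findings.append(f"info: Wi-Fi '{ssid}' password is stored in clear text; restrict access to the file")
    return findings


def build_sample_profile(encryption="WPA2", auto_remove=False, include_wifi=True) -> bytes:
    """Constructed sample shaped like an Apple Configurator 2 export (not a real export)."""
    wifi = {"PayloadType": WIFI_PAYLOAD, "PayloadVersion": 1,
            "PayloadIdentifier": "com.example.wifi.1",
            "PayloadUUID": "11111111-2222-3333-4444-555555555555",
            "SSID_STR": "CorpWiFi", "AutoJoin": True,
            "EncryptionType": encryption, "Password": "example-psk"}
    profile = {"PayloadType": "Configuration", "PayloadVersion": 1,
               "PayloadDisplayName": "Corp Wi-Fi", "PayloadOrganization": "Example Corp",
               "PayloadIdentifier": "com.example.wifi",
               "PayloadUUID": "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee",
               "PayloadContent": [wifi] if include_wifi else []}
    if auto_remove:
        profile["DurationUntilRemoval"] = 3600.0  # remove one hour after install
    return plistlib.dumps(profile)
```

To check a real export, pass the file contents: `check_wifi_profile(open("Corp Wi-Fi.mobileconfig", "rb").read())`.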
Step 2: Create the Blueprint
The blueprint stores the profiles and apps you want to send to a device to configure it. The blueprint includes information for the WatchGuard mobile device management (MDM) solution. You can create a blueprint and then add configuration profiles to the blueprint. You can also use the blueprint to enable or disable parts of the Setup Assistant that the user sees the first time they power on the device.
To create the blueprint and add a Wi-Fi configuration profile, in Apple Configurator 2:
- Select File > New Blueprint.
The All Blueprints page opens with the new blueprint selected.
- Type a name for the new blueprint. Press Enter.
- Select the blueprint you created.
- In the toolbar, click Add > Profiles.
A list shows available profiles.
- Select the profiles you want to add to the blueprint.
- Click Add.
The profile is added to the blueprint.
Step 3: Get the URL for Enrollment in the WatchGuard MDM Solution
The enrollment URL is required for Step 6: Enroll the Supervised iOS Device in the WatchGuard MDM Solution.
Before you begin, make sure that:
- You have an Apple push certificate. For more information, see Manage the Apple Push Certificate.
- The push certificate is not near its expiration date. For more information, see Renew the Push Certificate.
- The iOS devices do not have a third-party MDM profile already installed. If they do, delete the profile from your devices. For information about the feature implications of a third-party MDM profile, see Mobile Device Management for iOS Devices.
Caution: Renew your Apple push certificate well before its expiration date. If your certificate expires, you cannot manage your iOS devices from the Endpoint Security management UI. You will have to create a new certificate and reintegrate all of your iOS devices.
Caution: If your iOS devices were already enrolled in a third-party MDM solution and you decide to enroll them in the WatchGuard MDM solution, you lose the centralized management capabilities provided by your third-party MDM solution. You will not be able to access any software you deployed through it.
To get the enrollment URL for the WatchGuard MDM solution:
- In WatchGuard Cloud, select Configure > Endpoints.
- Select Computers.
- Click Add Computers.
- Click the iOS icon.
A dialog box opens with information about the previously uploaded certificate.
- From the Add Computers to this Group list, select the group to which you want to add the device.
- Click Send URL by Email.
The email application on the computer opens.
- Send the URL by email to the account that will be configured on the iOS device.
You must have this URL to complete Step 6: Enroll the Supervised iOS Device in the WatchGuard MDM Solution.
Step 4: Add Preparation Steps to the Blueprint
After you create a configuration profile and blueprint, add preparation steps to the blueprint so that each device receives the same manual configuration for the MDM solution.
To add preparation steps to the blueprint, in Apple Configurator 2:
- Select the blueprint you created.
- In the toolbar, click Prepare.
The Prepare Devices wizard opens.
- From the Prepare with list, select Manual Configuration.
- Select the Supervise devices and Allow devices to pair with other computers check boxes.
- Click Next.
The Enroll in MDM Server page opens.
- From the Server list, select Do not enroll in MDM.
The Sign in to the Device Enrollment Program page opens.
- Click Skip.
The Create an Organization page opens.
- Enter your company details. Click Next.
- Select the Generate a new supervision identity option.
- Click Next.
The Configure iOS Setup Assistant page opens.
- Select the steps you want the user to see in the Setup Assistant the first time they turn on the iOS device. You can also choose to show no steps to the user.
- Click Prepare.
- Enter the administrator credentials for the computer.
- Click Update Settings.
A status bar indicates the status of the configuration process. When the process completes, the blueprint is created and is ready to apply to iOS devices.
Step 5: Apply the Blueprint to iOS Devices
WARNING: Before you apply the blueprint to an iOS device and enable supervision, make sure the Find My iPhone option is disabled on the device. If you do not disable this feature, the process will fail and you will be locked out of the device. You can enable Find My iPhone again after the device is supervised. For information on how to turn off Find My iPhone, see the Apple support article, https://support.apple.com/en-us/HT210400.
To disable Find My iPhone, on the iOS device:
- Open the Settings app.
- Tap your name.
- Tap Find My.
- Tap Find My iPhone.
On an iPad, tap Find My iPad.
- Disable the Find My iPhone toggle.
The Apple ID Password page opens.
- Enter the Apple ID password.
- Tap Turn Off.
To apply the blueprint to iOS devices:
- Open Apple Configurator 2 on the computer.
- Connect the iOS device to the computer with a Lightning or USB cable.
The message Trust This Computer? appears on the mobile device.
- Tap Trust.
- In Apple Configurator 2, click Unsupervised below the toolbar.
You can see your device in the Apple Configurator window.
- Right-click the device. Select Apply.
- Select the blueprint you created.
A dialog box opens to confirm that you want to apply the blueprint.
- Click Apply.
- If the device was used previously, a message prompts you to erase and restore the device. Click Erase.
These actions occur on the device:
- The device resets to factory-default settings.
- All data and apps are deleted from the device.
- The device enters supervised mode.
- To confirm that the device is supervised, click Supervised below the toolbar.
The supervised device shows on the page. On the device, open Settings to see if the device is supervised. The supervision message shows in the heading of the Settings page.
To disable supervised mode, reset the device to factory-default settings.
Step 6: Enroll the Supervised iOS Device in the WatchGuard MDM Solution
After you configure the device as supervised, you can enroll it in the WatchGuard MDM solution.
For information on how to enroll a supervised device in a third-party MDM solution, see Install the WatchGuard Mobile Security iOS App on Supervised Devices (Third-Party MDM Solution).
Before you begin, make sure you have configured the email app on the device and that you have access to the URL link sent by email in Step 3: Get the URL for Enrollment in the WatchGuard MDM Solution.
To enroll the supervised device in the WatchGuard MDM solution, on the iOS device:
- In the email message, tap the URL link.
The message This website is trying to download a configuration profile. Do you want to allow this? appears.
- Tap Allow.
The WatchGuard MDM profile downloads to the device.
- Select Settings > General > VPN and Device Management.
The WatchGuard MDM solution profile shows.
- Tap WatchGuard MDM Service.
- In the upper-right corner, tap Install.
- Enter the device passcode.
A message indicates that the device will be managed remotely.
- In the upper-right corner, tap Install.
The Remote Management page opens.
- Tap Trust.
The profile installs and, after a few minutes, the WatchGuard Agent downloads and installs automatically.
- Open the WatchGuard Mobile Security app.
The message WatchGuard Mobile Security Would Like to Send You Notifications appears.
- Tap Allow.
The device now appears as managed in the Endpoint Security management UI.