Page 1 of 2 12 LastLast
Results 1 to 10 of 11

Thread: iPhone Provisioning / Deprovisioning

  1. #1
    Join Date
    Mar 2008
    Location
    Redford, MI
    Posts
    8
    Rep Power
    7

    Default iPhone Provisioning / Deprovisioning

    I was testing the mobile policy on an iPhone (4 w/ iOS 4.0.1) and when I turned off the mobile policy, the phone no longer allows me to select the "grace period" i.e. Require Passcode only allows Immediately. Is it possible that Zimbra (6.0.7) does not deprovision the device correctly?

  2. #2
    Join Date
    Jun 2008
    Location
    Berkeley, CA
    Posts
    1,474
    Rep Power
    9

    Default

    Could be. If you see this consistently you should post repro steps at Bugzilla, and post the bug # here.

  3. #3
    Join Date
    Mar 2008
    Location
    Redford, MI
    Posts
    8
    Rep Power
    7

    Default

    Bug #49407 has been filed.

  4. #4
    Join Date
    May 2006
    Location
    England.
    Posts
    927
    Rep Power
    10

    Default

    Hang on, did you just remove the checkmark from the checkbox "Enable Mobile Policy" in the users account, or did you remove the policy from the iphone itself?

  5. #5
    Join Date
    Mar 2008
    Location
    Redford, MI
    Posts
    8
    Rep Power
    7

    Default

    Quote Originally Posted by Dirk View Post
    Hang on, did you just remove the checkmark from the checkbox "Enable Mobile Policy" in the users account, or did you remove the policy from the iphone itself?
    I just removed the checkmark. I did not see any policy to remove from the iPhone.

  6. #6
    Join Date
    May 2006
    Location
    England.
    Posts
    927
    Rep Power
    10

    Default

    Gotcha.
    So how did you provision the iphone? If you used the user interface and added an Exchange (style) server under Mail, Contacts & Calendars then technically speaking, that's not provisioning.

    Bear with me here, short version is, Zimbra's not at fault.

    Provisioning is accomplished using Apple's iPhone Configuration Utility, or IPCU. From here you can build a profile or set of profiles that are sent to the phone and can control almost any setting. You'd make one which defines the exchange account, and the required security levels and send that to the phone, either via USB, or remotely using a mail server or an email account.

    Removing that profile from the phone will undo all those settings, removing any server based restrictions.

    By clearing the checkmark in the Zimbra admin, you've just told Zimbra that the account is not allowed to use ActiveSync, which means cutting off communication to the phone, as such the phone is still believes it's tied to the server and wont wind out all it's settings correctly.

    I recommend downloading the IPCU and the documentation and using that to control the iphone settings. We have ~15 iphones in the business and they're all configured this way.
    Apple - Support - iPhone - Enterprise

  7. #7
    Join Date
    Mar 2008
    Location
    Redford, MI
    Posts
    8
    Rep Power
    7

    Default

    Quote Originally Posted by Dirk View Post
    Gotcha.
    So how did you provision the iphone? If you used the user interface and added an Exchange (style) server under Mail, Contacts & Calendars then technically speaking, that's not provisioning.

    Bear with me here, short version is, Zimbra's not at fault.

    Provisioning is accomplished using Apple's iPhone Configuration Utility, or IPCU. From here you can build a profile or set of profiles that are sent to the phone and can control almost any setting. You'd make one which defines the exchange account, and the required security levels and send that to the phone, either via USB, or remotely using a mail server or an email account.

    Removing that profile from the phone will undo all those settings, removing any server based restrictions.

    By clearing the checkmark in the Zimbra admin, you've just told Zimbra that the account is not allowed to use ActiveSync, which means cutting off communication to the phone, as such the phone is still believes it's tied to the server and wont wind out all it's settings correctly.

    I recommend downloading the IPCU and the documentation and using that to control the iphone settings. We have ~15 iphones in the business and they're all configured this way.
    Apple - Support - iPhone - Enterprise
    Just to be clear here, I did not uncheck "Enable Mobile Sync" in the admin console. I unchecked "Enable Mobile Policy" and clicked save. I did not install an iPhone configuration file. Turning on "Enable Mobile Policy" forces the security settings (i.e. forces a PIN to be used, can force complexity of the pin (i.e. alphanumeric,) and forces a wipe after X (default 4) bad PIN entries, etc.)

    To be honest, I'm not sure if it's a Zimbra bug or an iPhone bug. I've filed bugs with Apple as well as with Zimbra.

  8. #8
    Join Date
    May 2006
    Location
    England.
    Posts
    927
    Rep Power
    10

    Default

    Right, I slightly confused myself there.
    So, enabling mobile policy in Zimbra enables the sending of security settings to the phone.

    The issue comes about as to the expected outcome of turning that option off.
    Looks like what is happening is a literal opposite to "Send settings" which is "stop sending settings" as opposed to the possibly more expected "Remove settings"

    You could have a look in the sync logs to see the communication between the phone and zimbra, that may clarify things (or may not)

    It may indeed be a bug, and it probably is, I just suspect it's a terminology/expectation issue more though.

    As you didnt use IPCU, does the phone show in Preferences|Mobile as provisioned and can you use remote wipe on it? I dont know if it's still the case but remote wipe was not available unless the phone was provisioned with IPCU, but that was back in IOS3 / ZCS5

  9. #9
    Join Date
    Jun 2008
    Location
    Berkeley, CA
    Posts
    1,474
    Rep Power
    9

    Default

    No need to use ipcu to enable remote wipe. My colleague tested it using an iPad (ios 3.x) and ZCS 6.0.6.

    If the phone's still visible and showing as provisioned in ZWC prefs, maybe you can manually delete it. And then maybe it'll re-provision to pick up the new policy.

    Otherwise, delete the activesync setup on the phone and recreate it.

  10. #10
    Join Date
    Mar 2008
    Location
    Redford, MI
    Posts
    8
    Rep Power
    7

    Default

    Quote Originally Posted by ewilen View Post
    No need to use ipcu to enable remote wipe. My colleague tested it using an iPad (ios 3.x) and ZCS 6.0.6.

    If the phone's still visible and showing as provisioned in ZWC prefs, maybe you can manually delete it. And then maybe it'll re-provision to pick up the new policy.

    Otherwise, delete the activesync setup on the phone and recreate it.
    I turned on "Enable Mobile Policy" which changed "Needs provisioning" to "Provisioned" in the web client. When I turned off "Enable Mobile Policy" the status stayed "Provisioned" I then removed the "Exchange" account from the phone, and re-added it. Neither of these changed the "Require Passcode" setting on the phone. I found 2 ways to "fix" this: 1) Use the iPhone Configuration utility to set the passcode settings, or 2) restore the phone to factory default. I tried #1, but ended up doing #2 to remove all traces of the "Mobile Policy."

    What I'm thinking is that turning off "Enable Mobile Policy" does not send any deprovisioning info to the handset, it merely turns it off on the server side.

    In all reality this could even be a bug with the ActiveSync protocol.

    I'm going to have a look through the logs the afternoon to see what I can find.

Similar Threads

  1. Provisioning question, iphone
    By jars99 in forum Zimbra Mobile
    Replies: 2
    Last Post: 02-09-2010, 01:56 PM

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •