This article is intended for system administrators at businesses and educational institutions.
Activation Lock is a feature of Find My. It's designed to keep information safe and prevent reactivation of lost or stolen devices. Lost Mode is used to lock a missing device, display a message on its screen, and find its location.
Learn how to use MDM tools to manage Activation Lock and Lost Mode on supervised devices.
Unified endpoint management (UEM) enables IT to stop using separate tools to manage mobile, desktop and now Internet of Things (IoT) devices.UEM solutions provide a holistic and user-centric approach to managing all endpoints by combining traditional client management of desktop and PC systems with a modern enterprise mobility management (EMM) framework. Although AirWatch Container application is built just for Google's Android in addition to iOS by undefined. You're able to install AirWatch Container on PC for MAC computer. We shall find out the criteria that will help you download AirWatch Container PC on Windows or MAC computer without much struggle. Once we moved to AirWatch, I was happy to find that they also had an OS update mechanism in place. Their agent was able to download and install updates also using the softwareupdate utility (more on that later), and also interact with the VMware AirWatch Agent GUI in order to show prompts to customers and alert them that they needed to reboot.
Activation Lock on supervised devices
You can use a compatible MDM solution to enable Activation Lock during setup or when the user turns on Find My. Then you can clear Activation Lock to erase the device and deploy it to a new user. Learn how to manage Activation Lock with Profile Manager. Or refer to your MDM solution documentation for details.
Lost Mode and Managed Lost Mode
If Find My is turned on, the user can activate Lost Mode when they sign in to iCloud. They can use Lost Mode to lock a missing device and track its location.
With iOS 9.3 or later, you can use MDM to put a supervised device into Managed Lost Mode. Managed Lost Mode is a dedicated mode that you must disable before anyone can use the device again. You can send messages to the device while the device is in Managed Lost Mode. But only the MDM server can access device location information when the device is in Managed Lost Mode. The user can’t unlock the device until you turn off Managed Lost Mode. The user is notified if anyone accessed location information during that time.
Refer to your MDM solution documentation for additional details.
Activation Lock on unsupervised devices
MDM can't control Activation Lock on unsupervised devices. On an unsupervised device, Activation Lock is enabled when the user signs in to iCloud and turns on Find My.
If you deploy unsupervised devices, the previous user must turn off Find My before you deploy the device to a new user. Follow these steps:
- If the user has access to the iPhone, iPad, or iPod touch, they can turn it off in Settings > [your name] > iCloud > Find My [device].*
- If the user has access to the Mac, they can turn it off in System Preferences > Apple ID > iCloud > Find My Mac.*
- If the user doesn't have access to their device, they can sign in to iCloud.com or the Find My app on another device, erase their device, then remove it from the device list.
The Find My app is available in iOS 13, iPadOS, and macOS Catalina.
As I’ve discussed before, I work in a high-compliance organization, meaning, when OS updates are released, we need to be able to test them, roll the updates out to customers, and then ensure their successful installation. Up until recently, we had been using LANrev for Mac management and patching, which had the interesting ability to run the softwareupdate utility on a client machine, grab that update package(s), and then upload them to the server. With this method, we would deploy the OS update package like any other to the devices that required the update, after being vetted and approved internally. And overall it worked well. Since the update was treated as a standard package, the typical install status and reporting in LANrev worked the same way. We could audit failures, successes, etc., and repush the update as needed. This however became less and less stable over time, specifically starting with 10.12, where the updates would never install successfully on clients. Once we moved to AirWatch, I was happy to find that they also had an OS update mechanism in place. Their agent was able to download and install updates also using the softwareupdate utility (more on that later), and also interact with the VMware AirWatch Agent GUI in order to show prompts to customers and alert them that they needed to reboot, among other things.
In order to utilize the AirWatch Agent for Software Updates, you need to create a “Software Update” profile in AirWatch for macOS. This looks like so:
This profile specifies things like:
- Update Source – This can be pointed at Apple’s catalogs, or an internal SUS
- How to install updates and what updates to install – This has options like “Install Updates Automatically,” or “Download updates in the background,” or “Check for updates only.” It also specifies whether macOS beta updates should be allowed, or app updates should be installed by the Agent.
- Schedule – This allows you to schedule how often to check for software updates.
- Restart – This allows specifying whether or not the agent should restart after updates are installed (for those that require a reboot), and should the customer be given a grace period before the reboot is forced.
Once you have those settings in place, you can push that profile to the client, and two things should happen:
Airwatch App
- A Software Update profile should get installed with any customizations to things like the Software Update Server
- A launch daemon and plist file should end up on the device which are used by the AirWatch agent
So why talk about any of this in the first place? AirWatch does make this quite easy to setup, so is a blog post really necessary? Probably not… But, we recently noticed that devices were not being updated even though the Software Update profile was on the system. This unfortunately meant that if new updates were made available, the devices may see them in the App Store like normal, but we couldn’t ensure their installation, and thus our device’s compliance. The other issue is that since AirWatch does some under the hood magic when setting this profile up with regards to the agent actually enforcing the updates, there was no indication from our console that anything had gone wrong. AirWatch saw that the profile was reported as being installed on the device, so why would it think anything was wrong?
Vmware Airwatch Download
Once I realized we had a bit of an issue with the launch daemon not being present on the systems, the first thing I did was open a ticket with AirWatch to report it!
I started thinking of other ways we could automate software updates, and now that we have a Chef infrastructure setup, I figured that should be pretty easy. We would just need to setup a launch daemon that calls the softwareupdate utility, and then the next time the customer rebooted their machines, the latest updates would all get installed.
No, don’t do this. This does not offer us very good compliance, as we know customers often go days, weeks, maybe months, maybe only once something stops working, before rebooting their machines. AirWatch has also done all of the hard work for us in having their agent be able to alert a customer, set deferral times, and enforce the reboot if needed, and I wanted to make sure those efforts didn’t go wasted!
I started looking at what was happening on a device that had the Software Update profile installed, and found that on devices that were being successfully updated, a launch daemon was present that was not on other systems. The launch daemon was called com.airwatch.AWSoftwareUpdateScheduler.plist and looked something like this:
This declares two important things, 1) the binary to run (AWSoftwareUpdateScheduler), and 2) the interval at which to run that binary, which corresponded to the software update check interval we set in our Software Update profile.
In calling this binary manually and monitoring the logs that it spits out, it became clear that at its core, it was in fact just calling the Apple softwareupdate utility. But, it also opened a socket to the AirWatch agent binary in order to be able to show the prompts to the user regarding the reboots, and could essentially wait idle for an extended time and then reboot the machine, again after notifying the user. The interesting thing was when calling this binary on a device that had the Software Update profile installed, had a macOS Update available, but did not have the launch daemon present, it would run the softwareupdate utility, the update would get installed/staged, but that would be it. There would be no GUI prompt or anything. Running it again, same thing, it would just re-stage the update, but no GUI prompts.
This led me to begin looking for other pieces or files that might be on properly configured devices, but not on problem devices. This is when I discovered the Scheduler.plist, which contains all of the settings that you specify when setting up the Software Update profile in the AirWatch console. This file lives under /Library/Application Support/AirWatch/Data/
Download Airwatch Agent Windows 10
The Scheduler.plist file looks something like this:
Most of these keys are self explanatory and correspond directly to a setting in the Software Update profile we setup earlier.
Vmware Airwatch Agent
With that new knowledge, I copied that file to a problem device, re-ran the AWSoftwareUpdateScheduler tool and lo and behold, when the update was installed/staged, the GUI prompt appeared! This means it should be pretty easy to utilize the AirWatch agent for prompts to our users, but set the settings and ensure they were on the devices using Chef! I would just need to deploy a launch daemon, which with Chef is done using the launchd resource, and put the Scheduler.plist file on disk, which can be done using the cookbook_file resource.
The other interesting thing I found while looking into this, is that the Scheduler.plist file contains a key called gracePeriod which was set to 7200 seconds for us. This corresponds to the Grace Period set in the Software Update profile, which (annoyingly) has a max value of 2 hours. This is actually something we had wanted to extend further, but since it wasn’t in the GUI, didn’t think it would be possible. But now that we were creating the Scheduler.plist with Chef, maybe we can make the initial reboot grace period longer, something like 8 hours? And wouldn’t ya know it, after setting the gracePeriod key to 28800 seconds, and running the AWSoftwareUpdateScheduler, I received a prompt like so:
This then would mean that you should be able to get far more granular with just about all of the keys in the Scheduler.plist if managing it directly (i.e. not using the AirWatch console). You could add more deferrals than the GUI allows, get more granular with time in between deferrals, etc.
I did eventually open a support case with AirWatch, since this needs to be fixed in the end as I’m sure many customers rely on it. But, this was a fun way to learn a bit more about the underlying “technology” AirWatch is using to perform and enforce macOS updates, and was once again a reminder of how awesome having a configuration management tool is. Yes, this all could have been done with relatively straight forward bash scripts and deployed via package or something, but this way it is centrally managed and we can ensure it’s compliance on the system.
As always, thanks for reading!