Almost every other day, organizations I’ve had the pleasure of working with express their desire to manage cellular data. Whether they don't believe it’s possible to the full extent they're looking for in their existing mobile device management (MDM) solution or they're not using an MDM at all, many are pleasantly surprised when I let them know that Jamf has workflows to help.
The demand for Apple and the need to incorporate iPhones and iPads in the enterprise is on the rise. IT departments that come to us rely on Jamf and the gold standard in Apple device management, Jamf Pro, to help streamline deployments, security and configuration settings — all the usual management suspects. However, with iOS devices, there is often one additional burden — managing data plans.
Organizations that offer employees Apple technology do so because they believe it provides the best experience and fastest path to productivity. And while employees are enjoying their devices and achieving their goals, businesses don’t want to incur additional and unnecessary costs.
“These iPhones we deployed to our employees are great! But they’re going over the cellular data allowance playing Pokemon Go or streaming Pandora. I wish there was a way to help with this,” is a phrase that echoes in my mind.
Whether the devices in your organization are entirely corporate-owned or you’re offering a bring your own device program, there are workflows to save on data overages.
Inventory: Stay in the know
The first place to start is with your inventory. Once devices are enrolled in Jamf, Jamf Pro scrapes for information that allows you to start grouping information in smart groups. This really helps give you a bird’s-eye view of what you’re looking at. While there are many different ways to group your technology, here are a few ways smart groups can give you the information you need to manage cellular data:
Smart Group Name: Apps Not Managed or Distributed by IT
Criteria: Apps Not in the App Catalog Are Installed > is > True.
Smart Group Name: Data Roaming is enabled
Criteria: Data Roaming > is > Yes
Smart Group Name: Device has Pokemon Go
Criteria: App Name > has > Pokemon
Note: I did a broader search in case other variations or versions were released.
Having these groups and criteria upfront allows you to proactively manage cellular data and helps you quickly take action (and potentially put the kibosh) on apps and features that are causing you to go over the cellular allowance.
Tell devices how to behave with configuration profiles
Here is where things get nifty and we can really start to get that control we’re looking for. All workflows below are available in Jamf Pro.
Removing App/iTunes Stores
To restrict the App Store, go to Configuration Profiles > Restrictions > deselect Allow installing apps using Apple Configurator and iTunes (iOS 9 and later) / Allow installing apps using App Store (iOS 5–iOS 8 only) and/or Allow installing apps using App Store (iOS 9 and later, supervised only).
Now you have removed the App Store. While you can still deliver apps from your Jamf Pro console, employees won’t be able to access other apps on their own.
Block specific apps
To build this, go to Configuration Profiles > Restrictions > Applications > scroll down to Restrict App usage > search for the app you wish to block. You can do this with Pandora, YouTube, Spotify, just to name a few.
Let’s unravel this conversation a little further through our Network Usage Rules feature.
Maybe you don't want to block the app. Maybe you *want* your employees to still use these apps and have fun on their lunch breaks. For some of these folks, this is the only device they have and it is their work/personal device and you don't want to be perceived as the “Grinch in IT who stole fun.” But at the end of the day, your company is still footing the bill. So you need to find that balance of “have fun” and “don't cost us a bunch of money.”
Jamf Pro helps by allowing you to specify that an app can only play over Wi-Fi. Therefore, employees can still run around and catch Pikachu or stream music, but they must be connected to a Wi-Fi network so they're not burning through cellular data.
Go back to Configuration Profiles and scroll down to Network Usage Rules; this is where you determine whether apps can or should run on cellular data. Here you can specify that you want employees out in the field to be able to access Salesforce, but you don’t want office employees streaming Pandora and bogging down the Wi-Fi.
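For reference, the Network Usage Rules settings described above correspond to Apple's `com.apple.networkusagerules` configuration profile payload, which applies to managed apps. The following is an added example, not Jamf's own code: it builds such a payload and audits a profile for whether a given app may use cellular data. The bundle identifiers and profile identifiers are constructed placeholders, and treating any matching deny rule as a deny is this example's assumption.

```python
import plistlib
import uuid

# Constructed placeholder bundle IDs; replace with the IDs of your managed apps.
WIFI_ONLY_APPS = ["com.example.musicstream", "com.example.argame"]
CELLULAR_OK_APPS = ["com.example.fieldcrm"]

def network_usage_payload(wifi_only, cellular_ok):
    """Build a com.apple.networkusagerules payload from two app lists."""
    rules = []
    if wifi_only:    # these apps may not use cellular data at all
        rules.append({"AppIdentifierMatches": list(wifi_only),
                      "AllowCellularData": False,
                      "AllowRoamingCellularData": False})
    if cellular_ok:  # cellular allowed, but not while roaming
        rules.append({"AppIdentifierMatches": list(cellular_ok),
                      "AllowCellularData": True,
                      "AllowRoamingCellularData": False})
    return {"PayloadType": "com.apple.networkusagerules",
            "PayloadVersion": 1,
            "PayloadIdentifier": "com.example.profile.networkusage",
            "PayloadUUID": str(uuid.uuid4()).upper(),
            "ApplicationRules": rules}

def build_profile(payloads):
    """Wrap payloads in a top-level Configuration profile (XML plist bytes)."""
    return plistlib.dumps({"PayloadType": "Configuration",
                           "PayloadVersion": 1,
                           "PayloadIdentifier": "com.example.profile",
                           "PayloadUUID": str(uuid.uuid4()).upper(),
                           "PayloadDisplayName": "Cellular data controls",
                           "PayloadContent": payloads})

def _matches(pattern, bundle_id):
    # A pattern is an exact ID or a prefix ending in ".*" (wildcard after a dot).
    if pattern.endswith(".*"):
        return bundle_id.startswith(pattern[:-1])
    return pattern == bundle_id

def cellular_allowed(profile_bytes, bundle_id):
    """Audit a profile: False if any matching rule denies cellular data."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.networkusagerules":
            continue
        for rule in payload.get("ApplicationRules", []):
            patterns = rule.get("AppIdentifierMatches")  # absent = all managed apps
            applies = patterns is None or any(_matches(p, bundle_id) for p in patterns)
            if applies and rule.get("AllowCellularData", True) is False:
                return False
    return True  # no rule restricts this app
```

The audit function can be run against a profile exported from your MDM to confirm which apps are actually limited to Wi-Fi before you rely on the rule to control overages.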
As an added bonus, you can also “fast lane” certain apps to take priority over others. Configuration Profiles > Wi-Fi > Fast Lane Quality and then mark which apps you want to have priority.
When you deploy these profiles, you will get logs to make sure that everything took place and is working correctly. As an added failsafe, you can go back to smart groups and create a group to double-check that the profiles and restrictions are enforced and installed, and that you remain in compliance.
Additional restrictions to save on cellular data
Hotspot is a tricky one and one that is sure to come up. If your device is supervised, you can “disable Bluetooth modification” under Restrictions. Bluetooth is a potential requirement for hotspot. An example would be if you restricted users in the field from using Bluetooth, they wouldn’t be able to use their hotspot and burn through data.
Jamf Pro’s spring 2019 release 10.11 has a new feature to disable or enable the Personal Hotspot setting. This is for supervised iOS devices running iOS 12.2 or later. This is best for company-owned devices where the hotspot feature may not be required for a specific job role.
Disable voice data roaming on the device. Note: Disabling voice roaming automatically disables data roaming in iOS 5 or later.
Content filter. This is another “fail-proof” way to make sure that the apps that are blocked are also unavailable in web browsers. If you find that someone is on Facebook all day, you can block the Facebook app and this would stop a clever user from simply using a web browser to surf Facebook. Some apps, such as Hulu or Netflix, don't work on Safari iOS web browsers because they need plug-ins, but it doesn't hurt to give these entertainment platforms the same restrictive treatment.
VPN. You can make it so some apps only work on VPN with Jamf Pro. This can help with app security, as well as cellular data management.
Apps to self-monitor cellular data usage. You can always work with your cell carrier to see if they can do anything to assist with usage, but as a last resort, you could deploy a free app to the employees for them to monitor their own cellular data usage. I would do this only if this is a real problem.
If you find someone who is a habitual offender, you can place them in their own smart group. No need to punish or restrict the whole team if it is just one person. So you could do what I like to do, and make a smart group called “naughty list” and restrict all the things for the offender. Why does one person need to ruin it for the bunch?
As you can see, there are many different workflows, possibilities and resources that Jamf offers to help organizations manage cellular data. If you’re looking for more information or want to see how we can help with your own environment, let’s talk.