How to Uniquely Identify an iPad Using an MDM Solution
Privacy is a big selling point for Apple. As the company says, “We design Apple products to protect your privacy and give you control over your information.”
But that can be a big pain for projects where an enterprise wants to manage the devices that end users employ to access its business software.
In this case the participants were certain retailers who were offered the chance to move away from a cumbersome paper-based system and start using a much more convenient electronic system.
AOT Technologies’ client would issue iPads to the retailers, who in turn would register their details through those iPads. Our client needed to make sure that each registration stayed secure and the app could confirm the retailer’s ID through the iPad’s ID.
But Apple goes out of its way to make sure app IDs can change, and users can reinstall apps anyway.
Here’s how an AOT Technologies team solved the problem.
An AOT Technologies team recently faced an interesting challenge: how to design mobile software for certain retailers so it could match each iPad to the retailer who registered it. It’s a particularly daunting challenge since Apple’s iOS makes persistent ID difficult to maintain so that privacy can be protected.
For this project, retailers would consent to have their iPads managed by the project administrators, so there was less of a privacy issue. Retailers would also be able to use their own iPads provided the tablets were managed by the project administration team. Otherwise the admin team would provide the mobile devices.
Each iPad goes through a registration process before the retailer can start using the point-of-sale (POS) application. The registration would be happening from inside the app itself, into which the retailer enters store details and contact information. For the process to work properly, we needed to map that registration information to a specific iPad. We therefore needed a way to create and keep track of a unique identifier for each device.
However, Apple goes out of its way to make it hard to match iPads to their users. It even eliminated a Universally Unique Identifier (UUID) from iOS in the name of privacy. That left just two built-in options:
- advertisingIdentifier, which lets advertisers target an app’s users with customized ads
- identifierForVendor, which is unique to the same vendor of one or more apps on an iPad
Although they’re useful in some situations, they have big limitations:
- Users can reset their advertisingIdentifier, and as of iOS 14.5, they can opt out of ad tracking altogether or for specific apps
- identifierForVendor changes if all the installed apps by the same vendor are deleted from an iPad and then one or more are reinstalled
The Flutter SDK provides a device_info_plus package that can provide the unique ID of an app in the form of identifierForVendor, but because our application’s registration API required an identifier unique to the retailer’s particular iPad, we needed to take a different approach.
We realized we could still use Flutter’s device_info_plus package, but we’d pair a name key of our choosing with Apple’s own device name, and then restrict the user’s ability to change that name key. So first we needed to choose the right mobile device management (MDM) solution.
MDM is used to remotely manage an organization’s mobile devices such as tablets and smartphones—in our use case, Apple iPads running our POS application. The MDM administrator can manage a device’s various applications and restrict a user’s actions according to the organization’s policies.
To use an MDM we needed to connect it to Apple Business Manager (ABM), a web application to manage Apple’s mobile devices. To make things easier, devices purchased through an Apple ecommerce portal can be automatically enrolled in the MDM service.
In our case, we used the Hexnode MDM app to give us the ability to assign a name to each iPad and to stop that name from being changed by the user. Once we connected Hexnode MDM to Apple Business Manager, we could follow these steps:
1. Go to the “Manage” page, then click on the device name and navigate to its details.
2. Click on the “Actions” drop-down menu, then select the “Rename Device” option.
3. Enter the unique “Device Name” of your own choosing, then click the “Execute” button.
4. Go to the device’s “Policies” page and click on the “Manage” drop-down menu. Click “Modify.”
5. Select “Advanced Restrictions” from the left menu.
6. Scroll down to “Allow Security and Privacy Settings” and deselect the “Modify device name” checkbox.
7. Click “Save” and wait a few minutes for the policy to be applied to the iPad.
Once that is done, the user won’t be able to edit the name from the iPad’s settings, and you can retrieve that uniquely identifiable name from the device_info.
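The retrieval step described above, as an added example (not AOT's own code): it reads the device name through device_info_plus and rejects any name that does not follow the administrators' scheme. The `POS-RETAIL-` naming pattern, the exception class, and the payload field names are assumptions made for illustration.

```dart
import 'dart:io' show Platform;

import 'package:device_info_plus/device_info_plus.dart';

// Hypothetical naming convention for names assigned through the MDM console,
// e.g. "POS-RETAIL-000123". Adjust to whatever scheme the admin team uses.
final RegExp mdmNamePattern = RegExp(r'^POS-RETAIL-\d{6}$');

class DeviceIdentityException implements Exception {
  DeviceIdentityException(this.message);
  final String message;
  @override
  String toString() => 'DeviceIdentityException: $message';
}

/// Returns the MDM-assigned device name, or throws if the name does not look
/// like one the administrators issued.
Future<String> readManagedDeviceName() async {
  if (!Platform.isIOS) {
    throw DeviceIdentityException('Only managed iPads are supported.');
  }
  final IosDeviceInfo ios = await DeviceInfoPlugin().iosInfo;
  final String name = ios.name.trim();

  // On iOS 16 and later, UIDevice.name returns a generic value such as "iPad"
  // unless the app holds the
  // com.apple.developer.device-information.user-assigned-device-name
  // entitlement, so a generic name fails the pattern check below.
  if (!mdmNamePattern.hasMatch(name)) {
    throw DeviceIdentityException(
        'Device name "$name" is not an MDM-assigned name.');
  }
  return name;
}

/// Builds the body sent to the registration API (field names are hypothetical).
Future<Map<String, String>> buildRegistrationPayload({
  required String storeName,
  required String contactEmail,
}) async {
  return {
    'deviceName': await readManagedDeviceName(),
    'storeName': storeName,
    'contactEmail': contactEmail,
  };
}
```

The device name is a value the client reports, so the registration API can compare it with the device list held in the MDM console before accepting a registration.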
It should be noted that this solution can be adapted to native iOS code. We can use the UIDevice class available in the Swift or Objective-C programming language to get the device name.
A mobile app for retailers that AOT developed needed to match application registration with a unique and consistent device ID. The user should not be able to change that identification, nor should reinstalling or upgrading the app make such a change.
The process we came up with at AOT was to use our ability as device administrator to use an MDM to assign a name ID of our choosing, and then select policies to prevent a user from changing that ID. This ID served as a name key that Flutter could use to return Apple’s own device ID to our project’s registration API.