iOS Device Management and ACP Tools
This article provides context around Mobile Device Management(MDM) services and teaches you the best practices for deploying the ACP Tools App to iOS devices in your organization.
Why should I use device management?
Device management providers can help streamline a few following areas:
- Configuring and Updating iOS Devices quickly and easily
- Enforcing Security Policies
- Locating, Deactivating, and Erasing Devices
- Naming Devices Consistently (e.g. Nursing Home iPad 1, Nursing Home iPad 2)
- Assigning Devices to Users within Your Organization
- Automatically Installing Third Party Apps, Books, and other Content
What are the requirements for automatically setting up devices remotely?
If you want to setup devices remotely and automatically (instead of plugging in devices), you'll need three things:
- Purchase your iOS devices from Apple or an Authorized Reseller
- Enroll in Apple's Device Enrollment Program (DEP)
- Provide configuration profile(s) using a Mobile Device Management(MDM) service to control and setup your devices
How does device management work?
Device management installs a small file called a Configuration Profile on a device. This file is a bundle of settings that the device will adhere to. A device can have one or many different installed configuration profiles depending on management needs. Examples might include:
- Having devices automatically join a password protected Wi-Fi network
- Preventing users from adding or removing specific apps
- Hiding unused apps on a device
- Disabling the camera
In this example, each of these configuration options could be combined as a single configuration profile or 4 distinct profiles.
For example, settings specific to an advance care planning project could be added in addition to organizational security policies. Configuration Profiles can be installed locally by connecting to a computer, or remotely by enrolling a device in a Mobile Device Management (MDM) Service.
How would I setup a device management service?
Wouldn't it be great if each device you handed to your staff was setup automatically? What if devices you ordered from Apple or an Apple Authorized reseller was configured out of the box? The best way to roll out device management is by partnering with your organization's technology team. The initial setup requires some technical knowledge, but once configured, the process is a seamless and wonderful experience for your team.
Please familiarize yourself with Apple's Device Enrollment program and guide found here: http://www.apple.com/business/dep/.
How do I make sure that every device is setup correctly?
Ensuring that you can effectively manage the devices for your ACP project is essential. There are two main workflows for managing devices in an organization:
- Apple Configurator 2 — This is a free application provided by Apple—this makes it easy to deploy iPad, iPhone, iPod touch, and Apple TV devices in your school or business. To learn more about this process, please visit Apple’s Business & Education Support for guidance on device management best practices. It requires devices to be connected to a computer and is an attractive option if your organization does not have a Mobile Device Management (MDM) service available.
- Mobile Device Management (MDM) Service — This is a remote service that sends commands to enrolled devices depending on your management needs.
The options listed above are not mutually exclusive and can be leveraged together. You can think of the MDM service as high-level master controller for all devices and Apple Configurator
For example, a school could manage security and network settings through an MDM service, but a cart of iPads would be configured on a per classroom basis. Additionally, a hospital could manage security and network settings through an MDM service, and configure iPads on a per clinical team basis preload different content (e.g. cardiology vs. pediatric focused apps) based on clinical settings.
How do I make sure the ACP Tools App is installed?
Using Apple Configurator 2 and/or an MDM service allows you to specify which Apps you would like installed on enrolled devices.
How does the ACP Tools App fit into a Bring Your Own Device (BYOD) strategy?
In some organizations, users may be allowed to bring their own phone, tablet, or computer, as long as it meets the security and management policies of the organization. This is commonly referred to as a "Bring Your Own Device" or BYOD strategy. As long as a device is enrolled in an MDM service, it can adhere to your policies, regardless of who purchased it originally.
How do I lock a device down with an MDM service?
Device management services on iOS 9 support a feature called blueprints. These are an easy way to lock features down and make sure apps are always installed. If a blueprint is applied to a device, it will honor the rules you've specified. The procedure to create a blueprint will vary depending on your device management service. We use a service called Bushel, which out of the box supports a lot of restrictions found here.
In this example, we want ACP Tools to be automatically installed and the camera to be disabled:
- Login to Bushel
- Select the Blueprints Tab
- Select the + button to create a new blueprint and save it
- Choose the devices you want the blueprint to apply to
- Select the Apps tab and choose ACP Tools
- Select the Restrictions tab and choose Disable Camera
- Click the "Sync" button to apply these changes to your specified devices
What is the best way to keep track of devices?
Device management allows an organization to assign devices to individuals. Using an MDM service allows an organization to remotely locate and erase devices that go missing.
Recommended Device Restrictions
MDM services allow you to lock down many aspects of a device.
Bushel provides a comprehensive list of available restrictions here which are standard for iOS 9 devices and above. Depending on your MDM service, these restrictions may vary.
Is there a common approach you recommend?
Your requirements will vary depending on your internal policies, so it is important that you coordinate with your technology and security teams. Many aspects of devices can put PHI at risk and should be turned off, these include the camera, messaging, and backups, syncing and other sharing services. If you want the highest level of control over the device, you must follow these steps:
- Make your device's Supervised using Apple Configurator 2
- Enroll your devices in your MDM service (such as Bushel)
- Select the restrictions you would like and save a Blueprint
- Apply the blueprint to the enrolled devices
What restrictions do most customers enable or disable?
For all devices, we typically see customers do the following:
- Require WiFi to join only Authorized Networks
- Disable Camera, Siri, iCloud Backups, Screenshots, iCloud Keychain
- Pre-Install Important Third Party Apps
- If Siri is enabled, Force Profanity Filter on Siri
When a device is Supervised you can restrict additional settings:
Disable installing Apps
Prevents your staff from installing Apps from the App store.
Example: A user could not download a note taking app that might be able to capture patient data.
Disable Air Drop
This is a quick way to transfer files from an iOS device to a Mac.
Example: A user could not quickly transfer a note from an iPad to their personal phone or laptop.
Disable iCloud Backup, Disable iCloud Document Sync
These services backup information to Apple's servers. With these enabled, you may put PHI at risk.
Example: A clinician takes notes about a patent using the iPad. If these are backed up using iCloud and contain PHI, that user has violated HIPAA.
Disable Erase Content and Settings
This makes it so users cannot erase the device and change its settings later.
Example: A malicious user could not steal an iPad, erase it, and reconfigure it.
Disable “Enable Restrictions"
This prevents your users from modifying the device's restrictions.
Example: A malicious user could not remove your security policies and reconfigure the device for their own use.
Disable Account Modification
This prevents users from adding their own email, calendar, and social media accounts to the device.
Example: A clinician could not add their Twitter or Facebook account to the device.
Disable Device Name Modification
If you have a naming standard for your devices, this prevents users from changing the device's name.
Example: "iPad - Nursing Homes" could not be changed to "John's iPad".
Security and Legal Considerations
Is a sign in required every time a resource is viewed?
A user can stay signed in to the App for up to two weeks. Staying signed in is designed to provide quick access to the ACP Decisions content library and save health care professionals' time.
Does a patient need to provide consent each time a resource is viewed?
Each time a resource is viewed, a consent form will appear. This must be agreed to by the patient directly viewing the video or PDF.
Does the App store any private healthcare data on the device?
No private health care information is stored on the iOS device even when a user is signed in. When a patient or health care professional signs in, the user enters their email address and a password. These credentials are securely sent to My ACP Servers using industry standard SSL encryption and sensitive information is viewed remotely. The app stays signed in using an anonymous session returned by the server.
App Network and Bandwidth Considerations
Is an internet connection required to sign in?
All users need to be connected to the internet via WiFi or cellular data when signing in. If a health care professional plans to be at a location without connectivity, we recommend signing in and downloading the necessary resources in advance.
Is an internet connection required to play a video or view a PDF?
All users in the ACP Tools App have the option of downloading content they use most often. Downloaded resources do not require a network connection to access. If your WiFi network has issues supporting the minimum bandwidth requirements of streaming ACP Decisions videos, please coordinate with your technology team accordingly.
How much space is required for downloads?
We recommend downloading only the content you need most. The ACP Decisions content library is growing constantly, with new videos and PDFs added every few weeks. 2 minutes of video requires about 20 MB of space to download. A 2-Page PDF requires 400 KB.
The ACP Tools App includes a screen for managing downloads. This lists each resource and the space required to download. If the download is too big for the remaining space on the device, an alert informing the user of the issue will be shown. Additionally, the download management screen can be used to remove downloaded resources from the device to free up space.