Tags Guide Part VI: AppleTV
Profile
Profiles for each device type are managed independently allowing separate configuration and management of profiles for each device type. When a device is provisioned, it will be provisioned with the profile configuration at the time the device was enrolled. When a profile change is made, new devices will receive the new configuration as well as devices that are currently managed and/or blocked. When any Profiles are changed, ensure the settings are correct as these will be applied immediately to all applicable devices. Please ensure you click on the Save or Save & Close button on the bottom right of the screen to commit your changes before selecting another page.
Restrictions
Restrictions are usually simple on/off settings that extend the configuration options of your managed devices and increase the security options. By enabling or disabling them, users are either authorized or explicitly prohibited from configuring certain settings on the device.
| Setting | Options | Requirement | Description |
|---|---|---|---|
| Allow Remote Pairing | Enabled or Disabled | tvOS 10.2 | If set to false, the AppleTV cannot be paired for use with the Remote App or Control Center widget. |
| Allow iBookstore Erotica | Enabled or Disabled | tvOS 11.3 | If set to false, the user will not be able to download media from Apple Books that has been tagged as erotica. |
| Maximum Age Rating For Allowed App Content |
|
tvOS 11.3 | This value defines the maximum level of app content that is allowed on the device. |
| Maximum Age Rating For Allowed Movie Content |
|
tvOS 11.3 | This value defines the maximum level of movie content that is allowed on the device. |
| Maximum Age Rating For Allowed TV Content |
|
tvOS 11.3 | This value defines the maximum level of TV content that is allowed on the device. |
| Ratings Region |
|
The region that profile tools use to display the proper ratings for the given region. | |
| *supervised devices only: | |||
| Allow Explicit Music or Video | Enabled or Disabled | tvOS 11.3 | When false, explicit music or video content purchased from the iTunes Store is hidden. Explicit content is market as such by content providers, such as record labels, when sold through the iTunes Store. |
| Allow Changing Device Name | Enabled or Disabled | tvOS 11.0 | If set to false, prevents device name from being changed. |
| Force Set Date and Time Automatically | Enabled or Disabled | tvOS 12.2 | If set to true, the Date & Time "Set Automatically" features is turned on and can't be turned off by the users. Note: The device's time zone will only be updated when the device can determine its location. |
| Allow Password Proximity Requests | Enabled or Disabled | tvOS 12 | If set to false, a user's device will not request passwords from nearby devices. |
| Allow Incoming AirPlay Requests | Enabled or Disabled | tvOS 10.2 | If set to false, the Apple TV cannot be paired for use with the Remote app or Control Center widget. |
| Allow Device Sleeping | Enabled or Disabled | tvOS 13 | If set to false, the Apple TV will not go to sleep. |
| Prevent Listed Bundle IDs From Being Shown or Launchable | e.g. com.apple.facetime | tvOS 11.0 | If present, prevents listed bundle IDs from being shown or launchable. Include the value com.apple.webapp to blacklist all webclips. |
| Allow Only Listed Bundle IDs To Be Shown or Launchable | e.g. com.apple.facetime | tvOS 11.0 | If present, allows listed bundle IDs from being shown or launchable. Include the value com.apple.webapp to blacklist all webclips. |
Application Lock
With the application lock profile, you can turn the device into a device that runs only one application. This feature is very useful in demonstration areas like promotion shops or roadshows to let users only use one specific application. Within the Application Lock profile, you can setup your desired App Identifier (Bundle ID) with additional options to Disable Touch (touch surface on the Apple TV Remote), Disable Auto Lock and Enable Voice Over. Upon receiving the profile, the home button is in a disabled state, and the device returns to the app automatically upon wake or restart. The feature is supported on supervised tvOS devices running version 10.2+.
| Setting | Options | Description |
|---|---|---|
| Application Lock | Enabled or Disabled | Enables the Application Lock profile |
| App Identifier | e.g., com.apple.TVMovies | Enter here the bundle id for the application that should run in the Single App Mode. |
| Disable Touch | Enabled or Disabled | Disables the touch surface on the Apple TV Remote. |
| Disable Auto Lock | Enabled or Disabled | Controls if the device doesn't automatically go to sleep after an idle period. |
| Enable Voice Over | Enabled or Disabled | Enables or Disables Voice Over. |
Wi-Fi
Silverback offers the ability to pre-populate multiple Wi-Fi Profile and settings on your devices, so the user does not need to know the password for these networks. If you having a WPA Enterprise protected network (e.g. with a RADIUS Server), please refer to WPA Enterprise Settings for additional information.
| Setting | Apple TV | Description |
|---|---|---|
| General Settings | ||
| Wi-Fi Settings | Enabled or Disabled | Enables the sending of Wi-Fi settings. |
| SSID | e.g. Corporate Wi-Fi | Service Set Identifier of the wireless network. |
| Security Type |
|
Defines the used Wireless network encryption. |
| Hidden Network | Enabled or Disabled | Enable if the target network is not open or hidden. |
| Automatically Join | Enabled or Disabled | The device will automatically join the Wi-Fi network. |
| Password | e.g. Pa$$w0rd | Password for authenticating to the wireless network. |
| Proxy Settings | ||
| Proxy |
|
Ensures the device talks to the necessary Proxy. Review WPA Enterprise Settings for additional information. |
| Protocol Settings (only Enterprise) | ||
| Accepted EAP Types |
|
Defines the protocol utilized by encryption type. Review WPA Enterprise Settings for additional information.
|
| Protected Access Credentials |
|
Defines the PAC configuration. Review WPA Enterprise Settings for additional information. |
| Authentication Settings (only Enterprise) | ||
| Username and Password |
|
Defines the used authentication mechanism. Review WPA Enterprise Settings for additional information. |
| Certificate-based authentication |
|
Defines the used authentication mechanism. Please refer to: Certification Authority Integration Guide for Certificate Based Authentication |
| Allow Two Rands | Enabled or Disabled | Allow authenticating to server providing only two RAND values (EAP-SIM). |
| Trust Settings (only Enterprise) | ||
| Trust |
|
Defines the chain of trust. Review WPA Enterprise Settings for additional information. |
Global HTTP Proxy
Enabling the Global HTTP Proxy will force all Network Traffic through a designated proxy server.
| Setting | Apple TV | Description |
|---|---|---|
| Global HTTP Proxy | Enabled or Disabled | Enables the Global HTTP proxy. |
| Proxy Type |
|
Allows the administrator to select a proxy type. |
| Server | e.g. http:// proxy.imagoverum.com or 192.168.0.101 | The FQDN or IP address of the proxy server. |
| Port | e.g. 80 or 443 | The port of the proxy server. |
| Individual Usernames | Enabled or Disabled | Controls the user ability to enter their own credentials. |
| Username | e.g. Proxyuser | Allows the administrator to define the group username. |
| Password | e.g. Pa$$w0rd | Allows the administrator to define the group password. |
| PAC URL | e.g. http:// proxy.imagoverum.com/proxy.pac or 192.168.0.101/proxy.pac | Allows the administrator to specify the location of the PAC script. |
AirPlay Security
The AirPlay Security payload locks the Apple TV to a particular style of AirPlay Security.
| Setting | AppleTV | Description |
|---|---|---|
| AirPlay Security | Enabled or Disabled | Enables or disables the profile. |
| Profile Name | e.g. AirPlay | Defines the profile name. |
| Access Type |
|
Any allows connections from both Ethernet/WiFi and AWDL. WiFi only allows connections only from devices on the same Ethernet/WiFi network as the Apple TV. |
| Security Type |
|
Passcode once will require an on-screen passcode to be entered on the first connection from a device. Subsequent connections from the same device will not be prompted. Passcode always will require an on-screen passcode to be entered upon every AirPlay connection. Password will require a passphrase to be entered as specified in the Password key. |
TV Remote
This profile allows restricting the connections from the Apple TV Remote app to an Apple TV and restricting the available Apple TV devices in the Apple TV Remote app. Press + to add devices or - to remove listed devices.
| Setting | AppleTV | Description |
|---|---|---|
| TV Remote | Enabled or Disabled | Enables or disables the profile. |
| Name | e.g. TV Remote | Defines the profile name. |
| Allowed remote devices | e.g. 14:20:5e:6f:16:d5 | Displays all allowed devices. |
Conference Room Display
If you are using an Apple TV in a business setup or in any classroom, Silverback helps you to set the Conference Room Display mode remotely on any AppleTV device. Instead of showing the home screen of the Apple TV, with Silverback you can add instructions for how to connect via AirPlay. This will help to ensure an easy and convenient connection to an AppleTV from other Apple devices.
| Setting | AppleTV | Description |
|---|---|---|
| Conference Room Display | Enabled or Disabled | Enables or disables the profile. |
| Name | e.g. Conference Room | Defines the profile name. |
| Message | e.g. On your Smartphone, Tablet or MacBook choose Screen Mirroring and select the Apple TV | This message will be displayed on the Apple TV Conferece Room display. |
Custom Profiles
Custom Profiles are a very helpful option to configure additional payloads for your managed devices. You can utilize the Apple Configurator 2 to create custom profiles in a *.mobileconfig format. Additionally, you might create or receive a custom XML from a third-party vendor, like for the Cisco Security Connector Umbrella Setup for iOS and iPadOS. Depending on the format or the way how you create or receive the profile, you can either upload the *.mobileconfig to Silverback or add the XML content into the provided section inside the profile. Created profiles with the Apple Configurator 2 can easily be adjusted by replacing the file type to *.txt (e.g., on Windows 10) or opening these files directly with the Text Editor (e.g., on macOS devices). System Variables are supported in the Use XML option or by uploading a *.mobileconfig file that contains a System Variable. Silverback will adjust the XML or the mobileconfig on the fly and convert the System Variables to the individual values and install this payload with the desired content on your devices.
- Click New Custom Profile
| Setting | Apple TV | Description |
|---|---|---|
| Name | e.g. AppleTVRemote | Display Name for the Custom Profile. |
| Description | e.g. AppleTVRemote | Description for the Custom Profile. |
| Use XML | Enabled or Disabled | Use this option if have a profile that is not saved as a *.mobileconfig file. |
| XML Text |
Your XML custom profile content |
Enter in the section your custom profile content in case it is not saved as a*.mobileconfig file. |
| Mobileconfig File | Choose File | Uploads the *.mobileconfig file. |
Home Screen Layout
Please refer to: iOS Guide VII: Add your Home Screen Layout
Policy
With Policy or Policies Administrators have the ability to enforce rules with Silverback, such as enforcing what Apps are installed on the devices, what Cellular Networks the device is on through to enforcing the Serial Numbers of the devices as they are enrolled into the system. These are the environmental conditions that Silverback will continue to monitor for and ‘police’ for any devices that are associated with the Tag.
OS Version Compliance
Administrators have the ability to control which OS versions are allowed within their environment. To allow an OS version, simply ensure the checkbox next to the respective OS version is ticked. Enrolling a device with a disabled OS version will result in the device automatically being blocked.
- Alert Administrators: When the checkbox is checked, all administrators will receive an email when a device that violates OS compliance is detected, or when a new OS version is discovered.
- Automatically Approve New OS Versions: When an OS platform is enrolled to Silverback for the first time, the OS is automatically added to the list. By default, unknown OS platforms are disabled and relevant devices will be blocked. To automatically authorize new OS versions as they are discovered, ensure the checkbox is ticked.
Use this feature where you do not want devices to be automatically blocked when a user upgrades their device to a new future OS version that is released by their software vendor.
OS Updates*
A common question that you may face is how can we prevent our devices from updating updating to the latest version of iOS and how can we test the new iOS update before all of our users will install it? Often, organizations wish to check the latest iOS release, verifying that the business-related apps they use will continue to function properly on the devices used by their organization. Starting with iOS 11.3 and for supervised devices Apple began to offer the possibility to specify a number of days to delay software updates, with a maximum of 90 days. With this option enabled, the user of the device will not see a software update until the specified number of days has passed since the release.
| Setting | iPhone | iPad | iPod | Description |
|---|---|---|---|---|
| Defer Operating System updates for X | Enabled or Disabled | Enabled or Disabled | not available | Enables the deferral of operating system updates. |
| Days | 1-90 | 1-90 | not available | Defines the time period of how long updates will be deferred. |
Create different Tags with different values to allow new OS updates in waves. Here is an example how it could look like:
- Do not use the feature for the internal IT or MDM department.
- Enable and restrict set the policy for Pilot Users to 14 days
- Enable and restrict set the policy for non-critical departments to 30 days
- For critical department use the maximum value of 90 days.
Hardware Compliance
Administrators have the ability to enforce a hardware compliance policy through Silverback. Simply uncheck the boxes for hardware types that should not be supported and any devices that match the hardware type and are managed by Silverback will be blocked. The list of hardware types is managed via the Device Types option in the Admin Tab of the Silverback Console. If a mapping from device type to hardware type exists, the hardware type will be displayed in the hardware compliance list. When a Device Manufacturer release a new version of their hardware the model numbers may not be known by Silverback, in this case Silverback will ‘learn’ them and store them as ‘Unknown’ in the Device Types section under the Admin Tab where the Administrator can update them manually. To allow these devices into your system you enable the ‘Unknown’ checkbox option. This will allow the device into your Silverback Environment and you can later re-classify this device type in the Admin > Device Types section.
- Alert Administrators: When the checkbox is checked it will ensure that administrators receive an email when a device that violates hardware compliance is detected.
Time Zone
Silverback offers several different ways to change the time zone on your managed devices or to define which time zone should be set on all Apple platforms. Firstly, iOS, iPadOS and Apple TV offer the ability for supervised devices to remotely set the time zone with a one-time command. The alternative option is to define a policy where Silverback checks the target and actual status at each device check-in based on the device's reported information and, if there is a discrepancy, resets the time zone to the one defined in the policy. For additional information please refer to Set and configure Time Zones for Apple devices.