Prevent iOS devices from being registered with Xcode

As a large organisation, we have the problem that we cannot put a policy on which devices are being registered as development devices by connecting them to Xcode.

Basically anyone with a registered account can connect and accept the request from Xcode which makes it hard to enforce a policy that would limit the total number of devices to 100.

Is there a way to intercept/prevent either
  • The process in Xcode

  • The overall USB connection of certain devices

Our macOS and iOS hardware is MDM managed and we should be able to install custom daemon processes in macOS in case that would help.

Any advice appreciated,
Andreas Pardeike


Replies

Have you tried deploying the devices as supervised, and either blocking or restricting host pairing by policy from the MDM server?

https://developer.apple.com/documentation/devicemanagement

Take a look at the Restrictions payload here:

https://developer.apple.com/documentation/devicemanagement/restrictions

"allowHostPairing

If false, disables host pairing with the exception of the supervision host. If no supervision host certificate has been configured, all pairing is disabled. Host pairing lets the administrator control if an iOS device can pair with a host Mac or PC."
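
An added example, not posted by anyone in this thread and not Apple's code: a small audit that reads an unsigned configuration profile and reports what its Restrictions payload (`com.apple.applicationaccess`) says about `allowHostPairing`. The profile is constructed here, the `com.example.*` identifiers are placeholders, and treating any `false` among several payloads as winning is an assumption.

```python
import plistlib
import uuid

RESTRICTIONS_TYPE = "com.apple.applicationaccess"  # PayloadType of the Restrictions payload


def build_profile(allow_host_pairing):
    """Return a constructed, unsigned profile with one Restrictions payload.

    Pass None to leave allowHostPairing out of the payload entirely.
    """
    payload = {
        "PayloadType": RESTRICTIONS_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.restrictions.hostpairing",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Restrictions (constructed sample)",
    }
    if allow_host_pairing is not None:
        payload["allowHostPairing"] = allow_host_pairing
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.profile.hostpairing",  # placeholder
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Host pairing policy (constructed sample)",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)


def host_pairing_policy(profile_bytes):
    """Return 'blocked', 'allowed' or 'unset' for an unsigned profile plist."""
    profile = plistlib.loads(profile_bytes)
    values = [
        p["allowHostPairing"]
        for p in profile.get("PayloadContent", [])
        if p.get("PayloadType") == RESTRICTIONS_TYPE and "allowHostPairing" in p
    ]
    if not values:
        return "unset"  # key absent: the profile does not restrict host pairing
    # Assumption: with several Restrictions payloads, any False is enforced.
    return "allowed" if all(values) else "blocked"


if __name__ == "__main__":
    for setting in (False, True, None):
        print(setting, "->", host_pairing_policy(build_profile(setting)))
```

A signed profile is wrapped in a CMS envelope and has to be unwrapped before `plistlib` can read it.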

Reading the documentation on allowHostPairing I assume it disables all kinds of USB connectivity to a computer. Is that the case? We need to allow our corporate (non dev) devices to be used to transfer camera roll content to a computer.

Your assumption is correct. Restricting host pairing will disable all USB connectivity to the Mac, which would make it impossible for developers to test apps on real hardware. While you can restrict a developer's ability to register devices directly on the developer website, you cannot restrict Xcode from doing it automatically using Automatic Signing.

Please file feedback for this here.

You can also deploy a separate camera app for company-related photography that doesn't use the camera roll. That keeps "work related" and "personal" photographs/videos quite separate in separate apps. Some MDM vendors include that functionality in pre-built Apps they provide, and some customers will build and deploy their own camera apps that sync to corporate systems of record automatically, rather than the camera roll.

Uroshnor, we already have a corporate camera app. USB connectivity would still be necessary to allow users to copy their personal camera roll to a computer and to maybe connect the phone to other USB devices.