Shared iPadOS TemporarySessionTimeout Experience

I have implemented some Shared iPads at my company. These are to be single-purpose devices that are shared among the staff at particular offices and are used to run a single App that is important to them.

It should be noted that the app requires some permissions before it can be used properly and so these, while not amazingly hard to agree to, are just kind of annoying for the end user to constantly be challenged with while trying to get on with their job (Camera access kind of things). The app has its own security so locking down the device and then making use of the Guest (Temporary) session meets our needs.

I also have a need to keep the devices’ iPadOS up-to-date* and this requires that they are signed off of the device to work correctly.

Counting on the end user to reliably sign out at the end of the week so the OS updates can occur over the weekend is not likely to be successful, so Apple thoughtfully provided an attribute that I could use called TemporarySessionTimeout. The only problem is… it didn’t work.

But finally, after over 5 months working with Microsoft and Apple it seems the issue is now settled.

Here are my conclusions:

  1. iPadOS 15.5 is required for the TemporarySessionTimeout attribute to work correctly.
  2. Apple assures me that any value from 1 to 129,600 seconds (36 hours) will work. I am using this as my upper limit.
  3. I have tested, multiple times now, 86,400 seconds (24 hours) and this works fine. This is the value I agreed upon with my business partner that should permit the session to persist throughout the week but then timeout on the weekend and leave enough time for iPadOS updates* to occur.
  4. The timer is reset with pretty much ANY interaction with the device. In my earlier testing I was checking at 16 hours, 20 hours, etc. with the intent of catching if the device was timing out sooner than expected. But when I did this, it would also NOT timeout after 24 hours. Only if I left it completely alone and then checked after 24 hours was the guest session signed-out. All I did was press the power button to check if the “Sign out” button was still present.

* I keep mentioning iPadOS updates like they work. They don’t. I have cases open with both Microsoft and Apple on this issue. As of iPadOS 15.5, using an Intune iOS/iPadOS Update policy does not cause the update to occur successfully, at least on my devices. There is some kind of permissions error buried in the logs and the direction I’m getting from Apple is that we will need to wait for a future release of iPadOS to see if it’s fixed. Yay team!
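Added example, not from the original post or from Apple or Microsoft: a Python check that reads TemporarySessionTimeout from a configuration profile, validates it against the 1 to 129,600 second range in conclusion 2, and models the timer reset in conclusion 4 to show how much of the weekend is left for updates. The payload type `com.apple.shareddeviceconfiguration` is Apple's Shared Device Configuration payload and is not named in the post; the sample profile, the dates, the helper names and the reset model (each interaction restarts the full timeout) are assumptions.

```python
import plistlib
from datetime import datetime, timedelta

# Apple's Shared Device Configuration payload type (not named in the post).
SHARED_DEVICE_PAYLOAD = "com.apple.shareddeviceconfiguration"
MAX_TIMEOUT = 129_600  # seconds (36 hours), the upper limit quoted in the post

# Constructed sample profile, trimmed to the keys this check reads.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.shareddeviceconfiguration</string>
      <key>TemporarySessionTimeout</key><integer>86400</integer>
    </dict>
  </array>
</dict>
</plist>
"""


def find_timeout(profile_bytes):
    """Return TemporarySessionTimeout from the shared-device payload, or None."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == SHARED_DEVICE_PAYLOAD:
            return payload.get("TemporarySessionTimeout")
    return None


def check_timeout(value):
    """Return a list of problems with the configured value (empty if fine)."""
    if isinstance(value, bool) or not isinstance(value, int):
        return ["TemporarySessionTimeout is missing or not an integer"]
    if not 1 <= value <= MAX_TIMEOUT:
        return [f"{value} is outside 1..{MAX_TIMEOUT} seconds"]
    return []


def sign_out_time(interactions, timeout_seconds):
    """Model conclusion 4: every interaction before the deadline restarts the
    full timeout; interactions after the session has ended are ignored."""
    times = sorted(interactions)
    deadline = times[0] + timedelta(seconds=timeout_seconds)
    for t in times[1:]:
        if t >= deadline:
            break
        deadline = t + timedelta(seconds=timeout_seconds)
    return deadline


def hours_left(sign_out, window_end):
    """Hours between the guest sign-out and the end of the update window."""
    return (window_end - sign_out).total_seconds() / 3600


if __name__ == "__main__":
    timeout = find_timeout(SAMPLE_PROFILE)
    print("timeout:", timeout, "problems:", check_timeout(timeout))
    friday = datetime(2022, 6, 3, 17, 0)   # constructed: last use, Friday 17:00
    monday = datetime(2022, 6, 6, 7, 0)    # constructed: staff return
    untouched = sign_out_time([friday], timeout)
    peeked = sign_out_time(
        [friday, friday + timedelta(hours=16), friday + timedelta(hours=20)],
        timeout)
    print("untouched:", untouched, hours_left(untouched, monday), "h left")
    print("peeked:   ", peeked, hours_left(peeked, monday), "h left")
```
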

iOS 15 Managed Pasteboard and Intune MAM/MDM Protections

I recalled reading about the Managed Pasteboard feature in the iOS 15 release notes but the full import of it hadn’t hit me until today.

If you are using an Intune App Protection policy to “sandbox” your managed apps and you are also using Intune’s MDM, you will find that Pasting from the clipboard behaves a bit differently after upgrading your devices to iOS and iPadOS 15.

Previously, in Microsoft’s Office 365 ecosystem you used App Protection policies to specify which apps are “Managed”. You would specify what kind of actions could be done with data with respect to those apps. Only certain apps were “enlightened” or compiled with the SDK that recognized Intune’s MAM requirements so you had a very limited ecosystem of apps you could use in this fashion.

Things like saving files from a managed app to local storage, or copy-and-pasting data from inside of one of those apps to another app would be controlled this way.

In my institution, we allow people to copy-and-paste into these managed apps, but not vice-versa.

I’m not an expert on other MDM solutions having only worked with MobileIron and BlackBerry in the past, but I understand Intune’s approach is a bit different in that, for the Office 365 primary apps (Outlook, Word, OneDrive, etc.), the apps themselves are primarily responsible for enforcing the MAM requirements imposed by the Administrators.

More so, each app discriminates between Corporate data and personal data on an account-by-account basis. i.e. You can be using Outlook to access your Corporate email AND your personal Gmail account. This means you can have emails side by side in your aggregated inbox and you can copy-and-paste from the personal Gmail messages to any other app you please on your device, but try to paste from any of your Corporate emails and all you get is “Your organization’s data cannot be pasted here.” pasted in any non-managed receiving apps.

This was fine and worked well enough. We were satisfied that our data was protected.

However, it seems Apple understood the MDM piece of the equation, which would allow data from managed apps to be pasted to non-managed apps, to be a gap, which they rectified in iOS / iPadOS 15 with the Managed Pasteboard. The issue here is that it cannot have the nuance of Microsoft’s App Protection policy solution. Apple doesn’t know about the contents of the Managed apps; it’s unaware that some data contained in the app is personal and some is Corporate. Basically, if the MDM pushed down the app, then it’s managed and you’re not moving ANY data out of this to any but another managed app.

I’m using cut-and-paste as my typical use-case, but this will affect any data movement from managed to unmanaged apps – saving files, opening files in other apps, etc.

I’m hopeful that Apple will introduce the ability to disable the Managed Pasteboard feature should we want to. I recognize that their approach is probably a bit more “standard” but I feel that usability suffers.

Android gets around this issue by having an entire area sectioned off (Work Profile) where EVERYTHING inside the work profile is work only – nothing leaves there, and everything outside is personal. The distinction is so clear that you will actually have two separate copies of any app that would be used for work purposes. So you can use Outlook for your personal Gmail account outside of the work profile completely unfettered and you use another copy of Outlook for your Corporate mail within the work profile under the limitations your company feels are appropriate to prevent the data from being exfiltrated in some undetectable fashion.

I recall that Apple seemed to be working on a similar scheme but I have not heard anything about it for a few years now.

Moving Back to Quicken from Banktivity (Long)

TLDR; I moved from Quicken to Banktivity a little over 3 years ago and now I’m going back. I basically don’t trust the Banktivity registers and it takes WAY too much time manually inspecting, auditing, and repairing to be worth my effort.

I have tracked my finances in detail since my university days in the mid-80s when I created a complicated set of macros in Quattro to handle the basics required to record, track, and reconcile all of my accounts. This continued until I got my first job and decided I wanted a more polished system, whereupon I migrated over to Intuit’s Quicken product.

I continued to use Quicken for a little over 25 years when they started faltering and appeared about to go out of business. Their support had gone very much downhill, updates to the product were unspectacular and, frankly, it seemed as if Intuit regarded the Quicken product as just an advertising means to push their TurboTax product.

I was disenchanted and looked around for a native MacOS product that could handle my personal finance needs. In late 2018 I decided that Banktivity (which had *just* rebranded from “iBank”) had the comprehensive set of features that I needed, and so I migrated to this platform.

Banktivity was still a bit rough around the edges, but it had just been overhauled and they looked like they were eager to build a world-class personal finance solution so I tolerated some of the fairly glaring shortcomings and found workarounds with the assistance of their support folks.

Sengled Window & Door Sensor Review

Sengled Window & Door Sensor Box

I picked these up for a decent price from Amazon. Most of my contact sensors are Z-Wave so this was my first foray into Zigbee sensors.

I was a bit uncertain about them after reading so many reviews that said the devices would report in for a while and then kind of stop.

As of this writing I’ve had these Sengled Smart Door sensors installed for just under 2 months and I couldn’t be more pleased.

Setting them up was simple, I took to heart the warnings that the battery protector tab might leave behind some residue which caused issues for some other reviewers, and just popped out the button batteries to remove the tab instead of just tugging on it.

I then popped the battery back in, put the case back together and then set my hub to “Zigbee Discovery” mode. After pressing the reset button with a paper-clip, each one of these sensors paired immediately.

Mounted on TOP of the door just under the slide

I have 2 of these installed on lesser-used hall closet doors (maybe used once a day), one on a much more used wife-primary closet door (half dozen times a day) and a final one installed on one of my most-used doors which leads to my garage / workshop (maybe 20-30 times a day). This replaced a previous sensor that was acting up. I just attached the Sengled and it worked fine. I didn’t immediately remove the old sensor bracket while I was evaluating the Sengled as you can see in the image, but I’ll clean that up next month.

Sengled Sensor on door to garage
Kinda messy temporary installation replacing an older sensor.

None of these have ever failed to report their status IMMEDIATELY and consistently. They are all used to primarily activate lights – 3 of them activate Philips Hue bulbs, and the garage one activates a GE Enbrighten paddle switch, all via Hubitat’s Rule Machine logic.

Even without being on sale (Currently $70 for 4 sensors), these are among the least expensive Door/Window sensors I’ve found. When I bought them in December they had a 40% off sale which made them THE most cost-effective sensors I’ve purchased. Combine that with their great reliability (so far…) and these are really a great deal.

You definitely HAVE to use a hub with these. I’m using them with a Hubitat Elevation, but I know that SmartThings’ hub also works with Zigbee. So that should cover a pretty substantial portion of the hub user’s demographic out there.

I will be buying more of these both for new projects and to backfill some less reliable older sensors on my property.

Microsoft Intune “Defer software updates” and iOS Patch releases

Right now I’m trying to allow my fleet of devices to access iOS 15.0.2 but I do not want them to have access to iOS 15.1 yet (being released later today). Typically I like to allow a couple of weeks before upgrading devices to new minor releases to allow other folks to uncover any issues that might be introduced before my fleet tries to use them.

Intune has implemented, as part of their Device Configuration policies for iOS, the ability to take advantage of Apple iOS’ ability to defer a software update by up to 90 days.

This is potentially a great feature and has worked so far on Major and Minor releases. However, this is the first time I’ve attempted to use it to limit folks to a specific patch release (Major.Minor.Patch i.e. 15.0.2).

In my testing I find that just having the “Defer Software Updates” option set to Yes regardless of how many days delay specified causes iOS’ Software Update to completely ignore the patches.

If I watch closely, I sometimes see a ghost “iOS 15.0” zero byte offering that will disappear on a subsequent refresh. I find it appears immediately after I Check Status of my device in Intune Company portal. Then goes away after I refresh the Software Update page until the next time I refresh.

I cannot say for sure if the flaw is with Microsoft’s Intune implementation or in iOS’ Implementation, I can only say that I cannot take advantage of this feature for Patch versions while trying to safeguard the integrity of my iOS fleet.

One other thing – a defect in the Device Configuration policy. It seems if you EVER set and save the Defer Software Update setting, even if you subsequently set it to Not Configured, this will permanently enable the number of days parameter. This parameter defaults back to 30 when you set the Defer parameter to Not Configured and will still be sent to the devices…

Tesla Firmware Update 2021.24.5 Resolves My Car’s Sleeping issues

As you probably know, today’s cars are almost more like our smartphones than like the cars we knew and loved from the 70’s and 80’s. Electric Vehicles (EVs) even more so.

I have a 2017 Tesla Model X. Most of the time I have it parked at home where I can leave it plugged in as much as I want to ensure that it’s always topped up and ready to go with a full tank of “gas”.

One big difference between EVs and Internal Combustion Engine (ICE) cars is that, unless you leave your headlights on, there is very little that will impact your ICE car if you leave it just sitting somewhere like an airport parking lot while you are traveling to some far away destination. EVs, or at least Teslas, have a relatively low power “Idle” mode that they enter immediately after you lock the car and walk away.

They also have an ultra-low power consumption mode referred to as “sleeping” that they are supposed to enter soon after that. They are supposed to remain in this sleep mode most of the time they are not in use, waking now and then to check for software updates or to perform some internal housekeeping.

Since I’ve owned my car, it has been very reticent to actually sleep. This didn’t affect me much except to be concerned for what the long-term impact of the car basically staying active all the time might do to its components. This was dramatically exacerbated when I upgraded my Full Self Driving computer and Media Control Unit (MCU) to the latest and greatest versions.

When I was at home any drain was not an issue since the car could be plugged in all the time if I so chose. But I found my “Phantom Drain” (as the excess power consumption caused by not sleeping is called) was pretty impactful when away from home. I was on a cruise a while ago and lost just under 30% of my battery state of charge just sitting in the hotel parking lot for a week.

Anyway, this is all just a preamble to say that the latest firmware update – called 2021.24.5 (I get these, on average, about every 18 days) seems to have absolutely addressed the sleep issue for my vehicle.

I mean it’s night and day. Where it was alternating 16 minutes sleep, 45 minutes idle for much of the day, ever since the update it sleeps for literally HOURS at a time regardless of whether it’s plugged in or not!

It even sleeps when it’s not at home (Sentry mode off, of course) which was a rarity before. But now it appears to be the norm.

I imagine this does not affect a lot of people, but I’m pretty pleased with this update.

Oh, and as a sidenote, as of about 3 software updates ago (2021.12.25.7 or 2021.24.2) I was finally able to log into YouTube in my Tesla’s entertainment system.

So somebody on Tesla’s engineering team seems to be fixing these ancient issues…

Wemo Smart Plug – Not there yet

I have a love/hate relationship with Belkin’s Wemo products. When they work they work very well but when they decide to misbehave, they are miserable to get working again.

Wemo Smart Switch

I already have 9 Wemo switches in my smart home. These took a long time to settle down but back when I first got them they were at the “bleeding edge” so, like everything else at the time, things were expected to be somewhat rough around the edges.
I credit creating DNS reservations on my router for most of their current stability and improvements in device driver code for much of the rest.

When I added the first of these new smart plugs to the Wemo app it seemed to work perfectly. So I went ahead and added the other two and had them distributed throughout the house.
By the next morning I found the first one was no longer responding (just flashing orange LED) and it had to be reset – after that it worked perfectly, it even integrated with IFTTT just fine.

The other two were not so good, they just kept losing connectivity, regardless of where I located them in the house.

A real deal killer for me, and something I had not initially considered was that these were not recognized by SmartThings (which is not a problem for the Wemo Smart Switches). Likewise, Hubitat Elevation – which was going to be my primary hub for these new plugs – only has a user supported device driver for Wemo switches, dimmers, etc. and these new ones apparently do something funky (respond unexpectedly or on random ports, who knows) such that they cannot be identified for use as a device with this hub.

The real kicker is that, in introducing these to the Wemo app, it started doing all sorts of interesting things both with these plugs and my existing stable of switches. Random switches / plugs would show up as disconnected at different times. Never less than two and typically no more than four even though the switches were still working just fine with my existing hubs.

So I have returned these and am going to instead use Ikea’s Tradfri Wireless Control Outlets. I have 5 of these controlling various lighting fixtures in my house already and do you know what has never given me any problems? These Tradfri outlets! They are somewhat more limited in that they do not have an on/off switch on the unit to override them if things go awry or if you just feel like manually turning something on or off. But I’ve ordered a bunch more and am unlikely to look back at the Wemos for a long long time.

Even now, days after removing these Smart Plugs from my Wemo app, one of my Smart Switches still shows as disconnected, even though my SmartThings hub can still control it just fine.

tldr; don’t use with SmartThings or Hubitat Elevation and beware the Wemo app. If you do get these working, don’t ever, ever change your setup…

Evernote Android Photo (Document) doesn’t do OCR

This is as of 20210131

I was fooled by this. I’m using a Samsung Galaxy S20.

I create a new note in Evernote by taking a photo and specify that it is a color document.

I can then never find it via OCR.

Using iPhone 12 Pro Max and Scannable with the same document results in an Evernote note that is perfectly searchable; OCR works fine.

Intune – Send Custom Notifications – but not to too many people

I’ve been wrestling back and forth with Microsoft on this for the past few weeks. I’m able to use Intune’s “Send Custom Notifications” feature to send messages to a very small number of people.

But, recently, I wanted to notify just under a couple of hundred of my users that the version of iOS they are running will no longer be supported by my system. I thought this notification feature would be a neat way to reach out directly to them so they knew that I meant *them* specifically and not *them* generically as tends to happen with email communication of this sort.

So I sent my notification to a tiny number of people (me especially) to ensure that the message being sent looks good for the target folks on the mobile platform. Works fine.

Sent the identical message to a single group of 171 people (again, including me) and… nothing.
The next day I sent it again after confirming that, not only did none of my half dozen test mobile devices receive it, but NOBODY received it. And… again… nothing. This time I verified that the resulting Intune notification (bell at the top in Intune) confirmed “Success”.
Sent another notification to just myself and a coworker and…. works just fine.

Well… crap. So I sent off an email instead to the users to give them their warning and opened a ticket with Microsoft regarding this.

Basically Microsoft is telling me that I must have missed the dozen or so notifications across my devices, as did all of my users. They took pains to explain to me how end users sometimes don’t notice notifications when they come up and that must be the situation… on both days.

Long and short it turns out that there is no real auditing or logging of this feature so Microsoft cannot tell the notification disposition beyond the original “Success” which apparently only means Intune has acknowledged that I’ve submitted the request.

I wanted to put this warning out to you. Not only should you not be using this feature for time-sensitive information, but also there appears to be a threshold number of people – certainly in my case – to whom it can be sent before it will give up the ghost and just not do anything.

Be absolutely certain to include yourself and some sympathetic coworkers on ANY Intune Custom notification that you send out if you want to have any assurance that it actually made it to your audience.

In my opinion Microsoft needs to update this feature so it:

  1. Logs all sent messages,
  2. Provides a disposition for the message as to whether or not a device has acknowledged receiving it.

I don’t imagine there is a lot more I could ask for. The end user is welcome to ignore the message after delivery. At that point my goal has been achieved.

I would be interested to know if there are any other folks who have run up against this issue.

Turns out “Plug In EV” Plan is better for us

If you’ll recall, back in September (2018) I switched us *from* the Plug In EV plan *to* the Smart Usage Plan.

Welp, that was not the way to go. Besides Georgia Power’s ability to charge whatever they like, whenever they like (read the above article), it’s extraordinarily difficult to figure out in advance what your peak usage is going to be. Georgia Power only offers a daily electrical consumption summary if you remain on their hyper costly legacy plan. Despite having the very same smart meter and, ostensibly, the ability to report the total number of kWhs that were consumed over the past 24 hours.
I shouldn’t think it would be terribly difficult to report back to you what consumption was during what time frames (since the charges vary by time of day on the plans in question) and surely the meter can show your peak consumption spike for that period as well. I understand you are charged (penalized really) based on a peak that lasts 30 minutes or more. But I have no way of measuring or monitoring that.

So, for my case, it seems that we have a base load of energy consumption (not unexpected) that would include all the electrical bits and pieces that run constantly throughout the day – furnace fan motor, fridge, lights, computers, etc. – that I have no means to measure. Then, despite my extended efforts to schedule things like pool pumps, car charging, air conditioning, oven / stove use, clothes dryer use, etc. I still managed to hit significant peaks that lead to my bills being far greater than I was/would have been paying under the Plug In EV plan.

Fortunately, to Georgia Power’s credit, it’s not terribly difficult to switch back again which I did after reviewing the past few bills.

My December bill showed as 1,280 kWh consumed with a peak consumption of 13.4 (!) kW for a total of $189.43.
My November bill showed as 1,344 kWh consumed with a peak consumption of 9 kW for a total of $155.78.

Similarly my December bill from LAST year showed as 1,620 kWh consumed (686 kWh Super Off Peak and 0 on peak) for a total of $157.06.
My November bill from last year showed as 1,715 kWh (771 Super Off Peak, 10 kWh On Peak) for a total of $164.25.

Part of the lower consumption during the past few months was that I was able to charge my car at work more often recently. Regardless, I had already reduced my car charging consumption to around 3.5 kW. This was done on the car charging page where I can limit the amperage draw. This was part of my strategy to avoid hitting the onerous peak consumption penalty.

Just grossly speaking, it seems that I could take my total consumption for the December and November bills from this year and divide them into the cost to get an average of 13.16 cents a kWh.
Doing likewise for the same months from 2018 yields about 9.63 cents a kWh or about a 40% increase in my per kWh rate.

I understand that this is not super accurate; were I to look at ONLY my November bill the average per kWh rate would be somewhat more reasonable (maybe 20% more costly).
I guess, at core, my issue is that it is much more impactful on our day-to-day living to try to avoid the Smart Usage peak use penalty and I am chafing because Georgia Power appears to be withholding a very effective tool (daily consumption email) that might make it feasible to try to keep going down this path.

The fact remains that, for me, the increase was significant enough that I decided to fall back to the Plug In EV plan.

YMMV