Shared iPadOS TemporarySessionTimeout Experience

I have implemented some Shared iPads at my company. These are to be single-purpose devices that are shared among the staff at particular offices and are used to run a single App that is important to them.

It should be noted that the app requires some permissions before it can be used properly and so these, while not amazingly hard to agree to, are just kind of annoying for the end user to constantly be challenged with while trying to get on with their job (Camera access kind of things). The app has its own security so locking down the device and then making use of the Guest (Temporary) session meets our needs.

I also have a need to keep the devices’ iPadOS up-to-date* and this requires that they are signed off of the device to work correctly.

Counting on the end user to reliably sign out at the end of the week so the OS updates can occur over the weekend is not likely to be successful, so Apple thoughtfully provided an attribute that I could use called TemporarySessionTimeout. The only problem is… it didn’t work.

But finally, after over 5 months working with Microsoft and Apple it seems the issue is now settled.

Here are my conclusions:

  1. iPadOS 15.5 is required for the TemporarySessionTimeout attribute to work correctly.
  2. Apple assures me that any value from 1 to 129,600 seconds (36 hours) will work. I am using this as my upper limit.
  3. I have tested, multiple times now, 86,400 seconds (24 hours) and this works fine. This is the value I agreed upon with my business partner that should permit the session to persist throughout the week but then time out on the weekend and leave enough time for iPadOS updates* to occur.
  4. The timer is reset with pretty much ANY interaction with the device. In my earlier testing I was checking at 16 hours, 20 hours, etc. with the intent of catching if the device was timing out sooner than expected. But when I did this, it would also NOT time out after 24 hours. Only if I left it completely alone and then checked after 24 hours was the guest session signed out. All I did was press the power button to check if the “Sign out” button was still present.
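
An added example, not part of the original post and not Apple or Intune code: a small model of the idle-reset behaviour described in point 4, showing how two spot checks at 16 and 20 hours push a 24-hour timeout out to 44 hours and shrink the weekend update window. The dates, function names and the Monday 08:00 return time are constructed assumptions.

```python
from datetime import datetime, timedelta

MAX_TIMEOUT_S = 129_600  # upper limit from point 2 (36 hours)


def validate_timeout(seconds):
    """Reject values outside the 1..129,600 second range quoted above."""
    if not 1 <= seconds <= MAX_TIMEOUT_S:
        raise ValueError(f"timeout {seconds}s outside 1..{MAX_TIMEOUT_S}")
    return seconds


def sign_out_time(session_start, interactions, timeout_s):
    """When the guest session ends if every interaction restarts the timer.

    This is a model of the behaviour observed in point 4, not Apple's code.
    """
    timeout = timedelta(seconds=validate_timeout(timeout_s))
    deadline = session_start + timeout
    for touched in sorted(interactions):
        if touched >= deadline:
            break  # session already ended before this interaction
        deadline = touched + timeout
    return deadline


def update_window(sign_out, next_use):
    """Signed-out time left for an OS update before staff return."""
    return max(next_use - sign_out, timedelta(0))


# Constructed sample: last real use Friday 17:00, staff back Monday 08:00.
FRIDAY_EVENING = datetime(2022, 6, 3, 17, 0)
MONDAY_MORNING = datetime(2022, 6, 6, 8, 0)
# An admin pressing the power button 16 h and 20 h in, as in the early tests.
ADMIN_CHECKS = [FRIDAY_EVENING + timedelta(hours=h) for h in (16, 20)]

if __name__ == "__main__":
    for label, touches in (("untouched", []), ("checked", ADMIN_CHECKS)):
        end = sign_out_time(FRIDAY_EVENING, touches, 86_400)
        print(label, end, update_window(end, MONDAY_MORNING))
```

When verifying a timeout on a test device, the model suggests checking once, after the full interval has passed, rather than at intermediate points.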

* I keep mentioning iPadOS updates like they work. They don’t. I have cases open with both Microsoft and Apple on this issue. As of iPadOS 15.5, using an Intune iOS/iPadOS Update policy does not cause the update to occur successfully, at least on my devices. There is some kind of permissions error buried in the logs and the direction I’m getting from Apple is that we will need to wait for a future release of iPadOS to see if it’s fixed. Yay team!

iOS 15 Managed Pasteboard and Intune MAM/MDM Protections

I recalled reading about the Managed Pasteboard feature in the iOS 15 release notes but the full import of it hadn’t hit me until today.

If you are using an Intune App Protection policy to “sandbox” your managed apps and you are also using Intune’s MDM, you will find that Pasting from the clipboard behaves a bit differently after upgrading your devices to iOS and iPadOS 15.

Previously, in Microsoft’s Office 365 ecosystem you used App Protection policies to specify which apps are “Managed”. You would specify what kind of actions could be done with data with respect to those apps. Only certain apps were “enlightened” or compiled with the SDK that recognized Intune’s MAM requirements so you had a very limited ecosystem of apps you could use in this fashion.

Things like saving files from a managed app to local storage, or copy-and-pasting data from inside of one of those apps to another app would be controlled this way.

In my institution, we allow people to copy-and-paste into these managed apps, but not vice-versa.

I’m not an expert on other MDM solutions having only worked with MobileIron and BlackBerry in the past, but I understand Intune’s approach is a bit different in that, for the Office 365 primary apps (Outlook, Word, OneDrive, etc.), the apps themselves are primarily responsible for enforcing the MAM requirements imposed by the Administrators.

More so, each app discriminates between Corporate data and personal data on an account-by-account basis. i.e. You can be using Outlook to access your Corporate email AND your personal Gmail account. This means you can have emails side by side in your aggregated inbox and you can copy-and-paste from the personal Gmail messages to any other app you please on your device, but try to paste from any of your Corporate emails and all you get is “Your organization’s data cannot be pasted here.” pasted in any non-managed receiving apps.

This was fine and worked well enough. We were satisfied that our data was protected.

However, it seems Apple understood the MDM piece of the equation, which would allow data from managed apps to be pasted to non-managed apps, to be a gap, which they rectified in iOS / iPadOS 15 with the Managed Pasteboard. The issue here is that it cannot have the nuance of Microsoft’s App Protection policy solution. Apple doesn’t know about the contents of the Managed apps; it’s unaware that some data contained in the app is personal and some is Corporate. Basically, if the MDM pushed down the app, then it’s managed and you’re not moving ANY data out of this to any but another managed app.

I’m using cut-and-paste as my typical use-case, but this will affect any data movement from managed to unmanaged apps – saving files, opening files in other apps, etc.

I’m hopeful that Apple will introduce the ability to disable the Managed Pasteboard feature should we want to. I recognize that their approach is probably a bit more “standard” but I feel that usability suffers.

Android gets around this issue by having an entire area sectioned off (Work Profile) where EVERYTHING inside the work profile is work only – nothing leaves there, and everything outside is personal. The distinction is so clear that you will actually have two separate copies of any app that would be used for work purposes. So you can use Outlook for your personal Gmail account outside of the work profile completely unfettered and you use another copy of Outlook for your Corporate mail within the work profile under the limitations your company feels are appropriate to prevent the data from being exfiltrated in some undetectable fashion.

I recall that Apple seemed to be working on a similar scheme but I have not heard anything about it for a few years now.

Microsoft Intune “Defer software updates” and iOS Patch releases

Right now I’m trying to allow my fleet of devices to access iOS 15.0.2 but I do not want them to have access to iOS 15.1 yet (being released later today). Typically I like to allow a couple of weeks before upgrading devices to new minor releases to allow other folks to uncover any issues that might be introduced before my fleet tries to use them.

Intune has implemented, as part of their Device Configuration policies for iOS, the ability to take advantage of Apple iOS’ ability to defer a software update by up to 90 days.

This is potentially a great feature and has worked so far on Major and Minor releases. However, this is the first time I’ve attempted to use it to limit folks to a specific patch release (Major.Minor.Patch i.e. 15.0.2).

In my testing I find that just having the “Defer Software Updates” option set to Yes, regardless of how many days of delay are specified, causes iOS’ Software Update to completely ignore the patches.

If I watch closely, I sometimes see a ghost “iOS 15.0” zero byte offering that will disappear on a subsequent refresh. I find it appears immediately after I Check Status of my device in Intune Company portal. It then goes away after I refresh the Software Update page until the next time I refresh.

I cannot say for sure if the flaw is with Microsoft’s Intune implementation or in iOS’ Implementation, I can only say that I cannot take advantage of this feature for Patch versions while trying to safeguard the integrity of my iOS fleet.

One other thing – a defect in the Device Configuration policy. It seems if you EVER set and save the Defer Software Update setting, even if you subsequently set it to Not Configured, this will permanently enable the number of days parameter. This parameter defaults back to 30 when you set the Defer parameter to Not Configured and will still be sent to the devices…

Evernote Android Photo (Document) doesn’t do OCR

This is as of 20210131

I was fooled by this. I’m using a Samsung Galaxy S20.

I create a new note in Evernote by taking a photo and specify that it is a color document.

I can then never find it via OCR.

Using iPhone 12 Pro Max and Scannable with the same document results in an Evernote note that is perfectly searchable; OCR works fine.

Apple iPhone Xs Max vs Galaxy S10+: One of these smartphones wins in three key categories – MarketWatch

A friend forwarded me this article knowing I’d have an opinion. *Shockingly*, I do.

You can read the original article here

Part of my job is to certify new devices for my work environment.
I haven’t picked up the S10 yet, but I think most of the “key” aspects Jurica points out are kind of trivial.

It depends wholly on the person but, for me, once you get beyond 256 GB of storage it’s all just .. more. Sure, in a few years I’ll probably be pushing up against the 1 TB limit, but that will be for the phones of that generation to accommodate.

When you’re talking about $1,000 plus for a smartphone I think that $50 here or $100 there can’t be a big deal. If it is you *really* should not be at the luxury end of the market. And make no mistake, Apple’s recent offerings and Samsung’s Galaxy 10 are at the pinnacle.

With respect to power and the ability to use your phone to charge up other devices, I see this as the same as when I had a separate MP3 player and cell phone. At the time, the idea of extracting power from my phone to play music seemed ludicrous when I had a separate device that did this excellently without eating into my call time or smartphone usage. 
If I’m in a situation where I’m charging someone else’s phone, I’m probably in a situation where I need to be conserving my phone’s power and *shouldn’t* be inefficiently wirelessly charging other devices.

When I travel I ALWAYS have chargers (yes plural) and cables capable of charging all my devices. If I’m with someone who needs a charge at the airport, I’d rather they use my charger than sucking my critical link to the world dry of power.

The comment about still accepting microphone jacks is cute. Again, these are luxury devices. People whine that they are being forced to use the latest in headphone technology while they blow over a thousand dollars (a year?) on their smartphone. 
1) if you can’t afford a bluetooth headset, you really can’t afford the phone, 
2) if you don’t like new tech and would rather have a wired headset, why the hell are you buying one of the most technologically advanced smartphones in the world? There are plenty of less expensive, less advanced phones that cater to people who don’t need or want next-year’s tech.

The final decision comes down to OS preference and ecosystem preference (dependency).

As someone who moves between iOS and Android OSes all day every day I am careful to avoid getting locked too deeply in any ecosystem that makes it a nuisance to use the other device.

My preference has gone back and forth throughout the years but, in spite of the (correctly called-out) dismal tech support, the iOS devices are what I go to at the end of the day.

After mucking about problem solving and tweaking and resolving assorted god-knows-what issues with these devices all day, I’m happy enough to use the one that just works out of the box and that presents me with the fewest headaches.

As of today, iOS, in the form of the iPhone Xs Max, is my choice.

AutoWake iOS App

I bought AutoSleep, AutoWake and HeartWatch (all by Tantsissa) as a bundle.

While I believe that AutoWake and HeartWatch are excellent apps (and have reviewed them as such), I cannot say the same for AutoWake.

You can set AutoWake up to automatically wake you at a certain time for each day of the week. In my case I have it set to wake me at 7:00 Mon-Fri.

You can also override this behavior as needed, i.e. I disable the alarm if I am taking a day off work or have a holiday.

Its greatest advantage IMHO is that it is supposed to find a time when you are sleeping lightly near to your set alarm time and then tap your wrist to wake you up.

It more or less works most of the time. And when it works it works very well.

I have AutoWake added as a complication on my primary watch face (my ONLY watch face) as required and my phone sits charging on the end table beside my bed so there should be no reason for failure.

But the alarm has failed to go off in the morning 4 times over the past two months. This might not seem terrible, but if you need to catch a plane the next morning – which I sometimes do – I don’t want my alarm to be flakey.

What usually, but not always, happens is that the alarm will go off later in the morning, 9:40 and 10:20 AM are two times that I recall specifically.
This morning it just didn’t go off at all.

I will be deleting this app and falling back to the Apple Watch’s built in alarm.

McDonald’s iOS App

I’m pretty enthusiastic about
1) McDonald’s, and
2) Apps that can simplify my fast-food ordering experience.

IMHO the Chick-Fil-A app came out of the gate working exactly the way ALL fast food apps should work. It’s intuitive, pretty much bulletproof, and every Chick-Fil-A restaurant I went to understood what to do when you showed up with a mobile order.

McDonald’s Menu in iOS App

Admittedly the McDonald’s app has come a long way from the days when it would just discard my credit card information and it’s been a while since I’ve visited a McDonald’s that was hopelessly confused with what to do with me and my order.

Having the curbside, drive thru and take out options is great and I’ve used each option for different circumstances (nice to have the curbside when you order food for a lot of people).
However, the app itself still leaves much to be desired:

  1. The order cart never seems to empty after I’ve picked up my order. Obviously the back end knows I’ve claimed the order since they’ve charged me the correct amount, provided the correct order and given me a receipt indicating such. 
  2. There is NO WAY TO EMPTY the cart when it’s stuck like this. Trying to just delete all the items yields interesting results to say the least. Basically it trashes the order you are now trying to make.
  3. I have now resorted to just deleting the app wholesale every time I want to use it again (and see stuff still in the cart) and re-download it from the App Store. This works very well to clear the cart without completely losing everything. How it remembers me and my payment information after removing and reinstalling the app I try to ignore as it seems to be a security hole.
  4. The user interface breaks my number one rule. When I go back from a screen, I need to end up on the screen I came from in the same state it was in when I left it. Every time I select something and add it to the cart, I’m brought back to the beginning of the top menu.  If I want to order two kinds of sundae I can’t order one and then select the other one. I end up hunting for the desserts menu and then choose my next Sundae. 
  5. It always defaults me to the closest restaurant.
  6. I can’t *tell* you how long it took me to figure out how to find my list of “Favorited” restaurants. This is not intuitive at all. Most of the time when I’m ordering from a McDonald’s I’m heading somewhere and want the restaurant nearest to that destination so the food will be as fresh as possible. This is not something this app excels at.

It would be nice if I could have a blacklist of McDonald’s restaurants. There are some that I will not go to even if they were the last ones on earth. My nearest one I’ve never managed to get an order from. I’ve lived here for well over 20 years and have never made it all the way through the drive thru line. I don’t even know how they stay in business but after about 10 minutes of just sitting in place, I drive away and go elsewhere. I try it every 4-5 years and it’s always the same. 

HeartWatch iOS App

I bought AutoSleep, AutoWake and HeartWatch (all by Tantsissa) as a bundle.

HeartWatch Today View

While I wasn’t originally looking for a separate Heart Rate app, HeartWatch had excellent reviews and looked like it would appeal to a stats geek like me.

I’m super-impressed with it. I actually use it over the included Apple Exercise app because I like capturing my HR recovery explicitly after a workout.

There is no shortage of stats you can review: Average and Maximum heartrate while exercising, (separately) while sedentary, and while sleeping.

I especially like the history calendar where you can look at nearly 2 months worth of each stat individually and see how things are changing over time.

I’m very pleased with this quasi-impulse purchase!

AutoSleep iOS App

I bought AutoSleep, AutoWake and HeartWatch (all by Tantsissa) as a bundle.

AutoSleep Clock View

AutoSleep has absolutely met my expectations. I used to use FitBit’s sleep function and before that my Jawbone UP!’s app.

I did the most research around the Jawbone app and found that it was *very* accurate and was happy with it. If only the hardware was a bit more durable. The UP! wristband kept failing after around 6-8 months.

Next was FitBit. I got a good deal on a FitBit Charge HR 2 through my work and have been using it for well over 2 years. I felt its sleep recording was nowhere near as accurate as the UP! but it was good enough for a gross relative estimate of how I’m doing night by night.
I picked up an Apple Watch Series 4 and, after a bit of research, settled on AutoSleep.

Wow.

In addition to it being at LEAST as accurate as the UP! (blowing the FitBit completely out of the water), it has more stats and tweaks than you can shake a stick at!

I admit it was initially overwhelming and I pretty much ignored all but the most basic stats at first. But after a few days I got my bearings and started to see what it’s capturing and how it relates to the real world. I’m *very* impressed with this app. 

If you forget to tell it you’re going to sleep it does an excellent job of figuring that out on its own. If you want to tell it when you’re putting your head down (to figure out how long it takes you to fall asleep once you start trying) you can do that too.

It sends me a nice summary of my night’s sleep at 10 AM the next day that helps me stay aware. And it detects naps with great accuracy so those properly count when evaluating your fatigue. 
Excellent purchase and HIGHLY recommended!