Best Practices for Clinical iPhones

Created: Knowledge Base

Here are several best practices and considerations for using GroundControl in a critical, clinical setting. This may include nursing communications (Voalte, Mobile Heartbeat, Vocera), secure texting and alarms, and medication safety (Epic Rover, Patient Safe).

Ideally, you can use GroundControl to make device setup as close to zero touch as possible. This includes:

  • Enroll in DEP and VPP
  • DEP Profile Setup & Supervision Identity
  • MDM integration with GroundControl
  • Baselining: Erase & iOS Update
  • WiFi
  • MDM Enrollment
  • Device Settings
  • Device Restrictions
  • App Installation & caching
  • App Settings
  • Self Heal

Zero touch device setup means easier setup for your fleets of devices, of course. But zero touch also unlocks a very powerful achievement: full remote control of device updates and repairs, while devices are in the field.

Initial Setup

Enroll in DEP and VPP

We recommend Apple’s Device Enrollment Program for clinical devices. By enforcing MDM enrollment, DEP effectively “bricks” stolen devices. Although DEP is not strictly necessary for GroundControl, it does make things easier. Your institution should be enrolled in DEP, your devices should be purchased as DEP devices, and DEP should be integrated into your MDM.

The iTunes Volume Purchase Program is used to distribute “App Store” apps to devices without Apple IDs. VPP works with both paid and free apps. More than a best practice, it is absolutely critical to avoid Apple IDs on shared devices. Apple IDs simply do not scale.

DEP Profile Setup & Supervision Identity

A DEP “profile” is configured within your MDM system. For clinical application, we strongly recommend setting your DEP profile to skip all setup screens. iPhones prevent app installation while they are in setup, so if your DEP profile shows even a single screen, then provisioning process can not be fully automated. (Instructions vary by MDM system.)

The DEP profile is also where you add GroundControl’s Supervision Identity. The identity gives GroundControl additional control over your devices, avoiding problems with host pairing and management lockout.

Set up MDM Integration with GroundControl

By giving GroundControl access to your MDM, GroundControl can reset the device in MDM as it resets the device itself. GroundControl can also trigger “forced check-ins” to make sure your MDM pushes apps and profiles as quickly as possible after device setup. The integration varies by MDM system.

Workflow Details

You will create the workflow interactively, starting simply and adding complexity step by step.

 Baselining: Erase & iOS Update

We recommend that nearly every GroundControl workflow start with “Erase” and “iOS Update” actions. With these steps, you are guaranteed that every iPhone begins from a common state. Although you may think that incremental updates can save time, we’ve found that the “nuke and rebuild” approach produces more reliable results at scale.

Apple delivers security updates within iOS updates, so iOS updates can not be ignored. On the other hand, constant and unpredictable OS updates can be disruptive to application stability. For this reason, GroundControl’s iOS Update step should be step to include iOS Update Delay. This is our unique feature to delay the update cycle by a week or more. During this window, your team should be testing the update, to make sure there are no ill effects. If there are, then the update action may be removed from the workflow, until a fix is found.

Keeping up with updates is a year-round activity, unfortunately. At least GroundControl can buy you some time for testing.


GroundControl should be set up to automate WiFi authentication. One or more of the strategies below can be used.

The simplest strategy for WiFi authentication is to use shared WPA2 credentials. GroundControl supports adding one or more WiFi profiles, including credentials, to devices.

Some organizations distribute unique device certificates for authentication. GroundControl does not integrate with SCEP servers and can not directly install these certificates. Instead, we recommend one of the following options:

  • Provision the devices using an open, or shared-key WiFi network, but with a profile expiration set in GroundControl. GroundControl will get your devices into MDM, and MDM will install the device-specific certificate. Then when the profile expires, the device will automatically join the protected WiFi network.
  • Provision using a Mac and network tethering. This way, the device will piggyback off the Mac’s network for initial provisioning, and MDM will install the device-specific certificate. When the device is unplugged from the Mac, the device will automatically join the protected WiFi network.

Networks which display a banner, for authentication or to accept an acceptable use policy, should be avoided. GroundControl can be configured to send device WiFi addresses to your WiFi controller, whitelisting these devices to avoid the banners.

MDM Enrollment

We’ve found it beneficial to enroll devices to MDM using a shared service account, for example “nursingiphones”. Larger institutions may instead create separate accounts for separate units, so that different apps and policies can be assigned to different units.

GroundControl makes it easy to use a single workflow for multiple units. A custom attribute, assigned to either the device or the launchpad, would contain the enrollment username. Use this attribute as a variable in the MDM Enrollment dialog.

dep-enrollSince we set up the MDM integration, add a “Perform MDM Command” action to your workflow, to delete or retire the device. GroundControl will perform this step at the very beginning of the deployment.


Device Settings

Create a device with all the settings you desire, such as brightness, location services, battery display, app trust, and settings for specific apps. This master device should be a DEP device with the same DEP profile your fleet will use, including the GroundControl supervision identity. Back up this master using Apple Configurator 2.4 or above. Then zip and upload this backup to GroundControl. We provide step-by-step instructions for this.

GroundControl can restore this backup to every device in your fleet. Note that only a single backup should be needed for your entire fleet. GroundControl makes sure that it is usable with multiple device models, multiple usernames, and multiple operating systems.

Device Name

It is important to choose a unique device name, so that the devices are identifiable in your MDM. GroundControl has powerful tools to algorithmically set device name. You may choose “Nursing [Unit] [##]” for example, which would result in name like “Nursing Cardiology 01”.

Wallpaper & Lock Screen Personalization

Set up wallpaper with the logo of the institution, and use it for both the lock screen and home screen. In addition, GroundControl can add custom text to the lock screen. Use this area to display the device name, unit name, or any other helpful info. Remember you can use variables for any attribute in GroundControl for this function.

Device Restrictions

Restrictions may be set using either GroundControl or your MDM. The choice is yours. We recommend the following restrictions, at a minimum:

  • Disable Apple ID & Account Changes
  • Disable Unapproved WiFi Networks
  • Disable changes to Device Name
  • Disable changes to Passcode
  • Disable changes to Wallpaper
  • Disable changes to Bluetooth
  • Disable Touch ID
  • Disable App Removal
  • Disable AirDrop
  • Disable Siri
  • Disable Messages
App Installation & Caching

Generally, your MDM takes responsibility for app installation. Using iTunes VPP, you should be able to avoid Apple IDs, so that apps begin installing without a single prompt.

App installation can be accelerated by two methods.

You may choose to set up a Mac running the $20 app “macOS Server” at each site, and turn on caching services. With almost no configuration, this server will begin listening for app install requests, locally caching copies of these apps, and serving these to your iOS devices over your WiFi network. For best results, the Mac should be on the same network as your iPhones. Also the Mac should have an SSD hard drive, so it can serve the apps at sufficient speed.

If you can use Macs as the GroundControl Launchpads, then you can skip the Mac Server. Macs running OS 10.13 include a built-in app caching service, in System Preferences > Sharing. Additionally, the service works through the same USB tethering that GroundControl uses, meaning that apps are installed through copper, which is much quicker than wireless.

App Settings

Apps often need specific configurations, such as a server name for your institution. If supported by your app, the best way to set these configurations is to use your MDM with AppConfig, also called Managed App Configuration. This is the most flexible and robust approach, but it is not yet supported by many apps.

An alternative is to save the app configuration in the master iPhone backup that GroundControl deploys. This becomes less practical as you need to support more variations of app settings. It is easier to maintain a “thin” AppConfig setting than a “fat” device backup. But if you do need to maintain several device backups, GroundControl can dynamically select the right one, using custom device attributes.

Self Heal

Once you have a fully automated workflow, you can add Self Heal. Self Heal add a button to the device. When a device are not functioning 100%, the nurse may tap this button and re-dock the phone. GroundControl will then erase and re-provision the phone, fixing just about any software issue. It’s a true time saver.