Monthly Archives: May 2012

Apple Workshops – Deploying iPads in Bulk

After a week of looking at the best way to cover the different variations of using Apple Configurator it seemed like destiny to come across a thread on EduGeek which looked at one of the principle methods by which schools could make use of Apple Configurator and iTunes. The thread can be found HERE and will no doubt have numerous updates where further questions get answered.

A massive thank you to Rydra for allowing me to reproduce the original post in the thread. I would heartily recommend people keep a track of this conversation, and other similar ones, over on EduGeek.net.

Process for bulk imaging an Ipad using mac OSX + Apple Config + iTunes

So I finally managed to pin down how to do this, though it took a while, and I’m going to have trouble in the future till Apple fix their entire operating ethos.

The problem, is that Apples configurator program, for mass deploying iOS devices, now only support the Apple Volume Purchasing Program. This is bad, because that is only available in the US for fully registered companies with a DUNS ID (cant be bothered to explain, but it’s a database in the US for businesses to register themselves.)
This means, that only free apps can be deployed as part of Apple configurator, not paid apps, unless you are in the US, where you can buy volume licensing for them.

So this is what I’ve had to do to get around it.

I recommend that you either run seperate accounts for your different device sets, or, if you have what I have, and that’s a single account, make different itunes libraries (it might be worth doing anyway even if you have multiple accounts)
To do this, hold down Alt + click on the itunes icon. Then create library…

This means, that for the different ipad varieties, yes you have to keep multiple copies of the same apps, but it makes your life a lot easier to manage the apps on your device.

The general process flow to follow is this

-Update iOS to latest version using Apple configurator; you can either let it go and download it, or you can download it yourself and point it at the upgrade file. You can plugin as many ipads as you’ve got USB ports (or hubs), but even better, once you set it up, you simply unplug the ones that were done, and plugin the next one(s) and it just carries on going till you hit the ‘stop’ button.
-From the apple configurator window (Prepare Tab > Settings), only select from the dropdown the iOS version you want. Do not change anything else in the window.
-Hit Prepare
-Swap in/out till done.
NOTE: HIT THE STOPP BUTTON WHEN YOUR DONE! I forgot at one point, and nearly factory wiped my master ipad when i plugged it in for imaging!)

-Install all apps, books, music, movies etc and arrange the way you want (NOTE: it’s best to do this using Itunes. I’ll explain later.)

-Transfer purchases from the ipad to itunes/the pc. This makes sure your PC has all the apps you want if any were added via the device rather than itunes.

-Hit sync. This makes sure what your ipad has, so does the PC and vice versa.

-Right click the Ipad in Itunes, and do a backup.

This will now give Itunes a full backup of the SETTINGS. Note, this does not save the apps themselves.

Now, the reason I said above that you need to use Itunes to setup the layout, is that there are 2 kinds of restore for the ipad.

If you use the summary page restore, it is a factory reset, and reinstalls the iOS from scratch, giving you a vanilla ipad. It will then apply your settings/preferences. The problem is, that it hasn’t put all your apps back on at this point. And if you were unlucky enough to have ticked ‘sync apps on setup’ and/or ‘sync new apps’, then it will put every single App on your account (that you’ve downloaded to the PC) on the device.

Now this is not really that cool. At one point we had more than 270 apps in our library here, most of it junk, and we ran out of home screens to put them all on. This is why I suggest having different libraries. Seperate libraries means you keep each library with only the apps you need for that set, and applying the app sets is as simple as shift selecting all the apps and dumping it onto the ipad.

Onto the restore part:
-Stick in your new ipad with nothing on it, fire up itunes, and then tick to sync apps (suggest unticking auto install new apps, this gets annoying if your trying out apps etc.) along with anything else you want to sync up. Because you have a seperate library with just the apps you want in it, you can just shift select all the apps, and dump them on the ipad!
-Wait till this is done syncing
-Once it has all the apps you want on the device, Right click the ipad in itunes, and select Restore.

THIS IS IMPORTANT.

This right click menu option does NOT reinstall the iOS! It ONLY restores the settings, therefore all apps on the device are left alone. Since all the apps you want are on the device, it can create your home screen layout the way you want it. Anything on the device it’s not sure of, it’ll dump it loose on the home screen (so you can have some customisation where required)

-Once this is done for all your ipads, it’s time to go back to the configurator.

-Setup profiles the way you want (To create a profile, click the ‘+’ at the bottom of the window). You can set restrictions, wifi settings, mail settings, whatever is in the settings on the device, you can control it here.

From the top:
-Give the set name. Tick the ‘number sequentially starting at 1’ button. If you want the numbers to start from a different number, tick it, then change the number and it updates itself.
-Supervision on/off means if you set it, only your PC can alter the settings on the device.
-iOS: assuming you did it earier, don’t touch this setting.
-Restore: don’t touch this setting, you did this stage during itunes.
-Profiles: Tick next to the profile you want to apply
-Hit prepare, and swap in/out devices till all are done.
-HIT STOP!

This will give you a set of ipads all with the same layout, same iOS, same app sets.

-From Apple config, select from the restore drop down: ‘Backup’
This makes an Apple config backup file for later use. label it appropriately.

In the event of needed to reinstall from scratch, follow the processes above entirely.
If you just want to reset the layout/settings, and assuming no apps were removed/added, you can simply hit ‘restore’ from here and it’ll restore back to your master. If you update your app set, you’ll have to do it all from scratch again.

—————-

(Original post by Rydra on Edugeek.net : http://www.edugeek.net/forums/mac/95070-process-bulk-imaging-ipad-using-mac-osx-apple-config-itunes.html)

The Data Protection Interlude – Apple

And so I take a quick interlude from my look at the recent Apple Workshops to think about a few queries some schools have raised in the last few weeks about Apple and Data Protection.

When it comes to their OS X devices (desktops and laptops) Apple have had some built in encryption for some time. FileVault was introduced in Mac OS X 10.3 and used to just encrypt user files. Not a perfect solution but the introduction of FileVault 2 in Mac OS X 10.7 (Lion) we now have a solution to encrypt the whole drive. The ICO has raised the need to encrypt laptops so if you have personal data on your MacBook then you should seriously look at FileVault for encryption. There are other commercial offerings and solutions which cover a variety of platforms, allowing for better audit and control … but yes, there are going to be at some cost. In the same way that BitLocker is a fantastic way to deal with the issue on Windows 7 laptops (which has been blogged about by the Microsoft Education UK team) then it is good to consider making use of the built-in tools provided by Apple.

When we come to Apple’s mobile OS, iOS, and the newer devices being used (iPhone 3GS and later models, all models of iPads and iPod Touch 3rd gen and later models) then these are all capable of going onto iOS 5. By default these devices make use of hardware encryption. Apple say, “Data protection enhances the built-in hardware encryption by protecting the hardware encryption keys with your passcode. This provides an additional layer of protection for your email messages and attachments. Third-party applications can use the data protection APIs in iOS 4 and later to further protect application data.”

The growing use of iOS devices as tools for Senior Leaders and teachers in schools will mean that sensitive emails and files are likely to be on these devices and so you need to take appropriate action to protect the data.

Apple do have a larger paper about iPad security and from my perspective it boils down to a few key facts.

1 – Set a passcode on your device. This will mean that should someone repeatedly attempt to get in then it will be wiped.

2 – Don’t rely on a simple passcode. Whilst it is nice and easy to have a simple code of 4 numbers, it is not exactly secure. You wouldn’t have a password of 4 characters for your desktop or laptop to log into your school network so why do it for a mobile device? If you look at your iPhone and check the pattern of smudges where your fingers type you can see where you enter it in … and the direction of the smudge can make it easy to guess. Other mobile OS have a similar problem so it is nothing new.

3 – If you are using smart covers on iPads then make sure that you turn off the feature to automatically unlock when you open the cover. This sort of defeats the object of security. Fine for classroom devices but not for those with personal / sensitive data on.

4 – Tools such as the iPhone Configuration Utility (ICPU) allow you to create a profile for devices to change some of these settings. If you are creating settings for school devices or to allow devices to connect to school systems then you should look at this to force improvements. This will include password length, complexity, Autolock time period (I have mine for 1 minute and the maximum number of failed attempts to login before the device is wiped (mine is set to 4).

5 – Remote wipe should be available … either via management tools within the school or if a personal device then via iCloud with Find My iPad.

Not an extensive list of how to deal with this and there are some other really pod guides out there, but hopefully this gets more people considering how they use Apple mobile devices and take a bit more care.

(image : Padlock by Marc Kjerland CC BY-SA 2.0 http://www.flickr.com/photos/marckjerland/4254099567/)

Apple Leadership Summit – The Workshops pt 3

We have now covered the most simplistic methods which many schools are using to manage iOS devices, and frequently these are shared devices we are talking about, not individual devices owned by the user. The issues that this can bring is that as you grow with the number of devices you have or reduce the amount of time you have available to cover support of the devices you have to look at more efficient and practicable solutions.

The next area covered in the workshop was the concept of profiles. Those who have looked into Group Policy Objects (GPOs) in the world of Windows or the use of WorkGroup Manager (WGM) on Mac OS X can see easy parallels and might look to apply the exact same concepts used to lock down machines. Apple were keen to stress that it is not about locking down but more a case of ensuring that certain settings were enabled and that you knew where the responsibility lay for control / changes of the settings.

In a similar way to the nuts and bolts of GPOs just being a method of forcing changes to the registry on a  Windows client, and WGM forcing changes of .plist files on a Mac OS X Client, the iPhone Configuration Utility (IPCU) creates a text file which, when loaded onto an iOS device, changes settings.

It covers a number of areas including security, Wi-Fi, VPN, email, calendar, address book and some application restrictions. We covered some of these setting in the previous post when we looked at on-device settings, but a profile can also be used to set up part of the information required and allowing the user to complete the rest. An example would be to put in all the details for the Exchange Server but leaving some fields blank so the user enters the information relevant to themselves. A more details guide on this can be found on the help section of the Apple website

Another important security area is around passcodes where you can set the complexity including whether you allow simple passcodes (ie repeating / ascending / descending sequences), whether you require alphanumeric values (must contain at least one letter), minimum length, age, auto-lock time period, history and, possibly the most important if considering the device would be used by a member of staff, how many failed attempts before the device is wiped (I’ll talk a bit more at a later date about encryption on iOS devices).

We also have to consider whether the profile can be removed by the user. The options include Always, With Authorization and Never … remembering that if you wipe the device (there are a variety of methods) it will take it back to requiring activation and you start again anyway with a clean slate. Also remember that, in the most basic setup, the profile is something a user (or the person setting it up) has to accept to install. When we look at Profile Manager later on we can consider some of the ethos behind putting particular settings into the profile so that the user has to agree to various settings as a method of gaining access to certain areas (eg email) and a common method of control for this is the granting of access to the secure, wireless network.

Profiles can be loaded via USB, can be emailed out to users to install, can be pulled down from websites or pushed out wirelessly via MDM solutions. One important thing to remember when exporting profiles from IPCU is security. These are text files and if you do a simple export can be read and changed via a plain text editor. You can sign the profile so any changes will noticed by the device if you try to install it but this basically changes it to read only mode. What should be considered as the only option is sign and encrypt the file. Just think … this profile could have all the settings needed by a user to join your hidden wireless network, usernames and passwords for mail servers (if using a profile per person or allocating a specific email account per device) and so on … do you really want that in plain text?

It is simple to sort though by just ensuring you export it signed and encrypted.

The next post will look at some of the uses of the new tool on the block, Apple Configurator, and what we were shown about what looks to be the first stage of a good methodology for managing and deploying devices in bulk.