Tag Archives: IPCU

Apple Leadership Summit – The Workshops pt 3

We have now covered the most simplistic methods which many schools are using to manage iOS devices, and frequently these are shared devices we are talking about, not individual devices owned by the user. The issue this can bring is that as the number of devices you have grows, or the amount of time you have available to support them shrinks, you have to look at more efficient and practicable solutions.

The next area covered in the workshop was the concept of profiles. Those who have looked into Group Policy Objects (GPOs) in the world of Windows or the use of WorkGroup Manager (WGM) on Mac OS X can see easy parallels and might look to apply the exact same concepts used to lock down machines. Apple were keen to stress that it is not about locking down but more a case of ensuring that certain settings were enabled and that you knew where the responsibility lay for control / changes of the settings.

In a similar way to the nuts and bolts of GPOs just being a method of forcing changes to the registry on a Windows client, and WGM forcing changes of .plist files on a Mac OS X Client, the iPhone Configuration Utility (IPCU) creates a text file which, when loaded onto an iOS device, changes settings.

It covers a number of areas including security, Wi-Fi, VPN, email, calendar, address book and some application restrictions. We covered some of these settings in the previous post when we looked at on-device settings, but a profile can also be used to set up part of the information required and allow the user to complete the rest. An example would be to put in all the details for the Exchange Server but leave some fields blank so the user enters the information relevant to themselves. A more detailed guide on this can be found on the help section of the Apple website.

Another important security area is around passcodes, where you can set the complexity including whether you allow simple passcodes (i.e. repeating / ascending / descending sequences), whether you require alphanumeric values (must contain at least one letter), minimum length, age, auto-lock time period, history and, possibly the most important if considering the device would be used by a member of staff, how many failed attempts before the device is wiped (I’ll talk a bit more at a later date about encryption on iOS devices).

We also have to consider whether the profile can be removed by the user. The options include Always, With Authorization and Never … remembering that if you wipe the device (there are a variety of methods) it will take it back to requiring activation and you start again anyway with a clean slate. Also remember that, in the most basic setup, the profile is something a user (or the person setting it up) has to accept to install. When we look at Profile Manager later on we can consider some of the ethos behind putting particular settings into the profile so that the user has to agree to various settings as a method of gaining access to certain areas (eg email) and a common method of control for this is the granting of access to the secure, wireless network.

Profiles can be loaded via USB, can be emailed out to users to install, can be pulled down from websites or pushed out wirelessly via MDM solutions. One important thing to remember when exporting profiles from IPCU is security. These are text files and, if you do a simple export, they can be read and changed via a plain text editor. You can sign the profile so any changes will be noticed by the device if you try to install it, but this basically changes it to read only mode. What should be considered as the only option is to sign and encrypt the file. Just think … this profile could have all the settings needed by a user to join your hidden wireless network, usernames and passwords for mail servers (if using a profile per person or allocating a specific email account per device) and so on … do you really want that in plain text?

It is simple to sort though by just ensuring you export it signed and encrypted.
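A quick way to check an export before it is emailed out or put on a website, as an added example that is not part of the original post: the script classifies a profile as plain, signed or signed and encrypted, and lists any credential fields that are still readable. It assumes the profile is an XML property list using Apple's configuration profile key names, uses a leading-byte heuristic to spot a signed export, and runs on constructed sample data (the signed samples only mimic the framing and carry no real signature).

```python
import plistlib

# Payload fields that carry credentials in Wi-Fi, mail, Exchange and VPN payloads.
SECRET_KEYS = {"Password", "IncomingPassword", "OutgoingPassword", "SharedSecret"}

def audit_profile(raw: bytes) -> dict:
    """Classify an exported profile and list credentials readable without a key."""
    # Heuristic: a signed export is a DER blob (leading 0x30) that still carries
    # the XML plist in the clear; an unsigned export is the XML itself.
    signed = raw[:1] == b"\x30"
    start, end = raw.find(b"<?xml"), raw.rfind(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no XML property list found in export")
    profile = plistlib.loads(raw[start:end + len(b"</plist>")])
    encrypted = "EncryptedPayloadContent" in profile
    exposed = []
    for payload in profile.get("PayloadContent", []):
        for key in sorted(SECRET_KEYS & payload.keys()):
            exposed.append(f'{payload.get("PayloadType", "?")}:{key}')
    return {"signed": signed, "encrypted": encrypted, "exposed": exposed,
            "ok": signed and encrypted and not exposed}

def sample_profile(encrypted: bool) -> bytes:
    """Constructed profile: hidden Wi-Fi network plus a mail account."""
    profile = {"PayloadType": "Configuration", "PayloadVersion": 1,
               "PayloadIdentifier": "org.example.school.staff",  # placeholder
               "PayloadUUID": "00000000-0000-0000-0000-000000000001"}
    payloads = [
        {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "example-staff",
         "HIDDEN_NETWORK": True, "EncryptionType": "WPA",
         "Password": "constructed-wifi-psk"},
        {"PayloadType": "com.apple.mail.managed", "IncomingPassword": "constructed-pw"},
    ]
    if encrypted:
        # Stand-in bytes; a real export holds the encrypted payload data here.
        profile["EncryptedPayloadContent"] = b"\x00" * 16
    else:
        profile["PayloadContent"] = payloads
    return plistlib.dumps(profile)

def mimic_signed(xml: bytes) -> bytes:
    """Constructed DER-like framing only; this is not a valid signature."""
    return b"\x30\x82\x00\x00" + xml + b"\x00\x00"

PLAIN = sample_profile(False)
SIGNED_ONLY = mimic_signed(PLAIN)
SIGNED_ENCRYPTED = mimic_signed(sample_profile(True))
for name, blob in [("plain", PLAIN), ("signed", SIGNED_ONLY), ("signed+enc", SIGNED_ENCRYPTED)]:
    print(name, audit_profile(blob))
```

The signed-only sample still reports both passwords as exposed, which is the "read only mode" point above: signing protects against changes, not against reading.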

The next post will look at some of the uses of the new tool on the block, Apple Configurator, and what we were shown about what looks to be the first stage of a good methodology for managing and deploying devices in bulk.

Apple Leadership Summit – The Workshops pt 2

The workshop spent some time looking at the range of tools to support and manage iOS devices and so I’ll run through some of the areas which it covered. I’ll also try to highlight where most of us are when it comes to many schools trying to do ad-hoc management of devices. For the sake of short-hand I will use iPad to describe an iOS device … but I could easily say iPhone or iPod Touch.

The first thing we are generally all used to using is iTunes. Those of us with personal devices or those who are using BYOD / student leased devices are likely to not see a lot of use of iTunes as it is done by the user instead. Some schools with only a handful of devices might be using iTunes managed from one machine to look after devices.

All devices, whichever method you use, need to go through 4 phases and iTunes can manage all those.

  1. Activate
  2. Update
  3. Configure
  4. Sync

When you get an iPad out the box or when you do a remote wipe it needs to be activated. It can be done over the air (with the advent of iOS5) or it is commonly done using iTunes for many users. This allows you to set up basic things like language, country, enable / disable location services, connect to a network and restore from a saved backup (an important idea to come back to later). It is also possible to put iTunes in Activation-only mode so that the update / config / sync can be done by other users and other tools.

The iPad will then check to ensure that it has the latest version of iOS (remembering that it cannot restore a backup from a newer iOS version). You then configure the iPad as to how it will backup, whether it can sync over Wi-Fi, what it will sync (going into detail in the tabs for Apps, Tones, Music, Movies, TV Shows, etc), type of video quality (i.e. between HD and SD) and so on. In the general summary tab I personally think that people should have a good look at the ‘Configure Universal Access’ button as the use of voiceover and zoom can be quite handy for many learners.

Once you have the device the way you want it with the relevant Apps and media then it will sync, taking us through to the final action of setting up an iPad in the simplest manner, via iTunes. Of course, trying to do this for a raft of devices is neither practical nor efficient. The simplest method of doing this in bulk is to take one iPad, build it the way you like it and then restore the backup onto each new iPad as you activate it, which will go some way to automating the configuration and sync sections.

And this is where a lot of schools stay … an ad-hoc arrangement where a HLTA or IT Technician has to build a new ‘image’ (well … backup an exemplar iPad) and load it onto the other devices. There is little ‘locking down’ of the machine and whilst it is a bit of a mess to cope with it can be a lot cheaper than spending a lot of time and money on the other tools.

There are some quick wins though. iTunes on its own will allow you to configure certain things but to really perfect a device you need to delve into the on-device configuration. Setting up for home sharing can make it easy for learners to access resources shared via iTunes (always use a second AppleID for this in my experience) but the real benefits come when you look into Settings > General > Restrictions. Here you can turn off access to iTunes, installing or deleting apps, YouTube and even Safari … though Ned and co did warn us to be careful about this as some Apps make use of Safari to work. You can set the ratings for content, allow or block In-App purchases, and more. Well worth having a look at the Online Manual of iOS 5 for more information about what settings you can control.

And this deals with basic setup of the iPad. Fine for a handful of devices and there are some tools to make bulk restore / sync a possibility when also tied in with storage / security trolleys.

In the next blog post we look at iPhone Configuration Utility and how this will build a profile of settings for you similar to the manual job of using iTunes / on-device settings.

Apple Leadership Summit – The Workshops

There were 3 streams at the event and, although I really wanted to buck the stereotype and get more involved in the content creation stream, I really had to go to the infrastructure stream as there are so many questions and queries about Mobile Device Management (MDM) that needed looking into.

I blogged fairly extensively about the last Leadership Summit here and here so I already had a good idea what we were in store for, and I have also done a fair bit of investigation already. The introduction of Lion Server changed a number of things, and newer tools which have been added on since are also changing ideas about how to plan and manage devices.

I’ve got to say a big thanks to Ned and the rest of the Apple team in the workshop. We all know that companies will toe a certain party line, and these folk are no different, but the allowances for healthy interjection from delegates, questions ranging from the slightly enquiring to the in-depth technical and still managing to keep the workshop pretty much on track meant that they had to field some difficult questions and gave some pretty good answers, and tried not to disappoint when they could offer no more than some basic “sorry, but there is no VPP yet” responses.

I’ve also got to say that there are some legal and regional things about MDM which were covered. The Apple folk did remind us that *we* have to make sure that *we* are happy that *we* are following the T&Cs, laws of the land, etc. The session was a technical one, not a legal and contracts one. There are differences about how we might opt to manage things in UK compared to US because of a number of facts, but the main one is that the Volume Purchase Program (VPP) does not operate in the UK so solutions which talk about bulk purchase and pushing out apps are technically possible in the UK, but not following the rules at this time! We did look at options about how to ensure you are fully licenced and that is another key fact to remember.

So, caveats done and we can continue.

The session started with each delegate introducing themselves and explaining what they were looking for from the session. It was good to see a range of primary, secondary and special schools, people employed by schools and 3rd party support firms, as well as representatives from RM and Jigsaw24. In general most are looking for ideas about how to deploy and manage devices, and about app deployment and the legalities behind it.

Presently we tend to think of traditional IT deployments of suites in classrooms, or we have started to move away from them to mobile classrooms. We then also have those who have gone (or are starting to go) down the one to one route to give an easy way of all being able to access devices (a common theme from the day, to be honest). iOS devices are slightly different and we have a number of options. How you plan your infrastructure is dependent on how you want to plan to use the devices.

We can split it into 3 areas. Device Sharing (closest to present day), One to One (mix of institutional and personal data) and User Responsible (highly personalised and almost anything goes). Once you have thought about which option you want then you can start to plan how to get there. Personally I think it is likely that once you start planning then you might find barriers to going down certain routes and you might have to make compromises … sometimes down to money, sometimes down to the need to change the curriculum … it doesn’t mean you shouldn’t try but there might be times you have to be a little pragmatic.

Looking at the methods of managing devices we can see 6 areas.

iTunes – which we are pretty used to with them being consumer devices, but with a large manual requirement

On-device configuration – where we use the settings on the device or on particular apps, again a familiar task with a large manual requirement

iCloud – again something we might be used to

iPhone Configuration Utility (IPCU) – a way of generating profiles which can be applied to one or more devices. Those of us used to GPOs within Windows AD or WorkGroup Manager with Macs will find this fairly familiar and the idea that a GPO is just a series of registry changes, or in WGM generates changes to .plist files … profiles are pretty similar.

Apple Configurator – the new kid on the block which is likely to be key for many of us. It allows for prep for mass deployment, supervising devices and assigning devices to individuals within the organisation.

And finally … Mobile Device Management (MDM) – the full blown tool which makes use of a framework provided by Apple to do all of the above. Within Apple’s toolset we have Profile Manager on Lion Server (used in conjunction with some of the above where needed) and you have an MDM lite solution …

There are a number of good 3rd party MDM solutions out there and to some extent it is a bit like making the decision about whether to use middleware on your network to manage Windows, whether it be RM’s CC3 or CC4 or one of the other products out there (Viglen’s Classlink, CSE, etc). It also depends on the mindset of the school. If the attitude is “lock it all down” then you might want one route, and if you prefer a more ‘enabling’ and user reliant option then you go down another path.

So … there we have the first post … with the above tools you can go from delivering a shared device in a library which can be set up quickly for each user as it is booked out to them, a device which has all the settings for email etc and just requires the user to finish it off by putting in their username and password, you can stop the buying, deleting or even access to various apps, or you can bulk prep personal devices but to get access to your wifi settings they have to ‘log on’ to a certain managed profile. Over the next week I will try to cover each tool in a separate post.

The final thing I will say is that, whilst not explicitly mentioned, it is important to have a decent infrastructure for the devices to run over, and a presumption that most of the management / config will be done on a Mac (some tools don’t require a Mac but the significant ones will do).

Apple Leadership Summit – Intro

It is good to see Apple throw themselves into the education arena a bit more after having been notoriously shy over the last few years. With the corporate stance on attending tradeshows meaning that the official presence at BETT has not been a possibility it was wonderful to see a number of combined ASE/ADE/AASP stands, actually staffed by many of the same people who came along and worked on the Apple stand in previous years.

Having attended a previous Apple Leadership Summit last October I was glad to be able to get an invite to the latest one, held yesterday at Silverstone. Over the next post or two I’ll be covering most of my notes from the event and hopefully be able to give a significant update on where I left things after my blog posts after last year’s Summit.

The notes will take from my own notes, my tweets and some tweets from others.

I’ll try to split the posts into 3 areas: vision, practice and infrastructure design … the last one is likely to be a biggie so I will probably start there. Whilst most of what was covered is about mobile devices from Apple, a lot of the principles about how you plan and think about it can be translated to other offerings.