Tag Archives: MDM

Apple Workshops – Deploying iPads in Bulk

After a week of looking at the best way to cover the different variations of using Apple Configurator it seemed like destiny to come across a thread on EduGeek which looked at one of the principle methods by which schools could make use of Apple Configurator and iTunes. The thread can be found HERE and will no doubt have numerous updates where further questions get answered.

A massive thank you to Rydra for allowing me to reproduce the original post in the thread. I would heartily recommend people keep a track of this conversation, and other similar ones, over on EduGeek.net.

Process for bulk imaging an Ipad using mac OSX + Apple Config + iTunes

So I finally managed to pin down how to do this, though it took a while, and I’m going to have trouble in the future till Apple fix their entire operating ethos.

The problem, is that Apples configurator program, for mass deploying iOS devices, now only support the Apple Volume Purchasing Program. This is bad, because that is only available in the US for fully registered companies with a DUNS ID (cant be bothered to explain, but it’s a database in the US for businesses to register themselves.)
This means, that only free apps can be deployed as part of Apple configurator, not paid apps, unless you are in the US, where you can buy volume licensing for them.

So this is what I’ve had to do to get around it.

I recommend that you either run seperate accounts for your different device sets, or, if you have what I have, and that’s a single account, make different itunes libraries (it might be worth doing anyway even if you have multiple accounts)
To do this, hold down Alt + click on the itunes icon. Then create library…

This means, that for the different ipad varieties, yes you have to keep multiple copies of the same apps, but it makes your life a lot easier to manage the apps on your device.

The general process flow to follow is this

-Update iOS to latest version using Apple configurator; you can either let it go and download it, or you can download it yourself and point it at the upgrade file. You can plugin as many ipads as you’ve got USB ports (or hubs), but even better, once you set it up, you simply unplug the ones that were done, and plugin the next one(s) and it just carries on going till you hit the ‘stop’ button.
-From the apple configurator window (Prepare Tab > Settings), only select from the dropdown the iOS version you want. Do not change anything else in the window.
-Hit Prepare
-Swap in/out till done.
NOTE: HIT THE STOPP BUTTON WHEN YOUR DONE! I forgot at one point, and nearly factory wiped my master ipad when i plugged it in for imaging!)

-Install all apps, books, music, movies etc and arrange the way you want (NOTE: it’s best to do this using Itunes. I’ll explain later.)

-Transfer purchases from the ipad to itunes/the pc. This makes sure your PC has all the apps you want if any were added via the device rather than itunes.

-Hit sync. This makes sure what your ipad has, so does the PC and vice versa.

-Right click the Ipad in Itunes, and do a backup.

This will now give Itunes a full backup of the SETTINGS. Note, this does not save the apps themselves.

Now, the reason I said above that you need to use Itunes to setup the layout, is that there are 2 kinds of restore for the ipad.

If you use the summary page restore, it is a factory reset, and reinstalls the iOS from scratch, giving you a vanilla ipad. It will then apply your settings/preferences. The problem is, that it hasn’t put all your apps back on at this point. And if you were unlucky enough to have ticked ‘sync apps on setup’ and/or ‘sync new apps’, then it will put every single App on your account (that you’ve downloaded to the PC) on the device.

Now this is not really that cool. At one point we had more than 270 apps in our library here, most of it junk, and we ran out of home screens to put them all on. This is why I suggest having different libraries. Seperate libraries means you keep each library with only the apps you need for that set, and applying the app sets is as simple as shift selecting all the apps and dumping it onto the ipad.

Onto the restore part:
-Stick in your new ipad with nothing on it, fire up itunes, and then tick to sync apps (suggest unticking auto install new apps, this gets annoying if your trying out apps etc.) along with anything else you want to sync up. Because you have a seperate library with just the apps you want in it, you can just shift select all the apps, and dump them on the ipad!
-Wait till this is done syncing
-Once it has all the apps you want on the device, Right click the ipad in itunes, and select Restore.

THIS IS IMPORTANT.

This right click menu option does NOT reinstall the iOS! It ONLY restores the settings, therefore all apps on the device are left alone. Since all the apps you want are on the device, it can create your home screen layout the way you want it. Anything on the device it’s not sure of, it’ll dump it loose on the home screen (so you can have some customisation where required)

-Once this is done for all your ipads, it’s time to go back to the configurator.

-Setup profiles the way you want (To create a profile, click the ‘+’ at the bottom of the window). You can set restrictions, wifi settings, mail settings, whatever is in the settings on the device, you can control it here.

From the top:
-Give the set name. Tick the ‘number sequentially starting at 1’ button. If you want the numbers to start from a different number, tick it, then change the number and it updates itself.
-Supervision on/off means if you set it, only your PC can alter the settings on the device.
-iOS: assuming you did it earier, don’t touch this setting.
-Restore: don’t touch this setting, you did this stage during itunes.
-Profiles: Tick next to the profile you want to apply
-Hit prepare, and swap in/out devices till all are done.
-HIT STOP!

This will give you a set of ipads all with the same layout, same iOS, same app sets.

-From Apple config, select from the restore drop down: ‘Backup’
This makes an Apple config backup file for later use. label it appropriately.

In the event of needed to reinstall from scratch, follow the processes above entirely.
If you just want to reset the layout/settings, and assuming no apps were removed/added, you can simply hit ‘restore’ from here and it’ll restore back to your master. If you update your app set, you’ll have to do it all from scratch again.

—————-

(Original post by Rydra on Edugeek.net : http://www.edugeek.net/forums/mac/95070-process-bulk-imaging-ipad-using-mac-osx-apple-config-itunes.html)

Apple Leadership Summit – The Workshops pt 3

We have now covered the most simplistic methods which many schools are using to manage iOS devices, and frequently these are shared devices we are talking about, not individual devices owned by the user. The issues that this can bring is that as you grow with the number of devices you have or reduce the amount of time you have available to cover support of the devices you have to look at more efficient and practicable solutions.

The next area covered in the workshop was the concept of profiles. Those who have looked into Group Policy Objects (GPOs) in the world of Windows or the use of WorkGroup Manager (WGM) on Mac OS X can see easy parallels and might look to apply the exact same concepts used to lock down machines. Apple were keen to stress that it is not about locking down but more a case of ensuring that certain settings were enabled and that you knew where the responsibility lay for control / changes of the settings.

In a similar way to the nuts and bolts of GPOs just being a method of forcing changes to the registry on a  Windows client, and WGM forcing changes of .plist files on a Mac OS X Client, the iPhone Configuration Utility (IPCU) creates a text file which, when loaded onto an iOS device, changes settings.

It covers a number of areas including security, Wi-Fi, VPN, email, calendar, address book and some application restrictions. We covered some of these setting in the previous post when we looked at on-device settings, but a profile can also be used to set up part of the information required and allowing the user to complete the rest. An example would be to put in all the details for the Exchange Server but leaving some fields blank so the user enters the information relevant to themselves. A more details guide on this can be found on the help section of the Apple website

Another important security area is around passcodes where you can set the complexity including whether you allow simple passcodes (ie repeating / ascending / descending sequences), whether you require alphanumeric values (must contain at least one letter), minimum length, age, auto-lock time period, history and, possibly the most important if considering the device would be used by a member of staff, how many failed attempts before the device is wiped (I’ll talk a bit more at a later date about encryption on iOS devices).

We also have to consider whether the profile can be removed by the user. The options include Always, With Authorization and Never … remembering that if you wipe the device (there are a variety of methods) it will take it back to requiring activation and you start again anyway with a clean slate. Also remember that, in the most basic setup, the profile is something a user (or the person setting it up) has to accept to install. When we look at Profile Manager later on we can consider some of the ethos behind putting particular settings into the profile so that the user has to agree to various settings as a method of gaining access to certain areas (eg email) and a common method of control for this is the granting of access to the secure, wireless network.

Profiles can be loaded via USB, can be emailed out to users to install, can be pulled down from websites or pushed out wirelessly via MDM solutions. One important thing to remember when exporting profiles from IPCU is security. These are text files and if you do a simple export can be read and changed via a plain text editor. You can sign the profile so any changes will noticed by the device if you try to install it but this basically changes it to read only mode. What should be considered as the only option is sign and encrypt the file. Just think … this profile could have all the settings needed by a user to join your hidden wireless network, usernames and passwords for mail servers (if using a profile per person or allocating a specific email account per device) and so on … do you really want that in plain text?

It is simple to sort though by just ensuring you export it signed and encrypted.

The next post will look at some of the uses of the new tool on the block, Apple Configurator, and what we were shown about what looks to be the first stage of a good methodology for managing and deploying devices in bulk.

Apple Leadership Summit – The Workshops pt 2

The workshop spent some time looking at the range of tools to support and manage iOS devices and so I’ll run through some of the areas which it covered. I’ll also try to highlight where most of us are when it comes to many schools trying to do ad-hoc management of devices. For the sake of short-hand I will use iPad to describe an iOS device … but I could easily say iPhone or iPod Touch.

The first things we are generally all used to using is iTunes. Those of us with personal devices or those who are using BYOD / student leased devices are likely to not see a lot of use of iTunes as it is done by the user instead. Some schools with only a handful of devices might be using iTunes managed from one machine to look after devices .

All devices, whichever method you use, needs to go through 4 phases and iTunes can manage all those.

  1. Activate
  2. Update
  3. Configure
  4. Sync

When you get an iPad out the box or when you do a remote wipe it needs to be activated. It can be done over the air (with the advent of iOS5) or it is commonly done using iTunes for many users. This allows you to set up basic things like language, country, enable / disable location services, connect to a network and restoring from a saved backup (an important idea to come back to later).  It is also possible to put iTunes in Activation-only mode so that the update / config / sync can be done by other users and other tools.

The iPad will then check to ensure that it has the latest version of iOS (remembering that it cannot restore a backup from a newer iOS version). You then configure the iPad as to how it will backup, whether it can sync over Wi-Fi, what it will sync (going into detail in the tabs for Apps, Tones, Music, Movies, TV Shows, etc), type of video quality (i.e. between HD and SD) and so on. In the general summary tab I personally think that people should have a good look at the ‘Configure Universal Access’ button as the use of voiceover and zoom can be quite handy for many learners.

Once you have the device the way you want it with the relevant Apps and media then it will sync, taking us through to the final action of setting up an iPad in the simplest manner, via iTunes. Of course, trying to do this for a raft of devices is neither practical nor efficient. The simplest method of doing this on bulk is to take one iPad, build it the way you like it and then restore the backup onto each new iPad as you activate it, which will go some way to automating the configuration and sync sections.

And this is where a lot of school stay … an ad-hoc arrangement where a HLTA or IT Technician has to build a new ‘image’ (well … backup an exemplar iPad) and load it onto the other devices. There is little ‘locking down’ of the machine and whilst it is a bit of a mess to cope with it can be a lot cheaper than spending a lot of time and money on the other tools.

There are some quick wins though. iTunes on its own will allow you to configure certain things but to really perfect a device you need delve into the on-device configuration. Setting up for home sharing can make it easy for learners to access resources shared via iTunes (always use a second AppleID for this in my experience) but the real benefits come when you look into Settings > General > Restrictions. Here you can turn off access to iTunes, installing or deleting apps, YouTube and even Safari … though Ned and co did warn us to be careful about this as some Apps make use of Safari to work. You can set the ratings for content, allow or block In-App purchases, and more. Well worth having a look at the Online Manual of iOS 5 for more information about what setting you can control.

And this deals with basic setup of the iPad. Fine for a handful of devices and there are some tools to make bulk restore / sync a possibility when also tied in with storage / security trolleys.

In the next blog post we look at iPhone Configuration Utility and who this will build a profile of setting for you similar to the manual job of using iTunes / on-device settings.

Apple Leadership Summit – The Workshops

There were 3 streams at the event and, although I really wanted to buck the stereotype and get more involved in the content creation stream, I really had to go to the infrastructure stream as there are so many questions and queries about Mobile Device Management (MDM) that needed looking into.

I blog fairly extensively about the last Leadership Summit here and here so I already had a good idea what we were in store for, and I have also done a fair bit of investigations already. The introduction of Lion Server changed a number of things, and newer tools which have been added on since are also changing ideas about how to plan and manage devices.

I’ve got to say a big thanks to Ned and the rest of the Apple team in the workshop. We all know that companies will toe a certain party line, and these folk are no different, but the allowances for healthy interjection from delegates, questions ranging from the slightly enquiring to the in-depth technical and still managing to keep the workshop pretty much on track meant that they had to field some difficult questions and gave some pretty good answers, and tried not to disappoint when they could offer no more than some basic “sorry, but there is no VPP yet” responses.

I’ve also got to say that there are some legal and regional things about MDM which were covered. The Apple folk did remind us that *we* have to make sure that *we* are happy that *we* are following the T&Cs, laws of the land, etc. The session was a technical one, not a legal and contracts one. There are differences about how we might opt to manage things in UK compared to US because of a number of facts, but the main one is that the Volume Purchase Program (VPP) does not operate in the UK so solutions which talk about bulk purchase and pushing out apps are technically possible in the UK, but not following the rules at this time! We did look at options about how to ensure you are fully licenced and that is another key fact to remember.

So, caveats done and we can continue.

The session started with each delegate introducing themselves and explaining what they were looking for from the session. It was good to see a range of primary, secondary and special schools, people employed by schools and 3rd party support firms, as well as representatives from RM and Jigsaw24. In general most are looking for ideas about how to deploy and manage devices, and about app deployment and the legalities behind it.

Presently we tend to think of traditional IT deployments of suites in classrooms, or we have started to move away from them to mobile classrooms. We then also have those who have gone (or are starting to go) down the one to one route to give an easy way of all being able to access devices (a common theme from the day, to be honest). iOS devices are slightly different and we have a number of options. How you plan your infrastructure is dependant on how you want to plan to use the devices.

We can split it into 3 areas. Device Sharing (closest to present day), One to One (mix of institutional and personal data) and User Responsible (highly personalised and almost anything goes). Once you have thought about which option you want then you can start to plan how to get there. Personally I think it is likely that once you start planning then you might find barriers to going down certain routes and you might have to make compromises … sometimes down to money, sometime down to the need to change the curriculum … it doesn’t mean you shouldn’t try but there might be times you have to be a little pragmatic.

Looking at the methods of managing devices we can see 6 areas.

iTunes – which we are pretty used to with them being consumer devices, but with a large manual requirement

On-device configuration – where we use the settings on the device or on particular apps, again a familiar task with a large manual requirement

iCloud – again something we might be used to

iPhones Configuration Utility (IPCU) – a way of generating profiles which can be applied to one or more devices. Those of us used to GPOs within Windows AD or WorkGroup Manager with macs will find this fairly familiar and the idea that a GPO is just a series of registry changes, or in WGM generates changes to .plist files … profiles are pretty similar.

Apple Configurator – the new kid on the block which is likely to be key for many of us. It allows for prep for mass deployment, supervising devices and assigning devices to individuals within the organisation.

And finally … Mobile Device Management (MDM) – the full blown tool which makes use of a framework provided by Apple to do all of the above. Within Apple’s toolset we have Profile Manager on Lion Server (used in conjunction with some of the above where needed) and you have an MDM lite solution …

There are a number of good 3rd party MDM solutions out there and to some extent it is a bit like making the decision about whether to use middleware on your network to manage Windows, whether it be RM’s CC3 or CC4 or one of the other products out there (Viglin’s Classlink, CSE, etc). It also depends on the mindset of the school. If it the attitude is “lock it all down” then you might want one route, and if you prefer a more ‘enabling’ and user reliant option then you go down another path.

So … there we have the first post … with the above tools you can go from delivering a shared device in a library which can be set up quickly for each user as it is booked out to them, a device which has all the settings for email etc and just requires the user to finish it off by putting in their username and password, you can stop the buying, deleting or even access to various apps, or you can bulk prep personal devices but to get access to your wifi settings they have to ‘log on’ to a certain managed profile. Over the next week I will try to cover each tool in a separate post.

The final thing I will say is that, whilst not explicitly mentioned, it is important to have a decent infrastructure for the devices to run over, and a presumption that most of the management / config will be done on a Mac (some tools don’t require a Mac but the significant ones will do).

Apple Leadership Summit – Intro

It is good to see Apple throw themselves into the education arena a bit more after having been notoriously shy over the last few years. With the corporate stance on attending tradeshow meaning that the official presence at BETT has not been a possibility it was wonderful to see a number of combined ASE/ADE/AASP stands, actually staffed by many of the same people who came along and worked on the Apple stand in previous years.

Having attended a previous Apple Leadership Summit last October I was glad to be able to get an invite to the latest one, held yesterday at Silverstone. Over the next post or two I’ll be covering most of my notes from the event and hopefully be able to give a significant update on where I left things after my blog posts after last year’s Summit.

The notes will take from my own notes, my tweets and some tweets from others.

I’ll try to split the posts into 3 areas: vision, practice and infrastructure design … the last one is likely to be a biggie so I will probably start there. Whilst most of what was covered is about mobile devices from Apple, a lot of the principles about how you plan and think about it can be translated to other offerings.