2015 in Review

I guess it’s worth trying to summarize what, if anything, I accomplished or at least experienced in the past year. Working in education, there’s a constant reminder to self that reflection is as important to growth and learning as absorbing new ideas and doing things.  So here goes:


As a nerd this is the most easily quantified as I look at the digital trail I’m leaving behind. In 2015 I tried out quite a few new programming platforms, languages and frameworks. I built things in the cloud with Javascript, Ruby, Python, Go, Swift, PHP, Reactive.JS and the Flux paradigm, Flask, Bootstrap, Material Design, d3 (a Javascript data visualization library), Grape (a Ruby API builder), Android and iOS SDKs, Xcode, Eclipse, Google App Engine and Google APIs, Amazon Web Services, Docker, HTTP Live Streaming (both on the client and on the server side), and static website generators (Pelican and Jekyll).

I created 5 new and updated 20 public source code repositories on Github.com.

To get acquainted with the Internet of Things, I tinkered with Arduino, the Particle Spark, RFM69 wireless chips, and the BeagleBone Black single-board computer. My electronics (and construction) tools and skills are still very rudimentary, so here’s a place for growth in the coming year.

I also got hands-on with 3D printers, especially the MakerBot Replicator (how they work, how to calibrate them, how to repair them).

I upgraded my school district’s network to a new firewall and helped move students and staff toward a cloud-based future and away from reliance on individual workstations and physical servers (bidding farewell to 9-year-old Apple Xserves when they fail ungracefully).


Because of my school district’s master plan to modernize our school campuses, I learned a lot about (and generated even more questions about) what the physical and technological demands of a 21st century classroom should be. EdCamps, Google Hangouts, and face-to-face meetings (especially with talented groups of people like those on the CETPA Edtech mailing list, BAISNet, the Stanford FabLearn attendees, and the Bay Area Maker Educators Google Plus community) helped immensely, and I hope that I might have provided a few useful comments in return.

Personal Growth

I don’t think I changed substantially for the better in 2015, but some milestones made an impact. There was an afternoon in April at a magnificent villa in Rio de Janeiro that my family and I spent reviewing touching correspondence that my late father received 40 years ago and that was essentially sealed away until recently. And my mother’s passing after a slow 10-year decline into forgetfulness and silence, as sad as it was, did create opportunities to reach out to my siblings and their families and to eventually have a short but meaningful reunion on a beautiful New England October weekend.

In the dubious distinction category I logged 269 films on Letterboxd during 2015. Films continue to impart meaning to me, and my watchlist (films I need to see) grows longer every year, and I hope you had or have a chance to see some of the films on my 19-best list of 2015.


More fun and games (not) with iPad management

So because of Apple’s restrictions on their Device Enrollment Program (devices must have been purchased by your organization directly from Apple), I have a handful of donated iPads and iPads purchased through generous and thoughtful third-party support organizations (for instance the Dedication to Special Education group) that can’t be managed via the DEP.

To keep these under my JAMF MDM management umbrella alongside the DEP devices, I must do it the old fashioned way, using Apple Configurator to “supervise” them with an enrollment profile exported from JAMF.

Problem was that after they were “prepared” and “supervised” in Configurator and magically showed up in my JAMF database, certain pieces, like the restriction profiles and the JAMF Self Service application, were not showing up on the devices the way they do with the DEP devices.

After struggling awhile, the bug apparently comes down to (can you guess?): Apple IDs!

Under the JAMF Management History there were two types of failures:

  • “The app “com.jamfsoftware.selfservice” is already scheduled for management.”
  • “The iTunes Store ID of the application could not be validated.”

Turns out that to get the Self Service app on the device, the command to install the app comes from Apple (as requested by the JAMF MDM server) on a push notification, and if you’ve never set up the Apple ID fully in the iTunes App Store on the device, the command fails.

By setting up fully I mean:

  • Signing in with the Apple ID and password.
  • Changing the “Password Settings” from empty to either “Require Always” or “Require after 15 minutes.” (BTW “Require Always” seems to be Apple’s motto; I get a prompt to log in about every 30 seconds or so on these newly enrolled devices). Also it’s interesting to me that to change the password settings, you have to log in again with your Apple ID and password. Then if you’re lucky and change the password settings, you get access to the “Require Password for Free Downloads” magic slider that lets you opt out of having to sign in to “purchase” free apps (such as the JAMF Self Service).
  • Going to the App Store app and accepting the 47 pages of changed Terms and Conditions.
  • Saying “Not Now” to Apple’s pestering about setting up Family Sharing. (These are institutional iPads, not family iPads).
  • Downloading All of the “Apple Apps” (or saying “Not Now” and hoping that you remember to download them individually later). As of iOS 8.4 these are:
    • Pages
    • Numbers
    • Keynote
    • iMovie
    • GarageBand (shows up only on some iPad models)
    • iTunes U (shows up only on some iPad models)
    • Apple Store (shows up only on some iPad models)
    • Find My Friends (shows up only on some iPad models)
    • Find My iPhone (shows up only on some iPad models)
  • Keeping your fingers crossed that the “Install Self Service app” push notification will arrive in time that you don’t have to do this all over again.

Finally I learned how to jump start the process. In JAMF you have to select the device, go to Management, issue an “Update Inventory” command, and then wait. JAMF will check the device, see that it still needs the Self Service app and issue a Self Service app install command. Right then you have to do all the “setting up fully” steps listed above. If all is OK you will get a notice that the Self Service app will be installed.


So you wanna manage some shared iPads

Or, “Flirting With Disaster”

I have 250 shared iPads to manage for my school district, and have struggled with various simple management schemes.  When Apple announced the Device Enrollment Program last year and some of my IT friends recommended it, I decided to take the plunge.  For those who have never had the pleasure of managing iPads for a shared environment I thought it would be important to document some of the quirks as well as the official requirements for managing iPads the Apple way, which is not simple.  iPads were designed by Apple to be personal, not institutional devices, and if you need to use them in a shared setting, like we do (with between 8 and 12 iPads shared by students in a classroom), you really have to jump through some big hoops, as you’ll see below.

Compared to the Chromebooks we use in our upper grades (where you pay Google $30 one time for access to an administration console, spend one or two hours setting up organizational units and restrictions and then maybe 15 seconds per Chromebook for enrollment in your Google domain), iPad management with the DEP looks like it’s going to take about 10-15 minutes per iPad, or between 45 and 65 hours to set up 250 iPads.  It’s a factor of 40 or 60 in terms of time compared to the Chromebooks.  This will change somewhat when iOS 9 comes out, because Apple has already released some information about a per-device app licensing model that may obviate the need for setting up institution-owned Apple IDs on each iPad.

In the meantime, this summer I am lucky to have a high school intern working with me to share this load (thanks, Carter, for putting up with my rants today).  I’m hoping we can blast through those 45 hours of work in two weeks and have the iPads ready to go by mid-July. I’ll let you know, dear reader, when it’s all done.

So in the style of a cookbook recipe, here are the steps taken to “bake” some iPads.  If you’ve been through this before and found some shortcuts that I missed, let me know in a comment or private email (to pzingg at kentfieldschools dot org) and I’ll try it out and update this post if it worked for me.  Thanks in advance for those who help.


Here’s the list of accounts, servers, applications and other tools I used.

Email Accounts

We are a Google school, so all of these are set up in our Google Apps for Education domain. I use Google Account Manager (“GAM”) to create and manipulate bulk email accounts. The accounts we’ll need are:

  • An email account for your organization’s DEP access.
  • A generic Apple ID administrative email account that can accept “+” addresses, so that you can create multiple Apple IDs that communicate with a single email inbox.
  • A rescue email account for the Apple IDs you will be generating.
  • A device-specific email address for each shared iPad (we have 250 of these).


  • A Mac laptop with a USB cable to run Apple applications and a web browser.
  • A mobile phone to which Apple will send 2-factor authentication codes when you use their DEP portal.
  • One or more 10-port USB hubs or (preferably) Bretford (or other manufacturer’s) sync-and-charging stations, to be able to prepare 10-30 iPads at a time.

Cloud Servers and Services

  • A SolarWinds Web Help Desk trouble ticket and inventory server to hold iPad asset and purchase information. This can be set up on any CentOS-compatible Linux server.
  • A CentOS 389 Directory Server LDAP server installed to hold authentication, user and location information. I set this up on an Amazon Linux EC2 instance.
  • A JAMF JSS server as the Mobile Device Management server (an MDM server is required by Apple DEP). JAMF now offers hosted subscriptions of JSS.
  • Apple’s Device Enrollment Program (“DEP”) service. You need to contact Apple to get this set up for your organization.

Mac Laptop Applications

  • Google Account Manager, a python script that lets us create the device-specific email accounts we will install on the shared iPads.
  • Apple Configurator to update the iOS version on the iPads and to return each iPad to a clean, pre-activated state.
  • Apple Script Editor with an automation script to automate the creation of Apple IDs.

Other Tools

  • Google Sheets to keep track of deployment information and status

Recipe, Part I. One Time Data and Server Setup

Now that we have all the servers, hardware and other tools in the kitchen, we can do some prep work. Give yourself a week to get this all done.

Step 1. Create an inventory and deployment spreadsheet. [Prep time: 1-2 hours.]

The initial data for the deployment comes from purchase order records. As we purchase devices, I put the data into our existing help desk ticket and asset inventory manager, Web Help Desk. I use Web Help Desk to keep track of which devices are for which schools and classrooms, etc.

We’re a Google Apps school, so I export the iPad records into a Google Sheet, with these columns:

  • Asset Tag
  • Serial No.
  • Model (“Apple iPad mini 2”)
  • Apple Order No. (if known)
  • Purchase Order No.
  • Purchase Date
  • Building (school site, like “Bacich”)
  • Department (to make the deployment group, like “Bacich 2nd Grade”)
  • Room (like “Room 22”)
  • Teacher (if assigned to a teacher; otherwise I use “Shared Use” as the teacher name)
  • iPad No. (a sequential number or number based on the asset tag)
  • Device Name (calculated from iPad No., like “ipad-33”)
  • Username (same as the Device Name for shared devices)
  • Full Name (calculated from iPad No., like “iPad 33”)
  • Email address (calculated from iPad No., like “ipad-33@mydomain.org”)
  • Apple ID (calculated from iPad No., like “ipad+0033@mydomain.org”)
  • Deployment Group (like “Bacich 2nd Grade iPads”)

And I add a bunch of status columns to keep track of things:

  • DEP Eligible?
  • AppleID Created?
  • DEP Enrolled?
  • PreStage Assigned?
  • MDM Enrolled?
  • Post-Enrollment Done?
  • Profiles Installed?
  • Apps Installed?

Step 2. Apply for and receive access to the Apple Device Enrollment Program. [Prep time: 1 hour. Cooking time: 1-2 days.]

You have to fill out an online form to get into the DEP. Apple will contact you to confirm your organization. This might take a few days. Once you are in, all of your iOS devices that were purchased with your organization’s Apple Customer ID since March 2011 should be able to be added to DEP.

When you are finally enrolled, you’ll need to give DEP a mobile phone number. Every time you need to log into DEP, it will send an authentication code via SMS and won’t let you log in until you enter this code.

Step 3. Recover unredeemed or supervised VPP app redemption codes. [Prep time: 1 email. Cooking time: 2-3 hours.]

At this time you should contact Apple to get any unredeemed VPP spreadsheet codes for apps that your organization purchased converted to “managed distribution” licenses. If you had previously redeemed VPP codes for apps on iPads that were set up as “Supervised” with Apple Configurator, you should unsupervise these iPads first, so that they will be reclaimed and so that Apple can convert them to managed distribution. I didn’t have any iPads under Configurator supervision so this saved me some time (at the cost of maybe a hundred bucks in lost VPP codes).

Step 4. Create user records on the LDAP server. [Prep time: 1-2 hours.]

I wrote a small script to parse the data in the Google Sheet and create an LDIF import file that I send to the LDAP server. For each shared iPad, I create an entry (LDAP object class “inetOrgPerson”) in the “People” tree on the LDAP server:

  • Username (“uid” LDAP attribute), like “ipad-33”
  • Email address (“mail” attribute), like “ipad-33@mydomain.org”
  • Password (“userPassword” attribute)
  • Full Name (“cn”), like “iPad 33”
  • First name (“givenName”), like “iPad”
  • Last name (“sn”), like “33”
  • Building (“physicalDeliveryOfficeName”), like “Bacich”
  • Department (“departmentNumber”), like “Bacich 2nd Grade”

Once these are set up, you can connect to your LDAP server in JSS, and map the attributes in the user record to JSS attributes that will populate device records when the devices get enrolled. JSS can also install an email configuration profile on each device that will setup the email account in iOS, based on these attributes. Nice.
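The post does not show the Step 4 script, so here is an added example (not the author’s code) of turning sheet rows into inetOrgPerson LDIF entries with the attributes listed above. The base DN, the CSV column subset, the random per-device passwords and the {SSHA} hashing are assumptions of this example; values that are not LDIF-safe (for instance a cell containing a line break) are base64-encoded so a spreadsheet cell cannot add extra attribute lines to an entry.

```python
import base64
import csv
import hashlib
import io
import os
import secrets

# Assumptions for this example: the base DN and the CSV column names.
BASE_DN = "ou=People,dc=mydomain,dc=org"
MAIL_DOMAIN = "mydomain.org"  # placeholder domain used in the post

# Constructed sample rows, shaped like an export of the deployment sheet.
SAMPLE_CSV = (
    "iPad No.,Building,Department\n"
    "33,Bacich,Bacich 2nd Grade\n"
    "34,Bacich,Bacich 2nd Grade\n"
)


def ssha(password, salt=None):
    """Return a salted SHA-1 value in the {SSHA} userPassword format."""
    salt = os.urandom(8) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def check_ssha(password, stored):
    """Verify a password against a stored {SSHA} value."""
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return secrets.compare_digest(candidate, digest)


def ldif_line(attr, value):
    """Emit 'attr: value', or 'attr:: base64' when the value is not a
    SAFE-STRING under RFC 2849 (non-ASCII, CR/LF/NUL, leading space,
    colon or '<', or trailing space)."""
    unsafe = (
        not value.isascii()
        or any(c in value for c in "\r\n\x00")
        or value[:1] in (" ", ":", "<")
        or value.endswith(" ")
    )
    if unsafe:
        encoded = base64.b64encode(value.encode("utf-8")).decode("ascii")
        return f"{attr}:: {encoded}"
    return f"{attr}: {value}"


def device_entry(uid, num, row, password):
    """Build one inetOrgPerson entry for a shared iPad."""
    lines = [
        ldif_line("dn", f"uid={uid},{BASE_DN}"),
        "objectClass: top",
        "objectClass: person",
        "objectClass: organizationalPerson",
        "objectClass: inetOrgPerson",
        ldif_line("uid", uid),
        ldif_line("mail", f"{uid}@{MAIL_DOMAIN}"),
        ldif_line("cn", f"iPad {num}"),
        ldif_line("givenName", "iPad"),
        ldif_line("sn", str(num)),
        ldif_line("physicalDeliveryOfficeName", row["Building"]),
        ldif_line("departmentNumber", row["Department"]),
        # Only the salted hash goes into the LDIF file, never the plaintext.
        ldif_line("userPassword", ssha(password)),
    ]
    return "\n".join(lines) + "\n"


def build_ldif(csv_text):
    """Return (ldif_text, {uid: plaintext_password}) for all rows."""
    entries, passwords = [], {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        # int() rejects anything but a number, so the uid placed in the DN
        # cannot carry DN metacharacters from the spreadsheet.
        num = int(row["iPad No."])
        if num <= 0:
            raise ValueError(f"bad iPad number: {num}")
        uid = f"ipad-{num}"
        passwords[uid] = secrets.token_urlsafe(16)
        entries.append(device_entry(uid, num, row, passwords[uid]))
    # Entries are separated by one blank line, as LDIF requires.
    return "\n".join(entries), passwords


if __name__ == "__main__":
    ldif_text, device_passwords = build_ldif(SAMPLE_CSV)
    print(ldif_text)
```

The returned password map is what you would record for the authentication prompt at enrollment; keep it somewhere with tighter access than the deployment spreadsheet.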

Step 5. Set up your MDM server. [Prep time: 1-2 hours.]

The details here are pretty vendor-specific, but I’ll explain what I had to do to get a brand new JAMF JSS server to be ready. You can connect the MDM server to the LDAP server you set up previously. You will also need to create an Apple Push Certificate, which means generating a CSR, importing it into the Apple Push Notification portal and then downloading the certificate and bringing it back into your MDM. Finally you need to add the MDM server to your DEP, which means exporting a public key from your MDM, importing it into the DEP portal (in DEP go to “Manage Servers” and click “Add MDM Server”), downloading the token for your MDM from the DEP portal and importing it into your MDM.

Once your MDM server is good with Apple (for Push Notifications and DEP), you can set up things like Buildings, Departments, configuration profiles, and (I believe this is mandatory) at least one Enrollment Profile. Note that we don’t really need to install the configuration profiles on the devices at enrollment time–they can be pushed out later once the devices are all enrolled. This will keep the wireless network traffic low while you are enrolling new devices. Which restrictions to put on iPads is another subject (maybe for another post in this series this summer).

For now I create two configuration profiles:

  • A Wi-Fi profile that will tell the iPads which wireless network to connect to, what the WPA2 password is and what proxy information to use for our school network.
  • A restrictions profile that disables FaceTime, iMessage and a lot of iCloud stuff that we don’t want to use.

In the MDM, I “scope” these two profiles to “All Mobile Devices”, so they will take effect right after the devices are enrolled.

Then before you are ready to enroll individual iPads, you will need to create a PreStage Enrollment profile. This is where you set up which “Setup Assistant” screens will be presented to the user when he/she/you activates the iPad. You probably also want to use these “General” settings:

  • Require Authentication.
  • Supervise Devices.
  • Enable Pairing.
  • Disallow MDM Profile Removal.
  • Make MDM Profile Mandatory.
  • Skip all activation Steps except “Apple ID”, because I want to have the Apple ID ready to go and don’t want my teachers to have to do this step later.
  • Use “Serial Numbers” and “Enforce Mobile Device Names” under “Mobile Device Names”. Note to self: There is a feature request for JAMF to set the device name to something it can fetch from the LDAP server, but for now I think Serial Numbers is the way to go. Once we have supervision over these devices, we can use JAMF to change the device name later; at least the serial number will help me figure out which iPad is which.

Step 6. Configure an open wireless network. [Prep time: 15 minutes.]

If you can install a Wi-Fi access point temporarily with an open network, you can save yourself having to type in a password or SSID name as each iPad is enrolled.

Recipe, Part II – Batch Processing

Now that we’ve gotten our kitchen equipped with one-time setups, like making a party’s worth of cookies, we will prepare and enroll our iPads in batches. I think 20 or 30 at a time is a good number to shoot for. The limiting factors for the batch size are:

  • Your Wi-Fi network capacity and Internet bandwidth
  • How many devices can be connected to Apple Configurator at a time through USB
  • Apple ID script timeout limits (see below)

I run through each of the following steps for each batch. The times are what it seemed to take for 20 iPads.

Step 6.5 (Update!). Manually erase all content and settings to remove possible Activation Lock problems — see information below (if you know the Apple ID password on the iPad). [Cooking time: 5 minutes].

Launch the Settings app on each iPad, and try to erase all content and settings by choosing Settings > General > Reset > Erase All Content and Settings. If the device had Activation Lock enabled, you will need to provide the Apple ID and password.

Step 7. Update the iOS version for each iPad with Configurator, and get it ready for enrollment. [Prep time: 10 minutes. Cooking time: 30 minutes.]

I plan to use 3 Bretford charging stations daisy chained together via USB to do up to 30 iPads at a time. For the older style of iPad connectors, I temporarily removed the plastic holding “trays” from the Bretfords so that I have a free length of USB cable to the iPads (because of how you have to put them into recovery mode). The newer-style “lightning” USB cables are skinny and long enough to work well with the plastic trays left in the station.

Plug the USB cable from the last Bretford cart into your Mac laptop and launch Apple Configurator.

On the “Prepare” pane in Configurator, set the “Supervision” slider to “On”. Click the “Set Organization Info…” button and save the name of your organization. Supervising the iPads wipes them clean and installs the latest iOS version (make sure your laptop has an internet connection, so it can fetch this from Apple). We’re going to Supervise the iPads and then Unsupervise them. This will make sure that they all start out fresh and de-activated. If there’s a simpler way to get the latest iOS on them and have them ready for DEP enrollment, please let me know! To get each iPad ready for supervision, I had to:

  • Power the iPad off. Hold the top button for 5 seconds, then “Slide to power off” and wait until it’s really off (about 15 seconds).
  • Put the iPad into recovery mode. This requires some dexterity. Plug in the Bretford USB connector for the iPad while the iPad is still powered off, at the same time that you hold the iPad’s Home button down. Keep holding that button down until you see the “iTunes” recovery mode screen appear.

Back in Configurator’s “Prepare” screen, click the “Prepare” button (if it’s the first time, get rid of the confirmation: “all USB devices?”). You can go ahead and add more iPads while the Prepare steps are processed. In general I found that this takes about 20 minutes (maybe longer if you have more than 10 iPads):

  • You’ll wait 8 minutes for iOS version to be downloaded.
  • Then 5 minutes for iOS version to be unpacked.
  • Then 5 minutes for iOS version to be installed.
  • Then a final 1-2 minutes for all the supervision checks to be completed.

Once all the checks are done, as shown in Configurator, click the Stop button. Go to Supervise pane, choose “All iPads”, right click and choose “Unsupervise”. This will reboot them all and remove all data as a last step.

Now the 10-30 iPads can be unplugged and are ready for DEP enrollment. EXCEPT you may find later that some of them won’t take (see below). I’m still trying to figure out why some don’t work after they all have been through the same process.

Step 8. Generate device-specific email addresses. [Prep time: 2 minutes. Cooking time: 2 minutes.]

I just make a text file that has a line like “gam create user ipad-33 firstname iPad lastname 33 password emailpass” for each shared iPad in it. Then it’s trivial to run the script (which calls the “GAM” application on each line) and create 20 email addresses in our Google domain in a matter of 1 or 2 minutes. Later when I install the email configuration profile in JSS, each iPad will get its own email address we can use to share projects created on the iPad.

Step 9. Generate device-specific Apple IDs. [Prep time: 5 minutes to customize script. Cooking time: 30 minutes for 20 Apple IDs].

This is a big hassle that will go away once iOS 9 comes out this fall. For now, each device needs an Apple ID so that we can deploy VPP apps to it. While you can in theory share an Apple ID across multiple devices, this leads to craziness (been there, done that). So to avoid going to the Apple Store or Apple ID website 250 times and filling out a lot of repetitive information, there’s an AppleScript to automate that. There are several versions floating around on the ‘net. Be aware that each version is slightly different and will only work with specific versions of iTunes. The script pumps keyboard and mouse clicks into the iTunes application. The script I use (which I have modified slightly) creates Apple IDs in the form “ipad+0033@mydomain.org”, all with a common, but cryptic password. By using a “+” email address, confirmation email messages will arrive at the base email address, “ipad@mydomain.org” (see next step for what you have to do there).

Before you create the Apple IDs you will have to contact your Apple engineer to arrange to have your IP address whitelisted for 30 days. If you don’t, Apple will refuse more than a handful of new Apple IDs per IP address per day.

Once you have the script tweaked so that it works with iTunes and has the right domain, secret question answers, and password information, you can run it in Script Editor, specify the starting and ending “ipad numbers”, and the script will generate batches of Apple IDs with sequential email addresses. Because of the timing that the script allows for selecting menu items, it takes about a minute to generate each Apple ID. And there is a maximum clock time that AppleScripts are allowed to run, so (at least in my environment) I can only generate about 25 new Apple IDs at a time.

Step 10. Confirm Apple ID Email Addresses. [Prep time: 10 minutes for 20 Apple IDs].

Log into the catch-all email account. Since all my Apple IDs were given addresses of the form “ipad+0033@mydomain.org”, all of the confirmation email messages will be sent to the base address, “ipad@mydomain.org”. Log in there and look at the Inbox. You will see a message for each Apple ID you created with a subject line like “Verify your Apple ID”. Open each message and click the link that says “Verify now >”. You will be taken to the Apple ID website, where you will have to dutifully copy the email address into the Apple ID text field (why can’t they do that for us), and type or paste in the difficult-to-crack password that you specified in your Apple ID generation script. Then click the “Verify Address” button. Hopefully this becomes easier after time.

You had better not skip this step, or your newly enrolled iPads will harangue you to the ends of the earth to confirm your email address and any iCloud features will be disabled until that address is confirmed.

Step 11. Enroll the iPads in the DEP. [Prep time: 1-2 minutes for the batch if you have the serial numbers or Apple order number].

Log into DEP. Remember, you’ll have to have your mobile phone handy to be able to log in. Go to the “Manage Devices” page. Grab the serial numbers for the batch of iPads you are going to enroll from your Google Sheet and paste them into the box under “Choose Devices by Serial Number”. You can also try and enter a serial number into the Search box and press Return. If you’re lucky DEP will show you the Apple order number and you can use that to enroll a whole batch of iPads. Sometimes you’ll be unlucky and the search results dialog won’t pop up but you can still enroll by pasting the serial number into the box.

If you’re feelin’ lucky, go ahead and paste those serial numbers into the box, set the action “Assign to Server” and select your MDM server. Then click “OK”. If you typed things in correctly, you’ll get confirmation of the assignment. After devices are assigned you can go over and click “View Assignment History” and see the Apple Order Numbers there, as well (only if all the devices were on a single Order, alas).

But if you’re really unlucky, when you enter the serial numbers for enrollment, you might get a dialog that says, “Couldn’t Assign Your Devices.” You can download a CSV “assignment error file” if this is the case and you’ll probably get this wonderful description for the unsuccessful devices:


My guess is that (assuming you typed in the serial numbers right), this means that your organization didn’t purchase the iPad(s) from Apple. They might have been bought on Amazon, through DonorsChoose, or even if they were bought from Apple, it wasn’t your organization that was the customer from Apple’s point of view. You can call your Apple rep, but these iPads will have to be managed the old-fashioned way, using Configurator. I’ll write up my experiences using Configurator and JAMF on another day after I finish with my 240+ DEP iPads.

Step 12. Assign iPads (now assigned to MDM) to your MDM server’s PreStage Enrollment. [Prep time: 1 minute for the batch].

Log into your MDM. In JAMF, I go to Mobile Devices, PreStage Enrollments. I select the PreStage Enrollment I set up in Part I, click the “Refresh” button, then look at the “Scope”. I click “Edit” then sort by the “Device Assigned” (time of DEP assignment) column to show the devices I just assigned in Step 11 at the top of the list. I check off the new iPads and assign them to the PreStage and then click Save.

Step 13. Enroll the iPads and do initial post-enrollment setup (only 12 steps to get here!) [Prep time: 2 minutes PER iPad plus more time to re-do the ones that burned in the oven.]

Now we’re finally ready to get the iPads enrolled (wirelessly!). From each iPad’s Hello screen, you should proceed to choose the language and the Wi-Fi network. After connecting to Wi-Fi, if all goes well, you should see a message indicating that the iPad will be managed by your organization.

This worked for me only about 85% of the time. The other 15% of the iPads showed the “Location” setup screen (which I had disabled in my PreStage), meaning that they were headed toward a non-managed activation. I don’t have a solution for why these few but significant numbers of iPads didn’t “take” the PreStage after Step 12, nor an easy way to “reset” them so they can try again.

Anyway if it works, and you opted for Authentication in your MDM PreStage setup, you will be prompted for a username and password. If you authenticate successfully to your MDM (through its LDAP connection), the MDM will assign the LDAP attributes, like username, email address, building, department, etc., to the device as it is being enrolled.

Update: Here are four more things that can go wrong (and did):

iPad is “activation locked”.  “This iPad is currently linked to an Apple ID (i*****@k*****.org). Sign in with the Apple ID that was used to set up this iPad.” If you guess and type in the incorrect Apple ID you get: “Incorrect Apple ID. email_address@kentfieldschools.org cannot be used to unlock this iPad.” If the iPad was hooked up to “Find My iPad” before, or was supervised, and then erased, you can’t re-activate it without remembering the previous Apple ID.  Nice if the iPad happened to be set up by an employee who has now left your school district. (This really did happen to me). In a last resort, Apple has a process that you can certify legally that the iPad is owned by the school district and you wait 7 to 10 days for them to release the lock.  Sheesh. Moral of this story: ALWAYS know what Apple ID has been assigned to an iPad before you erase it!  So one more step that should be inserted into the process.  See the new Step 6.5 in the process above for what you can do to prevent this from happening.  My next update will explain the painful Apple appeal process.

Invalid profile. After the authentication step, you might get this: “The configuration for this iPad could not be downloaded from Kentfield Elem School District. Invalid Profile.” The ones that give me this problem were probably low on battery and if you look at the clock in the status bar it’s not correct, so the TLS handshake and signing stuff is probably failing.

Activation server inaccessible. “Your iPad could not be activated because the activation server cannot be reached.” I think that this is a system clock or other network issue that prevents the SSL handshake between the iPad and Apple’s activation server. Rebooting, charging to full battery, waiting overnight and/or wiping the iPad again eventually solved this issue.

Invalid SCEP server response.  “Profile Installation Failed. The SCEP server returned an invalid response.”  This was fixed by wiping (several times actually) and trying again.

On the Apple ID activation step, assuming you generated and confirmed the device-specific Apple ID, you can type in the Apple ID and password (or just skip that step).

After I’m done with the enrollment, there are a number of ways I can verify that the device was enrolled correctly:

  • In JSS it now should show up in the Mobile Devices search results
  • On the iPad if I go to the Settings app and click General, there is a message that the device is managed by my organization
  • Also in the Settings app, you can also inspect the MDM profile and any other profiles that the MDM has installed. In our case, you should see the Wi-Fi configuration profile and you should be able to connect to the private, WPA2-protected Wi-Fi network without having to type in a password.
  • On the iPad’s Home Screen, JSS installs an app named “Self Service”.

After enrollment, I do a few things on each iPad to help teachers manage the device as a shared resource. I go to Settings, iCloud and turn off photo sharing, contacts, etc. I turn everything associated with iCloud off. But I leave the iCloud account there, so I can use “Find my iPad”.

In the meantime iOS and iTunes are bugging me to confirm the Apple ID password even though I typed it in 30 seconds ago. And they want me to tell them it’s OK to only require typing in the dang password after 15 minutes have gone by. This is a real annoyance and one I will be so glad to have disappear in the iOS 9 era.

So now after 5 days for Part 1 of the recipe (Steps 1-6), and then about 2 hours for a batch of 20 iPads in Part II (Steps 7-13), all but 3 of the batch are ready to receive apps and additional configuration profiles. In fact it took about 5 hours of solid work today to get about 30 iPads through this process (and I still haven’t set up the Apple IDs for some of them).  We’ll see over the next two weeks if it gets any easier.


Filed under Education

Bye, Bye Brasil

Sunset on the Morro da Urca


Just got back (April 2015) from an unstressed two weeks in Brazil and wanted to document just some of the highlights of my vacation for those of you who might be going.

Best Neighborhood in São Paulo (SP) – Vila Madalena

Ok well, those who have been living in Vila Madalena for 10 years or more say that it has been ruined by the publicity and crowds from the World Cup 2014, but it’s still a pleasant walkable place with restaurants, art galleries and bars of all stripes. And if you need a place to stay, you would be hard pressed to find a nicer place than this.

Best Modern Buildings – Edificios Copan and Italia, Centro, SP and MEC, Centro, Rio de Janeiro (RJ)

The Copan is undergoing a facial right now, covered in pale blue scrim, so if you go next year you might be lucky enough to see its beautiful mosaic-tiled brise-soleil facade restored.  In the meantime if you don’t know a resident who can get you into the building, you can still visit the free, public art space PIVÔ and get a sense of Niemeyer’s greatness.  Meanwhile, if you’re in Rio’s Centro on a weekday, you really should visit the MEC (aka Palacio Capanema), where Le Corbusier, Lucio Costa and Roberto Burle-Marx created an early masterpiece of urban architecture and planning without the crushing scale of some of Costa/Corb’s later projects.

Best Museum Space – Instituto Moreira Salles, Gávea, RJ

The former residence of Walter Moreira Salles in Gávea is another mid-20th century modern classic, this time on a residential scale, now converted into an elegant public gallery for photography and cultural events. Burle-Marx did the wonderful garden and swimming pool area. The cafe is charming.

Best 19th Century Building – Real Gabinete Português de Leitura, Centro, RJ

This reading room is among the world’s finest tributes to the power of books. The exterior is pretty great, too, with statues of emperors and of course, Vasco da Gama.

Best Espresso Coffee – Coffee Lab, Vila Madalena, SP

These folks are serious about their beans. The baristas ask you personally for your coffee selection and the atmosphere is conducive to philosophical discussions.

Best Drip Coffee and Pão de Queijo – Confeitaria Atlântica, Copacabana, RJ

Go in and get a café com leite at the bar on a workday morning. Super strong and good, and brewed hourly due to the popularity of this corner pastry store in working-class Copacabana.

Best Restaurant Closed for a Special Event – Bossa, Jardins, SP

Stunning wood-screened space in Jardins that is supposed to have great food as well. Too bad we picked the wrong night and couldn’t get in.

Best Restaurant in a Small Town – Banana da Terra, Paraty

We signed up (somewhat unwillingly) for the Thursday night tasting menu, and it was sublime. I’m not normally a foodie, but this was a pleasant experience with nice waiters and a combination of old Brazilian standbys like coxinha, and new ideas like lemongrass and squid soup.

Best Pizza – Ferro e Farinha, Catete, RJ

You have to go 30 minutes prior to opening to find a seat at one of their sidewalk tables. Don’t pass up the ginger spritzer while you eat all of their 5 different pizza combinations.

Best Gelato – Sorvetes Artesanais Nirulas, Paraty

We just stumbled into an art gallery with a gelato fridge in the back by happenstance.  Turns out the Nirulas (based in the city of Itu in São Paulo State) makes some of the best gelato I have had anywhere. Interesting flavors, and a really nice guy who runs the store.

Best Unnoticed Bars – Seu Zé, Vila Madalena, SP and Urca Grill, Urca, RJ

No special reason to go to these places, but they are typical of the hospitality and cheap eats you can find in Brazil. Urca Grill has a fantastic location across the street from Urca’s little harbor. Go at night and hang out at the seawall.

Best Juice Bar – Lanches Hobby, Glória, RJ

Ask for the açaí natural (bananas instead of cane/corn syrup).

Best Caipirinha – Galería do Engenho, Paraty

You can get these with lime, pineapple (my choice) or mango and with a wide variety of local cachaças. Strong, fruity and satisfying. The restaurant serves healthy portions of authentically Brazilian staples.

Best Pousada with Hammocks – Morro do Forte, Paraty

Very nice staff and calming spot above picture-perfect Paraty.  Plenty of shady and sunny spots to recline, ponder and lie in a hammock.

Hippest Haircut (Guys Only) – Barbearia 9 de Julho, Vila Madalena (SP)

Hole in the wall spot with some very good young haircutters. This is where Vila Madalena guys with full beards, coiffed hair and mustaches go for hour-long sessions that are old-world pampering to the max (facials, steaming towels, etc.); but gringos like me can also get a quick cut.

Best Public Art – Escadaria de Selaron, Lapa, RJ

A massive project by an expat artist, equivalent in scope and ambition to Simon Rodia’s Watts Towers in Los Angeles. Every square inch of this stairway was hand-crafted. Amazing, even in a country with extraordinary graffiti work seemingly in every neighborhood.

Best 3.5 Km Early Morning Stroll – Aterro do Flamengo, Flamengo, RJ

Aterro do Flamengo


Burle-Marx left his masterful mark on the Avenida Atlântica in Copacabana, but his real gift to Rio is the Aterro, a linear park wedged between Zona Sul’s automobile-dominated parkways and the beaches of Glória, Flamengo and Botafogo. Every 100 meters is a new combination of Brazilian trees. People run and walk by without noticing that they are moving through paradise.

Best Park for Meandering or Picnicking – Parque Lage, Lagoa, RJ

Mysterious caves, castles and a swimming pool court in a neo-baroque palace. The grounds are beautifully landscaped.

Best Park for Just Soaking it In – Largo das Letras, Santa Teresa, RJ

The cafe / bookstore / cultural center here was closed, but folks were still taking advantage of the quiet courtyard right above Santa Teresa’s “downtown” square, the Largo do Guimarães.

Best Park for Concerts and a View – Parque das Ruinas, Santa Teresa, RJ

Charming little cafe and terrace at the top of Santa Teresa. We were there on the Dia Nacional de Choro for a lilting noontime choro concert. Perfect views over Botafogo and Pão de Açucar.

Best Overlooked Beach – Cepilho’s, Trindade

Praia do Cepilho


While all tourists take the bus to the end of the line in Trindade (45 minutes and $2 from the Paraty bus station) and then begin the walk to the isolated beaches in the nature preserve to the south of the town, we jumped off at the first sight of water at Cepilho, a beer-and-shrimp shack on a beach hemmed in by massive rocks. It was a Friday in April and we had the place to ourselves. Space to wander around or sit under a palm tree, just like in the picture books.

Best Bar with Music in the Mata Atlântica (Atlantic Rainforest) – Poço de Tarzan, Penha

Another short bus ride from Paraty takes you onto the former gold pipeline royal road in Penha. Beautiful waterfalls you can surf down, and, slightly up river, the Tarzan bar. Saturday afternoon an MPB trio of guitarists play under a tent while happy vacationing Brazilians while away the hours having snacks and beer.  Apparently this place is for sale if you like the idea of operating a bar with a private waterfall and hanging bridge.

Best Hyped Samba Scene – Bip Bip, Copacabana, RJ

Everybody’s heard about this place that’s been a nightly jam session for sambistas for 30 years or more, but it’s still real and a delightful place to go and get scolded for applauding or talking during performances (snapping your fingers in appreciation is allowed). Newcomers quickly figure out the deal: you leave your name and the number of beers you’ve picked out of the kitchen with Alfredo, who is there every night parked by his telephone with a stack of dishes that act as a cash register and a big notebook where he keeps your tab.

Places We Didn’t Get To (Next Time!)

  • Sunday stroll on the Minhocão, SP
  • Hiking to Dos Irmãos, Vidigal, RJ
  • The top of Pão de Açucar (we only got halfway), RJ
  • The new Saraiva super-bookstore by Artur Casas, Barra de Tijuca, RJ
  • Floresta de Tijuca and Restaurante Os Esquilos, RJ
  • MAC (Niemeyer museum), Niterói
  • Sítio Burle-Marx, Barra de Guaratiba, RJ (currently closed for flood repairs and improvements)
  • Ilha Grande and Angra dos Reis
  • Serra dos Orgãos National Park, Teresópolis


Filed under Architecture, Travel

Her: A Gentrified Blade Runner



Update: Of course I’m not the only one to get upset about Her’s Los Angeles.

Her is a movie, as we know, about a near future where interactions with operating system helpers, our “OS”es, displace those with our fellow humans, until they have no more use for us. This line of thinking, which runs from the Velveteen Rabbit to I, Robot, is well trod, and Spike Jonze adds a well-thought-out story to the canon.

What I found more fascinating than the CHI (computer-human interface) plot was Jonze’s depiction of the future of Los Angeles. Having just seen Thom Andersen’s critical film, Los Angeles Plays Itself, about the credibility gap between Los Angeles’s ever-widening economic inequality over the last 70 years and its portrayal in Hollywood film, walking into Jonze’s 21st century Southern California is an even more disorienting and disquieting experience.

Our hero, Theodore Twombly, lives in Beverly Wilshire City (a proxy for Los Angeles’s westside) and works either there or in a simulacrum of Downtown Los Angeles (the One Wilshire building and other towers still standing in this near future). These cityscapes bleed together, so that from higher up there is a vision of São Paulo-like skyscrapers that extend to the mountains and to the sea.  Gleaming highrises are linked by windswept, uncrowded elevated walkways. Along these paths are gaudy security cameras mounted on every lamppost. By 2060 or whenever, the clunky-looking camera mounts would most likely be a thing of the past, so I guess these are here to assure the public that the L.A.P.D. has things under strict control.

There is no garbage on these “streets”.  Even entrances to the subway seem clean and efficient, with a steady stream of nearly-all-white knowledge workers moving to and fro. The subways run quietly and happily everywhere (the happy Los Angeles Metro map of the future has already been posted on today’s internet for the curious), and bullet trains can take our workers on vacation to Donner Pass for the weekend.

Her Metro Map


The people who live and work here are predominantly white and well-educated. There is one scene where a dapper black man busks with a fedora upturned for tips, and a split-second shot of a middle-aged woman sweeping the floors of Beverly Wilshire City while Theodore is not feeling too well about his inevitable break-up with his OS. And while Samantha is being given an early tour of the variety of humans who live here through Theodore’s iPhone camera, we do see one or two Latinos.

The rest are all white hipster or post-hipster young and middle-aged types. They work in what seem to be low-stress, high-paying creative endeavors, letter-writing or game-designing. And they have all gone to or talk about “Harvard”, “magna cum laude”; they strive to become the “class mom”, and if they are not lucky enough to get one of these sweet creative jobs, they can at least work as “lawyers”, so that’s OK. Luckily we can check off that there is no gender inequality in Her L.A. Theodore’s brilliant PhD ex-wife was raised in a household of “high expectations”, he tries to date a Harvard woman with an incredible CV, and so on.

These lucky folk spend their days in workplaces  colored by Deborah Sussman in pastel, so that cube workers are always seeing things through rose-colored glasses. People eat well, remembering to chew their fruit for the fiber (if you want to juice anything, juice the vegetables).  They wear sustainable fabrics in unpretentious styles (lots of sweaters and J. Crewish colored shirts).

They sport overly large messenger bags (Amy Adams’s is especially big) or gym bags or backpacks, and talk blithely to each other or to their OS through earpieces.  There are no dramas beyond those of sexual tension and marriage; apparently no one lacks for money.

What we don’t see is what happened to the 12 million or so Southern Californians who didn’t go to Harvard or didn’t become lawyers. I expect that they have been sent over those mountains to the desert and for the few who are employed as moppers, they can take the bullet trains to work 100s of miles away.

You have to wonder whether Jonze is consciously mocking such a future for Los Angeles or accepting it as the positive end result of the marriage of capitalism and technology. His is a surfer’s dream world, always looking on the positive sunny side of things, a day at the beach of the Emerald City without any economically-depressed denizens.

And I wonder if the beauty and navel-gazing aspect of the whole thing (even the OSes are expert self-analysts following the precepts of Alan Watts) has been tamely accepted by the Hollywood Industry, the folks whose children go to Harvard Westlake school and do actually yacht out to Catalina for a picnic away from the masses on a regular basis.

Thom Andersen had an interesting insight into the environment presented in Blade Runner. Where most viewers saw it as menacing, Andersen delights in the fact that the Los Angeles streets in Blade Runner are filled with real people and density, with shops and interaction going on.

The surroundings of Her are scarily too similar to where I sit in Kentfield. The “class mom” game is being played out for real every day here, and the one percent meet in quiet cafes to talk about their marital problems; the rest of society (poverty, under-education, a future without the promise of work) is hard to see.


Filed under Architecture, Film

Los Angeles 1973 in 12 Acts

The Outside Man


Last night I finally had the opportunity to watch Thom Andersen’s superb meditation on the politics, public relations and naivete of filmmakers who have used Los Angeles as a backdrop or a character in their movies. Andersen, who grew up in Los Angeles, was associated with the USC film school and now is a professor at Cal Arts, created Los Angeles Plays Itself in 2003.  The two-hour film is apparently “unplayable” outside of personal screenings because it makes use of clips of more than 200 copyrighted works to demonstrate Andersen’s points about what is and is not in the frame. Obtaining the clearances for these beautiful images (including some from my personal favorites: from Kiss Me, Deadly to Zabriskie Point to The Long Goodbye) apparently would require a very large budget (perhaps AFI could step in and foot the bill?), so you have to find a time and place where Andersen might want to show the film privately if you want to enjoy it on the big screen.

However, the film is available on YouTube either as a single video, or in a series of 12, with an index to the set provided on the Open Culture website, which is the way I saw it. After watching you can also find the complete list of films referenced in a posted copy of the script or in a Letterboxd list.  All that remains is for the book to be published, with footnotes to further reading on the history of Los Angeles’s studios, city politics and events.

Andersen covers the Los Angeles built environment in the first half of the film but then gradually shifts focus to the social. In his view of the history of movie-era Los Angeles, there are a series of earthquake-like events that have occurred decade after decade and that reveal how the public image of Los Angeles as portrayed in just about every Hollywood production (as well as in the movies of artists and European outsiders) has become ever more distant from the reality on the ground. He also goes to other well-known critics of Los Angeles’s built environment, David Gebhard and Mike Davis, to support his argument of the social decline of Los Angeles.

Chronologically, he relates these damaging events:

The 1920’s consideration and subsequent rejection of a regional, municipal trolley system that would have been a complement to the ever expanding influence of suburban development and the dominance of the automobile.

The Zoot Suit riots of 1943, that exposed the cruel victimization of the Los Angeles Latino community.

The 1949 Los Angeles City Council rejection of a light-rail plan, in favor of postwar freeway expansion.

The debate over public housing in 1951-53, where newly appointed police chief William Parker conspired with media and business interests in the McCarthy era to portray the public housing movement as Communist-influenced. The program was abandoned, prefiguring the further decline of poor areas of Los Angeles.

The Parker era’s step-by-step deepening of a climate of paranoia (coinciding with the Film Noir years), where the L.A.P.D. strove to meet the robotic, all-powerful, all-seeing ideals of Jack Webb’s Dragnet.

The Watts riots of 1965.

The destruction of downtown’s Bunker Hill neighborhood, unleashed by real-estate deals set up by the Richard Riordan administration from 1973-86.

Coincident with the sterility of downtown redevelopment was a planned further deterioration of public transit. Andersen gives examples that were brought in a class-action suit: reductions in routes, de-publication of route maps, etc.

The Rodney King riots of 1991.

Andersen carefully observes how “enlightened” filmmakers from the Hollywood tradition realized how Los Angeles’ dream era has ended and that the social fabric is torn, but could not work outside of their privileged viewpoint and their scant knowledge about the vast plain of the Los Angeles basin, confining their protagonists’ psychological problems to the white suburban motifs of Raymond Carver (as in Altman’s Short Cuts). Finally, Andersen finds praise in the film’s last segment for the more truthful people- and family-focused work of African-American neo-realist filmmakers working in the 90s in the films Bush Mama, Killer of Sheep and Bless Their Little Hearts. He also returns again and again to the rarely seen Kent MacKenzie neo-realist picture about Native Americans in downtown, The Exiles, made in 1971, at a time when the dream mirror was really cracked.

Parallel to the main line of social commentary, Andersen does bring up the treasure trove of film stock that can be mined for archeological and historical purposes. For me, an outsider who arrived in Los Angeles in 1973 to study its architecture, and remained there until 1982, watching the film was a beautiful nostalgic journey, and the concept of nostalgia or period-piece films is a large theme in Los Angeles Plays Itself.  In particular, I now need to find a copy of Jacques Deray’s 1973 film The Outside Man, which Andersen describes as an almost perfect snapshot of the city at that moment in time. He separates the non-Hollywood films of the 70s and 80s as either “low-tourist” or “high-tourist”. The distinction for me is that “low-tourist” films play Los Angeles for laughs or thrills through stereotypes, and “high-tourist” films attempt to reveal the kitsch, the ugly and the dysfunctional parts of the basin with more subtlety, using art-film techniques.

I found a few of Andersen’s grind-axes a bit humorous. He is a consummate East sider and mocks the gilded movie-industry that can’t bear to locate a movie east of Vine St unless the location is in the hills, at landmarks like Griffith Park or Union Station, or downtown with its dead-world skyways and office towers. He does admit to overcoming his East-sider prejudice against Jacques Demy’s exquisite Model Shop, on subsequent rewatching, at least. And he is repulsed by the acronym “L.A.” That kind of crankiness is widespread in the Bay Area, too, where “S.F.” and “Frisco” and “San Fran” are looked down on.  I love L.A.

I had a few great flashbacks while enjoying Los Angeles Plays Itself. And I will be adding some of these great and not-so-good films to my Letterboxd watchlist, thanks to Andersen’s teasers: D.O.A., Detour, The Night Holds Terror, The Street With No Name, Love Streams, Messiah of Evil, and Gone in 60 Seconds (the 1974 H.B. Halicki original, that Andersen describes as the best car-chase movie ever made). I don’t think I will be watching these however (you have to draw the line somewhere): The Glimmer Man, The Omega Man, Earthquake, Escape From L.A., L.A. Story or Hanging Up.

If you love or hate Los Angeles (Andersen delights in showing quite a few apocalypse-L.A. film clips), don’t miss this film.



Filed under Architecture, Film

Beaglemania, Day 1

Beaglebone Black


Just purchased a BeagleBone Black kit from MakerShed as part of my retirement planning (entering a 4th career phase as a tinkerer/coding teacher).

First off, had a bit of a problem finding a 5V DC power supply. One that I spent $25 on didn’t work, then found a “Verizon” 4A power adapter recommended by another Beagler. Meantime I’m testing out the networking of the little guy.

# opkg update
# opkg upgrade

That took about 3 hours, but in the midst of it, the ethernet connection was established, and I could find out the IP address of the Bone by using nmap. So far so good.

Changed the timezone (thanks, dwatts):

# cd /etc/
# rm localtime
# ln -s /usr/share/zoneinfo/America/Los_Angeles localtime

Now I’m installing emacs and trying to get the Realtek wi-fi dongle to work with my home network.  Apparently emacs doesn’t work (swallows keystrokes when used over ssh).  So I’ll have to learn nano.

The wi-fi connection is a mess.  The opkg upgrade did seem to install the Realtek drivers.  Then you modify /var/lib/connman/wifi.config, and hope you put in the right parameters.  I have to reboot every time I change this file. Then you might try removing the ethernet cable, or just use a heftier (2A minimum) power supply, or turn off powersave for wlan0 (on startup?):

# iw wlan0 set power_save off

Or you might have to disable IPv6 (how?).  Here’s some information from dmesg (and a little help for the reason codes):

[ 22.481941] wlan0: authenticate with 88:1f:a1:44:f3:ec
[ 22.527731] wlan0: authenticated
[ 27.594450] wlan0: deauthenticated from 88:1f:a1:44:f3:ec (Reason: 2) <- not authorized
[ 27.820069] wlan0: authenticate with cc:a4:62:cb:9b:f0
[ 28.449651] wlan0: authentication with cc:a4:62:cb:9b:f0 timed out
[ 29.338261] wlan0: authenticate with 88:1f:a1:44:f3:ec
[ 29.399841] wlan0: authenticated
[ 29.595382] wlan0: deauthenticating from 88:1f:a1:44:f3:ec by local choice (reason=3) <- went offline
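Added example, not part of the original post: a small Python parser for the wlan0 authentication lines above that decodes each deauthentication reason code with its IEEE 802.11 meaning, notes whether the access point or the local station initiated it, and measures how long each authentication lasted. The function names and the abbreviated reason-code table are assumptions made for this example; the sample input is the dmesg excerpt from the post.

```python
import re
from collections import defaultdict

# Abbreviated subset of the IEEE 802.11 reason-code table (wording shortened).
REASON_CODES = {
    1: "unspecified reason",
    2: "previous authentication no longer valid",
    3: "station is leaving (or has left) the network",
    4: "disassociated due to inactivity",
    6: "class 2 frame received from non-authenticated station",
    7: "class 3 frame received from non-associated station",
    15: "4-way handshake timeout",
}

# The dmesg excerpt from the post, including the author's "<-" annotations.
SAMPLE_DMESG = """\
[ 22.481941] wlan0: authenticate with 88:1f:a1:44:f3:ec
[ 22.527731] wlan0: authenticated
[ 27.594450] wlan0: deauthenticated from 88:1f:a1:44:f3:ec (Reason: 2) <- not authorized
[ 27.820069] wlan0: authenticate with cc:a4:62:cb:9b:f0
[ 28.449651] wlan0: authentication with cc:a4:62:cb:9b:f0 timed out
[ 29.338261] wlan0: authenticate with 88:1f:a1:44:f3:ec
[ 29.399841] wlan0: authenticated
[ 29.595382] wlan0: deauthenticating from 88:1f:a1:44:f3:ec by local choice (reason=3) <- went offline
"""

MAC = r"(?P<bssid>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
LINE = re.compile(r"^\[\s*(?P<ts>\d+\.\d+)\]\s+(?P<iface>\w+):\s+(?P<msg>.*)$")
PATTERNS = [
    ("attempt", re.compile(r"^authenticate with " + MAC, re.I)),
    ("timeout", re.compile(r"^authentication with " + MAC + r" timed out", re.I)),
    ("success", re.compile(r"^authenticated\b", re.I)),
    ("deauth", re.compile(r"^deauthenticat(?:ed|ing) from " + MAC
                          + r".*?\(reason[:=]\s*(?P<reason>\d+)", re.I)),
]


def parse_events(text):
    """Turn kernel log text into a list of authentication event dicts."""
    events, pending = [], {}  # pending: interface -> BSSID of the last attempt
    for raw in text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue  # not a timestamped "<iface>: message" line
        ts, iface, msg = float(m["ts"]), m["iface"], m["msg"]
        for kind, pattern in PATTERNS:
            hit = pattern.match(msg)
            if not hit:
                continue
            bssid = hit.groupdict().get("bssid")
            # "authenticated" carries no BSSID, so reuse the last attempt's.
            bssid = bssid.lower() if bssid else pending.get(iface)
            if kind == "attempt":
                pending[iface] = bssid
            event = {"ts": ts, "iface": iface, "kind": kind, "bssid": bssid}
            if kind == "deauth":
                code = int(hit["reason"])
                event["reason"] = code
                event["meaning"] = REASON_CODES.get(code, "unknown or reserved")
                event["initiator"] = ("local" if "by local choice" in msg
                                      else "remote")
            events.append(event)
            break
    return events


def summarize(events):
    """Per-BSSID counts plus (reason, initiator, seconds held) per deauth."""
    stats = defaultdict(lambda: {"attempts": 0, "successes": 0,
                                 "timeouts": 0, "deauths": []})
    last_auth = {}
    for e in events:
        s = stats[e["bssid"]]
        if e["kind"] == "attempt":
            s["attempts"] += 1
        elif e["kind"] == "timeout":
            s["timeouts"] += 1
        elif e["kind"] == "success":
            s["successes"] += 1
            last_auth[e["bssid"]] = e["ts"]
        elif e["kind"] == "deauth":
            held = e["ts"] - last_auth.get(e["bssid"], e["ts"])
            s["deauths"].append((e["reason"], e["initiator"], round(held, 3)))
    return dict(stats)


if __name__ == "__main__":
    for bssid, s in summarize(parse_events(SAMPLE_DMESG)).items():
        print(bssid, s)
```

For the excerpt above it reports two deauthentications from 88:1f:a1:44:f3:ec: code 2 sent by the access point about five seconds after authentication, and code 3 generated locally a fraction of a second after the second authentication.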

Here are the packages I have installed manually:

# opkg install wireless-tools python-pip python-setuptools python-smbus
# pip install Adafruit_BBIO

Fun fact of the day: If the Beaglebone is plugged into an ethernet network, it broadcasts its name using Bonjour.  So you can do this if you’re on the same subnet (like on a Mac in the Terminal):

# ping beaglebone.local
# ssh root@beaglebone.local

Or open Cloud9 by going to http://beaglebone.local:3000 (!)


Filed under Education, Uncategorized