Or, “Flirting With Disaster”
I have 250 shared iPads to manage for my school district, and have struggled with various simple management schemes. When Apple announced the Device Enrollment Program last year and some of my IT friends recommended it, I decided to take the plunge. For those who have never had the pleasure of managing iPads for a shared environment I thought it would be important to document some of the quirks as well as the official requirements for managing iPads the Apple way, which is not simple. iPads were designed by Apple to be personal, not institutional devices, and if you need to use them in a shared setting, like we do (with between 8 and 12 iPads shared by students in a classroom), you really have to jump through some big hoops, as you’ll see below.
Compared to the Chromebooks we use in our upper grades (where you pay Google $30 one time for access to an administration console, spend one or two hours setting up organizational units and restrictions and then maybe 15 seconds per Chromebook for enrollment in your Google domain), iPad management with the DEP looks like it’s going to take about 10-15 minutes per iPad, or between 45 and 65 hours to set up 250 iPads. It’s a factor of 40 or 60 in terms of time compared to the Chromebooks. This will change somewhat when iOS 9 comes out, because Apple has already released some information about a per-device app licensing model that may obviate the need for setting up institution-owned Apple IDs on each iPad.
In the meantime, this summer I am lucky to have a high school intern working with me to share this load (thanks, Carter, for putting up with my rants today). I’m hoping we can blast through those 45 hours of work in two weeks and have the iPads ready to go by mid-July. I’ll let you know, dear reader, when it’s all done.
So in the style of a cookbook recipe, here are the steps taken to “bake” some iPads. If you’ve been through this before and found some shortcuts that I missed, let me know in a comment or private email (to pzingg at kentfieldschools dot org) and I’ll try it out and update this post if it worked for me. Thanks in advance for those who help.
Here’s the list of accounts, servers, applications and other tools I used.
We are a Google school, so all of these are set up in our Google Apps for Education domain. I use Google Account Manager (“GAM”) to create and manipulate bulk email accounts. The accounts we’ll need are:
- An email account for your organization’s DEP access.
- A generic Apple ID administrative email account that can accept “+” addresses, so that you can create multiple Apple IDs that communicate with a single email inbox.
- A rescue email account for the Apple IDs you will be generating.
- A device-specific email address for each shared iPad (we have 250 of these).
- A Mac laptop with a USB cable to run Apple applications, a web browser.
- A mobile phone that Apple will send you 2-factor authentication codes when you use their DEP portal.
- One or more 1o-port USB hubs or (preferably) Bretford (or other manufacturer’s) sync-and-charging stations, to be able to prepare 10-30 iPads at a time.
Cloud Servers and Services
- A SolarWinds Web Help Desk trouble ticket and inventory server to hold iPad asset and purchase information. This can be set up on any CentOS-compatible Linux server.
- A CentOS 389 Directory Server LDAP server installed to hold authentication, user and location information. I set this up on an Amazon Linux EC2 instance.
- A JAMF JSS server as the Mobile Device Management server (an MDM server is required by Apple DEP). JAMF now offers hosted subscriptions of JSS.
- Apple’s Device Enrollment Program (“DEP”) service. You need to contact Apple to get this set up for your organization.
Mac Laptop Applications
- Google Account Manager, a python script that lets us create the device-specific email accounts we will install on the shared iPads.
- Apple Configurator to update the iOS version on the iPads and to return each iPad to a clean, pre-activated state.
- Apple Script Editor with an automation script to automate the creation of Apple IDs.
- Other Tools
Google Sheets to keep track of deployment information and status
Recipe, Part I. One Time Data and Server Setup
Now that we have all the servers hardware and other tools in the kitchen, we can do some prep work. Give yourself a week to get this all done.
Step 1. Create an inventory and deployment spreadsheet. [Prep time: 1-2 hours.]
The initial data for the deployment comes from purchase order records. As we purchase devices, I put the data into our existing help desk ticket and asset inventory manager, Web Help Desk. I use Web Help Desk to keep track of which devices are for which schools and classrooms, etc.
We’re a Google Apps school, so I export the iPad records into a Google Sheet, with these columns:
- Asset Tag
- Serial No.
- Model (“Apple iPad mini 2”)
- Apple Order No. (if known)
- Purchase Order No.
- Purchase Date
- Building (school site, like “Bacich”)
- Department (to make the deployment group, like “Bacich 2nd Grade”)
- Room (like “Room 22”)
- Teacher (if assigned to a teacher; otherwise I use “Shared Use” as the teacher name)
- iPad No. (a sequential number or number based on the asset tag)
- Device Name (calculated from iPad No., like “ipad-33”)
- Username (same as the Device Name for shared devices)
- Full Name (calculated from iPad No., like “iPad 33”)
- Email address (calculated from iPad No., like “firstname.lastname@example.org”)
- Apple ID (calculated from iPad No., like “email@example.com”)
- Deployment Group (like “Bacich 2nd Grade iPads”)
And I add a bunch of status columns to keep track of things:
- DEP Eligible?
- AppleID Created?
- DEP Enrolled?
- PreStage Assigned?
- MDM Enrolled?
- Post-Enrollment Done?
- Profiles Installed?
- Apps Installed?
Step 2. Apply for and receive access to the Apple Device Enrollment Program. [Prep time: 1 hour. Cooking time: 1-2 days.]
You have to fill out an online form to get into the DEP. Apple will contact you to confirm your organization. This might take a few days. Once you are in, all of your iOS devices that were purchased with your organization’s Apple Customer ID since March 2011 should be able to be added to DEP.
When you are finally enrolled, you’ll need to give DEP a mobile phone number. Every time you need to log into DEP, it will send an authentication code via SMS and won’t let you log in until you enter this code.
Step 3. Recover unredeemed or supervised VPP app redemption codes. [Prep time: 1 email. Cooking time: 2-3 hours.]
At this time you should contact Apple to get any unredeemed VPP spreadsheet codes for apps that your organization purchased converted to “managed distribution” licenses. If you had previously redeemed VPP codes for apps on iPads that were set up as “Supervised” with Apple Configurator, you should unsupervise these iPads first, so that they will be reclaimed and so that Apple can convert them to managed distribution. I didn’t have any iPads under Configurator supervision so this saved me some time (at the cost of maybe a hundred bucks in lost VPP codes).
Step 4. Create user records on the LDAP server. [Prep time: 1-2 hours.]
I wrote a small script to parse the data in the Google Sheet and create an LDIF import file that I send to the LDAP server. For each shared iPad, I create an entry (LDAP object class “inetOrgPerson”) in the “People” tree on the LDAP server:
- Username (“uid” LDAP attribute), like “ipad-33”
- Email address (“mail” attribute), like “firstname.lastname@example.org”
- Password (“userPassword” attribute)
- Full Name (“cn”), like “iPad 33”
- First name (“givenName”), like “iPad”
- Last name (“sn”), like “33”
- Building (“physicalDeliveryOfficeName”), like “Bacich”
- Department( “departmentNumber”), like “Bacich 2nd Grade”
Once these are set up, you can connect to your LDAP server in JSS, and map the attributes in the user record to JSS attributes that will populate device records when the devices get enrolled. JSS can also install an email configuration profile on each device that will setup the email account in iOS, based on these attributes. Nice.
Step 5. Set up your MDM server. [Prep time: 1-2 hours.]
The details here are pretty vendor-specific, but I’ll explain what I had to do to get a brand new JAMF JSS server to be ready. You can connect the MDM server to the LDAP server you set up previously. You will also need to create an Apple Push Certificate, which means generating a CSR, importing it into the Apple Push Notification portal and then downloading the certificate and bringing it back into your MDM. Finally you need to add the MDM server to your DEP, which means exporting a public key from your MDM, importing it into the DEP portal (in DEP go to “Manage Servers” and click “Add MDM Server”), downloading the token for your MDM from the DEP portal and importing it into your MDM.
Once your MDM server is good with Apple (for Push Notifications and DEP), you can set up things like Buildings, Departments, configuration profiles, and (I believe this is mandatory) at least one Enrollment Profile. Note that we don’t really need to install the configuration profiles on the devices at enrollment time–they can be pushed out later once the devices are all enrolled. This will keep the wireless network traffic low while you are enrolling new devices. Which restrictions to put on iPads is another subject (maybe for another post in this series this summer).
For now I create two configuration profiles:
- A Wi-Fi profile that will tell the iPads which wireless network to connect to, what the WPA2 password is and what proxy information to use for our school network.
- A restrictions profile that disables FaceTime, iMessage and a lot of iCloud stuff that we don’t want to use.
In the MDM, I “scope” these two profiles to “All Mobile Devices”, so they will take effect right after the devices are enrolled.
Then before you are ready to enroll individual iPads, you will need to create a PreStage Enrollment profile. This is where you set up which “Setup Assistant” screens will be presented to the user when he/she/you activates the iPad. You probably also want to use these “General” settings:
- Require Authentication.
- Supervise Devices.
- Enable Pairing.
- Disallow MDM Profile Removal.
- Make MDM Profile Mandatory.
- Skip all activation Steps except “Apple ID”, because I want to have the Apple ID ready to go and don’t want my teachers to have to do this step later.
- Use “Serial Numbers” and “Enforce Mobile Device Names” under “Mobile Device Names”. Note to self: There is a feature request for JAMF to set the device name to something it can fetch from the LDAP server, but for now I think Serial Numbers is the way to go. Once we have supervision over these devices, we can use JAMF to change the device name later; at least the serial number will help me figure out which iPad is which.
Step 6. Configure an open wireless network. [Prep time: 15 minutes.]
If you can install a Wi-Fi access point temporarily with an open network, you can save yourself having to type in a password or SSID name as each iPad is enrolled.
Recipe, Part II – Batch Processing
Now we’ve gotten our kitchen equipped with one-time setups, like making a party’s worth of cookies, we will prepare and enroll our iPads in batches. I think 20 or 30 at a time is a good number to shoot for. The limiting factors for the batch size are:
- Your Wi-Fi network capacity and Internet bandwidth
- How many devices can be connected to Apple Configurator at a time through USB
- Apple ID script timeout limits (see below)
I run through each of the following steps for each batch. The times are what it seemed to take for 20 iPads.
Step 6.5 (Update!). Manually erase all content and settings to remove possible Activation Lock problems — see information below (if you know the Apple ID password on the iPad). [Cooking time: 5 minutes].
Launch the Settings app on each iPad, and try to erase all content and settings by choosing Settings > General > Reset > Erase All Content and Settings. If the device had Activation Lock enabled, you will need to provide the Apple ID and password.
Step 7. Update the iOS version for each iPad with Configurator, and get it ready for enrollment. [Prep time: 10 minutes. Cooking time: 30 minutes.]
I plan to use 3 Bretford charging stations daisy chained together via USB to do up to 30 iPads at a time. For the older style of iPad connectors, I temporarily removed the plastic holding “trays” from the Bretfords so that I have a free length of USB cable to the iPads (because of how you have to put them into recovery mode). The newer-style “lightning” USB cables are skinny and long enough to work well with the plastic trays left in the station.
Plug the USB cable from the last Bretford cart into your Mac laptop and launch Apple Configurator.
On the “Prepare” pane in Configurator, set the “Supervision” slider to “On”. click the “Set Organization Info…” button and save the name of your organization. Supervising the iPads wipes them clean and installs the latest iOS version (make sure your laptop has an internet connection, so it can fetch this from Apple). We’re going to Supervise the iPads and then Unsupervise them. This will make sure that they all start out fresh and de-activated. If there’s a simpler way to get the latest iOS on them and have them ready for DEP enrollment, please let me know! To get each iPad ready for supervision, I had to:
- Power the iPad off. Hold the top button for 5 seconds, then “Slide to power off” and wait until it’s really off (about 15 seconds).
- Put the iPad into recovery mode. This requires some dexterity. Plug in the Bretford USB connector for the iPad while the iPad is still powered off, at the same time that you hold the iPad’s Home button down. Keep holding that button down until you see the “iTunes” recovery mode screen appear.
Back in Configurator’s “Prepare” screen, click the “Prepare” button (if it’s the first time, get rid of confirmation–”all USB devices?”). You can go ahead and add more iPads while the Prepare steps are processed. In general here’s I found that this takes about 20 minutes (maybe longer if you have more than 10 iPads):
- You’ll wait 8 minutes for iOS version to be downloaded.
- Then 5 minutes for iOS version to be unpacked.
- Then 5 minutes for iOS version to be installed.
- Then a final 1-2 minutes for all the supervision checks to be completed.
Once all the checks are done, as shown in Configurator, click the Stop button. Go to Supervise pane, choose “All iPads”, right click and choose “Unsupervise”. This will reboot them all and remove all data as a last step.
Now the 10-30 iPads can be unplugged and are ready for DEP enrollment. EXCEPT you may find later that some of them won’t take (see below). I’m still trying to figure out why some don’t work after they all have been through the same process.
Step 8. Generate device-specific email addresses. [Prep time: 2 minutes. Cooking time: 2 minutes.]
I just make a text file that has a line like “gam create user ipad-33 firstname iPad lastname 33 password emailpass” for each shared iPad in it. Then it’s trivial to run the script (which calls the “GAM” application on each line) and create 20 email addresses in our Google domain in a matter of 1 or 2 minutes. Later when I install the email configuration profile in JSS, each iPad will get it’s own email address we can use to share projects created on the iPad.
Step 9. Generate device-specific Apple IDs. [Prep time: 5 minutes to customize script. Cooking time: 30 minutes for 20 Apple IDs].
This is a big hassle that will go away once iOS 9 comes out this fall. For now, each device needs an Apple ID so that we can deploy VPP apps to it. While you can in theory share an Apple ID across multiple devices, this leads to craziness (been there, done that). So to avoid going to the Apple Store or Apple ID website 250 times and filling out a lot of repetitive information, there’s an Apple Script to automate that. There are several versions floating around on the ‘net. Be aware that each version is slightly different and will only work with specific versions of ITunes. The script pumps keyboard and mouse clicks into the iTunes application. The script I use (which I have modified slightly), creates Apple IDs in the form “email@example.com”, all with a common, but cryptic password. By using a “+” email address, confirmation email messages will arrive at the base email address, “firstname.lastname@example.org” (see next step for what you have to do there).
Before you create the Apple IDs you will have to contact your Apple engineer to arrange to have your IP address whitelisted for 30 days. If you don’t Apple will refuse more than a handful of new Apple IDs per IP address per day.
Once you have the script tweaked so that it works with iTunes and has the right domain, secret question answers, and password information, you can run it in Script Editor, specify the starting and ending “ipad numbers”, and the script will generate batches of Apple IDs with sequential email addresses. Because of timing that the script allows for selecting menu items, it takes about a minute to generate each Apple ID. And there is a maximum clock time that Applescripts are allowed to run, so (at least in my environment, I can only generate about 25 new Apple IDs at a time).
Step 10. Confirm Apple ID Email Addresses. [Prep time: 10 minutes for 20 Apple IDs].
Log into the catch-all email account. Since all my Apple IDs were given addresses of the form “email@example.com”, all of the confirmation email messages will be sent to the base address, “firstname.lastname@example.org”. Log in there and look at the Inbox. You will see a message for each Apple ID you created with a subject line like “Verify your Apple ID”. Open each message and click the link that says “Verify now >”. You will be taken to the Apple ID website, where you will have to dutifully copy the email address into the Apple ID text field (why can’t they do that for us), and type or paste in the difficult-to-crack password that you specified in your Apple ID generation script. Then click the “Verify Address” button. Hopefully this becomes easier after time.
You had better not skip this step, or your newly enrolled iPads will harangue you to the ends of the earth to confirm your email address and any iCloud features will be disabled until that address is confirmed.
Step 11. Enroll the iPads in the DEP. [Prep time: 1-2 minutes for the batch if you have the serial numbers or Apple order number].
Log into DEP. Remember, you’ll have to have your mobile phone handy to be able to log in. Go to the “Manage Devices” page. Grab the serial numbers for the batch of iPads you are going to enroll from your Google Sheet and paste them into the box under “Choose Devices by Serial Number”. You can also try and enter a serial number into the Search box and press Return. If you’re lucky DEP will show you the Apple order number and you can use that to enroll a whole batch of iPads. Sometimes you’ll be unlucky and the search results dialog won’t pop up but you can still enroll by pasting the serial number into the box.
If you’re feelin’ lucky, go ahead and paste those serial numbers into the box, set the action “Assign to Server” and select your MDM server. Then click “OK”. If you typed things in correctly, you’ll get confirmation of the assignment. After devices are assigned you can go over and click “View Assignment History” and see the Apple Order Numbers there, as well (only if all the devices were on a single Order, alas).
But if you’re really unlucky, when you enter the serial numbers for enrollment, you might a dialog that says, “Couldn’t Assign Your Devices.” You can download a CSV “assignment error file” if this is the case and you’ll probably get this wonderful description for the unsuccessful devices:
My guess is that (assuming you typed in the serial numbers right), this means that your organization didn’t purchase the iPad(s) from Apple. They might have been bought on Amazon, through DonorsChoose, or even if they were bought from Apple, it wasn’t your organization that was the customer from Apple’s point of view. You can call your Apple rep, but these iPads will have to be managed the old-fashioned way, using Configurator. I’ll write up my experiences using Configurator and JAMF on another day after I finish with my 240+ DEP iPads.
Step 12. Assign iPads (now assigned to MDM) to your MDM server’s PreStage Enrollment. [Prep time: 1 minute for the batch].
Log into your MDM. In JAMF, I go to Mobile Devices, PreStage Enrollments. I select the PreStage Enrollment I set up in Part I, click the “Refresh” button, then look at the “Scope”. I click “Edit” then sort by the “Device Assigned” (time of DEP assignment) column to show the devices I just assigned in Step 11 at the top of the list. I check off the new iPads and assign them to the PreStage and then click Save.
Step 13. Enroll the iPads and do initial post-enrollment setup (only 12 steps to get here!) [Prep time: 2 minutes PER iPad plus more time to re-do the ones that burned in the oven.]
Now we’re finally ready to get the iPads enrolled (wirelessly!). From each iPad’s Hello screen, you should proceed to choose the language and the Wi-Fi network. After connecting to Wi-Fi, if all goes well, you should see a message indicating that the iPad will be managed by your organization.
This worked for me only about 85% of the time. The other 15% of the iPads showed the “Location” setup screen (which I had disabled in my PreStage), meaning that they were headed toward a non-managed activation. I don’t have a solution for why these few but significant numbers of iPads didn’t “take” the PreStage after Step 12, nor an easy way to “reset” them so they can try again.
Anyway if it works, and you opted for Authentication in your MDM PreStage setup, you will be prompted for a username and password. If you authenticate successfully to your MDM (through its LDAP connection), the MDM will assign the LDAP attributes, like username, email address, building, department, etc., to the device as it is being enrolled.
Update: Here are four more things that can go wrong (and did):
iPad is “activation locked”. “This iPad is currently linked to an Apple ID (i*****@k*****.org). Sign in with the Apple ID that was used to set up this iPad.” If you guess and type in the incorrect Apple ID you get: “Incorrect Apple ID. email@example.com cannot be used to unlock this iPad.” If the iPad was hooked up to “Find My iPad” before, or was supervised, and then erased, you can’t re-activate it without remembering the previous Apple ID. Nice if the iPad happened to be set up by an employee who has now left your school district. (This really did happen to me). In a last resort, Apple has a process that you can certify legally that the iPad is owned by the school district and you wait 7 to 10 days for them to release the lock. Sheesh. Moral of this story: ALWAYS know what Apple ID has been assigned to an iPad before you erase it! So one more step that should be inserted into the process. See the new Step 6.5 in the process above for what you can do to prevent this from happening. My next update will explain the painful Apple appeal process.
Invalid profile. After the authentication step, you might get this: “The configuration for this iPad could not be downloaded from Kentfield Elem School District. Invalid Profile.” The ones that give me this problem were probably low on battery and if you look at the clock in the status bar it’s not correct, so the TLS handshake and signing stuff is probably failing.
Activation server inaccessible. “Your iPad could not be activated because the activation server cannot
be reached.” I think that this is a system clock or other network issue that prevents the SSL handshake between the iPad and Apple’s activation server. Rebooting, charging to full battery, waiting overnight and/or wiping the iPad again eventually solved this issue.
Invalid SCEP server response. “Profile Installation Failed. The SCEP server returned an invalid response.” This was fixed by wiping (several times actually) and trying again.
On the Apple ID activation step, assuming you generated and confirmed the device-specific Apple ID, you can type in the Apple ID and password (or just skip that step).
After I’m done with the enrollment, there are a number of ways I can verify that the device was enrolled correctly:
- In JSS it now should show up in the Mobile Devices search results
- On the iPad if I go to the Settings app and click General, there is a message the the device is managed by my organization
- Also in the Settings app, you can also inspect the MDM profile and any other profiles that the MDM has installed. In our case, you should see the Wi-Fi configuration profile and you should be able to connect to the private, WPA2-protected Wi-Fi network without having to type in a password.
- On the iPad’s Home Screen, JSS installs an app named “Self Service”.
After enrollment, I do a few things on each iPad to help out teachers managed the device as a shared resource. I go to Settings, iCloud and turn off photo sharing, contacts, etc. I turn everything associated with iCloud off. But I leave the iCloud account there, so I can use “Find my iPad”.
In the meantime iOS and iTunes are bugging me to confirm the Apple ID password even though I typed it in 30 seconds ago. And they want me to tell them it’s OK to only require typing in the dang password after 15 minutes have gone by. This is a real annoyance and one I will be so glad to have disappear in the iOS 9 era.
So now after 5 days for Part 1 of the recipe (Steps 1-6), and then about 2 hours for a batch of 20 iPads in Part II (Steps 7-13), all but 3 of the batch are ready to receive apps and additional configuration profiles. In fact it took about 5 hours of solid work today to get about 30 iPads through this process (and I still haven’t set up the Apple IDs for some of them). We’ll see over the next two weeks if it gets any easier.