2015 in Review

I guess it’s worth trying to summarize what, if anything, I accomplished or at least experienced in the past year. Working in education, there’s a constant reminder to self that reflection is as important to growth and learning as absorbing new ideas and doing things.  So here goes:

Technology

As a nerd this is the most easily quantified as I look at the digital trail I’m leaving behind. In 2015 I tried out quite a few new programming platforms, languages and frameworks. I built things in the cloud with Javascript, Ruby, Python, Go, Swift, PHP, Reactive.JS and the Flux paradigm, Flask, Bootstrap, Material Design, d3 (a Javascript data visualization library), Grape (a Ruby API builder), Android and iOS SDKs, Xcode, Eclipse, Google App Engine and Google APIs, Amazon Web Services, Docker, HTTP Live Streaming (both on the client and on the server side), and static website generators (Pelican and Jekyll).

I created 5 new and updated 20 public source code repositories on Github.com.

To get acquainted with the Internet of Things, I tinkered with Arduino, the Particle Spark, RFM69 wireless chips, and the BeagleBone Black single-board computer. My electronics (and construction) tools and skills are still very rudimentary, so here’s a place for growth in the coming year.

I also got hands-on about (especially the MakerBot Replicator) 3D printers (how they work, how to calibrate them, how to repair them).

I upgraded my school district’s network to a new firewall and helped move students and staff toward a cloud-based future and away from reliance on individual workstations and physical servers (bidding farewell to 9-year-old Apple Xserves when they fail ungracefully).

Education

Because of my school district’s master plan to modernize our school campuses, I learned a lot about (and generated even more questions about) what the physical and technological demands of a 21st century classroom should be. EdCamps, Google Hangouts, and face-to-face meetings (especially with talented groups of people like those on the CETPA Edtech mailing list, BAISNet, the Stanford FabLearn attendees, and the Bay Area Maker Educators Google Plus community) helped immensely, and I hope that I might have provided a few useful comments in return.

Personal Growth

I don’t think I changed substantially for the better in 2015, but some milestones made an impact. There was an afternoon in April at a magnificent villa in Rio de Janeiro that my family and I spent reviewing touching correspondence that my late father received 40 years ago and that was essentially sealed away until recently. And my mother’s passing after a slow 10 year decline into forgetfulness and silence as sad as it was, did create opportunities to reach out to my siblings and their families and to eventually have a short but meaningful reunion on a beautiful New England October weekend.

In the dubious distinction category I logged 269 films on Letterboxd during 2015. Films continue to impart meaning to me, and my watchlist (films I need to see) grows longer every year, and I hope you had or have a chance to see some of the films on my 19-best list of 2015.

Advertisements

More fun and games (not) with iPad management

So because of Apple’s restrictions on their Device Enrollment Program (devices must have been purchased by your organization directly from AI), I have a handful of donated iPads and iPads purchased through generous and thoughtful third-party support organizations (for instance the Dedication to Special Education group) that can’t be managed via the DEP.

To keep these under my JAMF MDM management umbrella alongside the DEP devices, I must do it the old fashioned way, using Apple Configurator to “supervise” them with an enrollment profile exported from JAMF.

Problem was that after they were “prepared” and “supervised” in Configurator and magically showed up in my JAMF database, certain pieces, like the restriction profiles and the JAMF Self Service application were not showing up on the devices the way the do with the DEP devices.

After struggling awhile, the bug apparently comes down to (can you guess?): Apple IDs!

Under the JAMF Management History there were two types of failures:

  • “The app “com.jamfsoftware.selfservice” is already scheduled for management.”
  • “The iTunes Store ID of the application could not be validated.”

Turns out that to get the Self Service app on the device, the command to install the app comes from Apple (as requested by the JAMF MDM server) on a push notification, and if you’ve never set up the Apple ID fully in the iTunes App Store on the device, the command fails.

By setting up fully I mean:

  • Signing in with the Apple ID and password.
  • Changing the “Password Settings” from empty to either “Require Always” or “Require after 15 minutes.” (BTW “Require Always: seems to be Apple’s motto; I get a prompt to log in about every 30 seconds or so on these newly enrolled devices). Also it’s interesting to me that to change the password settings, you have to log in again with your Apple ID and password. Then if you’re lucky and change the password settings, you get access to the “Require Password for Free Downloads” magic slider that lets you opt out of having to sign in to “purchase” free apps (such as the JAMF Self Service).
  • Going to the App Store app and accepting the 47 pages of changed Terms and Conditions.
  • Saying “Not Now” to Apple’s pestering about setting up Family Sharing. (These are institutional iPads, not family iPads).
  • Downloading All of the “Apple Apps” (or saying “Not Now” and hoping that you remember to download them individually later). As of iOS 8.4 these are:
    • Pages
    • Numbers
    • Keynote
    • iMovie
    • GarageBand (shows up only on some iPad models)
    • iTunes U (shows up only on some iPad models)
    • Apple Store (shows up only on some iPad models)
    • Find My Friends (shows up only on some iPad models)
    • Find My iPhone (shows up only on some iPad models)
  • Keeping your fingers crossed that the “Install Self Service app” push notification will arrive in time that you don’t have to do this all over again.

Finally I learned how to jump start the process. In JAMF you have to select the device, go to Management, issue an “Update Inventory” command, and then wait.  JAMF will check the device, see that it still needs the Self Service app and issue a Self Service app install command.  Right then you have to all the “setting up fully” steps listed above.  If all is OK you will get a notice that the Self Service app will be installed.

So you wanna manage some shared iPads

Or, “Flirting With Disaster”

I have 250 shared iPads to manage for my school district, and have struggled with various simple management schemes.  When Apple announced the Device Enrollment Program last year and some of my IT friends recommended it, I decided to take the plunge.  For those who have never had the pleasure of managing iPads for a shared environment I thought it would be important to document some of the quirks as well as the official requirements for managing iPads the Apple way, which is not simple.  iPads were designed by Apple to be personal, not institutional devices, and if you need to use them in a shared setting, like we do (with between 8 and 12 iPads shared by students in a classroom), you really have to jump through some big hoops, as you’ll see below.

Compared to the Chromebooks we use in our upper grades (where you pay Google $30 one time for access to an administration console, spend one or two hours setting up organizational units and restrictions and then maybe 15 seconds per Chromebook for enrollment in your Google domain), iPad management with the DEP looks like it’s going to take about 10-15 minutes per iPad, or between 45 and 65 hours to set up 250 iPads.  It’s a factor of 40 or 60 in terms of time compared to the Chromebooks.  This will change somewhat when iOS 9 comes out, because Apple has already released some information about a per-device app licensing model that may obviate the need for setting up institution-owned Apple IDs on each iPad.

In the meantime, this summer I am lucky to have a high school intern working with me to share this load (thanks, Carter, for putting up with my rants today).  I’m hoping we can blast through those 45 hours of work in two weeks and have the iPads ready to go by mid-July. I’ll let you know, dear reader, when it’s all done.

So in the style of a cookbook recipe, here are the steps taken to “bake” some iPads.  If you’ve been through this before and found some shortcuts that I missed, let me know in a comment or private email (to pzingg at kentfieldschools dot org) and I’ll try it out and update this post if it worked for me.  Thanks in advance for those who help.

Ingredients

Here’s the list of accounts, servers, applications and other tools I used.

Email Accounts

We are a Google school, so all of these are set up in our Google Apps for Education domain. I use Google Account Manager (“GAM”) to create and manipulate bulk email accounts. The accounts we’ll need are:

  • An email account for your organization’s DEP access.
  • A generic Apple ID administrative email account that can accept “+” addresses, so that you can create multiple Apple IDs that communicate with a single email inbox.
  • A rescue email account for the Apple IDs you will be generating.
  • A device-specific email address for each shared iPad (we have 250 of these).

Hardware

  • A Mac laptop with a USB cable to run Apple applications, a web browser.
  • A mobile phone that Apple will send you 2-factor authentication codes when you use their DEP portal.
  • One or more 1o-port USB hubs or (preferably) Bretford (or other manufacturer’s) sync-and-charging stations, to be able to prepare 10-30 iPads at a time.

Cloud Servers and Services

  • A SolarWinds Web Help Desk trouble ticket and inventory server to hold iPad asset and purchase information. This can be set up on any CentOS-compatible Linux server.
  • A CentOS 389 Directory Server LDAP server installed to hold authentication, user and location information. I set this up on an Amazon Linux EC2 instance.
  • A JAMF JSS server as the Mobile Device Management server (an MDM server is required by Apple DEP). JAMF now offers hosted subscriptions of JSS.
  • Apple’s Device Enrollment Program (“DEP”) service. You need to contact Apple to get this set up for your organization.

Mac Laptop Applications

  • Google Account Manager, a python script that lets us create the device-specific email accounts we will install on the shared iPads.
  • Apple Configurator to update the iOS version on the iPads and to return each iPad to a clean, pre-activated state.
  • Apple Script Editor with an automation script to automate the creation of Apple IDs.
  • Other Tools
    Google Sheets to keep track of deployment information and status

Recipe, Part I. One Time Data and Server Setup

Now that we have all the servers hardware and other tools in the kitchen, we can do some prep work. Give yourself a week to get this all done.

Step 1. Create an inventory and deployment spreadsheet. [Prep time: 1-2 hours.]

The initial data for the deployment comes from purchase order records. As we purchase devices, I put the data into our existing help desk ticket and asset inventory manager, Web Help Desk. I use Web Help Desk to keep track of which devices are for which schools and classrooms, etc.

We’re a Google Apps school, so I export the iPad records into a Google Sheet, with these columns:

  • Asset Tag
  • Serial No.
  • Model (“Apple iPad mini 2”)
  • Apple Order No. (if known)
  • Purchase Order No.
  • Purchase Date
  • Building (school site, like “Bacich”)
  • Department (to make the deployment group, like “Bacich 2nd Grade”)
  • Room (like “Room 22”)
  • Teacher (if assigned to a teacher; otherwise I use “Shared Use” as the teacher name)
  • iPad No. (a sequential number or number based on the asset tag)
  • Device Name (calculated from iPad No., like “ipad-33”)
  • Username (same as the Device Name for shared devices)
  • Full Name (calculated from iPad No., like “iPad 33”)
  • Email address (calculated from iPad No., like “ipad-33@mydomain.org”)
  • Apple ID (calculated from iPad No., like “ipad+0033@mydomain.org”)
  • Deployment Group (like “Bacich 2nd Grade iPads”)

And I add a bunch of status columns to keep track of things:

  • DEP Eligible?
  • AppleID Created?
  • DEP Enrolled?
  • PreStage Assigned?
  • MDM Enrolled?
  • Post-Enrollment Done?
  • Profiles Installed?
  • Apps Installed?

Step 2. Apply for and receive access to the Apple Device Enrollment Program. [Prep time: 1 hour. Cooking time: 1-2 days.]

You have to fill out an online form to get into the DEP. Apple will contact you to confirm your organization. This might take a few days. Once you are in, all of your iOS devices that were purchased with your organization’s Apple Customer ID since March 2011 should be able to be added to DEP.

When you are finally enrolled, you’ll need to give DEP a mobile phone number. Every time you need to log into DEP, it will send an authentication code via SMS and won’t let you log in until you enter this code.

Step 3. Recover unredeemed or supervised VPP app redemption codes. [Prep time: 1 email. Cooking time: 2-3 hours.]

At this time you should contact Apple to get any unredeemed VPP spreadsheet codes for apps that your organization purchased converted to “managed distribution” licenses. If you had previously redeemed VPP codes for apps on iPads that were set up as “Supervised” with Apple Configurator, you should unsupervise these iPads first, so that they will be reclaimed and so that Apple can convert them to managed distribution. I didn’t have any iPads under Configurator supervision so this saved me some time (at the cost of maybe a hundred bucks in lost VPP codes).

Step 4. Create user records on the LDAP server. [Prep time: 1-2 hours.]

I wrote a small script to parse the data in the Google Sheet and create an LDIF import file that I send to the LDAP server. For each shared iPad, I create an entry (LDAP object class “inetOrgPerson”) in the “People” tree on the LDAP server:

  • Username (“uid” LDAP attribute), like “ipad-33”
  • Email address (“mail” attribute), like “ipad-33@mydomain.org”
  • Password (“userPassword” attribute)
  • Full Name (“cn”), like “iPad 33”
  • First name (“givenName”), like “iPad”
  • Last name (“sn”), like “33”
  • Building (“physicalDeliveryOfficeName”), like “Bacich”
  • Department( “departmentNumber”), like “Bacich 2nd Grade”

Once these are set up, you can connect to your LDAP server in JSS, and map the attributes in the user record to JSS attributes that will populate device records when the devices get enrolled. JSS can also install an email configuration profile on each device that will setup the email account in iOS, based on these attributes. Nice.

Step 5. Set up your MDM server. [Prep time: 1-2 hours.]

The details here are pretty vendor-specific, but I’ll explain what I had to do to get a brand new JAMF JSS server to be ready. You can connect the MDM server to the LDAP server you set up previously. You will also need to create an Apple Push Certificate, which means generating a CSR, importing it into the Apple Push Notification portal and then downloading the certificate and bringing it back into your MDM. Finally you need to add the MDM server to your DEP, which means exporting a public key from your MDM, importing it into the DEP portal (in DEP go to “Manage Servers” and click “Add MDM Server”), downloading the token for your MDM from the DEP portal and importing it into your MDM.

Once your MDM server is good with Apple (for Push Notifications and DEP), you can set up things like Buildings, Departments, configuration profiles, and (I believe this is mandatory) at least one Enrollment Profile. Note that we don’t really need to install the configuration profiles on the devices at enrollment time–they can be pushed out later once the devices are all enrolled. This will keep the wireless network traffic low while you are enrolling new devices. Which restrictions to put on iPads is another subject (maybe for another post in this series this summer).

For now I create two configuration profiles:

  • A Wi-Fi profile that will tell the iPads which wireless network to connect to, what the WPA2 password is and what proxy information to use for our school network.
  • A restrictions profile that disables FaceTime, iMessage and a lot of iCloud stuff that we don’t want to use.

In the MDM, I “scope” these two profiles to “All Mobile Devices”, so they will take effect right after the devices are enrolled.

Then before you are ready to enroll individual iPads, you will need to create a PreStage Enrollment profile. This is where you set up which “Setup Assistant” screens will be presented to the user when he/she/you activates the iPad. You probably also want to use these “General” settings:

  • Require Authentication.
  • Supervise Devices.
  • Enable Pairing.
  • Disallow MDM Profile Removal.
  • Make MDM Profile Mandatory.
  • Skip all activation Steps except “Apple ID”, because I want to have the Apple ID ready to go and don’t want my teachers to have to do this step later.
  • Use “Serial Numbers” and “Enforce Mobile Device Names” under “Mobile Device Names”. Note to self: There is a feature request for JAMF to set the device name to something it can fetch from the LDAP server, but for now I think Serial Numbers is the way to go. Once we have supervision over these devices, we can use JAMF to change the device name later; at least the serial number will help me figure out which iPad is which.

Step 6. Configure an open wireless network. [Prep time: 15 minutes.]

If you can install a Wi-Fi access point temporarily with an open network, you can save yourself having to type in a password or SSID name as each iPad is enrolled.

Recipe, Part II – Batch Processing

Now we’ve gotten our kitchen equipped with one-time setups, like making a party’s worth of cookies, we will prepare and enroll our iPads in batches. I think 20 or 30 at a time is a good number to shoot for. The limiting factors for the batch size are:

  • Your Wi-Fi network capacity and Internet bandwidth
  • How many devices can be connected to Apple Configurator at a time through USB
  • Apple ID script timeout limits (see below)

I run through each of the following steps for each batch. The times are what it seemed to take for 20 iPads.

Step 6.5 (Update!). Manually erase all content and settings to remove possible Activation Lock problems — see information below (if you know the Apple ID password on the iPad). [Cooking time: 5 minutes].

Launch the Settings app on each iPad, and try to erase all content and settings by choosing Settings > General > Reset > Erase All Content and Settings. If the device had Activation Lock enabled, you will need to provide the Apple ID and password.

Step 7. Update the iOS version for each iPad with Configurator, and get it ready for enrollment. [Prep time: 10 minutes. Cooking time: 30 minutes.]

I plan to use 3 Bretford charging stations daisy chained together via USB to do up to 30 iPads at a time. For the older style of iPad connectors, I temporarily removed the plastic holding “trays” from the Bretfords so that I have a free length of USB cable to the iPads (because of how you have to put them into recovery mode). The newer-style “lightning” USB cables are skinny and long enough to work well with the plastic trays left in the station.

Plug the USB cable from the last Bretford cart into your Mac laptop and launch Apple Configurator.

On the “Prepare” pane in Configurator, set the “Supervision” slider to “On”. click the “Set Organization Info…” button and save the name of your organization. Supervising the iPads wipes them clean and installs the latest iOS version (make sure your laptop has an internet connection, so it can fetch this from Apple). We’re going to Supervise the iPads and then Unsupervise them. This will make sure that they all start out fresh and de-activated. If there’s a simpler way to get the latest iOS on them and have them ready for DEP enrollment, please let me know! To get each iPad ready for supervision, I had to:

  • Power the iPad off. Hold the top button for 5 seconds, then “Slide to power off” and wait until it’s really off (about 15 seconds).
  • Put the iPad into recovery mode. This requires some dexterity. Plug in the Bretford USB connector for the iPad while the iPad is still powered off, at the same time that you hold the iPad’s Home button down. Keep holding that button down until you see the “iTunes” recovery mode screen appear.

Back in Configurator’s “Prepare” screen, click the “Prepare” button (if it’s the first time, get rid of confirmation–”all USB devices?”). You can go ahead and add more iPads while the Prepare steps are processed. In general here’s I found that this takes about 20 minutes (maybe longer if you have more than 10 iPads):

  • You’ll wait 8 minutes for iOS version to be downloaded.
  • Then 5 minutes for iOS version to be unpacked.
  • Then 5 minutes for iOS version to be installed.
  • Then a final 1-2 minutes for all the supervision checks to be completed.

Once all the checks are done, as shown in Configurator, click the Stop button. Go to Supervise pane, choose “All iPads”, right click and choose “Unsupervise”. This will reboot them all and remove all data as a last step.

Now the 10-30 iPads can be unplugged and are ready for DEP enrollment. EXCEPT you may find later that some of them won’t take (see below). I’m still trying to figure out why some don’t work after they all have been through the same process.

Step 8. Generate device-specific email addresses. [Prep time: 2 minutes. Cooking time: 2 minutes.]

I just make a text file that has a line like “gam create user ipad-33 firstname iPad lastname 33 password emailpass” for each shared iPad in it. Then it’s trivial to run the script (which calls the “GAM” application on each line) and create 20 email addresses in our Google domain in a matter of 1 or 2 minutes. Later when I install the email configuration profile in JSS, each iPad will get it’s own email address we can use to share projects created on the iPad.

Step 9. Generate device-specific Apple IDs. [Prep time: 5 minutes to customize script. Cooking time: 30 minutes for 20 Apple IDs].

This is a big hassle that will go away once iOS 9 comes out this fall. For now, each device needs an Apple ID so that we can deploy VPP apps to it. While you can in theory share an Apple ID across multiple devices, this leads to craziness (been there, done that). So to avoid going to the Apple Store or Apple ID website 250 times and filling out a lot of repetitive information, there’s an Apple Script to automate that. There are several versions floating around on the ‘net. Be aware that each version is slightly different and will only work with specific versions of ITunes. The script pumps keyboard and mouse clicks into the iTunes application. The script I use (which I have modified slightly), creates Apple IDs in the form “ipad+0033@mydomain.org”, all with a common, but cryptic password. By using a “+” email address, confirmation email messages will arrive at the base email address, “ipad@mydomain.org” (see next step for what you have to do there).

Before you create the Apple IDs you will have to contact your Apple engineer to arrange to have your IP address whitelisted for 30 days. If you don’t Apple will refuse more than a handful of new Apple IDs per IP address per day.

Once you have the script tweaked so that it works with iTunes and has the right domain, secret question answers, and password information, you can run it in Script Editor, specify the starting and ending “ipad numbers”, and the script will generate batches of Apple IDs with sequential email addresses. Because of timing that the script allows for selecting menu items, it takes about a minute to generate each Apple ID. And there is a maximum clock time that Applescripts are allowed to run, so (at least in my environment, I can only generate about 25 new Apple IDs at a time).

Step 10. Confirm Apple ID Email Addresses. [Prep time: 10 minutes for 20 Apple IDs].

Log into the catch-all email account. Since all my Apple IDs were given addresses of the form “ipad+0033@mydomain.org”, all of the confirmation email messages will be sent to the base address, “ipad@mydomain.org”. Log in there and look at the Inbox. You will see a message for each Apple ID you created with a subject line like “Verify your Apple ID”. Open each message and click the link that says “Verify now >”. You will be taken to the Apple ID website, where you will have to dutifully copy the email address into the Apple ID text field (why can’t they do that for us), and type or paste in the difficult-to-crack password that you specified in your Apple ID generation script. Then click the “Verify Address” button. Hopefully this becomes easier after time.

You had better not skip this step, or your newly enrolled iPads will harangue you to the ends of the earth to confirm your email address and any iCloud features will be disabled until that address is confirmed.

Step 11. Enroll the iPads in the DEP. [Prep time: 1-2 minutes for the batch if you have the serial numbers or Apple order number].

Log into DEP. Remember, you’ll have to have your mobile phone handy to be able to log in. Go to the “Manage Devices” page. Grab the serial numbers for the batch of iPads you are going to enroll from your Google Sheet and paste them into the box under “Choose Devices by Serial Number”. You can also try and enter a serial number into the Search box and press Return. If you’re lucky DEP will show you the Apple order number and you can use that to enroll a whole batch of iPads. Sometimes you’ll be unlucky and the search results dialog won’t pop up but you can still enroll by pasting the serial number into the box.

If you’re feelin’ lucky, go ahead and paste those serial numbers into the box, set the action “Assign to Server” and select your MDM server. Then click “OK”. If you typed things in correctly, you’ll get confirmation of the assignment. After devices are assigned you can go over and click “View Assignment History” and see the Apple Order Numbers there, as well (only if all the devices were on a single Order, alas).

But if you’re really unlucky, when you enter the serial numbers for enrollment, you might a dialog that says, “Couldn’t Assign Your Devices.” You can download a CSV “assignment error file” if this is the case and you’ll probably get this wonderful description for the unsuccessful devices:

“NOT_ACCESSIBLE”

My guess is that (assuming you typed in the serial numbers right), this means that your organization didn’t purchase the iPad(s) from Apple. They might have been bought on Amazon, through DonorsChoose, or even if they were bought from Apple, it wasn’t your organization that was the customer from Apple’s point of view. You can call your Apple rep, but these iPads will have to be managed the old-fashioned way, using Configurator. I’ll write up my experiences using Configurator and JAMF on another day after I finish with my 240+ DEP iPads.

Step 12. Assign iPads (now assigned to MDM) to your MDM server’s PreStage Enrollment. [Prep time: 1 minute for the batch].

Log into your MDM. In JAMF, I go to Mobile Devices, PreStage Enrollments. I select the PreStage Enrollment I set up in Part I, click the “Refresh” button, then look at the “Scope”. I click “Edit” then sort by the “Device Assigned” (time of DEP assignment) column to show the devices I just assigned in Step 11 at the top of the list. I check off the new iPads and assign them to the PreStage and then click Save.

Step 13. Enroll the iPads and do initial post-enrollment setup (only 12 steps to get here!) [Prep time: 2 minutes PER iPad plus more time to re-do the ones that burned in the oven.]

Now we’re finally ready to get the iPads enrolled (wirelessly!). From each iPad’s Hello screen, you should proceed to choose the language and the Wi-Fi network. After connecting to Wi-Fi, if all goes well, you should see a message indicating that the iPad will be managed by your organization.

This worked for me only about 85% of the time. The other 15% of the iPads showed the “Location” setup screen (which I had disabled in my PreStage), meaning that they were headed toward a non-managed activation. I don’t have a solution for why these few but significant numbers of iPads didn’t “take” the PreStage after Step 12, nor an easy way to “reset” them so they can try again.

Anyway if it works, and you opted for Authentication in your MDM PreStage setup, you will be prompted for a username and password. If you authenticate successfully to your MDM (through its LDAP connection), the MDM will assign the LDAP attributes, like username, email address, building, department, etc., to the device as it is being enrolled.

Update: Here are four more things that can go wrong (and did):

iPad is “activation locked”.  “This iPad is currently linked to an Apple ID (i*****@k*****.org). Sign in with the Apple ID that was used to set up this iPad.” If you guess and type in the incorrect Apple ID you get: “Incorrect Apple ID. email_address@kentfieldschools.org cannot be used to unlock this iPad.” If the iPad was hooked up to “Find My iPad” before, or was supervised, and then erased, you can’t re-activate it without remembering the previous Apple ID.  Nice if the iPad happened to be set up by an employee who has now left your school district. (This really did happen to me). In a last resort, Apple has a process that you can certify legally that the iPad is owned by the school district and you wait 7 to 10 days for them to release the lock.  Sheesh. Moral of this story: ALWAYS know what Apple ID has been assigned to an iPad before you erase it!  So one more step that should be inserted into the process.  See the new Step 6.5 in the process above for what you can do to prevent this from happening.  My next update will explain the painful Apple appeal process.

Invalid profile. After the authentication step, you might get this: “The configuration for this iPad could not be downloaded from Kentfield Elem School District. Invalid Profile.” The ones that give me this problem were probably low on battery and if you look at the clock in the status bar it’s not correct, so the TLS handshake and signing stuff is probably failing.

Activation server inaccessible. “Your iPad could not be activated because the activation server cannot
be reached.”  I think that this is a system clock or other network issue that prevents the SSL handshake between the iPad and Apple’s activation server.  Rebooting, charging to full battery, waiting overnight and/or wiping the iPad again eventually solved this issue.

Invalid SCEP server response.  “Profile Installation Failed. The SCEP server returned an invalid response.”  This was fixed by wiping (several times actually) and trying again.

On the Apple ID activation step, assuming you generated and confirmed the device-specific Apple ID, you can type in the Apple ID and password (or just skip that step).

After I’m done with the enrollment, there are a number of ways I can verify that the device was enrolled correctly:

  • In JSS it now should show up in the Mobile Devices search results
  • On the iPad if I go to the Settings app and click General, there is a message the the device is managed by my organization
  • Also in the Settings app, you can also inspect the MDM profile and any other profiles that the MDM has installed. In our case, you should see the Wi-Fi configuration profile and you should be able to connect to the private, WPA2-protected Wi-Fi network without having to type in a password.
  • On the iPad’s Home Screen, JSS installs an app named “Self Service”.

After enrollment, I do a few things on each iPad to help out teachers managed the device as a shared resource. I go to Settings, iCloud and turn off photo sharing, contacts, etc. I turn everything associated with iCloud off. But I leave the iCloud account there, so I can use “Find my iPad”.

In the meantime iOS and iTunes are bugging me to confirm the Apple ID password even though I typed it in 30 seconds ago. And they want me to tell them it’s OK to only require typing in the dang password after 15 minutes have gone by. This is a real annoyance and one I will be so glad to have disappear in the iOS 9 era.

So now after 5 days for Part 1 of the recipe (Steps 1-6), and then about 2 hours for a batch of 20 iPads in Part II (Steps 7-13), all but 3 of the batch are ready to receive apps and additional configuration profiles. In fact it took about 5 hours of solid work today to get about 30 iPads through this process (and I still haven’t set up the Apple IDs for some of them).  We’ll see over the next two weeks if it gets any easier.

Beaglemania, Day 1

Beaglebone Black
Beaglebone Black

Just purchased a BeagleBone Black kit from MakerShed as part of my retirement planning (entering a 4th career phase as a tinkerer/coding teacher).

First off, had a bit of a problem finding a 5V DC power supply. One that I spent $25 on didn’t work, then found a “Verizon” 4A power adapter recommended by another Beagler. Meantime I’m testing out the networking of the little guy.

# opkg update
# opkg upgrade

That took about 3 hours, but in the midst of it, the ethernet connection was established, and I could find out the IP address of the Bone by using nmap. So far so good.

Changed the timezone (thanks, dwatts):

# cd /etc/
# rm localtime
# ln -s /usr/share/zoneinfo/America/Los_Angeles localtime

Now I’m installing emacs and trying to get the Realtek wi-fi dongle to work with my home network.  Apparently emacs doesn’t work (swallows keystrokes when used over ssh).  So I’ll have to learn nano.

The wi-fi connection is a mess.  The opkg upgrade did seem to install the realtek drivers.  Then you modify /var/lib/connman/wifi.config, and hope you put in the right parameters.  I have to reboot everytime I change this file. Then you might try removing the ethernet cable,  or just use a heftier (2A minimum) power supply, or turn off powersave for wlan0 (on startup?),:

# iw wlan0 set power_save off

Or you might have to disable IPv6 (how?).  Here’s some information from dmesg (and a little help for the reason codes):

[ 22.481941] wlan0: authenticate with 88:1f:a1:44:f3:ec
[ 22.527731] wlan0: authenticated
[ 27.594450] wlan0: deauthenticated from 88:1f:a1:44:f3:ec (Reason: 2) <- not authorized
[ 27.820069] wlan0: authenticate with cc:a4:62:cb:9b:f0
[ 28.449651] wlan0: authentication with cc:a4:62:cb:9b:f0 timed out
[ 29.338261] wlan0: authenticate with 88:1f:a1:44:f3:ec
[ 29.399841] wlan0: authenticated
[ 29.595382] wlan0: deauthenticating from 88:1f:a1:44:f3:ec by local choice (reason=3) <- went offline

Here are the packages I have installed manually:

# opkg install wireless-tools python-pip python-setuptools python-smbus
# pip install Adafruit_BBIO

Fun fact of the day: If the Beaglebone is plugged into an ethernet network, it broadcasts its name using Bonjour.  So you can do this if you’re on the same subnet (like on a Mac in the Terminal):

# ping beaglebone.local
# ssh root@beaglebone.local

Or open Cloud9 by going to http://beaglebone.local:3000 (!)

Educators as Self-Directed Learners and Collaborative Communicators

Sharing

I had the pleasure of spending three hours with Marin County educators and our special guest, George Couros, the Division Principal of Innovative Teaching and Learning at Parkland School Division in Alberta, Canada. The discussions and presentation that George brought were thought-provoking, and I’m sure everyone who attended had a busy mind throughout the hours after the meeting.

Update: Eric Saibel spent his post-George evening putting together a very good summary of the roundtable and presentation.

Here are some of the ideas I took away from the afternoon:

  • Everyone in the education community needs to be on a continual learning path (students, teachers, administrators, board members and parents). When you get to the point where you know it all, you really should change jobs. If administrators and teachers can model learning themselves, it will start to create a culture of innovation.
  • To explain to others why innovation might improve learning for students, you have to be convinced yourself and communicate ideas from the heart. Blogging and getting involved in discussions can help hone your ideas.
  • There is tremendous power in one-on-one learning for staff (or even small group learning) where teachers and administrators can ask questions and work on solutions relevant to their practice.
  • Isolation is a choice that educators make. Sharing through blogging and Twitter makes learning happen faster; we can learn so much more from sharing with others and from others.
  • There’s also a great benefit of transparency if teachers and educators consistently use a district Twitter hashtag to connect educators, students, parents, community, as well as to invite in educators from around the world to share their learning. Everyone in George’s district uses the #psd70 hashtag whenever they post information about what they are learning.

Right before I went to George’s roundtable and presentation, I had been working on our new elementary school report cards, which were developed collaboratively by our teaching staff and a consultant from the County Office of Education. The teachers decided that two profiles that students would be assessed on are the “Self-Directed Learner” and the “Collaborative Communicator”. I suddenly had a brainstorm that these categories would also be relevant for our staff, and that maybe I should start assessing my own abilities and actions according to these profiles. For example, here are the standards that we will be assessing our fourth graders on:

Self-Directed Learner

  • Works toward personal best
  • Demonstrates self-control
  • Respects classroom expectations
  • Respects school expectations
  • Works independently
  • Stays on task
  • Organizes self and materials
  • Completes classwork on time
  • Completes homework on time
  • Checks work for accuracy
  • Presents work neatly and legibly

Collaborative Communicator

  • Recognizes and respects authority
  • Communicates respectfully
  • Follows directions
  • Listens attentively
  • Contributes relevant ideas to discussions
  • Works with diverse partners
  • Applies constructive feedback

When I thought of how I would start to evaluate my own performance, I also thought of the norms that our Board of Trustees grades itself on:

  • Focus on the best interest of all students at every grade level
  • Begin and end on time
  • Work as a team
  • Respect and listen to all options, opinions, and styles
  • Actively participate in meetings, workshops and district events
  • Come prepared and be fully present and engaged
  • Be open to new ideas
  • Exhibit positive body language, mannerism, and tone of voice
  • Engage in active listening; do not interrupt; avoid side conversations
  • Disagree agreeably
  • No surprises
  • Assume good will

So maybe here is the beginning of a self-assessment report card for educators, incorporating what I learned from George:

Self-Directed Learner

  • Is open to new ideas
  • Is always looking for ways to improve student engagement and learning
  • Is always looking for ways to reach each student or staff person in his or her own learning process
  • Questions his or her own comfort
  • Is not afraid to play and experiment if he or she doesn’t know the answer
  • Is persistent in finding solutions to problems
  • Reaches out to peers and mentors face-to-face and through social networks to learn from others

Communicative Collaborator

  • Communicates from the heart
  • Avoids isolation
  • Shares with others regularly face-to-face and through social networks
  • Respects and listens to all options, opinions, and styles
  • Is not afraid to disagree agreeably
  • Builds teams with peers

So, for you educator readers, what other standards should we be using to gauge our effectiveness as learners and communicators?