I talked to several of you at JNUC 2012 and ACPE 2013 about how I’ve used Casper to “push” App Store apps out to iPads wirelessly without requiring the end user to enter an Apple ID or a password. I thought I’d share the current step-by-step process that has been working for me in our iPad pilot since the start of the 2012-13 school year.
Yes, it is a long process. But once everything is set up, you only need to do a few steps to upload and push out new apps to groups of your iPads OTA. I can set up a new app and have it ready to distribute to all of my iPads in about 3 minutes.
Is this the perfect way to deploy apps? No. There are pros and cons to this process like anything else. I’m not here to discuss whether it is the “right way” or “wrong way” of doing things. There are definitely some caveats. I’m just sharing these instructions to show that it is technically possible to do so with Casper’s tools, and might be something you may want to consider depending on your deployment plan.
DISCLAIMER: This process is not supported by JAMF or by Apple. They are both aware of this workaround and have told me that if it ever stops working they won’t be able to help. Its been working just fine for me the past 8-9 months (since August 2012). Other MDM providers have a similar workaround and I’ve talked to several folks who have been doing it on other MDMs for over a year. The process below is what has been working for me with the Casper Suite v8.6 and v8.7.
WARRANTY: There is none. Use at your own risk.
IMPORTANT: This process will only work if the (1) imaging computer, (2) master iPad “image” (i.e. encrypted backup), and (3) App Store app purchases are all linked to the same “master” Apple ID at the time of imaging/restoring the iPad. Once the iPad has been “imaged” with the steps below, you can log off the school’s “master” Apple ID on the iPad and the process will still work. So you can use this process if you want to have a 1-to-1 “Layered Ownership” deployment model. For example your school or district could use this method to “push” paid apps when VPP codes have been purchased so that your organization maintains ownership of the apps, but have teachers and students use their own Apple IDs to download free apps from the App Store.
Phase 1: The Initial Setup
Set up an imaging computer. Authorize iTunes with your school’s “master” Apple ID (iTunes -> Store -> Authorize This Computer). If you are going to image a large number of iPads and need a lot of imaging computers, you will want to contact your Apple SE to allow you to authorize more than 5 computers with this “master” Apple ID (the normal limit is 10 devices, but only 5 of them can be computers... have Apple temporarily lift that limit to the number of imaging computers you plan to use for your initial deployment).
Set up a web server folder where you can upload app .ipa files (iPads will be downloading apps from this location). If you don’t have a web server available, you can upload directly to the JSS (the JSS upload works for most apps, but in testing last fall there were several apps that didn’t upload properly for me. I’ve heard of other issues too with uploading directly to the JSS. The web server process has worked 100% of the time for me so that is the process that I will focus on below).
Build a master “image” on a new iPad. For a faster imaging/restore process (outlined in Step 7 below), don’t install too many apps on this master “image” (they can be installed later). Configuration profiles can also be sent out later. Some things you may want to include in the master image:
--a. WiFi setting (required for OTA enrollment into the JSS)
--b. At least one iPad app using your school’s “master” Apple ID
--c. Safari bookmarks
--d. Casper enrollment webclip or bookmark (unless you plan to enroll with Apple Configurator)
--e. Adjust various preferences in SettingsSync the iPad with iTunes on your imaging computer. Be sure to select Automatically sync apps to my iPad.
Make an encrypted backup of the master iPad on the imaging computer. Make sure it is encrypted (in the iTunes Summary screen, scroll down and select "Encrypt local backup"). Encrypting the backup saves many of the usernames and passwords entered during the building of the master iPad. You might want to duplicate and store a copy of this backup in another location in case it needs to be used again. It is located in ~/Library/Application Support/MobileDevice/Backup.
Disable automatic backups in iTunes.
--a. Quit iTunes
--b. Open Terminal
--c. Type or copy/paste the line below:
defaults write com.apple.iTunes AutomaticDeviceBackupsDisabled -bool true
--d. This will prevent automatic backups from running. You can still manually run backups by Ctrl+clicking the device in iTunes and selecting “Back up.” If you ever want to change iTunes back to running auto backups, copy/paste the same code above, but change “true” to “false.”Activate and restore the encrypted backup to new iPads.
--a. Launch iTunes
--b. Plug an iPad into the imaging computer. It will show up under Devices in iTunes.
--c. If it prompts you to activate and register the iPad, enter the “master” Apple ID and password to register the device. If there is an iOS update available then click the restore button from the summary screen in iTunes to update it. Once the iOS upgrade is complete, the iPad will reboot.
--d. Perform a restore from the "master" backup (created in Step 5 above).
--e. The iPad will reboot once more when this is complete.
--f. Now the device will start to sync any apps that were added on your “master” iPad image.
--g. When syncing is complete, change the name the iPad by highlighting the name in the left column of iTunes and typing a new name (to whatever your naming convention will be). Then eject the iPad.Enroll the iPad into the JSS. You can enroll it via Configurator with an enrollment profile, or hand the iPad to the user and have him/her enroll it via a Casper enrollment webclip or bookmark.
At this point you have completed the initial setup and deployment of an iPad, ready to be handed over to the end user. The iPad is now configured to accept apps that you “push” out to it.
Phase 2: Pushing The App
For paid apps, you must be enrolled in Apple’s Volume Purchase Program. Only scope to the number of iPads that you have purchased VPP codes for.
On page 23 of Apple's iOS 6 Education Deployment Guide it states, "For app purchases, education institutions have the option of redeeming one app code per iTunes authorized computer, or “configuration station,” and retaining the rest of the codes as proof of purchase. For these configuration stations, the End User iTunes account may be created using a school-controlled email address, and the configuration station administrator should be an authorized user."
We’re going to do something similar to that.
On the imaging computer (which was activated with the school’s “master” Apple ID), use the iTunes store to download an iPad app (for paid apps, redeem one VPP code). These downloaded apps will be located at ~/Music/iTunes/Mobile Applications. After downloading the app (or multiple apps), make a copy the .ipa file, and place the copy on your Desktop. Work from the copied file on your Desktop (just in case something goes wrong in the process, you still have the original .ipa file in your Mobile Applications folder).
Get information about the app file for the JSS.
--a. From your copied .ipa file on the Desktop, change the file extension from .ipa to .zip.
--b. Double-click on the .zip file to open it.
--c. Double-click on the iTunesMetadata file. Keep this TextEdit file open. In the next step you will need the information in this file under (1) playlistName, (2) bundleVersion, and (3) softwareVersionBundleID.Add the app.
--a. Click Management -> Mobile Device App Catalog -> Add App
--b. Select In-house app and click Continue.
--c. From the TextEdit file (from Step 2c above) copy/paste the following:
----I. App Name = playlistName
----II. Bundle ID = softwareVersionBundleID (sometimes called bundleVersion)
----III.Version = bundleShortVersionString
--d. Choose a deployment method (Self Service or Prompt User). If you are deploying to a large number of devices OTA, the Self Service option may be better so that all devices aren’t downloading at once. For example, choosing Prompt User when trying to send out an app like The Elements (which is 1.7 GB in size) to several hundred devices in your school at once might not be a good idea.
--e. Check boxes as needed (managed app, remove app, etc)
--f. Upload the .ipa file.
----I. Next to Icon, click on Upload icon. Click Choose File. Navigate to your Desktop copied folder and go into the unzipped app folder. Highlight iTunesArtwork and click Choose. Then click Upload Selected File.
----II. Copy the .ipa file from ~/Music/iTunes/Mobile Applications up to your web server location.
----III. Choose Hosting Location -> Host on web server.
----IV. Next to URL to IPA File, enter the URL of the .ipa location of the web server you set up earlier.
----V. Scope it to the appropriate group of iPads. For paid apps, be sure you have purchased the same number of VPP codes as the number of iPads you are scoping to.
----VI. Click Save.
If you chose Prompt User in Step 10d above, the end user will receive an APN pop-up message that will require the user to click a button to install the app. No Apple ID to enter. No password to enter. Just a single click on the Install button and the app will install. If you chose Self Service, the user will use the iPad Self Service app and click on the In House App tab to install the app. They will also receive an APN pop-up message requiring the click to install. No Apple ID or password required.
Phase 3: Updating Apps
When app updates are available, I’ve been posting the updates to Self Service (the end user is not able to update the app via the App Store). Here’s how I’ve been updating apps.
In iTunes on your imaging computer, on the left side under Library select Apps.
In the bottom right corner, click on the button that says “xx Updates Available”
Make note of the app(s) that you will update (so that you know which ones in the JSS you need to edit).
Click Get Update on the app(s) that you would like to update. This will download new .ipa files into ~/Music/iTunes/Mobile Applications.
Upload the new .ipa file to your web server.
In the JSS, edit the App Catalog listing for the app (Note: Do NOT delete the app listing in the JSS. Choose Edit). Confirm that the App Name, Bundle ID, and Version match the info in the new iTunesMetadata file (usually its just the version number that changes, but sometimes the app name changes too so double check both of them). Make changes as needed.
If needed, change the deployment method to Self Service.
Next to URL to IPA File, enter the new URL of the .ipa location on the web server (usually the version number is included in the file name, so that will probably be the only part in the URL that needs to be changed).
Click Save. The end user will now see the update listed in Self Service under the Updates tab.
That’s it!
Again, I am not saying that this process is the best way or right way to distribute iOS apps. It is just one undocumented way of deploying apps with Casper where school districts or other educational institutions need to maintain ownership and control of paid apps. It has its pros and cons like everything else but might work for you depending on your deployment scenario.
I hope that Apple makes it easier for us iPad administrators to deploy apps in the future. Until then, this is one process that may interest you.
Enjoy,
~Joe
