
Hi All,

I thought I'd share the workflow I used this week to set up and deploy a few hundred new shared student iPads in carts using the new Apple Configurator 2, DEP, VPP MD, and the latest version of JSS (v9.81) without using Apple IDs. I couldn't find any step-by-step documentation online, so I typed up my own. I thought I'd summarize and share what I did in hopes that it helps some of you who are just getting started with the new Apple Configurator 2.

Here's the workflow I used this week.

Before you get started...
Be sure you are signed up for Apple's Deployment Programs at http://deploy.apple.com . Link up your JSS with DEP, and set up VPP in your JSS too. For help on Apple's Deployment Programs, visit http://help.apple.com/deployment/programs/ . For help setting up DEP and VPP in the JSS, see the Casper Suite Administrator's Guide 9.81 .

In the VPP Education Store...
I first determined what apps I wanted as my default set of apps and purchased (paid or free) that number of Managed Distribution licenses from the VPP Education Store. I have a group of a dozen or so free apps that get installed on all iPads so I "purchased" 3,000 free licenses of each. NOTE: If you don't see the app right away, follow these instructions. The issue is filed with JAMF support under D-009059.

In the JSS...
  1. Make sure you allow for Apple Configurator enrollment at Management Settings -> Mobile Device Management -> Apple Configurator Enrollment and place a check mark in the box next to "Allow Apple Configurator enrollment."
  2. Under PreStage Enrollments, I added my new DEP iPads to a new shared student PreStage Enrollment under Scope. Here you can choose to Supervise devices, allow for pairing, disallow MDM profile removal, make MDM profile mandatory, and skip any/all the setup assistant steps.
  3. Created/updated a Student Customizations configuration profile with various restrictions. Scoped it to our "Shared Student iPads" Smart Group.
  4. Added my default set of apps as individual apps under "Apps" in the JSS and under the VPP tab of each selected "Assign VPP Content" and the VPP account that I used to "purchase" those free app licenses. Scoped to my new "Shared Student iPads" Smart Group. Set apps to auto install.

In Apple Configurator 2...
NOTE: From an earlier post here on JAMF Nation, use the following URL for enrollment in AC2 instead of the one listed in the JSS (this issue is filed with JAMF under D-009664): https://jss.organization.org:8443/mdm/ServerURL

  1. In AC2, click Blueprints -> Edit Blueprints -> New. Name your Blueprint. Then double-click the Blueprint.
  2. Click Prepare -> Automated Enrollment -> Next.
  3. Add a WiFi Profile (created by AC2 under File -> New Profile). Click Next.
  4. Skip Username and Password and just click Prepare. Now "Automated Enrollment" shows up under "Setup."
  5. Click Add to add apps or profiles. In the Menu Bar, click Actions -> Modify to add wallpaper or set device names. For device names, click on the "+" sign in the lower left corner of the popup window and select Number. You can change the Number field by double clicking on the number that comes up in blue and edit the number. You can also add the cart name or other words before/after the number. When done, click Done.
  6. Plug all iPads in to the AC2 computer with a sync cart or USB hub.
  7. Select all iPads. Right click, choose Apply and select the new Blueprint. Click Apply.

Applying this Blueprint will activate, update, prepare, and enroll your iPads. Once the iPads update to iOS 9.0.2 and enroll into the JSS, the default apps set up in the steps above start installing automatically without any Apple ID or any user interaction.

Future app updates can be managed in the JSS too, either automatically for all apps (Settings -> Mobile Device Management -> App Updates -> Automatically update all App Store Apps), automatically per app (Mobile Devices -> Apps, select the app -> Automatically update app), or manually (Mobile Devices -> Apps, select the app, Edit, click Force App Update). All of this can be done in the JSS and pushed out OTA to the iPads without Apple IDs.

With Apple Configurator 2, you can customize your initial setup by using Blueprints. When you are in Edit mode of a Blueprint, just add the setup actions you want and it will save to the Blueprint. For example, to have a Blueprint restore a backup be sure you are in Edit mode of a Blueprint and go to Actions -> Restore from Backup… Choose the backup you want to restore and you will see it save to the Blueprint.

The latest JSS release v9.81 offers many new iOS 9 features including some fantastic new configuration profile restrictions. I am most excited about the ability to uncheck the box next to "Allow modifying passcode (supervised only)." I can't tell you how often a student will maliciously set a passcode on a shared iPad… this restriction will keep that from happening again on any of our shared iPads.

Resources:
iOS 9 Deployment Reference: https://help.apple.com/deployment/ios/
Apple Configurator 2 Help: http://help.apple.com/configurator/mac/2.0/
Apple Deployment Programs Help: http://help.apple.com/deployment/programs/

I'm sure my shared cart workflow above will evolve over time but thought I'd post it as it is now. If anyone has anything to add or share (tips, tricks, triumphs or tragedies), please comment! I will continue to add to this post as well.

Thanks and see you at JNUC next week.
~Joe

PS. If anyone wants to discuss this workflow at JNUC, come to the K12 iPads in Education mini-event. Hope to see you there!

@nsdjoe Nicely done!! Thank you. Looking forward to hearing more about it @jnuc.


An excellent tip from another post… Configurator 2 auto opening Photos

It is possible to disable Photos from automatically opening when an iPad is plugged in to the Configurator station by using the following defaults write command:

defaults -currentHost write com.apple.ImageCapture disableHotPlug -bool YES

Thanks @jevans76 for sharing!


Can you elaborate a bit more on getting the devices enrolled into the JSS using AC2? When I use https://jss.organization.org:8443/mdm/ServerURL with our information, I get the error of https://jss.organization.org:8443/MDMServiceConfig not found.

"ServerURL" is the actual string I want at the end, yes? I wouldn't be replacing that with my actual server URL again?


We are running into the same thing jbourbon is. Seems like it likes https://jss.organization.org:8443/mdm/ServerURL but it points it somewhere that doesn't exist. Maybe some settings we share on our JSS are causing this?


Any update on this? We are having the same problem.


I'm at JNUC right now and don't have my Configurator computer with me to double check my settings. But I do remember that after adding that URL with "ServerURL" to AC2, AC2 set itself up properly with the MDMServiceConfig file. Even if you get an error, try going to AC2 Preferences and click on your server listed and see if it picked up a few certificates. For me, there were three certificates that were automatically added, and URL was automatically fixed. Everything worked properly after that.

Hope this helps!
Joe


Joe - thanks for writing and sharing this. I look forward to giving it a try, testing 9.81 in test environment now.


I need clarification, I thought if you are using DEP you CANNOT use Apple Configurator?


Cool @CasperSally! Let us know if you learn any tips/tricks in your testing. Thanks Sally. ~Joe


Hi @dmichels,

You CAN use Apple Configurator 2 for initial DEP enrollment, and do so without the use of an Apple ID. You could not do that previously with Apple Configurator 1.

Soon, you will also be able to side load apps with AC2 during the initial set up/enrollment, and then manage those AC2 installed apps (with updates and such) via the JSS afterwards. But we have to wait until the JSS is able to convert unmanaged apps to managed apps.

~Joe


Hey folks,

We have a lot of deployments using the /configuratorenroll option on AC1, and we're trying to migrate clients to AC2. I spoke with support yesterday as this is broken in iOS 9. They pointed me to this article where I got excited to see a known Defect and the adjusted URL. However, no matter how hard we try - we still get an error during enrolment.

Oct 15 05:07:03 iPad Setup[215] <Notice>: (Error) MC: Failed to parse profile data. Error: NSError:
    Desc   : Invalid Profile
    US Desc: Invalid Profile
    Domain : MCProfileErrorDomain
    Code   : 1000
    Type   : MCFatalError

For clarification, DEP works fine, manual enrolments work fine. We have full public SSL, multi-tenanted environment with multiple JSS (around 40).

I'm at JNUC too, anyone fancy joining me in pushing this further with support?


Hi, I'm also having the same issue with the enrollment URL error; it will not take anything I enter. I wonder if our server OS version has any relevance to this problem. We're still running on 10.9 Mavericks server currently. I was wondering what you're running @nsdjoe that you had success with this? Many of these new features of deployment are dependent on the latest versions of iOS/OS so I'm curious if we need to bump the server up to the latest and greatest.

Thanks!


@dleonardi . I checked with our server admin on this. He said we are using a Debian Linux 6 on vSphere 5.5 (plan to upgrade to ubuntu 14.04 soon), 4 cpus, 6GB ram, JSS 9.81.


@nsdjoe Posted: 10/13/15 at 2:40 PM by nsdjoe

Even if you get an error, try going to AC2 Preferences and click on your server listed and see if it picked up a few certificates. For me, there were three certificates that were automatically added, and URL was automatically fixed. Everything worked properly after that.

I guess I didn't follow your instructions fully, my mistake. I saw the error and didn't even realize I could click the Next button, but you were right. Even though an error is thrown, the correct certs do appear for our MDM. I was successfully able to enroll one of our devices. Now on to step 2!


Hey I met with apple the other day and they told me you can now do lookups on VPP website to see if a developer opted in to being device assignable.

Go to VPP store.
Search for app (Evernote is example)
Scroll down on left
"Device-Assignable" is there if it is.

Maybe everyone knows this, but it was news to me.


This sucks @CasperSally I've been telling my staff at my K12 that they can start using this awesome new feature and push all their apps without AppleIDs. I should have known that Apple would have tons of "gotchas" with it. What would be the big downside to a developer for allowing "Device-Assignable"?


It was always opt in @ssrussell. I don't think there's a downside for developers, but I imagine some free edu apps that haven't been upgraded in awhile may not be assignable, or just oversight on the developer side. Have you checked your apps? We haven't yet.

I intend to use this school year to test and pilot and start pushing apps in production starting next summer. Gives our curricular team time to make a list of the apps they'll want and start bugging developers if they aren't assignable


@ssrussell and @CasperSally,

I haven't checked all of our apps yet, but a good majority that I have checked do allow device based app assignments. I talked to several other K12 iPad admins at JNUC about this and we've been seeing about 80% of apps are device assignable. But yes Sally, I agree that this will be a problem for the many education apps that were last updated like 2 or 3 years ago.

I'd like to encourage all of us to contact any developers we find who have non-device assignable apps and let them know that this feature is critical for schools! I've had good success over the last few years connecting with developers who have free apps with in-app purchases and asking them to post a paid "full version" of their app(s) into VPP instead of doing in-app purchases, explaining that schools can't use VPP for in-app purchases. When you tell them that you'll be buying 3,000 copies of a "full version," but only if it's in VPP, you tend to get a quick response :) Hopefully we will get a good response about device assignments too (maybe tell them we want to buy a bunch more, but only if they are in VPP and offer device assignments).

Just brainstorming here… For those apps that are old/not-updated where we can't find or connect with the developer, maybe we could use Apple Configurator 2 to side load those apps. I know it's not as convenient as doing it OTA via the JSS but it may be the only supported way to get those old apps on the devices and not require an Apple ID. I know there are other unsupported ways of getting apps on devices without Apple IDs but I'd like to see us (and Apple and JAMF) develop and use a workflow that is supported and that does work.

Just a side note… the ability to use the JSS AND AC2 to provide ongoing management to devices is not currently supported by JAMF but hopefully will be soon. The way I understand it you will need to share the supervision certificate between the AC2 computer(s) and the JSS so that they all understand each other. Hopefully that will be available in an upcoming JSS release... along with the ability to convert unmanaged apps to managed apps.

~Joe


@nsdjoe I am going to encourage the curriculum departments that choose the apps to reach out to developers if the apps they want aren't device assignable.

We are planning on supporting device assignable apps only. We'll see.


@nsdjoe and others - are you guys using caching servers? We haven't implemented them yet, but I'm thinking if pushing apps makes app distribution much easier for us, it may be time to start - particularly for iOS app deployments.

Would love to know what specs you guys are using for them & how many devices they cover. Apple rep threw out a number of like 1 per 700 devices.

Thanks!


Hey @CasperSally. We are not using caching servers yet. But it is definitely something I plan on looking in to.


Without an AppleID, how do you locate lost and stolen devices?


@mmcallister I was told at an Apple Update Meeting that we will not be able to locate the device since no Apple ID means no iCloud. I am thinking about adding in the iCloud ID for each grade level into my devices and not adding it into the Apple Store.


Great post Thanks


We are moving to App distribution through our MDM, but we have not gotten the VPP system completely set up. But it looks like through the post we can use Configurator 2 as part of our transition when we are completed. So if we set up using DEP and Pre-stage as well as the basic application blueprint, when our VPP tokens are in place, the apps will be updated and then we can slowly transition to the JSS and only use Configurator 2 for part of the initial deployment system, right? My big headache right now is VPP codes from the old system and wanting to allow the transition.