Ok, I was able to replicate the details in the original post, and it was very helpful.

That said, for step 3, I'm going to have an issue pushing this into production. Our "real" WiFi network is an 802.1x network (PEAP w/ MSCHAPv2) that uses login via username/password.

One option is that I store a username and password in the profile. Not a great option, but it would work if I can somehow go through after enrollment and remove the wifi profile. Is that possible?

Otherwise, is there an option to integrate JSS into Configurator 2 that doesn't require including a WiFI profile?

@georgecm12

Yes, you can can create a temporary wifi profile, install it and then remove it. We perform this when working with our Elementary School Carts.

In AC2 you can go to File -> New Profile -> Wifi and set your Wifi Information there. On the General page, at the bottom, you will see "Automatically Remove Profiles" you can chose "Never", "On date", or "After Interval". We choose "After Interval" one hour.

Note: I have noticed this does not always work but that was with AC1. Maybe AC2 can handle this better. In our case, we remove the profile using AC and ensure our Wireless Profile takes over.

Hope that helps!

@lee.smith Could you provide a little more information about how you remove the profile using AC?

@georgecm12 I sure can. When I get back to the office, I will give you some more detail.

@georgecm12 I apologize for taking to long in getting back with you.

In AC2 you can perform the following:
1.) File -> New Profile ->

2.) Name Your New Profile:
--- At the bottom select "Automatically Remove Profile"
---- After Interval 1 hours

3.) Create your Wi-Fi Profile:

4.) Save your Profile

5.) Select All Your Devices
--- Edit -> Select All

6.) Add your Wifi Profile
--- Actions -> Add -> Profile

Note: I also add my Enrollment Profile and CA Certificate. This way it will enroll and pull down the correct configuration profiles.

Note: I have noticed my Temporary Wifi Profile does stay even after an hour. So, after I check the JSS and ensure the correct Configuration Profiles are installed I will remove the Wifi Profile by performing the below steps.

1.) Select All Your Devices:
--- Edit -> Select All

2.) Remove Your Wifi Profile:
--- Actions -> Remove -> Profiles -> Select your Wifi Profile

Now your iPads have been added to the JSS, the temporary Wifi removed and now have your interns work on the next cart.

Our next steps for summer will be to inventory the apps and deploy them through Casper. So, when they check in they will start installing the apps. This will be based on SMART Groups.

I hope this helps and if you have ANY questions please let me know.

@nsdjoe Thanks for your write-up on DEP & AC2. I have been able to successfully Prepare iPads using AC2 using the Automated Enrollment, AC2 talks to DEP and the devices get supervised and enforced MDM profiles. I didn't have to enter any server addresses in AC2 -> Preferences -> Servers (I think these are for non-DEP MDM enrolments??).

The issue I am running into now is restoring a backup of a DEP device to a different device. AC2 is able to take a backup of a DEP device, but after I restore it to another iPad I am unable to progress past the setup wizard, I get an error saying the device is not activated. I even tried the following workflow:

• Take a backup of iPad 1
• Restore backup to iPad 2
• Do not touch the setup wizard
• Prepare iPad 2 using Automated Enrollment

The console error is as follows:

Nov 18 14:16:04 iPad profiled[86] <Error>: Can't convert pem cert
Nov 18 14:16:04 iPad profiled[86] <Notice>: (Error) MC: Could not create machine info dictionary. Error: NSError:
    Desc   : Your iPad is not activated.
    US Desc: Your iPad is not activated.
    Domain : MCInstallationErrorDomain
    Code   : 4014
    Type   : MCFatalError
    Extra info:
    {
        isPrimary = 1;
    }

Have you tried restoring DEP backups to different iPads using AC2 yet?

@CasperSally

This is a late response to your caching question, but our Apple Rep recommended 4 caching servers (Mac Minis) for the 2,000 iPad we purchased back in October of this year. We have since purchased two more Mac Minis that both cache and run AC2 so we don't have to use our personal Macbooks for AC2. Our device count BEFORE the 2,000 was around 1,600, so now we are at 3,600 total iPads and around 200 Macbooks with 6 caching servers. Things seem to be running fine as long as VPP doesn't break (which it has several times during our deployment).

We also had another Apple Engineer tell us that one caching server would serve up to 4000 devices. Which engineer is right? I suppose that's up to us to decide!

At any rate, my advice is to buy low, test and add as needed. Your engineer's recommendation for 700:1 is probably a good metric to start with.

First off, this is a GREAT! post, very thorough and one of the best I've come across during our deployment.

This post is in regard to our workflow without blueprints and wallpapers. As mentioned in the OP, a blueprint can be created with a wifi profile, device name and a wallpaper. I have a few observations to contribute to that method:

1. We chose not to go with a Blueprint because we found the delivery of the blueprint to 15+ devices became unreliable.

   • e.g. I made a blueprint for 15 devices with a wifi profile and a name. We then made a smart group to filter upon the name given in the blueprint (we wanted to be able to control each class set of iPads in JSS if needed, rather than having one universal "student iPads" smart group). We noticed that after the deployment of the blueprint, we lacked consistent results. We would have a handful of iPads not accept the device name (e.g. we-room#-1), but they did accept the wifi profile. Since iPads ship with the default name of "iPad", if the device name is not properly distributed from the blueprint and the Wifi profile is, guess what? - your smart group is null and void, because as soon as the iPad connects to wifi, it hits DEP and then enrolls into JSS with the name "iPad." Thus requiring us to go in and name the iPads again, one at a time in JSS. I'm not sure if anyone else struggled with AC2 preparation consistency, but we sure did. So we just broke these steps up one at a time and bailed on using blueprints altogether.
   • Our workflow: Plug in devices, restore (to install iOS 9.1, since they shipped with iOS 8.3), name devices, close AC2 and reopen if needed(devices that didn't accept the name initially would then refresh in AC2 and reflect the name), then prepare, automated enrollment and add Wifi profile (again, if prepare function failed, we could instantly see which iPads failed, so then we could choose them and prepare again). While iPads are restoring and preparing we were making smart groups filtered upon their class set names (device name "is like" we-room#-) and making their casper focus classrooms. Yes, this is a long version of what was mentioned above but hey, it worked consistently! Again, this is not be a knock on the OP, but just to explain what we ran into and our solution since Apple support and Apple PM was unable to provide any insight. I'm open to suggestions of what we could have done better with Blueprints.

2. This is mainly a question about wallpapers. Since each of our iPads has unique class set name (e.g. we-room#-1, we-room#-2, etc.) we really wanted the wallpapers to reflect the name on the screen. Unfortunately in JSS we can assign a wallpaper, but we can't tell it to reflect the name of the device like we can in AC2. However, in AC2 whether or not you're using a blueprint to assign a wallpaper, it requires supervision to apply the wallpaper. Therefore, if we give Supervision to AC2 and then try and prepare the device for automated enrollment it wants to "restore" the device (getting rid of the wallpaper) in order to allow the MDM to supervise. We sat through two apple presentations where the apple reps said this was possible, but then in their presentations they didn't apply a wallpaper, only a device name (which does not require AC2 supervision). So we were told this would work but then we were never shown it working and we were never able to get it working on our end no matter what workflow we tried. Has anyone found a way to make this happen? The only way I can think of is to somehow connect AC2 to talk to the JSS and allow AC2 the ability to co-supervise the devices.

3. Currently we have a profile in JSS that does not allow students to assign a wallpaper using the iPad. This is because students will put inappropriate pictures on the device wallpaper. If teachers ask to be able to save the wallpaper we just add their devices to a separate profile that will allow them to change the wallpaper. Wallpapers may not seem like a big issue, but it makes the teacher's job much easier to assign iPads to specific kids rather than using stickers on the cases that can come off. If anyone has a suggestion for us to try I'd appreciate it!

Hey all - if you're interested in iOS in K12, there's a new channel over on slack where some discussions are going on. Just wanted to pass along

https://macadmins.slack.com/messages/edu_ios/

Hey @CasperSally

Do we need to apply for membership?

sorry you can join slack - http://macadmins.org/

Then look for the edu_ios channel. There's a jamfnation one too. enjoy.

Getting an error trying to wipe/update my iPads on AC2. We are using DEP. This error comes up any time I want to do anything remotely useful.

Configurator could not perform the requested action because “iPad” is not supervised by an existing organization. Import an organization with the identity for the device or click 'Prepare' to erase and supervise the device. All content and settings will be erased. This cannot be undone.

Thoughts? I hit 'Prepare' and so I indicate the wi-fi profile, automated enrollment, it then gives another error after wiping and updating, I hit Restore on that and get back to this. I have 500+ iPads that I need to wipe this summer, and I don't want to go through the enrollment process, because I want each student to put their credentials into the iPad setup assistant, so that it's associated to them in JSS. And even if I do enroll it myself as part of this process, it still gets stuck in a loop with these 2 errors.

What I want is to be able to plug in a bunch of iPads and wipe them, update them, and leave them at the setup assistant stage for the students to go through when they pick them up again. I want AC2 to save the unlock credentials, so that when they disable their iPad because they forgot their passcode, and they restart so wi-fi shuts off and I can't send JSS commands to it, I can plug it into AC2 and still unlock it without having to wipe the device and lose potential data.

I feel like there should be a way to export the organization from JSS and import it into AC2....?

Figured it out... https://jamfnation.jamfsoftware.com/discussion.html?id=18306

This works beautifully. However, I want to skip all of the enrollment questions EXCEPT the one to Enable Location Services. This is available in the Manual Enrollement, but my AC2 errors our every time.

Any other ideas how to make this setting during enrollment?

@nsdjoe thanks for this writeup. Finally got everything set up here and really made it simpler to go through the process. Haven't seen you in the macadmin slack, you should pop over sometime.

@ypsadmin I'm also wishing there were location controls either in AC2 or available via config profile. My date/time on iPads is defaulting wrong b/c location services by default is off. Or allow us to set time zone at least.

@mattgreen10 did you figure out what you needed with the wallpapers? I'm using AC2 to set wallpaper to black with device name on lock screen which I think will allow us to no longer deal with labeling iPads and matching up names to labels. Still thinking that through though.

Beta of AC2 available to developers has some new edu 9.3 features worth checking out to anyone interested.

Is there any tricks to get paid Apps onto the iPads using AC2 and VPP? I am not using an MDM, just AC2 and manual apply of blueprint. I can manually add the App and Profile, but not through Blueprint.

Anyone have tips on how they are implementing their naming convention? I'm testing our new DEP enabled shared device model with AC2.2 and really struggling on the naming. AC2.2 doesn't seem to increment properly, but teachers really like knowing student Timmy has #1 (versus just naming device by serial). For our own inventory purposes, it's helpful to have cart or room number as well in the name so I can see easily in JSS how many are in room X, etc.

Configurator does some weird things with their device names it seems not really tying them to blue prints, or maybe I'm doing it wrong.

I've had a ticket in with Apple for over a month for the incrementing issue and have gotten nowhere with them.

@CasperSally In our K12 we create a spreadsheet of the serials of the iPads then the Campus Tech assigns the iPads numbers following a naming convention like [SITE]-[CARTName]-[Number/Identifier]. Then later, in the JSS, they assign the iPads Name by using the "Enforce Name" feature which renames the iPad remotely. This is not an efficient way of naming iPads by any means, but it gives the Campus Tech total control over the name and numbering of the iPads.

@CasperSally Sorry for not answering until now. No we have not figured out how to add wallpapers during the AC2 process. To my knowledge, AC2 requires supervision of iPads in order to add the wallpaper, but as soon as the iPads are enrolled and supervised in JSS, this action must be undone by restoring the devices; therefore, deleting the wallpaper.

We just lifted the wallpaper restriction on some of our classrooms so that teachers and students could add their own wallpaper and then either locked the restrictions back, or trusted that the teachers and students will monitor the wallpapers so that nothing inappropriate is placed on their screens.