Apple TV Airplay Permissions and Restrictions Discussion (Jamf Pro 9.98 & tvOS 10.2)

jbutler47
Contributor II

Been playing with tvOS 10.2 and Apple TV Gen4 and JAMF PRO 9.98. Here is something I have come across.

First I'll share the current out of box workflow.

  • Connect to DHCP ethernet

  • Prestage ATV4gen

  • Initial ATV Config (scoped to Prestage) adds WiFi, just to be sure and safe.

  • Manual changes to JSS record for device name, building, & asset tag

  • Initial Config units are smarted into Ready for Airplay Restrictions group

  • Airplay Restrictions Config (scoped to Airplay Restrictions Group) has tvOS restrictions checked for: "Require passcode on first AirPlay pairing" and "Allow keyboard continuation"

  • Airplay Restrictions Config also contains a setting for Conference Room Display, showing the variables: $BUILDINGNAME, $DEVICENAME, and $SERIALNUMBER

  • In this Airplay Restrictions Config there is an exclusion group, a static list that can be edited at any time, allowing the ATV to lose the Airplay config and return to normal usage for whatever local changes are needed, etc. Remove the ATV from the list, it returns to normal and resets the variables shown in the conference display. (A good idea when it goes bonkers.)

So, what is the issue, you ask?

Well, if you engage Airplay Permissions in Global Settings or via a config with Airplay Permissions, you can only target an ATV with a list of devices that can connect to it. Once connected or aligned to the ATV, a device will always be able to connect to it and is never prompted for a code until the ATV is restored or wiped.

If permissions are not set in Global nor via a config, the connected device is prompted once for a code and will always be able to connect to it and is never prompted for a code until the ATV is restored or wiped.

This is an issue in schools, where students will connect once and always have the ability to connect. Having the security of being in the room to see the airplay code is a highly convenient way to control student access to ATV, for obvious reasons.

My takeaway for the moment is that Airplay Permissions or restrictions may not always work in educational settings, sans conference rooms or restricted access ATVs. Perhaps it is worth a trial to see how an ATV aligned to a teacher only is able to use Apple Classroom to route traffic from a controlled student device.

Curious what others have found or experienced, please share your feedback.

Thanks.

6 REPLIES

apizz
Valued Contributor

@jbutler135 Thanks for this.

I've only just started testing the new 4th gen ATV, but if I'm understanding you correctly the issue here is with giving computers access to only certain ATVs while also forcing them to enter a 4-digit code each time they connect?

I'm definitely not 100% familiar with the capabilities & limitations of the AirPlay config profile payload, but do you by chance configure each ATV to have their own individual passcode, or is this set to be randomized? If not randomized, this may be your issue, as I can imagine entering the 4-digit code once would then save that for future uses (but I could be wrong here).

This may not help you immediately, but hopefully is some food for thought since we are a school as well and have ATVs in all of our classrooms at the moment.

We're an Aruba shop, and we use Aruba AirGroup to limit Apple TV access based on where users are connected on our network. As such, even though we have 50+ ATVs on our network, our users only see the ~10-15 ATVs in their vicinity. Paired with a randomized 4-digit passcode on each ATV, this accomplishes for us what it sounds like you are trying to do. This way we don't have to deal with configuring a profile to give our computers and iOS devices access to specific ATVs. I did not personally set up AirGroup at our school, so I can't speak to the ease with which this was implemented (although it is fairly $$), but since implementing AirGroup we haven't had any issues controlling which ATVs users have access to.

Our ATVs are also on a separate VLAN which (currently) only our faculty VLAN can access.

rcampbell_jamf
New Contributor

Thank you for your informed post. I too have encountered this issue. K-12 situation as well. I think we need the ability in the tvOS Conference Room restriction to specify what type of restriction to use: one time or always, like we can when manually setting up the Apple TV using the remote. Do you know if one can allow access to the tvOS menu when the Conference Room setting is enabled in a configuration profile? Access to the Settings app specifically.

Please keep up with the feedback. And the ability to use device variables was a big help!

tdilossi
Contributor

Thanks for the detailed information!
Can you please post this as a feature request for those of us in the same boat? This seems like a valuable request for those of us in the K-12 sector.

mrhollywoodgate
New Contributor II

I'm also noticing this behavior. If I enable "Password" security manually on that AppleTV without any config profile installed from the JAMF Pro server, then it will prompt me every time to connect to the display.

If I use the Conference Room Display configuration profile, it will not prompt every time, only the first time. It does this even if the setting on the TV was to ask every time before the config profile was pushed.

sdiver
New Contributor III

I have just started playing with Apple TVs & Jamf management, so I guess I will share what has worked for us...

First, I add the Apple TV serial number to Apple's Deployment site, and from there I am able to get them mapped to a PreStage Enrollment. Good to go there.

From there, I go through a manual setup of the Apple TV, selecting the correct SSID, etc. Once the Apple TV is "setup", I verify it is completely updated to tvOS 10.2.1. With that completed, I update the two other settings within the Apple TV...

  • Conference Room Display Settings: Settings > AirPlay > Conference Room Display - set Conference Room Display to On
  • AirPlay Passcode: Settings > AirPlay - set Security to Passcode

Back in Jamf, I created a Configuration Profile that includes the following...

  1. WiFi Payload - just because...better safe than sorry
  2. Restrictions Payload - Allow keyboard continuation is checked
  3. Conference Room Display Payload - just giving generic text because no teachers are going to read Apple's AirPlay section instructions...not that they'll read what I put in there either :-

I also created a Static Group, just for the AppleTVs. It would have been nice to be able to create a Smart Group, to automatically apply the Configuration Profile based on membership...automate things almost completely. However, that seems to prevent the ability to change the AirPlay passcode to be a dynamic number for each connection attempt. So before I add the AppleTV to the Static Group, I manually change that setting on the device, then add it to the Static Group...which then applies the Configuration Profile, and the dynamic password for AirPlay remains functional!

Not ideal...but it works.

Edit: I should note that I am using Jamf Pro v9.98.

sapalmerBCS
New Contributor III

Just thought I would chime in on this. We are a school. The missing ability to set the Airplay Security setting to Passcode (so that it asks each time) rather than First Time Passcode is the only step missing from us being able to take these devices straight out of the box and allow them to configure on their own using a Prestage group and an automatic configuration profile.

Is there a feature request about this that someone can point me to? I'm not finding it.

Note: I'm on 9.99, but I didn't see anything about this in the notes for 9.100.