Configurator, DEP, and Supervision

smith_kyle
New Contributor III

I work in a school district and we have deployed a lot of iPad centers/labs, and have been setting each device up by hand (completing setup assistant/enrolling to specific lab user, signing in with appropriate Apple ID, downloading apps, etc.). It would be nice to be able to prepare a master image for some lab cases (at least to prepare it to a point that wouldn't involve so much work on the glass) using Configurator.

I know that Configurator now supports an enrollment URL, which I believe works with DEP(?), but it's not clear if devices run through configurator that are in DEP get supervised by the JSS, or if they can only be supervised by the configurator workstation. It seems slightly counterintuitive for the latter to be the case, which would result in devices prepared in configurator that are in DEP being enrolled in the JSS, but supervised by the workstation, whereas other devices that are in DEP enrolled OTA get supervised by the JSS.

Anyone have a firm answer on this? Or perhaps a better way to deploy multiple iPads requiring the same image (for the most part) without manually setting up each device?

3 REPLIES 3

joshuasee
Contributor III

It takes some setup, but yes, what you describe is doable. This scenario is a large part of why the Device Enrollment Program exists.

Here, when a device arrives, there serial number is scanned off the packaging and it is assigned an asset tag, which becomes its name. I the enroll them by serial number in the DEP, designating our JSS as the managing server. In the JSS, I set up a prestage enrollment with the name/asset tag set, scoped to the serial number which the JSS gets from the DEP. We set one prestage per device to force the name, cloning them to make new ones, but you can assign as many devices to a prestage as you like if the name isn't important to you. I don't need to touch the devices during this process.

When the customer gets the device, they are prompted to connect it to the Wi-Fi network, and then are notified that a management profile will be downloaded. We prompt for their credentials during enrollment to assign user info, but this isn't necessary.

My todo list includes creating an updated training video for this process, do I'll try to post a link here when it is ready.

qhle373
Contributor

You are correct that when a device is 'Supervised' in Configurator, it is then controlled by that computer that enrolled it.

As far as the Apple IDs, are those the end-user's personal IDs or are they created/managed by your district?

Also for the Apps, do you have those going through VPP for paid ones or are they all free?

I ask these things because as far as a pre-installed standard load, Configurator is going to be the answer. It does use a single Apple ID for those apps though. The user can still sign out of it and sign in with their own for downloading future apps if that is what your management structure is going to be.

We also have DEP setup like @joshuasee has mentioned. We have paired this up with VPP Invitations / Assignments for certain departments that have managed paid apps. Otherwise, you could make the apps needed available through Self-Service (especially the free ones) for the user to get themselves.

There are a variety of methods to have the iPad layout that the end user needs to see. Its just very based off of what your district wants, and is willing to coordinate with the end-user on.

smith_kyle
New Contributor III

Thanks for the info and suggestions. What you guys outlined is very similar to what we're doing for our staff devices. We assign them to our JSS in DEP, have one blanket prestage enrollment for most devices, and then set up other prestage enrollments if needed to streamline the setup process for different groups of users.

Our hard spot right now, though, is our iPad lab devices that each have about 40 iPads that need to be set up exactly same. Our setup process for each device is:

- streamlined setup assistant (from prestage enrollment) requiring unique AD login (we use AD groups for all of our profile/vpp scoping)
- sign them in with a unique, district-controlled Apple ID and enroll them to VPP
- ensure proper settings (i.e. name, auto downloads on, e-mail settings correct, find my ipad on, etc.)
- then pretty much babysit the devices as their VPP apps download (mix of free/paid)

In a perfect world, I'd like DEP to play nice with configurator so the devices get supervised by the JSS, and not tied to that one workstation. And not having to hog bandwidth (we use a caching server) and babysit each device as the apps download would be a plus. I know that we could go the app catalog/silent install method for the apps, but setting up and having to scope each app sounds like or of a pain than the current setup.

Thanks again - nice to compare workflows!