How are you managing your K-12 iOS devices in shared environments?

jramsey021
New Contributor

Our district just recently purchased JAMF Casper Suite to manage approximately 300 iOS devices (and hoping to grow that number) and went through the Jump Start session. Now we are working on getting those devices enrolled and making the most out of what Casper Suite has to offer us.

We have about half of them enrolled right now and below are a few things we are doing with them. Just looking for some input on what we're doing wrong, what we could be doing better, and any other tips/tricks you have to offer us!

  • Smart groups to separate our devices by schools (e.g. naming convention is SCHOOL-iPad Cart#-Device# // smart group sorted by [device name [is like] XXX] = XXX Elementary)
  • Smart group to separate all elementary schools from secondary schools, etc.
  • Smart groups showing things such as < 2 GB storage, missing our student restrictions profile, out-of-date iOS
  • Configuration profile for each school including payloads for that schools WiFi, iPad cart printer, and schools Web Clip link
  • Buildings separated for each school location, departments sorted by All Students and All Teachers
  • Disabled iTunes/App Store/FaceTime/Messages etc so we have more control over the content that the students see since we have these in the hands of students in grades as low as pre-k

Is there anything else that you are doing in a shared environment that makes iOS device management easier or gives you more control? We would love to get some more ideas!

2 REPLIES 2

CasperSally
Valued Contributor II

@JRamsey - I'm pretty closely following this other thread
started by @nsdjoe

How are you implementing your naming convention? I'm testing our new DEP enabled shared device model with AC2.2 and really struggling on the naming. AC2.2 doesn't seem to increment properly, but teachers really like knowing student Timmy has #1 (versus just naming device by serial). For our own inventory purposes, it's helpful to have cart or room number like you seem to be doing as well.

I've had a ticket in with Apple for over a month for the incrementing issue and have gotten nowhere.

apizz
Valued Contributor

@jramsey021 When you say "shared environment" you mean that the iPads aren't 1:1?

If so, that's what Apple is currently whipping up with their new School management beta and their Classroom App. With iOS 9.3 Apple included features which are for truly shared iPads, but because of the local data it has to store they say you need iPads that have a MINIMUM of 32GB, which we don't have. AND Apple has basically disclosed nothing about how this is all going to work and what it requires on the backend. So ¯_(ツ)_/¯ . What we're really talking about here then is implementing some sort of developed process to make what are designed to be 1:1 consumer devices to be used by multiple individuals. And that's where the real challenge is.

The first issue is going to be related to security & access. Do you set a 4 or 6 digit passcode and only disclose this information to the faculty and the students using the devices? Will they always be using that one device or will they have to know multiple codes? Do you setup TouchID so students can sign in just with their fingerprint? All of these have pros and cons, but all will require training & a fair amount of management to do right. Especially since Apple hasn't released their School Management features, there's no way to separate out people's data currently and as a result one student takes a picture using the camera, everyone with access to the device can see that.

The real bummer is once someone has the ability to unlock the device they also have the ability to update the iOS firmware on the device as well, which if you're not proactive about preventing can cause issues if Apple introduces any bugs or if things don't play nice with Casper. I know there was an issue with iOS 9.2 or 9.2.1 related to distributing VPP licenses so updating before fully testing things can cause problems that you can't easily reverse.

In terms of smart groups, the overwhelming majority of our groups are based on device name. Something fairly easy to do would be to setup a PreStage Enrollment for devices to automatically assign department & building information to enrolled devices. That way you don't have to entirely depend on device name for all your groups.

If you create a test iOS smart group and choose the "All criteria" option, you'll see all the criteria you can base your smart groups on. That will answer your question about devices having X amount of available storage, iOS version, etc. We have a number for specific apps we need all devices to have and have setup up Apple's Volume Purchasing Program so that we can assign our institution's licenses to applications we make available through Self Service (even if they're free) and pull them if they're no longer needed. Definitely a LOT easier than plugging in a single Apple ID to all your devices.

You can disable the iTunes Store, Game Center, News, and Podcasts within a mobile config profile which you can set to all your mobile devices. However, as far as I know the only way you can disable additional apps like FaceTime and Messages is setting restrictions manually (unless you use Apple Configurator 2 I believe) in iOS Settings. One setting we configured is disabling the ability to change any account information. This prevents students from being able to enter their personal Apple ID info into apps like Messages and FaceTime. If you are running Casper 9.9 there are additional features included to support iOS 9.3 so there may be more you can do in the mobile config profiles than I can in 9.82, but we don't have that many iPads so we don't have a reason to upgrade at the moment.

There's a LOT here, so if you provided more details about how you have things configured on your JSS, how you're enrolling & processing each machine, etc. you may get more helpful responses in terms of how to do X better than the plethora of different things I've included here. Happy to help though!