How Can I Import a Supervision Identity from DEP/JSS into Configurator 2 (or the otherway around)?

Graeme
Contributor

Hi all,
We are beginning our implementation of supervision on IOS and DEP. We are currently supervising using Configurator 2 but when I try to use configurator 2 to configure a device supervised through DEP I get an error saying the device is not supervised by an existing organization. It also says (suggests) to import an organization with the identity for the device.

You can export the organization certificate from Configurator 2 or the whole Organization as well as being able to choose an existing identity (certificate) when creating a new Organization. The Configurator 2 doco indicates it is compatible with DEP.

My question is how can I use the same identity across DEP, JSS and Configureator 2?

many thanks
Regards
Graeme

1 ACCEPTED SOLUTION
16 REPLIES 16

mbuckner
Contributor

My understanding is that you can't have an iPad supervised by Configurator2 AND JSS. If you are using the JSS with DEP, that will limit what you can do through Configurator2. You can install apps with configurator, you can install configuration profiles, change the ipad name, etc.

You can't change the wallpaper (or put the ipad name on the wallpaper). That requires Configurator to supervise the iPad, which then keeps you from assigning apps to the iPad (as opposed to assigning them to the apple id).

It's a bunch of trade offs, but here we decided that using JSS was worth what we lose in Configurator.

I hope that helps some.
Mark

Graeme
Contributor

HI mark, and thanks for your response.

I'm sure that was definitely the case in Configurator 1.x but Apple says Configurator 2 is compatible with DEP (https://support.apple.com/en-au/HT205285).

There is a knowledge base article from Zuludesk (https://community.zuludesk.com/topic/127-apple-configurator-2-prepare-devices-using-automated-enrollment/) that talks about importing the identity from configurator into the enrollment profile.

When I get the enrollment error on Configuratior 2 it suggest importing the correct identity. Given all this it seems you can use both, you just have to have the correct identity.

I'll spent a bit more time with certificates to see if I can get it to work.

Regards
Graeme

iOSGenius
New Contributor III

Hello,

I was trying the same and found it is more work than needed so i placed them all in my JSS and it was so easy and configured all in one shot than using Config v2.

Yes Config v2 does support it in the process of dep that items are already enrolled though i needed to test it out via csv file and would need to get the token from Config v2 was a pain to upload to DEP and the public key could not find a place to put it after much reading and reading seems there is an issue with Config v2 to accept the token key. So after spending some good week time to figure it out if kept failing.

So i skipped it and did in JSS and was accepted and done in under a couple of hours and works flawlessly,
I was thinking of using Config v2 because it would been easier to get all devices registered in my thought but it did not and caused some confussion because then i would be needing to use to MDM JSS/Config and i rather just use one than other as Config would only work with a Mac connected to devices and JSS is all OTA process and wanted it more simpler in long run and adding more devices.

Thanks Dan
D87

plawrence
Contributor II

@Graeme I'd be interested to know if you manage to find a solution to your issue. I'd also recommend submitting feedback to Apple regarding the features you would like in Configurator 2 at http://www.apple.com/feedback/configurator.html

Graeme
Contributor

Thanks for the replies and no solution yet. DEP and JSS is working well, just have to make sure that the devices that are enrolled (and supervised) through DEP and those that are supervised through Configurator have a different work flow.

I will give the feed back to apple through the web site.

Regards
Graeme.

aertul
New Contributor

Graeme,

I'm trying to do this as well. The reason being, I haven't found a nice way to set the wallpaper and get it to display the device name on the locked screen using the JSS. Does anyone know a way to do that and not need config v2 for it.

Graeme
Contributor

Configurator 1 does this nicely for supervised iPads Configurator 2 is more limited. It is available for groups in Casper. Select either a static or smart mobile group and then "View", Click "Action>" and select "Send Remote Commands". the set wallpaper command is then accessable.

Regards
Graeme

aertul
New Contributor

Graeme,

I see the set wallpaper itself but I do not see anything for putting the device name on the lock screen like can be done in Configurator. Is this there somewhere or not available?

mbuckner
Contributor

My understanding (from talking to Apple enterprise tech support about this issue) is that you can supervise your iPads using your mdm OR you can supervise them using Configurator 2. You can't do both. Yes, Configurator 2 will work with DEP. You can supervise the iPads, install VPP apps, set device names, wallpaper, etc. However - you can't use the same VPP account with configurator that you use with Casper (configurator 2 specifically tells you this if you try to login with a VPP account associated with the JSS). Apple told me to use configurator to update the OS on my iPads and to enroll them in casper. Do everything else through casper, not configurator.

I know this is all confusing, and documentation is still scarce. I recommend calling Enterprise tech support. They have been very helpful, but their number is hard to find. Here it is: 1-866-752-7753.

I hope that helps.
Mark

Graeme
Contributor

Thanks Mark, I might be missing something, Supervising through Casper has been mentioned a lot in these forums but I have only found a way to do it with prestaged enrollments and DEP, can Casper supervise a device without DEP?

I found the limitation of VPP accounts and Configurator 2 so at the moment I'm considering having one VPP account for 1:1 devices (most of my fleet) and another VPP account on Configurator 2 for the base install on the carts. I'm hoping this way the the apps will arrange themselves into the same folders as the backup.

Aertull, no option any more AFAIK to put names or photos on the lock screen :-(.

mbuckner
Contributor

You can do some things with Casper without DEP, but you are severely limited because Apple limits what you can do. Without DEP, users can remove the MDM profile (and thus any restrictions, configuration profiles, etc) at any time. DEP allows you to enforce the MDM. Also, you have to use DEP if you want to assign apps to devices. Without DEP, every user must have an apple id (unless you are using configurator 1).

Configurator 2 will let you set names on the lock screen, but only if configurator is supervising the ipad (i.e. Casper is NOT). I really wanted the two to play well together; names on the lock screen is the thing I miss most in the new setup.

One other gotcha I just found out about. In configurator 1, when I installed an app (free or paid) it asked for my apple id. I used a school apple id and everything just worked. With configurator 2 I can also install apps, but when my students run the app, it asks for their apple id. My students are K-5; they don't have apple ids. Apple tells me that there is no way to make this work as it did before, so we are now using configurator 2 for only a few things:

  1. Updating ipads from ios 8.4 to ios 9
  2. Enrolling them in Casper

I'm doing everything else through Casper. We are not supporting apps that don't support device assignment.

Anyway, I hope this all makes sense. It's late and I'm tired :-)

Mark

Graeme
Contributor

Thanks Mark, much appreciated.
Regards
Graeme

JackKuiper
New Contributor

looks like a feature request.
i to stumbled into not beeing able to get the name in the lock screen.
But if Configurator can do it, there has to be a way to make casper do it ;-)

I think i will fo over the feature requests to see if it is in there and then push it, create it if not

thanks for letting me know i'm not alone

JackKuiper
New Contributor

there we are:

https://jamfnation.jamfsoftware.com/featureRequest.html?id=4117

plawrence
Contributor II

@mbuckner

My understanding is that you can still use Configurator 2 to load apps onto devices, but you need to use VPP app deployment. If you don't want your users to be prompted for an Apple ID, then the device needs to be Supervised (by Configurator or DEP) and you need to be logged into Configurator 2 using your VPP Apple ID. See the Configurator 2 Help Pages (http://help.apple.com/configurator/mac/2.0) for the steps.

mhayden
New Contributor III