Importing new users from Apple School Manager

d_logue
New Contributor II

I need to create about 600 managed Apple IDs in Apple School Manager. I created a few test users in ASM and set up the sync time, but the users are not being created in the JSS.

The documentation talks about matching criteria for existing users, but we currently have no existing student users in the JSS and I don't see anything about importing new users from ASM. What am I missing?

1 ACCEPTED SOLUTION

mcooper
New Contributor III

After the sync has run you will need to import the users into the JSS. Steps to do this are found at the bottom of page 619 of the Administrator's Guide. http://resources.jamfsoftware.com/documents/products/documentation/Casper-Suite-9.93-Administrators-Guide.pdf

We have new users almost daily. I would like to see an option to set default import settings after the sync.

30 REPLIES

d_logue
New Contributor II

I found it. You have to do a user search first, then you get the New and Import options in the JSS. Such a weird design, I always forget about it.

Nick_Gooch
Contributor III

Our users aren't matching up. In ASM the MID is First_Last@appleid.school.org and in the JSS the email is First_Last@school.k12.co.us. Any way to get those to import and match as the proper user?

mcooper
New Contributor III

You could change the matching criteria operator to "contains". So the criteria would be Managed Apple ID contains Email (JSS).

Nick_Gooch
Contributor III

@mcooper I tried that. It always imports the user as a new user.

mcooper
New Contributor III

How were your users originally added to the JSS? If they were added by way of LDAP, do you have the user mapping pulling the Email Address from the correct AD Attribute? When you look at the user in the JSS is the Email Address field populated with the correct address?

Nick_Gooch
Contributor III

Yes, from LDAP, and yes, it is the correct email: first_last@school.k12.co.us. MIDs are first_last@appleid.school.org.

cdenesha
Valued Contributor II

@mcooper I had missed page 619 of the Admin Guide - because I was reading the Integration Guide which did not mention it! I thought the nightly sync was going to handle the potentially massive daily changes (especially at beginning of year and also when schedules change). A manual procedure is NOT going to cut it.

cdenesha
Valued Contributor II

@Nick_Gooch I think you need to set the domain. In the Setup Assistant for step 3 'Create Accounts and Classes' click 'Change Settings'. Set your domain appropriately and uncheck 'Use applied subdomain'.

Nick_Gooch
Contributor III

I want/need the .appleid subdomain in there. We have been 1-1 for 5 or 6 years so a majority of our staff and students already have Apple IDs with our domain. That will prevent it as suggested from Apple. I figured the option of picking first part would use everything before the @ but I guess not. I worked around it by adding IDs to Casper as an EA but it's not ideal in our situation.

cdenesha
Valued Contributor II

@Nick_Gooch Did you use Student IDs?

We have a mixed environment as well but I'm wondering.. if ASM is going to force us to create MIDs for all students and staff.. what happens if I provide an AID that already exists? It can't create it, and perhaps I can ignore the error?

We've been planning this so that our younger users would not have to remember a different MID than their email address. Right now we have an unwieldy username@students.longschooldomain.org, I don't know that I want them to have to know when to use username@appleid.longschooldomain.org. It seems easy for me to remember.. Although it may be easier for them to remember "It's Apple use 'appleid'" versus "reuse your email address for the apple ID".

[edit] typo due to stupid autocorrect

Nick_Gooch
Contributor III

We did use student IDs.

We have a similar odd naming for students' email addresses with our @school.k12.co.us that none of the students can remember. We also have an alias of just school.org which is what I went with for the Apple ID to make it easier to remember (along with the appleid. since most users created their Apple IDs with school.org already).

I believe if you attempt to create an ID with one that is already created (by upload) it adds a -1 to the Apple ID. It looks like it is also adding a -1 to the Apple ID even if just the email address is the same as an Apple ID already created. Maybe over the next couple weeks they can work out some of the bugs but I don't see it happening before school starts. We may end up skipping Shared iPads this year. No web clips is one of the biggest deal breakers for that right now.

cdenesha
Valued Contributor II

Thank you.

My issues with Shared iPad (many which I'm sure will be ironed out, but when?) are:

  • no web clips
  • cannot install apps while user is logged in, nor install iOS updates.
  • must put iPad to sleep and then wake up to Log Out
  • student cannot change wallpaper or move around icons - has to be done with profiles
  • Can NOT change the Auto-Lock - stuck at 2 minutes!!!!
  • Cannot see Recent Users from Log On screen once 'Other Users' has been pressed

I stopped testing shared iPad and am moving to MID testing with Apple Classroom. Hopefully I'll still be able to use 4 and 6 digit passwords when logging them into iCloud...

jbutler47
Contributor

If you haven't been following developments, serious changes have been made to the import CSV process. As of this afternoon, I've had no luck in using their new SFTP solution. If you haven't been to the site today, take a peek. New templates for CSV files as well.

On hold with Apple to find out more.

James

jbutler47
Contributor

Off the phone with AppleCare. Kinda nightmarish now.

To make import of accounts to work:

  • Create your entire school in one shot, define all student, teachers, classes, courses, rosters, and locations
  • Zip each file separately but it must be named as the template
  • Upload via SFTP
  • Hope that ASM does not reject, if it does, read the error page, and get back to work.

In this scenario, I have already uploaded 440 students before the new import process; I have not processed any other category. Now I am told that the import process needs to be done in one fell swoop (all together).

For example, if I have 45 students I want to do today, I need to create teachers, classes, courses, rosters, and locations as well. Which doesn't make sense.

You are not able to upload empty CSVs, and dummy data is not going to work.

Maybe things will change again, but it seems the only way to upload now is to do it all in one shot and hope for the best.

Hmm, promised for April, delivery in July, still half-baked pie. We need better when it is so close to the start of school.

So, check your stuff, and don't piecemeal it, from what I'm seeing.

michael_devins
Contributor II

@Nick_Gooch Is the student's username the same as the email username@school.edu? If so, you could try matching criteria of "Managed Apple ID starts with Username (JSS)". Student ID numbers make great matching criteria (Source System Identifier from Apple School Manager) if you've got them.

@cdenesha While Apple School Manager syncing will download all changes from Apple, there is not currently an option to automatically import all changes. The primary concern here is the potentially massive amount of user and class data that could end up in someone's JSS, especially if matching validation is required.

That being said, once a class has been imported, any new users added to that class from your Apple School Manager sync will automatically be imported and added to the class.

If you have a workflow that would benefit from an Automatically Import All Users type of functionality, you should definitely file a Feature Request so we can evaluate how helpful this could be to the entire community.

Managed Apple IDs will be created for every user within Apple School Manager (even if you choose not to use them). This detail is generally pretty useful for matching criteria regardless of whether a student actually uses it. Some schools have actually inserted other variables into the username field of the student's Managed Apple ID if you have unique matching criteria needs (i.e. lastname_studentID@school.edu).

jbutler47
Contributor

Attaching my ASM CSV field comparison to our PowerSchool data fields. Haven't tested it yet due to the new way to import data on ASM.

The visual representation might be worthwhile to understand data consistency with the CSV files and how that may impact your SIS export.

Hope it helps you.

UPDATED: 081216 with new Picto-gram of the data flow and PowerSchool (work in progress). It is the one on top.

cdenesha
Valued Contributor II

@jbutler135 Thank you for the PS matching graphic - I'll bring it to my data person when we meet.

When the SFTP process went live Monday I was still in testing mode so no live data. I decided to import what they sent me. The instructions stated to zip so I zipped all 6 into one archive and uploaded. No problems.

I don't think you need to do all your students at once. Because of the dependencies between the tables/csv files you would need complete information for those students, i.e. the Location, Instructor etc. as those IDs are in the other tables/csv files.

I don't see a problem with re-uploading, it seems to overwrite fields with updated data, like new names, grades, etc.

Still using dummy data until my TAM gets back to me to find out why I can't sync the last upload from ASM to Casper..

[edit] typo due to auto-correct

cdenesha
Valued Contributor II

@michael.devins Thank you for your details.

While Apple School Manager syncing will download all changes from Apple, there is not currently an option to automatically import all changes. The primary concern here is the potentially massive amount of user and class data that could end up in someone's JSS, especially if matching validation is required.

I'm confused as to the difference between the sync with ASM and the Import. Wouldn't a sync also be collecting a massive amount of data into the JSS?

At this point I have no idea what I'm going to be matching on. The format of our teachers' email address is username@schooldistrict.org but our students' email address is username@students.schooldistrict.org. ASM won't let me have more than one domain. I may use the 'starts with' to match on username - that is a good thought, thank you. The Student ID is a unique identifier - who actually has that as a field in LDAP? And it doesn't seem to populate over to my custom EA for newly created user objects anyway.

chris

michael_devins
Contributor II

You're welcome @cdenesha!

When the JSS syncs with Apple School Manager, we pull down the entire data set of users and classes from Apple's Roster API and store it locally for use by the JSS. This happens at every scheduled sync. Unfortunately, the only option is to collect the entire data set at every sync - there is no partial or delta sync option available with the Roster API.

Once a copy of your Apple School Manager data has been synced down to the JSS, you can Import Classes or Users and use them within the JSS.

The reason this is a two step process is because many customers have more users in Apple School Manager than they want in the JSS. Additionally, schools leveraging SIS integration may not actually use every Class as a Class within the JSS.

While you have the option to import all users or import all classes (which would automatically import subsequent users added), it is a two step process. If we learn that many customers don't need that distinction, we can explore the design of additional workflows around that use case.

The other thing you can try is doing two separate imports. In my experience, the Managed Apple ID format settings will be applied to any new users imported/created, however it can be changed over time.

In other words, if you need different Managed Apple ID domains for the two populations, you could potentially setup the Managed Apple ID "Format A" and import all teachers. Then change the Managed Apple ID format to "Format B" and import all students. Not ideal but it might be something to explore.

LDAP users cannot currently map fields to custom EA fields. That would make for an excellent feature request (or vote on this guy if it articulates your request: https://jamfnation.jamfsoftware.com/featureRequest.html?id=2551). It's something that would be a great enhancement if we see enough input on its value from the community.

Thanks for the dialogue!

cdenesha
Valued Contributor II

@michael.devins This is incredibly helpful, thank you for jumping into this thread and providing explanatory background info! The Admin Guide tells you the options but I can better architect my solution when I truly understand what is going on!

While you have the option to import all users or import all classes (which would automatically import subsequent users added)

This sentence prompted me to go back to the Admin Guide and Tech Paper (again). I was missing two pieces:

  1. I was looking at the ASM -> JSS connection from a User centric point of view and couldn't figure out how the new users that enroll mid-year would come over. I see now that they'll be created if they are in a Class that I have previously imported.
  2. They'll do this whenever the ASM sync occurs and are not a separately scheduled process.

It would be really really really nice if the new user objects created during the ASM sync/import could be LDAP users. Please see this FR.

In regards to the User Object, thank you for the link to the FR. I actually have voted on that FR - I've been missing this feature since Users were added in 9.3! This FR and this FR can also be upvoted!

However what I meant was this: Let's say I have populated the Student ID into a User EA called StudentNumber, and I match on that and on ASM's Source System Identifier. If it doesn't match then a new user object is created during import... but the StudentNumber field of the new user is blank! I would expect the field to be populated for future matching purposes. This is very low priority though as I've decided to match on Managed Apple ID.

michael_devins
Contributor II

Good stuff @cdenesha.

Great questions around the LDAP workflows. We've spent a lot of time examining the various complexities of LDAP users and Apple School Manager matching. While we haven't solved for all of these permutations (thanks for the feature requests!), we did add one more small feature as a part of the 9.93 release.

When a new user is created from Apple School Manager, we will populate the JSS username field from the username of the Managed Apple ID.

For example, an imported new user from Apple School Manager with the Managed Apple ID "j.appleseed@appleid.school.edu" would create a new user in the JSS with the username "j.appleseed".

Subsequently, when a new student enrolls a device with LDAP credentials, the JSS will identify that the LDAP user/username already exists and it will append the LDAP info to the imported user. This would be important for anyone who wants to set up classes over the summer and then have students enroll hardware at the beginning of the year.

In order to benefit from this type of LDAP matching, you would need to have Managed Apple ID usernames that match your LDAP usernames.

With regard to Student ID numbers and LDAP mapping, it is definitely starting to matter more and more for these matching workflows. While some type of Global Unique ID from SIS would be ideal for matching, the Student ID number is probably the best that most schools can hope for. (Apparently some organizations recycle Student ID numbers after a number of years, hence the lower fidelity for matching).

We are very interested in learning more about how education workflows will come to rely upon Student ID numbers in the JSS for matching (and other LDAP mapping workflows) so we can make improvements in that area.

Olson
New Contributor II

I've imported all my users. Yay. Unfortunately, it updated my user email fields with the new or updated Apple IDs. So my emails are no longer correct either because they added appleid in the domain field and/or added a -1 to the username part of the email. I assume I have to edit these by hand? Is there another way to do a mass change? Or is this a waste of time, because each time there is an import of users the email and username fields revert back to these imported values from the ASM?

cdenesha
Valued Contributor II

@Olson It sounds like you were working on your Production server and not a Test server? For the users connected to a Computer or Mobile Device, you could use the Mac app 'JSS MUT' to match a CSV of serial numbers and then update various fields - the email address is one of them. Be Careful!!

Thank you for reporting this though - I had not fully tested with the .appleid style Managed Apple ID as we were going to try and use email addresses.. but that isn't going to work. I've done some further test importing:

For the sftp upload to ASM, the first name, last name, grade, and email address can be changed. The sis_username is not exposed in the UI so I don't know about that.

For a brand new JSS user created from an ASM import, the Managed Apple ID is indeed going into the email address field. Also the username is being created from the base of the Managed Apple ID before the @ sign. I now see this noted in an earlier post in this thread.

When a new user is created from Apple School Manager, we will populate the JSS username field from the username of the Managed Apple ID.

@michael.devins Do you know if the email address and sis username fields are exposed by the ASM API? If so, I think ASM email should go in JSS email. I also think ASM sis username should be the JSS username, which I expect would match the student's username in LDAP. However in practice not all districts use just the username for the base of the email. In our district they are different because we prepend the expected Year of Graduation, i.e. johnsmith has 17johnsmith@students.district.org.

For matched JSS users, it seems that this does not happen. This is because once matched no data on the 'General' tab is ever updated, just the 'Roster' tab. The 'Roster' tab has one field that currently changes, the name. @Olson your existing matched users should not be getting their email addresses changed..

For me, the ASM sync creating non-LDAP users, and this email address being populated from the Managed Apple ID, are going to cause a different workflow. I'm either going to 1) import ALL my new users into the JSS with the API first and specify that they be LDAP users, or 2) allow ASM to create them but then use the API to change them to LDAP users. The latter would probably be easier as long as I'm sure I can change them. Then my email field in 'General' can be fixed with the LDAP update that happens with an Update Inventory.

chris

cdenesha
Valued Contributor II

Whoops! Bad logic. I can't have ASM create my users from the base of the Managed Apple ID, because of that Year of Graduation. [Note to self: don't test with test usernames that begin with numbers]

I'm going to be importing ALL my new users into the JSS with the API first and specify that they be LDAP users. That way my ASM Matching will work:

'Managed Apple ID' CONTAINS 'Username (JSS)'

michael_devins
Contributor II

Good question @cdenesha. Apple School Manager and the Roster API only return the person's Full Name, Managed Apple ID and optionally grade level in addition to some system identifiers. We do not receive any username fields nor do we receive any actual email addresses (might be a good feature request for Apple if this could be helpful information for your deployment).

Because of the nature of the dataset from the Roster API, we have been iterating workflows based upon the very critical Managed Apple ID.

As previously stated, JSS 9.93 will peel off the @school.edu for creating usernames and it will insert the Managed Apple ID as the email address verbatim when creating a new user (since email address is a required field for new users). As a part of our next release, we will extend the import logic as it relates to Managed Apple IDs and Email addresses.

In 9.96, a new user will still truncate the username (same as 9.93). Additionally, the Managed Apple ID will be inserted into the email field. The difference is that if there is an "appleid" subdomain, that will be automatically removed when populating the email field.

Example:
Johnny Appleseed has a Managed Apple ID of jappleseed@appleid.school.edu. Upon importing, no matching user is found. The new user for Johnny Appleseed would have a username of "jappleseed" and an email address of "jappleseed@school.edu".

In this example, you could see how a school might create Managed Apple IDs based upon user email addresses and then always insert the "appleid" subdomain. Upon importing into the JSS, the user might match (based upon available criteria) and append to an existing user. Alternatively, a new user would be created and the JSS would essentially revert to the proper email address by removing the "appleid" subdomain from the Managed Apple ID. Of course, this assumes that your email address username and your directory service username match.

Note: In the long term, Student ID numbers or Global Unique ID numbers (from SIS) will likely be the best matching solution. Until now, there haven't been many compelling reasons to append this extra detail to users throughout all of the various systems at play. Once those ID numbers actually propagate from SIS to directories and into the JSS, they will offer a much more accurate matching solution for Apple School Manager.
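
The import behaviour and matching operators discussed above, sketched as an added example for dry-running a matching criterion before importing; it is not part of any post and is not Jamf's code. It generalises the single Johnny Appleseed case to both operators mentioned in the thread. The function names, the sample data, case-insensitive comparison and the "ambiguous" status for multiple hits are assumptions; the thread does not say how the JSS handles more than one matching user.

```python
# Added illustration, not Jamf code: models the behaviour described in the thread.
OPERATORS = {  # "Managed Apple ID <operator> Username (JSS)"
    "contains": lambda maid, user: user in maid,
    "starts with": lambda maid, user: maid.startswith(user),
}

def split_maid(maid):
    """Split a Managed Apple ID into (local part, domain)."""
    local, _, domain = maid.partition("@")
    if not local or not domain:
        raise ValueError(f"not a Managed Apple ID: {maid!r}")
    return local, domain

def derive_new_user(maid, strip_appleid=True):
    """(username, email) for a user created at import, per the posts above.

    strip_appleid=False: 9.93 as described (email is the MAID verbatim).
    strip_appleid=True:  9.96 as described ("appleid" subdomain removed).
    """
    local, domain = split_maid(maid)
    labels = domain.split(".")
    # Assumption: only a leading "appleid" label is treated as the subdomain.
    if strip_appleid and len(labels) > 2 and labels[0].lower() == "appleid":
        domain = ".".join(labels[1:])
    return local, f"{local}@{domain}"

def candidates(maid, jss_usernames, operator):
    """JSS usernames satisfying the criterion (assumed case-insensitive)."""
    test = OPERATORS[operator]
    return [u for u in jss_usernames if u and test(maid.lower(), u.lower())]

def audit(maids, jss_usernames, operator="contains"):
    """Dry-run a matching criterion before importing anything."""
    report = {}
    for maid in maids:
        hits = candidates(maid, jss_usernames, operator)
        status = "match" if len(hits) == 1 else "ambiguous" if hits else "new"
        report[maid] = {
            "status": status,
            "hits": hits,
            # What a newly created user would look like if nothing matches.
            "new_user": derive_new_user(maid) if status == "new" else None,
            # The thread reports "-1" being appended to colliding IDs.
            "dup_suffix": split_maid(maid)[0].endswith("-1"),
        }
    return report

# Constructed sample data (not from any real deployment).
JSS_USERNAMES = ["johnsmith", "john", "jappleseed"]
MAIDS = [
    "17johnsmith@appleid.district.org",
    "jappleseed@appleid.district.org",
    "mdoe-1@appleid.district.org",
]

if __name__ == "__main__":
    for op in OPERATORS:
        print(op)
        for maid, row in audit(MAIDS, JSS_USERNAMES, op).items():
            print(" ", maid, row)
```

With the sample data, "contains" flags the year-prefixed ID as ambiguous because both "john" and "johnsmith" are substrings of it, while "starts with" finds no match and would create a new user.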

ayork
New Contributor II

I'm having major issues with the different IDs and matching them up in PowerSchool. Has anyone got ASM import working yet?

jeremyschoonove
New Contributor

We haven't, and we're finding that PowerSchool has assigned the same ID (which would end up being the "person_id") to some teachers and students. Has anyone else seen this?

cdenesha
Valued Contributor II

I haven't, and have decided not to until it all works properly. Please see this comment for my primary concern.

RLR
Valued Contributor

How can we change Apple Classroom so it displays student name instead of their email address?

Edit: Seems like it is displaying student names and the teacher was reporting something different.