iPad permissions/restrictions based on network segmentation

toolrules
New Contributor

I've searched through the forum, and earlier discussions on this topic are now too old to ask for additional information within.

I'm tagging two users who have provided solutions for this discussion, but kindly I would ask for additional information/confirmation: @tobiaslinder and @kitzy

Background:
I'm a parent with a student in a school district with a 1:1 iPad program. The district does not have iBeacon hardware. The district allows students the use of applications that I would prefer be used only at school. When the device is off campus, I would want the device to have access to only parent-permitted applications (valid educational applications). In a household of devices to monitor, having one device not managed similarly is a disruptor.
Efforts at home to minimize the device's disruption to family and student sleep include utilizing MDM on our family-owned iOS devices (OurPact). I disable wireless access at home for the 1:1 device - however, that creates additional work to enable/disable when the device is actually needed for school work, and it makes it more difficult to provision access when I'm not at home.

My understanding:
There are at least two ways of having a student profile enacted. The first possibility is via use of iBeacons. When the device is in range of the iBeacon, the device enacts the appropriate profile.
A second solution involves the setup of network segmentation within Casper for the campus. When the device checks in with Casper, the device's network configuration is inspected and, based on its network configuration, a profile will be provisioned to the device.

Work Flow:
My student arrives at school. The device joins the campus network. The device checks in with Casper. The device is inspected for network configuration, and Casper identifies the device as being within the campus domain (network segmentation). Casper deploys the campus profile to my student's device.
My student arrives at home. The device joins my home network. The device checks in with Casper. The device is inspected for network configuration, and Casper identifies the device as being outside the campus domain (network segmentation). Casper deploys the off-campus profile to my student's device.

Questions:
Is what I presented above a current and possible solution that can be implemented by the district? What pieces have I wrong? When reading Casper documentation, which topics should I become knowledgeable of? Have I missed other JAMF discussions which can provide additional information?

Thank you for your time -

2 REPLIES

tobiaslinder
Contributor II

Hi @toolrules. This would be a very clever workflow, but the problem is that the IP address of the device is only reported to the Jamf server once a day during the inventory update.

A possible solution to that problem would be to send out an API command (here is an example: https://www.jamf.com/jamf-nation/third-party-products/files/823/updatedeviceinventory-py-update-mobile-device-inventory) to trigger the update inventory more often.

I am not sure if this is breaking the rules with Apple if you trigger update inventory, for example, every 15 minutes. Can someone please chime in who has knowledge about that subject?

cdenesha
Valued Contributor II

Apple recommends a max of one Update Inventory (check in with Casper / Jamf Pro) per day, so that is the smallest time increment in Jamf Pro. Asking for just another couple of updates per day is not a huge issue for Apple and they do not enforce it. Every 15 minutes? I would think that is excessive as the use of the APNS servers goes up, but again I'm not sure Apple would 'catch' you.

Going back to the original question... Theoretically your logic is sound, but the problem is the check-in at school and the check-in at home when the server only asks for an update 24 hours after the previous update.

Here is one Feature Request to read and here is another.

I struggle with the same issues at my home. It is on my to-do list to find a better home MDM or perhaps one with a local app that can implement time-based controls.

chris
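
The timing problem raised in both replies, as an added example that is not part of the original thread and is not Jamf code: a minute-by-minute model of a device whose profile is chosen from the last IP address the server has on record. The campus range, the sample addresses, the 08:00-15:00 school day and the assumption that a profile switches the instant a report arrives are all constructed for illustration.

```python
import ipaddress

# Assumed values for illustration only (not from the thread or from Jamf).
CAMPUS_SEGMENT = ipaddress.ip_network("10.20.0.0/16")  # hypothetical campus range
SCHOOL_IP = ipaddress.ip_address("10.20.14.7")         # constructed sample address
HOME_IP = ipaddress.ip_address("192.168.1.23")         # constructed sample address
DAY = 24 * 60                                          # minutes per day


def actual_ip(minute_of_day):
    """Location model: on the campus network 08:00-15:00, at home otherwise."""
    return SCHOOL_IP if 8 * 60 <= minute_of_day < 15 * 60 else HOME_IP


def profile_for(ip):
    """Segment check: campus profile only if the IP is inside the campus range."""
    return "campus" if ip in CAMPUS_SEGMENT else "off-campus"


def mismatch_minutes(interval_min, first_report_min, days=3):
    """Minutes on the final simulated day during which the profile chosen from
    the last *reported* IP differs from the one the *actual* IP calls for."""
    reported = None
    wrong = 0
    for t in range(days * DAY):
        # An inventory report, when due, refreshes the server's view first.
        if t >= first_report_min and (t - first_report_min) % interval_min == 0:
            reported = actual_ip(t % DAY)
        # Only score the last day, once the schedule has settled.
        if t >= (days - 1) * DAY and reported is not None:
            if profile_for(reported) != profile_for(actual_ip(t % DAY)):
                wrong += 1
    return wrong


if __name__ == "__main__":
    cases = [
        ("daily, reported 09:00", DAY, 9 * 60),
        ("daily, reported 20:00", DAY, 20 * 60),
        ("every 4 hours", 240, 0),
        ("every 15 minutes", 15, 5),
    ]
    for label, interval, first in cases:
        print(f"{label:24s} wrong profile for {mismatch_minutes(interval, first)} min/day")
```

With a single daily report, the device keeps whichever profile matched the network it was on at report time, so in this model it is wrong either for the whole school day or for the whole time at home.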