Jamf Nation Community

nsdjoe · ‎06-03-2013

I talked to several of you at JNUC 2012 and ACPE 2013 about how I’ve used Casper to “push” App Store apps out to iPads wirelessly without requiring the end user to enter an Apple ID or a password. I thought I’d share the current step-by-step process that has been working for me in our iPad pilot since the start of the 2012-13 school year.

Yes, it is a long process. But once everything is set up, you only need to do a few steps to upload and push out new apps to groups of your iPads OTA. I can set up a new app and have it ready to distribute to all of my iPads in about 3 minutes.

Is this the perfect way to deploy apps? No. There are pros and cons to this process like anything else. I’m not here to discuss whether it is the “right way” or “wrong way” of doing things. There are definitely some caveats. I’m just sharing these instructions to show that it is technically possible to do so with Casper’s tools, and might be something you may want to consider depending on your deployment plan.

DISCLAIMER: This process is not supported by JAMF or by Apple. They are both aware of this workaround and have told me that if it ever stops working they won’t be able to help. Its been working just fine for me the past 8-9 months (since August 2012). Other MDM providers have a similar workaround and I’ve talked to several folks who have been doing it on other MDMs for over a year. The process below is what has been working for me with the Casper Suite v8.6 and v8.7.

WARRANTY: There is none. Use at your own risk.

IMPORTANT: This process will only work if the (1) imaging computer, (2) master iPad “image” (i.e. encrypted backup), and (3) App Store app purchases are all linked to the same “master” Apple ID at the time of imaging/restoring the iPad. Once the iPad has been “imaged” with the steps below, you can log off the school’s “master” Apple ID on the iPad and the process will still work. So you can use this process if you want to have a 1-to-1 “Layered Ownership” deployment model. For example your school or district could use this method to “push” paid apps when VPP codes have been purchased so that your organization maintains ownership of the apps, but have teachers and students use their own Apple IDs to download free apps from the App Store.

Phase 1: The Initial Setup

Set up an imaging computer. Authorize iTunes with your school’s “master” Apple ID (iTunes -> Store -> Authorize This Computer). If you are going to image a large number of iPads and need a lot of imaging computers, you will want to contact your Apple SE to allow you to authorize more than 5 computers with this “master” Apple ID (the normal limit is 10 devices, but only 5 of them can be computers... have Apple temporarily lift that limit to the number of imaging computers you plan to use for your initial deployment).
Set up a web server folder where you can upload app .ipa files (iPads will be downloading apps from this location). If you don’t have a web server available, you can upload directly to the JSS (the JSS upload works for most apps, but in testing last fall there were several apps that didn’t upload properly for me. I’ve heard of other issues too with uploading directly to the JSS. The web server process has worked 100% of the time for me so that is the process that I will focus on below).
Build a master “image” on a new iPad. For a faster imaging/restore process (outlined in Step 7 below), don’t install too many apps on this master “image” (they can be installed later). Configuration profiles can also be sent out later. Some things you may want to include in the master image:
--a. WiFi setting (required for OTA enrollment into the JSS)
--b. At least one iPad app using your school’s “master” Apple ID
--c. Safari bookmarks
--d. Casper enrollment webclip or bookmark (unless you plan to enroll with Apple Configurator)
--e. Adjust various preferences in Settings
Sync the iPad with iTunes on your imaging computer. Be sure to select Automatically sync apps to my iPad.
Make an encrypted backup of the master iPad on the imaging computer. Make sure it is encrypted (in the iTunes Summary screen, scroll down and select "Encrypt local backup"). Encrypting the backup saves many of the usernames and passwords entered during the building of the master iPad. You might want to duplicate and store a copy of this backup in another location in case it needs to be used again. It is located in ~/Library/Application Support/MobileDevice/Backup.
Disable automatic backups in iTunes.
--a. Quit iTunes
--b. Open Terminal
--c. Type or copy/paste the line below:
defaults write com.apple.iTunes AutomaticDeviceBackupsDisabled -bool true
--d. This will prevent automatic backups from running. You can still manually run backups by Ctrl+clicking the device in iTunes and selecting “Back up.” If you ever want to change iTunes back to running auto backups, copy/paste the same code above, but change “true” to “false.”
Activate and restore the encrypted backup to new iPads.
--a. Launch iTunes
--b. Plug an iPad into the imaging computer. It will show up under Devices in iTunes.
--c. If it prompts you to activate and register the iPad, enter the “master” Apple ID and password to register the device. If there is an iOS update available then click the restore button from the summary screen in iTunes to update it. Once the iOS upgrade is complete, the iPad will reboot.
--d. Perform a restore from the "master" backup (created in Step 5 above).
--e. The iPad will reboot once more when this is complete.
--f. Now the device will start to sync any apps that were added on your “master” iPad image.
--g. When syncing is complete, change the name the iPad by highlighting the name in the left column of iTunes and typing a new name (to whatever your naming convention will be). Then eject the iPad.
Enroll the iPad into the JSS. You can enroll it via Configurator with an enrollment profile, or hand the iPad to the user and have him/her enroll it via a Casper enrollment webclip or bookmark.

At this point you have completed the initial setup and deployment of an iPad, ready to be handed over to the end user. The iPad is now configured to accept apps that you “push” out to it.

Phase 2: Pushing The App

For paid apps, you must be enrolled in Apple’s Volume Purchase Program. Only scope to the number of iPads that you have purchased VPP codes for.

On page 23 of Apple's iOS 6 Education Deployment Guide it states, "For app purchases, education institutions have the option of redeeming one app code per iTunes authorized computer, or “configuration station,” and retaining the rest of the codes as proof of purchase. For these configuration stations, the End User iTunes account may be created using a school-controlled email address, and the configuration station administrator should be an authorized user."

We’re going to do something similar to that.

On the imaging computer (which was activated with the school’s “master” Apple ID), use the iTunes store to download an iPad app (for paid apps, redeem one VPP code). These downloaded apps will be located at ~/Music/iTunes/Mobile Applications. After downloading the app (or multiple apps), make a copy the .ipa file, and place the copy on your Desktop. Work from the copied file on your Desktop (just in case something goes wrong in the process, you still have the original .ipa file in your Mobile Applications folder).
Get information about the app file for the JSS.
--a. From your copied .ipa file on the Desktop, change the file extension from .ipa to .zip.
--b. Double-click on the .zip file to open it.
--c. Double-click on the iTunesMetadata file. Keep this TextEdit file open. In the next step you will need the information in this file under (1) playlistName, (2) bundleVersion, and (3) softwareVersionBundleID.
Add the app.
--a. Click Management -> Mobile Device App Catalog -> Add App
--b. Select In-house app and click Continue.
--c. From the TextEdit file (from Step 2c above) copy/paste the following:
----I. App Name = playlistName
----II. Bundle ID = softwareVersionBundleID (sometimes called bundleVersion)
----III.Version = bundleShortVersionString
--d. Choose a deployment method (Self Service or Prompt User). If you are deploying to a large number of devices OTA, the Self Service option may be better so that all devices aren’t downloading at once. For example, choosing Prompt User when trying to send out an app like The Elements (which is 1.7 GB in size) to several hundred devices in your school at once might not be a good idea.
--e. Check boxes as needed (managed app, remove app, etc)
--f. Upload the .ipa file.
----I. Next to Icon, click on Upload icon. Click Choose File. Navigate to your Desktop copied folder and go into the unzipped app folder. Highlight iTunesArtwork and click Choose. Then click Upload Selected File.
----II. Copy the .ipa file from ~/Music/iTunes/Mobile Applications up to your web server location.
----III. Choose Hosting Location -> Host on web server.
----IV. Next to URL to IPA File, enter the URL of the .ipa location of the web server you set up earlier.
----V. Scope it to the appropriate group of iPads. For paid apps, be sure you have purchased the same number of VPP codes as the number of iPads you are scoping to.
----VI. Click Save.

If you chose Prompt User in Step 10d above, the end user will receive an APN pop-up message that will require the user to click a button to install the app. No Apple ID to enter. No password to enter. Just a single click on the Install button and the app will install. If you chose Self Service, the user will use the iPad Self Service app and click on the In House App tab to install the app. They will also receive an APN pop-up message requiring the click to install. No Apple ID or password required.

Phase 3: Updating Apps

When app updates are available, I’ve been posting the updates to Self Service (the end user is not able to update the app via the App Store). Here’s how I’ve been updating apps.

In iTunes on your imaging computer, on the left side under Library select Apps.
In the bottom right corner, click on the button that says “xx Updates Available”
Make note of the app(s) that you will update (so that you know which ones in the JSS you need to edit).
Click Get Update on the app(s) that you would like to update. This will download new .ipa files into ~/Music/iTunes/Mobile Applications.
Upload the new .ipa file to your web server.
In the JSS, edit the App Catalog listing for the app (Note: Do NOT delete the app listing in the JSS. Choose Edit). Confirm that the App Name, Bundle ID, and Version match the info in the new iTunesMetadata file (usually its just the version number that changes, but sometimes the app name changes too so double check both of them). Make changes as needed.
If needed, change the deployment method to Self Service.
Next to URL to IPA File, enter the new URL of the .ipa location on the web server (usually the version number is included in the file name, so that will probably be the only part in the URL that needs to be changed).
Click Save. The end user will now see the update listed in Self Service under the Updates tab.

That’s it!

Again, I am not saying that this process is the best way or right way to distribute iOS apps. It is just one undocumented way of deploying apps with Casper where school districts or other educational institutions need to maintain ownership and control of paid apps. It has its pros and cons like everything else but might work for you depending on your deployment scenario.

I hope that Apple makes it easier for us iPad administrators to deploy apps in the future. Until then, this is one process that may interest you.

Enjoy,
~Joe

CasperSally · ‎06-19-2013

Joe,

Thanks for posting this, I'm not sure how I missed it when you originally posted back in March.

It’s an interesting way to push apps via JAMF without the Apple ID prompting, I guess it’s faking it like it’s an in house created app so iTunes stays out of it? How many are you managing? The initial iTunes restore backup process was taking us too long (plugging in each ipad one by one, we’re up to 700ish iPads in elementary shared environments). It’s stupid that iTunes doesn’t let you restore to multiple devices at once like Configurator does – it really is a big time savings for us to do 30 restores at once versus 1 (and update iOS at the same time to latest).

nsdjoe · ‎06-19-2013

Yeah, the workaround basically uses the JSS instead of iTunes or Apple Configurator to distribute the app as an in-house app, and it does so OTA by linking to the ipa file stored on a web server. By satisfying Apple's DRM requirements on each device with the "master" Apple ID before giving it to the end user, the end user won't be prompted for an Apple ID or password when he/she installs additional apps from Self Service.

We use iTunes to initially "image" the iPads with an encrypted backup but we only install one app during imaging (goes a lot quicker that way). Apps are then downloaded later via Self Service. One cool thing about the In-House tab in Self Service is that there is an "Install All" button in the upper right corner (unlike the App Store tab where you can only download one app at a time). The user will get an APN pop up for each app as it installs from Self Service, but all they have to do is click "Install". No Apple ID or password required :)

bcampbell · ‎07-17-2013

Thanks for sharing this Joe. We have been coming up to speed for using Casper to manage iPads during this past year at my school. Our plan is to restrict App Store access on student iPads in the fall. Current thinking before reading your post is that, we will have to open up access on an occasional basis (likely during class under teacher supervision) for app updates and to install any new apps even if deploying through Casper. From reading the details of your method above, it sounds like Apps get installed without using the App Store. So does that mean you can deploy apps using your (unsupported I realize) method while keeping the App Store app unavailable on the iPad?

nsdjoe · ‎07-22-2013

Hey Bill,

You are correct. The App Store is bypassed using this method. Therefore, you can deploy apps while maintaining the App Store restriction. I just did a test on an iPad here at my desk where I applied a configuration profile via JSS with just the App Store restriction. I applied it and the App Store icon disappeared. I then went to Self Service and was able to install apps without any problem.

So you can use this process if you want to have an "Institutional Ownership” deployment model and do all of your app distribution OTA.
~Joe

blackholemac · ‎07-30-2013

To all those using this method,

I've been hesitant to chime in and I know no one will endorse us doing it, but we are probably going to anyway. Putting this aside, I have a practical issue with it. It seems to work almost flawlessly except for one problematic app in our deployment.

Can anyone here get Doodle Buddy for iPad (a free app) to work with this method? Here's the iTunes Store link: https://itunes.apple.com/us/app/doodle-buddy-for-ipad-paint/id364201083?mt=8

It seems to be missing some of the required metadata. Every time I have tried, I've failed (both uploading to the JSS and hosting on a web server). Any secrets, tips, tricks...if not, I'm thinking of making it the "at least one app", but I'm trying to make the "at least one app" be a small one that is NEVER updated. Any thoughts or ideas?

ItsMe_Sean · ‎07-30-2013

Post deleted

ItsMe_Sean · ‎08-09-2013

Post deleted

ItsMe_Sean · ‎08-11-2013

Ignore the previous 2 posts :P

Blackholemac

For your issue, I have done some messing around and have deployed the app successfully.

I used the following data from the app.

----I. App Name = playlistName

----II. Bundle ID = softwareVersionBundleID (located near the end of the data file) formatted like "com.pinger.doodlebuddyipad"

----III.Version = bundleVersion / bundleShortVersionString (usually something like 1.2.3)

Using this data everything seems to deploy fine for me.

blackholemac · ‎09-11-2013

figured out my previous problem...oddly enough collecting the info from iPhone Configuration Utility (not Configurator) was the solution...strange but it worked.

Moving past that problem...now, I'm having a problem where initial deployment goes very well. When a user tries to update an app that I have published an update for, it is now asking the user to enter an AppleID/password to use the app.

Any ideas?

ItsMe_Sean · ‎09-11-2013

Hi Blackholemac

Are you trying to update the apps via the app store and not via self service? If so that will be what is causing your issues. If you update via the app store it will always ask for the apple ID used to purchase the app, but if you load it into self service and do the updates using the procedure described in Phase 3 of this guide it should work for you.

Regards
Sean

blackholemac · ‎09-12-2013

no i'm not...I'll give you a "for instance".

User had teacher ipads and student iPads deployed using this method. A handful of free and paid apps were included.

User is informed about an "update" to Educreations, a free app. Instead of updating at the app Store, user goes to Self-Service where I had published the update. Users updates the app. User launches app it asks for authentication. I did verify that was the case and sadly it is.

nsdjoe · ‎09-12-2013

Hi blackholemac,

I wonder if the issue you are experiencing is due to an expired key bag, where the credentials of the iTunes account expired on the device. All existing apps will run, but if you push a new app or update to the device, the new or updated app won't work.

The only ways I know of to refresh the key bag on the device are: (1) manually enter the "master" Apple ID and password on the device when prompted, (2) on the device go to the App Store and download a new app with the "master" Apple ID and password, or (3) connect the device to a computer running Apple Configurator and install an app that was purchased/VPP redeemed with the "master" Apple ID. These methods will satisfy Apple's DRM requirements on the device for the "master" Apple ID and should allow deployment of the app(s) to the devices.

This issue could potentially happen on any MDM that allows pushing 3rd party, already signed, apps to devices. I haven't experienced it myself, but from the sounds of it your situation could be the result of this happening. :(

blackholemac · ‎09-13-2013

Joe,

Thank you ever so much for your patience in working with me. What you are describing sounds EXACTLY like what happened. I've never heard of the "key bag" but I've been assuming it was an expired "certificate". That is entirely possible because this Configurator station has been in use LONG before our 1 to 1. At least a year and a half.

Your 3 ideas to refresh the key bag are exactly the only three ways I've found to deal with this. I have the App Store disabled on student devices but confirmed on a teacher device that this fixed the issue. For the student machines, I've done your first idea and that put the Apple ID into the iTunes and App Store setting in Settings app. That seems to fix it. Connecting a device to Configurator works too but is a pain because we have a central Configurator station. I verified though that setting up a new iPad for one of the afflicted classrooms with the afflicted apps works fine.

Before trying to refresh the keybag though, I tried pushing a new app to the device and it two wanted the master account. Buggers...I'm going to read up on the keybag online. I also am going to keep reading for how Apple plans to deal with VPP in iOS 7. I've seen all kinds of marketing materials talking about the process, I've even watched the WWDC session that talks about it...I want to see it in action and see how Casper interacts with it.

Thanks again,
blackholemac

cdenesha · ‎10-08-2013

nice post - thank you!!!

With some help I was able to set it up to publish the In-House apps via Casper's Tomcat using the same base URL and port 8443. That way students can install from home if they wish.

chris

Sean_Ginn · ‎10-10-2013

I have been running into an error that i can't seem to circumvent. I have added the requested information into the correct fields (I Think) and i am getting "Value does not match contents of archived app file(). Is this an expected outcome and it will just work or am I doing something wrong. Thanks everyone for the the help I really appreciate the OP for letting us know that we don't have to freak out entirely.

cdenesha · ‎10-10-2013

It sounds like one of the three things you pasted is not matching what is in the app bundle. I would try again.

Sean_Ginn · ‎10-11-2013

Am i pasting the entire <string>"Value"</string> or just "Value" ? Is this possibly different with the new version of JSS?

cdenesha · ‎10-11-2013

Just the value.

Should be the same.

Feel free to email me if you want me to try with my JSS.

chris

sboutot · ‎12-16-2013

I have been attempting to do this workaround. I have a few questions as I am new to iPads and with all the changes this fall it has been quite a maze. 1. does the iPad have to be brand new or can it be restored to new state?
2. are you supervising or performing any other AC deployment methods?

I get as far as having the encrypted backup, the encrypted backup iPad will install all from the in-house list in self service. I image other iPads and they all still ask for the apple id password.
thank you

nsdjoe · ‎12-16-2013

A few people have asked me if this process will work if iPads are not deployed with encrypted iTunes backups (but rather with an Apple Configurator backup).

Yes, it can still work. We have a few carts of Supervised iPads that I had to "image" with a Supervised backup instead of an encrypted iTunes backup. What you need to do is install at least 1 free app using Apple Configurator where the app is originally downloaded in iTunes using the "master" Apple ID and use that same Apple ID in Apple Configurator to distribute that app. If the free app installs correctly to the iPad via Apple Configurator with the "master" Apple ID and launches without crashing, then the in-house process above will work. Make a Supervised backup of this iPad and restore that Supervised backup to your iPads. All is good.

Here's one cool thing when using Supervised backups in iOS 7 and Casper 9… When you set up the app in the JSS and choose "Prompt User to Install," it does not prompt the user to install the app…it just installs it without any user interaction. No install prompt, no Apple ID, no password. It truly is a silent install :)

Another cool thing… it appears that app updates can be run via the App Store rather than Self Service even with apps that were originally deployed with Self Service and it does not prompt the user for the "master password." I haven't done a lot of testing with this, but it appears to work on my test iPads here at my desk. I'll do some more testing this week.

These features are really helping to make enterprise iPad management easier for Casper mobile admins (I just wish these methods were supported by Apple and JAMF)!

Hope all is going well with everyone.
~Joe

nsdjoe · ‎12-16-2013

@boutots
Welcome to the world of enterprise iPad management! Yes it is a maze, and I hope we can help you navigate through it. To answer your questions…

1) No it does not have to be brand new. You can wipe old iPads to defaults or restore an encrypted iTunes backup (which wipes it) and the process will work.

2) Last year, we didn't use Configurator. We did not want to Supervise our iPads (because of the limitations pre-Configurator 1.4). This year, we are Supervising and are able to get this process to work (see my post above).

I'm not sure why your other "imaged" iPads are asking for the Apple ID. The key is to make sure you have at least one app installed using the "master" Apple ID on your "golden image", and then make the encrypted iTunes backup of that iPad. Also be sure that you have "Automatically sync apps to my iPad" selected in Step 4 of Phase 1. Wipe an old iPad (go to Settings -> General -> Reset -> Erase All Content and Settings) and try restoring the encrypted iTunes backup to it. It should work…

Hope this helps!
~Joe

CarrieNZ · ‎03-02-2014

Hi Joe, just wanted to thank you for posting this.

We run a layered 1-to-1 program for some of our degree students and ran into issues around activation lock after iOS 7 was released, so this year have deployed as supervised devices via Apple Configurator (and just use the threat of losing their apps and having their iPad confiscated to keep the management profile in place).

It took a fair bit of work to set up, but the silent install works brilliantly so saved heaps of time at the other end of the deployment.

I don't know if anyone's mentioned it above but if you already have the App Store apps in your JSS you will need to rename these before you create the in house version to avoid duplicate errors if you'd like to keep them in your database for existing licencing info.

Jamf Nation Community

#K12 Deploying iPad Apps OTA Without Passwords