Posted on 10-09-2015 03:34 PM
Hi All,
I thought I'd share the workflow I used this week to set up and deploy a few hundred new shared student iPads in carts using the new Apple Configurator 2, DEP, VPP MD, and the latest version of JSS (v9.81) without using Apple IDs. I couldn't find any step-by-step documentation online, so I typed up my own. I thought I'd summarize and share what I did in hopes that it helps some of you who are just getting started with the new Apple Configurator 2.
Here's the workflow I used this week.
Before you get started...
Be sure you are signed up for Apple's Deployment Programs at http://deploy.apple.com . Link up your JSS with DEP, and set up VPP in your JSS too. For help on Apple's Deployment Programs, visit http://help.apple.com/deployment/programs/ . For help setting up DEP and VPP in the JSS, see the Casper Suite Administrator's Guide 9.81 .
In the VPP Education Store...
I first determined what apps I wanted as my default set of apps and purchased (paid or free) that number of Managed Distribution licenses from the VPP Education Store. I have a group of a dozen or so free apps that get installed on all iPads so I "purchased" 3,000 free licenses of each. NOTE: If you don't see the app right away, follow these instructions. The issue is filed with JAMF support under D-009059.
In the JSS...
Make sure you allow for Apple Configurator enrollment at Management Settings -> Mobile Device Management -> Apple Configurator Enrollment and place a check mark in the box next to "Allow Apple Configurator enrollment."
Under PreStage Enrollments, I added my new DEP iPads to a new shared student PreStage Enrollment under Scope. Here you can choose to Supervise devices, allow for pairing, disallow MDM profile removal, make MDM profile mandatory, and skip any/all the setup assistant steps.
Created/updated a Student Customizations configuration profile with various restrictions. Scoped it to our "Shared Student iPads" Smart Group.
Added my default set of apps as individual apps under "Apps" in the JSS and, under the VPP tab of each, selected "Assign VPP Content" and the VPP account that I used to "purchase" those free app licenses. Scoped to my new "Shared Student iPads" Smart Group. Set apps to auto install.
In Apple Configurator 2...
NOTE: From an earlier post here on JAMF Nation, use the following URL for enrollment in AC2 instead of the one listed in the JSS (this issue is filed with JAMF under D-009664): https://jss.organization.org:8443/mdm/ServerURL
Applying this Blueprint will activate, update, prepare, and enroll your iPads. Once the iPads update to iOS 9.0.2 and enroll into the JSS, the default apps set up in the steps above start installing automatically without any Apple ID or any user interaction.
Future app updates can be managed in the JSS too either automatically for all apps (Settings -> Mobile Device Management -> App Updates -> Automatically update all App Store Apps), automatically per app (Mobile Devices -> Apps, select the app -> Automatically update app), or manually (Mobile Devices -> Apps, select the app , Edit, click Force App Update). All of this can be done in the JSS and pushed out OTA to the iPads without Apple IDs.
With Apple Configurator 2, you can customize your initial setup by using Blueprints. When you are in Edit mode of a Blueprint, just add the setup actions you want and it will save to the Blueprint. For example, to have a Blueprint restore a backup be sure you are in Edit mode of a Blueprint and go to Actions -> Restore from Backup… Choose the backup you want to restore and you will see it save to the Blueprint.
The latest JSS release v9.81 offers many new iOS 9 features including some fantastic new configuration profile restrictions. I am most excited about the ability to uncheck the box next to "Allow modifying passcode (supervised only)." I can't tell you how often a student will maliciously set a passcode on a shared iPad… this restriction will keep that from happening again on any of our shared iPads.
Resources:
iOS 9 Deployment Reference: https://help.apple.com/deployment/ios/
Apple Configurator 2 Help: http://help.apple.com/configurator/mac/2.0/
Apple Deployment Programs Help: http://help.apple.com/deployment/programs/
I'm sure my shared cart workflow above will evolve over time but thought I'd post it as it is now. If anyone has anything to add or share (tips, tricks, triumphs or tragedies), please comment! I will continue to add to this post as well.
Thanks and see you at JNUC next week.
~Joe
PS. If anyone wants to discuss this workflow at JNUC, come to the K12 iPads in Education mini-event. Hope to see you there!
Posted on 10-10-2015 11:30 AM
An excellent tip from another post… Configurator 2 auto opening Photos
It is possible to disable Photos from automatically opening when an iPad is plugged in to the Configurator station by using the following defaults write command:
defaults -currentHost write com.apple.ImageCapture disableHotPlug -bool YES
Thanks @jevans76 for sharing!
Posted on 10-12-2015 08:53 AM
Can you elaborate a bit more on getting the devices enrolled into the JSS using AC2? When I use https://jss.organization.org:8443/mdm/ServerURL with our information, I get the error of https://jss.organization.org:8443/MDMServiceConfig not found.
"ServerURL" is the actual string I want at the end, yes? I wouldn't be replacing that with my actual server URL again?
Posted on 10-12-2015 11:35 AM
We are running into the same thing jbourbon is. Seems like it likes https://jss.organization.org:8443/mdm/ServerURL but it points it somewhere that doesn't exist. May be some settings we share on our JSS is causing this?
Posted on 10-13-2015 08:34 AM
Any update on this? We are having the same problem.
Posted on 10-13-2015 12:40 PM
I'm at JNUC right now and don't have my Configurator computer with me to double check my settings. But I do remember that after adding that URL with "ServerURL" to AC2, AC2 set itself up properly with the MDMServiceConfig file. Even if you get an error, try going to AC2 Preferences and click on your server listed and see if it picked up a few certificates. For me, there were three certificates that were automatically added, and URL was automatically fixed. Everything worked properly after that.
Hope this helps!
Joe
Posted on 10-13-2015 01:01 PM
Joe - thanks for writing and sharing this. I look forward to giving it a try, testing 9.81 in test environment now.
Posted on 10-14-2015 12:10 PM
I need clarification, I thought if you are using DEP you CANNOT use Apple Configurator?
Posted on 10-14-2015 01:17 PM
Cool @CasperSally! Let us know if you learn any tips/tricks in your testing. Thanks Sally. ~Joe
Posted on 10-14-2015 01:27 PM
Hi @dmichels,
You CAN use Apple Configurator 2 for initial DEP enrollment, and do so without the use of an Apple ID. You could not do that previously with Apple Configurator 1.
Soon, you will also be able to side load apps with AC2 during the initial set up/enrollment, and then manage those AC2 installed apps (with updates and such) via the JSS afterwards. But we have to wait until the JSS is able to convert unmanaged apps to managed apps.
~Joe
Posted on 10-15-2015 03:14 AM
Hey folks,
We have a lot of deployments using the /configuratorenroll option on AC1, and we're trying to migrate clients to AC2. I spoke with support yesterday as this is broken in iOS 9. They pointed me to this article, where I got excited to see a known Defect and the adjusted URL. However, no matter how hard we try, we still get an error during enrolment.
Oct 15 05:07:03 iPad Setup[215] <Notice>: (Error) MC: Failed to parse profile data. Error: NSError:
Desc : Invalid Profile
US Desc: Invalid Profile
Domain : MCProfileErrorDomain
Code : 1000
Type : MCFatalError
For clarification, DEP works fine, manual enrolments work fine. We have full public SSL, multi-tenanted environment with multiple JSS (around 40).
I'm at JNUC too, anyone fancy joining me in pushing this further with support?
Posted on 10-15-2015 06:57 AM
Hi, I'm also having the same issue with the enrollment URL error; it will not take anything I enter. I wonder if our server OS version has any relevance to this problem. We're still running on 10.9 Mavericks server currently. I was wondering what you're running @nsdjoe that you had success with this? Many of these new features of deployment are dependent on the latest versions of iOS/OS, so I'm curious if we need to bump the server up to the latest and greatest.
Thanks!
Posted on 10-15-2015 07:53 AM
@dleonardi I checked with our server admin on this. He said we are using Debian Linux 6 on vSphere 5.5 (plan to upgrade to Ubuntu 14.04 soon), 4 CPUs, 6GB RAM, JSS 9.81.
Posted on 10-15-2015 04:42 PM
@nsdjoe Posted: 10/13/15 at 2:40 PM by nsdjoe
Even if you get an error, try going to AC2 Preferences and click on your server listed and see if it picked up a few certificates. For me, there were three certificates that were automatically added, and URL was automatically fixed. Everything worked properly after that.
I guess I didn't follow your instructions fully, my mistake. I saw the error and didn't even realize I could click the Next button, but you were right. Even though an error is thrown, the correct certs do appear for our MDM. I was successfully able to enroll one of our devices. Now on to step 2!
Posted on 10-16-2015 04:17 AM
Hey I met with apple the other day and they told me you can now do lookups on VPP website to see if a developer opted in to being device assignable.
Go to VPP store.
Search for app (Evernote is example)
Scroll down on left
"Device-Assignable" is there if it is.
Maybe everyone knows this, but it was news to me.
Posted on 10-16-2015 07:38 AM
This sucks @CasperSally I've been telling my staff at my K12 that they can start using this awesome new feature and push all their apps without AppleIDs. I should have known that Apple would have tons of "gotchas" with it. What would be the big downside to a developer for allowing "Device-Assignable"?
Posted on 10-16-2015 08:32 AM
It was always opt in @ssrussell. I don't think there's a downside for developers, but I imagine some free edu apps that haven't been upgraded in awhile may not be assignable, or just oversight on the developer side. Have you checked your apps? We haven't yet.
I intend to use this school year to test and pilot and start pushing apps in production starting next summer. Gives our curricular team time to make a list of the apps they'll want and start bugging developers if they aren't assignable
Posted on 10-16-2015 01:31 PM
@ssrussell and @CasperSally,
I haven't checked all of our apps yet, but a good majority that I have checked do allow device based app assignments. I talked to several other K12 iPad admins at JNUC about this and we've been seeing about 80% of apps are device assignable. But yes Sally, I agree that this will be a problem for the many education apps that were last updated like 2 or 3 years ago.
I'd like to encourage all of us to contact any developers we find who have non-device assignable apps and let them know that this feature is critical for schools! I've had good success over the last few years connecting with developers who have free apps with in-app purchases and asking them to post a paid "full version" of their app(s) into VPP instead of doing in-app purchases, explaining that schools can't use VPP for in-app purchases. When you tell them that you'll be buying 3,000 copies of a "full version," but only if it's in VPP, you tend to get a quick response :) Hopefully we will get a good response about device assignments too (maybe tell them we want to buy a bunch more, but only if they are in VPP and offer device assignments).
Just brainstorming here… For those apps that are old/not-updated where we can't find or connect with the developer, maybe we could use Apple Configurator 2 to side load those apps. I know it's not as convenient as doing it OTA via the JSS but it may be the only supported way to get those old apps on the devices and not require an Apple ID. I know there are other unsupported ways of getting apps on devices without Apple IDs but I'd like to see us (and Apple and JAMF) develop and use a workflow that is supported and that does work.
Just a side note… the ability to use the JSS AND AC2 to provide ongoing management to devices is not currently supported by JAMF but hopefully will be soon. The way I understand it you will need to share the supervision certificate between the AC2 computer(s) and the JSS so that they all understand each other. Hopefully that will be available in an upcoming JSS release... along with the ability to convert unmanaged apps to managed apps.
~Joe
Posted on 10-19-2015 04:36 AM
@nsdjoe I am going to encourage the curriculum departments that choose the apps to reach out to developers if the apps they want aren't device assignable.
We are planning on supporting device assignable apps only. We'll see.
Posted on 10-22-2015 08:19 AM
@nsdjoe and others - are you guys using caching servers? We haven't implemented them yet, but I'm thinking if pushing apps makes app distribution much easier for us, it may be time to start - particularly for iOS app deployments.
Would love to know what specs you guys are using for them & how many devices they cover. Apple rep threw out a number of like 1 per 700 devices.
Thanks!
Posted on 10-22-2015 12:48 PM
Hey @CasperSally. We are not using caching servers yet. But it is definitely something I plan on looking in to.
Posted on 10-23-2015 09:01 AM
Without an AppleID, how do you locate lost and stolen devices?
Posted on 10-23-2015 12:56 PM
@mmcallister I was told at an Apple Update Meeting that we will not be able to locate the device since no Apple ID means no iCloud. I am thinking about adding in the iCloud ID for each grade level into my devices and not adding it into the Apple Store.
Posted on 10-25-2015 10:28 AM
Great post Thanks
Posted on 10-29-2015 10:40 AM
We are moving to App distribution through our MDM, but we have not gotten the VPP system completely set up. But it looks like through the post we can use Configurator 2 as part of our transition when we are completed. So if we set up using DEP and Pre-stage as well as the basic application blueprint, when our VPP tokens are in place, the apps will be updated and then we can slowly transition to the JSS and only use Configurator 2 for part of the initial deployment system, right? My big headache right now is VPP codes from the old system and wanting to allow the transition.
Posted on 10-30-2015 01:26 PM
Ok, I was able to replicate the details in the original post, and it was very helpful.
That said, for step 3, I'm going to have an issue pushing this into production. Our "real" WiFi network is an 802.1x network (PEAP w/ MSCHAPv2) that uses login via username/password.
One option is that I store a username and password in the profile. Not a great option, but it would work if I can somehow go through after enrollment and remove the wifi profile. Is that possible?
Otherwise, is there an option to integrate JSS into Configurator 2 that doesn't require including a WiFI profile?
Posted on 11-02-2015 05:34 AM
Yes, you can create a temporary wifi profile, install it and then remove it. We perform this when working with our Elementary School Carts.
In AC2 you can go to File -> New Profile -> Wifi and set your Wifi information there. On the General page, at the bottom, you will see "Automatically Remove Profiles"; you can choose "Never", "On date", or "After Interval". We choose "After Interval", one hour.
Note: I have noticed this does not always work but that was with AC1. Maybe AC2 can handle this better. In our case, we remove the profile using AC and ensure our Wireless Profile takes over.
Hope that helps!
Posted on 11-02-2015 08:41 AM
@lee.smith Could you provide a little more information about how you remove the profile using AC?
Posted on 11-02-2015 04:06 PM
@georgecm12 I sure can. When I get back to the office, I will give you some more detail.
Posted on 11-12-2015 08:47 AM
@georgecm12 I apologize for taking too long in getting back with you.
In AC2 you can perform the following:
1.) File -> New Profile
2.) Name your new profile
--- At the bottom select "Automatically Remove Profile"
--- After Interval: 1 hour
3.) Create your Wi-Fi profile
4.) Save your profile
5.) Select all your devices
--- Edit -> Select All
6.) Add your Wi-Fi profile
--- Actions -> Add -> Profile
Note: I also add my Enrollment Profile and CA Certificate. This way it will enroll and pull down the correct configuration profiles.
Note: I have noticed my temporary Wi-Fi profile does stay even after an hour. So, after I check the JSS and ensure the correct Configuration Profiles are installed, I will remove the Wi-Fi profile by performing the steps below.
1.) Select all your devices
--- Edit -> Select All
2.) Remove your Wi-Fi profile
--- Actions -> Remove -> Profiles -> Select your Wi-Fi profile
Now your iPads have been added to the JSS, the temporary Wi-Fi profile has been removed, and you can have your interns work on the next cart.
Our next steps for summer will be to inventory the apps and deploy them through Casper. So, when they check in they will start installing the apps. This will be based on Smart Groups.
I hope this helps, and if you have ANY questions please let me know.
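The temporary 802.1X Wi-Fi profile described in the exchange above (a PEAP username/password embedded in the profile, set to remove itself after an interval) can also be generated outside of AC2. The following is an added example, not code from the thread or from JAMF/Apple: it builds the .mobileconfig with Python's standard plistlib using the keys from Apple's Configuration Profile Reference (top-level DurationUntilRemoval and PayloadRemovalDisallowed, a com.apple.wifi.managed payload with an EAPClientConfiguration block), and includes a small checker that reports whether a profile is removable, how long it lives, and which networks carry an embedded password. The SSID, the organization identifier and the onboarding credential are made-up placeholders.

```python
"""Build and inspect a self-removing 802.1X Wi-Fi .mobileconfig.

Added example, not part of the original JAMF Nation thread. Profile keys follow
Apple's Configuration Profile Reference; the SSID, identifiers and credential
below are constructed placeholders.
"""
import plistlib
import uuid

PEAP_EAP_TYPE = 25  # EAP type number for PEAP as used in AcceptEAPTypes


def build_temp_wifi_profile(ssid, username, password,
                            remove_after_seconds=3600, org_id="org.example.mdm"):
    """Return a configuration profile (dict) for a PEAP network that iOS
    removes automatically `remove_after_seconds` after installation.

    The password sits in clear text inside the payload, so use a short-lived,
    least-privilege onboarding account and protect (and delete) the exported
    .mobileconfig on the Configurator Mac once the cart is enrolled.
    """
    if remove_after_seconds <= 0:
        raise ValueError("removal interval must be positive")
    wifi_payload = {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_id}.wifi.temp",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"Temporary Wi-Fi ({ssid})",
        "SSID_STR": ssid,
        "AutoJoin": True,
        "HIDDEN_NETWORK": False,
        "EncryptionType": "WPA",          # WPA/WPA2 Enterprise with 802.1X below
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [PEAP_EAP_TYPE],
            "UserName": username,
            "UserPassword": password,     # embedded credential: the risk this profile carries
        },
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_id}.wifi.temp.profile",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Temporary enrollment Wi-Fi",
        "PayloadRemovalDisallowed": False,   # must stay removable or auto-removal cannot happen
        "DurationUntilRemoval": remove_after_seconds,
        "PayloadContent": [wifi_payload],
    }


def profile_to_mobileconfig(profile):
    """Serialize the profile dict to XML plist bytes (.mobileconfig content)."""
    return plistlib.dumps(profile)


def check_profile(data):
    """Parse .mobileconfig bytes and summarize its removal and credential exposure."""
    p = plistlib.loads(data)
    wifi = [c for c in p.get("PayloadContent", [])
            if c.get("PayloadType") == "com.apple.wifi.managed"]
    with_password = [c["SSID_STR"] for c in wifi
                     if "UserPassword" in c.get("EAPClientConfiguration", {})]
    return {
        "removable": not p.get("PayloadRemovalDisallowed", False),
        "duration": p.get("DurationUntilRemoval"),
        "wifi_ssids": [c["SSID_STR"] for c in wifi],
        "networks_with_embedded_password": with_password,
    }


if __name__ == "__main__":
    blob = profile_to_mobileconfig(
        build_temp_wifi_profile("Student-WiFi", "enroll-bot", "ChangeMe-2015"))
    print(check_profile(blob))
```

The checker is the part worth keeping around: run it over any profile you are about to hand to a cart and it will tell you whether the profile can actually be removed and which networks ship a password, which is exactly the profile you want to confirm is gone from the device (or from the JSS inventory) after enrollment.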
Posted on 11-17-2015 11:07 PM
@nsdjoe Thanks for your write-up on DEP & AC2. I have been able to successfully Prepare iPads using AC2 using the Automated Enrollment, AC2 talks to DEP and the devices get supervised and enforced MDM profiles. I didn't have to enter any server addresses in AC2 -> Preferences -> Servers (I think these are for non-DEP MDM enrolments??).
The issue I am running into now is restoring a backup of a DEP device to a different device. AC2 is able to take a backup of a DEP device, but after I restore it to another iPad I am unable to progress past the setup wizard, I get an error saying the device is not activated. I even tried the following workflow:
The console error is as follows:
Nov 18 14:16:04 iPad profiled[86] <Error>: Can't convert pem cert
Nov 18 14:16:04 iPad profiled[86] <Notice>: (Error) MC: Could not create machine info dictionary. Error: NSError:
Desc : Your iPad is not activated.
US Desc: Your iPad is not activated.
Domain : MCInstallationErrorDomain
Code : 4014
Type : MCFatalError
Extra info:
{
isPrimary = 1;
}
Have you tried restoring DEP backups to different iPads using AC2 yet?
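Both of the console excerpts posted in this thread (the "Invalid Profile" error from the enrollment URL problem earlier and the "Your iPad is not activated" error above) share the same multi-line NSError layout that the iOS management client (MC) writes to the device console. The following is an added example, not code from the thread or from Apple/JAMF, that parses that layout into structured records and attaches a triage hint drawn from what this thread reports for each (domain, code) pair. The sample log is constructed from the two excerpts on this page; the hint text is the editor's summary of the thread, not an Apple error catalogue.

```python
"""Parse iOS device-console MC NSError blocks into structured records.

Added example, not part of the original thread. SAMPLE_LOG is constructed
from the two console excerpts posted in the thread; HINTS summarize what the
thread reports for each error, they are not an official error reference.
"""
import re
from dataclasses import dataclass, field

LOG_LINE = re.compile(
    r"^(?P<ts>\w{3} \d{1,2} \d\d:\d\d:\d\d) (?P<host>\S+) (?P<proc>[^\[]+)"
    r"\[(?P<pid>\d+)\] <(?P<level>\w+)>: (?P<msg>.*)$")
KV_LINE = re.compile(r"^\s*(?P<key>[A-Za-z ]+?)\s*:\s*(?P<val>.*)$")   # "Domain : X"
EXTRA_LINE = re.compile(r"^\s*(?P<key>\w+)\s*=\s*(?P<val>.*?);\s*$")   # "isPrimary = 1;"

SAMPLE_LOG = """\
Oct 15 05:07:03 iPad Setup[215] <Notice>: (Error) MC: Failed to parse profile data. Error: NSError:
Desc : Invalid Profile
US Desc: Invalid Profile
Domain : MCProfileErrorDomain
Code : 1000
Type : MCFatalError
Nov 18 14:16:04 iPad profiled[86] <Error>: Can't convert pem cert
Nov 18 14:16:04 iPad profiled[86] <Notice>: (Error) MC: Could not create machine info dictionary. Error: NSError:
Desc : Your iPad is not activated.
US Desc: Your iPad is not activated.
Domain : MCInstallationErrorDomain
Code : 4014
Type : MCFatalError
Extra info:
{
isPrimary = 1;
}
"""

# Triage hints as reported in this thread (assumption: editor's summary, not Apple's).
HINTS = {
    ("MCProfileErrorDomain", 1000):
        "enrollment profile did not parse: open AC2 Preferences > Servers, confirm the "
        "server entry and the certificates it picked up, then retry",
    ("MCInstallationErrorDomain", 4014):
        "device is not activated: activation must finish before profiles install; the "
        "thread sees this after restoring a DEP device backup onto a different iPad",
}


@dataclass
class ConsoleEntry:
    timestamp: str
    process: str
    level: str
    message: str
    fields: dict = field(default_factory=dict)   # Desc, Domain, Code, Type, extra

    @property
    def domain(self):
        return self.fields.get("Domain")

    @property
    def code(self):
        try:
            return int(self.fields["Code"])
        except (KeyError, ValueError):
            return None

    @property
    def desc(self):
        return self.fields.get("Desc")


def parse_console(text):
    """Return one ConsoleEntry per timestamped line, folding the indented
    NSError key/value lines and the Extra info block into the preceding entry."""
    entries = []
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = LOG_LINE.match(line)
        if m:
            entries.append(ConsoleEntry(m["ts"], m["proc"].strip(), m["level"], m["msg"]))
            continue
        if not entries or line in ("{", "}"):
            continue                      # continuation with no header, or brace noise
        cur = entries[-1]
        em = EXTRA_LINE.match(line)
        if em:
            cur.fields.setdefault("extra", {})[em["key"]] = em["val"]
            continue
        km = KV_LINE.match(line)
        if km and km["val"]:              # skips the bare "Extra info:" header
            cur.fields[km["key"].strip()] = km["val"].strip()
    return entries


def mc_errors(entries):
    """Only the entries that carry a parsed NSError (Domain present)."""
    return [e for e in entries if e.domain]


def triage(text):
    """Parse a console dump and pair each MC error with the thread's hint, if any."""
    return [{"process": e.process, "domain": e.domain, "code": e.code, "desc": e.desc,
             "hint": HINTS.get((e.domain, e.code), "no hint recorded for this error")}
            for e in mc_errors(parse_console(text))]


if __name__ == "__main__":
    for row in triage(SAMPLE_LOG):
        print(f"{row['process']}: {row['domain']} {row['code']} ({row['desc']}) -> {row['hint']}")
```

Point it at a saved console capture from a failing iPad (Console.app or cfgutil can export one) rather than at the constructed sample; the parser ignores unrelated lines and only folds key/value lines into the timestamped entry that precedes them, so a long capture yields just the MC errors and their codes.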
Posted on 12-10-2015 06:46 AM
This is a late response to your caching question, but our Apple Rep recommended 4 caching servers (Mac Minis) for the 2,000 iPads we purchased back in October of this year. We have since purchased two more Mac Minis that both cache and run AC2 so we don't have to use our personal MacBooks for AC2. Our device count BEFORE the 2,000 was around 1,600, so now we are at 3,600 total iPads and around 200 MacBooks with 6 caching servers. Things seem to be running fine as long as VPP doesn't break (which it has several times during our deployment).
We also had another Apple Engineer tell us that one caching server would serve up to 4000 devices. Which engineer is right? I suppose that's up to us to decide!
At any rate, my advice is to buy low, test and add as needed. Your engineer's recommendation for 700:1 is probably a good metric to start with.
Posted on 12-10-2015 07:38 AM
First off, this is a GREAT post! Very thorough and one of the best I've come across during our deployment.
This post is in regard to our workflow without blueprints and wallpapers. As mentioned in the OP, a blueprint can be created with a wifi profile, device name and a wallpaper. I have a few observations to contribute to that method:
We chose not to go with a Blueprint because we found the delivery of the blueprint to 15+ devices became unreliable.
This is mainly a question about wallpapers. Since each of our iPads has a unique class-set name (e.g. we-room#-1, we-room#-2, etc.), we really wanted the wallpapers to reflect the name on the screen. Unfortunately in JSS we can assign a wallpaper, but we can't tell it to reflect the name of the device like we can in AC2. However, in AC2, whether or not you're using a blueprint to assign a wallpaper, it requires supervision to apply the wallpaper. Therefore, if we give Supervision to AC2 and then try to prepare the device for automated enrollment, it wants to "restore" the device (getting rid of the wallpaper) in order to allow the MDM to supervise. We sat through two Apple presentations where the Apple reps said this was possible, but then in their presentations they didn't apply a wallpaper, only a device name (which does not require AC2 supervision). So we were told this would work, but then we were never shown it working and we were never able to get it working on our end no matter what workflow we tried. Has anyone found a way to make this happen? The only way I can think of is to somehow connect AC2 to talk to the JSS and allow AC2 the ability to co-supervise the devices.
Currently we have a profile in JSS that does not allow students to assign a wallpaper using the iPad. This is because students will put inappropriate pictures on the device wallpaper. If teachers ask to be able to save the wallpaper we just add their devices to a separate profile that will allow them to change the wallpaper. Wallpapers may not seem like a big issue, but it makes the teacher's job much easier to assign iPads to specific kids rather than using stickers on the cases that can come off. If anyone has a suggestion for us to try I'd appreciate it!
Posted on 12-16-2015 05:06 AM
Hey all - if you're interested in iOS in K12, there's a new channel over on slack where some discussions are going on. Just wanted to pass along
https://macadmins.slack.com/messages/edu_ios/
Posted on 12-16-2015 05:25 AM
Hey @CasperSally
Do we need to apply for membership?
Posted on 12-16-2015 10:25 AM
sorry you can join slack - http://macadmins.org/
Then look for the edu_ios channel. There's a jamfnation one too. enjoy.
Posted on 12-28-2015 11:16 AM
Getting an error trying to wipe/update my iPads on AC2. We are using DEP. This error comes up any time I want to do anything remotely useful.
Configurator could not perform the requested action because “iPad” is not supervised by an existing organization. Import an organization with the identity for the device or click 'Prepare' to erase and supervise the device. All content and settings will be erased. This cannot be undone.
Thoughts? I hit 'Prepare' and so I indicate the wi-fi profile, automated enrollment, it then gives another error after wiping and updating, I hit Restore on that and get back to this. I have 500+ iPads that I need to wipe this summer, and I don't want to go through the enrollment process, because I want each student to put their credentials into the iPad setup assistant, so that it's associated to them in JSS. And even if I do enroll it myself as part of this process, it still gets stuck in a loop with these 2 errors.
What I want is to be able to plug in a bunch of iPads and wipe them, update them, and leave them at the setup assistant stage for the students to go through when they pick them up again. I want AC2 to save the unlock credentials, so that when they disable their iPad because they forgot their passcode, and they restart so wi-fi shuts off and I can't send JSS commands to it, I can plug it into AC2 and still unlock it without having to wipe the device and lose potential data.
I feel like there should be a way to export the organization from JSS and import it into AC2....?
Posted on 12-29-2015 09:32 AM
Figured it out... https://jamfnation.jamfsoftware.com/discussion.html?id=18306
Posted on 01-27-2016 09:24 AM
This works beautifully. However, I want to skip all of the enrollment questions EXCEPT the one to Enable Location Services. This is available in the Manual Enrollment, but my AC2 errors out every time.
Any other ideas how to make this setting during enrollment?