#K12 Deploying Shared iPad Carts Without Apple IDs using DEP and Apple Configurator 2

nsdjoe
Contributor II

Hi All,

I thought I'd share the workflow I used this week to set up and deploy a few hundred new shared student iPads in carts using the new Apple Configurator 2, DEP, VPP MD, and the latest version of JSS (v9.81) without using Apple IDs. I couldn't find any step-by-step documentation online, so I typed up my own. I thought I'd summarize and share what I did in hopes that it helps some of you who are just getting started with the new Apple Configurator 2.

Here's the workflow I used this week.

Before you get started...
Be sure you are signed up for Apple's Deployment Programs at http://deploy.apple.com . Link up your JSS with DEP, and set up VPP in your JSS too. For help on Apple's Deployment Programs, visit http://help.apple.com/deployment/programs/ . For help setting up DEP and VPP in the JSS, see the Casper Suite Administrator's Guide 9.81 .

In the VPP Education Store...
I first determined what apps I wanted as my default set of apps and purchased (paid or free) that number of Managed Distribution licenses from the VPP Education Store. I have a group of a dozen or so free apps that get installed on all iPads so I "purchased" 3,000 free licenses of each. NOTE: If you don't see the app right away, follow these instructions. The issue is filed with JAMF support under D-009059.

In the JSS...
Make sure you allow for Apple Configurator enrollment at Management Settings -> Mobile Device Management -> Apple Configurator Enrollment and place a check mark in the box next to "Allow Apple Configurator enrollment." Under PreStage Enrollments, I added my new DEP iPads to a new shared student PreStage Enrollment under Scope. Here you can choose to Supervise devices, allow for pairing, disallow MDM profile removal, make MDM profile mandatory, and skip any/all the setup assistant steps. Created/updated a Student Customizations configuration profile with various restrictions. Scoped it to our "Shared Student iPads" Smart Group. Added my default set of apps as individual apps under "Apps" in the JSS and under the VPP tab of each selected "Assign VPP Content" and the VPP account that I used to "purchase" those free app licenses. Scoped to my new "Shared Student iPads" Smart Group. Set apps to auto install.

In Apple Configurator 2...
NOTE: From an earlier post here on JAMF Nation, use the following URL for enrollment in AC2 instead of the one listed in the JSS (this issue is filed with JAMF under D-009664): https://jss.organization.org:8443/mdm/ServerURL

  1. In AC2, click Blueprints -> Edit Blueprints -> New. Name your Blueprint. Then double-click the Blueprint.
  2. Click Prepare -> Automated Enrollment -> Next.
  3. Add a WiFi Profile (created by AC2 under File -> New Profile). Click Next.
  4. Skipped Username and Password and just click Prepare. Now "Automated Enrollment" shows up under "Setup."
  5. Click Add to add apps or profiles. In the Menu Bar, click Actions -> Modify to add wallpaper or set device names. For device names, click on the "+" sign in the lower left corner of the popup window and select Number. You can change the Number field by double clicking on the number that comes up in blue and edit the number. You can also add the cart name or other words before/after the number. When done, click Done.
  6. Plug all iPads in to the AC2 computer with a sync cart or USB hub.
  7. Select all iPads. Right click, choose Apply and select the new Blueprint. Click Apply.

Applying this Blueprint will activate, update, prepare, and enroll your iPads. Once the iPads update to iOS 9.0.2 and enroll into the JSS, the default apps set up in the steps above start installing automatically without any Apple ID or any user interaction.

Future app updates can be managed in the JSS too either automatically for all apps (Settings -> Mobile Device Management -> App Updates -> Automatically update all App Store Apps), automatically per app (Mobile Devices -> Apps, select the app -> Automatically update app), or manually (Mobile Devices -> Apps, select the app , Edit, click Force App Update). All of this can be done in the JSS and pushed out OTA to the iPads without Apple IDs.

With Apple Configurator 2, you can customize your initial setup by using Blueprints. When you are in Edit mode of a Blueprint, just add the setup actions you want and it will save to the Blueprint. For example, to have a Blueprint restore a backup be sure you are in Edit mode of a Blueprint and go to Actions -> Restore from Backup… Choose the backup you want to restore and you will see it save to the Blueprint.

The latest JSS release v9.81 offers many new iOS 9 features including some fantastic new configuration profile restrictions. I am most excited about the ability to uncheck the box next to "Allow modifying passcode (supervised only)." I can't tell you how often a student will maliciously set a passcode on a shared iPad… this restriction will keep that from happening again on any of our shared iPads.

Resources:
iOS 9 Deployment Referece: https://help.apple.com/deployment/ios/
Apple Configurator 2 Help: http://help.apple.com/configurator/mac/2.0/
Apple Deployment Programs Help: http://help.apple.com/deployment/programs/

I'm sure my shared cart workflow above will evolve over time but thought I'd post it as it is now. If anyone has anything to add or share (tips, tricks, triumphs or tragedies), please comment! I will continue to add to this post as well.

Thanks and see you at JNUC next week.
~Joe

PS. If anyone wants to discuss this workflow at JNUC, come to the K12 iPads in Education mini-event. Hope to see you there!

44 REPLIES 44

bountyman
New Contributor III

@nsdjoe Nicely done !! Thank you. Looking forward to hear more about it @jnuc.

nsdjoe
Contributor II

An excellent tip from another post… Configurator 2 auto opening Photos

It is possible to disable Photos from automatically opening when an iPad is plugged in to the Configurator station by using the following defaults write command:

defaults -currentHost write com.apple.ImageCapture disableHotPlug -bool YES

Thanks @jevans76 for sharing!

bumbletech
Contributor III

Can you elaborate a bit more on getting the devices enrolled into the JSS using AC2? When I use https://jss.organization.org:8443/mdm/ServerURL with our information, I get the error of https://jss.organization.org:8443/MDMServiceConfig not found.

"ServerURL" is the actual string I want at the end, yes? I wouldn't be replacing that with my actual server URL again?

natejosiah
New Contributor II

We are running into the same thing jbourbon is. Seems like it likes https://jss.organization.org:8443/mdm/ServerURL but it points it somewhere that doesn't exist. May be some settings we share on our JSS is causing this?

mbuckner
Contributor

Any update on this? We are having the same problem.

nsdjoe
Contributor II

I'm at JNUC right now and don't have my Configurator computer with me to double check my settings. But I do remember that after adding that URL with "ServerURL" to AC2, AC2 set itself up properly with the MDMServiceConfig file. Even if you get an error, try going to AC2 Preferences and click on your server listed and see if it picked up a few certificates. For me, there were three certificates that were automatically added, and URL was automatically fixed. Everything worked properly after that.

Hope is helps!
Joe

CasperSally
Valued Contributor II

Joe - thanks for writing and sharing this. I look forward to giving it a try, testing 9.81 in test environment now.

dmichels
Contributor

I need clarification, I thought if you are using DEP you CANNOT use Apple Configurator?

nsdjoe
Contributor II

Cool @CasperSally! Let us know if you learn any tips/tricks in your testing. Thanks Sally. ~Joe

nsdjoe
Contributor II

Hi @dmichels,

You CAN use Apple Configurator 2 for initial DEP enrollment, and do so without the use of an Apple ID. You could not do that previously with Apple Configurator 1.

Soon, you will also be able to side load apps with AC2 during the initial set up/enrollment, and then manage those AC2 installed apps (with updates and such) via the JSS afterwards. But we have to wait until the JSS is able to convert unmananaged apps to managed apps.

~Joe

james_ridsdale
New Contributor III
New Contributor III

Hey folks,

We have a lot of deployments using the /configuratorenroll option on AC1, we're trying to migrate clients to AC2. I spoke with support yesterday as this is broken in iOS 9. They pointed my to this article where I got excited to see a known Defect and the adjusted URL. However, no matter how hard we try - we still get an error during enrolment.

Oct 15 05:07:03 iPad Setup[215] <Notice>: (Error) MC: Failed to parse profile data. Error: NSError:
    Desc   : Invalid Profile
    US Desc: Invalid Profile
    Domain : MCProfileErrorDomain
    Code   : 1000
    Type   : MCFatalError

For clarification, DEP works fine, manual enrolments work fine. We have full public SSL, multi-tenanted environment with multiple JSS (around 40).

I'm at JNUC too, anyone fancy joining me in pushing this further with support?

dleonardi
New Contributor

Hi, I'm also having the same issue with the enrollment URL error it will not take anything I enter. I wonder if our server OS version has any relevance to this problem. We're still running on 10.9 Mavericks server currently. I was wondering what your running @nsdjoe that you had success with this? Many of these new features of deployment are dependent on the latest versions of iOS/OS so I'm curious if we need to bump the server up the latest and greatest.

Thanks!

nsdjoe
Contributor II

@dleonardi . I checked with our server admin on this. He said we are using a Debian Linux 6 on vSphere 5.5 (plan to upgrade to ubuntu 14.04 soon), 4 cpus, 6GB ram, JSS 9.81.

dleonardi
New Contributor

@nsdjoe Posted: 10/13/15 at 2:40 PM by nsdjoe

Even if you get an error, try going to AC2 Preferences and click on your server listed and see if it picked up a few certificates. For me, there were three certificates that were automatically added, and URL was automatically fixed. Everything worked properly after that.

I guess I didn't follow your instructions fully my mistake. I saw the error and didn't even realize I could click the Next button but you were right. Even though an error is thrown the correct certs do appear for our MDM. I was successfully able to enroll one of our devices. Now on to step 2!

CasperSally
Valued Contributor II

Hey I met with apple the other day and they told me you can now do lookups on VPP website to see if a developer opted in to being device assignable.

Go to VPP store.
Search for app (Evernote is example)
Scroll down on left
"Device-Assignable" is there if it is.

Maybe everyone knows this, but it was news to me.

russeller
Contributor III

This sucks @CasperSally I've been telling my staff at my K12 that they can start using this awesome new feature and push all their apps without AppleIDs. I should have known that Apple would have tons of "gotchas" with it. What would be the big downside to a developer for allowing "Device-Assignable"?

CasperSally
Valued Contributor II

It was always opt in @ssrussell. I don't think there's a downside for developers, but I imagine some free edu apps that haven't been upgraded in awhile may not be assignable, or just oversight on the developer side. Have you checked your apps? We haven't yet.

I intend to use this school year to test and pilot and start pushing apps in production starting next summer. Gives our curricular team time to make a list of the apps they'll want and start bugging developers if they aren't assignable

nsdjoe
Contributor II

@ssrussell and @CasperSally,

I haven't checked all of our apps yet, but a good majority that I have checked do allow device based app assignments. I talked to several other K12 iPad admins at JNUC about this and we've been seeing about 80% of apps are device assignable. But yes Sally, I agree that this will be a problem for the many education apps that were last updated like 2 or 3 years ago.

I'd like to encourage all of us to contact any developers we find who have non-device assignable apps and let them know that this feature is critical for schools! I've had good success over the last few years connecting with developers who have free apps with in-app purchases and asking them to post a paid "full version" of their app(s) into VPP instead of doing in-app purchases explaining that schools can't use VPP for in-app purchases. When you tell them that you'll be buying 3,000 copies of a "full version," but only if its in VPP you tend you get a quick response 🙂 Hopefully we will get a good response about device assignments too (maybe tell them we want to buy a bunch more, but only if they are in VPP and offer device assignments).

Just brainstorming here… For those apps that are old/not-updated where we can't find or connect with the developer, maybe we could use Apple Configurator 2 to side load those apps. I know it's not as convenient as doing it OTA via the JSS but it may be the only supported way to get those old apps on the devices and not require an Apple ID. I know there are other unsupported ways of getting apps on devices without Apple IDs but I'd like to see us (and Apple and JAMF) develop and use a workflow that is supported and that does work.

Just a side note… the ability to use the JSS AND AC2 to provide ongoing management to devices is not currently supported by JAMF but hopefully will be soon. The way I understand it you will need to share the supervision certificate between the AC2 computer(s) and the JSS so that they all understand each other. Hopefully that will be available in an upcoming JSS release... along with the ability to convert unmanaged apps to managed apps.

~Joe

CasperSally
Valued Contributor II

@nsdjoe I am going to encourage the curriculum departments that choose the apps to reach out to developers if the apps they want aren't device assignable.

We are planning on supporting device assignable apps only. We'll see.

CasperSally
Valued Contributor II

@nsdjoe and others - are you guys using caching servers? We haven't implemented them yet, but I'm thinking if pushing apps makes app distribution much easier for us, it may be time to start - particularly for iOS app deployments.

Would love to know what specs you guys are using for them & how many devices they cover. Apple rep threw out a number of like 1 per 700 devices.

Thanks!

nsdjoe
Contributor II

Hey @CasperSally. We are not using caching servers yet. But it is definitely something I plan on looking in to.

mmcallister
Contributor II

Without an AppleID, how do you locate lost and stolen devices?

Abernard
New Contributor

@mmcallister I was told at an Apple Update Meeting that we will not be able to locate the device since no Apple ID means no iCloud. I am thinking about adding in the iCloud ID for each grade level into my devices and not adding it into the Apple Store.

adamlalicker
New Contributor III

Great post Thanks

lawrence_stegal
New Contributor III

We are moving to App distribution through our MDM, but we have not gotten the VPP system completely set up. But it looks like through the post we can use Configurator 2 as part of our transition when we are completed. So if we set up using DEP and Pre-stage as well as the basic application blueprint, when our VPP tokens are in place, the apps will be updated and then we can slowly transition to the JSS and only use Configurator 2 for part of the initial deployment system, right? My big headache right now is VPP codes from the old system and wanting to allow the transition.

georgecm12
Contributor III

Ok, I was able to replicate the details in the original post, and it was very helpful.

That said, for step 3, I'm going to have an issue pushing this into production. Our "real" WiFi network is an 802.1x network (PEAP w/ MSCHAPv2) that uses login via username/password.

One option is that I store a username and password in the profile. Not a great option, but it would work if I can somehow go through after enrollment and remove the wifi profile. Is that possible?

Otherwise, is there an option to integrate JSS into Configurator 2 that doesn't require including a WiFI profile?

lee_smith
New Contributor III

@georgecm12

Yes, you can can create a temporary wifi profile, install it and then remove it. We perform this when working with our Elementary School Carts.

In AC2 you can go to File -> New Profile -> Wifi and set your Wifi Information there. On the General page, at the bottom, you will see "Automatically Remove Profiles" you can chose "Never", "On date", or "After Interval". We choose "After Interval" one hour.

Note: I have noticed this does not always work but that was with AC1. Maybe AC2 can handle this better. In our case, we remove the profile using AC and ensure our Wireless Profile takes over.

Hope that helps!

georgecm12
Contributor III

@lee.smith Could you provide a little more information about how you remove the profile using AC?

lee_smith
New Contributor III

@georgecm12 I sure can. When I get back to the office, I will give you some more detail.

lee_smith
New Contributor III

@georgecm12 I apologize for taking to long in getting back with you.

In AC2 you can perform the following:
1.) File -> New Profile ->

67425a11e2f9482eba68a213b8b40333

2.) Name Your New Profile:
--- At the bottom select "Automatically Remove Profile"
---- After Interval 1 hours

4ce0482c9aaa4b22bf42e7839b49064b

3.) Create your Wi-Fi Profile:

18cddb1c5f9947f7adcf68be15e95b6b

4.) Save your Profile

5.) Select All Your Devices
--- Edit -> Select All

6.) Add your Wifi Profile
--- Actions -> Add -> Profile

648ad4cfb033444abcebfbcf7114b073

Note: I also add my Enrollment Profile and CA Certificate. This way it will enroll and pull down the correct configuration profiles.

Note: I have noticed my Temporary Wifi Profile does stay even after an hour. So, after I check the JSS and ensure the correct Configuration Profiles are installed I will remove the Wifi Profile by performing the below steps.

1.) Select All Your Devices:
--- Edit -> Select All

2.) Remove Your Wifi Profile:
--- Actions -> Remove -> Profiles -> Select your Wifi Profile

Now your iPads have been added to the JSS, the temporary Wifi removed and now have your interns work on the next cart.

Our next steps for summer will be to inventory the apps and deploy them through Casper. So, when they check in they will start installing the apps. This will be based on SMART Groups.

I hope this helps and if you have ANY questions please let me know.

plawrence
Contributor II

@nsdjoe Thanks for your write-up on DEP & AC2. I have been able to successfully Prepare iPads using AC2 using the Automated Enrollment, AC2 talks to DEP and the devices get supervised and enforced MDM profiles. I didn't have to enter any server addresses in AC2 -> Preferences -> Servers (I think these are for non-DEP MDM enrolments??).

The issue I am running into now is restoring a backup of a DEP device to a different device. AC2 is able to take a backup of a DEP device, but after I restore it to another iPad I am unable to progress past the setup wizard, I get an error saying the device is not activated. I even tried the following workflow:

  • Take a backup of iPad 1
  • Restore backup to iPad 2
  • Do not touch the setup wizard
  • Prepare iPad 2 using Automated Enrollment

The console error is as follows:

Nov 18 14:16:04 iPad profiled[86] <Error>: Can't convert pem cert
Nov 18 14:16:04 iPad profiled[86] <Notice>: (Error) MC: Could not create machine info dictionary. Error: NSError:
    Desc   : Your iPad is not activated.
    US Desc: Your iPad is not activated.
    Domain : MCInstallationErrorDomain
    Code   : 4014
    Type   : MCFatalError
    Extra info:
    {
        isPrimary = 1;
    }

Have you tried restoring DEP backups to different iPads using AC2 yet?

m_green
New Contributor III

@CasperSally

This is a late response to your caching question, but our Apple Rep recommended 4 caching servers (Mac Minis) for the 2,000 iPad we purchased back in October of this year. We have since purchased two more Mac Minis that both cache and run AC2 so we don't have to use our personal Macbooks for AC2. Our device count BEFORE the 2,000 was around 1,600, so now we are at 3,600 total iPads and around 200 Macbooks with 6 caching servers. Things seem to be running fine as long as VPP doesn't break (which it has several times during our deployment).

We also had another Apple Engineer tell us that one caching server would serve up to 4000 devices. Which engineer is right? I suppose that's up to us to decide!

At any rate, my advice is to buy low, test and add as needed. Your engineer's recommendation for 700:1 is probably a good metric to start with.

m_green
New Contributor III

First off, this is a GREAT! post, very thorough and one of the best I've come across during our deployment.

This post is in regard to our workflow without blueprints and wallpapers. As mentioned in the OP, a blueprint can be created with a wifi profile, device name and a wallpaper. I have a few observations to contribute to that method:

  1. We chose not to go with a Blueprint because we found the delivery of the blueprint to 15+ devices became unreliable.

    • e.g. I made a blueprint for 15 devices with a wifi profile and a name. We then made a smart group to filter upon the name given in the blueprint (we wanted to be able to control each class set of iPads in JSS if needed, rather than having one universal "student iPads" smart group). We noticed that after the deployment of the blueprint, we lacked consistent results. We would have a handful of iPads not accept the device name (e.g. we-room#-1), but they did accept the wifi profile. Since iPads ship with the default name of "iPad", if the device name is not properly distributed from the blueprint and the Wifi profile is, guess what? - your smart group is null and void, because as soon as the iPad connects to wifi, it hits DEP and then enrolls into JSS with the name "iPad." Thus requiring us to go in and name the iPads again, one at a time in JSS. I'm not sure if anyone else struggled with AC2 preparation consistency, but we sure did. So we just broke these steps up one at a time and bailed on using blueprints altogether.
    • Our workflow: Plug in devices, restore (to install iOS 9.1, since they shipped with iOS 8.3), name devices, close AC2 and reopen if needed(devices that didn't accept the name initially would then refresh in AC2 and reflect the name), then prepare, automated enrollment and add Wifi profile (again, if prepare function failed, we could instantly see which iPads failed, so then we could choose them and prepare again). While iPads are restoring and preparing we were making smart groups filtered upon their class set names (device name "is like" we-room#-) and making their casper focus classrooms. Yes, this is a long version of what was mentioned above but hey, it worked consistently! Again, this is not be a knock on the OP, but just to explain what we ran into and our solution since Apple support and Apple PM was unable to provide any insight. I'm open to suggestions of what we could have done better with Blueprints.
  2. This is mainly a question about wallpapers. Since each of our iPads has unique class set name (e.g. we-room#-1, we-room#-2, etc.) we really wanted the wallpapers to reflect the name on the screen. Unfortunately in JSS we can assign a wallpaper, but we can't tell it to reflect the name of the device like we can in AC2. However, in AC2 whether or not you're using a blueprint to assign a wallpaper, it requires supervision to apply the wallpaper. Therefore, if we give Supervision to AC2 and then try and prepare the device for automated enrollment it wants to "restore" the device (getting rid of the wallpaper) in order to allow the MDM to supervise. We sat through two apple presentations where the apple reps said this was possible, but then in their presentations they didn't apply a wallpaper, only a device name (which does not require AC2 supervision). So we were told this would work but then we were never shown it working and we were never able to get it working on our end no matter what workflow we tried. Has anyone found a way to make this happen? The only way I can think of is to somehow connect AC2 to talk to the JSS and allow AC2 the ability to co-supervise the devices.

  3. Currently we have a profile in JSS that does not allow students to assign a wallpaper using the iPad. This is because students will put inappropriate pictures on the device wallpaper. If teachers ask to be able to save the wallpaper we just add their devices to a separate profile that will allow them to change the wallpaper. Wallpapers may not seem like a big issue, but it makes the teacher's job much easier to assign iPads to specific kids rather than using stickers on the cases that can come off. If anyone has a suggestion for us to try I'd appreciate it!

CasperSally
Valued Contributor II

Hey all - if you're interested in iOS in K12, there's a new channel over on slack where some discussions are going on. Just wanted to pass along

https://macadmins.slack.com/messages/edu_ios/

lee_smith
New Contributor III

Hey @CasperSally

Do we need to apply for membership?

CasperSally
Valued Contributor II

sorry you can join slack - http://macadmins.org/

Then look for the edu_ios channel. There's a jamfnation one too. enjoy.

mhayden
New Contributor III

Getting an error trying to wipe/update my iPads on AC2. We are using DEP. This error comes up any time I want to do anything remotely useful.

Configurator could not perform the requested action because “iPad” is not supervised by an existing organization. Import an organization with the identity for the device or click 'Prepare' to erase and supervise the device. All content and settings will be erased. This cannot be undone.

Thoughts? I hit 'Prepare' and so I indicate the wi-fi profile, automated enrollment, it then gives another error after wiping and updating, I hit Restore on that and get back to this. I have 500+ iPads that I need to wipe this summer, and I don't want to go through the enrollment process, because I want each student to put their credentials into the iPad setup assistant, so that it's associated to them in JSS. And even if I do enroll it myself as part of this process, it still gets stuck in a loop with these 2 errors.

What I want is to be able to plug in a bunch of iPads and wipe them, update them, and leave them at the setup assistant stage for the students to go through when they pick them up again. I want AC2 to save the unlock credentials, so that when they disable their iPad because they forgot their passcode, and they restart so wi-fi shuts off and I can't send JSS commands to it, I can plug it into AC2 and still unlock it without having to wipe the device and lose potential data.

I feel like there should be a way to export the organization from JSS and import it into AC2....?

mhayden
New Contributor III

ypsadmin
New Contributor

This works beautifully. However, I want to skip all of the enrollment questions EXCEPT the one to Enable Location Services. This is available in the Manual Enrollement, but my AC2 errors our every time.

Any other ideas how to make this setting during enrollment?