Setting Up New Devices (600+)

jouwstrab
New Contributor III

Alright, I will try and make this as clear as possible. I just started this job as the guy I'm replacing is moving on. He has been setting up iPads for each incoming class by hand; this means typing the wireless, configuration, and Apple ID profiles in and then assigning each device/user to their appropriate groups in the JSS. What I'm wondering is, is there an easier way to do this? Can I import all iPad serial numbers into the JSS as just "blank" and then assign users to those devices later via a .csv file? Or does anyone have any suggestions on how I can do this without touching every single device? Also, we use EAP-PEAP wireless security, which requires the users to authenticate with their AD credentials. Is there a way to push a wireless cert to each device? Sorry if this doesn't make sense, I'm just looking for some basic guidelines on how to do this/how other people are handling enrollment.

1 ACCEPTED SOLUTION

bumbletech
Contributor III

I'd say it's best practice, if the devices are new or being reset, to make sure that your supervision profile between the JSS and AC2 is the same.

You'll either turn off authentication in your Pre-Stage, or use an enrollment-only user that you create on the JSS User Accounts & Groups page to enroll the devices into the JSS with AC2. If you need to enter AppleIDs, you're still going to have to do that by hand, but Device-Based-VPP has been around for the better part of a year now, so if you can dump the small minority of apps that haven't switched over—I'd highly recommend it. If not, make the IDs and passwords into barcodes. Through a bit of powered-usb-hub-hackery and the usb-camera connector kit, you can attach a barcode scanner if it doesn't have its own power supply.

You might want to skip the AppleID portion in your pre-stage anyway and sign-in via the settings app—especially if these are shared devices, or for young students in an environment where they're not being taught anything about the device. That'll prevent those items from popping up after minor iOS updates. In our setup the only thing we don't skip for K-5/shared devices is location services so the time is set correctly.

Back on AC2, you'll want to Prepare the devices with automated enrollment—it's just Configurator telling the devices: "Here's your wifi profile and enrollment credentials (if necessary). Now go do your DEP setup." You can create the wifi profile in Configurator 2. If the profile you use from AC2 has the same unique identifier as one scoped from the JSS, you'll have a conflict, so try to avoid that.

Once they're enrolled you can use a CSV with serial numbers & usernames, and a script to write all of the usernames to your devices.

obi-k
Valued Contributor II

Are you using DEP?

jouwstrab
New Contributor III

@mvu Yes we are.

bumbletech
Contributor III

You can use Configurator 2 to setup and enroll multiple devices at once.

The EAP-PEAP wireless is going to be a bit more difficult if the intention is to have each user's credentials authenticating to the network. If you're using a service account, that's another story.

You can import devices into the JSS from the API, but you'll need their UDID and even then what's imported will basically just be a placeholder. There's a couple of handshakes that need to be done for actual enrollment/management to happen.

jouwstrab
New Contributor III

@jbourdon If I used Apple Configurator, which I'm very open to, how would I get past the device enrollment portion so that it assigns it to the particular user? Also, I would assume I would need to give AC2 my JSS supervision profile in order for that to work? Will the wireless profile work just fine if I just use a generic account? I might have to have a conversation with my boss about that if so.

jouwstrab
New Contributor III

@jbourdon Seriously, thank you so much! I think I convinced my boss to just use one generic account for all devices. The big "life saver" was the "turn off authentication" part. That will make my life so much easier :) If I load a wifi profile from AC2, do I have to make a separate but equal profile in the JSS to "replace" it, or can I just stick with the AC2 profile (can users delete it, etc.)?

Just one more question about the Apple IDs: we already have all our apps set up for device-based VPP so that is not an issue, but what about iBooks/iTunes U? Will it cause any issues with those apps?

RWitt
New Contributor II

@jouwstrab Are you trying to assign the device through DEP? I would say let the students enroll the device using their own credentials. I would not take the time to log in as each student; there's no good way to do that as far as I know. We just set everything up in a pre-stage, give them a very temporary network to jump onto when they first get the device, and then push out the main network profile once they complete the enrollment process on the device. No need for AC.

brandonusher
Contributor II

@jouwstrab As far as I know, iBooks/iTunes U are still VPP codes, so they would need Apple IDs.

My experience is that with AC2, if you name the WiFi profile the same in AC2 and the JSS it will get overwritten, but it has to drop off the network as it removes the old one before it can install the new one, so you'd run into an issue with that. If the devices are cellular, or you are able to jerry-rig ethernet for the iPads, you'll have no problem with this.

bumbletech
Contributor III

As far as I've been able to tell, having it be the exact same profile (same unique identifier string) causes the scenario @brandonusher mentioned, but now that I'm thinking about it, I also changed the names of my profiles when I recreated them for AC2, so I wouldn't say my experiences are conclusive...

You could set your profile from AC2 to self remove within a day or a few hours and keep your profile scoped in the JSS. I haven't tested that but theoretically it should work.

I would recommend you either use an enrollment account for your devices (if it's a JSS-only account it won't get assigned to that user), since AC2 makes typing in the credentials a lot less of a hassle—or turn authentication back on when you're done.

I've had a few devices walk-off, and get reset without a username tied to it. Granted that means it's not going to get activated either, but I haven't had a lot of luck with good samaritans seeing our Lost Mode messages...

Are these shared devices or 1:1?

jouwstrab
New Contributor III

@RWitt I would love to have the student be in charge of the process, but that hasn't been the standard for the school since the "iPad program" began, thus changing will need to be a conversation that will not be happening this summer... unfortunately.

@brandonusher That is what I assumed; however, is it possible to assign a profile named "X" from AC2 and then deploy a profile named "Y" from the JSS even though they do identical things, or is that a bad idea?

@jbourdon The remove-itself option didn't work for me when I tried it. I assume it should happen automatically after the set time limit, correct? What has been working is the following:
1. Created a wifi config. that uses a generic account, which is acceptable and can stay that way; it won't need to change.
2. Removed "authenticate" from the pre-stage requirements so the iPads just enroll "blank".
3. Use JSS MUT to add asset tags, usernames, and name the devices. After they inventory, the user info is pulled from LDAP, which puts them in the right smart mobile device groups to assign restrictions and app assignments.

So far I haven't run into any issues, just started this process today, let me know if anything looks "dangerous or weird." Thanks again guys for the responses, I really appreciate it!!!

brandonusher
Contributor II

@jouwstrab Yes, two profiles doing the same thing would be perfectly okay. Then you could go in the JSS after a while and create a profile called X and have no scope and see if that removes it from the devices. If not, scope it to all the devices that have Y, wait a day/month/whatever then unscope it to have it removed.

Or, as I see in another post, you could set a time limit for a month and it will auto-remove itself. That is, provided you can get the time limit to work (as I see in your post saying there are issues). If that gets squared away, that might work for you.

Nick_Gooch
Contributor III

Too bad you can't get the students to enroll from the start. We do what @RWitt does. We don't even hold the students' hands. We give them an iPad and charger at registration with one small slip of directions and tell them to let us know if they have any questions. Some stay at school and some go home; they log in with their network username/pwd and they are up and running. They download a majority of apps and get most of the profiles from home, so when they come back for day 1 they are ready to go. The only time we touch the device is to put the case on and to hand it to the student.

jouwstrab
New Contributor III

@Nick_Gooch That is the best policy, honestly it's not hard, and if the students want to use the device they should understand a little about how it works. However, that was not the expectation set at the beginning of the 1:1 program, so changing it now will be difficult. Anyway, not to start a rant.

loceee
Contributor

This might be of assistance(?) I used it a while ago to allocate users to devices based on device name (that came out of a Configurator / GroundControl enrolment workflow).

For VPP assignment you needed a user record before device-based showed up. This let you create a bunch of user records without needing associated directory users (e.g. good for shared devices). You might be able to use it to allocate your iPads to users in the JSS in a more automated way? It's rough. Ensure you have a bogus record in the last row. It doesn't have much in the way of error checking. Very rough, but got the job done.

You can feed it a CSV like this:

name,domain,mobiledevice,department,building
ipad.site01,domain.edu.au,Site-iPad01,iPadShared-Cart1,SchoolName
ipad.site02, domain.edu.au,Site-iPad02,iPadShared-Cart1, SchoolName
x,x,x,x,x

#!/bin/bash
#
# jssVPPUserCreator.sh
#
# i should be python
#
# feed me a csv
# user,domain,devicename,department,building
# ipad+01,gmail.com,iPad-01,cart1,school
#
# i assign a user (and create a user record) to mobile device (the device must already be enrolled)
# cutting out the requirement for LDAP records for shared device VPP!

# api user with update rights on mobile devices only, please (a PUT will fail with a read-only account)
apiuser=""
apipass=""

# if true will overwrite blank location data (eg. department / building)
overwriteblankdata=false

# if you are using a self signed cert for your jss, tell curl to allow it.
# if left false, the allowInvalidCertificate setting from the jss client prefs is used
selfsignedjsscert=false

# if not specified will read from the jss client prefs (com.jamfsoftware.jss)
#jssurl=""

#
#
# end of configuration
#
#

[ -z "${jssurl}" ] && jssurl="$(defaults read com.jamfsoftware.jss url)"
jssurl="${jssurl%/}"   # strip any trailing slash so the api path below is built consistently
[ "$(defaults read com.jamfsoftware.jss allowInvalidCertificate 2>/dev/null)" == "1" ] && selfsignedjsscert=true

csvfile="${1}"

if ${selfsignedjsscert}
then
    curlopts="-k"
else
    curlopts=""
fi

[ -z "${csvfile}" ] && read -p "csvfile: " csvfile
[ -z "${apiuser}" ] && read -p "API/JSSadmin username: " apiuser
[ -z "${apipass}" ] && { read -s -p "API/JSSadmin password: " apipass; echo; }

if [ ! -f "${csvfile}" ]
then
    echo "${csvfile} don't exist brah! "
    exit 1
fi

# strip leading/trailing whitespace from a csv field
trim()
{
    local v="$*"
    v="${v#"${v%%[![:space:]]*}"}"
    v="${v%"${v##*[![:space:]]}"}"
    printf '%s' "${v}"
}

makeMobileDeviceXML()
{
# the quotes inside the xml declaration must be escaped or the shell eats them
echo "<?xml version=\"1.0\" encoding=\"UTF-8\" standalone=\"no\"?>
<mobile_device>
  <location>
    <username>${username}</username>
    <real_name>${username}</real_name>
    <email_address>${email}</email_address>
    <position>VPP Account</position>" >> "${mbdevxml}"
# add extra location data
if [ -n "${department}" ]
then
    echo "    <department>${department}</department>" >> "${mbdevxml}"
elif ${overwriteblankdata}
then
    echo "    <department></department>"  >> "${mbdevxml}"
fi

if [ -n "${building}" ]
then
    echo "    <building>${building}</building>" >> "${mbdevxml}"
elif ${overwriteblankdata}
then
    echo "    <building></building>"  >> "${mbdevxml}"
fi

echo "  </location>
</mobile_device>
" >> "${mbdevxml}"
}

updateJSSRecord()
{
echo -en "updating: ${devicename} ... "

# device names may contain spaces; the api wants them url encoded
putresult=$(curl ${curlopts} -H "Accept: application/xml" -H "Content-Type: application/xml" -s -u "${apiuser}:${apipass}" "${jssurl}/JSSResource/mobiledevices/name/$(echo "${devicename}" | sed -e 's/ /+/g')" -T "${mbdevxml}" -X PUT)
rm "${mbdevxml}"

if [ -n "$(echo "${putresult}" | grep "requires user authentication")" ]
then
    echo "ERROR: problem with api access or credentials"
    exit 1
fi

if [ -n "$(echo "${putresult}" | grep "The server has not found anything matching the request URI")" ]
then
    echo -e "# NO DEVICE RECORD #"
else
    # probably worked :P
    echo -e "OK"
fi
}

#
# main csv parse
#
echo
echo "-------------- processing -----------------"
echo

# "|| [ -n ... ]" keeps the last row even when the file has no trailing newline
while IFS="," read username domain devicename department building || [ -n "${username}" ]
do
    username="$(trim "${username}")"; domain="$(trim "${domain}")"; devicename="$(trim "${devicename}")"
    department="$(trim "${department}")"; building="$(trim "${building}")"
    # skip blank lines, comment lines and the header row
    case "${username}" in ""|"#"*|name|user) continue ;; esac
    email="${username}@${domain}"
    mbdevxml=$(mktemp /tmp/mbdev.xml.XXXXXXXXXXXXXXX)
    makeMobileDeviceXML
    updateJSSRecord
done < "${csvfile}"

echo "--------------- all done ------------------"

exit
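The same record update done in Python, as an added example that is not loceee's script and not part of the original thread: it keys the PUT on the serial number (the CSV of serials and usernames bumbletech described) rather than the device name, builds the payload with ElementTree so that a stray quote or ampersand in a CSV field cannot break the XML, leaves TLS verification on, and never stores credentials in the file. The base URL, the SAMPLE_CSV rows and the column names are constructed assumptions; the `JSSResource/mobiledevices/serialnumber/<serial>` path is the Classic API endpoint.

```python
import base64
import csv
import io
import urllib.error
import urllib.request
import xml.etree.ElementTree as ET

# Constructed sample input (serials and names are made up). The header row is
# consumed by DictReader, and a missing trailing newline does not lose a row.
SAMPLE_CSV = """serial,username,department,building
DMPEXAMPLE001,ipad.site01,iPadShared-Cart1,SchoolName
DMPEXAMPLE002, ipad.site02 ,iPadShared-Cart1,
"""

def parse_rows(text):
    """Yield rows with whitespace-trimmed fields, skipping rows with no serial."""
    for row in csv.DictReader(io.StringIO(text)):
        row = {k.strip(): (v or "").strip() for k, v in row.items()}
        if row.get("serial"):
            yield row

def build_location_xml(row, email_domain, overwrite_blank=False):
    """Build the <mobile_device><location> payload used in the thread.
    ElementTree escapes <, > and &, so CSV content is data, not markup."""
    dev = ET.Element("mobile_device")
    loc = ET.SubElement(dev, "location")
    ET.SubElement(loc, "username").text = row["username"]
    ET.SubElement(loc, "real_name").text = row["username"]
    ET.SubElement(loc, "email_address").text = f"{row['username']}@{email_domain}"
    for field in ("department", "building"):
        if row.get(field) or overwrite_blank:   # blank fields only when asked
            ET.SubElement(loc, field).text = row.get(field, "")
    return ET.tostring(dev, encoding="unicode")

def put_device_location(jss_url, serial, payload, user, password):
    """PUT by serial number. Needs an API account with update rights on mobile
    devices (read-only will get 401/403); certificate checking stays enabled."""
    url = f"{jss_url.rstrip('/')}/JSSResource/mobiledevices/serialnumber/{serial}"
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    req = urllib.request.Request(url, data=payload.encode(), method="PUT",
                                 headers={"Content-Type": "application/xml",
                                          "Authorization": f"Basic {token}"})
    try:
        with urllib.request.urlopen(req, timeout=30) as resp:
            return resp.status
    except urllib.error.HTTPError as err:
        return err.code   # 404 means no enrolled record for that serial

if __name__ == "__main__":
    import getpass, sys   # usage: script.py https://jss.example.org:8443 user file.csv
    jss, user, path = sys.argv[1:4]
    pw = getpass.getpass("API password: ")
    for r in parse_rows(open(path, encoding="utf-8").read()):
        print(r["serial"], put_device_location(jss, r["serial"],
              build_location_xml(r, "domain.edu.au"), user, pw))
```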

jouwstrab
New Contributor III

@loceee I realized I never said thanks! I ended up not needing to use your script, but none the less thanks!