Switch to managed distribution from VPP codes without data loss

St0rMl0rD
Contributor III

Hi guys,

So, we're in the process of getting all our VPP codes converted to managed distribution licenses (some of them already are converted). Right now, we are planning to do it like this:

- convert VPP codes to managed distribution licenses (already in process)
- make sure users know how to back up their data manually to external sources
- collect all user iPads
- restore all iPads, set them as new supervised devices
- assign devices to users in JSS via API import script
- send VPP invitation to users to enroll into our VPP managed distribution
- assign apps to users

This way all the content gets erased and users cannot use iCloud backup, because it requires our syncstation password.

Does anyone have a better solution on how to switch to managed distribution without any data loss?

Thanks,
-J

10 REPLIES

nsdjoe
Contributor II

I'm planning on doing the exact same thing this summer. Curious to see if anyone is doing anything different too... Thanks for posting!
~Joe

cdenesha
Valued Contributor III

Your mgmt model does not allow iCloud for users? Do they use iWork apps (Pages, Keynote)?

I also am planning on reimaging with OTA Supervision this summer and switching to managed app distribution.

St0rMl0rD
Contributor III

Hi all,

Yes, we do encourage everyone to use iCloud. This works great for iWork apps, but not for many others. The issue of data loss is because when we resupervise (restore) them, the iPads will come back empty to users. If the user were to restore the iPad from the iCloud Backup, it would ask them for the sync station password for the paid school apps, which we cannot give out.

-J

cdenesha
Valued Contributor III

I'll start with my environment and then brainstorm with you. We use Configurator to restore a base image, Supervised. Enroll and push a few In House apps, which came from the App Store using a single redeemed VPP code (saving the licenses for managed distribution). Launch one of those apps once, to enter the Apple ID password. Enable Restrictions (so they cannot). Assign it to an LDAP user in JSS.

Scenario 1) Keep all the same except switch to managed distribution of apps. For iWork apps, we enable iCloud for Documents, and the app can be deleted without data loss. Notability is an app which optionally can use iCloud, so the same. Goodreader can sync with Dropbox or other cloud services, so set that up and those documents won't be lost.

Is this your environment as well? If so, and using the steps you provided above, some apps would lose data. Do you know which apps they are, that you really care about? Perhaps you could copy off the Documents folder of the app with a utility like PhoneView or iExplorer, and put it back after the new app is installed? I'm going to test this myself..

Is there a need to restore all iPads? Are they unsupervised now, or are you switching to a different Configurator Mac or perhaps DEP and OTA Supervision? If not, I don't necessarily see a need to wipe and restore..

Scenario 2) Changing Supervision. I plan on Unsupervising each iPad from Configurator and Resupervising them OTA with Casper and the DEP program. This will require a wipe. I don't have any apps in use, that aren't using a cloud service to store documents, that are important enough to manually save the data for each iPad. I instructed users to turn on all cloud services for document backup and to back up their iPad to iCloud with Find My iPad Off.. If we do find such an app in the fall we can restore to a temp device and get the data (as long as we figure it out quickly).

I'm curious what you mean by the sync station password for the apps? It sounds like the Apple ID password that redeemed the app. My users are not doing their own iCloud restores, I am, so I have the ability to enter it.

I think I detailed it all correctly - do you agree? Am I missing something? Is your environment different?

Thanks,

chris

p.s. Can you share the script that assigns users to devices? I cannot figure out how to use the API. :(

qsodji
Contributor

Hi All,
I am going over that process tomorrow as part of a switch out rollout.
While we have already converted our VPP to managed apps, the current devices are not supervised. Users are getting new iPads which will have OTA supervision.
In this case each iPad has its own Apple ID, so each user will back up to iCloud,
then turn on the new iPad, which will take them through the restore process.
After the restore is complete, the iPad reboots and starts the OTA supervision (DEP+Casper).
My DEP is set with user authentication; that way the device is automatically assigned in Casper to a user.
So the user is prompted to enter his/her LDAP credentials.
DEP kicks in and installs the JSS enrollment profile (also skips the steps I have selected, i.e. Apple ID, passcode, Agreement terms).
The iPad comes up with apps restoring and now supervised.
This was tested with 1 iPad and it was relatively simple.
Couple of things for people using DEP, make sure your iPad is 7.1.1 or you could get an invalid profile when using DEP.
Hope this helps.

St0rMl0rD
Contributor III

Hi all,

First of all, a few questions for cdenesha:

  1. how were you able to use one Apple ID in more than 10 devices?
  2. for apps that do not use iCloud (most of ours do not), do you ask users to manually back up? do they know how to? we are dealing with 11, 12 year old students, so I'm not expecting they will all have their data backed up (but that won't be my problem, because I have provided the instructions for them)
  3. not really a question, but regarding resupervision - I need to take in all the iPads, because I want to set them up new in a way that they can connect to other computers (currently, they cannot), and to make sure all of them are supervised, as we had some gone unsupervised, etc.
  4. I don't think I will be able to share the script, as it is still in progress and it is a result of many hours of manual work

-J

St0rMl0rD
Contributor III

And this is for qsodji - how do you get the apps to install automatically after the user sets up his iPad?

qsodji
Contributor

@St0rMl0rD You need to make sure Automatic App download is enabled in Settings under App Store.
When we assign VPP apps to our users, the apps start loading on their devices without them having to do anything (especially with supervised devices).
I would recommend also turning on updates to auto so you don't have to worry about that, especially if you have a caching server dealing with the bandwidth.

St0rMl0rD
Contributor III

Of course that makes sense for Automatic downloads, but my question was about the first-time setup. After the user has authenticated over DEP and is set up with all the correct profiles etc., they are able to sign in to App Store and download all the apps that have been assigned to them. However, you say all the apps install automatically. How is this possible?

cdenesha
Valued Contributor III

First of all, a few questions for cdenesha:

  1. how were you able to use one Apple ID in more than 10 devices?
  2. for apps that do not use iCloud (most of ours do not), do you ask users to manually back up? do they know how to? we are dealing with 11, 12 year old students, so I'm not expecting they will all have their data backed up (but that won't be my problem, because I have provided the instructions for them)
  3. not really a question, but regarding resupervision - I need to take in all the iPads, because I want to set them up new in a way that they can connect to other computers (currently, they cannot), and to make sure all of them are supervised, as we had some gone unsupervised, etc.
  4. I don't think I will be able to share the script, as it is still in progress and it is a result of many hours of manual work

@St0rMl0rD Wow I am so sorry, I missed the question you asked when my job became extremely busy due to collection and damaged iPads. I'm going through old email now for 'JAMF'.

1) The 10 device limitation is not something Apple enforces for app installs.. I used the method that was used since the iPad 1st gen came out. Buy your licenses and save them for proof. Redeem one code with a dedicated school Apple ID. During setup be sure to install one app owned by that Apple ID, launch it, and authenticate - the device will remember this. Later when you want to push an app from your In-House server you can and it will not need the password again.

2) Our students are 14-17.. I asked them to back up what they could and provided basic instructions.

3) I agree - Supervised with the ability to connect to computers to load audio and video content.

4) I'm sorry to hear your work cannot be shared. Sometime this year I hope to get my mind wrapped around API scripting.

thank you,

chris