Restricted App Store and App Updates

rsaeks
New Contributor III

Good morning,

For our deployment on student iOS-based devices we restrict the app store and use Self-Service for app installation. One drawback to this setup is update handling on devices. One way we were looking at working with updates is to keep a device on hand with the same students' VPP assignments and note when there is an update; obviously, this can be very tedious.

I put together a sample Google Spreadsheet (https://docs.google.com/spreadsheets/d/1pKQfORjYsI7ydITp5YVDxALZHftpxRHpNqCstve9Fl0/edit?usp=sharing) that helps make this a bit easier.

One tab of the sheet allows you to list the app name, distributed version (from Mobile Devices in the JSS > Apps) and a link to the app from the App Store. The next tab checks the App Store link and pulls back the app version, performs a comparison on versions to see if they match and lets you know if there is an update needed. From there you can go back into Mobile Devices, Apps and bump the version number on the app to get it installed on your supervised devices.

This was handy for our setup and wanted to share it along to others that may be in the same boat. If you would like to use the spreadsheet just choose File, Make a copy and enter in your information.

Hope this is helpful!
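The comparison step described in the post above, as an added Python example; it is not part of the original post or of the linked spreadsheet. The bundle IDs, versions and the JSON shape of the store metadata are constructed assumptions, and nothing is fetched over the network. It compares versions numerically, so that 1.9 is older than 1.10 and 4.2 equals 4.2.0, which a plain text comparison gets wrong.

```python
import json
import re
from itertools import zip_longest

# Constructed sample: bundle ID -> version currently distributed from the JSS.
DISTRIBUTED = {
    "com.example.coursebook": "2.1.1",
    "com.example.notes": "1.9",
    "com.example.reader": "4.2",
    "com.example.retired": "1.0",
}

# Constructed sample store metadata (shape is an assumption; no network call).
STORE_JSON = """{"results": [
  {"bundleId": "com.example.coursebook", "version": "3.0"},
  {"bundleId": "com.example.notes", "version": "1.10"},
  {"bundleId": "com.example.reader", "version": "4.2.0"}
]}"""

def parse_version(text):
    """Turn '2.1.1' into (2, 1, 1); a non-numeric suffix in a part is ignored."""
    parts = []
    for piece in text.strip().split("."):
        match = re.match(r"\d+", piece)
        parts.append(int(match.group()) if match else 0)
    return tuple(parts)

def compare_versions(a, b):
    """Return -1, 0 or 1; the shorter version is padded with zeros."""
    for x, y in zip_longest(parse_version(a), parse_version(b), fillvalue=0):
        if x != y:
            return -1 if x < y else 1
    return 0

def find_outdated(distributed, store_json):
    """List (bundle_id, distributed, store, status) for apps needing attention."""
    store = {r["bundleId"]: r["version"] for r in json.loads(store_json)["results"]}
    report = []
    for bundle_id, have in sorted(distributed.items()):
        latest = store.get(bundle_id)
        if latest is None:
            report.append((bundle_id, have, None, "not found in store data"))
        elif compare_versions(have, latest) < 0:
            report.append((bundle_id, have, latest, "update needed"))
    return report

if __name__ == "__main__":
    for row in find_outdated(DISTRIBUTED, STORE_JSON):
        print(row)
```
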

17 REPLIES

nigelmarrion
Contributor

Randy,

This looks cool.

So if I read this correctly you are restricting students from installing apps, but are assigning them to automatically install from Self Service. Is that the case?

Nigel

rsaeks
New Contributor III

Nigel,

Correct. This way Self-Service becomes our app store for students.

nigelmarrion
Contributor

Randy,

Would it be possible to speak with you more about what you are doing here?

Nigel

rsaeks
New Contributor III

Nigel - Do you want to try and touch base on this offline?

jarednichols
Honored Contributor

As an aside to this, there are some great features we're adding to iOS 9 that help greatly with this process. Have a look at the What's New in Managing Apple Devices session from this year's WWDC.

rsaeks
New Contributor III

We are looking forward to the iOS 9 additions and the support that will be there. For many in education, however, the timing of the iOS 9 release with the new functionality is going to miss the window for being considered in upcoming school year device deployments.

bpavlov
Honored Contributor

That's probably the case every year when it comes to iOS and new features each year. Perhaps it's intentional so that admins can test out the new features for a year. Although a year is such a long time to wait and newer iOS devices will come with the new OS anyways. Maybe if they released a new version of iOS in the summer it would give more time for testing (although I suppose they technically do with the betas and dev previews, but it's understandably not the same as an official release since even vendors will not support the betas right off the bat). Tricky timing and only feedback may help so that Apple could possibly shift their release schedule for new OSes to be in the summer rather than the Fall. But I suspect it may also have something to do with earnings and the fiscal year, end of year holidays, sales, etc.

jarednichols
Honored Contributor

Valid feedback, I think. Please provide it to your education SEs. While Apple's a big ship to turn we do on occasion do things nobody thought we'd ever do. App Store app deployment without an Apple ID comes to mind... :)

nmarkellos
New Contributor

Randy,

I am doing the same thing with my school and running into the same problem regarding updating Apps ... I looked into the Web Clip version of Self Service vs. the Mobile one, which seems to allow updates or at least it says that in the JSS. When I called into Support, they basically told me what you state above -- put the new URL of the app in the JSS and the students can update to latest version. However, some of the apps wouldn't work unless the students deleted the app and then reinstalled it. For example, I am teaching an iPad Summer Camp and I am using iTunes U as the course book ... The students mostly had iTunes 2.1.1 and the course wouldn't work properly unless they updated to 3.0. They all had to delete the app and reinstall it.

I agree with having the Self Service as the primary App Store because it's easier to monitor and we know that the students are not downloading 9,000 apps that have nothing to do with their education. The ability to update Apps in Self Service would be a big step, and I posted a feature request on it, recently: https://jamfnation.jamfsoftware.com/featureRequest.html?id=3745

Another idea that I just had today was filtering the app store through a Configuration Profile. With students a lot of what is in the App Store is valuable but there is a lot that they shouldn't have access to. The logic is simple: If all apps are filtered by metadata when they enter the App Store, then I don't see why the JSS can't set a Config Profile that would prevent students from downloading Apps in certain Categories, like "games", "social media" or "dating". We could still push out apps through the Self Service or simply push the app to install and this would alleviate the issue of updating as well. Put this feature request in today as well: https://jamfnation.jamfsoftware.com/featureRequest.html?id=3789

Also as a side note ... since I have implemented the restricted App Store, had a lot of students install provisioning profiles that have illegal App Stores like "hipstore" ... I had to wipe their iPads and have them reenroll .... after I updated the Configuration Profile that prevented them from installing Profiles. Only issue there is, they have to enroll via DEP and LDAP and cannot enroll using the "enroll invite"

Love to hear your ideas ... when dealing with Education it's always nice to have multiple perspectives.

Best,

Nick Markellos Paul VI High School

jgwatson
Contributor

As someone who also manages high school iPads I use self service a slightly different way - thought I would let you know, to see if this works.

  1. I tell all of the students the only apps approved for their iPad are the ones in SelfService.
  2. App Store is turned on.
  3. I ask Teachers and Students to let me know of any new apps which need adding to Self Service.
  4. I then set up a profile to hide all apps if certain apps are installed.
  5. Then I just pick the most popular apps which are banned e.g. clash of clans, facebook, etc.
  6. Start of the school year I write about 50 detentions.
  7. By October they get the message.

I also randomly check iPads for banned apps. (We all know the students who need checking.)

nmarkellos
New Contributor

Interesting way to handle it ... for #4 Can you send me the workflow for that profile, I would love to try it out.

Thanks,

Nick

jbutler47
Contributor II

jgwatson:

Could you expand on Item #4, very interested in how you worked it out.

(#4. I then set up a profile to hide all apps if certain apps are installed.)

Thanks.

J

bcampbell
Contributor

I also randomly check iPads for banned apps. (We all know the students who need checking.)

@jgwatson As of Casper 9.5 (I think that's the version but it was sometime this past school year), you can now create a mobile device smart group using the criteria "Apps Not In the App Catalog Are Installed". You can then use that group to easily see what devices are violating your policy of only installing apps from self service. The App Catalog is defined as any app you have listed under Mobile Devices > Apps even if they are not scoped to anyone. That way you can skip having to try to guess what unauthorized apps students might install.

With a Smart Group defined using that criteria you can certainly check it anytime you wish, you could set it to send an email alert when membership changes so you'd know right away when someone violates policy, and/or you could use that to scope in the configuration profile that hides all apps.

jgwatson
Contributor

So the way I have done it is......

I have set up this configuration profile Configuration Profile > Media Content > Don't Allow Apps, and then scoped that to a smart group with the banned app or apps listed.

I first started with the big three = Facebook, Twitter, Clash of Clans, and I've slowly added to it. I tell the students that the system (JAMF) is constantly scanning for banned apps, so you may be at home when all of your apps disappear. The best part is students have to come to me to get their apps back. Sometimes I will miss a new game for a few days, but I have a couple of narcs who rat them out to me. Get used to writing detentions, as I currently hold the school record. They get the message in the end.

nmarkellos
New Contributor

Smashing James ... that is a great idea! There is a lot that goes into our jobs in the Education Business so every little bit helps! Appreciate it!

lizmowens
New Contributor III

I love this! And will definitely try to implement for our iPad students. Is there an equivalent for OS users? We move to MacBook Airs for grades 5-8 and I'd love any and all ideas on ways to manage this type of behavior for these kids.

woaikonglong
Contributor

Just came across this. So excited, it seems terrific. In test it works wonderfully apart from one issue. My inventory only collects data once a day. Is there a way to increase that frequency automatically? A Self Service policy, perhaps? I do not need it to instantaneously disable the iPad apps, but within 30 minutes would be wonderful.


We've done the impossible, and that makes us mighty.