
Spring 2012: Managing Apple Devices

David Wright djwright@rm.com | @rmdavidwright

RM Technical Seminars spring 2012

Managing Apple Devices

Introduction
Apple devices are great to use in schools. Apple computers have applications that allow powerful multimedia content to be created straight out of the box. As well as Apple computers, schools are looking to use iOS devices, typically iPod touch and iPad, to expand the learning experience from interactive lessons to study aids.

We are familiar with being able to control and configure Windows computers; through the RM Management Console we can apply Computer User Policies to our Community Connect 4 computers in order to configure them for roles on, and off, the network. We can control which applications a user can run and we can build them on to the network, to perform an automated installation of the operating system and applications.

Configuring and controlling Apple computers is quite simple, and in this paper we will look at how we can manage the Apple computers in our school using similar tools to Community Connect 4 Registry Policies that are, in reality, Windows Group Policy Objects. We will look at how we can configure, and control, iOS devices that are in our school, whether they are iPod touch or iPad that the school owns, or whether they are owned by the students, because we can allow them to be used in school without the lesson being disturbed by students using the devices outside of what the teacher intends.

Apple Mac computers and iOS devices greatly enhance the educational experience and offer teaching methods no other device can offer, and if they're not they are probably soon going to be, whether they are purchased by the school or users have their own and want to use them during school time. We are going to have to adapt and design a strategy for configuring, monitoring and managing these devices, particularly iOS devices, because our users are seeing the benefits of using these devices to teach and learn.

www.rm.com/techseminars 2012 RM Education Page 2


iOS devices

Five years ago, at the Mac Expo keynote speech, Steve Jobs addressed conference delegates and introduced the iPhone, a device that, quite literally, reinvented the smartphone market. Several months later, Apple announced the iPod touch, a phone-less iPhone, which presented users with a touchscreen, simple-to-use device which, a year later, would allow software vendors to produce rich multimedia and productivity applications which could be downloaded and installed quickly and simply within iTunes.

In 2009, Apple announced the third device, a new category of computer, sitting in between the smartphone and a computer: a tablet computer. Of course, tablet computers aren't anything new. Microsoft released Windows XP Tablet Edition in 2002, claiming that this new tablet form would revolutionise mobile computing. As we now know, it didn't; however, Apple positioned iPad as a device that was designed to consume content, a device that, by and large, could be used to browse the Internet, watch a film, or read a book.

As the App Store grew so did the kind of apps available. We now have apps that can be used as a learning aid for students; note-taking apps which can sync to the cloud and can then be used on computers; and, more recently, Apple has released a new version: iBooks, which allows rich multimedia books which contain not only words and pictures, but videos. These were released specifically to replace text books in education.

Apple, with iOS devices, is transforming how students learn and how teachers teach. There are many case studies available on the Internet that demonstrate how the use of iOS devices is improving student engagement and attainment in education and, as the Network Support Team, we can configure and support these devices using tools that Apple provides us with.


Apple Mac

More schools are starting to use Apple Mac computers during lessons. Out of the box, Mac computers have powerful multimedia applications installed on them in the form of iLife, which consists of iPhoto for digital photo editing and management, iMovie, which allows users to create videos, add special effects and edit the sound, and finally GarageBand, which allows great sounding music to be created and edited. There are many other advantages to using Apple Mac computers in education, including:

- OS X: This is the operating system that comes with Mac. OS X (pronounced OS 10!) is a powerful, UNIX-based operating system with an efficient and friendly to use interface. In a completely unscientific test I was talking to my daughter about the computers she uses at her school and she said her iMac, which she uses at home, is a lot easier to use than the Windows laptops they have at school! Because OS X is based on UNIX technology it is less susceptible to viruses. (Caveat: That doesn't mean there will never be OS X viruses!)
- OS Flexibility: Although Mac ships with OS X, they can also run Windows! Because Mac uses Intel chips it is possible to run Microsoft Windows on a Mac either through a virtualisation solution, such as VMware Fusion or Parallels, or using Boot Camp. Apple provides Windows drivers for Intel-based iMac, MacBook Pro or MacBook Air and software that allows you to dual-boot them.
- Innovation: The Apple MacBook Pro and Air, for example, use MagSafe to connect to power supplies. Little magnets connect the power lead to the MacBook Pro and MacBook Air, a simple yet ingenious solution to the problem of the power lead becoming accidentally disconnected, like if someone trips over it, and a potential money saver in a classroom environment! Add to that multi-touch and gestures and you can see why people like to use Mac computers.
- Design: This may be the lowest on the list of priorities for a network support team but Apple computers are cool. The advantage of this in schools is that students want to use them. Because they want to use them they are enthused and are likely to produce better work when using a Mac.

So we can see why they are becoming more popular. Speak to network support teams, however, and their views of Mac computers are often different! It may be technology we aren't used to supporting; we see them as being inflexible because they require different or additional management. However, you will hopefully see from this session that they aren't actually all that different.

Mac OS X Lion Server


Apple produces a version of OS X Lion for servers. Actually, there is a fundamental difference between OS X Lion Server and previous versions of OS X Server. With the release of OS X Lion, Apple simply released one operating system (Mac OS X Lion), and then made the server components available as apps through the Mac App Store. You can still purchase Mac servers, and Apple offers two servers in their range:

- Mac mini Server
- Mac Pro Server

We, as an Apple Solution Expert, can provide hardware, support and training services for the entire Apple range, and you can find more information about our services from the following link: http://www.rm.com/shops/rmshop/Catalogue.aspx?nguid=df22f1db030e-4d9e-8ae4-efb03b9d7e31 However, if you have an existing Apple Mac Server which meets the OS X Lion Server hardware requirements, which can be found here: http://www.apple.com/macosx/server/specs.html then you can simply download OS X Lion and the Server App from the Mac App Store.


The link to OS X Lion Server in the Mac App Store is: http://itunes.apple.com/gb/app/os-x-lion-server/id444376097?mt=12

The OS X Lion Server Admin Tools are a separate download from Apple's website, here: http://support.apple.com/kb/DL1488

Note: This link is for version 10.7.3, which is the latest version at the time of writing.

Configuring a Mac OS X Server


We manage iOS and OS X devices using a component of the Server App called Profile Manager, which is included as part of OS X Lion Server. In order to use Profile Manager you will need a Mac Server as part of your deployment. Profile Manager in OS X Lion consists of three parts:

- Web-based Administration Tool: The Profile Manager web application is where you configure settings for devices, manage enrolled devices and device groups, and execute or monitor tasks on enrolled devices.
- Self-Service User Portal: Profile Manager's user portal is an easy to use, secure website for distributing settings you define using the administration tool. Users connect to the web-based portal using their device; after they log in, the settings that you assigned to them are available for download and installation. Users also utilise this site to enrol devices for mobile device management (if you're using Profile Manager as a mobile device management server).
- Mobile Device Management Server: Profile Manager also provides a mobile device management (MDM) server that lets you remotely manage enrolled Mac OS X Lion and iOS devices. After a device is enrolled with Profile Manager, you can update its configuration over the network without user interaction, as well as execute tasks such as reporting or locking and wiping the device.

Before we can use Profile Manager, our server needs to be configured in order to manage iOS and OS X devices. There are several things that need to be configured on the server before we can deploy Profiles to our iOS and OS X devices. These are:

- Configuration of the Mac Server
- Configuring SSL Certificates
- Configuring a Directory Service
- Configure Profile Manager

Configuration of the Mac Server


As this paper is about managing Apple devices then I am not going to cover configuring the Mac Server; I am making the assumption you have a Mac OS X Server already. However it is really important that the following components are configured correctly in order for Profiles to work:

IP Address
Your Mac OS X Server needs to have a static IP address from your range. This can be configured in Network from the System Preferences menu:


Once in Network Preferences you can configure your Static IP by clicking the Advanced button and completing the details on the TCP/IP and DNS tabs.

Server host name


The server's host name is what, from a Windows world, we would know as the Fully Qualified Domain Name. This is the name of the server. When configuring this we can choose one of the following host name options:

- Host name for the local network: This allows users to access the server only on the local network.
- Host name for private network: Lets users access the server on the local network and using a Virtual Private Network, or VPN.
- Host name for Internet: Lets users access your server on your local network and the Internet.

In my research for this paper the recommendation has always been to configure the server's host name as Host name for Internet. This is because Profiles can be deployed over the Internet if so desired.

DNS records
It's vitally important that DNS on your network holds forward and reverse lookup records for your server's details. You can check this is working correctly by testing the host name and server IP address using Network Utility, which is part of Mac OS X. In Network Utility, you use the Lookup tab to check that the server's host name and IP address are correctly resolved by DNS. If the server's host name and IP address are resolved correctly by DNS you will see the results in the Answers section of the Lookup results.
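The same forward and reverse check can be scripted so it is repeatable after any DNS change. This is an added example, not part of the original paper; the host name `mdm.school.example`, the address `10.0.0.5` and the `fake_resolvers` helper are constructed so the check can be shown without a live DNS server.

```python
import socket


def _system_forward(name):
    # gethostbyname_ex returns (canonical_name, aliases, ipv4_addresses)
    return socket.gethostbyname_ex(name)[2]


def _system_reverse(ip):
    # gethostbyaddr returns (primary_name, aliases, addresses)
    return socket.gethostbyaddr(ip)[0]


def _same_host(a, b):
    # DNS names are case-insensitive and may carry a trailing dot
    return a.rstrip(".").lower() == b.rstrip(".").lower()


def check_server_dns(hostname, server_ip,
                     forward=_system_forward, reverse=_system_reverse):
    """Return a list of problems; an empty list means both records agree."""
    problems = []
    try:
        addresses = forward(hostname)
    except OSError as exc:
        addresses = []
        problems.append(f"forward lookup of {hostname} failed: {exc}")
    if addresses and server_ip not in addresses:
        problems.append(f"{hostname} resolves to {addresses}, not {server_ip}")
    try:
        ptr_name = reverse(server_ip)
    except OSError as exc:
        ptr_name = None
        problems.append(f"reverse lookup of {server_ip} failed: {exc}")
    if ptr_name is not None and not _same_host(ptr_name, hostname):
        problems.append(
            f"{server_ip} reverse-resolves to {ptr_name}, not {hostname}")
    return problems


def fake_resolvers(a_records, ptr_records):
    """Constructed stand-in for DNS so the check can run offline."""
    def forward(name):
        if name not in a_records:
            raise OSError("name not found")
        return a_records[name]

    def reverse(ip):
        if ip not in ptr_records:
            raise OSError("no PTR record")
        return ptr_records[ip]

    return forward, reverse


if __name__ == "__main__":
    # Constructed zone with the reverse record missing
    fwd, rev = fake_resolvers({"mdm.school.example": ["10.0.0.5"]}, {})
    for problem in check_server_dns("mdm.school.example", "10.0.0.5", fwd, rev):
        print("DNS problem:", problem)
```

Called without the last two arguments, `check_server_dns` uses the system resolver, which is the equivalent of the Lookup tab in Network Utility.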

Creating Users and Groups


Profiles are delivered to users and devices. In order to be able to deliver Profiles we need to configure these Users and Groups. A Group can of course contain Users, Mac computers or iOS devices. In order to be able to use Profile Manager to manage our devices our server needs to be configured with a directory service. Out of the box, you can create Users in OS X Lion Server however these would be local users. Just like a Windows network we need to create network users and groups and to do this we need a Directory Service.

Configure the server to manage network users and groups using a Directory Service
A directory service is a software system that is designed to store, organise, and provide access to information in a directory. Simply put, a directory service is a map between names and values. It allows the lookup of values for a name, very much like you would in a dictionary. As a word in a dictionary might have many definitions, a name can be associated with multiple, different pieces of information. Likewise, a word might have different parts of speech and different definitions; a name in a directory might have different types of data.

A directory service defines the namespace for the network. A namespace is the term that is used to hold one or more objects as named entries. The directory design process normally has a set of rules that determine how network resources are named and identified.

A directory service standard has been developed, known as X.500. It was originally developed in 1988 by ITU-T (The International Telecommunication Unit), and was created in order to support email exchange (the X.400 standard) and name lookup. The benefit of having a standard is that different directory services can communicate with each other if they are based on the same standard. The second standard that is used in a directory service is LDAP (Lightweight Directory Access Protocol). LDAP is an application protocol for accessing and maintaining a distributed directory information service over an IP network.

A directory service has a structure, based on a set of attributes. Each attribute has a name and one or more values. Each entry in the directory service has a Distinguished Name (DN), which is constructed using the entry's Relative Distinguished Name (RDN), and some attributes in the entry, followed by the parent's DN. Here's an example, if this seems a little heavy! If we take the following file as an example:

C:\Users\Little Johnny\Documents\Homework.docx

The full path to the file, and the filename (C:\Users\Little Johnny\Documents\Homework.docx), is the DN and the filename (Homework.docx) is the RDN.

A DN may change over time and as such this cannot be relied on as the identifier for a record in a directory service. For example, user account information is held in a directory service on most modern networks. We couldn't use the DN as the unique identifier for the user account because the details in it may change (a username may get renamed), and for that reason many records also include a UUID (Universally Unique Identifier). The UUID is created for the record in the directory service when the record is created and never changes, no matter what information is changed within the record.


Active Directory
Active Directory is the Microsoft implementation of a directory service. Active Directory's structure is made up of a hierarchical arrangement of information about objects. Objects, broadly speaking, are either resources, like printers, or security principals, like user or computer accounts. Each object in Active Directory is identified by its name and has a set of attributes that are defined in the Schema, which also defines the kinds of objects that can be stored in Active Directory.

The schema in Active Directory is known as flexible, which means it can be modified. An example of a change that can be made to the schema is when a Microsoft Exchange server exists on the network; the schema is changed when Exchange is added so that information about the users' mail stores can be held in Active Directory. Community Connect 3 made changes to the schema so information pertinent to CC3 could be held. In Community Connect 4 this information is held in a separate, enterprise-class PostgreSQL database.

When we look at a Community Connect 4 Active Directory structure, we can see the domain level at the top of the structure, with Organisational Units below it. This is where the CC4 objects exist within the namespace. In order to communicate with Active Directory, LDAP is used. LDAP allows information to be read, updated and added to Active Directory.

Apple Open Directory


Apple Open Directory is Apple's directory service implementation for OS X. Open Directory is based on the Unix directory service, OpenLDAP, and is a shared LDAPv3 directory service. In order to use Open Directory on OS X Server, it must be configured as an Open Directory Master. Once configured as an Open Directory Master, centralised data can be stored, much like Active Directory, including user, security group and computer accounts, which other systems can access.

Most of us will already be running a directory service, Active Directory, on our Community Connect 3, 4 or Windows network. So do we need to implement an Open Directory Master as well? We do if we are using some of the other features of OS X Server such as Wiki or Web Server features, because we need to use the information in our directory service to set permissions on these. The good news is we don't need to recreate the users and groups that exist in Active Directory in Open Directory on our OS X server; we can implement something called The Magic Triangle.

Communicating between Directory Services: The Magic Triangle



Configuring a so-called magic triangle (or golden triangle as it is sometimes called) allows Apple clients to communicate with Microsoft Active Directory and OS X Server. We need our clients to do this so they can:

- Authenticate against Active Directory
- Access shared folders and resources from the Microsoft network
- Have configuration preferences applied from OS X Server

In order to do this we need to bind the Apple computer to Active Directory and Open Directory, which is running on our OS X server. In my previous seminar session, Apple Integration, I looked at how we bind Apple Mac computers, so I won't be going through this in this seminar paper; however, if you want more information on binding then this can be downloaded from the RM Knowledge Library here: http://www.rm.com/Support/GeneralDownload.asp?cref=DWN205774 6&nav=0

Once the Apple computer is bound to both directory services then resources (including information in Active Directory and Open Directory) can be accessed.

As you can see from the diagram above, as well as binding our client to both directory services, we also need to bind our OS X Server to Active Directory. This allows our users and groups that exist in Active Directory to be accessed and used on the OS X server. This is useful because we only need to create the groups once, (On the Windows side of the network, in Community Connect 4, for example), and then use them in OS X Server. This can be using groups, for example, to set security permissions on our OS X server.


Preparing to use Profile Manager


In the context of managing your Mac computers and iOS devices, a Profile is a collection of settings which include network settings, email accounts, and security policies. Enrolment Profiles allow the Mac OS X server to manage the device using a Payload, which is what is contained in a Profile. Before we can use Profile Manager we need to configure the server. The configurations we need to carry out are:

- Obtain and install an SSL certificate.
- Obtain an Apple ID, which allows a push certificate to be created.

Obtain and install an SSL certificate


Devices must be able to establish a trusted, secure connection to the Profile Manager server and they do this through the use of Secure Socket Layer (SSL) certificates. If your server's SSL certificate is not issued by a trusted Certificate Authority (a company that issues SSL certificates) known to Mac OS X Lion or iOS, clients must install the necessary root certificates to verify the certificate issued from the OS X Server, the self-signed certificate. They do so by downloading the Trust Profile from the user portal. Alternatively, as part of your configuration of iOS devices when you first receive them, you can install and trust your server's self-signed certificate.

Profile Manager signs configuration Profiles so devices can verify that they haven't been modified during delivery. This requires a code-signing certificate, which Profile Manager can generate for you. Alternatively, you can use a signing certificate with an established chain of trust. In the Profile Manager pane of the Server app, enable Profile signing and select your installed code-signing certificate from the system keychain. Tell your users to download the Trust Profile from the user portal to install the intermediate certificates to verify signed Profiles.

Much more information can be read on the Internet about this secure way of transferring data both internally and externally to the network. If you would like more information on SSL certificates then the following web link will help: http://www.webopedia.com/TERM/S/SSL.html

To use Profiles we need to have an SSL certificate. There are two types of SSL certificates:

- Self-signed SSL certificate
- Trusted certificate

With Profile Manager you can use a self-signed certificate; however, you will have some extra work to do in order to manage iOS devices. Also, when using a self-signed certificate you have to manually configure all the iOS devices you want to use with Profiles to trust the self-signed certificate from your server. Trusted certificates are purchased from a Certificate Authority, which Apple have pre-trusted. Simply put, a certificate issued by a Certificate Authority will be automatically trusted by a Mac or an iOS device. You can see the Certificate Authorities in Keychain Access on a Mac:

I would recommend purchasing an SSL certificate from a trusted Certificate Authority as this minimises the amount of steps in order to make use of the tools we can use to configure iOS devices and Apple Mac computers.

Obtain an Apple ID
It is likely you will already have an Apple ID, especially if you've purchased from iTunes. Once you have an Apple ID you can use this during the setup of Profile Manager to obtain an Apple Push Notification Certificate.

Push Notification Certificates are used to distribute over-the-air Profiles. If you are using iOS devices with 3G connectivity (this could be an iPad or iPhone), or on a wireless network that isn't in your school, for example at home, then changes to Profiles will still be sent to these devices without the need for them being connected to your network. These changes are pushed to the devices through a notification that is sent to the iOS device from Apple. When you make a change to a Profile, your OS X Server notifies Apple that Profile X has changed. When Apple receives this notification, a notification message is then sent to iOS devices registered with Profile Manager. These devices then phone home to receive the new Profile directly from your OS X Server.

If you don't have an Apple ID then you can create one at: http://appleid.apple.com

Once you have all of these pre-requisites set up you can enable Profile Manager and start to make your configurations.

Enabling Profile Manager


Now that we have done all the groundwork, we can enable Profile Manager. We do this through the Server App on our OS X Server.

1. To initially set up Profile Manager, open the Server App and select Profile Manager in the sidebar:

2. In the right-hand pane, click the Configure button and the Configure Device Management wizard starts. Click on Next.

3. After reading some initial settings from your OS X Server, you need to choose the SSL certificate Profile Manager is going to use. It is at this point you either select your self-signed certificate or the third party trusted certificate you have purchased from a Certificate Authority. Remember that if you use a self-signed certificate you won't be able to use Profiles on an iOS device without first telling the device that your self-signed certificate is trusted. In the screen shot below I have used a self-signed certificate and you can see the Profile Manager wizard is warning me that I cannot enrol iOS devices automatically until they have been configured to trust this certificate. If you don't want to purchase an SSL certificate then it doesn't matter; either you or the user can trust the certificate, and we will look at that later.


Click Next. You now have to request an Apple Push Notification Service Certificate. In this screen you enter your Apple ID and password. It is recommended you don't use a personal email address for this but one that can be accessed by any member of the Network Support team. Once it has been verified your Push Certificate will have been set up for you and you will receive a confirmation email:

You can see in the copy of the email above, the Apple Push Certificate is applicable to: <server name> - apns:come.apple.mgmt This is for Profile notification!


4. Once the Apple Push Notification Service Certificate has been created, the wizard will complete. A green tick confirms that Profile Manager has been configured correctly.

5. Back in the Server app, you need to tick the box Sign configuration Profiles and click the Edit button.

6. You should then choose your SSL certificate (either self-signed or certificate issued by Certificate Authority) and click OK.

Profile Manager has now been configured ready for you to create the Profiles to manage your iOS and OS X devices.

Starting Profile Manager


We have now configured Profile Manager and now we need to start it. To start Profile Manager you need to open the Server tool and, from Services in the left-hand pane, select Profile Manager. Use the slide switch to turn Profile Manager on.

The first time you start Profile Manager, a configuration wizard starts which allows you to configure:

- An SSL Certificate
- An Apple Push Notification Service Certificate

Once Profile Manager has been enabled we can manage Profiles on iOS and OS X devices. Profile Manager is a new implementation of device management introduced with OS X Lion. Previously, we used Workgroup Manager and that only allowed us to manage OS X devices. There was a separate utility, the iPCU (iPhone Configuration Utility), that allowed network support teams to configure iOS devices. Workgroup Manager is still available in OS X Lion; however, Apple recommends that devices be managed using Profile Manager.

What is a Profile?
Each user, user group, device, and device group can have a default group of settings. This allows you to easily share base settings for devices or people that need them. For example, to configure a teacher's iPad, create a user account for the teacher then place that user in the "teachers" and "iPad" groups. This assigns them two collections of default settings, one from each group, and you can then assign additional settings that are tailored to the user.

Profile Manager works by creating and distributing configuration Profiles. Configuration Profiles are XML files (.mobileconfig) that contain payloads that define groups of settings. When the Profile is installed on a Mac OS X Lion or iOS device, the settings it defines are applied. Each user, device, and group has a default configuration Profile so you can quickly provide a base level of settings, and then you can assign additional configuration Profiles to customise the settings to meet your school's requirements. For example, to enforce restrictions and configure users' devices you can create a configuration Profile with a restrictions Payload.

After you have defined the settings for users and/or their devices, you can distribute the configuration Profiles to users in the following ways:

- Manual distribution: You can download configuration Profiles (.mobileconfig files) from Profile Manager's administration tool, then send them to your users via email or post them to a website you create. When users receive or download the file, they can install it on their device.
- User self-service: Users can download and install the settings from Profile Manager's built-in user portal. The user portal ensures that users receive the configuration Profiles you assign to them or their group.
- Remote device management: For iOS devices, you can enable Profile Manager's mobile device management server, which allows you to remotely install, remove, and update configuration.

In order to manage iOS devices using Profile Manager you need to enable Mobile Device Management (MDM), which will configure it as an MDM Server. Once configured this way, iOS devices can be enrolled on to the MDM Server using any of the three ways already mentioned (manually, through a self-service portal or using remote device management), and profiles can be installed. In order for OS X Lion to act as an MDM server so that iOS devices can be managed, there are certain prerequisites:

1. The Mac must have a static IP address.
2. The Mac must have access to the Internet (so that Profiles can be distributed over the Internet using Apple Push Notifications).
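The payload structure described in this section, and the Profile signing described under "Obtain and install an SSL certificate", can be reviewed in code before a Profile is distributed. This is an added example, not code from the paper or from Profile Manager: it builds a constructed .mobileconfig and audits it. The `org.example.school` identifiers, the SSID and the passphrase are constructed, and the signed-envelope test is a heuristic on the file's bytes that does not verify the signature.

```python
import plistlib
import uuid

ORG_PREFIX = "org.example.school"  # constructed placeholder identifier

# Payload types worth a reviewer's attention; the descriptions are this
# example's own wording.
NOTABLE_TYPES = {
    "com.apple.security.root": "installs a trusted root certificate",
    "com.apple.mdm": "enrols the device with an MDM server",
    "com.apple.wifi.managed": "configures a Wi-Fi network",
    "com.apple.applicationaccess": "applies restrictions",
}


def new_uuid():
    return str(uuid.uuid4()).upper()


def build_profile(display_name, payloads):
    """Return unsigned .mobileconfig bytes wrapping the given payload dicts."""
    content = []
    for index, payload in enumerate(payloads):
        entry = dict(payload)
        entry.setdefault("PayloadIdentifier", f"{ORG_PREFIX}.payload{index}")
        entry.setdefault("PayloadUUID", new_uuid())
        entry.setdefault("PayloadVersion", 1)
        content.append(entry)
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ORG_PREFIX}.profile",
        "PayloadUUID": new_uuid(),
        "PayloadDisplayName": display_name,
        "PayloadContent": content,
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def extract_plist(data):
    """Return (signed_envelope, xml_bytes) for a .mobileconfig file.

    An unsigned profile is a bare XML property list. A signed profile is a
    DER-encoded CMS envelope (first byte 0x30) carrying that XML inside it;
    this assumes the XML is stored as one contiguous block.
    """
    start = data.find(b"<?xml")
    end = data.rfind(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no XML property list found")
    signed_envelope = data[:1] == b"\x30" and start > 0
    return signed_envelope, data[start:end + len(b"</plist>")]


def audit_profile(data):
    """Summarise what a profile would do and list points to review."""
    signed_envelope, xml = extract_plist(data)
    profile = plistlib.loads(xml)
    if profile.get("PayloadType") != "Configuration":
        raise ValueError("not a configuration profile")
    payloads = profile.get("PayloadContent", [])
    if not isinstance(payloads, list):
        payloads = []
    findings = []
    if not signed_envelope:
        findings.append(
            "unsigned: devices cannot verify it was not modified in delivery")
    for payload in payloads:
        ptype = payload.get("PayloadType", "")
        if ptype in NOTABLE_TYPES:
            findings.append(f"{ptype}: {NOTABLE_TYPES[ptype]}")
        if ptype == "com.apple.wifi.managed":
            if payload.get("EncryptionType") == "None":
                findings.append("Wi-Fi payload joins an open network")
            if "Password" in payload:
                findings.append(
                    "Wi-Fi passphrase is stored in clear text in the file")
    return {
        "name": profile.get("PayloadDisplayName", ""),
        "signed_envelope": signed_envelope,  # signature itself not verified
        "payload_types": [p.get("PayloadType", "") for p in payloads],
        "findings": findings,
    }


def sample_profile():
    """Constructed sample: restrictions plus Wi-Fi for a teacher's iPad."""
    return build_profile("Teacher iPad (constructed sample)", [
        {"PayloadType": "com.apple.applicationaccess",
         "allowAppInstallation": False, "allowCamera": True},
        {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "School-Staff",
         "EncryptionType": "WPA", "Password": "constructed-passphrase"},
    ])


if __name__ == "__main__":
    report = audit_profile(sample_profile())
    print(report["name"], report["payload_types"])
    for finding in report["findings"]:
        print(" -", finding)
```

The clear-text passphrase finding matters most for manual distribution, where the file travels by email or sits on a website.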

Managing iOS devices


In schools, we are used to the practice of one device to many, i.e. a computer in the school is to be used by many users. Indeed, we design our network management toolset, Community Connect 4, with this in mind because it supports, amongst other things, roaming Profiles, where the user's environment is downloaded from a centralised server when they log on. This is probably the biggest mind-set change we have to consider when talking about iOS devices being used in schools:

iOS devices are personal devices

What that doesn't mean is that a school considering the introduction of iOS devices should be looking at purchasing one for every student, or in a particular year, but we should be planning on using them as if they belonged to an individual. The ways schools are implementing these devices include:

- Purchasing an iOS device for each student within a particular intake year.
- Purchasing iOS devices for a class or subject, which are distributed at the start of a lesson.
- Purchasing them for students, then selling them to parents in a leaseback scheme whereby the school purchases the iOS device and the parents of children pay for them over time and eventually own them.

Of course, users may have their own iOS device which they want to use: maybe a student owns an iPad and wants to use it to take notes, or perhaps a teacher owns one and wants to mirror the iPad display using AirPlay and an Apple TV connected to a projector.

iOS device setup workflow


If you are looking to use iOS devices in school then it is important that you have a strategy for configuring and managing these devices, or a workflow. Before you even open the first box, there are a number of things you need to consider:
- How are you going to purchase apps for the iOS devices?
- How are you going to configure the iOS devices for app deployment?
- How are you going to track the iOS devices?
- How are you going to synchronise multiple iOS devices?
- How are you going to configure the iOS devices for such things as connecting to the wireless network, applying restrictions, etc?

Purchasing apps for iOS devices


The downloading of free and chargeable apps can be performed either through iTunes or the App Store on an iOS device.

iTunes is a media application which can be used for playing and managing music and movies and gives you access to the App Store where apps for iOS devices can be purchased. iTunes comes pre-installed on every Mac and can be downloaded for Windows or OS X from Apple's website here: http://www.apple.com/itunes/download/

Before you can purchase content for your iOS devices an iTunes account needs to be created. I would recommend creating a school iTunes account that can then be used to purchase this content. To buy content on iTunes you can either register a debit or credit card, or purchase iTunes cards which allow you to front-load your iTunes account.

If you do register a debit or credit card then always use the school's card as opposed to your own, and never use a personal email address; always use a school one which responsible people in the school can have access to (but keep the password for iTunes itself safe and secure, as you would your System Administrator level user account passwords).

There is a slight disadvantage here between using iOS devices in the UK and the USA because in the USA Apple have the Apple Volume Purchase Program. This allows an educational establishment to bulk purchase apps for devices they own. Using the bulk purchase program, a school can, through a single iTunes account, purchase enough licences for the iOS devices in school. Once the app (or any content in the iTunes store) has been purchased, redeemable codes are sent to the school that can then be distributed. The code can then be used in the App Store to download the app.

Currently, the Apple Volume Purchase Program isn't available in the UK but I would expect it to be available soon, given Apple's recent activities in the use of iOS devices in education; however, in the meantime there is another way we can centrally deploy apps to iOS devices. Through iTunes it is possible to Gift This App:

You can also gift apps through the App Store on an iOS device:

When you gift apps it is possible to distribute them to the iOS devices in your school by the user (or a member of the network support team) using the code that is emailed to the email address you specified. Another benefit of being able to gift apps is you can send apps to iOS devices that aren't owned by the school (for example personal devices), as long as you know the email address of the person who you want to send this app to. It is also worth noting here that, according to Apple's Terms and Conditions, nobody under the age of 13 is allowed to have an iTunes account without a carer's consent, so be aware of this if you are deploying iOS devices for individual users.

Currently, Apple doesn't provide a way for schools to centrally deploy apps within the school environment; all apps need to be downloaded and installed from iTunes.

This is cumbersome. It appears that for every iOS device the school owns somebody would have to install the app; however, there is a trick here! The trick is that we are only gifting the apps for licensing purposes because, as we will see later, we will sync the iOS devices from a master iTunes account. On the RM Education website, we have provided links to our favourite 25 iOS apps for Education which you can have a look at by following this link: http://www.rmeducation.com//webcontent/generic/GWGEN2354677

Configure iOS devices for app deployment


If your iOS devices are going to be used with multiple users then you should create unique email addresses for each of your iOS devices. It is impractical to use a personal email address when iOS devices are going to be used by multiple users (obviously if iOS devices are issued to individual users, for example teachers, then personal email addresses could be used), whereas having a unique email address for the iOS device allows you to:
- Cover the licence requirements for apps through gifting.
- Aid collaboration (teachers could email work to users using the iPad through the generic email address and users could email it back at the end of the lesson).

In order to use the App Store for gifting apps an iTunes account must be available, and that is linked to an email address, so we can use these unique email addresses for that purpose. You might want to consider how you will record the particular email address for an iOS device; it may be as simple as having a label on the back of each device with the address printed on it.

Tracking iOS devices


iOS devices are designed to be mobile so you need to consider how you are going to track these devices once they are released to users. In the App Store, Apple has a free app called Find my iPhone. This is a really useful app for schools (well, for everyone), because it allows you to locate any iOS device wherever it is in the world, assuming it has been connected to a WiFi or telephone network. In order to use Find my iPhone you will need to set up an account for iCloud. iCloud is a free service from Apple that allows you to sync items such as music and photographs across multiple iOS devices and Mac computers; however, it is unlikely this would be useful for iOS devices in a school.

Note: You do not need an iCloud account for every iOS device the school owns. iCloud allows you to register multiple devices against one account.

Once iCloud is configured, from a web browser, you can navigate to www.icloud.com and, from the webpage, click on Find My iPhone:

A map will be displayed showing the location of all the iOS devices associated with the iCloud account:

Note: As you can see from the screen shot above, iCloud can also locate Mac computers with OS X Lion installed, and Find My Mac enabled in iCloud System Preferences.

Once an iOS device has been located using iCloud you can send a message to the device and optionally prompt it to play a sound:

Once sent, the message is displayed on the iOS device even if it is locked, and the sound will play even if the device has been muted.

If you have a managed wireless network, such as the Meru Managed Wireless Network Solution, then you may be able to track your iOS device through the management software but obviously this would only work within your school, or wireless environment. For more information about Meru Managed Wireless Networks you can download the technical paper from this round of the Technical Seminars from the RM Knowledge Library.

Synchronising multiple iOS devices


iPad, iPod touch and iPhone should be regularly synchronised with iTunes in order to:
- Back up the contents of the iOS device.
- Install any new or updated apps.
- Copy any music, movies, podcasts, audiobooks and iTunes U content to the iOS device.
- Add Safari Bookmarks.
- Copy Books.
- Copy Contacts.
- Copy Calendars.
- Copy Notes.
- Copy Documents (in File Sharing apps).

There are several options available for synchronising iOS devices so they are backed up and have the latest apps, files, etc. installed on them. Also, the way you sync may be dependent on how the iOS devices are deployed (per user, per class, personal devices).

Hard wired synchronising

When an iOS device is connected to a computer (Mac or Windows PC), it can be seen in iTunes and synchronised. This synchronisation can be manual or the device can be configured through iTunes to synchronise when it is connected to the computer. As you can see in the next screenshot, this iPad is configured on the Summary tab to Open iTunes when this iPad is connected. When it is plugged in to the computer iTunes opens and the iPad synchronises. Without this tick enabled I would have to open iTunes and manually synchronise it.

Sync over wireless

With the introduction of iOS 5 Apple also introduced wireless syncing. It is now possible to sync iOS devices over your wireless network. With iTunes open and the device connected to a power supply they will sync automatically when they are connected for charging. This is an ideal scenario for a school because at the end of the school day it is likely the devices will be returned to a charging station (be it a trolley or shelving) and plugged in. At this point they will sync if iTunes is open on the master iTunes computer. You can still sync iOS devices over wireless even if they aren't connected to a power supply; however, you would have to do this manually in iTunes by right-clicking on the iOS device and choosing Sync.

You should be conscious of the fact that if you are wireless syncing lots of iOS devices this may put your wireless network under strain, particularly if large apps are being distributed. A managed wireless network solution will help with this; however, you should ensure where possible you have adequate bandwidth to support large numbers of iOS devices syncing wirelessly. If you find wireless bandwidth availability is causing some devices to fail syncing correctly then you should consider manually repeating the wireless syncing.

Using a charging and synchronisation dock

You can purchase charging and synchronisation docks which allow multiple iOS devices to be charged and synchronised at the same time.

As you can see, these allow multiple iOS devices to be charged and synchronised at the same time when the dock is connected to the USB port of a Mac or Windows PC. More information on charging and synchronisation docks can be found either from your RM Account Manager, or on the RM Education website: http://www.rm.com/shops/rmshop/Product.aspx?cref=PD1625498

Classroom computers

Fraser Speirs is an educationally renowned expert in iOS device deployment, specifically iPad, and he has documented his experiences of deploying devices to every student in his school. He uses another method to deploy apps to iPads in his school. Every classroom has a computer in it, which is used to synchronise the iPads in his school. When a new App is purchased through the centralised school iTunes account, he then distributes the app to these computers using Home Sharing.

Home Sharing allows iTunes on computers which are part of the same network to access libraries (music, videos, books and apps) from other computers on the network, as long as they know the iTunes password (Apple ID). Then, at the start of each school day, the students connect to the remote computer in the classroom and synchronise their iPads. For more information on Home Sharing, please see the following Apple Support web page: http://support.apple.com/kb/HT3819

For an article about Fraser's experience of deploying iPad in his school, you can read about it here: http://www.techradar.com/news/computing/apple/the-school-thatgives-every-student-an-ipad-915539?artc_pg=1

As an advocate of Apple devices even I have to admit, app deployment to multiple iOS devices isn't easy. Even with Apple's Volume Licensing Program, which makes the purchasing of multiple copies of an app easy, it doesn't make the deployment of the apps to devices any easier. With Apple's recent efforts to encourage the uptake of devices in education I can only hope they are working on a solution which makes it easy for schools (and to a large degree, enterprises) to deploy apps as you would to a Mac or PC.

I do have some concerns about the deployment of Apps using Home Sharing. This may be against Apple's Terms and Conditions for App deployment so I would look at alternative ways to distribute Apps to your iOS devices.

Configuring and controlling iOS devices


For almost everybody you speak to about large-scale deployments of iOS devices (and by large scale I mean five or more!), the largest concern is that of configuration (and by virtue control) of iOS devices. As I said at the start of this paper:

iOS devices are personal devices

Even though they are designed to be used as personal devices there are ways we can control and configure these devices. One of the easiest ways to initially configure your iOS devices is to create a master image. With our first iOS device we configure it how we would like all of our devices to be configured. Once we have got our image we synchronise with iTunes, which will create a backup of our device configuration. Once we have that backup we can use that to restore to our other iOS devices. Firstly, let's take a look at configuring iOS devices.

Out of the box


Earlier in this paper I talked about having a master iTunes account for the school that is used to purchase apps. We can also use this account to configure our iOS devices when we first receive them by using it to create a master iOS image. We can use this image to initially configure our iOS devices prior to issuing them to users in the school. It is important to remember that you have to repeat these steps for each type of iOS device you are using in your school (i.e., once for iPad, iPod touch and iPhone).

When you start an iOS device for the first time it needs to be configured. An improvement was introduced with iOS 5 where you can now configure new devices without connecting them to a Mac or PC running iTunes. How you configure them is completely your choice. I'm not going to run through the initial setup process here; however, there are many videos available on YouTube showing you how to set up a new iOS device. Here is one as an example: http://www.youtube.com/watch?v=Kf2APwl6sQU

There are some minimal settings that we need to configure on the iOS devices before issuing them to users or classes:
- Networking settings.
- App placement on Springboard (Springboard is the interface we use to launch apps).
- Settings for the device.

Network settings

In order to get the most benefit from using iOS devices they need to be connected to a wireless network, and preferably a managed wireless network so that bottlenecks in connectivity don't occur. These settings are configured on the iOS device in Settings, Wi-Fi.

Once the device has been joined to the wireless network, the proxy details can be configured on the same screen:

App placement on Springboard

Springboard is the standard iOS application that manages the home screen. As well as managing this, Springboard also launches bootstrap applications and configures some of the iOS device settings on start-up. We can configure a standard Springboard layout for all of our devices by configuring it in our master image.

The Springboard layout can be configured in two ways:
1. On the iOS device itself.
2. In iTunes.

To configure the layout of Springboard on the iOS device itself:
1. Press and hold an app icon until it starts to wiggle.
2. Move the app icon to the desired place (moving it to the far left or right of the screen to move it to a new page).
3. Press the Home button once you are happy with the layout.

You can place collections of app icons in to folders by dragging one app icon on to another. When you do this a folder is created and you can give that folder a name.

You can also configure Springboard through iTunes. On the device in iTunes you can select the Apps tab and organise the icons on to different screens or in to folders.

Settings for the device

We will explore later how we can configure the devices centrally using profiles and Payloads; however, in our master image we should consider setting a four digit password to enable Restrictions. What you set in Restrictions will depend on what apps are installed on the iOS devices; however, there are some restrictions you may want to apply to the built-in apps on an iOS device. Settings you can restrict include:
- Enabling or disabling web apps such as Safari and YouTube.
- Installing and deleting apps.
- Applications that use Location Services (allowing the app to locate the iOS device).
- Setting whether users can add, remove or modify Mail, Contacts and Calendars.
- Setting the Allowed Content country and the age ratings for Music, Podcasts, Movies, TV Shows and apps.
- Whether In-App purchases are allowed (however, to do this the user would need the school's master iTunes account password).
- Game Center settings (Game Center is an online multiplayer social gaming network provided by Apple).

Note: Many of these settings can also be configured through Profiles.

Taking the backup of the configuration


Now that we have configured our iOS device so that the settings are correct, apps are loaded and the Springboard is organised, we need to back this up. Backing up the image is simply a case of synchronising the iOS device with iTunes. It is possible to back iOS devices up to iCloud, Apple's cloud service; however, I would recommend you back up to the iTunes master computer which you have control of. This is configured on the iOS device on the Summary tab:

As you can see, you can also encrypt this backup if you wish. You may want to keep a backup copy of this master image yourself so that, should something happen to the computer it is stored on, you still have a copy of the master image. If you have a Mac, the backups are stored in:
<username>/Library/Application Support/MobileSync/Backup
And if you are using Microsoft Windows:
<UserHomeFolder>\Application Data\AppleComputer\MobileSync\Backup

Note: In OS X Lion the user's Library folder is hidden by default. To show the Library folder, in Finder, click on the Go menu and press the Option key, choosing Library when it appears in the menu.

You can copy the contents of this folder to another location in order to keep a backup of your master image. Now, when you connect other iOS devices in to the master iTunes computer, after completing the initial device setup, you can restore them from the master iOS device backup and all of your iOS devices will have the same configuration.

You could now deploy the iOS devices in your school; however, we can set additional configuration settings and restrictions by using additional software to control and configure your iOS devices.
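The safety copy of the master image described above can be checked rather than assumed. The following is an added example, not part of the original paper: it lists each device backup under the MobileSync folder, reports whether it is encrypted, and verifies a copy file by file with SHA-256. It assumes the usual iTunes layout of an Info.plist and a Manifest.plist in each backup folder; the sample-folder builder and the names used in it are constructed for illustration.

```python
import hashlib
import plistlib
import shutil
from pathlib import Path

# Mac backup location as given in the text above.
MAC_BACKUP_ROOT = Path.home() / "Library/Application Support/MobileSync/Backup"


def read_plist(path):
    with open(path, "rb") as handle:
        return plistlib.load(handle)


def describe_backup(folder):
    """Summarise one backup folder from the metadata iTunes stores in it."""
    folder = Path(folder)
    info = read_plist(folder / "Info.plist")
    manifest = read_plist(folder / "Manifest.plist")
    return {
        "folder": folder.name,
        "device": info.get("Device Name", "unknown"),
        "product": info.get("Product Type", "unknown"),
        "encrypted": bool(manifest.get("IsEncrypted", False)),
    }


def list_backups(root):
    """Describe every sub-folder of root that looks like a device backup."""
    found = []
    for folder in sorted(p for p in Path(root).iterdir() if p.is_dir()):
        if (folder / "Info.plist").exists() and (folder / "Manifest.plist").exists():
            found.append(describe_backup(folder))
    return found


def checksum_tree(folder):
    """Map each file's relative path to its SHA-256 digest."""
    folder = Path(folder)
    sums = {}
    for path in sorted(folder.rglob("*")):
        if path.is_file():
            digest = hashlib.sha256()
            with open(path, "rb") as handle:
                for chunk in iter(lambda: handle.read(1 << 20), b""):
                    digest.update(chunk)
            sums[path.relative_to(folder).as_posix()] = digest.hexdigest()
    return sums


def compare(original, copy):
    """Return the files that are missing or different between two trees."""
    before, after = checksum_tree(original), checksum_tree(copy)
    names = before.keys() | after.keys()
    return sorted(n for n in names if before.get(n) != after.get(n))


def archive_backup(folder, destination):
    """Copy a backup folder to a new location and verify the copy."""
    shutil.copytree(Path(folder), Path(destination))
    return compare(folder, destination)  # an empty list means the copy is good


def make_sample_backup(root, folder_name, device_name, encrypted):
    """Build a constructed backup folder so the example runs offline."""
    folder = Path(root) / folder_name
    folder.mkdir(parents=True)
    with open(folder / "Info.plist", "wb") as handle:
        plistlib.dump({"Device Name": device_name, "Product Type": "iPad2,1"}, handle)
    with open(folder / "Manifest.plist", "wb") as handle:
        plistlib.dump({"IsEncrypted": encrypted}, handle)
    (folder / "data.bin").write_bytes(b"constructed sample content")
    return folder


if __name__ == "__main__":
    if MAC_BACKUP_ROOT.is_dir():
        for row in list_backups(MAC_BACKUP_ROOT):
            state = "encrypted" if row["encrypted"] else "NOT encrypted"
            print(f'{row["device"]} ({row["product"]}): {state} [{row["folder"]}]')
```

Run the comparison again whenever the master image is re-synchronised, so the stored copy always matches the image you would restore from.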

Apple Configurator
Apple have very recently released a new tool called the Apple Configurator through the Mac App Store that allows schools to configure up to thirty iOS devices at a time (you can configure more; however, you can only do it in batches of up to thirty).

Apple Configurator can be downloaded from the Mac App Store using this link: http://itunes.apple.com/gb/app/apple-configurator/id434433123?mt=12

Using Apple Configurator when you want to deploy iOS devices for the first time is a three-stage process:
1. Prepare the iOS devices.
2. Supervise the iOS devices.
3. Assign iOS devices.

For iOS devices that have been used, it's possible to use Apple Configurator to simply supervise them. If individuals, for example teachers, use iOS devices then you can use Apple Configurator to assign them to those users. Use the Prepare feature in Apple Configurator to quickly define and apply configurations, install apps, and update iOS to batches of new iOS devices.

Note: You need to prepare devices before you can supervise them or assign them to users.

This makes it really easy for schools to deploy these devices without using OS X Server, but we will be looking at that option later.

Prepare the iOS devices


Preparing iOS devices is the first step in any iOS device deployment in a school. Using the Prepare feature allows the Network Support Team to quickly define and apply configurations, install apps, and update iOS to batches of new devices. You need to prepare devices before you can supervise them or assign them to users. In the Prepare screen, you can set the device name, (and increment them with a number), install configuration Profiles and choose what free apps are installed on the device. The Prepare screen will also allow you to restore an iOS device from a backup you may have already taken, which applies the device settings and Springboard layout, and any App data.

On the Settings tab you can:
- Set the name of the devices and tell Apple Configurator to number them sequentially starting at 1.
- Enable Supervision (we will look at this later).
- Set the version of iOS to use on the device. The default for this is to not change the version that is currently installed on the device; however, you can tell Apple Configurator to use either the latest version or a .ipsw file you may have previously downloaded. A list of download links for iOS 5.1.1 can be found here: http://www.technobolt.com/2012/05/07/apple-released-ios-5-1-1-foriphone-ipod-touch-and-ipad/
- Tell Apple Configurator to erase all the content and settings that may already be installed on the iOS device. This would be used if you are not installing a new version of iOS on the device; you simply want to prepare it so it can be supervised in Apple Configurator, but you want any existing content on it to be removed.
- Restore the iOS device, after it has been prepared, from a backup you already have of the device. Note: In here you can also tell Apple Configurator to take a backup of the devices as they are currently configured.
- Apply a Profile to the iOS devices after preparing them.

As we have already seen, a Profile is a collection of settings for configuring an iOS device. We will look at how you create these Profiles a little later.

On the Apps tab you can specify iOS apps which you would like to be installed as part of the preparation process. It's important to note here that only apps that are free from the App Store can be deployed this way. This is because Apple doesn't currently allow UK iTunes customers to use the Volume Purchasing Plan that was mentioned earlier. Any apps that need to be purchased cannot be deployed through Apple Configurator.

Note: If an app has been added to an iOS device using Apple Configurator, it can only be updated through Apple Configurator.

Once the devices have been connected to the Apple Mac, you press the Apply button and the devices will be prepared based on the settings on the Prepare tab.

After confirming you want to prepare the attached iOS devices, Apple Configurator sets the iOS devices up:

Once they have been prepared you can then configure the Supervision options.

Supervise the devices


Once an iOS device has been prepared it will appear in the Supervisor screen. In here you can make changes to the iOS devices that Apple Configurator is supervising. In here, you can rename iOS devices, check for iOS updates and restore from, or create, backups. You can get information about the iOS device by right-clicking on it and choosing Get Info. This shows you the information in the screen shot below:

It is possible on this screen to organise your iOS devices. This makes it useful for applying configuration Profiles to the devices if you want different configurations for different uses. In the Supervised Devices column you can create new Device Groups and drag the devices listed in All Devices to their relevant organisational area.

In the Settings tab on the Prepare screen we have the option of adding Profiles. If it is the first time you have used Apple Configurator you will not have any Profiles created. There are two ways these can be created:
1. On the Settings tab, by clicking on the + button.
2. On the Supervise screen, once the device has been prepared, by clicking on the + button in the Profiles section.

In a Profile you have different payloads down the left-hand pane (these can be thought of as categories of settings), and we can configure the Profile for the settings we want our iOS devices to be configured with. The General Profile Payload includes the name of the Profile (this is mandatory) and information for the school name and a description of the Profile. Also in here you can configure whether Profiles can be removed from iOS devices. This is useful as it prevents users from removing the Profiles, and consequently the settings, from an iOS device. You might want to consider setting the Security to With Authorization and setting a password so that, should a member of the network support team need to turn off the restrictions, they can.

I'm not going to list all the settings here; however, some you may want to configure on iOS devices include:
- Passcode settings.
- Restrictions, which include settings for app purchase, use of the camera and ratings for iTunes content.
- Wi-Fi settings.
- Exchange ActiveSync or email settings.
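A Profile is stored as a property list, so the payloads listed above can also be generated and reviewed outside the GUI. This added example (not from the original paper and not produced by Apple Configurator) builds a profile with passcode, Restrictions, Wi-Fi and removal-password payloads and flags settings worth checking before it is distributed. The school name, identifier, SSID and passwords are constructed placeholders; the payload types and keys follow Apple's configuration profile format.

```python
import plistlib
import uuid

# Constructed placeholder identifier; use your own reverse-DNS name.
ORG_ID = "internal.seminars.school"


def payload(payload_type, label, **settings):
    """Return one payload with the keys every payload carries, plus settings."""
    entry = {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ORG_ID}.{label}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": label,
    }
    entry.update(settings)
    return entry


def build_profile(name, school, ssid, wifi_password, removal_password=None):
    """Assemble a profile; a removal password gives 'With Authorization'."""
    content = [
        payload("com.apple.mobiledevice.passwordpolicy", "passcode",
                forcePIN=True, allowSimple=False, minLength=6),
        payload("com.apple.applicationaccess", "restrictions",
                allowAppInstallation=False, allowInAppPurchases=False,
                allowCamera=True, allowExplicitContent=False),
        payload("com.apple.wifi.managed", "wifi",
                SSID_STR=ssid, HIDDEN_NETWORK=False,
                EncryptionType="WPA", Password=wifi_password),
    ]
    if removal_password:
        content.append(payload("com.apple.profileRemovalPassword", "removal",
                               RemovalPassword=removal_password))
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": ORG_ID + ".global",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        "PayloadOrganization": school,
        "PayloadDescription": "School-wide settings (constructed example)",
        "HasRemovalPasscode": bool(removal_password),
        "PayloadContent": content,
    }


def to_mobileconfig(profile):
    """Serialise the profile as the XML property list a device installs."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def review_profile(profile):
    """Return a list of points an administrator should check."""
    findings = []
    payloads = profile.get("PayloadContent", [])
    types = {p["PayloadType"] for p in payloads}
    locked = profile.get("PayloadRemovalDisallowed", False)
    if "com.apple.profileRemovalPassword" not in types and not locked:
        findings.append("profile can be removed by the user without a password")
    if "com.apple.mobiledevice.passwordpolicy" not in types:
        findings.append("no passcode policy payload")
    for p in payloads:
        for key in ("Password", "RemovalPassword"):
            if p.get(key):
                findings.append(
                    f"{p['PayloadType']} stores {key} in clear text; "
                    "restrict access to the profile file")
    return findings


if __name__ == "__main__":
    demo = build_profile("Global Policy", "Example School", "School-WiFi",
                         "constructed-wifi-key", "constructed-removal-pw")
    print(to_mobileconfig(demo).decode("utf-8"))
    for finding in review_profile(demo):
        print("CHECK:", finding)
```

Because the Wi-Fi key and the removal password sit in the file as plain text, store exported profiles with the same care as the passwords themselves.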

Once the Supervisor settings have been created, and the Profiles you want to be applied to the iOS device ticked, you simply click Apply and the settings are sent to the device.

You'll notice in the screen shot above there are two Profiles for my iOS device. This is useful because you can target different settings depending on the use of the iOS device. In my example, I have a Global Policy, which configures the iOS device for such things as the school wireless network, and then a second Profile for settings relevant for the subject area in which they will be used. Once the Profiles have been applied you can see them on the iOS device by navigating to General, Profiles:

If the Profile is allowed to be removed, as discussed earlier, by pressing on the Profile you have the option to remove it:

Assigning iOS devices


The third screen in Apple Configurator allows you to Assign iOS devices to users. On the Assign screen we can see all of the users and groups on our network (if our Mac has been bound to a Directory Service), or we can manually create them.

This is useful if we are loaning iOS devices out to users, perhaps at the start of the school day. This allows us to track who has a particular iOS device. To assign an iOS device to a user:
1. On the Assign screen, select a User.
2. Click the Check Out button.
3. Choose the iOS device the user has and click Check Out.
4. Apple Configurator then shows the iOS device being with that user.

To check the device back in simply highlight the user on the Assign screen and choose Check In:

A really useful feature of Check In is that once the iOS device is checked back in, its configuration, based on the Profiles you have assigned to it, is restored, so if the user had made any changes to the iOS device these are removed.

Using Profile Manager to manage iOS devices


We have already seen how to configure Profile Manager on your Mac OS X Server, so you can now use it to create and manage Profiles. The management tool is a web application so can be accessed through a web browser on any computer that is connected to the same subnet as your OS X Server by navigating to:
https://<Server Host Name>/profilemanager
e.g. https://server.seminars.internal/profilemanager

Devices need to be available so they can be configured through Profile Manager. This can be achieved by using the User Self Service Portal to enrol the device. This is accessed through a web browser, either on the Mac or on an iOS device, by navigating to:
https://<Server Host Name>/mydevices
e.g. https://server.seminars.internal/mydevices

Here we hit a problem in a school environment with iOS devices: Enrolment is designed to be a self-service activity. For iOS devices, I would recommend that this is a task undertaken by the network support team at the point where the devices are initially configured. Once the initial configuration has been carried out, any changes to Profiles, and their payloads, will be pushed to the devices automatically.

In the Self-Service portal, a username and password must be entered in order to enrol the device. You might want to consider how you do this on your network. You may consider one of these as an option:
1. For iOS, create a username and password for each iOS device and log on as that user. In other words, each iOS device your school owns has its own user account (and this would work well where iOS devices are shared by classes).
2. Allow users to enrol the devices (this is probably the least recommended way of enrolling the iOS devices).
3. Use the Administrator's username and password to log on and enrol iOS devices.

Of course, if you have implemented a Magic Triangle then you can use a network username and password, so option one may not be needed. Once logged on from the device you want to enrol, the My Devices page is displayed, which has two tabs: Devices and Profiles. If the device hasn't been enrolled in Profile Manager then the Enroll [sic] button is displayed:


Before we enrol the device we must install the Trust Profile from our server if we are using a self-signed SSL certificate, (remember SSL Certificates issued by Certificate Authorities are trusted if iOS or OS X is aware of the Authority). In order for our device to trust Profiles delivered from Profile Manager, a Trust Profile should be installed. This is available from the Profile Manager page on the Profiles tab, and when the trust profile is selected, the following screen is displayed:

Once installed you will see that the Trust Profile has been installed and from this point onwards Profiles delivered from OS X Lion Server will be trusted by the iOS device and installed:


So far, we haven't enrolled our device; we have only configured the device to trust our OS X Server. The next step is to enrol it. If you are using an OS X device then you will be returned to the Self Service Portal in Safari where you can again press the Enroll [sic] button. Because our OS X Server is now trusted, we will be prompted to install the Device Enrolment Profile:

On an iOS device, pressing Install, Install Now and then Install on the warning screen will enrol the device in Profile Manager. Once enrolled, on the device we see this:


And in Profile Manager, we see our enrolled device:

Note: When attempting to install the Trust certificate or enrolment Profile you may see an error, "Server could not be contacted". If this is the case you should ensure that TCP port 1640 is mapped to cert-responder on your router.

Profile Manager holds lots of information about our iOS device; for example, we can see information about the device and what apps are installed on it:


If the school owns the devices then the network support team enrolling the devices would work fine, and we can install the Trust for the self-signed certificate and then the configuration profiles. However, you may support BYOD (Bring Your Own Devices) in your school. In which case, Profile Manager won't be aware of the device that it needs to configure, but we will know the user (because they have to authenticate in order to enrol their iOS device on to the network). In this example you might want to have a set of Configuration Profiles for personally-owned devices.

For BYOD a user must enrol their device. When they browse to the User Profile Portal through a web browser, and log on using their credentials, as we have already seen, they have the option to enrol the device:

Once enrolled, Profiles can be applied to configure the device:

Alternatively, an Enrolment Profile can be placed somewhere on your network (or web site) which the users can download from their iOS device to enrol them on the network.

In the example above, we had the iOS device so could carry out the configuration. Another way to configure devices ready for enrolment is to create Placeholders in Profile Manager. A Placeholder allows you to create a record in Profile Manager for devices that you expect to enrol in the future. To add a Placeholder for a device:

1. In Profile Manager, choose Devices in the left-hand pane and, from the right-hand pane, click on the + button and choose Add Placeholder.

2. In the Add Device box, you can give the device a name and then enter the information that is unique to the device. This can be the:

- Serial Number: This can be found either on the device or in iTunes.

- UDID: This is the Unique Device Identifier and you can find this in iTunes when your device is connected. You cycle through the Serial Number and UDID by clicking on the information.

For iOS devices with mobile connectivity (iPhones, or iPad 3Gs) you can also identify them using the following:

- IMEI: This is the International Mobile Equipment Identity. You can find this out on your iPhone (or any other mobile phone) by entering *#06#.

- MEID: This is the Mobile Equipment Identifier and can be found (if available) on the iPhone or iPad 3G box.

Once the Device Placeholder has been added it appears in Profile Manager.
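A mistyped identifier produces a Placeholder that never matches the real device, so it is worth checking an inventory list before the Placeholders are typed in. The following is an added example, not part of the original paper or of Profile Manager: it checks the shape of each identifier, verifies the IMEI check digit and flags duplicates. The function names, device names and sample identifiers are constructed, and the 11 or 12 character serial number length is an assumption.

```python
import re

# Expected shapes for the identifiers a Placeholder can use.
# The serial number length (11 or 12 characters) is an assumption for this example.
PATTERNS = {
    "serial": re.compile(r"[A-Z0-9]{11,12}"),
    "udid": re.compile(r"[0-9A-F]{40}"),   # 40 hexadecimal characters
    "imei": re.compile(r"[0-9]{15}"),      # 15 digits, the last is a check digit
    "meid": re.compile(r"[0-9A-F]{14}"),   # 14 hexadecimal characters
}

# Constructed sample inventory: (device name, identifier type, value as typed).
INVENTORY = [
    ("iPad-Room12-01", "udid", "0123456789abcdef0123456789abcdef01234567"),
    ("iPad-Room12-02", "udid", "0123456789abcdef0123456789abcdef0123456"),  # 39 chars
    ("iPhone-Office", "imei", "49-015420-323751-8"),
    ("iPhone-Trip", "imei", "490154203237581"),   # last two digits swapped
    ("iMac-Lab-01", "serial", "C02ABCDEFGH1"),
    ("iMac-Lab-02", "serial", "c02abcdefgh1"),    # same serial typed twice
]

def luhn_ok(digits):
    """True if the digit string passes the Luhn check used for the IMEI check digit."""
    total = 0
    for position, char in enumerate(reversed(digits)):
        digit = int(char)
        if position % 2 == 1:   # double every second digit from the right
            digit = digit * 2 - 9 if digit > 4 else digit * 2
        total += digit
    return total % 10 == 0

def check_inventory(rows):
    """Split (name, kind, value) rows into accepted placeholders and rejections."""
    accepted, rejected, seen = [], [], {}
    for name, kind, raw in rows:
        cleaned = re.sub(r"[\s-]", "", raw)   # drop spaces and dashes
        value = cleaned.upper()               # fold case for matching only
        pattern = PATTERNS.get(kind)
        if pattern is None:
            rejected.append((name, "unknown identifier type"))
        elif not pattern.fullmatch(value):
            rejected.append((name, "wrong length or characters"))
        elif kind == "imei" and not luhn_ok(value):
            rejected.append((name, "IMEI check digit mismatch"))
        elif (kind, value) in seen:
            rejected.append((name, "duplicate of " + seen[(kind, value)]))
        else:
            seen[(kind, value)] = name
            accepted.append((name, kind, cleaned))
    return accepted, rejected

if __name__ == "__main__":
    ok, bad = check_inventory(INVENTORY)
    for name, kind, value in ok:
        print("add placeholder:", name, kind, value)
    for name, reason in bad:
        print("fix before adding:", name, "-", reason)
```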

Organising devices
Whether the device is enrolled in Profile Manager, or we have created Placeholders, once they appear in Profile Manager we can organise them into groups. This makes it easier (just like NTFS Security Groups in Windows) to deploy Profiles to groups of iOS devices. To create a Device Group:

1. In Profile Manager, click Device Groups in the left-hand pane and click the + button at the bottom of the left-hand pane. A New Device Group will be created which you can provide a meaningful name for.

2. In the middle pane, click on the + button at the bottom of this pane and click the Add button next to the enrolled devices you want to be a member of this Device Group. (You can also click the Add All button if you want all of the devices in this Device Group to save time).

Note: Devices can be members of multiple Device Groups and, if this is the case, will have multiple Profiles delivered to them.

3. Once you have selected them, click Done and you will see the devices listed in the Device Group.


What do we apply Profiles to on iOS devices?


The closest things we've probably ever used which are similar in concept to Profiles are Group Policy Objects on a Windows network. Group Policy Objects can be applied to users and computers on Windows-based networks in a couple of different ways: either by applying them to an Organisational Unit in Active Directory, or by using Group Filtering (setting NTFS permissions on the Group Policy Object so it is only applied to a member of a security group). This is very similar to Profiles in Profile Manager: these are applied to configure Devices, Users, Device Groups or User Groups (simply called Groups in Profile Manager). Just like when using Group Filtering to apply Group Policy Objects on a Windows network, you need to plan what you are going to apply Profiles to: individual users or devices, or groups of users and devices.

Note: You can't have a mixed group containing users and devices.

I would suggest you apply Profiles to Groups as opposed to individuals. This would be particularly useful if you have student and teacher devices and want to apply different policies to each group. As we have seen, it is possible to deliver configuration Profiles to users or devices. When we are configuring Profiles for school-owned devices we would deliver configuration settings to the devices, as we can never be sure which user would be using the iOS device. In fact, it's almost impossible to find that information out when the iOS device is in use, as Profile Manager records the user information of the individual who enrolled the device.

Configuring Payloads
A Profile contains Payloads; these are what we use to configure our devices. In Profile Manager we can configure Profiles (and the Payloads within them) on Devices, Device Groups, Users and (User) Groups. Where you apply Profiles and Payloads will take some planning, just like if you've ever created your own Group Policy Objects. iOS devices are likely to be shared, so it is likely you will apply Profiles to devices (or Device Groups). When we select a Device or a Device Group we see four tabs of information about it. It's on the Profile tab that we configure the Payloads, and when we select the Profile tab we can edit the Payload.

Payload settings are broken down into categories, which we can view down the left-hand pane. To edit one we click on the Configure button:


I'm not going to list all of the settings you can configure within a Payload; however, there are lots of settings that are relevant to schools, including:

- Configure email settings for the device (ActiveSync for Exchange, or POP and IMAP accounts).
- Configure network settings for wireless and proxy access.
- Allow use of camera (and FaceTime).
- Allow installing apps.
- Allow In-App Purchase.
- Allow adding Game Center friends.
- Allow Siri (for applicable devices).
- Restricting iOS apps such as YouTube and the iTunes Music Store.
- Setting Region ratings for iTunes content.
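Behind the Profile Manager screens, these settings are keys in a Restrictions payload inside a configuration profile, which is a property list. The following is an added example, not part of the original paper or of Profile Manager: it builds such a profile with Python's plistlib and audits a profile for settings that have been left out or relaxed. The payload type and the allow... keys are Apple's Restrictions payload keys; the student policy, the identifier and the display name are assumptions for illustration.

```python
import plistlib
import uuid

RESTRICTIONS_TYPE = "com.apple.applicationaccess"  # Restrictions payload type

# Example policy for shared student devices (an assumption for this example,
# mirroring the settings listed above). Keys are Restrictions payload keys.
STUDENT_POLICY = {
    "allowCamera": False,                   # camera
    "allowVideoConferencing": False,        # FaceTime
    "allowAppInstallation": False,          # installing apps
    "allowInAppPurchases": False,           # In-App Purchase
    "allowAddingGameCenterFriends": False,  # Game Center friends
    "allowAssistant": False,                # Siri
    "allowYouTube": False,                  # YouTube app
    "allowiTunes": False,                   # iTunes Music Store
    "ratingRegion": "gb",                   # region for content ratings
}

def build_restrictions_profile(policy, identifier, display_name):
    """Return a configuration profile (XML plist bytes) with one Restrictions payload."""
    payload = {
        "PayloadType": RESTRICTIONS_TYPE,
        "PayloadIdentifier": identifier + ".restrictions",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Restrictions",
    }
    payload.update(policy)
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": display_name,
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)

def audit_profile(data, policy):
    """List (key, required, actual) for each policy key the profile omits or weakens."""
    settings = {}
    for payload in plistlib.loads(data).get("PayloadContent", []):
        if payload.get("PayloadType") == RESTRICTIONS_TYPE:
            settings.update(payload)
    # actual is None when the key is absent, i.e. the restriction is not enforced
    return [(key, required, settings.get(key))
            for key, required in policy.items()
            if settings.get(key) != required]

def demo():
    """Audit a compliant profile and a constructed, weakened copy of it."""
    compliant = build_restrictions_profile(
        STUDENT_POLICY, "internal.seminars.students", "Student iPads")  # constructed names
    weakened = plistlib.loads(compliant)
    restrictions = weakened["PayloadContent"][0]
    restrictions["allowAppInstallation"] = True   # someone re-enabled app installs
    del restrictions["allowInAppPurchases"]       # setting dropped from the payload
    return audit_profile(compliant, STUDENT_POLICY), audit_profile(
        plistlib.dumps(weakened), STUDENT_POLICY)

if __name__ == "__main__":
    for label, findings in zip(("compliant", "weakened"), demo()):
        print(label, findings or "meets policy")
```

A signed profile is wrapped in a CMS envelope and has to be unwrapped before plistlib can read it.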


Once you have configured the Payload, pressing OK will save the Profile and, if the device is already enrolled in Profile Manager, push the Profile to the devices.

You can at any time look at the Active and Completed Tasks in Profile Manager by choosing the relevant option in the left-hand pane:

If the device whose Profile you have changed has Internet access, either in or out of school, it will still receive the new or updated Profile because, when Profile Manager was initially configured, we set up an Apple Push Notification Certificate. With this certificate (and your OS X Server having exposure to the Internet), a notification will be sent to the devices through Apple's servers which instructs the device to "call home" and have the Profile applied to it. This would work if the iOS device was on a wireless network at home or, if it had 3G connectivity, over the mobile phone network.


Managing Mac computers using Profile Manager


We've seen how we can manage iOS devices using Profile Manager, and we use this same tool to manage Apple Mac computers in our school. Just like iOS devices, Apple Mac computers should be enrolled in Profile Manager before we can deploy Profiles to iMac, MacBook Air, MacBook Pro or Mac Pro computers. Earlier we looked at Binding. Apple Mac computers don't need to be bound to a directory service in order to deliver profiles to them; they simply need to be enrolled. This is useful because it can deliver settings to Apple Macs that don't belong to the school in order to configure access to resources on your network, such as Proxy Server settings to gain access to the Internet.

Enrolling Mac computers


Just like with iOS devices, we need to enrol Mac computers in order to use Profile Manager, and we do it in exactly the same way by browsing to the User Self Service Portal and enrolling the device:

When enrolling Mac computers you will be prompted to install the Device Enrollment [sic] Profile:

And:

You should Install and/or Continue if prompted. Once these have been installed, a new System Preference is added called Profiles which allows you to see which Profiles are installed on the Mac:

Once the Mac is enrolled we will see it in Profile Manager and can manage it. Remember that if we want to configure the Mac prior to enrolment then a Placeholder can be created, using the Mac's serial number as the identifier.

Once enrolled, we see the Mac in Profile Manager, just like we did with iOS devices:

We can now start to configure profiles and payloads for the Mac. This probably deserves more planning than with iOS devices because we can target Payloads at users and computers just like we would with Group Policy Objects on a Windows network. If you are familiar with planning Group Policy Objects for Windows networks you can apply the same skills to planning Profiles and Payloads for Mac computers. Configuring the Payloads is exactly the same as for iOS devices. In the Profile you browse to the relevant category and configure the settings as you want them to be applied on the Mac, (or the user on the Mac). For example, if you wanted to configure the Dock on a Mac for all users then you would browse to the Dock category and make the relevant settings, for example:


On clicking OK the Payload settings are added to the Profile and when this is saved they will be pushed to the Mac:

When the Mac is logged out and then logged back in again the payloads in the Profile will be applied, like in my Dock Payload below:

Because the settings for the Dock, in my example, are now being applied through a Profile and its Payload, the user can't change these settings and when we examine the Dock Preferences on the Mac, they are locked out:


In Profile Manager we can confirm that the settings from the Profile have been applied by looking in Completed Tasks. Another benefit of having enrolled iOS devices and Apple Mac in Profile Manager is that we can remotely lock or wipe them if they go missing. Remember though that if we have configured our iOS devices with iCloud and installed the Find my iPhone app then we can also do this via the iCloud website which allows us to at least attempt to locate them. Through Profile Manager, we can click on the Actions button, (the one that looks like a gear), and choose to Remote Lock or Wipe a selected device. If we choose to Remote Lock it then we can define a six-digit code which is sent to the device and locks it.

This passcode is the only way to unlock a Mac or iOS device and will persist even if the device is restarted. The passcode is held in non-volatile RAM on the device, hence its persistence. This isn't infallible on Mac computers, however, as they can be restarted with an OS X Operating System DVD (e.g. OS X Snow Leopard) and, in the Terminal prompt, entering:

nvram -c

This will clear the non-volatile RAM and consequently the passcode. Looking at the Activity of the device in Profile Manager will confirm that the Lock (and other Profile settings) have been sent to the device.

Third party solutions


As well as the solution provided by Apple there are many third party solutions that allow you to manage iOS devices and Mac computers. Some of these integrate into Active Directory while others are cloud based. We are currently examining whether there are other third party solutions available that provide functionality over and above what OS X provides.

Further reading and help


Managing Apple devices does have some similarity to what we are used to doing with a Windows network; however, there is still a lot to learn! When I was researching for this session and writing this paper I found some invaluable resources to help me that I strongly recommend you look at.

The first one is Apple's website and, more specifically, their Profile Manager documentation. This can be found here:
http://help.apple.com/profilemanager/mac/10.7/#apd0E2214C6-50F048C9-A482-74CEA1D77A9F

Fraser Speirs has become an expert in the field of deploying iPad in education, as he has carried out a project to issue all teachers and students within his school an iPad. He has a website but I found his blog the most useful. You can find that here:
http://speirs.org/blog/tag/theipadproject

I also used a book, OS X Lion Server Essentials. This book is used for the Apple Training Course Lion 201 OS X Server Essentials and can be purchased as either a Kindle eBook or a physical book from Amazon (bizarrely, in the UK this cannot be purchased through iTunes or the iBook store!):
http://www.amazon.co.uk/Apple-Pro-Training-EssentialsSupporting/dp/0321775082

If you would like classroom-based training then we can offer the full range of Apple Certified Training Courses. These can be viewed on our website:
http://www.rm.com/shops/rmshop/Product.aspx?cref=PD1537075&rguid=0cf870ff-ddac-47bd-858a-d951d1ad0d3d

We can also offer a range of installation and support services for your Apple devices. This information can be found on the RM website.

Summary
We know Apple Mac computers are becoming more popular in schools, but we are now seeing iOS devices (iPod touch and iPad) being used in schools. From the network support team's point of view this can seem like a headache because these devices may initially seem hard to track, configure and manage. In this session we have looked at all of these nightmares and I hope you agree it isn't as bad as you may first have thought.

OS X Lion Server includes Profile Manager, which allows you to create Profiles and Payloads that can configure Macs and iOS devices. This isn't the only thing to consider though. The whole workflow, from unpacking a device to issuing it to a user or a class, needs to be planned out. That way your devices can be configured correctly, for what they're being used for, straight away. Setting up a master iTunes account allows you to synchronise your iOS devices from one account, meaning apps can be deployed and licensing issues can be covered by Gifting apps to iTunes accounts you have created for your devices. How you keep iOS devices up to date with software and app updates needs to be planned, and I have given you several possible options here.

Before issuing iOS and Apple Mac computers you can enrol them into Profile Manager so that any Profiles and Payloads you deploy will be automatically applied. When creating Profiles you have to plan which settings you want deployed to users and which to devices. This is more problematic with iOS devices because they will typically be shared, so it's likely settings will be deployed to the devices themselves, whereas with Macs it's likely to be a mixture of user and computer Profiles you will be deploying.

Apple, the Apple logo, AirPlay, Apple TV, FaceTime, GarageBand, iBooks, iLife, iMac, iMovie, iPad, iPhoto, iPod touch, iTunes, Air, MacBook Pro, MagSafe, Safari, Siri are all trade marks of Apple Corporation in the US and other countries.
