The ADM Schools have a snow day today – or, more correctly, a “cold day” – which has given me a chance to get caught up on some things that tend to get lost in the shuffle, like updating the technology blog.
I’ve been meaning to publish this post for awhile. We’re in the midst of a project with a goal of updating all of our district-owned iPads to the current version of iOS. In addition, we’ll be enrolling each device in Meraki Systems Manager – a free mobile device management solution provided by Cisco – and enabling device supervision. Supervision, it should be pointed out, isn’t as big brotheresque as it probably sounds; it’s simply Apple’s term for a setting that expands remote management capabilities in iOS.
The district owns over 400 iPads, so updating and applying the settings manually, one-by-one is not an option. As such, we’re making use of a few different tools, Apple Configurator, Apple’s Device Enrollment Program (DEP), and Meraki’s DEP integration.
Why three tools, you ask? In an ideal world, we’d pick one solution (the DEP) that doesn’t require much in the way of manual interaction with the devices and roll with it. In practice, we’ve found that – for our purposes, at least – each tool has some key limitations. I hope that this guide to the processes, strengths, and limitations of each approach – along with an articulation of the approach we’ve settled on – will be useful to some other school and enterprise IT departments who are faced with a similar challenge.
I’ll start with Apple Configurator. Basically, this tool works as follows:
- Connect an iPad (or multiple iPads via a hub, like this one) to a Mac with Apple Configurator installed
- Configure your preparation settings in configurator: management profiles, MDM enrollment, iOS updates, supervision (if applicable), app installations, configuration payloads, device naming scheme, bypass setup prompts
- Click “Prepare” to launch the preparation process on all connected devices
It’s worth noting that this process is far better than when I started using Configurator a few years ago. For one, the ability to bypass setup prompts (like enabling location, submitting usage data to Apple, etc.) saves about 12 taps and one minute per iPad. Additional management options, a more streamlined app deployment interface, ability to set the device to display the device name on the lock screen, and automatic MDM enrollment with an enrollment URL are all huge improvements.
That said, there are some key drawbacks to Configurator:
- Devices must still be physically connected to a computer: this is onerous when managing hundreds or thousands of devices
- Errors are common, and are not handled gracefully: we ran into trust-setting errors with some iPads that hadn’t been factory reset, which resulted in the entire process needing to be commenced again (rather than just fixing the issue and reconnecting the iPad). Further, we ran into NSURL errors when using automatic MDM enrollment anytime we had more than three or so devices connected; this would only affect a minority of devices in a batch, but again, the entire process would need to be run again. If supervision is on, the prepare process always erases the iPad, which means that a single error results in having to complete the lengthy iOS installation process again.
- If the process gets interrupted (and occasionally even if it doesn’t), the device needs to be restored individually with iTunes before it can be reimaged with Configurator
- Due to the errors (especially with supervision on), processing is very slow: While the preparation process takes about 15 minutes per batch, so we might do simple math like 480 iPads, 12 at a time, should take about 13.5 hours (with setup) ((480/12)*20)to complete, in reality our processing times were much, much longer. Completing one 25-unit iPad cart deployment was taking us an average of about 2 hours.
Let’s move on to DEP and Meraki. The concept of DEP is pretty brilliant, and works like this:
- Purchase iOS device from Apple
- Sign up for a DEP account
- Submit your device serial number to Apple; this can even be done by just entering your order number and every device that was part of that order is automatically assigned to your DEP account
- Link the DEP account to your mobile device management (MDM) system and assign a profile in your MDM
- Either turn on the iPad for the first time, or do a factory reset and turn the device on
- Connect to a wireless network
- The iPad will launch an activation process, at which point it discovers that it’s serial is associated with a DEP account
- The iPad automatically grabs the configuration profile from Meraki, installs all relevant profiles and certificates, enables supervision (if applicable), and you’re done
This is a really painless way to set up a large number of iPads and enroll them with the management server. The only real user interaction in the above steps is entering a wireless password (unless it’s an open network) and tapping the screen a few times. Unfortunately, we found that there were a number of key limitations in our environment:
- Naming: We use device names in our environment, and they make assigning tags (equivalent to groups) and deploying apps via Meraki Systems Manager (MSM) far easier. Generally, our names are things like HS 1 iPad Cart 16 or CO Kurth iPad, and give us key assignment details. After enrolling an iPad with DEP, it’s name is just “iPad”. We can rename it in Meraki, but there is no mechanism for bulk renaming, so we’d need to rename each device one-by-one. Further, if we enroll devices in bulk via DEP, we’re left with a bunch of devices called “iPad” and tagged as “recently-added” in Meraki, and have to resort to serial numbers in order to assign specific names to specific devices.
- Lock Screen Name: As previously mentioned, Configurator allows you to configure devices to automatically display the device name on the lock screen. This functionality is not present via DEP/Meraki.
- Out-of-Date iOS: This wouldn’t likely be an issue with brand new iPads, but since our project is dealing with devices that, in some cases, are several years old, this became a big issue for us. Whereas Configurator automatically updates to the newest version of iOS, DEP/Meraki have no mechanism by which this can be accomplished. We’re left with manual updates, which are a huge strain on the network and take forever when done en masse, since the supervised devices cannot have their iOS version retroactively updated using Configurator.
In an attempt to streamline the process and sort of get the best of both worlds, we developed a process that involves both Configurator and DEP, and works as follows:
1. Start by doing a factory reset on all devices that you’ll be imaging: this process only takes a minute or two and you’ll have to erase the devices anyway in order to supervise. This has helped us avoid errors in the Configurator process.
2. This is a good time to verify that all of your serials are enrolled with your DEP account
3. Set Configurator settings (see screenshots below for our settings): Note that we include the Meraki Systems Manager app as a deployed-from-Configurator app; this is as a backup in the event that DEP automatic enrollment fails or doesn’t occur.
4. Prepare the iPad(s)
5. Swipe to get past the welcome screen, and the DEP configuration prompt should appear after device activation: you may need to connect manually to wireless prior to this step if your Configurator profile doesn’t apply properly
- We’ve had almost no errors, due to not pushing the MDM configuration through Configurator and doing a factory reset prior to beginning the process
- Very little interaction is required on the part of the technician
- We get automatic naming, name showing on lock screen, automatic MDM enrollment (via DEP), bypassed configuration pages, and automatic wireless configuration
- The process reliably takes about 15 minutes per batch
- Even if DEP enrollment doesn’t occur (rare), we can use the Meraki app that was installed by Configurator to enroll very quickly (by entering our account code or by scanning a QR code)
I hope that this guide has been helpful! If we come up with any ways to increase the efficiency of the process, I’ll update this post to reflect those changes.