Citrix Endpoint Management

Integrate with Apple Education features

You can use Endpoint Management as your mobile device management (MDM) solution in an environment that uses Apple Education. Endpoint Management support includes Apple School Manager (ASM) and Classroom app for iPad. The Endpoint Management Education Configuration device policy configures instructor and student devices for use with Apple Education.

You provide preconfigured and supervised iPads to instructors and students. That configuration includes ASM enrollment in Endpoint Management, a Managed Apple ID account configured with a new password, and required volume purchase apps and iBooks.

For more information about Apple Education features, see the Apple Education site and the Apple Education Deployment Guide from the same site.

Apple School Manager

Follow these general steps to integrate Endpoint Manager with ASM.

  1. Create an account for your institution in ASM to enroll your institution in ASM.
  2. Configure an Education volume purchase account for Apple School Manager.
  3. Add passwords for Apple School Manager users.
  4. Plan and add resources and delivery groups to Endpoint Management.
  5. Test instructor and student device enrollments.
  6. Provide the preconfigured devices to instructors and students.
  7. Manage instructor, student, and class data
  8. If a device is lost or stolen, you can lock and locate the device.

For information on enrolling in ASM and connecting your account to Endpoint Management, see Deploy devices through the Apple Deployment Program.

Prerequisites

  • Citrix Gateway

  • Enrollment profile configured for MDM+MAM.

  • Apple iPad 3rd generation (minimum version) or iPad Mini, with iOS 9.3 (minimum version)

Note:

Endpoint Management doesn’t validate ASM user accounts against LDAP or Active Directory. However, you can connect Endpoint Management to LDAP or Active Directory for management of users and devices not related to ASM instructors or students. For example, you can use Active Directory to provide Secure Mail and Secure Web to other ASM members, such as IT administrators and managers.

Because ASM instructors and students are local users, there is no need to deploy Citrix Secure Hub to their devices.

MAM enrollment that includes Citrix Gateway authentication doesn’t support local users (only Active Directory users). Therefore, Endpoint Management deploys only required volume purchase apps and iBooks to instructor and student devices.

Classroom app for iPad

The Classroom app for iPad enables instructors to connect to and manage student devices. You can view device screens, open apps on iPads, share and open web links, and present a student screen on Apple TV.

Classroom is free in the App Store. You upload the app to the Endpoint Management console. You then use the Education Configuration device policy to configure the Classroom app, which you deploy to instructor devices.

For more information on how to deploy the Classroom app, see Distribute Apple apps.

For more information on Classroom app requirements, setup, and features, see the Classroom user guide on the Apple support site.

Add passwords for Apple School Manager users

After you add an ASM account, Endpoint Management imports classes and users from ASM. Endpoint Management treats classes as local groups and uses the term “group” in the console. If a class has a group name in ASM, Endpoint Management assigns the group name to the class. Otherwise, Endpoint Management uses the source system ID for the group name. Endpoint Management doesn’t use the course name for the class name because course names in ASM aren’t unique.

Endpoint Management uses the Managed Apple IDs to create local users with the user type ASM. The users are local because ASM creates the credentials independently of all external data sources. As a result, Endpoint Management doesn’t use a directory server to authenticate these new users.

ASM doesn’t send temporary user passwords to Endpoint Management. You can import them from a CSV file or add them manually. To import temporary user passwords:

  1. Obtain the CSV file generated by ASM when creating the Managed Apple ID temporary passwords.

  2. Edit the CSV file, replacing the temporary passwords with new passwords that users provide to enroll to Endpoint Management. There is no constraint on the password type for this purpose.

    The format of an entry in the CSV file is as follows: user@appleid.citrix.com,Firstname,Middle,Lastname,Password123!

    Where:

    User: user@appleid.citrix.com

    First name: Firstname

    Middle name: Middle

    Last name: Lastname

    Password: Password123!

  3. In the Endpoint Management console, click Manage > Users. The Users page appears.

    The following Manage > Users screen sample shows a list of users imported from ASM. In the Users list:

    • User name shows the managed Apple ID.

    • User type is ASM, to indicate the account originated from ASM.

    • Groups show the classes.

    Users screen

  4. Click Import Local Users. The Import Provisioning File dialog box appears.

  5. For Format, choose ASM user, navigate to the CSV file you prepared in step 2, and then click Import.

    Users screen

  6. To view the properties for a local user, select the user and then click Edit.

    Users screen

    In addition to the name properties, these ASM properties are available:

    • ASM data source: The data source of the class, such as CSV or SFTP.
    • ASM managed Apple ID: A Managed Apple ID might include your institution name and appleid. For example, the ID might resemble johnappleseed@appleid.myschool.edu. Endpoint Management requires a Managed Apple ID for authentication.
    • ASM org name: The name you gave the account in Endpoint Management.
    • ASM passcode type: Password policy of the person: complex (a non-student password of eight or more numbers and letters), four (digits), or six (digits).
    • ASM person unique ID: Identifier for the user.
    • ASM person status: Specifies whether the Managed Apple ID is Active or Inactive. This status becomes active after the user provides their new password for the Managed Apple ID account.
    • ASM person title: Either Instructor, Student or Other.
    • ASM person unique ID: Unique identifier for the user.
    • ASM source system ID: Identifier for the system source.
    • ASM student grade: Student grade information (not used by instructors).

Plan and add resources and delivery groups to Endpoint Management

A delivery group specifies the resources to deploy to categories of users. For example, you might create one delivery group for instructors and students. Alternatively, you might create multiple delivery groups so you can customize the apps, media, and policies sent to various instructors or students. You might create one or more delivery groups per class. You can also create one or more delivery groups for managers (other staff in your educational institution).

Resources that you deploy to user devices include device policies, volume purchase apps, and iBooks.

  • Device policies:

    If instructors use the Classroom app, the Education Configuration device policy is required. Be sure to review other device policies to determine how you want to configure and restrict instructor and student iPads.

  • Volume purchase apps:

    Endpoint Management requires that you deploy volume purchase apps as required apps for education users. Endpoint Management doesn’t support deploying such volume purchase apps as optional.

    If you use the Apple Classroom app, deploy it only to instructor devices.

    Deploy any other apps that you want to provide to instructors or students. This solution doesn’t use Citrix Secure Hub app, so there’s no need to deploy it to instructors or students.

  • Volume purchase iBooks:

    After Endpoint Management connects to your ASM account, your purchased iBooks appear in the Endpoint Management console, in Configure > Media. The iBooks listed on that page are available to add to delivery groups. Endpoint Management supports adding iBooks as required media only.

After you plan the resources and delivery groups for instructors and students, you can create those items in the Endpoint Management console.

  1. Create any device policies that you want to deploy to instructor or student devices. For information about the Education Configuration device policy, see Education Configuration device policy.

    Education Configuration policy screen

    For information about device policies, see Device policies and the individual policy articles.

  2. Configure apps (Configure > Apps) and iBooks (Configure > Media):

    • By default, Endpoint Management assigns apps and iBooks at the user level. During first-time deployment, instructors and students receive a prompt to register to ASM. After accepting the invitation, users receive their ASM apps and iBooks at the next deployment (within six hours). Citrix recommends that you force the deployment of apps and iBooks to new ASM users. To do that, select the delivery group and click Deploy.

      You can choose to assign apps (but not iBooks) at the device level. To do that, change the setting Force license association to device to On. When you assign apps at the device level, users don’t receive an invitation to join the volume purchase program.

    Apps configuration screen

    • To deploy an app only to instructors, select a delivery group that includes only instructors or use the following deployment rule:

       Deploy this resource by ASM device type
       only
       Instructor
      

    Apps configuration screen

  3. Optional. Create actions based on ASM user properties. For example, you might create an action to send a notification to student devices when a new app installs. Alternatively, you can create an action that a user property triggers, as shown in the following example.

    Actions configuration screen

    To create an action, go to Configure > Actions. For information about configuring actions, see Automated actions.

  4. In Configure > Delivery Groups, create delivery groups for instructors and for students. Choose the classes that were imported from ASM. Also, create a deployment rule for instructors and students.

    For example, the following user assignments are for instructors. The deployment rule is:

    Limit by user property
    ASM person title
    is equal to
    Instructor
    

    Delivery Groups configuration screen

    The following user assignments are for students. The deployment rule is:

    Limit by user property
    ASM person title
    is equal to
    Student
    

    Delivery Groups configuration screen

    You can also filter a delivery group by using a deployment rule based on the ASM org name.

    Delivery Groups configuration screen

  5. Assign the resources to delivery groups. The following example shows an iBook contained in a delivery group.

    Delivery Groups configuration screen

    The following example shows the confirmation dialog that appears when you select a delivery group and click Deploy.

    Delivery Groups configuration screen

    For more information, see “To edit a delivery group” and “To deploy to delivery groups” in Deploy resources.

Test instructor and student device enrollments

You can enroll devices through either of the following methods:

  • A school administrator can enroll instructor and student devices by using the user password you can set in the Endpoint Management console. As a result, you can provide users with devices that are already set up with apps and media.

  • When users receive the devices, they enroll using the user password that you provide to them. After enrollment completes, Endpoint Management sends device policies, apps, and media to the devices.

To test enrollment, use Apple Deployment Program devices that are linked to ASM.

  1. If the devices aren’t linked to ASM, erase the device contents and settings by performing a hard reset.

  2. Enroll an ASM device with an instructor. Then, enroll an ASM device with a student.

  3. In the Manage > Devices page, check that both ASM devices are enrolled in MDM only.

    You can filter the Devices page by the ASM device status: ASM registered, ASM shared, Instructor, and Student.

    Devices configuration screen

  4. To verify that MDM resources deployed correctly for each device: Select the device, click Edit, and check the various pages.

    Devices configuration screen

Distribute devices

Apple recommends that you host an event so you can distribute devices to instructors and students.

If you don’t distribute pre-enrolled devices, also provide the following to these users:

  • Endpoint Management passwords for enrollment

  • ASM temporary passwords for Managed Apple IDs.

The first-time user experience is as follows.

  1. The first time that a user starts their device after a hard-reset, Endpoint Management prompts them in the enrollment screen to enroll their device.

  2. The user provides their Managed Apple ID and Endpoint Management password used to authenticate to Endpoint Management.

  3. In the Apple ID setup step, the device prompts the user to provide their Managed Apple ID and ASM temporary password. Those items authenticate the user to Apple services.

  4. The device prompts the user to create a password for their Managed Apple ID, used to protect their data in iCloud.

  5. At the end of the Setup Assistant, Endpoint Management starts installing the policies, apps, and media to the device. For apps and iBooks assigned at the user level, the assistant prompts instructors and students to register to volume purchase. After accepting the invitation, users receive their volume purchase apps and iBooks at the next deployment (within six hours).

Manage instructor, student, and class data

When managing instructor, student, and class data, note the following:

  • Don’t change Managed Apple IDs after you import ASM information into Endpoint Management. Endpoint Management also uses ASM user identifiers to identify users.

  • If you add or change class data in ASM after you create one or more Education Configuration device policies: Edit the policies and then redeploy them.

  • If the instructor for a class changes after you deploy the Education Configuration device policy: Review the policy to ensure it updates in the Endpoint Management console and then redeploy the policy.

  • If you update user properties in the ASM portal, Endpoint Management also updates those properties in the console. However, Endpoint Management doesn’t receive the ASM person title property (Instructor, Student, or Other) in the same way it receives other properties. Thus, if you change the ASM person title in ASM, complete the following steps to reflect that change in Endpoint Management.

To manage the data:

  1. In the ASM portal, update the student grade and clear the instructor grade.

  2. If you changed a student account to an instructor account, remove the user from the list of students in the class. Then, add the user to the list of instructors in the same or another class.

    If you changed an instructor account to a student account, remove the user from the class. Then, add the user to the list of students in the same or another class. Your updates appear in the Endpoint Management console during the next sync (every five minutes by default) or fetch (every 24 hours by default).

  3. Edit the Education Configuration device policy to apply the change and redeploy it.

    • If you delete a user from the ASM portal, Endpoint Management also deletes that user from the Endpoint Management console after a fetch.

      You can reduce the interval between two baselines by changing this server property value: bulk.enrollment.fetchRosterInfoDelay (default is 1440 minutes).

    • After you deploy resources: If a student joins a class, create a delivery group with just that student and deploy the resources to the student.

    • If a student or instructor loses their temporary password, have them contact the ASM administrator. The administrator can provide the temporary password or generate a new one.

Manage a lost or stolen device

The Apple Find My iPhone/iPad service includes an Activation Lock feature. Activation Lock prevents non-authorized users from using or reselling a lost or stolen device that’s enrolled in Apple Deployment Program.

Endpoint Management includes an ASM Activation Lock security action that enables you to send a lock code to an ASM Apple Deployment Program enrolled device.

When you use the ASM Activation Lock security action, Endpoint Management can locate devices without requiring users to enable the Find My iPhone/iPad service. When an ASM device is hard-reset or fully wiped, the user provides their Managed Apple ID and password to unlock the device.

To release the lock from the console, click the security action Activation Lock Bypass. For information about bypassing an activation lock, see Bypass an iOS activation lock. The user also can leave the login blank and type the ASM activation lock bypass code as the password. That information is available in Device Details, on the Properties tab.

To set the activation lock, go to Manage > Devices, select the device, click Security, and then click ASM Activation Lock.

Devices configuration screen

The properties ASM escrow key and ASM activation lock bypass code appear in Device details.

Devices configuration screen

The RBAC permission for an ASM Activation Lock is Devices > Enable ASM Bypass activation lock.

RBAC configuration screen