Integrate with Apple Education features

You can use Endpoint Management as your mobile device management (MDM) solution in an environment that uses Apple Education. Endpoint Management supports the Apple Education enhancements introduced in iOS 9.3, including Apple School Manager and Classroom app for iPad. The Endpoint Management Education Configuration device policy configures instructor and student devices for use with Apple Education.

You provide preconfigured and supervised iPads to instructors and students. That configuration includes Apple School Manager DEP enrollment in Endpoint Management, a Managed Apple ID account configured with a new password, and required VPP apps and iBooks.


Here are highlights of Endpoint Management support for Apple Education features.

Apple School Manager

Apple School Manager is a service that lets you set up, deploy, and manage iOS devices and macOS laptops used in educational institutions. Apple School Manager includes a web-based portal that lets IT administrators:

  • Assign DEP devices to different MDM servers.

  • Purchase VPP licenses for apps and iBooks.

  • Create Managed Apple IDs in bulk. These customized Apple IDs provide access to Apple services such as storing documents in iCloud Drive and enrolling in iTunes courses.

Apple School Manager is a type of Education DEP. Endpoint Management supports both Business DEP and Apple School Manager enrollment.

You can add multiple Apple School Manager DEP accounts to Endpoint Management. For example, this feature enables you to use different enrollment settings and Setup Assistant options by Education unit or department. You then associate DEP accounts with different device policies.

After you add an Apple School Manager DEP account to the Endpoint Management console, Endpoint Management retrieves class and roster information. During device setup, Endpoint Management:

  • Enrolls the devices.

  • Installs the resources you configured for deployment, such as device policies (Education Configuration, Home screen layout, and so on). Also installs both apps and iBooks purchased through VPP.

You then provide the preconfigured devices to instructors and students. If a device is lost or stolen, you can use the MDM Lost Mode feature to lock and locate the device.

Classroom app for iPad

The Classroom app for iPad enables instructors to connect to and manage student devices. You can view device screens, open apps on iPads, share and open web links, and present a student screen on Apple TV.

Classroom is free in the App Store. You upload the app to the Endpoint Management console. You then use the Education Configuration device policy to configure the Classroom app, which you deploy to instructor devices.

For more information about Apple Education features, see the Apple Education site and the Apple Education Deployment Guide.

Prerequisites

  • Citrix Gateway

  • Endpoint Management configured in MDM+MAM mode or MDM mode. If you already have Endpoint Management configured in MDM+MAM or MDM mode, you can use it with Apple School Manager.

  • Apple iPad 3rd generation (minimum version) or iPad Mini, with iOS 9.3 (minimum version)

Note:

Endpoint Management doesn’t validate Apple School Manager user accounts against LDAP or Active Directory. However, you can connect Endpoint Management to LDAP or Active Directory for management of users and devices not related to Apple School Manager instructors or students. For example, you can use Active Directory to provide Secure Mail and Secure Web to other Apple School Manager members, such as IT administrators and managers.

Because Apple School Manager instructors and students are local users, there is no need to deploy Citrix Secure Hub to their devices.

MAM enrollment that includes Citrix Gateway authentication doesn’t support local users (only Active Directory users). Therefore, Endpoint Management deploys only required VPP apps and iBooks to instructor and student devices.

Prerequisites for Shared iPads

  • Any iPad Pro, iPad 5th generation, iPad Air 2 or later, and iPad mini 4 or later
  • At least 32 GB of storage
  • Supervised

Configure Apple School Manager and Endpoint Management

After you purchase iPads from Apple or from Apple Authorized Resellers or carriers, follow the workflow in this section to set up your Apple School Manager account and devices. This workflow includes steps that you perform in the Apple School Manager portal and in the Endpoint Management console.

Follow these instructions to configure your integration for any iPads that you use in a one-to-one model (one iPad per student) or for instructor iPads (unshared). To configure Shared iPads, see Configure Shared iPads.

Step 1: Create your Apple School Manager account and complete the Setup Assistant

If you plan to upgrade from Apple Deployment Programs, see the Apple Support article, Prepare to upgrade to Apple School Manager. To create your Apple School Manager account, go to https://school.apple.com/ and follow the instructions to enroll. The first time that you log in to Apple School Manager, the Setup Assistant opens.

  • For information about Apple School Manager prerequisites, the Setup Assistant, and management tasks, see the Apple School Manager help.

  • When setting up Apple School Manager, use a domain name that differs from the domain name for Active Directory. For example, prefix the domain name for Apple School Manager with something like appleid.

  • When you connect Apple School Manager to your roster data, Apple School Manager creates Managed Apple IDs for instructors and students. Your roster data includes instructors, students, and classes. For information about adding roster data to Apple School Manager, see the articles under “Find staff, students and classes” in the Apple School Manager help.

  • You can customize the Managed Apple ID format for your institution, as described under “Managed Apple IDs” in the Apple School Manager help.

    Important:

    Don’t change Managed Apple IDs after you import Apple School Manager information into Endpoint Management.

  • If you purchased devices through resellers or carriers, link those devices to Apple School Manager. For information, see the articles under “Manage devices” in the Apple School Manager help.

Step 2: Configure Endpoint Management as the MDM Server for Apple School Manager and configure device assignments

The Apple School Manager portal includes an MDM Servers tab. You need the public key file from Endpoint Management to complete that setup.

  1. Download the public key for your Endpoint Management to your local computer: Log on to the Endpoint Management console and go to Settings > Apple Device Enrollment Program (DEP).

    Image of Apple DEP settings screen

  2. Under Download Public Key, click Download and then save the PEM file.

  3. In the Apple School Manager portal, click MDM Servers, and type a name for Endpoint Management. The server name that you type is for your reference and is not the server URL or name.

  4. Under Upload your Public Key, click Upload File.

    Image of Apple School Manager portal

  5. Upload the server key that you downloaded from Endpoint Management and then click Save.

  6. Generate a server token: Click Get Token and then download the server token file to your computer.

    Image of Apple School Manager portal

  7. Click Device Assignments, choose how you want to assign devices and then provide the information requested. For information, see “Manage devices” in the Apple School Manager help.

  8. Under Choose Action, in the Perform Action menu, click Assign to Server. Then, in the MDM Server menu, click the server to manage the devices and then click Done.

Step 3: Add the Apple School Manager account to Endpoint Management

  1. In the Endpoint Management console, go to Settings > Apple Device Enrollment Program (DEP) and under Add DEP Account, click Add.

    Image of Apple DEP settings screen

  2. In the Server Tokens page, click Upload and choose the server token (.p7m) file that you downloaded from the Apple School Manager portal. The token information appears.

    Image of Apple DEP settings screen

    Notes:

    • Organization ID is your customer ID for DEP.

    • Apple School Manager accounts have an Organization type of Education and an Organization version of v2.

  3. In the Account Info page, specify the following settings.

    Image of Apple DEP settings screen

    • DEP account name: A unique name for this DEP account. Use names that reflect how you organize DEP accounts, such as by country or organizational hierarchy.

    • Business/Education unit: The Education unit or department for device assignment. This field is required.

    • Unique service ID: An optional unique ID to help you further identify the account.

    • Support phone number: A support phone number that users may call for help during setup. This field is required.

    • Support email address: An optional support email address available to end users.

    • Education suffix: Flags the classes for a given Apple School Manager DEP account. (The VPP suffix flags apps and iBooks for a given VPP account.) The recommendation is to use the same suffix for both accounts, Apple School Manager DEP and Apple School Manager VPP.

  4. Click Next. In iOS Settings, specify the following settings.

    Image of Apple DEP settings screen

    • Enrollment settings

      • Require device enrollment: Require users to enroll their devices. Change this setting to No.

      • Require credentials for device enrollment: Require users to enter their credentials during DEP setup. For Apple School Manager integration with Endpoint Management, this setting is Yes by default and can’t be changed. Apple DEP requires credentials for device enrollment.

      • Wait for configuration to complete setup: Whether to require user devices to remain in Setup Assistant mode until all MDM resources deploy to the device. For Apple School Manager integration with Endpoint Management, this setting is No by default. According to Apple documentation, the following commands might not work while a device is in Setup Assistant mode:

        • InviteToProgram
        • InstallApplication
        • InstallMedia
        • ApplyRedemptionCode
    • Device settings

      • Supervised mode: Place iOS devices in supervised mode. Don’t change the default, Yes. For details on placing an iOS device in supervised mode, see To place an iOS device in Supervised mode by using the Apple Configurator.

      • Allow enrollment profile removal: For Apple School Manager integration, allow users to remove the enrollment profile from the device. Change this setting to Yes.

      • Allow device pairing: For Apple School Manager integration, allow device pairing so you can manage devices through iTunes and the Apple Configurator. Change this setting to Yes.

  5. In iOS Setup Assistant Options, select the iOS Setup Assistant steps to skip when users start their devices the first time. By default, the Setup Assistant includes all steps. Removing steps from the Setup Assistant simplifies the user experience.

    Important:

    Citrix strongly recommends that you include the Apple ID and Terms & Conditions steps. Those steps enable instructors and students to provide their new Managed Apple ID passwords and accept the required terms and conditions.

    Image of Apple DEP settings screen

    • Location services: Set up the location service on the device.

    • Touch ID: Set up Touch ID on iOS 8.0 and later devices.

    • Passcode lock: Create a passcode for the device.

    • Set up as New or Restore: Set up the device as new or from an iCloud or iTunes backup.

    • Move from Android: Enable transferring data from an Android device to an iOS 9 or later device. This option is available only when Set up as New or Restore is selected (that is, the step is skipped).

    • Apple ID: Set up an Apple ID account for the device. Citrix recommends that you select the check box to include this step.

    • Terms and conditions: Require users to accept terms and conditions for use of the device. Citrix recommends that you select the check box to include this step.

    • Apple Pay: Set up Apple Pay on iOS 8.0 and later devices.

    • Siri: Use or not use Siri on the device.

    • App analytics: Set up whether to share crash data and usage statistics with Apple.

    • Display zoom: Set up the display resolution (either standard or zoomed) on iOS 8.0 or later devices.

    • True Tone: Set up the True Tone Display on iOS 10.0 devices (minimum version).

    • Home Button: Set up the Home Button screen sensitivity on iOS 10.0 devices (minimum version).

  6. The DEP account appears on Settings > Apple Device Enrollment Program (DEP). To test connectivity between Endpoint Management and your Apple School Manager account, select the account and click Test Connectivity.

    Image of Apple DEP settings screen

    A status message appears.

    Image of Apple DEP settings screen

    After a few minutes, the user accounts from Apple School Manager appear on Manage > Users page. Endpoint Management creates local user accounts based on the imported Managed Apple ID for each user. In the following example, the domain name prefix of customized Apple IDs for user accounts is appleid.

    Image of Apple DEP settings screen

To find all users for a given Apple School Manager DEP account, type the account name in the user search filter.

Step 4: Configure an Education VPP account for Apple School Manager

In this section, you point Endpoint Management to the VPP account that you use to purchase VPP licenses for apps and iBooks.

  1. To configure an Education VPP account for Apple School Manager, follow the instructions in iOS Volume Purchase Program. The Add a VPP account screen requires that you supply a Company Token. Download your token directly from your Education VPP account at https://volume.itunes.apple.com/us/store and paste it into the Add a VPP account screen.

    Image of iOS settings screen

    Image of iOS settings screen

  2. Wait a few minutes for the VPP licenses to import into Endpoint Management.

Step 5: Add passwords for Apple School Manager users

After you add an Apple School Manager DEP account, Endpoint Management imports classes and users from Apple School Manager. Endpoint Management treats classes as local groups and uses the term “group” in the console. If a class has a group name in Apple School Manager, Endpoint Management assigns the group name to the class. Otherwise, Endpoint Management uses the source system ID for the group name. Endpoint Management doesn’t use the course name for the class name because course names in Apple School Manager aren’t unique.

Endpoint Management uses the Managed Apple IDs to create local users with the user type ASM. The users are local because Apple School Manager creates the credentials independently of all external data sources. As a result, Endpoint Management doesn’t use a directory server to authenticate these new users.

Apple School Manager doesn’t send temporary user passwords to Endpoint Management. You can import them from a CSV file or add them manually. To import temporary user passwords:

  1. Obtain the CSV file generated by Apple School Manager when creating the Managed Apple ID temporary passwords.

  2. Edit the CSV file, replacing the temporary passwords with new passwords that users provide to enroll in Endpoint Management. There is no constraint on the password type for this purpose.

    The format of an entry in the CSV file is as follows: elizabethabeles@appleid.citrix.com,Elizabeth,Anne,Abeles,Citrix123!

    Where:

    User: elizabethabeles@appleid.citrix.com

    First name: Elizabeth

    Middle name: Anne

    Last name: Abeles

    Password: Citrix123!

  3. In the Endpoint Management console, click Manage > Users. The Users page appears.

    The following Manage > Users screen sample shows a list of users imported from Apple School Manager. In the Users list:

    • User name shows the managed Apple ID.

    • User type is ASM, to indicate the account originated from Apple School Manager.

    • Groups show the classes.

    Image of Users screen

  4. Click Import Local Users. The Import Provisioning File dialog box appears.

  5. For Format, choose ASM user, navigate to the CSV file you prepared in step 2, and then click Import.

    Image of Users screen

  6. To view the properties for a local user, select the user and then click Edit.

    Image of Users screen

    In addition to the name properties, these Apple School Manager properties appear:

    • ASM DEP account: The name you gave the account in Endpoint Management.

    • ASM person title: Either Instructor, Student or Other.

    • ASM person unique ID: Unique identifier for the user.

    • ASM source system ID: An identifier configured by your organization for the user.

    • ASM person status: Specifies whether the Managed Apple ID is Active or Inactive. This status becomes active after the user provides their new password for the Managed Apple ID account.

    • ASM managed Apple ID: A Managed Apple ID might include your institution name and appleid. For example, the ID might resemble johnappleseed@appleid.myschool.edu. Endpoint Management requires a Managed Apple ID for authentication.

    • ASM student grade: Student grade information (not used by instructors).

    • ASM passcode type: Password policy of the person: complex (a non-student password of eight or more numbers and letters), four (digits), or six (digits).

    • ASM data source: The data source of the class, such as CSV or SFTP.
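
One way to carry out step 2 of the import procedure above without hand-editing, given here as an added example (not Citrix or Apple code). It assumes the five-field layout of the sample entry with no header row, replaces each temporary password with a distinct random enrollment password, and writes the result with owner-only permissions because the file holds plaintext credentials. The function names and the output file name are hypothetical.

```python
import csv
import io
import os
import secrets
import string

# Assumed layout, taken from the entry format shown in step 2:
# Managed Apple ID, first name, middle name, last name, password (no header row).
FIELDS = 5
ALPHABET = string.ascii_letters + string.digits


def new_password(length=12):
    """Return a random password containing a lowercase letter, an uppercase letter and a digit."""
    while True:
        pw = "".join(secrets.choice(ALPHABET) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw)):
            return pw


def rewrite_passwords(src_text, length=12):
    """Replace the password column of every valid row.

    Returns (rows, problems). rows are ready to write out; problems is a list
    of (line_number, reason) for rows that were rejected instead of imported.
    """
    rows, problems, seen = [], [], set()
    for lineno, row in enumerate(csv.reader(io.StringIO(src_text)), start=1):
        if not row or all(not cell.strip() for cell in row):
            continue  # skip blank lines
        if len(row) != FIELDS:
            problems.append((lineno, "expected %d fields, got %d" % (FIELDS, len(row))))
            continue
        apple_id = row[0].strip()
        local, _, domain = apple_id.partition("@")
        if not local or "." not in domain:
            problems.append((lineno, "first field is not a Managed Apple ID"))
            continue
        if apple_id.lower() in seen:
            problems.append((lineno, "duplicate Managed Apple ID"))
            continue
        seen.add(apple_id.lower())
        names = [cell.strip() for cell in row[1:4]]
        rows.append([apple_id] + names + [new_password(length)])
    return rows, problems


def write_import_file(rows, path):
    """Write the import file; mode 0o600 applies when the file is created."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
    with os.fdopen(fd, "w", newline="") as fh:
        csv.writer(fh).writerows(rows)


# Constructed sample input; the first line is the entry shown on this page.
SAMPLE = """\
elizabethabeles@appleid.citrix.com,Elizabeth,Anne,Abeles,Citrix123!
johnappleseed@appleid.myschool.edu,John,,Appleseed,Citrix123!
not-an-apple-id,Broken,,Row,Citrix123!
johnappleseed@appleid.myschool.edu,John,,Appleseed,Citrix123!
short,row
"""

if __name__ == "__main__":
    rows, problems = rewrite_passwords(SAMPLE)
    write_import_file(rows, "asm_users_import.csv")
    for lineno, reason in problems:
        print("line %d skipped: %s" % (lineno, reason))
    print("%d users written to asm_users_import.csv" % len(rows))
```

Delete the generated file once the import in step 5 succeeds and the passwords have been handed to users.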

Step 6: Optionally add photos of students

You can add a photo of each student. If the instructors use the Apple Classroom app, the photos appear in this app.

Recommended for photos:

  • Resolution: 256 x 256 pixels (512 x 512 pixels on a 2x device)

  • Format: JPEG, PNG, or TIFF

To add a photo, go to Manage > Users, select a user, click Edit, and then click Choose image.

Image of Users screen

Step 7: Plan and add resources and delivery groups to Endpoint Management

A delivery group specifies the resources to deploy to categories of users. For example, you might create one delivery group for instructors and students. Alternatively, you might create multiple delivery groups so you can customize the apps, media, and policies sent to various instructors or students. You might create one or more delivery groups per class. You can also create one or more delivery groups for managers (other staff in your educational institution).

Resources that you deploy to user devices include device policies, VPP apps, and iBooks.

  • Device policies:

    If instructors use the Classroom app, the Education Configuration device policy is required. Be sure to review other device policies to determine how you want to configure and restrict instructor and student iPads.

  • VPP apps:

    Endpoint Management requires that you deploy VPP apps as required apps for education users. Endpoint Management currently doesn’t support deploying such VPP apps as optional.

    If you use the Apple Classroom app, deploy it only to instructor devices.

    Deploy any other apps that you want to provide to instructors or students. This solution doesn’t use Citrix Secure Hub app, so there’s no need to deploy it to instructors or students.

  • VPP iBooks:

    After Endpoint Management connects to your Apple School Manager VPP account, your purchased iBooks appear in the Endpoint Management console, in Configure > Media. The iBooks listed on that page are available to add to delivery groups. Currently, Endpoint Management supports adding iBooks as required media only.

After you plan the resources and delivery groups for instructors and students, you can create those items in the Endpoint Management console.

  1. Create any device policies that you want to deploy to instructor or student devices. For information about the Education Configuration device policy, see Education Configuration device policy.

    Image of Education Configuration policy screen

    For information about device policies, see Device policies and the individual policy articles.

  2. Configure apps (Configure > Apps) and iBooks (Configure > Media):

    • By default, Endpoint Management assigns apps and iBooks at the user level. During first-time deployment, instructors and students receive a prompt to register to VPP. After accepting the invitation, users receive their VPP apps and iBooks at the next deployment (within six hours). Citrix recommends that you force the deployment of apps and iBooks to new VPP users. To do that, select the delivery group and click Deploy.

      You can choose to assign apps (but not iBooks) at the device level. To do that, change the setting Force license association to device to On. When you assign apps at the device level, users don’t receive an invitation to join the VPP program.

    Image of Apps configuration screen

    • To deploy an app only to instructors, select a delivery group that includes only instructors or use the following deployment rule:

       Deploy this resource by ASM DEP device type
       only
       Instructor
      

    Image of Apps configuration screen

  3. Optional. Create actions based on Apple School Manager user properties. For example, you might create an action to send a notification to student devices when a new app installs. Alternatively, you can create an action that a user property triggers, as shown in the following example.

    Image of Actions configuration screen

    To create an action, go to Configure > Actions. For information about configuring actions, see Automated actions.

  4. In Configure > Delivery Groups, create delivery groups for instructors and for students. Choose the classes that were imported from Apple School Manager. Also, create a deployment rule for instructors and students.

    For example, the following user assignments are for instructors. The deployment rule is:

    Limit by user property
    ASM person title
    is equal to
    Instructor
    

    Image of Delivery Groups configuration screen

    The following user assignments are for students. The deployment rule is:

    Limit by user property
    ASM person title
    is equal to
    Student
    

    Image of Delivery Groups configuration screen

    You can also filter a delivery group by using a deployment rule based on the Apple School Manager DEP account name.

    Image of Delivery Groups configuration screen

  5. Assign the resources to delivery groups. The following example shows an iBook contained in a delivery group.

    Image of Delivery Groups configuration screen

    The following example shows the confirmation dialog that appears when you select a delivery group and click Deploy.

    Image of Delivery Groups configuration screen

    For more information, see “To edit a delivery group” and “To deploy to delivery groups” in Deploy resources.

Step 8: Test instructor and student device enrollments

You can enroll devices through either of the following methods:

  • A school administrator can enroll instructor and student devices by using the user password you can set in the Endpoint Management console. As a result, you can provide users with devices that are already set up with apps and media.

  • When users receive the devices, they enroll using the user password that you provide to them. After enrollment completes, Endpoint Management sends device policies, apps, and media to the devices.

To test enrollment, use DEP devices that are linked to Apple School Manager.

  1. If the devices aren’t linked to Apple School Manager, erase the device contents and settings by performing a hard reset.

  2. Enroll an Apple School Manager DEP device with an instructor. Then, enroll an Apple School Manager DEP device with a student.

  3. In the Manage > Devices page, check that both Apple School Manager DEP devices are enrolled in MDM only.

    You can filter the Devices page by the Apple School Manager DEP device status: ASM DEP registered, Instructor, and Student.

    Image of Devices configuration screen

  4. To verify that MDM resources deployed correctly for each device, select the device, click Edit, and check the various pages.

    Image of Devices configuration screen

Step 9: Distribute devices

Apple recommends that you host an event so you can distribute devices to instructors and students.

If you don’t distribute pre-enrolled devices, also provide the following to these users:

  • Endpoint Management passwords for DEP enrollment

  • Apple School Manager temporary passwords for Managed Apple IDs.

The first-time user experience is as follows.

  1. The first time that a user starts their device after a hard reset, Endpoint Management prompts them in the DEP enrollment screen to enroll their device.

  2. The user provides their Managed Apple ID and the Endpoint Management password used to authenticate to Endpoint Management.

  3. In the Apple ID setup step, the device prompts the user to provide their Managed Apple ID and Apple School Manager temporary password. Those items authenticate the user to Apple services.

  4. The device prompts the user to create a password for their Managed Apple ID, used to protect their data in iCloud.

  5. At the end of the Setup Assistant, Endpoint Management starts installing the policies, apps, and media to the device. For apps and iBooks assigned at the user level, the assistant prompts instructors and students to register to VPP. After accepting the invitation, users receive their VPP apps and iBooks at the next deployment (within six hours).

Configure Shared iPads

Multiple students in a classroom can share an iPad for different subjects taught by one or several instructors.

Either you or instructors enroll Shared iPads and then deploy device policies, apps, and media to the devices. After that, students provide their managed Apple ID credentials to sign in to a Shared iPad. If you previously deployed an Education Configuration policy to students, they no longer sign in as an “Other User” to share devices.

Endpoint Management uses two communications channels for Shared iPads: the system channel for the device owner (instructor) and the user channel for the current resident user (student). Endpoint Management uses those channels to send the appropriate MDM commands for the resources supported by Apple.

Resources that deploy over the system channel are:

  • Device policies, such as Education Configuration, Lock Screen Message, Maximum Resident Users, and Passcode Lock Grace Period
  • Device-based VPP apps

    Apple doesn’t support Enterprise apps or user-based VPP apps on Shared iPads. Apps installed on a Shared iPad are global to the device and not per user.

  • User-based VPP iBooks

    Apple supports assignment of user-based VPP iBooks on Shared iPads.

Resources that deploy over the user channel are:

  • Device policies: Apps Notifications, Home Screen Layout, and Restrictions

    Endpoint Management currently supports only those device policies over the user channel.

When configuring device policies, you specify the deployment channel in the policy setting Profile scope.

Image of Device Policies configuration screen

To remove device policies that you deployed over the user channel, be sure to choose a Deployment scope of User for the Profile Removal policy.

General workflow

Typically, you provide preconfigured and supervised Shared iPads to instructors. The instructors then distribute the devices to students. If you don’t distribute pre-enrolled Shared iPads to instructors, be sure to provide the instructors with their Endpoint Management server passwords so they can enroll their devices.

The general workflow for configuring and enrolling Shared iPads is as follows.

  1. Use the Endpoint Management server console to add ASM DEP accounts (Settings > Apple Device Enrollment Program (DEP)) with Shared mode enabled. For more information, see “Manage ASM DEP accounts for Shared iPads” next.
  2. As described in this section, add the required device policies, apps, and media to Endpoint Management. Assign those resources to delivery groups.
  3. Have the instructors perform a hard reset on the Shared iPads. The Remote Management screen for DEP enrollment appears.
  4. The instructors enroll the Shared iPads. Endpoint Management deploys configured resources to each enrolled Shared iPad. After an automatic restart, instructors can share the devices with students. A sign in page appears on the iPad.
  5. A student chooses the class and then enters their Managed Apple ID and temporary Apple School Manager (ASM) password. The Shared iPad authenticates to ASM and prompts the student to create an ASM password. For the next sign in to the Shared iPad, the student provides the new ASM password.
  6. Another student who is sharing the iPad can then sign in by repeating the previous step.

Manage ASM DEP accounts for Shared iPads

If you already use Endpoint Management with Apple Education, you have an existing ASM DEP account configured in Endpoint Management for devices that aren’t shared, such as the devices used by instructors. You can use the same ASM and the same Endpoint Management server for both shared and non-shared devices.

Endpoint Management supports these deployment scenarios:

  • A group of Shared iPads per class

    In this scenario, you assign the Shared iPads to a class of students. The iPads stay in the classroom. Instructors who teach different subjects in that class use the same set of iPads.

  • A group of Shared iPads per instructor

    In this scenario, you assign the Shared iPads to an instructor, who uses those iPads for the various classes that they teach.

Organize Shared iPads into device groups

ASM lets you organize devices into groups by creating multiple MDM servers. When you assign the Shared iPads to an MDM server, create a device group for each group of Shared iPads, per class or per instructor:

  • Group 1 of Shared iPads > Device Group 1 MDM Server
  • Group 2 of Shared iPads > Device Group 2 MDM Server
  • Group N of Shared iPads > Device Group N MDM Server

Add ASM DEP accounts for each device group

When you create multiple ASM DEP accounts from the Endpoint Management server console, you automatically import groups of Shared iPads (one for each class or instructor):

  • Device Group 1 MDM Server > Device Group 1 DEP account
  • Device Group 2 MDM Server > Device Group 2 DEP account
  • Device Group N MDM Server > Device Group N DEP account

Requirements specific to Shared iPads are as follows:

  • One ASM DEP account for each device group with these settings enabled:
    • Require device enrollment
    • Supervised mode
    • Shared mode
  • For a given educational organization, be sure to use the same Education suffix for all ASM DEP accounts.

To add a DEP account, go to Settings > Apple Device Enrollment Program (DEP).

Image of Apple DEP settings configuration screen

Apps for Shared iPads

Shared iPads support assignment of device-based VPP apps. Before deploying an app on a Shared iPad, Endpoint Management sends a request to the Apple VPP server to assign VPP licenses to devices. To check the VPP assignments, go to Configure > Apps > iPad and expand Volume Purchase Program.

Media for Shared iPads

Shared iPads support assignment of user-based VPP iBooks. Before deploying iBooks on a Shared iPad, Endpoint Management sends a request to the Apple VPP server to assign VPP licenses to students. To check the VPP assignments, go to Configure > Media > iPad and expand Volume Purchase Program.

Image of Media configuration screen

Deployment rules for Shared iPads

For Shared iPad deployment, the rules at the delivery group level don’t apply because they relate to user properties. To filter the policies, apps, and media for each group of devices, add a deployment rule to each resource based on the DEP account name. For example:

  • For the Device Group 1 DEP account, set this deployment rule:

    DEP account name   Only   Device Group 1 DEP account

  • For the Device Group 2 DEP account, set this deployment rule:

    DEP account name   Only   Device Group 2 DEP account

  • For the Device Group N DEP account, set this deployment rule:

    DEP account name   Only   Device Group N DEP account

Image of Device Policies configuration screen

To deploy the Apple Classroom app only to instructors (using unshared iPads), filter the resources by ASM DEP shared status with either of these deployment rules:

    Deploy this resource regarding ASM DEP shared mode   only   unshared

Or:

    Deploy this resource regarding ASM DEP shared mode   except   shareable

Image of Apps configuration screen

Delivery groups for Shared iPads

For the device group for each instructor:

  • Configure one delivery group. For the instructor, assign all the classes that the Education Configuration policy defines.

Image of Delivery Groups configuration screen

  • That delivery group must include these MDM resources:
    • Device policies:
      • Education Configuration
      • Lock Screen Message
      • Apps Notifications
      • Home Screen Layout
      • Restrictions
      • Maximum Resident Users
      • Passcode Lock Grace Period
    • Required VPP apps
    • Required VPP iBooks

Image of Delivery Groups configuration screen

Security actions for Shared iPads

In addition to existing security actions, you can use these security actions for Shared iPads (available in iOS 9.3 and later):

  • Get Resident Users: Lists the users that have active accounts on the current device. This action forces a sync between the device and the Endpoint Management console.
  • Logout Resident User: Forces the current user to log out.
  • Delete Resident User: Deletes the current session for a specific user. The user can sign in again.

Image of Security Actions screen

After you click Delete Resident User, you can specify the user name.

Image of Security Actions screen

Results of security actions appear on the Manage > Devices > General and Manage > Devices > Delivery Groups pages.

Get information about Shared iPads

Find information specific to Shared iPads on the Manage > Devices page:

  • Look up:
    • Whether a device is shared (ASM DEP shared)
    • Who is logged in to the shared device (ASM logged-in user)
    • All users assigned to the shared device (ASM resident users)

Image of Devices configuration screen

  • Filter the device list by its ASM DEP Device Status:

Image of Devices configuration screen

  • View details about the user logged in to a Shared iPad, on the Manage > Devices > Logged-in User Properties page.

Image of Devices configuration screen

Image of Devices configuration screen

  • See the channel used to deploy resources to instructors and users in a delivery group on the Manage > Devices > Delivery Groups page. The Channel/User column shows the type (System or User) and the recipient (instructor or student).

Image of Devices configuration screen

  • Get information about resident users:
    • Has data to sync: Whether the user has data to be synchronized to the cloud.
    • Data quotas: The data quota set for the user in bytes. A quota might not appear if user quotas are temporarily off or aren’t enforced for the user.
    • Data used: The amount of data used by the user in bytes. A value might not appear if an error occurs as the system gathers the information.
    • Is logged in: Whether the user is logged on to the device.

Image of Devices configuration screen

  • View the push status for both channels.

Image of Devices configuration screen
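The resident-user fields listed above correspond to keys in Apple's MDM UserList response, where the quota and usage values are optional. The following added example is not part of the original page or of Endpoint Management; the sample response, user names, and the `review_resident_users` helper are constructed for illustration. It parses such a response and flags users with unsynced data, missing values, or usage near quota, which is worth checking before you run Logout Resident User or Delete Resident User.

```python
import plistlib

# Constructed sample in the shape of an Apple MDM UserList response.
# User names are made up. DataQuota and DataUsed are optional keys.
SAMPLE_RESPONSE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>Status</key><string>Acknowledged</string>
  <key>Users</key>
  <array>
    <dict>
      <key>UserName</key><string>student1@appleid.example.edu</string>
      <key>HasDataToSync</key><true/> <key>IsLoggedIn</key><false/>
      <key>DataQuota</key><integer>2147483648</integer>
      <key>DataUsed</key><integer>2040109465</integer>
    </dict>
    <dict>
      <key>UserName</key><string>student2@appleid.example.edu</string>
      <key>HasDataToSync</key><false/> <key>IsLoggedIn</key><true/>
      <key>DataUsed</key><integer>1024</integer>
    </dict>
    <dict>
      <key>UserName</key><string>student3@appleid.example.edu</string>
      <key>HasDataToSync</key><false/> <key>IsLoggedIn</key><false/>
      <key>DataQuota</key><integer>1073741824</integer>
    </dict>
  </array>
</dict></plist>"""

def review_resident_users(raw, near_quota=0.9):
    """Return {user name: [notes]} for resident users that need attention."""
    findings = {}
    for user in plistlib.loads(raw).get("Users", []):
        notes = []
        quota, used = user.get("DataQuota"), user.get("DataUsed")
        if user.get("HasDataToSync"):
            notes.append("unsynced data")      # data not yet in the cloud
        if user.get("IsLoggedIn"):
            notes.append("logged in")          # active session on the device
        if quota is None:
            notes.append("quota not reported") # quotas off or not enforced
        if used is None:
            notes.append("usage not reported") # error while gathering usage
        elif quota and used / quota >= near_quota:
            notes.append("near quota")
        if notes:
            findings[user.get("UserName", "<unknown>")] = notes
    return findings
```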

Manage instructor, student, and class data

When managing instructor, student, and class data, note the following:

  • Don’t change Managed Apple IDs after you import Apple School Manager information into Endpoint Management. Endpoint Management also uses Apple School Manager user identifiers to identify users.

  • If you add or change class data in Apple School Manager after you create one or more Education Configuration device policies: Edit the policies and then redeploy them.

  • If the instructor for a class changes after you deploy the Education Configuration device policy: Review the policy to ensure it updates in the Endpoint Management console and then redeploy the policy.

  • If you update user properties in the Apple School Manager portal, Endpoint Management also updates those properties in the console. However, Endpoint Management doesn’t receive the ASM person title property (Instructor, Student, or Other) in the same way it receives other properties. Thus, if you change the ASM person title in Apple School Manager, complete the following steps to reflect that change in Endpoint Management.

To manage the data:

  1. In the Apple School Manager portal, update the student grade and clear the instructor grade.

  2. If you changed a student account to an instructor account, remove the user from the list of students in the class. Then, add the user to the list of instructors in the same or another class.

    If you changed an instructor account to a student account, remove the user from the class. Then, add the user to the list of students in the same or another class. Your updates appear in the Endpoint Management console during the next sync (every five minutes by default) or fetch (every 24 hours by default).

  3. Edit the Education Configuration device policy to apply the change and redeploy it.

  • If you delete a user from the Apple School Manager portal, Endpoint Management also deletes that user from the Endpoint Management console after a fetch.

    You can reduce the interval between two baselines by changing this server property value: bulk.enrollment.fetchRosterInfoDelay (default is 1440 minutes).

  • After you deploy resources: If a student joins a class, create a delivery group with just that student and deploy the resources to the student.

  • If a student or instructor loses their temporary password, have them contact the Apple School Manager administrator. The administrator can provide the temporary password or generate a new one.

Manage a lost or stolen device that’s enrolled in Apple School Manager DEP

The Apple Find My iPhone/iPad service includes an Activation Lock feature. Activation Lock prevents unauthorized users from using or reselling a lost or stolen device that’s enrolled in DEP.

Endpoint Management includes an ASM DEP Activation Lock security action that enables you to send a lock code to an Apple School Manager DEP-enrolled device.

When you use the ASM DEP Activation Lock security action, Endpoint Management can locate devices without requiring users to enable the Find My iPhone/iPad service. When an Apple School Manager device is hard-reset or fully wiped, the user provides their Managed Apple ID and password to unlock the device.

To release the lock from the console, click the security action Activation Lock Bypass. For information about bypassing an activation lock, see Bypass an iOS activation lock. The user can also leave the login blank and type the ASM DEP activation lock bypass code as the password. The bypass code is available in Device Details, on the Properties tab.

To set the activation lock, go to Manage > Devices, select the device, click Security, and then click ASM DEP Activation Lock.

Image of Devices configuration screen

The ASM DEP escrow key and ASM DEP activation lock bypass code properties appear in Device details.

Image of Devices configuration screen

The RBAC permission for an ASM DEP Activation Lock is Devices > Enable ASM DEP/Bypass activation lock.

Image of RBAC configuration screen