By clicking ‘Accept’, you agree to the storing of cookies on your device for an enhanced experience as well as analytical and commercial purposes. To learn more about how we use cookies, please see our privacy policy.
Allow
Deny
  • Sign up / Login
My Cart

12 months interest free on any Mac over £1,000. 18+, T&Cs apply.

Account

iOS9 and shared devices

Anybody who has deployed iPads in significant numbers as shared devices will understand why preparation for the deployment was essential.  In fact shared device deployments under iOS 8 took a whole lot more preparation than one-to-one devices ever did because the IT department were effectively acting like the end user on each device signing in using institution owned credentials.

 

iOS 9 has changed all of that…….. and dramatically!

 

Apple have taken a step back and tried to look at this whole process from a different perspective, and the results are fantastic.  If you’re using the right foundations for your iPad deployment iOS 9 will revolutionise how you prepare and manage your shared devices.

 

In our tests we were using the following:

 

 

Device Assigned App Deployment

 

Some may say save the best until last, but this is such a massive step forward lets get it out there up front.  If you’re using VPP to buy app licenses and an MDM for distribution you can now assign apps to the serial number of a device without the need for an Apple ID.  For those of us who have been working with shared iPad deployments since the launch of the very first iPad this brings a tear of joy to the eye.

 

Using this new method of device assigned app deployment is great for shared devices where you are unlikely to allow app installation by users directly on the device, but one-to-one deployments are still best served by Apple ID based app distribution where users require more control or may even wish to install VPP assigned apps on a secondary device from their ‘Purchased’ list in the app store.

 

VPP device assignment settings for an app in Jamf Casper Suite 9.8.1

 

Apple Configurator 2 & DEP

 

When DEP was launched in the UK Apple Configurator 1.X suddenly found itself redundant in many deployments.  In fact when a device was supervised during activation by an MDM as a result of a DEP assignment Apple Configurator 1.X would have nothing to do with it, not even as a tool to bulk update the iOS when required.  But it’s all change again.

 

Automated Enrolment

For iOS 9 devices enrolled in DEP you can now create a ‘Blueprint’ in Apple Configurator 2 for an Automated DEP enrolment which also applies WiFi details on to the attached devices allowing complete activation and enrolment in the DEP assigned MDM.  This bypasses an issue with DEP activation up to now where WiFi credentials have to be entered manually.  Not such a huge issue for a few devices, but get in to the hundreds and you’re soon deciding to create a temporary open SSID for device activation and delivery of permanent WiFi credentials in a configuration profile.

 

Creating a Automated Enrollment blueprint in Apple Configurator 2.0

 

Adding a WiFi configuration profile to an Automated Enrollment in Apple Configurator 2.0

 

A completed Automated Enrollment blueprint in Apple Configurator 2.0

 

Device Updates

Apple Configurator 2 will also allow mass iOS updated to devices supervised with DEP.  If you have a sync and charge cart able to connect 16 or 32 devices simultaneously you can update all of those iPads to the latest iOS at your convenience and without putting any undue load on your internet connection and/or WiFi network.

 

App Store & App Update Management 

Three significant steps forward have been made here thanks to iOS 9.


App Updates

App updates can now be managed by your MDM on iOS 9 devices.  Jamf Capser Suite for example can per app or on a global basis force all managed apps to install available updates at a prescribed time of day

 

Global mobile device management settings for forced app updates in Jamf Casper Suite 9.8.1

 

App Store Access

New to iOS 9 for supervised devices IT administrators can now disable on device access to the app store whilst retaining the ability to deploy new apps.  Many MDM’s had applied a workaround to this under iOS 8, but it left a temporary windows of access to the App store on device while a new managed app was deployed by the MDM.  Under iOS 9 it’s a true lockout on supervised devices where users can be restricted all access to the app store on device permanently.

 

Automatic App Downloads

Apple ID assigned app deployments came with one particular frustration that most IT admins just learned to live with.  That being unmanaged apps which just seemed to mysteriously appear on devices.  This was normally caused by the Automatic app downloads setting being enabled on the device and it responding to an app being purchased under that Apple ID on another device.

 

The real frustration for IT admins was that this setting could not be managed by an MDM under iOS 8, but it can now under iOS 9 on supervised devices.  Disable this setting and disable the App store and IT admins now have absolute control over app deployment on shared devices.

 

New app installation management settings for iOS 9 in Jamf Casper Suite 9.8.1

 

 Are Apple ID’s still required?

 

There’s no single answer to this question because it completely depends on your deployment.  Suffice to say that there are still important features and apps that rely on an Apple ID to function.  Highlights of which are:

 

- iCloud backup

IMPORTANT NOTE - Data from device assigned apps (new to iOS 9) is not backed up by iCloud.  It’s presumed that users will copy data off the device on to iCloud Drive or a similar cloud storage solution

  • iCloud Drive
  • iCloud Photo Library
  • iTunes U
  • Find my iPad (activation lock)
  • App Store - For on device app purchases if allowed

 

Device Name Management

 

A simple enhancement, but one that has been often requested.  A new restriction payload allows disabling the ability for a user to change device names on supervised iOS 9 devices.


Conclusion

 

If you’re using iPads as shared devices you should be migrating on to iOS 9 and leveraging these new technologies as soon as possible.  In summary these are the technologies to use and why:

 

  • Apple Device Enrolment Program (DEP)

Forces devices to refer to an MDM during standard activation processes.  DEP assignment of devices to an MDM is the only way of applying a management profile to an iPad which cannot be removed by the user.

 

  • Mobile Device Management (MDM)

Takes device enrolments referred by DEP and allows supervision of devices in the process enabling some of the more advanced setting and restrictions on iPads desired in a shared device deployment.  An MDM is also required to push out apps without the need for an Apple ID and enforce settings like disabling the App store on device.

 

  • Apple Configurator 2.0 on a Mac running Mac OS X 10.11 El Capitan

Allows a streamlined deployment of devices leveraging DEP and the assigned MDM.  With the correct setup you can connect brand new devices to a Mac running Apple Configurator 2 and within a few minutes end up with fully configured and managed devices with all required apps installed having not even tapped the screen once.  Magic!

 

  • Apple Volume Purchase Program (VPP)

Where to purchase app licenses for device assignments of apps without Apple ID using your MDM.

Comment Below

Comments

    No Comments yet. be the first to comment.