Preparing for Apple devices
As Apple devices are being deployed in more and more schools and businesses across the country, we are regularly asked by IT Managers, “What can we do to prepare?”
In truth the answer to that question can be very short or very long depending on the exact circumstances, but when it comes to many of our education customers the answer almost always includes three steps. In this article we will outline those three steps, and in doing that hopefully give you a head start in preparing for iPhone, iPad or Mac on your network.
Apple School Manager
Whichever deployment model you choose, Apple School Manager (ASM) will be required for automatic enrolment into your Mobile Device Management (MDM) solution when devices are activated, and for managed distribution of apps from the iOS or Mac App Store.
Automated enrolment into your MDM leverages Apple’s Device Enrolment Program, also known as DEP, and deployment of apps uses the Apps & Books store in Apple School Manager, also known as VPP.
In anticipation of refreshing or deploying new Apple devices, ascertain the status of your school’s ASM account and how it’s currently being administered. If you don’t have an Apple School Manager account, sign up for one here.
Apple Content Caching
Apple Content Caching is a service that can be enabled on any Mac running macOS X 10.13 High Sierra. When started it registers with Apple to tell them that your network has a caching service, and is then checked by all Apple devices when downloading Apps, books or iCloud data to see if a local copy exists before downloading it from the internet.
If a local copy doesn’t exist on the caching server, it’s cached during the first download from the internet, allowing future requests of the same data to come from your local caching server. All of which is invisible to the end user.
Content caching provides significant speed improvements to the user experience when installing apps and logging in to Shared iPads.
When deploying new Apple devices or simply refreshing the setup of existing kit, it is now more important than ever to leverage DEP as the method by which you enrol those devices into your management solution. Most commonly that management solution will be Jamf Pro as part of our FirstClass Managed Service for schools.
To allow devices to communicate with the relevant web service during activation, we need to ensure that access to the Apple network and Jamf Cloud bypasses all outbound filtering and firewall rules.
This allows devices to receive configuration and apps without user interaction, but the traffic has to bypass inline web filters and proxy services because the devices will not have received certificate settings by the time they need to communicate with Apple and Jamf using secured ‘SSL’ protocols.
Once enrolled successfully, devices can be pushed the required certificates to be able to connect to the wider internet using SSL.
The settings required for firewall and filtering systems are:
1. Whitelist the Apple network block 17.0.0.0/8 on all ports.
Ports 80 & 443 for http/https and 5223, 2195 and 2196 for Apple Push Notification services are the most important, but whitelisting all ports will alleviate any ongoing issues when Apple expand or change devices and services in the future.
2. Whitelist the wildcard URL https://*.jamfcloud.com/ on port 443
The FirstClass Managed Service for schools is underpinned by Jamf Pro as our chosen MDM. The wildcard URL can't be resolved to a fixed IP address because load balancers can change the address at any time.
If you’re not using the KRCS Managed Service or your own instance on Jamf Cloud, simply whitelist the https URL for your own MDM.
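As an added example (not KRCS or Jamf code), the following Python audit replays the flows listed above against a firewall rule set and reports any that would be blocked or TLS-inspected before enrolment completes. The rule schema, first-match-wins evaluation and the tenant name example.jamfcloud.com are assumptions made for the illustration; 17.0.0.0/8 is Apple's published address block.

```python
import ipaddress
from fnmatch import fnmatch

APPLE_NET = ipaddress.ip_network("17.0.0.0/8")   # Apple's published address block
APPLE_PORTS = (80, 443, 5223, 2195, 2196)        # ports named in the article
MDM_SAMPLE_HOST = "example.jamfcloud.com"        # constructed tenant name (assumption)

def covers(rule, dest, port):
    """Does this rule's destination and port set include the flow?"""
    if rule["ports"] != "any" and port not in rule["ports"]:
        return False
    if rule["dest"] == "*":                      # catch-all rule
        return True
    if isinstance(dest, ipaddress.IPv4Network):
        try:
            return dest.subnet_of(ipaddress.ip_network(rule["dest"]))
        except ValueError:                       # hostname pattern or malformed CIDR
            return False
    return fnmatch(dest, rule["dest"].lower())   # hostname against wildcard pattern

def audit(rules):
    """Return findings; an empty list means enrolment traffic passes untouched."""
    flows = [(APPLE_NET, p) for p in APPLE_PORTS] + [(MDM_SAMPLE_HOST, 443)]
    findings = []
    for dest, port in flows:
        hit = next((r for r in rules if covers(r, dest, port)), None)  # first match wins
        if hit is None or hit["action"] != "allow":
            findings.append(f"{dest}:{port} blocked")
        elif hit.get("tls_inspect"):
            findings.append(f"{dest}:{port} allowed but TLS-inspected")
    return findings

# Constructed rule sets in a hypothetical schema (not any vendor's export format)
GOOD = [
    {"dest": "17.0.0.0/8", "ports": "any", "action": "allow", "tls_inspect": False},
    {"dest": "*.jamfcloud.com", "ports": {443}, "action": "allow", "tls_inspect": False},
    {"dest": "*", "ports": {80, 443}, "action": "allow", "tls_inspect": True},
]
BAD = [  # push ports missing, and Jamf Cloud falls through to the inspecting proxy
    {"dest": "17.0.0.0/8", "ports": {80, 443}, "action": "allow", "tls_inspect": False},
    {"dest": "*", "ports": {80, 443}, "action": "allow", "tls_inspect": True},
]

if __name__ == "__main__":
    for name, rules in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, audit(rules) or "ok")
```

The "allowed but TLS-inspected" finding is the case the article warns about: the connection is permitted, yet an unenrolled device cannot trust the filter's certificate, so activation still fails.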
Further public information supporting this advice can be found via these links
We hope that this advice has been helpful, and potentially given you the ‘head start’ promised in preparing for Apple devices on your network.
For further information please contact your KRCS account manager, call us on 0115 985 1797 or email email@example.com.