Preparing for Apple devices
As Apple devices are being deployed in more and more schools and businesses across the country, we are regularly asked by IT Managers, “What can we do to prepare?”.
In truth, the answer to that question can be very short or very long depending on the exact circumstances, but for many of our education customers the answer almost always includes three steps. In this article we will outline those three steps and, in doing so, hopefully give you a head start in preparing for iPhone, iPad or Mac on your network.
Apply for Apple School Manager or Apple Business Manager
Whichever deployment model you choose, Apple School / Business Manager will be required for automatic enrolment into your Mobile Device Management (MDM) solution when devices are activated, and for managed distribution of apps from the iOS or Mac App Store.
Automated enrolment into your MDM leverages Apple’s Device Enrolment Program, also known as DEP, and deployment of apps uses the Apps & Books store in Apple School Manager, also known as VPP.
Whitelist Apple and your MDM
To ensure that Macs and iPads can activate properly and communicate with your chosen MDM you may need to prepare your network. In our example here we're using the Jamf Pro MDM which underpins our FirstClass Managed Service for schools.
To check your existing network access, grab a device (an iPad is probably the easiest) and connect it to your network. Importantly, make sure that the test device doesn't have SSL certificates installed for your web filter and doesn't have a web proxy set up. Then simply try to access the following web sites using Safari (substitute jamfcloud.com with your chosen MDM if not using Jamf Pro):
Access to the Apple network and Jamf Cloud should bypass all outbound filtering and firewall rules allowing you to connect to these sites. If that's not the case you should make some changes to your network. The settings required for firewall and filtering systems are:
1. Whitelist the Apple network block 220.127.116.11/8 on all ports.
Ports 80 & 443 for http/https and 5223, 2195 and 2196 for Apple Push Notification services are the most important, but whitelisting all ports will alleviate any ongoing issues when Apple expand or change devices and services in the future.
2. Whitelist your MDM server URL on port 443
KRCS managed services are underpinned by Jamf Pro as our chosen MDM, so the wildcard URL https://*.jamfcloud.com/ has to be whitelisted. Like most other cloud MDMs, this can't be resolved to a fixed IP address because of load balancers.
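A small reachability check that automates the Safari test above, written here as an added example (it is not KRCS's or Jamf's code). It probes the ports the article lists directly, without a proxy; the Apple hostnames are assumptions to verify against Apple's current published list, and the Jamf tenant name is a placeholder.

```python
import os
import socket

# Endpoints to probe, built from the ports the article lists (80/443 for
# HTTP/HTTPS, 5223/2195/2196 for Apple Push Notification services) plus the
# *.jamfcloud.com wildcard. Apple hostnames are assumptions (check Apple's
# current list); the Jamf tenant name is a placeholder for your own.
ENDPOINTS = [
    ("albert.apple.com", 443),           # device activation (assumed host)
    ("courier.push.apple.com", 5223),    # APNs to devices (assumed host)
    ("gateway.push.apple.com", 2195),    # legacy APNs gateway (assumed host)
    ("feedback.push.apple.com", 2196),   # legacy APNs feedback (assumed host)
    ("yourtenant.jamfcloud.com", 443),   # placeholder: your Jamf Cloud tenant
]

PROXY_VARS = ("http_proxy", "https_proxy", "HTTP_PROXY", "HTTPS_PROXY")


def proxy_configured(env=os.environ):
    """Return the proxy variables that are set; the article's test device must
    have no web proxy, otherwise a pass only proves the proxy can reach Apple."""
    return [v for v in PROXY_VARS if env.get(v)]


def tcp_connect(host, port, timeout=5.0):
    """Direct TCP connect (no proxy); True if the handshake completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_endpoints(endpoints=ENDPOINTS, connect=tcp_connect):
    """Probe every endpoint and return the (host, port) pairs that failed.
    `connect` is injectable so the logic can be exercised without a network."""
    return [(h, p) for h, p in endpoints if not connect(h, p)]


if __name__ == "__main__":
    if proxy_configured():
        print("Remove proxy settings before testing:", proxy_configured())
    failed = check_endpoints()
    for host, port in ENDPOINTS:
        print(f"{host}:{port} {'BLOCKED' if (host, port) in failed else 'ok'}")
```

Any endpoint reported as BLOCKED points at a firewall or filter rule that still needs the bypass described in the two steps above.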
Further public information supporting this advice can be found via these links
Enable Apple Content Caching
Apple Content Caching is a service that can be enabled on any Mac running macOS X 10.13 High Sierra. When started, it registers with Apple to tell them that your network has a caching service; all Apple devices on the network then check that service when downloading apps, books or iCloud data to see if a local copy exists before downloading from the internet.
If a local copy doesn’t exist on the caching server, it’s cached during the first download from the internet, allowing future requests of the same data to come from your local caching server. All of which is invisible to the end user.
Content caching provides significant speed improvements to the user experience when installing apps and logging in to Shared iPads.
To find out more about configuring the caching service click here.
We hope that this advice has been helpful, and potentially given you the ‘head start’ promised in preparing for Apple devices on your network.
For further information please contact your KRCS account manager, call us on 0115 985 1797 or email email@example.com.