Hosted by Apple Engineers from Cupertino.
Brett G - Apple US Education

Deployment consultation in the microlabs. Will ask about recommended (free?) MDM server, possibly issues with Windows DHCP server and Netboot/Netinstall.

Start testing iOS 9 and OSX 10.11.

  • AD integration
  • Printers
  • Scripts
  • Wireless

Watch these videos from WWDC 2015

Beyond the box

  • AppleCare
  • Apple Professional Development

OS and integration support, including MDM and Active Directory. Used this support a few times.

Apple Professional Services

The ultimate goal is to help organizations deploy iPads and Macs. Builds self-sufficiency; comprehensive services for successful deployments. Costs a percentage; they didn't mention what percentage.

Apple ID

Apple IDs can be changed.
Some assets/credentials can be transferred between Apple ID accounts.
Store purchases are locked forever to Apple IDs.

Plan for Apple ID creation; give users instructions to create them without credit cards.

Bulk create Apple IDs for students under the age of 13.
Follows COPPA guidelines with access to all Apple services. Requires parental consent through an online portal. Allows parents and teachers to reset student passwords. The uploaded CSV has basic data, including parents' email addresses, where a verification is sent. No credit card information is required, nor verification of security information.


  • Use real student email addresses.
  • Notify parents about program invitations.
  • Plan school events to facilitate parental consent.
  • Resend parent email only once every 24 hours.
  • Locations determine which students can be viewed and reset.

Volume Purchase Program

MDM is the starting point. iOS is enrolled at deployment.apple.com; OSX can be told to enroll via script. Policy delivery is based on Apple Push Notification service, which tells the client to talk to the server.

MDM configuration

  • Account Setup
  • Device Configuration
  • Content Distribution
  • Device Info
  • Security Commands
  • Restrictions
  • Managed AirPlay

Automated Setup

Have this in place now for iOS, though enrolled through Meraki. Meraki doesn't allow us to manage these devices as fine grained as we could.

  • Device boot, purchased from Apple.
    • Setup assistant asks DEP who owns the device
    • Enrolls device into MDM solution

Supervision on iOS 8 disables Activation Lock.

Managed Apps

OSX still has many sources of app installation. iOS still only has the App Store.

Either managed licenses or redemption codes. Redemption codes are old and permanently assigned to accounts.

MDM server assigns apps to users and invites users to participate. Ability to revoke and reassign apps at any time. Apps are lent to Apple IDs, and users can install them on any of their devices.

Network coverage

Touched on briefly; there will be a session Wednesday that goes deep into wireless design.


MDM relies on Apple, the client, and your server. Simple setup; the rest is dependent on the MDM. Use a trusted certificate. Always keep backups, Veeam for us.

OSX AD does not look at management data. Single sign-on. In Yosemite there is a new user group, "Print Administrators"; this group allows the management of printers. Would be useful in Libraries (maybe).

Caching Server is a must-have, especially around October for software updates. Apple tells clients about local caching servers. When caching is turned on, a request is sent to Apple containing the private IP, public IP, subnet mask, and other information. When Apple detects an update request from a client with the same public IP, the client is directed to the caching server. Might be dependent on internal subnet?

iCloud Backup

Backs up devices automatically, daily, when connected to power and Wi-Fi. Uses iCloud Drive storage.

MDM query: does the user have iCloud Backup turned on?
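The query noted above, sketched as an added example (not code from the session or from any MDM product): the server-side `DeviceInformation` command and a check of the device's reply. The query names come from Apple's MDM protocol; the sample reply is constructed, and which answers count as findings is an assumed policy.

```python
import plistlib
import uuid

# Query names defined by Apple's MDM DeviceInformation command.
QUERIES = ["DeviceName", "IsSupervised", "IsCloudBackupEnabled", "IsActivationLockEnabled"]


def build_device_information_command(queries=QUERIES):
    """Return the plist bytes an MDM server queues for the device."""
    command = {
        "CommandUUID": str(uuid.uuid4()),
        "Command": {"RequestType": "DeviceInformation", "Queries": list(queries)},
    }
    return plistlib.dumps(command)


def review_response(response_bytes):
    """Parse a device's reply and list what an admin should follow up on."""
    reply = plistlib.loads(response_bytes)
    udid = reply.get("UDID")
    if reply.get("Status") != "Acknowledged":
        # NotNow or Error: the device did not answer, so nothing can be concluded.
        return {"udid": udid, "findings": ["command status: %s" % reply.get("Status")]}
    answers = reply.get("QueryResponses", {})
    findings = []
    for key in ("IsSupervised", "IsCloudBackupEnabled", "IsActivationLockEnabled"):
        # A missing key means "not reported"; never read it as False.
        if key not in answers:
            findings.append("%s: not reported" % key)
    if answers.get("IsCloudBackupEnabled") is True:
        findings.append("iCloud Backup is on")
    if answers.get("IsSupervised") is False:
        findings.append("device is not supervised")
    if answers.get("IsActivationLockEnabled") is True:
        findings.append("Activation Lock is on")
    return {"udid": udid, "findings": findings}


# Constructed sample reply (not captured from a real device).
SAMPLE_REPLY = plistlib.dumps({
    "Status": "Acknowledged",
    "UDID": "00000000-SAMPLE-UDID",
    "CommandUUID": "constructed-example",
    "QueryResponses": {"DeviceName": "Cart-iPad-07", "IsSupervised": False, "IsCloudBackupEnabled": True},
})

if __name__ == "__main__":
    print(review_response(SAMPLE_REPLY))
```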

Four Phases of deployments

  1. Get Prepped
    • Sign up
    • Select MDM
      • Apple and third party
      • Education Centric
      • Vendor support
    • Apple IDs
  2. Setup and Configure
    • Setup MDM
    • Setup Devices
      • Assign via DEP
    • Configuring devices with MDM
    • Assigning Apps and Books
      • Assign to users with VPP
  3. Distribute Devices
    • Student-driven Setup
    • Hand device to user, MDM sets up device when it turns on. Including OSX.
  4. Manage over time

Look at every deployment as fresh. Don't be afraid of change, do what's best for the current situations.

MDM is essential, a required tool in managing iOS and OSX devices moving forward (Windows 10 moves to this model as well). THOUGH NOBODY EVER TALKS ABOUT SPECIFIC MDM SOLUTIONS! Yes, let's keep it a secret. The only MDMs ever talked about are those like JAMF that cost an arm and a leg.

MDM Teacher Tools

  • Invite Students to present to Apple TV
  • Initiate Guided Access remotely for test taking and classroom activities.

Deploying Macs and iPads

Usage scenarios

  • Institution-owned one-to-one
  • User owned (BYOD)
  • Shared (Carts, Labs)

Institution Owned

  • Best experience for end users
  • Streamlined setup
  • Consistent interface and configurations
  • Supervision, need I say more?

Student or User Owned (BYOD)

  • Students arrive with devices
  • Can manage with MDM
    • Cannot use Supervision
    • Importantly can lend apps/books to their accounts via VPP
  • Provides access to tiered infrastructure
  • View usage and app installs
  • Require Passcode
  • Enable VPN access

Shared Devices


  • Institution owned devices
  • Sit in a cart and shared between users serially
  • Should be managed with Configurator
  • Used to create iOS images
  • Lots of talk regarding Configurator.
  • Configurator Version 2: coming soon
    • Replacement of redemption codes with MDM VPP licenses
    • Syncs with other configurators on the network to share apps/backups


  • Device Enrollment Program and MDM should give tons of options. Yay! Just need to find a good server...
  • iOS devices are consumption devices, not production devices. OSX is more popular for creativity.
  • Active Directory for authentication
  • Can student accounts be Guest accounts?
  • User Data
    • Local Disk
    • Cloud
    • Network Share
  • Changing the password on OSX changes the keychain password. If the password is changed via another service, the keychain password is not updated. Will be an issue moving forward.
    • Try managing home folder expiry options. When the home folder expires, the keychain is deleted.

Core OS + App Packages

  • Start with a base OS image from App Store
    • No more monolithic image
    • For new devices, use DEP and MDM to install configurations. (Supported by AirWatch and JAMF)
  • Install patch management server client
    • ARD "immediate action tool" for patch management
    • Probably use Munki
  • Install packages to built system
  • softwareupdate command line tool

System Image utility

  • Workflow based disk image creation
  • NetBoot
    • Boot to an image over the network
  • NetInstall
    • DeployStudio
    • Boots to an OS installer
  • NetRestore
    • Build perfect system
    • Boot to server
    • Capture image of hard disk
    • Runs in workflows


Look at sysadminctl, a new command line tool in Yosemite for OSX account management.