What’s New in Managing Apple Devices

If you manage iPads or Macs at any sort of scale, then do watch this video from WWDC: What’s New in Managing Apple Devices.

Here’s a summary of some of the cool stuff that made me particularly happy…

No Apple IDs to install apps

If an iPad is Supervised (set up with Apple Configurator or DEP), you will be able to push out apps via your MDM without the need for an Apple ID on the device.  Which is pretty cool!  The app gets assigned to the device rather than a person.  The installation, updating and management are all controlled by your MDM.

Push out iOS updates

In iOS9, you will be able to push out iOS updates.  This is good news for me, as I’m still trying to get teachers to update their iPads from iOS7!  Via an MDM, you will be able to schedule updates to happen, e.g. when the device is plugged in at night.

Fix wallpaper, passcode and device name

A new MDM restriction means you will be able to lock the wallpaper, prevent a user from adding a passcode and stop the device name being changed.  This is very handy for shared devices in a cart-based deployment.

New Apple Configurator 2

They’ve ditched having a database (that gets very big and is prone to corruption) and are instead keeping ‘tags’ stored on the devices themselves.  The demo looked quite nice and I can see it being handy for those synced-via-cable cart deployments.  Apparently, you can also enrol a device via DEP using Configurator too, meaning a lot less tapping on devices.

There were lots of other nice features, so do watch the video or read a summary here (Amsys) or here (Enterprise iOS).

I like the fact that Apple are no longer insisting that the best and only way to use iPads in a school is 1:1, but are rather accepting that having a shared cart of iPads might actually be ok and are providing tools to help manage iPads in that way.

It’s a shame I won’t get to play with this stuff until we’re substantially into the new academic year, but I guess that is the life of an educational technologist these days!

Getting Caching Server working on LGfL

Caching Server is a cool part of OS X Server: once you turn it on, it basically becomes a local cache of the App Store (Mac and iOS), keeping a copy of downloaded apps on your local network.  This results in faster app downloads, as they’re coming from within your network, and less use of your broadband connection.  Which is nice.

Unfortunately I’ve never been able to get it to work as my school is part of London Grid for Learning (LGfL).  LGfL is a broadband consortium, which allows schools to buy broadband at much cheaper rates because the LGfL trust has built a lovely big network (with the help of Virgin Media Business) just for schools in London. With an eye to safeguarding children, this network is built to be very safe and secure.  The upshot of this is that our little Mac server is buried deep within the network behind many firewalls and switches and routers and so on.  Which has meant that Caching Server hasn’t worked, as it needs to sit pretty close to the open Internet.

Until Yosemite that is.

We recently had our server updated to OS X 10.10, and with that comes some improvements to Caching Server.  One of these is the ability to set the public IP addresses/ranges that will use the Caching service, thus making it all work.

Here’s how:

  1. Open the Server app and click on ‘Caching’. Turn it on.
  2. Click on ‘edit’ next to where it says ‘Permissions’.
  3. On the drop-down menu next to ‘Serve clients with public addresses’, choose ‘on other networks’.
  4. Click the plus in the box below and add the public IP address of the server.  You can find this out by clicking the server name under ‘Server’ in the sidebar.
  5. Enter in the public IP address for all LGfL-connected, which is 5.150.101.173.  Apparently!
  6. You then need to set some client configuration on your DNS server.  Our DNS is on a Windows server, so I click ‘Client Configuration’, choose ‘Windows’ as the DNS type and then copy the command.  I then open up the Windows server, type ‘CMD’ into the search box to open the command line, then copy the command.

And that seems to do the trick!  Lovely.

The State of Mac Management

In the glory bygone days, managing Macs was easy: just setup a OSX Server, get Workgroup Manager working and then configure users preferences to your heart’s delight. There were ways to easily tweak settings using a GUI, or you could import whatever .plist file you wanted to and have a custom preference.

Now, it wasn’t all a bed of roses: the Mac had to be bound to the OSX Server for these managed preferences to work, meaning things got rather ugly if the server got taken down for any reason. Plus, you had to find other solutions for imaging Macs, deploying and updating software and remote access. But there were tools for this (Deploy Studio, Munki, Apple Remote Desktop), so we were happy.

Then along came Lion. As part of taking everything Apple had learnt from iOS ‘back to the Mac‘, Configuration Profiles were introduced. These were just the same as the profiles used to manage iPhones and iPads, offering ways to lock down certain things and setup accounts like email etc. The other cool thing was that these lightweight profiles could be pushed out to a Mac from an MDM server, removing the need to have the Mac permanently bound to a server. Instead, the Mac would keep hold of its profiles until the server gave it some new ones. Macs and iPads could all be managed from one place: one MDM to rule them all!

Workgroup Manager continued to be updated by Apple, but with very little attention given to it. The last version released was for 10.9 server: it still works in 10.10, but has officially been retired and any future support for it is quite unlikely.

As someone who likes to live at the bleeding edge of technological change, did I adopt it straight away? Not for want of trying! Apple offered their own ‘free’ version of an MDM as part of their Server app, called Profile Manager. We couldn’t even get it to work in 10.7, finally got it working with some iPads in 10.8 and then gave up on it in 10.9 (after suffering email profiles being pulled off every teacher iPad due to some weird Active Directory issue).

The issue with it boiled down to how Configuration Profiles just aren’t the same as Managed Preferences. In the ‘walled garden’ of iOS, we just accepted that certain things just weren’t manageable (like position of apps on the home screen or the initial setup of apps etc). Whereas Managed Preferences had given the Mac administrator the taste of absolute control – you shall have the settings I give you! Plus, they also had the fine-grained option of setting preferences to ‘once’, ‘often’ (ie every time you logged in) or ‘always’… with profiles, everything was just ‘forced’.

So, the questions are: what actually needs to be managed? what are the ways of doing it?

Things that need to be managed:

  • First run settings on stuff like Office
  • Mounting shared drives
  • Tweaking the UI as required, eg right click on Apple Mouse, sidebar defaults etc
  • Licence keys for apps
  • Setting keyboard, location etc
  • Managing the dock
  • Installing new software and patching existing software
  • Imaging new Macs
  • Running Apple Software Update

So what are the tools?

  • Using a Configuration Profile, either for the settings Apple gives you, or importing a custom plist – only works if you don’t mind it being ‘always’. Tim Sutton has a command line tool for converting a .plist file into a profile. An MDM server can push out profiles over the air and Munki can now install profiles too.
  • Tweaking the preferences in the default user template. Composer as part of Casper Suite has a handy feature for doing this as well as filling existing users’ preferences as well.
  • Running various scripts on startup/login/logout. Our Apple reseller has a way of running various scripts like this, and Casper can manage his too. You can also make payload-free packages which just run a script when installed and can be distributed with Munki.

So how do you choose the right tool? The factors are:

  • Cost: MDM servers aren’t cheap necessarily, nor is spending money on getting an Apple reseller to set things up for you.
  • Experience: are you savvy with scripting and dealing with the command line? If not, a solution with a GUI might be better.
  • Continuity: I work in a primary school where high turn-over of staff is quite common. Does the solution need to keep working even if you go?
  • Time: do you have time to learn and understand the intricacies, or do things need to work ‘out of the box’? I am in the fortunate position of being able to give time to figure some things out, but most primary schools aren’t.

At my school, we’ve gone for Casper Suite as a way to have a GUI for managing Macs that doesn’t rely on me being a complete Mac system admin with lots of experience in scripting etc., whilst also moving away from Managed Preferences and leveraging Configuration Profiles instead. Let’s hope it works!

Casper Suite

We’ve just had Casper Suite installed at my school. Part of the installation process is a three-day ‘Jump Start‘ where a highly experienced trainer (in our case, two, as we had someone shadowing) guides you through installing the software and the processes involved in setting up and running it.

So why Casper suite? Over the years, we’ve ended up using a range of different systems and technologies to manage the Macs and iPads in school. The Macs have been managed with an OSX Server running Workgroup Manager, plus a few scripts written by our Apple Reseller and the use of Munki for managing software installs and updates. With iOS, we’ve used Meraki, making use of the VPP programme and managed distribution, as well as Apple Configurator for class sets of iPads.

This has worked pretty well, but I knew we needed to move away from Workgroup Manager. Since 10.7 Lion, Apple has pushed the use of Configuration Profiles instead of Managed Preferences. Technology-wise, it isn’t a straight swap, as there are things you can do with MCX that you can’t do with profiles, and vice versa. But with 10.10, Workgroup Manager no longer even exists (even though the 10.9 version still works!), so I knew we had to do something. Casper suite was well spoken of, properly supported OSX as well as iOS, and seemed to have some cool features.

The main drawback of Casper Suite is the cost: as an educational customer, you only pay for support per device, which works out pretty cheap. But you have to pay for the three days of ‘Jump Start’ before you begin, which is not cheap! However, I calculated that it works out about the cost of a case per device, which isn’t so bad. An iPad without a case is pretty hobbled, and I’m sure Casper will add a depth and richness to our deployment.

The Jump Start went pretty well, and we managed to get everything working by the end of the three days. I did finish the three days feeling overwhelmed with everything there is to do (sorting out all the configuration of the Macs then imaging them all, plus redoing all the iPads), but I think it will come together over the next half term.

Here are some of the highlights so far:

  • Casper Focus: allows a teacher lock all the iPads in a class to a particular app or webpage
  • Self service: dishing up apps, books and in fact most things to users
  • Deployment Enrollment Programme (DEP): iPads get automatically enrolled to Casper and tied to a certain user out of the box
  • Composer: a powerful way to package up Mac apps, including the ability to fill the user template and existing users’ preferences
  • JSS: the fact it runs as a web service, meaning that Macs don’t have to be bound to an OSX server any more
  • JAMF Nation: a community of helpful geeks who are there to help find solutions to problem

I’m not sure it’s the right solution for small primary schools, or places without an onsite Mac geek, but I think it’s going to work really well for us.

Apple Distinguished Educator

So, I’ve been accepted to become an Apple Distinguished Educator, class of 2015!

I had to tell the story of how I used Apple technology to transform the learning environment in my school, both in words and in a video. It was quite tricky to distill it down into a decent and clear narrative, but I guess I must have done ok!

Part of the induction process is attending the ADE Institute in the summer. This should be a fascinating week, learning more from educators from across Europe, Africa, Indian and the Middle East about how to use technology to transform education.

Thought on Chromebooks

There has been much talk about the place about how Chromebooks are overtaking iPads in the classroom. Maybe they are. And maybe they do have advantages, such as:

  • cheaper hardware
  • easy to set up and manage
  • multiple users per device
  • works nicely with Google Apps
  • data all in the cloud
  • etc…

However, everything is done through a web browser.  Which to me sounds like a very depressing way to go.

The Wonderful WWW has been transformative (thanks Tim), but displaying everything using a web browser is really rather limiting in the end.  Hypertext Markup Language is not the same as a proper operating system with proper apps.  Which is what you get with iPad.  Which means you can do cool stuff like:

  • make videos
  • do green screen
  • draw with your finger
  • have a proper mail client
  • have 3D animations
  • etc….

Now, obviously all the best iPad apps make use of the Internet to make the experience better.  But making us of http:// isn’t the same as using .html.

Let me use our VLE (run using moodle) as an example.  It runs off a web server, which means it can be accessed anywhere in the world on any platform that has a web browser.  But the downside is that it’s a horrible and clunky experience.  Adding a calendar entry on an iPad versus on a Moodle page is like comparing something easy to something unpleasant.  We use a SIMS plugin so we can enter assessment data and take registers, but the user experience is horrible.  Admittedly, using SIMS on a PC isn’t all that wonderful, but at least it’s a native experience.  A web page isn’t native for anyone.

Which is why I’m thinking that we might need to look at the SIMS Teacher app.  It doesn’t do anything more than what Moodle can, but it potentially does it in a more pleasant way…

Bye-bye SMARTboards

Having unplugged and uninstalled ourselves from the SMART ecosystem, embracing instead mirrored iPads and Explain Everything, one problem still remained: having a surface to write on! Using a stylus (or finger) on an iPad is ok as far as it goes, but for properly modelling good handwriting to a class you need to be able to write on a large surface.

In many ways, the ideal scenario is . This gives you a crisp digital surface and a really good physical writing surface. However, at my school there just isn’t the space for both in our classrooms. In a new building, we experimented with putting dry-wipe paint on one of the walls and then pointing an HD projector at it too. Writing anywhere on a wall is cool, but having the ability to include digital content is handy too.

So, in order to roll this out across the school, we decided to install special where the SMARTboard surface was before. These boards are designed to be projected onto so you don’t get as much glare as a normal shiny whiteboard, but you can still write on them. We kept using the existing 4:3 VGA projectors, but the boards could also fit a 16:9 HD projected image for when we upgrade in the future.

The installation went down very well with teachers. One of the consequences has been seeing less use of the projector for when it’s not really necessary. Having a decent writing surface to teach with is actually really rather lovely.

Yosemite won’t boot

Since upgrading our Macs to OS X 10.10 Yosemite, we’ve had an issue where Macs won’t boot up properly. They start up and show the grey loading bar, but it gets to 50% and then gets stuck there. Some hacks and tricks would sometimes help (like resetting the PRAM and repairing the disk and permissions), but not always. I hoped that 10.10.2 would fix things, but alas it has not.

It turns out that the problem was to do to with having the Mac bound to an Active Directory. Thankfully, I found a solution on the JAMF support pages from the contributor Chris Hotte. He suggests editing the rc.server file as follows:

  1. Boot into single user mode
  2. Type ‘mount -uw /’
  3. Type ‘/usr/bin/nano /etc/rc.server’ to edit the file
  4. Type in the following code.

    #!/bin/sh
    /bin/echo BootCacheKludge Beta 1.0 – Chris Hotte 2015 – No rights/blame reserved.
    /usr/sbin/BootCacheControl jettison

Hope that helps someone! You can find the original post here.
You can read the post here. Hope that helps someone!

What’s the point of iPad?

If you go to any sort of Apple in Education event/conference/briefing, they often say that you should be really clear about the aims of any sort of technology deployment. This way you can then evaluate whether your deployment is working well or not.

Here are some of the aims (sometime conscious, sometimes unconscious) for the different stages of our technology rollout in school.

iMacs

Purpose: provide computers that could do movie-editing and just generally worked (didn’t get viruses/fail to turn on most days).
Success?  Tick!

Teacher Mac Minis

Purpose: extend familiarity of OS X to teachers and therefore children, provide a bit more reliability.  Whilst supporting 4:3 screen ratios and not being too expensive.
Success? Mainly. The fact they had to run with ageing monitors/smartboards/projectors/sound systems made the experience rather less that wonderful.

Teacher 1:1 iPads

Purpose: familiarity with iOS, teacher exploration of new apps.
Success? Yes! Plus the bonus of teachers using email much, much more often.  And we got to try out the Great Smartboard Experiment.

Class sets of iPad minis

Purpose: more provision of computers to enable use of ICT across the curriculum.
Success? Moderate. It is happening, but not as much as it could.

So, how do we take our iPad deployment (for the kids) to the next level?

Some ideas…

  • Work out exactly how can iPad help with learning in English and Maths
  • Do some staff training on that
  • Support teachers

We’ve got a day with Julian Coultas in a week or so (courtesy of Toucan) where I’m hoping we can work out how to best move things forward.  Stay tuned!

GarageBand Pricing

I love this time of year. Not only does the latest release of iOS mean that I have an oodle of iPads to get updated (which takes varying degrees of time depending on how much free space is required to install the update), but a month after the mega IPHONE announcement, Apple calmly release a slew of other updates for the Mac and iLife/iWork. Yay. Last year’s came with quite a few headaches (such as the way iWork didn’t play nicely at all with SMB shares) but hopefully they won’t repeat this year. I’ve already tried saving a file over SMB with newest iWork, and it seems to work fine. The ‘proper’ file format they have finally created I’m sure is to thank for that.

Last year, GarageBand threw in a bit of a curveball by being free but requiring an in-app purchase to unlock all of the functionality. This is a system admin’s worst nightmare, as there is no decent way to do this upgrade on a whole school’s worth of iPads and apps.

Thankfully, it seems that this year Apple have rescinded on the in-app upgrade option and have slapped a price on instead. For new devices, you get the app free and on existing apps you get a free upgrade.

A few questions though:

  • What happens with Apple Configurator? Do we have to have app codes to install the app? Or even just to sync existing iPads with Configurator?
  • If we now need app codes, can we still apply for free ones on iPads bought in the last year?
  • What about codes for Macs?
  • I hope to make some investigations this week to find out more…