#deploy2016

For years I have really wanted to do a 1:1 iPad deployment in my school. Ever since we started getting sets of iPads in our school, they always tended towards one-per-child, with teachers combining smaller sets so that every pupil in a class could have one. When the original iPad mini came out in 2012, I put a proposal to my headteacher for us to roll out iPads across the whole school, which (thankfully, in hindsight) wasn’t accepted. This was back in the days when syncing to iTunes was still a thing and we still had a creaky and patched-together wifi network. It might have worked at scale in a 3-4 form Primary school, but I do doubt it.

Since then, we’ve been slowly increasing the number of iPads in the school and gradually embedding them into everyday practice, bringing us to the point where ‘going 1:1’ just seemed like the obvious next step. We just needed more devices so that the iPad could be a tool for learning whenever it was needed, rather than having to negotiate an hour slot once a day. After all, you don’t have to book out a class set of pencils – everyone gets one, whenever you need it!

With this in mind, our proposal for going 1:1 in KS2 was agreed, with the rollout at the beginning of this term. Here’s the process we went through…

Picking the device

We’ve been using iPad minis with children in our school for 3 years, and it’s been working well. The devices are small and light enough for children to easily carry and use, as well as not taking up loads of space on a desk when not required, and they’re also that little bit cheaper than a ‘normal’ sized iPad. The question was then about storage size and model. For the money we had to spend on a lease, we could get 32GB iPad mini 2s over 3 years, 16GB iPad mini 4s over 3 years or 64GB iPad mini 4s over 4 years. With the slower processor of the mini 2 at this point, it felt like it would be pretty tired and old after 3 years, as probably would the mini 4 after 4 years. Admittedly, 16GB is pretty scrimpy for doing a 1:1, but with iCloud storage and uploading finished projects to Showbie, I feel like we can make it work. Hopefully! It’s not entirely ideal, but the best of the options.

Broadband Upgrade

We get our broadband at school through London Grid for Learning, which has a pan-London network with pipes from Virgin Media. In return for us signing up for so many more years, they’ve doubled our broadband speed to 200 Mb. The upgrade wasn’t entirely pain-free as the increased bandwidth required an enormous new router, which barely/didn’t fit into our existing cabinets. Putting in a new cabinet involved re-patching all the cables, with the occasional one popping out because the little clip had snapped off, resulting in “aargh, why doesn’t our network work!” panics.

Having a bigger pipe coming into the school can only help, particularly with us significantly increasing the number of devices in the school.

Caching Server

OSX Server has a feature called Caching Server, which basically keeps a copy of any and every app that is downloaded on the network for iOS and OSX and then serves it up to any device that subsequently wants it. This dramatically speeds up app download speeds and reduces pressure on your broadband connection. Which is nice. It even works in weird networks like ours, where our school is buried deep within LGfL’s network.

However, we only had caching server on one machine, meaning one of our sites was cache-less and the other site had to share one cache with lots of devices. So we got Toucan Computing to install a couple of other Mac servers for good measure.

802.11ac WiFi

The iPad mini 4 comes with faster radios, supporting 802.11ac wifi. Our existing wifi installation was the 802.11N Unifi from Ubiquiti, which allows you to add as many access points as you want without additional licence fees for the controller, which can run on a Mac/PC/Linux box somewhere. They mount nicely on ceiling tiles or walls and can be powered via PoE (Power over Ethernet). They now have an ‘ac’ model, so we swapped in newer access points for the classrooms having 1:1 iPads. So far they seem to be managing perfectly fine with 30+ devices per access point, with faster download speeds as well.

Storage Cabinets

Because we’re not sending the devices home, we needed an easy and secure way to store and charge iPads. Three years ago, lots of people sold ridiculously expensive cabinets that could USB sync your iPads with iTunes. However, I wonderfully stumbled across these cabinets from Zioxi (formerly ISIS, who have since changed their name as the innocent river flowing through Oxford has inherited some other connotations). The trolleys are basically some shelves for each iPad with some power strips to plug in the USB power adaptors.

I’ve found that teachers are notoriously bad at remembering to lock up cabinets, so we opted for ones with digital code locks, making the locking process a lot easier. It seems to be helping!

Apple School Manager

The thought of manually creating 450 Apple IDs made me feel ill, so thankfully Apple have now released Apple School Manager where you can, amongst other things, create Apple IDs that are managed by the school. These accounts can be reset by the school, as well as inspected for their contents at any time. They also strip out anything to do with commerce on the account, which means no buying apps or in-app purchases. This might make you wonder what the use of them is, especially as apps can now be assigned to devices by the MDM. It’s basically for iCloud backup, plus the ability to accept distributed e-books and enroll on iTunes U courses (with a caveat – read carefully!).

Apple School Manager is an attempt to unify all of the different systems such as Volume Purchase and Device Enrollment. It does work, but still feels a bit like a work in progress.

The dream of Apple School Manager is that it will sync seamlessly with your student information system (SIS), automatically populating your MDM and iTunes U with classes, teachers, courses and the correct students. Our SIS isn’t supported, so we instead have to download 6 CSV templates, complete them with the relevant information and upload them back to Apple via an SFTP address. It was rather fiddly to set up (not helped by the fact that LGfL blocked SFTP traffic to begin with), and requires some careful reading of their support information, but I got it working in the end. You are supposed to be able to set the passcode requirements (normal alphanumeric, 6-digit or 4-digit) from the CSV file, but that didn’t work for me so I had to manually reset all the account passwords after importing.

Once the Managed Apple IDs are created, you then print them out (either full page or many to a page) and give them to children to enter when setting up their iPads. They have a temporary password that the user then has to change during the setup process. One annoyance was that there was no way to filter or sort by class, only by year group, meaning I had to manually sort a big pile of login sheets into each of the four classes in the year group. Hey ho.

Casper Suite

We moved from Meraki to Casper Suite as our MDM last year, and I do not think we could have done a 1:1 programme without it! Amongst its many benefits, it allows us to have our own internal ‘App Store’, through their Self Service app. Students can then browse and download the apps they need from a pre-selected list without the need for an Apple ID or using the App Store.

Roll Out

With all of this planning and prep, and all the features that Apple released in iOS 9.3, we were able to roll out 15 classes of iPads in just 4 days, with children themselves tapping through the set up process and entering their Managed Apple IDs etc. It really was remarkably straightforward!

The State of Mac Management

In the glory bygone days, managing Macs was easy: just set up an OSX Server, get Workgroup Manager working and then configure users’ preferences to your heart’s delight. There were ways to easily tweak settings using a GUI, or you could import whatever .plist file you wanted to and have a custom preference.

Now, it wasn’t all a bed of roses: the Mac had to be bound to the OSX Server for these managed preferences to work, meaning things got rather ugly if the server got taken down for any reason. Plus, you had to find other solutions for imaging Macs, deploying and updating software and remote access. But there were tools for this (Deploy Studio, Munki, Apple Remote Desktop), so we were happy.

Then along came Lion. As part of taking everything Apple had learnt from iOS ‘back to the Mac’, Configuration Profiles were introduced. These were just the same as the profiles used to manage iPhones and iPads, offering ways to lock down certain things and set up accounts like email etc. The other cool thing was that these lightweight profiles could be pushed out to a Mac from an MDM server, removing the need to have the Mac permanently bound to a server. Instead, the Mac would keep hold of its profiles until the server gave it some new ones. Macs and iPads could all be managed from one place: one MDM to rule them all!

Workgroup Manager continued to be updated by Apple, but with very little attention given to it. The last version released was for 10.9 server: it still works in 10.10, but has officially been retired and any future support for it is quite unlikely.

As someone who likes to live at the bleeding edge of technological change, did I adopt it straight away? Not for want of trying! Apple offered their own ‘free’ version of an MDM as part of their Server app, called Profile Manager. We couldn’t even get it to work in 10.7, finally got it working with some iPads in 10.8 and then gave up on it in 10.9 (after suffering email profiles being pulled off every teacher iPad due to some weird Active Directory issue).

The issue with it boiled down to how Configuration Profiles just aren’t the same as Managed Preferences. In the ‘walled garden’ of iOS, we just accepted that certain things just weren’t manageable (like position of apps on the home screen or the initial setup of apps etc). Whereas Managed Preferences had given the Mac administrator the taste of absolute control – you shall have the settings I give you! Plus, they also had the fine-grained option of setting preferences to ‘once’, ‘often’ (ie every time you logged in) or ‘always’… with profiles, everything was just ‘forced’.

So, the questions are: what actually needs to be managed? what are the ways of doing it?

Things that need to be managed:

  • First run settings on stuff like Office
  • Mounting shared drives
  • Tweaking the UI as required, eg right click on Apple Mouse, sidebar defaults etc
  • Licence keys for apps
  • Setting keyboard, location etc
  • Managing the dock
  • Installing new software and patching existing software
  • Imaging new Macs
  • Running Apple Software Update

So what are the tools?

  • Using a Configuration Profile, either for the settings Apple gives you, or importing a custom plist – only works if you don’t mind it being ‘always’. Tim Sutton has a command line tool for converting a .plist file into a profile. An MDM server can push out profiles over the air and Munki can now install profiles too.
  • Tweaking the preferences in the default user template. Composer as part of Casper Suite has a handy feature for doing this, as well as filling existing users’ preferences.
  • Running various scripts on startup/login/logout. Our Apple reseller has a way of running various scripts like this, and Casper can manage this too. You can also make payload-free packages which just run a script when installed and can be distributed with Munki.
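
To make the first option concrete, here is an added example (not Tim Sutton's tool and not code from the original post) that wraps a preference plist in a custom-settings profile and then audits which keys a profile forces. The domain, keys, identifier and organisation are constructed placeholders.

```python
import plistlib
import uuid

# Constructed sample: a preference plist as an app might write it.
# The domain and keys are placeholders, not a real application's settings.
SAMPLE_DOMAIN = "org.example.school.app"
SAMPLE_PLIST = plistlib.dumps({"SkipFirstRunSetup": True, "DefaultServer": "files.example.org"})


def build_forced_profile(domain, plist_bytes, identifier, organization):
    """Wrap one preference domain's plist in a custom-settings profile."""
    settings = plistlib.loads(plist_bytes)
    if not isinstance(settings, dict) or not settings:
        raise ValueError("preference plist must be a non-empty dictionary")
    payload = {
        "PayloadType": "com.apple.ManagedClient.preferences",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{identifier}.{domain}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadEnabled": True,
        # 'Forced' is the profile counterpart of the old 'always' setting.
        "PayloadContent": {domain: {"Forced": [{"mcx_preference_settings": settings}]}},
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"Managed settings for {domain}",
        "PayloadOrganization": organization,
        "PayloadScope": "System",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile)  # XML plist, i.e. the .mobileconfig body


def forced_keys(profile_bytes):
    """Audit a profile: return {domain: sorted list of keys it forces}."""
    found = {}
    for payload in plistlib.loads(profile_bytes).get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.ManagedClient.preferences":
            continue
        for domain, modes in payload.get("PayloadContent", {}).items():
            keys = set()
            for entry in modes.get("Forced", []):
                keys.update(entry.get("mcx_preference_settings", {}))
            found[domain] = sorted(keys)
    return found
```

Running `forced_keys` over a profile before it is pushed from the MDM shows exactly which preferences users will no longer be able to change.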

So how do you choose the right tool? The factors are:

  • Cost: MDM servers aren’t cheap necessarily, nor is spending money on getting an Apple reseller to set things up for you.
  • Experience: are you savvy with scripting and dealing with the command line? If not, a solution with a GUI might be better.
  • Continuity: I work in a primary school where high turn-over of staff is quite common. Does the solution need to keep working even if you go?
  • Time: do you have time to learn and understand the intricacies, or do things need to work ‘out of the box’? I am in the fortunate position of being able to give time to figure some things out, but most primary schools aren’t.

At my school, we’ve gone for Casper Suite as a way to have a GUI for managing Macs that doesn’t rely on me being a complete Mac system admin with lots of experience in scripting etc., whilst also moving away from Managed Preferences and leveraging Configuration Profiles instead. Let’s hope it works!

Casper Suite

We’ve just had Casper Suite installed at my school. Part of the installation process is a three-day ‘Jump Start’ where a highly experienced trainer (in our case, two, as we had someone shadowing) guides you through installing the software and the processes involved in setting up and running it.

So why Casper Suite? Over the years, we’ve ended up using a range of different systems and technologies to manage the Macs and iPads in school. The Macs have been managed with an OSX Server running Workgroup Manager, plus a few scripts written by our Apple Reseller and the use of Munki for managing software installs and updates. With iOS, we’ve used Meraki, making use of the VPP programme and managed distribution, as well as Apple Configurator for class sets of iPads.

This has worked pretty well, but I knew we needed to move away from Workgroup Manager. Since 10.7 Lion, Apple has pushed the use of Configuration Profiles instead of Managed Preferences. Technology-wise, it isn’t a straight swap, as there are things you can do with MCX that you can’t do with profiles, and vice versa. But with 10.10, Workgroup Manager no longer even exists (even though the 10.9 version still works!), so I knew we had to do something. Casper Suite was well spoken of, properly supported OSX as well as iOS, and seemed to have some cool features.

The main drawback of Casper Suite is the cost: as an educational customer, you only pay for support per device, which works out pretty cheap. But you have to pay for the three days of ‘Jump Start’ before you begin, which is not cheap! However, I calculated that it works out about the cost of a case per device, which isn’t so bad. An iPad without a case is pretty hobbled, and I’m sure Casper will add a depth and richness to our deployment.

The Jump Start went pretty well, and we managed to get everything working by the end of the three days. I did finish the three days feeling overwhelmed with everything there is to do (sorting out all the configuration of the Macs then imaging them all, plus redoing all the iPads), but I think it will come together over the next half term.

Here are some of the highlights so far:

  • Casper Focus: allows a teacher to lock all the iPads in a class to a particular app or webpage
  • Self service: dishing up apps, books and in fact most things to users
  • Deployment Enrollment Programme (DEP): iPads get automatically enrolled to Casper and tied to a certain user out of the box
  • Composer: a powerful way to package up Mac apps, including the ability to fill the user template and existing users’ preferences
  • JSS: the fact it runs as a web service, meaning that Macs don’t have to be bound to an OSX server any more
  • JAMF Nation: a community of helpful geeks who are there to help find solutions to problems

I’m not sure it’s the right solution for small primary schools, or places without an onsite Mac geek, but I think it’s going to work really well for us.