Apple don’t like Mac admins tinkering with the dock. For Apple, the dock is a space for the user to customise and tweak to their heart’s desire, not for some technical overlord to control.
But in a school setting, setting the contents of the dock is actually really handy. If people are moving around the school and could potentially log into any given Mac, having all the dock items in the same place makes it more familiar for staff.
Unfortunately, Jamf Pro doesn’t really offer quite the right tools for doing this. It is possible to add and remove dock items using ‘policies’, but this is prone to error and still allows users to move things around however they like. Or you can create a ‘profile’ for the dock, but only if it includes default apps and not things like Keynote, Word or Slack.
Thankfully, Michael Page has created ‘Dock Master’, an online tool that allows for the creation of customisable dock profiles with whichever apps your heart desires. Just set it up as you want, download the profile and then upload that to your MDM of choice.
When Ventura was released, I started upgrading some Macs to it and then noticed that Safari would have a little alias arrow in the left corner of the app icon in the dock. Very strange!
After a little bit of digging, I discovered that this was because Safari actually now lives in
We’ve been using Jamf Pro (formerly Casper Suite) at school since 2015 to manage our Macs and iPads. And it’s been generally great, and certainly better than any other MDMs on offer.
However, upon visiting and presenting at BETT earlier this year, it became clear that Jamf were positioning their Jamf School product (formerly Zuludesk, acquired by Jamf in 2019) as the best solution to use in education. After chatting with some Jamf engineers and then their sales team, it turned out that they were perfectly happy to give us complimentary licences for Jamf School for the year for us to try it as we were already paying for Jamf Pro and then we could migrate our devices from Jamf Pro at our own pace.
And trialing it is what we’ve done. Moving MDM is not an insignificant task, as every device has to be reenrolled (involving a wipe and fresh setup), but as we were refreshing our KS2 iPads and tweaking our KS1 setup (no more ‘shared iPad’ mode), this seemed like a good opportunity.
And the verdict? We love it!
So much so that I am going to write a blog post where I literally count the ways in which Jamf School is so great…
It’s easy to get started. There’s a friendly onboarding process that gets you plugged into all of Apple’s systems from the outset, such as Apple School Manager, sorting out push certificates etc.
Authentication with Microsoft is also easy. Compared with Jamf Pro, sorting out authentication with a 3rd party provider is really straightforward and lets you add that to the device enrolment workflow.
Syncing accounts with Apple School Manager is simple. Once ASM is plugged in, all of the various student and teacher accounts can be imported into Jamf School, complete with class groupings and everything.
Making groups is fun. In Jamf School, when you make a static or smart group, assigning apps and profiles to that group is part of the creation process. It’s a small thing, but it’s so much quicker as you just ‘click, click, click’ to add the apps you want, rather than going to each app individually and changing the scope.
Making profiles is more straightforward. Rather than just presenting profile options in all their complexity, profile creation is organised in a way that makes more sense for a school. For example, designing Home Screen layouts includes a lovely drag and drop GUI that shows what it will look like as you create it.
The Jamf Teacher/Jamf Student apps are cool. Rather than the Self Service app in Jamf Pro, Jamf Teacher combines the classroom control functionality and resource/app/books catalogue into one place. Which is nice.
There is a plethora of payload variables on offer. Jamf Pro had a few ways of pulling in device/user information in places, but Jamf School has way more of this. One particularly handy place this is implemented is with device naming. Rather than just having the option of the device serial number, we can craft our own custom naming schema, with the default being the useful ‘iPad of %FullName%’. It’s a little thing, but it makes AirDrop in a school of hundreds actually doable as students can easily see the iPad of their classmate, rather than just the serial number.
Student photos on Apple Classroom become a thing. Ever since Apple Classroom came out, it’s been possible to get your students’ photos to appear when showing which child has which iPad. However, for most MDMs it’s required hosting the photos of the students on a private web server, which is way beyond my competence level. But with Jamf School, you can just upload the photos to the child’s profile and then they appear automagically in Apple Classroom. Or even the teacher can take a photo in the Jamf Teacher app and then they appear in Apple Classroom too. Cool huh?
Different app settings in one place. In Jamf Pro, if I wanted to have an app automatically install for one group but be a manual install for another group, this was possible but involved adding an app multiple times to the catalogue. Whereas in Jamf School you can just pick the distribution method when you pick the group for the app.
The App catalogue just shows the apps you have licences for. Rather than having to add apps by searching the entire App Store catalogue, Jamf School just shows you all the apps you have volume purchase licences for. And if you don’t want to use any given app any more, you can just hide it from the list. It’s so easy AND tidy!
Assigning books just works. Want to add a book? It will already be in the catalogue of books if you have a licence for it and then you just scope it to the users you want to have it. Jamf School sorts out inviting all the Managed Apple IDs with a simple tick of a box.
You can put devices in groups, enter their asset tag number and rename them before they are enrolled. This is hugely powerful because you no longer need to think of sneaky ways to get a device to end up back in a group should it ever be wiped or deleted from Jamf School.
I probably could go on.
All in all, it’s been an experience with the continual delight of ‘hey, that’s a much better way of doing things’. Admittedly, some ways of doing things are different in Jamf School (such as the idea of automatically reinstalling apps if a user deletes them – the correct method is to remove it via the Jamf Teacher or Jamf Student app). But once you begin thinking in a Jamf School kinda way, it becomes much easier!
On Tuesday, Apple announced (via a press release rather than some fancy online event) the latest iteration of iPad, the 10th generation iPad.
It has some nice things going for it:
Rounded corner edge-to-edge display
Touch ID on the sleep/wake button
Fancy new magical keyboard, making use of the old-school magnetic connector on the side of the iPad and with Microsoft Surface-style kickstand
Front-facing webcam on the landscape edge rather than on the portrait top
Chip speed bump
However, it also has some rather key downsides:
Quite a lot more expensive
Not compatible with the 2nd generation Apple Pencil with its magnetic pairing and charging, but rather support for 1st generation Apple Pencil with the use of a handy dongle
This seemingly strange choice around Apple Pencil support has broken the internet with people completely baffled as to why Apple wouldn’t go the whole hog and do the magnetic charging/pairing Apple Pencil 2 thing.
The reason for me is to do with education. Apple needs to have a cheap and affordable iPad in order to keep a toehold in schools. The 9th generation iPad is a complete steal, with a great feature set at a very sensible price. However, it’s still stuck in the old ‘home button + lightning port’ paradigm which Apple is moving away from everywhere.
But making that move to a home-buttonless iPad isn’t going to be immediately easy. I’m still impressed with how the 9th generation iPad has the same feature-set as the original iPad Pro (Apple Pencil support + Smart Connector support). However, it took many iterations to add these features step-by-step in a way that kept the price low and still differentiated with the more expensive iPad models.
So the same goes for the 10th generation iPad: they’ve added the new screen and shape and Touch ID location and USB-C connectivity as the more expensive iPads, but at a price that schools can afford. Or at least will be able to afford in a year or two once Apple have figured out how to make them more cheaply.
So what about the Apple Pencil fiasco? A dongle to charge is a hilariously inelegant solution in many ways. I believe that the answer lies in a little announcement from Logitech of a new USB-C Crayon. It’s the updated Apple Pencil that Apple can’t make themselves but is perfect for schools.
So where’s the new Apple Pencil for the new iPad? It’s been released by Logitech instead!
When the iPad was launched in 2010, Apple also announced iBooks, an ebook reader with corresponding digital store. It made a lot of sense, especially as the iPad is about the size and weight of a large book.
Despite this great start, digital books in schools have never really taken off. I feel that part of this is the technical distribution challenge and the other is the cost. With 1:1 iPads and a decent MDM, we have sort of solved the first problem and have been able to give out digital texts at my school. However, book licenses are not re-assignable in Apple Books, which makes the whole thing only workable with free titles.
So I wondered: might a digital lending library be possible? And after a bit of searching, I discovered one…
Overdrive have created an app and digital service called Sora. Once it’s set up for your school, it offers an ebook reader that works on iPad and the web, including the facility to sync annotations and titles across devices and even play audiobooks.
The best thing though is a subscription they offer in the UK called Ebooks Now. Once paid up, you get access to a large range of digital texts that can be ‘borrowed’ by students in school. They keep a close eye on which titles are being read or otherwise, swapping out unpopular titles and keeping the selection as fresh as possible.
When we returned from the first COVID lockdown in September 2020, there were all sorts of concerns about restricting the risk of viral transmission with shared resources or spaces. So things like a school lending library were out of the question!
Instead I proposed that we get Sora at school, making the most of our 1:1 iPad programme by offering a digital lending library to our students.
It was really easy to get set up, and Overdrive even allowed us to authenticate users with our on-premises Active Directory (and later swapping to Azure for cloudy credentials). Once logged in, children could browse our school’s digital collection, borrow or reserve books and then read to their hearts’ content!
Reading the results
There’s been lots of benefits. Here’s a few…
Lockdown library. When we had to switch again to remote learning in January 2021, children were still able to log into Sora to borrow and read books at home. With no other way to provide books to our students, this was a fantastic way to keep our children reading.
Lending leader. As an admin, I’m able to see the number of titles that have been loaned by kids in our school. And in the last year, that number was 47,111! Which I think is not too bad…
Idle moments. Because we are 1:1 iPad, teachers are able to make use of the ‘down’ time in the classroom to do reading on Sora. Obviously reading an ‘analogue’ book is just as good, but it does mean children can listen to audiobooks easily too, as well as change or renew books without having to leave their seat.
So Sora definitely comes with a thumbs up from me!
Back in November, we had a ‘STEM’ week at school, which was an opportunity to celebrate the subjects of Science, Technology (Computing), Engineering (Design Technology) and Maths and the interconnections between them all. As a 1:1 iPad school, what better way to do this than setting up a virtual ‘escape room’ challenge using Showbie Groups?
Showbie has had ‘groups’ for a while now, which are basically a bit like a mix between an assignment and a class discussion, and has its own little ‘groups’ section in the UI separate from classes. They are created by a teacher, are joinable by both parents and students, and can be set to ‘announcements only’, thus preventing everyone else from posting in them (should you so desire). To join them, all you need is a 5-character Showbie Group code.
From this came the germ of an idea: students would be given a URL within Showbie to join the starting Showbie Group, which would explain the rules of the game as well as the code for the first subject’s Showbie Group, e.g. Science. Each subject would have its own group and challenge, with the outcome of the challenge revealing a 5-character code that would take you to the next subject’s Showbie Group. Once all of the tasks and subjects had been completed, children would then have successfully won the ‘escape room’ challenge.
We decided to differentiate by year groups/phases, as a Year 1 child would need a different level of challenge to a Year 2 child, as would lower Key Stage 2 (Years 3-4) and upper Key Stage 2 (Years 5-6). This required the creation of quite a few different Showbie Groups – 21 to be precise (4 different levels of challenge, 4 subjects each plus a ‘welcome’ landing group, with a shared ‘celebration’ victory group)!
With all this set up, each subject then began devising their activity and challenges. My computing team and I took on the T in technology and we came up with iPad tasks as follows.
Task 1: Pages
In Pages, we created increasingly difficult puzzles that mostly involved changing the colour of the text within a coloured box to reveal one of the characters in the Showbie Group code. We tried to include some instructions on what to do, to make it not too hard and not too easy.
Task 2: Keynote
In Keynote, we wanted to make use of children’s skills in selecting, moving and rotating objects to make a literal jigsaw puzzle. And rather than just show the required Showbie Group code character, why not include a homophone instead? The hardest part was subtracting and combining shapes to create suitable ‘jigsaw’ outlines, before using them to mask over part of an image. A little fiddly, but certainly good fun.
Task 3: GarageBand
For this task, we wanted to use audio in some way. In Years 1 and 2, we just recorded something as a Showbie voice note, but for Key Stage 2 we made it more tricky by including a GarageBand project file. Years 3 and 4 had to know how to turn up the volume on a specific track to hear back the Showbie Group code and Years 5 and 6 had to reverse and speed up my dulcet tones for their answer. Certainly more tricksy!
Task 4: iMovie
This was possibly the most difficult task for children, particularly the older ones. For Key Stage 1, we just had a first-person video of me wandering around the school until I zoomed into the next character of the Showbie Group code. Lower Key Stage 2 had an iMovie project with the Showbie Group code character inserted as a cutaway halfway through, which wasn’t too difficult. Upper Key Stage 2 had the real challenge, which was an iMovie project of a first-person shot down a corridor with no Showbie Group code character to be seen. What children had to do was select the clip in the timeline and then extend it backwards to reveal the missing character: I gave no clues that this is what you needed to do, so most people didn’t get it!
Task 5: Numbers
The final task for each year group/phase was a little Numbers spreadsheet that, once the correct characters were entered, would reveal the final character for the Showbie Group code. This was a fun little document to make, and was a useful check that children had solved the previous puzzles before allowing them to move onto the next Showbie Group. We made it harder/easier by the number of possible characters that appeared in each dropdown box and whether it gave feedback by changing colour if you selected the correct character. It would have been quite easy to hack the spreadsheet to reveal the correct code, but I’m not sure our students knew enough Numbers formulas for that!
All in all, I think children had a lot of fun completing all the tasks, solving the puzzles and engineering their way out of the ‘escape room’. It was a rather time-consuming little project, but worthwhile I feel.
Since, like, forever, we have had our Macs at school bound to our Active Directory. Initially this was to try and match the experience people were used to with logging into PCs, with a shared drive and a network ‘home’. But as we started to migrate to the cloud, the jobs of the trusty (or not) Windows server were increasingly given away elsewhere, e.g. using Google Drive for our shared drives and so on. This left the Macs just using network accounts purely to authenticate users. Was there a way to log onto the Macs using cloud credentials?
Defining the benefits
‘Moving to the cloud’ is something that is spoken of as an untrammelled good, but it’s useful to articulate the advantages. What would be the benefit of moving away from logging in with on-premises Active Directory?
A service in the cloud is a service that is someone else’s problem if it breaks. Before we moved to Google Drive, all of the school’s really important documents just lived on a hard drive on a server in a cupboard. Whilst the data was backed up, it still was a rather fragile single point of failure. If the running of the server is handed over to people who actually know what they’re doing (e.g. Microsoft or Google), this is one less thing for a school to worry about.
A job that’s handled by the cloud is one less job for an on-premises server. Hopefully, if enough jobs can be given away, we can get rid of the server altogether!
Unifying the sign-in experience. We use Microsoft accounts in an ever-increasing variety of places, such as with federated Managed Apple IDs and as part of the initial setup process on an iPad, so if teachers are used to using the Microsoft account every day on the Macs, this will help them become more familiar with it.
Giving a more reliable experience. Whilst binding to AD has been part of the Mac since OS X and before, it feels like directory access is something that randomly breaks as the OS updates or upgrades. So if we just move beyond it, this removes one more point of failure.
Allowing remote users to log into their Macs. Since the COVID pandemic, there’s been an increasing number of users in school who need to be able to log into their Macs when not on the school network. If the Mac is still bound to the AD, this isn’t necessarily possible.
Moving with where things are going. Back in 2015, we moved from managing our Macs with a Mac Server running Workgroup Manager (those were the days) to an MDM approach with Jamf Pro. Workgroup Manager continued ‘working’ for several more years of macOS updates after that before being discontinued with Yosemite, but it was good to be ahead of the curve and avoid running into a brick wall. Moving away from binding to AD feels like the same sort of thing.
Enter Jamf Connect
So, what to replace network accounts with? In 2018, Jamf acquired NoMAD, which was an open-source alternative to using Apple’s directory tools for authenticating users. It then turned into Jamf Connect, a paid solution that offers its own login screen and a menu bar tool. How does it work?
Installation of Jamf Connect requires a ‘jump start’, a remote support session from a Jamf technician to set it all up in your environment. A great way to get it all working!
There is a Jamf Connect Configuration Tool that is required to set up the different settings, such as which identity provider you’re going to use as well as a plethora of different options.
We then set up the login screen (complete with custom wallpaper) so that users were required to sign into the Mac using their Microsoft account. If an existing AD account was already there, this was converted from a ‘mobile’ account to a standard Mac user account. The login process then asks for the user to enter their password for a second time, which then unlocks the account on the Mac itself.
Once logged in, we configured it so that the Jamf Connect menu bar item was automatically logged in with the Microsoft account, which then kept the local Mac password in sync with the cloud password.
Once we had installed the Jamf Connect software and configuration options, and told staff what to expect on their new login screen, it seemed to work just fine!
Things to watch out for
It wasn’t entirely plain sailing from this point however. The way Macs are set up at school is that, whilst a particular Mac may only be used by a subset of users, it could potentially be logged into by any member of the staff team. If a user had changed their password since logging into a Mac and then returned to that Mac, the local password would be the old one. When using network accounts, the Mac would happily log in using the new password and then would prompt the user for the old password to update the keychain password. If the user didn’t know their old password, the old keychain would be replaced with a new one.
With Jamf Connect, this scenario gets more complicated. If the user’s account is still a ‘mobile’ account and has not been converted to a ‘standard’ account as part of the initial login with Jamf Connect, the Mac can still talk to Active Directory to at least still let the user into the local account before it is then ‘demobilised’. (Please see Jamf’s documentation for more information about this.) For this reason, it’s important to not unbind the Macs from the Active Directory until you’re sure there are no remaining ‘mobile’ accounts on it. I found some handy ‘extension attribute’ scripts that will tell you which Macs on Jamf Pro still have network accounts on them.
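One way to write such a check, as an added example rather than the extension attribute scripts referred to above: it assumes a mobile account is recognised by the LocalCachedUser marker in its AuthenticationAuthority attribute, and the sample records used when dscl is not available are constructed.

```shell
#!/bin/sh
# Added example: Jamf Pro extension attribute that lists leftover AD 'mobile' accounts.
# Assumption: a mobile account carries the LocalCachedUser marker in the
# AuthenticationAuthority attribute of its local directory record.

# Print "shortname uid" for every local user record.
list_users() {
    dscl . -list /Users UniqueID
}

# Print the AuthenticationAuthority attribute of one user record.
read_authority() {
    dscl . -read "/Users/$1" AuthenticationAuthority 2>/dev/null
}

# Off a Mac (no dscl), fall back to constructed sample records so the logic can be tried out.
if ! command -v dscl >/dev/null 2>&1; then
    list_users() {
        printf '%s\n' 'root 0' '_spotlight 89' 'ladmin 501' 'jsmith 1843920112' 'mteacher 502'
    }
    read_authority() {
        case "$1" in
            jsmith) echo 'AuthenticationAuthority: ;LocalCachedUser;/Active Directory/EXAMPLE/example.sch.uk:jsmith:CONSTRUCTED-GUID' ;;
            *)      echo 'AuthenticationAuthority: ;ShadowHash;HASHLIST:<SALTED-SHA512-PBKDF2>' ;;
        esac
    }
fi

# Print the short name of every non-system account (UID 501 and up)
# that is still a cached network account.
list_mobile_accounts() {
    list_users | while read -r name uid; do
        [ "$uid" -ge 501 ] 2>/dev/null || continue
        if read_authority "$name" | grep -q 'LocalCachedUser'; then
            printf '%s\n' "$name"
        fi
    done
}

# Jamf Pro reads the extension attribute value from between the <result> tags.
mobile_report() {
    found=$(list_mobile_accounts | paste -s -d ' ' -)
    printf '<result>%s</result>\n' "${found:-None}"
}

mobile_report
```

A smart group on this attribute being anything other than "None" gives the list of Macs that should stay bound for now.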
If a user’s account is a normal ‘standard’ account, either because they’ve demobilised an existing network account or have just signed in fresh with Jamf Connect, and they then change their password outside of using the Mac and return to the Mac, there thankfully is a solution to getting back into this account. I found a handy blog post that explains the commands you can use to change the password on a given user account. I turned this into a script that can be run from Self Service, which prompts the user for the username of the account you’re trying to change the password of. You need to actually be logged into a machine to do this, which can be done with a local admin account or something like that. In the script I made it change the password to something that only your tech team can know, preventing any unscrupulous users changing the password of another account and then trying to log in! The next time the user logs in via Jamf Connect, they can then enter the temporary password as the known local account password, which Jamf Connect will then change to the user’s cloud password once they’re logged in.
Below is the script in question:
#!/bin/bash
#Freddie Cox for Knox County Schools
#Edited by Tim Lings
#Prompt for the affected username (AppleScript dialog run through osascript)
userName=$(/usr/bin/osascript <<'EOF'
tell application "System Events"
set userName to text returned of (display dialog "Please enter affected username:" default answer "" with icon 2)
end tell
EOF
)
#Reset local password
/usr/bin/dscl . -passwd /Users/"$userName" temporarypassword
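A more defensive variant of the reset, as an added example rather than the script used at the school: it refuses anything that is not a plain short name, any system account and any member of the local admin group. Taking the temporary password from Jamf Pro script parameter 4 instead of the script body, and the names check_target, uid_of and is_admin, are assumptions of this example.

```shell
#!/bin/sh
# Added example: the same local password reset with guard rails on the target account.
# Assumption: run as root from a Jamf Pro policy that supplies the temporary
# password as script parameter 4.

# Accept only plain short names: a letter or underscore first, then letters, digits, . _ -
valid_short_name() {
    case "$1" in
        ''|[!A-Za-z_]*|*[!A-Za-z0-9._-]*) return 1 ;;
    esac
    return 0
}

# Print the UID of an account, or nothing if it does not exist.
uid_of() {
    id -u "$1" 2>/dev/null
}

# Succeed if the account is a member of the local admin group.
is_admin() {
    dseditgroup -o checkmember -m "$1" admin >/dev/null 2>&1
}

# Decide whether the account may be reset. Prints "ok" and returns 0,
# or prints the reason for refusing and returns 1.
check_target() {
    valid_short_name "$1" || { echo "invalid username"; return 1; }
    uid=$(uid_of "$1")
    [ -n "$uid" ] || { echo "no such account"; return 1; }
    [ "$uid" -ge 501 ] || { echo "system account"; return 1; }
    if is_admin "$1"; then
        echo "admin account"
        return 1
    fi
    echo "ok"
}

# Ask the technician for the short name; osascript prints the text entered.
prompt_for_user() {
    /usr/bin/osascript -e 'tell application "System Events" to text returned of (display dialog "Please enter affected username:" default answer "" with icon 2)'
}

# Do the reset only on a Mac and only when the policy supplied parameter 4.
if command -v dscl >/dev/null 2>&1 && [ -n "${4:-}" ]; then
    target=$(prompt_for_user) || exit 1
    reason=$(check_target "$target") || { echo "Refused: $reason"; exit 1; }
    dscl . -passwd "/Users/$target" "$4" || exit 1
    echo "Local password reset for $target"
fi
```

The refusal reason goes to standard output, so it appears in the policy log for that Mac.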
One last thing we discovered is that some users had figured out that they could click ‘local account’ on the login screen and then log in with their normal AD credentials, rather than having to put in their cloud Microsoft account. It is possible to set the configuration for the Jamf Connect login window using ‘DenyLocal’ to prevent this happening (with the option to also specify local admin logins that you still want to allow).
Ah, September. The time of year when the school that everyone has so diligently and carefully taken apart, sorted out and tidied away in July has to be put back together again in a matter of days because all of the children are starting school again.
The same applies with technology in schools. With our 1:1 iPad programme, September is when we have to set up new iPads for our students. Depending on the refresh cycle, this can be anything from three to six year groups that need doing. Thankfully, this year it was only Years 1-3, as we had just started a new lease with Key Stage 1 iPads and the Year 3s needed the iPads that Year 6 had finished with at the end of term.
This year, we (my technician and I) successfully got all the iPads up and running by the end of day two of term…which I think was pretty good going! We managed the four classes in Year Three in one day, involving students setting up the iPads themselves, and got all eight Key Stage 1 classes ready, which we set up for the students in our bespoke Using Shared iPad Mode In The Wrong Way approach, in a day and a half.
Which I think is pretty good going! And much better than last year, which took three or four times as long.
So, what was different this year?
Having a technician again. For various reasons, the previous year I was left bereft of an IT technician, which makes a huge difference when it comes to deployment. Another pair of capable hands saves so much time.
Network upgrades. Our network has 802.11ac wireless access points and a 10gig fibre backbone but the actual cabling into some classrooms was shockingly old. In the last year we’ve rectified this with CAT 6a cabling upgrades. Which makes things much faster, or at least not noticeably slow!
Single sign on in other places too. We’ve also made use of student Microsoft accounts with logins for Showbie (our learning platform), Mathletics (for practising maths skills) and Sora (our digital lending library). It helps students become more familiar with their Microsoft account credentials and, I think, reduces complexity again.
When dealing with a school of iPads, making the effort to smooth out the speed bumps is always worth it in the long term. For technology to be an effective tool in the classroom, it’s got to ‘just work’ as much as possible, so it fades into the background and instead supports learning.
When we first got a small suite of iMacs at my school back in 2010, I could keep them all up-to-date by just manually going around and running Software Update on each machine. Later on I discovered that I could use Apple Remote Desktop to push out a Unix command to trigger the update on multiple machines at once, which seemed pretty cool at the time.
However, as the number of Macs began to multiply, keeping on top of updates became an increasing problem. As the computers were spread out across the school, I couldn’t be sure that they weren’t being used when I was wanting to run the updates, and the whole process required too much hand-holding.
After a bit of searching around on the interweb, I stumbled upon Munki. Developed by Greg Neagle at Disney, it allowed (amongst other things) for a Mac to install Apple’s software updates whilst the Mac was sitting on the login screen. By scheduling the Macs to turn on early enough in the morning, I could be sure that they were freshly on the latest and greatest version of the operating system for users at the start of each day.
Fast forward to 2020 with macOS Big Sur, and then Apple Silicon, Apple Software Updates increasingly relied on the user to actually hit the ‘restart’ button for them to install, leaving Munki unable to perform this task automatically. What to do about this?
The first thing I did was to use a configuration profile to turn on ‘automatic updates’ in System Preferences. Some updates would still require a user-initiated restart however.
I then came upon a newly developed piece of software called Nudge. Read a great blog post by Andrew Doering here!
The idea of Nudge is that the little application will pop up and ‘nudge’ users towards hitting that restart button in System Preferences. It can be configured in lots of different ways, such as giving users a certain number of dismisses of the app before it starts seriously nagging the user to just do the update. Great stuff!
Everything about how to install and set it up is on the Get Started and Readme pages, so do take a look there. Here are a few pointers from my experience, which may also be of assistance:
First thing to do is to get the Nudge app installed. The latest build is on the site and can be deployed using your management tool of choice. I used a policy in Jamf Pro.
Next you need to configure it. I used a configuration profile, making use of the handy Jamf Pro Guide which explains how to import a JSON configuration schema. Nice!
I completely missed step three at first, which is to install the launch agent, which is programmed to make Nudge run every 30 minutes. As otherwise it will never start nudging those users!
I’ve let staff know that we need them to play their part and run the update, but hopefully Nudge will, well, ‘nudge’ them along nicely as well!
When the iPad first came out back in 2010, it also came with what was then called ‘iBooks’, Apple’s answer to the Amazon Kindle. You could buy and read digital books straight on your lovely new iPad…fantastic!
Some time after that, Apple brought out the Volume Purchase Programme, which allowed schools/businesses to buy copies of apps and books for their users. These came in the form of codes which would have to be redeemed against a user’s Apple ID. These codes could only be used once, which meant that if a user left your organisation you’d have to buy all their apps again, or recycle their Apple ID by changing the name and password.
Fast forward to 2013 and Apple brought out Managed Distribution, which allowed an institution (via MDM) to assign app and book licences directly to a user’s Apple ID. With apps, these licences could be recalled and distributed elsewhere if required, but with books the licence got ‘used up’ if assigned.
A few years later, Apple rolled out device-based app assignment, which allowed an app to be assigned to a specific iPad even if there wasn’t an Apple ID on the device.
Not so with books: these still needed to be assigned to an individual rather than a device.
In order to distribute copies of Apple’s coding or creativity resources to teachers, I was quite happy to assign those book licences to individuals because there were only so many teachers in the school. But when it came to our KS2 deployment, there wasn’t a way in Jamf Pro to easily make a list of all the 450 students and then assign them books.
However, in Jamf Pro 10.16, a new feature was released that allowed for the creation of smart user groups based on information imported from Apple School Manager. So this would allow me to make a smart group with just the students in a specific class or year group. Which I could then use to assign books. Added to this was the feature that allowed for the automatic registration of users with volume purchasing if they have a Managed Apple ID, which basically meant that the MDM could assign apps/books to the user without the user having to agree to the registration. Which is handy when working with a whole school 1:1 programme!