Category: Jamf Pro

Jamf Connect

Since, like, forever, we have had our Macs at school bound to our Active Directory. Initially this was to try and match the experience people were used to with logging into PCs, with a shared drive and a network ‘home’. But as we started to migrate to the cloud, the jobs of the trusty (or not) Windows server were increasingly given away elsewhere, e.g. using Google Drive for our shared drives and so on. This left the Macs just using network accounts purely to authenticate users. Was there a way to log onto the Macs using cloud credentials?

Defining the benefits

‘Moving to the cloud’ is something that is spoken of as an untrammelled good, but it’s useful to articulate the advantages. What would be the benefit of moving away from logging in on-premises Active Directory?

  1. A service is the cloud is a service that is someone else’s problem if it breaks. Before we moved to Google Drive, all of the school’s really important documents just lived on a hard drive on a server in a cupboard. Whilst the data was backed up, it still was a rather fragile single point of failure. If the running of the server is handed over to people who actually know what they’re doing (e.g. Microsoft or Google), this is one less thing for a school to worry about.
  2. A job that’s handled by the cloud is one less job for an on-premises server. Hopefully, if enough jobs can be given away, we can get rid of the server altogether!
  3. Unifying the sign-in experience. We use Microsoft accounts in an ever-increasing variety of places, such as with federated Managed Apple IDs and as part of the initial setup process on an iPad, so if teachers are used to using the Microsoft account every day on the Macs, this will help them become more familiar with it.
  4. Giving a more reliable experience. Whilst binding to AD has been part of the Mac since OS X and before, it feels like directory access is something that randomly breaks as the OS updates or upgrades. So if we just move beyond it, this removes one more point of failure.
  5. Allowing remote users to log into their Macs. Since the COVID pandemic, there’s been an increasing number of users in school who need to be able to log into their Macs when not on the school network. If the Mac is still bound to the AD, this isn’t necessarily possible.
  6. Moving with where things are going. Back in 2015, we moved from managing our Macs with a Mac Server running Workgroup Manager (those were the days) to an MDM approach with Jamf Pro. Workgroup Manager continued ‘working’ for several more years of macOS updates after that before being discontinued with Yosemite, but it was good to be ahead of the curve and avoid running in a brick wall. Moving away from binding to AD feels like the same sort of thing.

Enter Jamf Connect

So, what to replace network accounts with? In 2018, Jamf acquired NoMAD, which was an open-source alternative to using Apple’s directory tools for authenticating users. It then turned into Jamf Connect, a paid solution that offers it’s own login screen and a menu bar tool. How does it work?

  • Installation of Jamf Connect requires a ‘jump start’, a remote support session from a Jamf technician to set it all up in your environment. A great way to get it all working!
  • There is a Jamf Connect Configuration Tool that is required to set up the different settings, such as which identity provider you’re going to use as well as a plethora of different options.
  • We then set up the login screen (complete with custom wallpaper) so that users were required to sign into the Mac using their Microsoft account. If an existing AD account was already there, this was converted from a ‘mobile‘ account to a standard Mac user account. The login process then asks for the user to enter their password for a second time, which then unlocks the account on the Mac itself.
  • Once logged in, we configured it so that the Jamf Connect menu bar item was automatically logged in with the Microsoft account, which then kept the local Mac password in sync with the cloud password.

Once we had installed the Jamf Connect software and configuration options, and told staff what to expect on their new login screen, it seemed to work just fine!

Things to watch out for

It wasn’t entirely a plain sailing from this point however. The way Macs are set up at school is that, whilst a particular Mac may only be used by a subset of users, it could potentially be logged into by any member of the staff team. If a user had changed their password since logging into a Mac and then returned to that Mac, the local password would be the old one. When using network accounts, the Mac would happily log in using the new password and then would prompt the user for the old password to update the keychain password. If the user didn’t know their old password, the old keychain would be replaced with a new password.

With Jamf Connect, this scenario gets more complicated. If the user’s account is still a ‘mobile’ account and has not been converted to a ‘standard’ account as part of the initial login with Jamf Connect, the Mac can still talk to Active Directory to at least still let the user into the local account before it is then ‘demobilised’. (Please see Jamf’s documentation for more information about this.) For this reason, it’s important to not unbind the Macs from the Active Directory until you’re sure there are no remaining ‘mobile’ accounts on it. I found some handy ‘extension attribute’ scripts that will tell you which Macs on Jamf Pro still have network accounts on them.

If a user’s account is a normal ‘standard’ account, either because they’ve demobilised an existing network account or have just signed in fresh with Jamf Connect, and they then change their password outside of using the Mac and return to the Mac, there thankfully is a solution to getting back into this account. I found a handy blog post that explains the commands you can use to change the password on a given user account. I turned this into a script that can be run from Self Service, which prompts the user for the username of the account you’re trying to change the password of. You need to actually be logged into a machine to do this, which can be done with a local admin account or something like that. In the script I made it change the password to something that only your tech team can know, preventing any unscrupulous users changing the password of another account and then trying to log in! The next time the user logs in via Jamf Connect, they can then enter the temporary password as the known local account password, which Jamf Connect will then change to the user’s cloud password once they’re logged in.

Below is the script in question:

#!/bin/bash
#Freddie Cox for Knox County Schools
#Edited by Tim Lings
#2021
set -x

sleep 1

userName=`/usr/bin/osascript <<'EOT'
 tell application "System Events"
    activate
    set userName to text returned of (display dialog "Please enter affected username:" default answer "" with icon 2)
end tell
EOT`

#Reset local password
/usr/bin/dscl . -passwd /Users/"$userName" temporarypassword

One last thing we discovered is that some users had figured out that they could click ‘local account’ the login screen and then login with their normal AD credentials, rather than having to put in their cloud Microsoft account. It is possible to set the configuration for the Jamf Connect login window using ‘DenyLocal’ to prevent this happening (with the option to also specify local admin logins that you still want to allow).

Giving macOS Software Updates a Nudge

When we first got a small suite of iMacs at my school back in 2010, I could keep them all up-to-date by just manually going around and running Software Update on each machine. Later on I discovered that I could use Apple Remote Desktop to push out a Unix command to trigger the update on multiple machines at once, which seemed pretty cool at the time.

However, as the number of Macs began to multiply, keeping on top of updates became an increasing problem. As the computers were spread out across the school, I couldn’t be sure that they weren’t being used when I was wanting to run the updates, and the whole process required too much hand-holding.

After a bit of searching around on the interweb, I stumbled upon Munki. Developed by Greg Neagle at Disney, it allowed (amongst other things) for a Mac to install Apple’s software updates whilst the Mac was sitting on the login screen. By scheduling the Macs to turn on early enough in the morning, I could be sure that they were freshly on the latest and greatest version of the operating system for users at the start of each day.

Fast forward to 2020 with macOS Big Sur, and then Apple Silicon, Apple Software Updates increasingly relied on the user to actually hit the ‘restart’ button for them to install, leaving Munki unable to perform this task automatically. What to do about this?

The first thing I did was to use a configuration profile to turn on ‘automatic updates’ in System Preferences. Some updates would still require a user-initiated restart however.

I then came upon a newly developed piece of software called Nudge. Read a great blog post by Andrew Doering here!

The idea of Nudge is that the little application will pop up and ‘nudge’ users towards hitting that restart button in System Preferences. It can be configured in lots of different ways, such as giving users a certain number of dismisses of the app before it starts seriously nagging the user to just do the update. Great stuff!

Everything about how to install and set it up is on the Get Started and Readme pages, so do take a look there. Here are a few pointers from my experience, which may also be of assistance:

  • First thing to do is to get the Nudge app installed. The latest build is on the site and can be deployed using your management tool of choice. I used a policy in Jamf Pro.
  • Next you need to configure it. I used a configuration profile, making use of the handy Jamf Pro Guide which explains how to import a JSON configuration schema. Nice!
  • I completely missed step three at first, which is to install the launch agent, which is programmed to make Nudge run every 30 minutes. As otherwise it will never start nudging those users!

I’ve let staff know that we need them to play their part and run the update, but hopefully Nudge will, we, ‘nudge’ them along nicely as well!

Books for kids

When the iPad first came out back in 2010, it also came with what was then called ‘iBooks’, Apple’s answer to the Amazon Kindle. You could buy and read digital books straight on your lovely new iPad…fantastic!

Some time after that, Apple brought out the Volume Purchase Programme, which allowed schools/businesses to buy copies of apps and books for their users. These came in the form of codes which would have to be redeemed against a user’s Apple ID. These codes could only be used once, which meant that if a user left your organisation you’d have to buy all their apps again, or recycle their Apple ID by changing the name and password.

Fast forward to 2013 and Apple brought out Managed Distribution, which allowed an institution (via MDM) to assign app and book licences directly to a user’s Apple ID. With apps, these licences could be recalled and distributed elsewhere if required, but with books the licence got ‘used up’ if assigned.

A few years later, Apple rolled out device-based app assignment, which allowed an app to be assigned to a specific iPad even if there wasn’t an Apple ID on the device.

Not so with books: these still needed to be assigned to an individual rather than a device.

In order to distribute copies of Apple’s coding or creativity resources to teachers, I was quite happy to assign those book licences to individuals because there were only so many teachers in the school. But when it came to our KS2 deployment, there wasn’t a way in Jamf Pro to easily make a list of all the 450 students and then assign them books.

However, in Jamf Pro 10.16, a new feature was released that allowed for the creation of smart user groups based on information imported from Apple School Manager. So this would allow me to make a smart group with just the students in a specific class or year group. Which I could then use to assign books. Added to this was the feature that allowed for the automatic registration of users with volume purchasing if they have a Managed Apple ID, which basically meant that the MDM could assign apps/books to the user without the user having to agree to the registration. Which is handy when working with a whole school 1:1 programme!

Jamf Teacher on Jamf Pro

When we first deployed Jamf Pro many years ago, when it was still called Casper Suite, there was a great little app called Casper Focus that allowed teachers to lock student iPads into apps, trigger AirPlay and — most importantly — reset passcodes on student devices.

Then along came Apple Classroom, plus a rebrand of Casper Suite to Jamf Pro, and Casper Focus was quietly retired. Don’t get me wrong, Apple Classroom is a GREAT product and gives teachers a powerful yet discrete way to keep tabs on what’s going on in the classroom. But it lacks the ability to reset student passcodes on devices. This meant that teachers had to contact IT to get iPads unlocked, should a child forget the 12 character alphanumeric passcode that they had thought would have been such a great choice for their device.

Until now.

Back in 2009, Jamf purchased an education-focused MDM called Zuludesk, and with it some really great apps for teachers, students and parents to manage their devices. Zuludesk became Jamf School and the handy classroom-controlling app for instructors became Jamf Teacher. As a user of Jamf Pro, we were still left out in the dark.

Thankfully, Jamf announced yesterday at their (remote) Jamf Nation User Conference that Jamf Teacher is now on Jamf Pro. Yay! Hopefully this will mean less Helpdesk calls from teachers and, more importantly, students able to get on with their learning more quickly.

How to make iCloud save the day

For various different reasons and entirely due to my own incompetence, on Monday I managed to accidentally and remotely remove all of the apps from all of our teachers iPads. Not a good way to start the day!

So, after fixing the problem and setting all the apps to reinstall again, I reflected on what does happen to all that app data should any app be accidentally deleted in future. Sure, you can restore from an iCloud backup, but that’s a pretty time-consuming process and it would be better if everything lived nice and safe in the cloud.

So, how did various different apps perform?

  • iWork: fine, so long as teachers had been saving to iCloud Drive (with the free 200GB of storage with Managed Apple IDs).
  • G-Suite: absolutely fine, as the very epitome of cloud storage.
  • Office365: more of a mixed story, depending if people were saving things to ‘On my iPad’ or to OneDrive. The Office apps don’t default to the cloud, which is not great.
  • Slack: requires the user to know the name of the workspace before signing in, but once you’re in it’s good as new.
  • Explain Everything: nothing is saved to the cloud, so any projects that weren’t already exported are lost.
  • Book Creator: not a problem, mainly because I had previously turned on iCloud storage via MDM. Once you open the app and wait a few moments, all of your previous books reappear…yay!

Making Book Creator save to iCloud

Now at this point I need to interject: how exactly did I got Book Creator to save everything to iCloud? It’s not the default setting, that’s for sure!

I stumbled upon the solution a few years ago when we introduced Shared iPad in Key Stage 1. Shared iPad mode heavily relies entirely on apps using iCloud to store all their data so that when a user logs out of one iPad and into another one, all of their app data magically follows them. Some apps support this out of the box, whereas others need to have a few settings turned on via MDM.

One cool thing about MDM is that you can use it to push out certain configurations to apps when they are installed. On Jamf Pro, there is an ‘App Configuration’ tab on apps and it’s in there that you can put in the extra settings. Such as…

<dict>
<key>enableCloudSync</dict>
<true/>
</dict>

If you enter this information, even if the iPad in question isn’t in Shared iPad mode, it will automatically save the user data to iCloud. Handy!

Please see https://support.bookcreator.com/hc/en-us/articles/209212825-Configuration-for-Shared-iPads for full details from Book Creator.

Making Explain Everything save to iCloud

So, could I leverage this benefit to fix any of the other apps? The answer is yes!

Explain Everything supports Shared iPad mode, so I used the same trick to get it to save data to iCloud even if the device wasn’t in Shared iPad mode. The following configuration dictionary in the app configuration worked for me:

<dict>
<key>SharediPads</key>
<true/>
</dict>

Please see https://docs.google.com/document/d/1atOMVFtTh38dG6twc9EbCTjBrB78gsBAbmHMVXrzHUw/edit#heading=h.i0got4llqoyo for full documentation from Explain Everything.

Making it easier to sign into Slack

Now, Slack doesn’t use iCloud per say. But it would be handy if school devices knew the school Slack domain by default to make signing in much simpler. And it turns out that they can!

The following app configuration is what you need:

<dict>
<key>OrgDomain</key>
<string>yourslackteamnamehere</string>
</dict>

Please see https://storage.googleapis.com/appconfig-media/appconfig-content/uploads/2017/11/Slack-AppConfig-ISV-Capabilities-V2-.pdf for full details of what is possible with managing Slack.

#deploy2016

For years I have really wanted to do a 1:1 iPad deployment in my school. Ever since we started getting sets of iPads in our school, they always tended towards one-per-child, with teachers combining smaller sets so that every pupil in a class could have one. When the original iPad mini came out in 2012, I put a proposal to my headteacher for us to roll out iPads across the whole school, which (thankfully, in hind-sight) wasn’t accepted. This was back in the days when syncing to iTunes was still a thing and we still had a creaky and patched together wifi network. It might have worked at scale in a 3-4 form Primary school, but I do doubt it.

Since then, we’ve been slowly increasing the number of iPads in the school and gradually embedding them into everyday practice, bringing us to the point where ‘going 1:1’ just seemed like the obvious next step. We just needed more devices so that the iPad could be a tool for learning whenever it was needed, rather than having to negotiate an hour slot once a day. After all, you don’t have to book out a class set of pencils – everyone gets one, whenever you need it!

With this in mind, our proposal for going 1:1 in KS2 was agreed, with the rollout at the beginning of this term. Here’s the process we went through…

Picking the device

We’ve been using iPad minis with children in our school for 3 years, and it’s been working well. The devices are small and light enough for children to easily carry and use, as well as not taking up loads of space on a desk when not required, and they’re also that little bit cheaper than a ‘normal’ sized iPad. The question was then about storage size and model. For the money we had to spend on a lease, we could get 32GB iPad mini 2s over 3 years, 16GB iPad mini 4s over 3 years or 64GB iPad mini 4s over 4 years. Having that slower processor of the mini 2 at this point felt it would feel pretty tired and old after 3 years, as probably would the mini 4 after 4 years. Admittedly, 16GB is pretty scrimpy for doing a 1:1, but with iCloud storage and uploading finished projects to Showbie, I feel like we can make it work. Hopefully! It’s not entirely ideal, but the best of the options.

Broadband Upgrade

We get our broadband at school through London Grid for Learning, which has a pan-London network with pipes from Virgin Media. In return for us signing up for so many more years, they’ve doubled our broadband speed to 200 Mb. The upgrade wasn’t entirely pain free as the increased bandwidth required an enormous new router, which barely/didn’t fit into our existing cabinets. Putting in a new cabinet involved re-patching all the cables, with occasional one popping out because the little clip had snapped off, resulting in “aargh, why doesn’t our network work!” panics.

Having a bigger pipe coming into the school can only help, particularly we significantly increasing the number of devices in the school.

Caching Server

OSX Server has a featured called Caching Server, which basically keeps a copy of any and every app that is downloaded on the network for iOS and OSX and then serves it up the any device that then subsequently wants it. This dramatically speeds up app download speeds and reduces pressure on your broadband connection. Which is nice. It even works in weird networks like ours, where our school is buried deep within LGfL’s network.

However, we only had caching server on one machine, meaning one of our sites was cache-less and the other site had to share one cache with lots of devices. So we got Toucan Computing to install a couple of other Mac servers for good measure.

802.11ac WiFi

The iPad mini 4 comes with faster radios, supporting 802.11ac wifi. Our existing wifi installation was the 802.11N Unifi from Ubiquiti, which allows you to add as many access points as you want without additional licence fees for the controller, which can run on a Mac/PC/Linux box somewhere. They mount nicely on ceiling tiles or walls and can be powered via PoE (Power over Ethernet). They now have an ‘ac’ model, so we swapped in newer access points for the classrooms having 1:1 iPads. So far they seem to be managing perfectly fine with 30+ devices per access point, with faster download speeds as well.

Storage Cabinets

Because we’re not sending the devices home, we needed an easy and secure way to store and charge iPads. Three years ago, lots of people sold ridiculously expensive cabinets that could USB sync your iPads with iTunes. However, I wonderfully stumbled across these cabinets from Zioxi (formerly ISIS, who have since changed their name as the innocent river flowing through Oxford has inherited some other connotations). The trolleys are basically some shelves for each iPad with some power strips to plug in the USB power adaptors.

I’ve found that teachers are notoriously bad at remembering to lock up cabinets, so we opted for ones with digital code locks, making the locking process a lot easier. It seems to be helping!

Apple School Manager

The thought of manually creating 450 Apple IDs made me feel ill at the thought, so thankfully Apple have now released Apple School Manager where you can, amongst other things, create Apple IDs that are managed by the school. These accounts can be reset by the school, as well as inspected for their contents at any time. They also strip out anything to do with commerce on the account, which means no buying apps or in-app purchases. This might make you wonder what the use of them is, especially as apps can now be assigned to devices by the MDM. It’s basically for iCloud backup, plus the ability to accept distributed e-books and enroll on iTunes U courses (with a caveat – read carefully!).

Apple School Manager is an attempt to unify all of the different systems such as Volume Purchase and Device Enrollment. It does work, but still feels a bit like a work in progress.

The dream of Apple School Manager is that it will sync seamlessly with your student information system (SIS), automatically populating your MDM and iTunes U with classes, teachers, courses and the correct students. Our SIS isn’t supported, so we instead have to download 6 CSV templates, complete them with the relevant information and upload it back to Apple via an SFTP address. It was rather fiddly (not helped by the fact that LGFL blocked SFTP traffic to begin with) to set up, and requires some careful reading of their support information, but I got it working in the end. You are supposed to be able to set the passcode requirements (normal alphanumeric, 6-digit or 4-digit) from the CSV file, but that didn’t work for me so I had to manually reset all the account passwords after importing.

Once the Managed Apple IDs are created, you then print them out (either full page or many to a page) and give them to children to enter when setting up their ipads. They have a temporary password that the user then as to change during the setup process. One annoyance was that there was no way to filter or sort by class, only by year group, meaning I had to manually sort a big pile of login sheets into each of the four classes in year group. Hey ho.

Casper Suite

We moved from Meraki to Casper Suite as our MDM last year, and I do not think we could have done a 1:1 programme without it! Amongst its many benefits, it allows us to have our own internal ‘App Store’, through their Self Service app. Students can then browse and download the apps they they need from a pre-selected list without the need for an Apple ID or using the App Store.

Roll Out

With all of this planning and prep, and all the features that Apple released in iOS 9.3, we were able to roll out 15 classes of iPads in just 4 days, with children themselves tapping through the set up process and entering their Managed Apple IDs etc. It really was remarkably straightforward!

The State of Mac Management

In the glory bygone days, managing Macs was easy: just setup a OSX Server, get Workgroup Manager working and then configure users preferences to your heart’s delight. There were ways to easily tweak settings using a GUI, or you could import whatever .plist file you wanted to and have a custom preference.

Now, it wasn’t all a bed of roses: the Mac had to be bound to the OSX Server for these managed preferences to work, meaning things got rather ugly if the server got taken down for any reason. Plus, you had to find other solutions for imaging Macs, deploying and updating software and remote access. But there were tools for this (Deploy Studio, Munki, Apple Remote Desktop), so we were happy.

Then along came Lion. As part of taking everything Apple had learnt from iOS ‘back to the Mac‘, Configuration Profiles were introduced. These were just the same as the profiles used to manage iPhones and iPads, offering ways to lock down certain things and setup accounts like email etc. The other cool thing was that these lightweight profiles could be pushed out to a Mac from an MDM server, removing the need to have the Mac permanently bound to a server. Instead, the Mac would keep hold of its profiles until the server gave it some new ones. Macs and iPads could all be managed from one place: one MDM to rule them all!

Workgroup Manager continued to be updated by Apple, but with very little attention given to it. The last version released was for 10.9 server: it still works in 10.10, but has officially been retired and any future support for it is quite unlikely.

As someone who likes to live at the bleeding edge of technological change, did I adopt it straight away? Not for want of trying! Apple offered their own ‘free’ version of an MDM as part of their Server app, called Profile Manager. We couldn’t even get it to work in 10.7, finally got it working with some iPads in 10.8 and then gave up on it in 10.9 (after suffering email profiles being pulled off every teacher iPad due to some weird Active Directory issue).

The issue with it boiled down to how Configuration Profiles just aren’t the same as Managed Preferences. In the ‘walled garden’ of iOS, we just accepted that certain things just weren’t manageable (like position of apps on the home screen or the initial setup of apps etc). Whereas Managed Preferences had given the Mac administrator the taste of absolute control – you shall have the settings I give you! Plus, they also had the fine-grained option of setting preferences to ‘once’, ‘often’ (ie every time you logged in) or ‘always’… with profiles, everything was just ‘forced’.

So, the questions are: what actually needs to be managed? what are the ways of doing it?

Things that need to be managed:

  • First run settings on stuff like Office
  • Mounting shared drives
  • Tweaking the UI as required, eg right click on Apple Mouse, sidebar defaults etc
  • Licence keys for apps
  • Setting keyboard, location etc
  • Managing the dock
  • Installing new software and patching existing software
  • Imaging new Macs
  • Running Apple Software Update

So what are the tools?

  • Using a Configuration Profile, either for the settings Apple gives you, or importing a custom plist – only works if you don’t mind it being ‘always’. Tim Sutton has a command line tool for converting a .plist file into a profile. An MDM server can push out profiles over the air and Munki can now install profiles too.
  • Tweaking the preferences in the default user template. Composer as part of Casper Suite has a handy feature for doing this as well as filling existing users’ preferences as well.
  • Running various scripts on startup/login/logout. Our Apple reseller has a way of running various scripts like this, and Casper can manage his too. You can also make payload-free packages which just run a script when installed and can be distributed with Munki.

So how do you choose the right tool? The factors are:

  • Cost: MDM servers aren’t cheap necessarily, nor is spending money on getting an Apple reseller to set things up for you.
  • Experience: are you savvy with scripting and dealing with the command line? If not, a solution with a GUI might be better.
  • Continuity: I work in a primary school where high turn-over of staff is quite common. Does the solution need to keep working even if you go?
  • Time: do you have time to learn and understand the intricacies, or do things need to work ‘out of the box’? I am in the fortunate position of being able to give time to figure some things out, but most primary schools aren’t.

At my school, we’ve gone for Casper Suite as a way to have a GUI for managing Macs that doesn’t rely on me being a complete Mac system admin with lots of experience in scripting etc., whilst also moving away from Managed Preferences and leveraging Configuration Profiles instead. Let’s hope it works!

Casper Suite

We’ve just had Casper Suite installed at my school. Part of the installation process is a three-day ‘Jump Start‘ where a highly experienced trainer (in our case, two, as we had someone shadowing) guides you through installing the software and the processes involved in setting up and running it.

So why Casper suite? Over the years, we’ve ended up using a range of different systems and technologies to manage the Macs and iPads in school. The Macs have been managed with an OSX Server running Workgroup Manager, plus a few scripts written by our Apple Reseller and the use of Munki for managing software installs and updates. With iOS, we’ve used Meraki, making use of the VPP programme and managed distribution, as well as Apple Configurator for class sets of iPads.

This has worked pretty well, but I knew we needed to move away from Workgroup Manager. Since 10.7 Lion, Apple has pushed the use of Configuration Profiles instead of Managed Preferences. Technology-wise, it isn’t a straight swap, as there are things you can do with MCX that you can’t do with profiles, and vice versa. But with 10.10, Workgroup Manager no longer even exists (even though the 10.9 version still works!), so I knew we had to do something. Casper suite was well spoken of, properly supported OSX as well as iOS, and seemed to have some cool features.

The main drawback of Casper Suite is the cost: as an educational customer, you only pay for support per device, which works out pretty cheap. But you have to pay for the three days of ‘Jump Start’ before you begin, which is not cheap! However, I calculated that it works out about the cost of a case per device, which isn’t so bad. An iPad without a case is pretty hobbled, and I’m sure Casper will add a depth and richness to our deployment.

The Jump Start went pretty well, and we managed to get everything working by the end of the three days. I did finish the three days feeling overwhelmed with everything there is to do (sorting out all the configuration of the Macs then imaging them all, plus redoing all the iPads), but I think it will come together over the next half term.

Here are some of the highlights so far:

  • Casper Focus: allows a teacher lock all the iPads in a class to a particular app or webpage
  • Self service: dishing up apps, books and in fact most things to users
  • Deployment Enrollment Programme (DEP): iPads get automatically enrolled to Casper and tied to a certain user out of the box
  • Composer: a powerful way to package up Mac apps, including the ability to fill the user template and existing users’ preferences
  • JSS: the fact it runs as a web service, meaning that Macs don’t have to be bound to an OSX server any more
  • JAMF Nation: a community of helpful geeks who are there to help find solutions to problem

I’m not sure it’s the right solution for small primary schools, or places without an onsite Mac geek, but I think it’s going to work really well for us.