Tag: MDM

An Ode to Jamf School

We’ve been using Jamf Pro (formerly Casper Suite) at school since 2015 to manage our Macs and iPads. And it’s been generally great, and certainly better than any other MDMs on offer.

However, upon visiting and presenting at BETT earlier this year, it became clear that Jamf were positioning their Jamf School product (formerly Zuludesk, acquired by Jamf in 2019) as the best solution to use in education. After chatting with some Jamf engineers and then their sales team, it turned out that they were perfectly happy to give us complementary licences for Jamf School for the year for us to try it as we were already paying for Jamf Pro and then we could migrate our devices from Jamf Pro at our own pace.

And trialing it is what we’ve done. Moving MDM is not an insignificant task, as every device has to be reenrolled (involving a wipe and fresh setup), but as we were refreshing our KS2 iPads and tweaking our KS1 setup (no more ‘shared iPad’ mode), this seemed like a good opportunity.

And the verdict? We love it!

So much so that I am going to write a blog post where I literally count the ways in which Jamf School is so great…

  1. It’s easy to get started. There’s a friendly onboarding process that gets you plugged into all of Apple’s systems from the outset, such as Apple School Manager, sorting out push certificates etc.
  2. Authentication with Microsoft is also easy. Compared with Jamf Pro, sorting out authentication with a 3rd party provider is really straightforward and lets you add that to the device enrolment workflow.
  3. Syncing accounts with Apple School Manager is simple. Once ASM is plugged in, all of the various student and teacher accounts can be imported into Jamf School, complete with class groupings and everything.
  4. Making groups is fun. In Jamf School, when you make a static or smart group, assigning apps and profiles to that group is part of the creation process. It’s a small thing, but it’s so much quicker as you just ‘click, click, click’ to add the apps you want, rather than going to each app individually and changing the scope.
  5. Making profiles is more straightforward. Rather than just presenting profile options in all their complexity, profile creation is organised in a way that makes more sense for a school. For example, designing Home Screen layouts includes a lovely drag and drop GUI that shows what it will look like as you create it.
  6. The Jamf Teacher/Jamf Student apps are cool. Rather than the Self Service app in Jamf Pro, Jamf Teacher combines the classroom control functionality and resource/app/books catalogue into one place. Which is nice.
  7. There is a plethora of payload variables on offer. Jamf Pro had a few ways of pulling in device/user information in places, but Jamf School has way more of this. One particularly handy place this is implemented is with device naming. Rather than just having the option of a the device serial number, we can craft our own custom naming schema, with the default being the useful ‘iPad of %FullName%’. It’s a little thing, but it makes AirDrop in a school of hundreds actually doable as students can easily see the iPad of their classmate, rather than just the serial number.
  8. Student photos on Apple Classroom becomes a thing. Ever since Apple Classroom came out, it’s been possible to put your student’s photos to appear when showing which child has which iPad. However, for most MDMs it’s required hosting the photos of the students on a private web server, which is way beyond my competence level. But with Jamf School, you can just upload the photos to the child’s profile and then they appear automagically in Apple Classroom. Or even the teacher can take a photo in the Jamf Teacher app and then they appear in Apple Classroom too. Cool huh?
  9. Different app settings in one place. In Jamf Pro, if I wanted to have an app automatically install for one group but be a manual install for another group, this was possible but involved adding an app multiple times to the catalogue. Whereas in Jamf School you can just pick the distribution method when you pick the group for the app.
  10. The App catalogue just shows the apps you have licences for. Rather than having to add apps by searching the entire App Store catalogue, Jamf School just shows you all the apps you have volume purchase licences for. And if you don’t want to use any given app any more, you can just hide it from the list. It’s so easy AND tidy!
  11. Assigning books just works. Want to add a book? It will already be in the catalogue of books if you have a licence for it and then you just scope it to the users you want to have it. Jamf School sorts out inviting all the Managed Apple IDs with a simple tick of a box.
  12. You can put devices in groups, enter their asset tag number and rename them before they are enrolled. This is hugely powerful because you no longer need to think of sneaky ways to get a device to end up back in a group should it ever be wiped or deleted from Jamf School.

I probably could go on.

All in all, it’s been an experience with the continual delight of ‘hey, that’s a much better way of doing things’. Admittedly, some ways of doing things is different to Jamf School (such as the idea of automatically reinstalling apps if a user deletes them – the correct method is to remove it via the Jamf Teacher or Jamf Student app). But once you begin thinking in a Jamf School kinda ways, it becomes much easier!

How to make iCloud save the day

For various different reasons and entirely due to my own incompetence, on Monday I managed to accidentally and remotely remove all of the apps from all of our teachers iPads. Not a good way to start the day!

So, after fixing the problem and setting all the apps to reinstall again, I reflected on what does happen to all that app data should any app be accidentally deleted in future. Sure, you can restore from an iCloud backup, but that’s a pretty time-consuming process and it would be better if everything lived nice and safe in the cloud.

So, how did various different apps perform?

  • iWork: fine, so long as teachers had been saving to iCloud Drive (with the free 200GB of storage with Managed Apple IDs).
  • G-Suite: absolutely fine, as the very epitome of cloud storage.
  • Office365: more of a mixed story, depending if people were saving things to ‘On my iPad’ or to OneDrive. The Office apps don’t default to the cloud, which is not great.
  • Slack: requires the user to know the name of the workspace before signing in, but once you’re in it’s good as new.
  • Explain Everything: nothing is saved to the cloud, so any projects that weren’t already exported are lost.
  • Book Creator: not a problem, mainly because I had previously turned on iCloud storage via MDM. Once you open the app and wait a few moments, all of your previous books reappear…yay!

Making Book Creator save to iCloud

Now at this point I need to interject: how exactly did I got Book Creator to save everything to iCloud? It’s not the default setting, that’s for sure!

I stumbled upon the solution a few years ago when we introduced Shared iPad in Key Stage 1. Shared iPad mode heavily relies entirely on apps using iCloud to store all their data so that when a user logs out of one iPad and into another one, all of their app data magically follows them. Some apps support this out of the box, whereas others need to have a few settings turned on via MDM.

One cool thing about MDM is that you can use it to push out certain configurations to apps when they are installed. On Jamf Pro, there is an ‘App Configuration’ tab on apps and it’s in there that you can put in the extra settings. Such as…

<dict>
<key>enableCloudSync</dict>
<true/>
</dict>

If you enter this information, even if the iPad in question isn’t in Shared iPad mode, it will automatically save the user data to iCloud. Handy!

Please see https://support.bookcreator.com/hc/en-us/articles/209212825-Configuration-for-Shared-iPads for full details from Book Creator.

Making Explain Everything save to iCloud

So, could I leverage this benefit to fix any of the other apps? The answer is yes!

Explain Everything supports Shared iPad mode, so I used the same trick to get it to save data to iCloud even if the device wasn’t in Shared iPad mode. The following configuration dictionary in the app configuration worked for me:

<dict>
<key>SharediPads</key>
<true/>
</dict>

Please see https://docs.google.com/document/d/1atOMVFtTh38dG6twc9EbCTjBrB78gsBAbmHMVXrzHUw/edit#heading=h.i0got4llqoyo for full documentation from Explain Everything.

Making it easier to sign into Slack

Now, Slack doesn’t use iCloud per say. But it would be handy if school devices knew the school Slack domain by default to make signing in much simpler. And it turns out that they can!

The following app configuration is what you need:

<dict>
<key>OrgDomain</key>
<string>yourslackteamnamehere</string>
</dict>

Please see https://storage.googleapis.com/appconfig-media/appconfig-content/uploads/2017/11/Slack-AppConfig-ISV-Capabilities-V2-.pdf for full details of what is possible with managing Slack.

Meraki and LGfL 2.0

Having a few moments at the end of the day, I thought I would give Meraki a spin. I had much more success with enroling an iPad, particularly when compared to the frankly hopeless time I had with Lion’s Profile Manager, but then couldn’t get it to actually update settings remotely or anything. Then I remembered…of course, the LGfL firewall! I’ve submitted a request for the various ports, so we shall see how that goes.

Giving up on Profile Manager

The promise of Lion’s Profile Manager seemed good: a nearly free way of managing all the macs and iPads on your network, pushing setting etc over air using Apple’s Push Notifications.

Except I can’t get it to work. The issue is that when you try and enrol an iOS device, it complains that the certificate is invalid. I’ve searched hi and low on the Interweb for solutions, and even tried out a few. However, the result has been even more of a mess, as far as I can tell!

45 iPads arrived at school today, just waiting for me to set them up ready for September. I was hoping to use Profile Manager as part of the setup process, but I think now I’ll just have to make do with Apple Configurator and iTunes. Hey ho.

Maybe more joy will be to had with Mountain Lion Server?

These guys at Amsys seem to have gotten it going, if anyone’s interested.