This blog was co-authored by Kiran Naidu.
Overview
This how-to blog is intended for customer administrators and MaaS360 administrators who are responsible for deploying the MaaS360 solution in educational settings. It takes you through the steps of deploying iPads successfully in your learning environment for both personally assigned and shared device deployments. You’ll learn how to prepare your environment, set up and deploy iPad, and enable teachers in their classrooms. It also provides guidance for deploying institution-owned devices with the education enhancements in iOS 9.3 or later.
Pre-Configuration and Customer Properties
This feature needs to be enabled by your MaaS360 Administrator for your account. Once enabled, you can view the service on your Setup >> Services page >> Apple for Education.
To integrate Apple School Manager capability to your education setup, go to Provisions>>Configure MaaS360 for Customers>>Customer Properties>>Enable apple school manager.
To integrate shared device capability to your education setup, go to Provisions>>Configure MaaS360 for Customers>>Customer Properties>>Enable apple education shared device.
NOTE: Make sure you log out and log back in to the customer portal for the changes to be reflected.
MaaS360 Local Capabilities
MaaS360 supports two types of data handling for Education use cases: (1) Local data and (2) ASM data. Local data management means creating Students, Instructors, Classes, Admins, etc. on the MaaS portal and using the School features. ASM data management means integrating with ASM and pulling all the School data from it. However, local data does not support the shared device concept supported by Apple. MaaS360 gives users the capability to create local data that does not rely on Apple School Manager. This means we can use existing MaaS capability (with some tweaks) to create user accounts for students and instructors and get their devices enrolled and rolling. Before we go into specifics, let's look at the add-ons and changes that are reflected in your customer portal once the pre-configuration is done.
The first change you would see is a new tab in the landing page of MaaS portal called "Schools":
Create users would now have an extra tab called Education:
Create User
There are primarily two kinds of users we will be creating as part of the education setup: Instructor and Student. A combination of these two entities forms a class, which will be explained later. To create an instructor user, go to Users>>Add User>>Fill in basic information>>Education tab>>fill in Managed Apple Id, Person Number, Role(Instructor), Grade Level, Password Policy.
Similarly, to create a student user, go to Users>>Add User>>Fill in basic information>>Education tab>>fill in Managed Apple Id, Person Number, Role(Student), Grade Level, Password Policy.
Create Class
A class is a collection of students and instructor/s. The second step, after creating students and instructors, is to put these people into a class. To create/edit/delete a class, navigate to Schools>>Class>>Add Class, where you need to fill in details such as Name, Description, Dept, Instructor(Auto complete user name), Student(Auto complete user name), Shared Device(Not applicable for local capability), Course and Location.
User and Device Groups
On creation of a class, a corresponding user group and device group are created. With the group capability, various apps, docs, policies, etc. can be pushed at user level and device level. We can also Edit/Delete groups according to our need.
NOTE: On enabling the Apple education feature, an "All Instructor Device Group" is created automatically. This is useful for pushing specific kinds of apps that should be accessible only to the instructors (such as the Classroom app, etc).
Device Enrollment for MaaS360 Local Capability
To enroll an instructor device, go to Devices>>Add Device>>Give the username of the instructor you want to enroll the device to. Once the device is enrolled, navigate on the device to Settings>>Profiles>>MaaS360 MDM Profile>>Configurations. You will see entries called "Leader Certificate" and "Member Certificate". These define the kind of device, i.e. whether it is an instructor device or a student device.
1. If there are 2 Leader Certificates and 1 Member Certificate → It's an Instructor Device
2. If there are 2 Member Certificates and 1 Leader Certificate → It's a Student Device
Classroom App Configuration on Instructor Device
Classroom turns your iPad into a powerful teaching assistant, helping a teacher guide students through a lesson, see their progress, and keep them on track. With Classroom, you can easily launch the same app on every student device at the same time or launch a different app for each group of students. Classroom helps teachers focus on teaching so students can focus on learning.
Classroom App Capabilities
Start, focus, or pause student work
- Launch any app, website, or book on student devices with a tap
- Lock devices into a single app to help students focus
- Lock screens to pause work or refocus your class
- Mute audio on student devices
See what your students see with Screen View
- See an overview of all student screens at once
- Focus on a single student screen
- Students are informed when their screens are being viewed
Share documents and links with your class using AirDrop
- Share to your entire class with just one tap
- Students can also share with you
Reset forgotten passwords right in the classroom
- Reset a Managed Apple ID password without calling IT
Organize student devices using groups
- Classroom automatically creates groups of students based on the apps they are using
- Teachers can create groups to break students into project teams
- Perform actions on entire groups or on individual students within groups
Apple School Manager (ASM)
Apple School Manager simplifies the management of student and teacher iPads in Apple education and enables a new feature called Shared iPad. Shared iPad allows students to sign in to and out of an iPad, and saves their app data to iCloud automatically. Instructor iPads can also launch the Apple Classroom app to monitor and control student iPads, to ensure that students are focused and productive on their iPads at their institution. Please refer to Apple's documentation for more information about preparing your school for Apple School Manager.
Setting Up School Data in ASM Portal
What is Setup Assistant?
When you first sign in, Apple School Manager provides a simple Setup Assistant that makes it easy to get going. With Setup Assistant you can:
- Add managers
- Connect to your Student Information System (SIS)
- Use the Secure File Transfer Protocol (SFTP) to import account information
- Find students, staff, and classes
- Choose the Managed Apple ID format for all your users
Setup Assistant appears when the administrator or manager first signs in to Apple School Manager. If they close Setup Assistant, they can click their name in the upper-right corner and select Setup Assistant from the pop-up menu to open it again.
With the help of Setup Assistant you can easily import all the student, instructor, staff, class, course, location, etc. information into the ASM portal. There are two ways of importing the data: the first is with .csv files, and the second is with a Student Information System (SIS), which is a private database owned by the respective institution.
NOTE: For more info about Setup Assistant and its use, see the Apple School Manager Help entry for Setup Assistant listed under References.
Apart from the above method, we can also create classes and users manually, as follows:
Create a User in ASM:
Navigate to home screen of ASM portal and Click on People>>Accounts>>Add a new account
NOTE: Make sure that your Managed Apple ID is always unique.
Create a Class in ASM:
Navigate to home screen of ASM portal and Click on People>>Classes>>Add a new class
Creating New MDM Server and Assigning Devices
For MDM vendors to use the capabilities of the ASM data, it is very important to create MDM Servers/DEP tokens. These tokens can later be used to download the ASM data to local repositories. To create an MDM Server, you first need to have a MaaS360 public key uploaded in the "Add MDM Server" page. Then, take the following steps:
1. Navigate to MDM Server>>Click on Add New MDM Server>>Give details such as MDM Server Name, Public Key etc>>Click on Save.
2. Now navigate to Device Assignment page>>Assign Education iPads to the MDM Server created (Add by serial number, order number, CSV file).
3. Navigate back to MDM Server>>Click on the newly created MDM server>> Click on "Get Token"
MaaS360 Apple School Manager Settings
The MaaS portal gives us an option to sync ASM data to our portal. For this, we need to enable the Apple School Manager property from the master admin. When we navigate to the Schools tab in the portal, we will find the Apple School Manager settings page:
Below is the help text and its meaning:
NOTE: If an app needs to be installed on a shared device, the only way to install it on the device is through VPP.
Synchronization of ASM Data to MaaS360 Portal
1. Download an MDM Server token/DEP token from the ASM portal as mentioned in the 10th section of this page.
2. Upload the token by navigating to Devices>>Enrolments>>Other Enrolment Options>>Apple Device Enrolment(DEP)>>Tokens>>Add Token>>Add
3. Now navigate to Schools>>Apple School Manager>>Under Enable Apple School Manager checkbox>>Select the desired token>>Save.
4. Click on save and then click on the refresh button. (NOTE: The ASM data sync time depends purely on the number of records present in the ASM portal; the larger the data, the more time it takes to sync.)
Introduction to Shared Devices
Issuing a device to every student in an institution can be expensive. MaaS360 lets you share a mobile device among students. Shared Device functionality ensures that security and authentication are in place for every unique student. MaaS360 uses a simple login/logout process for shared devices, in which students simply enter their dedicated credentials set in the ASM portal to log in.
Setting Up Shared Devices to Utilize Local and ASM Capabilities
Please perform the following steps to set up shared iPads to utilize local and ASM capabilities.
Pre-conditions:
1. DEP token/s containing shared devices.
2. Token added to MaaS360 portal.
3. ASM data synced in MaaS360 portal.
Steps:
1. Navigate to Devices>>Enrollments>>Other Enrollment Options>>Apple Device Enrollment(DEP)>>Profiles>>Add Profile.
NOTES:
1. To make a device a shared iPad, "Supervised Device" must be checked.
2. Max resident users is the number of partitions you want on your shared device, which means that many students can log in to the device. It usually depends on the iPad storage size. The partition count commonly ranges from 2 to 99.
2. Click on Add and assign the profile to all the devices of the token/s, or assign the profile individually.
3. Reset the device and apply the configurations that have reached the device.
4. Add the shared device serial numbers to the classes from which you want the particular device to be accessed. To do this, navigate to Schools>>Classes>>Search for the class you want to assign the device to (can be local as well as ASM classes)>>Click on edit>>assign the serial number in the "Serial Number" section>>save.
5. Post configuration, you will see a screen that contains Class Information and the students under each class to which this shared iPad is assigned. The student can now log in to the iPad with the credentials provided from the ASM Portal.
Device Policies and User Policies Configuration on the Devices
Local Devices: For standalone local education iPads, policies can be pushed as for any other iOS device. The behaviour of the iPads will be the same as that of other Apple devices on which MDM is configured.
Shared Devices: On shared devices, the device policies remain configured on the device irrespective of which student has logged in; these include some restriction settings, etc. User-level policies, on the other hand, are specific to a student and apply as per the policies assigned to that student. On login these user-level policies are applied, and they are removed as soon as the student logs out. These include Active Sync, CalDav, CardDav, Google Account, Home Screen, Notification settings, etc.
DO's and DON'Ts
Do's
- Make sure that all the pre configurations and pre setups mentioned in this page are done before advancing into specific workflows of education.
- Make sure that the iPads are iOS version 9.3 or later.
- Make sure that the Student iPads are always supervised (they can be supervised with Apple Configurator or a DEP profile).
- The instructor device need not be supervised; it works fine on a non-supervised device as well. But if you want to apply any supervised settings to the instructor device, it is advisable to make the instructor device supervised.
- It is advisable to push the Classroom app to the All Instructor Device Group, as all the instructors will need this app to run the class.
- Make sure that the apps you want to push to the class are in your VPP token; apps from other sources will not be installed on shared devices.
- The ASM portal CSV upload consists of 6 files; make sure that all these files are filled in and synced in the ASM portal. If even one CSV file is missing, the sync will error out in the ASM portal.
- Make sure that the Apple Education iPads are in the same Wi-Fi zone and Bluetooth is enabled; otherwise the Classroom app might show devices as offline.
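A pre-upload check for the six-file CSV set mentioned above, added here as an example and not part of MaaS360 or Apple tooling. It goes beyond the missing-file case to also flag duplicate IDs and references that do not resolve across files; the file names and the trimmed column names are assumptions based on Apple's CSV templates, and check_asm_upload is a hypothetical helper name.

```python
import csv
import io

# Assumed layout: file name -> (key column, {reference column: file it must resolve in})
ASM_FILES = {
    "locations.csv": ("location_id", {}),
    "students.csv": ("person_id", {"location_id": "locations.csv"}),
    "staff.csv": ("person_id", {"location_id": "locations.csv"}),
    "courses.csv": ("course_id", {"location_id": "locations.csv"}),
    "classes.csv": ("class_id", {"course_id": "courses.csv", "instructor_id": "staff.csv",
                                 "location_id": "locations.csv"}),
    "rosters.csv": ("roster_id", {"class_id": "classes.csv", "student_id": "students.csv"}),
}

def check_asm_upload(files):
    """files: {file name: CSV text}. Returns problems found; an empty list means ready."""
    problems, rows, keys = [], {}, {}
    for name, (key, _) in ASM_FILES.items():
        if name not in files:
            problems.append(f"{name}: missing")
            continue
        rows[name] = list(csv.DictReader(io.StringIO(files[name])))
        if not rows[name]:
            problems.append(f"{name}: no data rows")
        keys[name] = set()
        for row in rows[name]:
            value = (row.get(key) or "").strip()
            if not value:
                problems.append(f"{name}: row without {key}")
            elif value in keys[name]:
                problems.append(f"{name}: duplicate {key} {value}")
            else:
                keys[name].add(value)
    for name, (_, refs) in ASM_FILES.items():
        for row in rows.get(name, []):
            for column, target in refs.items():
                value = (row.get(column) or "").strip()
                if value and target in keys and value not in keys[target]:
                    problems.append(f"{name}: {column} {value} not in {target}")
    return problems

# Constructed sample: rosters.csv is absent and class C1 names an unknown instructor.
SAMPLE = {
    "locations.csv": "location_id,location_name\nL1,Main Campus\n",
    "students.csv": "person_id,first_name,last_name,location_id\nS1,Ana,Lee,L1\n",
    "staff.csv": "person_id,first_name,last_name,location_id\nT1,Raj,Iyer,L1\n",
    "courses.csv": "course_id,course_name,location_id\nCR1,Biology,L1\n",
    "classes.csv": "class_id,course_id,instructor_id,location_id\nC1,CR1,T9,L1\n",
}
print(check_asm_upload(SAMPLE))
```

To run it against real exports, read each file's text into the dictionary under its file name and adjust the column names to match your templates.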
Don'ts
- In case of bulk upload of CSV users in the MaaS portal, do not perform an ASM sync into the MaaS portal first and then do a bulk upload of the CSV; this will create duplicate records of the same users (if present in both the ASM portal and the bulk upload user CSV). Always bulk upload users in the MaaS portal first and then do an ASM sync.
- Do not push the Classroom app to student devices, as it's not necessary and configuration will fail anyway.
- While the ASM sync operation in the MaaS portal is under way, do not try to perform multiple refreshes, as it might put load on the sync operations.
References
- Apple School Manager Portal: https://beta.school.apple.com/
- Apple School Manager Help - Configure SIS: https://help.apple.com/schoolmanager/#/tesff5b12e69
- Apple School Manager Help - Setup Assistant: https://help.apple.com/schoolmanager/#/tesd7dc27f2a
- Reference on classroom app: http://images.apple.com/education/docs/getting-started-with-classroom-2.1.pdf
- About Apple Education Program: https://www.apple.com/education/
- Classroom app appstore link: https://itunes.apple.com/us/app/classroom/id1085319084?mt=8