IBM Security MaaS360

 View Only

Using MaaS360 MDM Solution for Managing Apple Education

By AMIT Kumar D posted Wed June 26, 2019 09:20 AM

  
This blog was co-authored by Kiran Naidu.

Overview


This how-to blog is intended for customer administrators and MaaS360 administrators, who are responsible for deploying MaaS360 solution in educational settings. It takes you through the steps of deploying iPads successfully in your learning environment for both personally assigned and shared device deployments. You’ll learn how to prepare your environment, set up and deploy iPad, and enable teachers in their classrooms. It also provides guidance for deploying institution-owned devices with the education enhancements in iOS 9.3 or later.

Using MaaS360 MDM Solution for Managing Apple Education, image 1


Pre-Configuration and Customer Properties

This feature needs to be enabled by your MaaS360 Administrator for your account. Once enabled, you can view the service in your Setup >> Services page>>Apple for Education

Using MaaS360 MDM Solution for Managing Apple Education, image 2

To integrate Apple School Manager capability to your education setup, go to Provisions>>Configure MaaS360 for Customers>>Customer Properties>>Enable apple school manager.

Using MaaS360 MDM Solution for Managing Apple Education, image 3

To integrate shared device capability to your education setup, go to Provisions>>Configure MaaS360 for Customers>>Customer Properties>>Enable apple education shared device.

Using MaaS360 MDM Solution for Managing Apple Education, image 4

 

NOTE: Make sure you logout and re login to the customer portal in-order to get the changes reflected.

MaaS360 Local Capabilities


MaaS360 supports two types of data handling for Education use cases, (1) Local data and (2) ASM data. Local data management is creating Students, Instructors, Classes, Admins, etc. on MaaS portal and using School features. ASM data management is integrating and pulling all the School data from ASM. However, local data does not support shared device concept supported by Apple. MaaS360 provides users a capability to create local data which is non reliant on the Apple School Manager. This means, We can use existing MaaS capability(with some tweaks) to create user accounts for students and instructors and get their devices enrolled and rolling, but before we go into specifics lets look at the changes that would have set in once the pre configurations are done. We can now look at the new add-on's/changes that would now be reflecting in your customer portal.

The first change you would see is a new tab in the landing page of MaaS portal called "Schools":

Using MaaS360 MDM Solution for Managing Apple Education, image 5

 

Create users would now have an extra tab called Education:

Using MaaS360 MDM Solution for Managing Apple Education, image 6

Create User


There are primarily two kinds of users we will be creating as part of education setup, viz. Instructor and Student and a combination of these two entities form a class which will be explained later. So to create a instructor user, go to Users>>Add User>>Fill in basic information>>Education tab>>fill in Managed Apple Id, Person Number, Role(Instructor), Grade Level, Password Policy.

Similarly, to create a student user, go to Users>>Add User>>Fill in basic information>>Education tab>>fill in Managed Apple Id, Person Number, Role(Student), Grade Level, Password Policy.

Using MaaS360 MDM Solution for Managing Apple Education, image 7


Using MaaS360 MDM Solution for Managing Apple Education, image 8

Create Class


Class is collection of students and instructor/s. The second step after creating students and instructors is to put these people into a class, in order to create/edit/delete a class, you need to navigate to Schools>>Class>>Add Class>> here you need to fill in details such as Name, Description, Dept, Instructor(Auto complete user name), Student(Auto complete user name), Shared Device(Not applicable for local capability), Course and Location.

 

Using MaaS360 MDM Solution for Managing Apple Education, image 9

User and Device Groups 


On creation of class, corresponding user and device group is created, So with group capability various apps, docs and policies etc can be pushed to at user level and device level. We can also Edit/Delete groups according to our need.

Using MaaS360 MDM Solution for Managing Apple Education, image 10

NOTE: On Enabling apple education feature, an "All Instructor Device Group" automatically gets created. This is useful in terms of pushing specific kind of apps accessible only to the instructors (such as the classroom app, etc).


Device Enrollment for MaaS360 Local Capability

To enroll instructor device, Go to Devices>>Add Device>>Give the username of the instructor you want to enrol the device to. Once the device is enrolled, In the device, if you navigate to Settings>>Profiles>>MaaS360 MDM Profile>>Configurations, You will see something called as "Leader Certificate" and "Member Certificate", These will basically define the kind of device i.e. whether a instructor device or a student device.

1. If, there are 2 Leader Certificates and 1 Member Certificate → It's an Instructor Device


Using MaaS360 MDM Solution for Managing Apple Education, image 11

 

To enroll instructor device, go to Devices>>Add Device>>Give the username of the instructor you want to enrol the device to. Once the device is enrolled, In the device, if you navigate to Settings>>Profiles>>MaaS360 MDM Profile>>Configurations, You will see something called as "Leader Certificate" and "Member Certificate", These will basically define the kind of device i.e. whether a instructor device or a student device.

2. If, there are 2 Member Certificates and 1 Leader Certificate → It's a Student Device

Using MaaS360 MDM Solution for Managing Apple Education, image 12

Classroom App Configuration on Instructor Device

Classroom turns your iPad into a powerful teaching assistant, helping a teacher guide students through a lesson, see their progress, and keep them on track. With Classroom, you can easily launch the same app on every student device at the same time or launch a different app for each group of students. Classroom helps teachers focus on teaching so students can focus on learning.


Using MaaS360 MDM Solution for Managing Apple Education, image 13

Classroom App Capabilities

Start, focus, or pause student work

  • Launch any app, website, or book on student devices with a tap
  • Lock devices into a single app to help students focus
  • Lock screens to pause work or refocus your class
  • Mute audio on student devices

See what your students see with Screen View

  • See an over view of all student screens at once
  • Focus on a single student screen
  • Students are informed when their screens are being viewed

Share documents and links with your class using AirDrop

  • Share to your entire class with just one tap
  • Students can also share with you

Reset forgotten passwords right in the classroom

  • Reset a Managed Apple ID password without calling IT

Organize student devices using groups

  • Classroom automatically creates groups of students based on the apps they are using
  • Teachers can create groups to break students into project teams
  • Perform actions on entire groups or on individual students within groups

Apple School Manager (ASM)

Apple School Manager makes it simple for the management of student and teacher iPads in apple education, and enabling a new feature called Shared iPad. Shared iPad allows students to sign in/out of an iPad and thereby saves their app data to iCloud automatically. Instructor iPads are also able to launch the Apple Classroom app to monitor and control student iPads to ensure that students are focused and productive on their iPads at their institution. Please refer Apple's documentation for more information about preparing your school for Apple School Manager.


Using MaaS360 MDM Solution for Managing Apple Education, image 14

Setting Up School Data in ASM Portal

What is Setup Assistant?

When you first sign in, Apple School Manager provides a simple Setup Assistant that makes it easy to get going. With Setup Assistant you can:

  • Add managers
  • Connect to your Student Information System (SIS)
  • Use the Secure File Transfer Protocol (SFTP) to import account information
  • Find students, staff, and classes
  • Choose the Managed Apple ID format for all your users

Setup Assistant appears when the administrator or manager first signs in to Apple School Manager. If they close Setup Assistant, they can click their name in the upper-right corner and select Setup Assistant from the pop-up menu to open it again.


Using MaaS360 MDM Solution for Managing Apple Education, image 15

With the help of setup assistant you can easily import all the students, instructors, staff, classes, courses, location etc information into the ASM portal. There are two ways of importing the data, First is with the help of .csv files and second with Student Information System(SIS) which is a private database owned by the respective institution.

NOTE: For more info about setup assistant and its use, please click here.


Apart
from the above method, we can also create classes, users manually. The following screenshots will help you how to create users and classes:

Create a User in ASM:

Navigate to home screen of ASM portal and Click on People>>Accounts>>Add a new account

Using MaaS360 MDM Solution for Managing Apple Education, image 16

NOTE: Make sure that your Managed Apple ID is always unique.

Create a Class in ASM:

Navigate to home screen of ASM portal and Click on People>>Classes>>Add a new class

Using MaaS360 MDM Solution for Managing Apple Education, image 17

Creating New MDM Server and Assigning Devices

To use the capabilities of the ASM data by the MDM Vendors, it is very important to create MDM Servers/DEP tokens. These tokens can later be used to download the ASM data to local repositories. To create MDM Server, you first need to have a public key of MaaS360 uploaded in the "Add MDM Server" page. Then, take the following steps:

1. Navigate to MDM Server>>Click on Add New MDM Server>>Give details such as MDM Server Name, Public Key etc>>Click on Save.

Using MaaS360 MDM Solution for Managing Apple Education, image 18

2. Now navigate to Device Assignment page>>Assign Education iPads to the MDM Server created (Add by serial number, order number, CSV file).

Using MaaS360 MDM Solution for Managing Apple Education, image 19

3. Navigate back to MDM Server>>Click on the newly created MDM server>> Click on "Get Token"

Using MaaS360 MDM Solution for Managing Apple Education, image 20

MaaS360 Apple School Manager Settings

MaaS portal gives us an option to sync ASM data on to our portal. For this, We need to enable the Apple School Manager property from the master admin. When we navigate to schools tab in portal, we will find Apple School Manager settings page:

Using MaaS360 MDM Solution for Managing Apple Education, image 21

Below is the help text and its meaning:

Using MaaS360 MDM Solution for Managing Apple Education, image 22

NOTE: If an app needs to be installed on to the shared device, then the only way we can install on to the devices is by VPP.

Synchronization of ASM Data to MaaS360 Portal

1. Download a MDM Server token/ DEP token from ASM portal as mentioned in the 10th section of this page.

2. Upload the token by navigating to Devices>>Enrolments>>Other Enrolment Options>>Apple Device Enrolment(DEP)>>Tokens>>Add Token>>Add


Using MaaS360 MDM Solution for Managing Apple Education, image 23


3. Now navigate to Schools>>Apple School Manager>>Under Enable Apple School Manager checkbox>>Select the desired token>>Save.

Using MaaS360 MDM Solution for Managing Apple Education, image 24

4. Click on save and then click on refresh button. (NOTE: The ASM data sync time purely depends on the number of records present in the ASM portal, larger the data more time it takes to sync).


Introduction to Shared Devices

Issuing a device to every student in certain institution can be expensive. MaaS360 lets you share a mobile device among students. Shared Device functionality ensures that security and authentication are in place for every unique student. MaaS360 uses a simple login/logout process for shared devices in which students simply enter their dedicated credentials set in the ASM portal to log in.


Using MaaS360 MDM Solution for Managing Apple Education, image 25

Setting Up Shared Devices to Utilize Local and ASM Capabilities

Please perform the following steps to set up shared iPads to utilize local and ASM capabilities.

Pre-conditions:

1. DEP token/s containing shared devices.

2. Token added to MaaS360 portal.

3. ASM data synced in MaaS360 portal.

Steps:

1. Navigating to Devices>>Enrollments>>Other Enrollment Options>>Apple Device Enrollment(DEP)>>Profiles>>Add Profile.

Using MaaS360 MDM Solution for Managing Apple Education, image 26

NOTES:
1. In order to make a device shared iPad, "Supervised Device" needs to be mandatorily checked.
2. Max resident users are the number of partitions you want in your shared device, which means those many students can login to the device. It usually depends on the iPad storage size. Common partition ranges from 2 to 99.

 

 2. Click on Add and assign the profile to all the devices of the token/s or individually assign the profile.

Using MaaS360 MDM Solution for Managing Apple Education, image 27

 

3. Reset the device and apply the configurations that would have reached the device.

Using MaaS360 MDM Solution for Managing Apple Education, image 28

4. Please add the shared device serial numbers to the classes you want the particular device to be accessed, to do this navigate to Schools>>Classes>>Search for the class you want to assign the device(Can be local as well as ASM classes)>>Click on edit>>assign the serial number in "Serial Number" section>>save.


Using MaaS360 MDM Solution for Managing Apple Education, image 29

 

5. Post configuration, you would see a screen which contains Class Information and the students under each class to which this shared iPad is assigned. The student can now login to the iPad based on the credentials provided from ASM Portal.

Using MaaS360 MDM Solution for Managing Apple Education, image 30

Device Policies and User Policies Configuration on the Devices

Local Devices: In terms of standalone local education iPads, the policies can be pushed as like any other iOS devices. The behaviour of iPads will be same as that of other apple devices to which MDM is configured.

Shared Devices: In shared devices, the devices policies remain configured to the device irrespective of which student has logged in to the device, these include some restrictions settings etc. Whereas user level policies will be specific to a student and will be applicable as per the policies assigned to that student. So, on login these user level policies will be applied and will get removed as soon as the student logs out. These include Active Sync, CalDav, CardDav, Google Account, Home Screen, Notification settings etc.

DO's and DON'Ts

Do's

  1. Make sure that all the pre configurations and pre setups mentioned in this page are done before advancing into specific workflows of education.
  2. Make sure that the iPads are iOS version 9.3 or later.
  3. Make sure that the Student iPads are always supervised (It can be supervised with apple configurator or DEP profile).
  4. Instructor need not be supervised, it works fine on non-supervised device also. But, if you want to apply any supervised settings to instructor device, then its advisable to make the instructor device supervised.
  1. It is advisable to push the Classroom app to All instructor device group, as all the instructor will be needing this app to run the class.
  2. Make sure that the apps you want to push to the class are in your VPP token, apps from other sources will not be installed in shared device.
  3. The ASM portal data CSV upload are 6 files in number, make sure that all these files are filled and synced in the ASM portal. Even if one csv file is missed then the sync will error out in

ASM portal.

  1. Make sure that the Apple Education iPads are in same Wi-Fi zone and Bluetooth is enabled, otherwise classroom app might show devices as offline.

Don'ts

  1. In case of bulk upload of csv users in MaaS portal, do not perform ASM sync into MaaS portal first and then do a bulk upload of csv, this will create duplicate records of the same users(if present in both ASM portal and bulk upload user csv). Always bulk upload users in MaaS portal first and then do a ASM sync.
  2. Do not push classroom app to student devices as its not necessary and configuration will fail anyway.
  3. While the ASM sync operation in MaaS portal is under way, do not try to perform multiple refresh as it might put load on the sync operations.

References

  1. Apple School Manager Portal: https://beta.school.apple.com/
  2. Apple School Manager Help - Configure SIS: https://help.apple.com/schoolmanager/#/tesff5b12e69
  3. Apple School Manager Help - Setup Assistant: https://help.apple.com/schoolmanager/#/tesd7dc27f2a
  4. Reference on classroom app: http://images.apple.com/education/docs/getting-started-with-classroom-2.1.pdf
  5. About Apple Education Program: https://www.apple.com/education/
  6. Classroom app appstore link: https://itunes.apple.com/us/app/classroom/id1085319084?mt=8

 

0 comments
22 views

Permalink