Hillbrook iPad App Distribution (2015)


 Last spring, I started working at Hillbrook School in Los Gatos in a newly-created "Technology Support Specialist Role." Hillbrook is a JK-8 private school in Los Gatos, CA, with about 320 students. It is a 1:1 iPad school (Grade K-8).  

One primary responsibility as part of my role is to manage the MDM (mobile device management) system and process at the school. This system includes tracking device inventory and distributing apps to appropriate student/faculty "groups." The system we use is JAMF, along with Apple's DEP enrollment program. This year, the system was very complex, since about one third of our iPads did not qualify for the DEP program (iPad 2's), and therefore could not be automatically enrolled in JAMF. Also, I made the decision to change the way we purchased apps for the school, choosing Managed App Distribution via Apple's VPP.

Below are some comments and observations (written in early fall 2015) that may give insight to those that are managing a mixed iPad + MDM + DEP + VPP (Managed) solution:

Hillbrook iPad App Distribution
2015
With a combination of iPads within the Apple DEP guidelines (cut-off March, 2011/Institutional purchase requirement), and those outside of the guidelines (all iPad 2’s- purchased prior to March, 2011, some non-institutional), the Hillbrook Technology Department is using a custom distribution method in order to create a more streamlined user experience.  

Required for Device Management and App Distribution:

Device Configuration (specific settings/restrictions) + Enrollment in a MDM

Apple DEP (Device Enrollment Program): New June 2014

  • Linked to MDM system (JAMF)
  • Enrolls qualified devices in the MDM automatically and installs configuration profiles through a “Pre-stage Enrollment.”
  • Prior to this, it was necessary to use Apple Configurator to manually install configuration profiles, etc. Then, devices were manually enrolled in the MDM.

MDM (Mobile Device Management) System: JAMF, v. 9.4

  • Database was updated and re-generated for this year.  
  • Devices were enrolled and User accounts were created manually for each individual, including lower school iPads.
  • LDAP will help alleviate this manual process in the future!
iPad Deployment:
Pre-stage Enrollment (DEP devices only)
Configuration Profiles (Distributed after a device is enrolled)
Smart/Static Groups (for distribution)

Hillbrook’s App Distribution Process:

Enrollment

  1. iPad should already be enrolled by tech department
    1. Some iPads may have been missed
    2. If profile set is deleted, enrollment is deleted (for that device)
  2. Linked to device, not end user
  3. Allows for inventory collection
    1. Device Type/Model
    2. Serial Number
    3. Asset Tag (manually entered)
    4. Software Version/IP Address
    5. Find My iPhone is Enabled/Disabled
    6. Existing Apps (as well as if they are managed apps or not)
    7. Battery Level
    8. Available/Used Storage Space
  4. Supervised vs. Unsupervised (Supervision provides more control over restrictions and the user experience.)

Invitation

  1. Email or Pop-up message (depending on invitation scope settings)
  2. Links the USER to app distribution
    1. Based on the Apple I.D., not device serial number
    2. User needs to exist in the database (manually/auto-entered via LDAP), with username, first/last name, email address.  Additional characteristics can be added for purposes of scoping/searching, but are not required.
  3. Apple I.D. Linking
    1. After opening invitation link, user logs in to the App Store with Apple I.D./password
    2. Apps (assuming they are scoped appropriately) will appear for that user in the “Purchased” section of the App Store.  
    3. If auto-app downloads is turned on in the iTunes Store Settings, apps will begin to appear on the home screen.
    4. Apps not installed on the iPad will appear in the “Not on This iPad” section of “Purchased.”

App Distribution

  1. Apps are pushed to certain Users depending on the scope
    1. Smart/Static User Groups
      1. Used for scoping apps to students/teachers based on characteristics/key words in their User profile.  
    2. Smart/Static Mobile Device Groups
      1. Used for scoping configuration profiles (separate from enrollment profiles) to devices based on characteristics/key words about the device.
  2. Apps can be taken away after a 30 day grace period, depending on needs for the school.

App Management User Experience

  1. Apps can still be moved around/deleted by User
    1. If app is deleted, it is still accessible in the Purchased section of the App Store, as long as their Apple I.D. is logged in on that device.
  2. User experience does not change, only distribution changes