A Lockout Protocol for iOS 9.3

One of the things I want to be able to do in our new deployment is detect devices that are "out of spec" and make sure that the users find their way back to me for ... ah ... re-education.

Most "out of spec" things can be dealt with by the MDM server itself. If a device checks in with a missing configuration profile or a missing app, the server will automatically take care of that.

Sometimes, though, we want to check for other conditions and make sure that these situations don't go on for too long. To achieve this, I have designed a "lockout protocol" for our deployment.

The Configuration Profile

We have a configuration profile that can be applied to any supervised iPad that essentially “locks out” the user from doing any work. It’s really quite simple.

The first payload is a Restrictions payload which I use to only allow one app: The JAMF Self Service app.

The second payload is a Home Screen Layout payload. This puts the Self Service app into the Dock, so that people can find it easily.

That’s all it is, but because the devices are supervised and in DEP, there’s nothing the user can do to get out of this situation except to come and see me for help.

The Criteria for Lockout

To detect these anomalous conditions, I have a smart device group in our MDM that captures devices based on the following conditions:

  1. The device inventory is more than 10 days old (i.e. it’s not communicating with the server properly) OR
  2. The JSS “Jailbreak Detected” field is “yes” OR
  3. The “Location Services for Self Service” is “Not Enabled/Unknown” OR
  4. The iOS version is less than the current release version of iOS.

Now, I normally give a grace period for iOS updates of about a week before I update the criteria for the smart group so it’s not too draconian.

I haven’t yet had a device where the inventory alone was stale. I suspect this condition is probably redundant given that, if the device can’t supply inventory, it’s unlikely to be able to receive the new profile either.
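The smart group criteria above, written out as a compliance check that can be run over inventory records, as an added example (not code from the original post or from Casper Suite). The record field names, the sample dates and the grace-period handling are assumptions of this example, not JSS field names.

```python
from datetime import datetime, timedelta

INVENTORY_MAX_AGE_DAYS = 10   # criterion 1: inventory older than this is "stale"
UPDATE_GRACE_DAYS = 7         # criterion 4 only bites after roughly a week's grace


def parse_version(version):
    """Turn '9.3.2' into (9, 3, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def lockout_reasons(device, now, current_ios, current_ios_released):
    """Return the list of lockout criteria a device record trips (empty = in spec).

    device: dict with the assumed keys last_inventory (ISO date), jailbreak_detected,
            self_service_location and os_version.
    """
    reasons = []

    last_inventory = datetime.fromisoformat(device["last_inventory"])
    if now - last_inventory > timedelta(days=INVENTORY_MAX_AGE_DAYS):
        reasons.append("inventory older than %d days" % INVENTORY_MAX_AGE_DAYS)

    if device["jailbreak_detected"].lower() == "yes":
        reasons.append("jailbreak detected")

    if device["self_service_location"] in ("Not Enabled", "Unknown"):
        reasons.append("location services for Self Service not enabled")

    # The iOS criterion is only applied once the grace period after a release has passed.
    grace_over = now - current_ios_released > timedelta(days=UPDATE_GRACE_DAYS)
    if grace_over and parse_version(device["os_version"]) < parse_version(current_ios):
        reasons.append("iOS %s older than current %s" % (device["os_version"], current_ios))

    return reasons


# Constructed sample records; the dates and serials are invented for the example.
NOW = datetime(2016, 8, 1)
CURRENT_IOS = "9.3.3"
SAMPLE_DEVICES = {
    "GOOD0001": {"last_inventory": "2016-07-31", "jailbreak_detected": "no",
                 "self_service_location": "Enabled", "os_version": "9.3.3"},
    "BAD00002": {"last_inventory": "2016-07-15", "jailbreak_detected": "yes",
                 "self_service_location": "Unknown", "os_version": "9.3.2"},
}


def devices_to_lock(devices=SAMPLE_DEVICES, now=NOW, current_ios=CURRENT_IOS,
                    released=datetime(2016, 7, 18)):
    """Map serial -> reasons for every device that should fall into the lockout group."""
    result = {}
    for serial, record in devices.items():
        reasons = lockout_reasons(record, now, current_ios, released)
        if reasons:
            result[serial] = reasons
    return result


if __name__ == "__main__":
    for serial, reasons in devices_to_lock().items():
        print(serial, "->", "; ".join(reasons))
```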

Warning Period

When a new iOS update comes out, the first thing I do is push a notification to Self Service. To be fair, about half the students respond to this in a timely manner.

After a few days, my new thing is to push a new wallpaper to the devices that puts the message right in the students’ faces.

After a few more days, if the devices still aren’t updated, I update the criteria for the lockout protocol and the shutter comes down until everything comes into line.

Even when locked out, the device will still be able to be updated as Settings is the one app that can’t be hidden.

Once the anomalous situation is resolved, the user will likely need to come and see me. Devices update their inventory typically once a day to the JSS, but an administrator can force an inventory update manually. That would cause the device data to be updated and the restrictions lifted.

Reflections on Deployment Day 2016

So it's now been a week since we rolled out our latest iteration of 1:1 iPad at Cedars. What does it look like and how did it go?

Deployment Design

My intention is always to do one three-year deployment, not three one-year deployments. My aim, which we achieved in the 2013 deployment, was that the iPads would go out and not come back to me until the end of the lease.

Our school is straight-through K-12, with a slight bias towards pupils in the Primary department. We decided on a split deployment this time - using iPad minis and 9.7" iPad Pros.

One interesting thing in the discussions about the device was that the name "iPad Pro" might have actually hindered the iPad a little. The idea of buying a "Pro" device for a five-year-old just seemed too absurd to fly when, in both previous deployments, we had purchased the lower-storage version of the fastest iPad. First time round we had no choice, of course, but last time round we bought everyone a 32GB 9.7" iPad with Retina Display. This time, the younger kids got something smaller.

The devices are: 64GB iPad Mini 4 (31 units) and 32GB iPad Pro 9.7" (94 units). This leaves us 1 spare mini and 4 spare iPad Pros. That's 3-4% spare capacity, which is about right. We could probably get away with a bit less given our Mean Time To Repair (it's very quick with an Apple Store 25 minutes away), but it's good to have a couple of identical spares to test things like iOS 10, Shared iPad and so on.

We are deploying the minis to Primary 1-4 (US: K-3) and iPad Pro for everyone else. I have in the past expressed scepticism about the suitability of the iPad mini for younger users and their poorer fine motor skills. I had to abandon that opinion in the face of the weight of evidence that literally every child who had their own iPad had a mini and they were all getting on just fine with it.

We are again using Casper Suite for our MDM, hosted on Amazon EC2. We have been very happy with this product for a couple of years now and there was absolutely no compelling reason to change.

Deployment Changes from 2013-16

There are a number of new technologies coming together in the 2016 deployment that we have not used before.

Firstly, these are the first devices we have purchased since the Device Enrolment Program came to the UK. We are also switching to iOS 9's VPP device assignment from the older iOS 7-era user-assignment model for apps. The huge change of course is the migration to Managed Apple IDs - about which more later.

Migrating to a new MDM Instance

As part of the deployment, I decided to migrate everything to a new instance of Casper Suite. Doing this was remarkably easy and basically involved these steps:

  • Shut down our old EC2 instance
  • Set up a new EC2 instance and install Casper Suite
  • Reconnect the new MDM to DEP and VPP by uploading keys and tokens to the appropriate places
  • Assign our DEP devices to the new server and set it as the default server for new devices

The main downside to doing this is that we were 2 years into a 3 year reserved instance on EC2 and we couldn't make a new instance of the type that we reserved (m1.small). We are running our new JSS on a t2.small EC2 instance right now and monitoring that before we buy a new reserved instance. In general, I would like to get our EC2 reserved instances lined up with our deployment cadence.

Preparation before the Day

The preparatory stage went remarkably smoothly on the whole. Devices were delivered and it was the coolest thing to be able to see and work with them in DEP while they were still sitting in a TNT loading dock.

Once the devices arrived and were unboxed, the next steps were to:

  • Connect them 20 at a time to Apple Configurator
  • Restore the devices to the latest version of iOS (they all came with 9.3.2 and 9.3.3 was then-current).
  • Use Configurator to kick-start the DEP process.

The restore step is important. Configurator lets you update or restore. Recall that all iOS devices greater than 16GB come with a pre-installed set of apps from the App Store: iWork, iLife and iTunes U. These apps will of course be unmanaged when you get the devices into MDM. You can take them under management remotely but to do so you'd have to scope all those apps onto all those devices and then un-scope any you wanted gone. Easier, to my mind, to just press the other button in Configurator.

All of this preparation went fine, except we didn't have our iPad Pro cases yet. The 9.7" Pro is very similar to the iPad Air 2 but it's not the same and it's definitely not case-compatible. For one thing, there are four speakers on the Pro. Secondly, and more importantly, the iPad Pro is the first iPad with a flash. iPad Air cases partially occlude the flash, which would be a constant problem for indoor exposure metering in photography.

We had decided, on the recommendation of many, many schools, to go with the STM Dux cases. The nomenclature for these cases is confusing when it comes to iPad Pro. The STM Dux case for non-Pro devices is a case with a rubber frame, plastic back and an integrated wraparound cover. The "Dux" for iPad Pro is basically that case without the cover - obviously to allow access to the Smart Connector. We wanted a wraparound case for all our devices. This, for iPads Pro, is called the "Dux Plus".

Still, we got the cases in time and it's all good. The cases seem very robust so far and have a very clever clear plastic panel over the back. Some class teachers have put labels under there to identify individual kids' iPads and they won't wear or peel off.

Rollout Day

We rolled out class by class. We ran into a couple of issues where we jammed the wifi by - maybe - associating too many devices in a short period.

Managed Apple ID Process

Let's just say that the idea of having to use a Managed Apple ID was ... not warmly welcomed by pupils used to free access to the App Store. It wasn't my decision to migrate everyone to a Managed ID, but I had to because of the limitations Apple has placed on iTunes U and Managed IDs.

As a result of this forced migration, a few issues arose. Firstly, I feel that the deployment lost a certain amount of enthusiasm amongst the older students who have had (mostly) free rein up to now. As a result, I'm deploying a range of 'lifestyle' apps for those kids to soften the blow.

Similarly, a few pupils had purchased apps in their school Apple IDs and now have no way back to using those apps on their school devices. Also, some pupils had depended on their iCloud Document syncing in Pages and Keynote instead of backing up to Google Drive. That can be recovered through iCloud.com on a desktop computer but...who has desktop computers any more? ;-)

The setup process as designed in our DEP pre-stage was:

  1. Enter personal wifi password (school-set)
  2. Enable Location Services
  3. Enter Apple ID & Temporary Password
  4. Change temporary password (requires entering the temporary password again, then the school password twice)
  5. Accept TrueTone display page
  6. Get to home screen
  7. Enter password for iPad passcode
  8. Confirm password for iPad passcode
  9. Enter password for Google Apps account

I could have controlled the last two steps by not pushing the profiles until later but that would have required interacting with the JSS console in front of the class, which I really didn't want to have to do.

Younger and less-able children were very, very confused by the process of resetting their password. The terms "Current", "New" and "Verify" were too terse to fully explain what they were expected to do.

The "set passcode" prompt and the "Google apps" password prompt were in a race condition so some pupils saw one appearing first then another overtaking it. This led to confusion because I had started explaining a step and then some pupils were presented with dialogs for a separate step.

Basically, this was just too much passwording. Enter the school-provided password five times and the temporary Apple ID password twice (and twice in two screens at that!). This would have been much better if we could have set the final password in Apple School Manager and not required a reset of the password as part of the login.

App Installation

Once pupils had completed the setup, the devices needed a 'kick' in JSS to get them going. I'm not sure why. If I manually prompted the devices to update inventory, apps started getting installed. All devices had pending installations as they had been sitting in setup assistant for about 3 weeks. I didn't have to clear them manually, and probably the apps would have installed next time the devices uploaded inventory (within the next 24h). Unfortunately I needed action to happen in the class basically as soon as Setup Assistant was completed. It would be ideal if the device could signal the MDM "I'm ready now" - which I don't think it can.

App installations proceeded smoothly from there. Caching server worked wonderfully well and we barely touched the Internet the whole day.

I noticed that when a number of apps were being installed, no visual feedback was given on the home screen. The network activity spinner was active but no darkened icons were shown on screen. The apps just appeared once they had been downloaded and installed. Children, who are well used to the App Store, found this confusing and disconcerting.

Overall, though, I have been pretty pleased with the deployment. The network, MDM and caching server all performed very well for Day One.

The Problem with Managed Apple IDs and iTunes U

As I write this, we are five days away from teachers coming back to school and eight days from pupils coming back.

And I have found a showstopper problem with Managed Apple IDs and iTunes U.

Please bear with me as the explanation will be slightly complex but it is essential to understand its impact if you are rolling out Managed Apple ID and rely on iTunes U.


Briefly, a Managed Apple ID is an Apple ID that is created by the school for pupils. They can also be created for teachers and administrators. A Managed Apple ID allows access to iCloud and iTunes U but not to commercial services like the App Store and iBookstore. A Managed Apple ID is literally disbarred from any commercial transaction with Apple.

Contrast that with a 'consumer' Apple ID - the kind that every iOS user creates either through iTunes or through on-device setup when they buy an iPhone. These Apple IDs have no restrictions.

In our deployment, as in many others, teachers use their own personal Apple IDs on the iPads they use in school. This is obviously true - there has only ever been one kind of Apple ID and every teacher using an iPad must be using a 'consumer' Apple ID.

Since iTunes U 3.0 came out, teachers have been using these personal Apple IDs to create iTunes U courses for our pupils. The reason they were using personal Apple IDs is that the iTunes U app on iOS uses the Apple ID that is logged into the "iTunes and App Store" section of iOS Settings as the Apple ID for the teacher. There is no way to have a separate Apple ID just logged into iTunes U. Remember that fact; it will become important later on in this story.

Managed Apple ID

Once we were migrated to Apple School Manager, the first thing I tested was:

  • Create a Managed Apple ID for a fake student
  • Set up an iPad with that Managed Apple ID
  • Test enrolling in an iTunes U course that I created last year

Immediately I hit a problem. An error message stated:

"Your Apple ID can only enrol in courses from your institution."

I was confused by this because my courses are from my institution. Our school has an iTunes U site and all my courses are set to be from "Cedars School of Excellence". There is a menu in Course Settings where an instructor can choose which institution their course is associated with.

After some more messing around, I realised that what this error message actually means is this:

Students with Managed Apple IDs from a particular school's Apple School Manager domain can only enrol in courses that are owned by an Apple ID that is also from that same Apple School Manager domain.

I verified this by creating a new Managed Apple ID for myself, sharing a copy of my course to that Apple ID and then enrolling my fake student Apple ID in that course. This worked perfectly.


So, as a result of this decision to only allow iTunes U interaction between Managed Apple IDs in the same ASM domain, this means that teachers effectively have to be using a school-issued Managed Apple ID to run their iTunes U courses.

This is fine - in a very restricted set of circumstances that don't apply to any existing school iOS deployment anywhere.

Firstly, every currently practicing iOS teacher will be using a consumer Apple ID. Very likely it will be their personal Apple ID. This is because this was exactly the deployment scenario that Apple has encouraged us to use since iOS 7: users bring a personal Apple ID and the school or business uses VPP Managed Distribution to assign apps to that Apple ID.

Secondly, because iTunes U does not have its own Apple ID login system but instead uses the iTunes and App Store setting on the device, there is no possibility of using a separate Managed Apple ID "just for iTunes U". Signing into a Managed Apple ID on an iPad to make iTunes U happy will mean that teachers have to switch Apple IDs to buy any app, buy an In-App Purchase or download any past content purchase in iTunes, iBooks or the App Store.

This is obviously a massive speed bump in the teacher's iPad experience. Worse, though, there are various vaguely-documented tripwires in the App Store that can lock a device into a specific Apple ID for 90 days:

"Computers and devices can be associated with a different Apple ID once every 90 days."

- View and remove associated devices in iTunes, Apple

It is not at all clear whether Managed Apple IDs are also subject to these restrictions. These tripwires are set server-side and it is far from certain that you could depend on their criteria not to change during the course of a deployment. I mean, what does it look like when the App Store sees the same iPad signing into and out of Apple IDs on a daily basis?

If teachers are expected to flip between two Apple IDs on their iPad - which they will probably be doing on a daily basis, if not hourly - what happens if (when?) the iPad gets stuck for 90 days on one or other Apple ID? Either the teacher is locked out of their courses for 90 days or they can't buy or download any apps for 90 days. I'm not an Apple Music subscriber, but some teachers somewhere surely are, and I'm told that Apple Music gets weird when you switch Apple IDs.


At the moment, I have no satisfactory workaround for this. I cannot conceivably expect teachers to switch to using a Managed Apple ID permanently, abandoning all their past purchases and content. Similarly, the idea of switching between two Apple IDs in the course of doing your job is maddening at best and potentially disastrous if you accidentally trigger an App Store tripwire.

The only workaround that I can live with right now is to just not use Managed Apple IDs for students. Fortunately, most of the pupils moving up to our secondary department already have a device-generic Apple ID that I can convert into their own Apple ID. It's just the new pupils that I have to worry about.

At the moment, Apple is checking whether the Apple IDs of both teacher and student are in the same Apple School Manager domain. To me, this is the wrong criterion. The check should be: is the student's Apple ID from the same institution as the course's Institution?

It should not matter whether the teacher's Apple ID is institutional or personal - if the teacher has the right to make courses for that institution, they should be able to enrol that institution's students in that course.

I speculate that the Apple School Manager database and the iTunes U course database are simply not integrated. Whichever part of the system that is performing this check doesn't know that the "Cedars School" in our iTunes U courses is the same "Cedars School" as in our Apple School Manager domain.

I don't know the exact technical and legal reasons why this decision was made. All I know is that this new system of Managed Apple IDs is currently undeployable for any existing iOS site. The problem is not actually a student problem; it's a problem for the teacher's user experience.

90 iPads in 90 Minutes

Today was phase one of our new deployment. We received the shipment of iPad Pros (9.7", 32GB, WiFi) that will make up two thirds of our deployment over the next three years.

I wanted to write in detail about the exact process of going from a pallet of cardboard boxes to 90 iPads ready to hand to students in around 90 minutes.

There are a few moving parts to this but they boil down to:

  • Unboxing
  • iOS Update
  • MDM Enrolment
  • User Assignment


I had the dedicated help of two colleagues to get through the unboxing, which is definitely the most tedious and time-consuming part of any sizeable iPad deployment.

Our devices came wrapped on a pallet but once I cut the wrapping, I discovered that almost every iPad was in an individual brown carton, inside which was an individual shrinkwrapped retail box.

So we settled into opening all these boxes. One person stripped the shrinkwrap, another pulled out and handed the iPad to me and then unwrapped and assembled each individual piece of the power adapter. The UK power adapter ships in two parts - presumably for space efficiency - and each has an individual plastic wrap on it. We just dropped the chargers into a big box and the cables into another to be picked later on deployment day.

The final point about unboxing is to note that I don't really care who gets which device. At this point, they're fungible as they're all going to be set up in the same way.

iOS Update

To my surprise, these iPads all came with a very recent version of iOS: 9.3.2. If it wasn't for the fact that Apple just released 9.3.3, today could have gone even quicker.

I decided to update all the devices to iOS 9.3.3 using Apple Configurator 2. I was going to plug them in anyway, so it seemed easy enough to just update them the same way.

Alternatively, since these devices are in DEP, I could have sent them an MDM command to update iOS. However, I didn't see the point of generating all that WiFi traffic for nothing and, also, I wasn't certain that that command would have an effect before the devices were fully set up.

So I plugged them into my Apple Configurator Mac, 20 at a time, and hit one button in Configurator. 10 minutes of playing Crossy Road later and it was time to move on.

MDM Enrolment

Our Device Enrolment Program was already set up and, while the devices were in transit, I had already allocated them to the correct PreStage Enrolment settings in our JAMF Casper Suite MDM server.

The slow way to proceed here is to:

  • Pick up an iPad
  • Connect it to WiFi
  • Step through the setup assistant until enrolment is complete.

The smart way to proceed is:

  • Create a blueprint in Apple Configurator 2 that automates the Actions > Prepare step
  • Connect 20 devices to Apple Configurator 2
  • Apply that blueprint
  • Play another game of Crossy Road

As I said before in Towards Zero-Touch iOS Deployment, the game is: never touch the glass.

So once I worked my way through 90 iPads, 20 at a time, here's what I had:

  • All devices supervised
  • All devices on the latest iOS version
  • All devices enrolled in our Casper Suite
  • All devices named "iPad" in Casper and not allocated to any users yet

So the next phase is: allocate devices to users.

User Allocation

So at this point, I have 90 undifferentiated devices sitting in crates on a table. My next goal is to get those devices to:

  • Be assigned to a user in Casper
  • Be named with the full name of the user
  • Have some way of showing on the device itself which user got which iPad

Here's how I did it.

Firstly I exported from Casper a list of the serial numbers of all the enrolled iPads. I could have gotten this list from the DEP area in Apple School Manager, but I had four spare iPads which had not yet been enrolled and I didn't fancy scanning through a list to find which four serial numbers to exclude.

Next, I combined this information with a CSV export from our student database for all the pupils in classes that will get the iPad Pro. At this point, I have a CSV that looks like:

username, full-name, graduation-year, role, device-serial-number

Graduation Year and Role are two extension attributes I use to group students in the JSS for scoping apps and profiles.

Next, I wrote a Python script for the JSS API that basically did the following:

  • Parse the CSV file and for each row:
  • Create a user in JSS with the given name, email address, graduation year and role
  • Assign the device with the given serial number to that user
  • Set the name of the device to the full name of the user
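The CSV-driven user creation and device assignment described above, written out as an added example (this is not the post's own script). The Classic API paths (/JSSResource/users/id/0, /JSSResource/mobiledevices/serialnumber/...), the XML element names and the email domain are assumptions about the JSS Classic API and should be checked against your own JSS's API documentation; the roster rows are constructed sample data.

```python
import base64
import csv
import io
import urllib.request
import xml.etree.ElementTree as ET

# Constructed roster in the column layout from the post (invented pupils and serials).
SAMPLE_CSV = """username, full-name, graduation-year, role, device-serial-number
jbloggs, Joe Bloggs, 2022, student, EXAMPLESERIAL01
asmith, Anne Smith, 2021, student, EXAMPLESERIAL02
"""


def parse_roster(text):
    """Parse the CSV into dicts keyed by the (whitespace-stripped) header names."""
    reader = csv.DictReader(io.StringIO(text), skipinitialspace=True)
    return [{k.strip(): v.strip() for k, v in row.items()} for row in reader]


def user_xml(row, email_domain):
    """Build the <user> document for creating the JSS user (assumed element names)."""
    user = ET.Element("user")
    ET.SubElement(user, "name").text = row["username"]
    ET.SubElement(user, "full_name").text = row["full-name"]
    ET.SubElement(user, "email").text = "%s@%s" % (row["username"], email_domain)
    eas = ET.SubElement(user, "extension_attributes")
    # The two extension attributes the post uses for scoping: Graduation Year and Role.
    for ea_name, column in (("Graduation Year", "graduation-year"), ("Role", "role")):
        ea = ET.SubElement(eas, "extension_attribute")
        ET.SubElement(ea, "name").text = ea_name
        ET.SubElement(ea, "value").text = row[column]
    return ET.tostring(user, encoding="unicode")


def device_xml(row):
    """Build the <mobile_device> document that renames the device and assigns the user."""
    device = ET.Element("mobile_device")
    general = ET.SubElement(device, "general")
    ET.SubElement(general, "display_name").text = row["full-name"]
    location = ET.SubElement(device, "location")
    ET.SubElement(location, "username").text = row["username"]
    return ET.tostring(device, encoding="unicode")


def plan_requests(rows, email_domain):
    """Return (method, path, xml_body) tuples: one user POST and one device PUT per row."""
    plan = []
    for row in rows:
        plan.append(("POST", "/JSSResource/users/id/0", user_xml(row, email_domain)))
        path = "/JSSResource/mobiledevices/serialnumber/" + row["device-serial-number"]
        plan.append(("PUT", path, device_xml(row)))
    return plan


def send(plan, base_url, api_user, api_password):
    """Send the planned requests with HTTP basic auth; raises on any non-2xx response."""
    token = base64.b64encode(("%s:%s" % (api_user, api_password)).encode()).decode()
    for method, path, body in plan:
        request = urllib.request.Request(base_url + path, data=body.encode(), method=method)
        request.add_header("Content-Type", "application/xml")
        request.add_header("Authorization", "Basic " + token)
        with urllib.request.urlopen(request) as response:
            response.read()


if __name__ == "__main__":
    # Dry run: show what would be sent without contacting a server.
    for method, path, body in plan_requests(parse_roster(SAMPLE_CSV), "example.invalid"):
        print(method, path)
        print("   ", body)
```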

Having done that, I have a Configuration Profile ready that uses the new-in-iOS-9.3 payload called "Lock Screen Message". This is scoped to every user that has the Role of "student". Once the user is assigned to the device, the profile automatically appears on the device.

The magic sauce is that the message contained in the profile is customised for each individual user. Casper Suite allows you to use placeholders in a Configuration Profile which are substituted with actual values before the profile is pushed to each device.

In this case, the lock screen message is as simple as "This iPad is allocated to $FULLNAME". Here, $FULLNAME is the placeholder for the full name of the user.

The result is that each device gets a custom message on the lock screen - even before the iOS setup assistant has completed. At this point, I can just pick up each device, look at the soft asset tag on the display and put the iPad into the right class box.

Excuse the fuzziness - we kept the plastic wraps on the devices while handling them.

The final result: 90 iPads updated, supervised, enrolled in MDM and allocated to users. Average time-per-iPad: one minute.