MDM Structure Design for the Long Term

As we come up to the end of the school year, it's a good time to reflect on the administrative tasks we do in order to get ready for the next school year. One area of deployment that's been on my mind recently is structuring our Mobile Device Management (MDM) server to be easy to maintain in the long run.

This is one area in which, thus far, I have not done a great job.

We started with our MDM in August 2013. This was before the Volume Purchase Program Managed Distribution approach was available to us. We converted to VPP-MD in August 2014, and that approach has been highly successful: the time iPads spend out of the classroom being updated and having new apps installed is now close to zero.

Having said that, the internal structure of our MDM is not in great shape. In this article I'll explain the mistakes I made and come to some conclusions about how we're going to do things differently in the future.

I'll be writing with reference to the Casper Suite by JAMF, since that's what we use at Cedars. Full disclosure, JAMF also sponsor my podcast.

The Aspects of a Modern MDM

In the VPP-MD era, a Mobile Device Management server essentially has two major entities: mobile devices and users. Mobile devices can have configuration profiles applied and users can have apps assigned.

When we started with MDM, we only had mobile devices. There were no user objects in the Casper Suite. To install apps for the primary school, we brought the iPads back to base and used Apple Configurator. This process typically took a couple of hours a week. For the secondary school, we used Casper to make VPP Coupon Codes available to the students in Casper's Self Service app - effectively, but not technically, a "private App Store".

In some ways this old model was easier: you enrolled devices and assigned both configuration profiles and apps to those devices. In the VPP-MD era, you assign devices to users, assign configuration profiles to devices and assign apps to users. This is far more flexible but, in a one-device-per-person model, it appears to be complexity for the sake of it. It makes tons more sense if you understand that one user might have many devices.

The Mess

Basically, I have two problems with our MDM:

  • I made groups for specific classes - as they were in 2013. That means that this year, I'm still managing groups that have names one year out of date.
  • I have way too many ad-hoc groups for various quick hacks around the above structure.

Casper allows you to have two groupings of devices and four of users:

  • Static Mobile Device Groups
  • Smart Mobile Device Groups
  • Static User Groups
  • Smart User Groups
  • Buildings (for devices)
  • Departments (for devices)

The smart groups are dynamic: their membership is whichever users or devices currently meet the specified criteria.

Further, two distinct objects can be "scoped" to these six collection types:

  • Sets of apps, called VPP Assignments, can be scoped to individual users or to user groups, whether smart or static.
  • Configuration Profiles can be scoped to individual mobile devices, smart or static mobile device groups, buildings or departments.

Finally, Casper allows you to create "extension attributes" (EAs) for both mobile devices and users. These are custom key/value pairs that you can add to either record type. All my User objects have an EA named "Class" that describes the class they are in.

Firstly, at the moment I have apps scoped to smart user groups. These user groups are generated by matching the users' Class EA against a specific value.

Secondly, I have configuration profiles scoped to a mixture of different things. In 2013 I defined each class through the "department" attribute on the device, so some classes are reached by scoping configuration profiles to their 2013-14 department. Later I also created static device groups such as "2014-15 Primary 7" to distinguish that class from the "2013-14 Primary 7" that is still encoded in the device's department attribute.

This is, as you might imagine, a bit of a mess:

  • There are too many steps to put a device into the "right" group for all the settings they need to have.
  • A device needs to have its department set to its user's class - as it would have been in session 2013-14.
  • The device might also need to be manually added to a static group representing the correct class for 2014-15.
  • The User needs to have their Class EA set correctly.
  • It's hard to determine the impact of assigning a profile to a given group or class.

In all of this, the biggest problem is that all these groups change their composition each year. If classes are departments, all the users change department once a year. That's too much churn.

The Future Model for Configuration Profiles

I've taken this opportunity to re-think what we really need in terms of MDM control of app assignment and configuration profile distribution.

One of the first things that I've come to realise is that our deployment of configuration profiles is fairly stable. We have the following profiles that essentially everyone gets:

  • Deploy a web clip linking to CEOP
  • A subscription to the school's calendar feed
  • Restrict iMessage and FaceTime
  • Disable shared photo streams
  • Require passcode
  • Restrict in-app purchase
  • Prevent installing profiles
  • Prevent account changes

Almost everyone gets these profiles and they very rarely change. We also apply a couple of security profiles through Apple Configurator that limit apps to 12+ and disable downloading movies and TV shows.

In the past, it was necessary to have class-specific device groups as that was also how you scoped the distribution of VPP coupon codes.

In the future, I think class-specific device groups will be less necessary. I will probably just have one main device group named "All Managed iPads" and scope these configuration profiles to that group. If anyone needs to be excluded from these groups, Casper has a "limitations" feature that allows me to specify "everyone in A excluding B", which computes the relative complement of the two sets of users A and B.

There are also a few configuration profiles that I keep up my sleeve in case I need them. Mainly, these are "Disable Camera" and "Disable App Store". These are rarely deployed except as a disciplinary measure. For these profiles, Casper allows me to target them to individual devices. They're never targeted at entire groups.

The Future Model for VPP Assignments

The model of grouping users for VPP assignments is harder. It's harder for several reasons:

  • Students move classes each year
  • Apps are usually a requirement of classes, rather than of students.
  • Students can, from time to time, change class mid-year.
  • The set of apps assigned to a class changes over the course of the year, usually by addition of new apps.
  • Classes are sometimes composite classes of two year groups together and a teacher might only want an app for the upper or lower half of their class.

My plan, right now, looks like this:

  • An "everybody" group, to which our core apps are assigned.
  • An Extension Attribute on each user that is not their "class" but their year of graduation, which is more stable.
  • Another EA on each user that designates them as staff or students.
  • Classes are represented by a VPP Assignment that scopes a specific set of apps to one or more graduation cohorts.

With that structure, all of the following situations are handled:

  • At the end of a year, we simply rename the current VPP Assignments for next year.
  • If the composition of classes changes between sessions, we can change the class smart groups to select on different graduation cohorts.
  • If a student moves grades, we change their graduation year EA which moves them into the right smart groups. This scenario is, honestly, quite rare.
  • Apps are scoped either to "everyone" - for the core apps - or to specific class-based assignment groups.

So that's how I intend to start moving forward in managing our Casper implementation. It allows apps to be assigned to compositions of year groups, if need be. It also minimises the number of structures or fields required to put things into the right place.

As an example, here's what would be required to enroll a new device for a new student:

  • Create a User record for the student with their graduation cohort and staff/student status set correctly.
  • Enroll the device in Casper and mark it as a "managed" iPad. There are a number of attributes in Casper you could use to identify a device as such.
  • Assign the device to its user.

With these steps, the user will be assigned the apps appropriate for their class and the device will acquire the correct configuration profiles.
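To make the proposed structure concrete, here is an added model (not Casper's API, and not code from this site) of the plan above and of the three-step enrolment: users carry "role" and "grad_year" extension attributes, VPP Assignments are scoped to graduation cohorts or to everybody, and configuration profiles go to every managed iPad minus a limitation, plus anything targeted at a single device. All records, app and profile names below are constructed for illustration.

```python
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class User:
    name: str
    ea: dict                          # extension attributes: "role", and "grad_year" for students
    devices: list = field(default_factory=list)

@dataclass
class VppAssignment:
    name: str
    apps: frozenset
    cohorts: Optional[frozenset]      # graduation years in scope; None = the "everybody" group

def in_scope(user, assignment):
    """Smart-group rule: an unscoped assignment hits everyone; a scoped one hits users
    whose grad_year EA is one of its cohorts (staff have no grad_year, so they miss)."""
    if assignment.cohorts is None:
        return True
    return user.ea.get("grad_year") in assignment.cohorts

def apps_for(user, assignments):
    """Union of the apps in every assignment the user currently falls into."""
    return set().union(*(a.apps for a in assignments if in_scope(user, a)))

def profiles_for(device, base_profiles, exclusions, per_device):
    """Base profiles go to every managed iPad, minus any limitation ('everyone in A
    excluding B'), plus profiles targeted at this one device (e.g. Disable Camera)."""
    if not device.get("managed"):
        return set()
    granted = {p for p in base_profiles if device["id"] not in exclusions.get(p, ())}
    return granted | set(per_device.get(device["id"], ()))

def enrol(users, devices, name, grad_year, role, device_id):
    """The three enrolment steps: create the user record with its EAs, enrol the
    device as managed, assign the device to its user. Returns the new user."""
    ea = {"role": role, **({"grad_year": grad_year} if grad_year else {})}
    user = User(name, ea)
    users.append(user)
    devices.append({"id": device_id, "managed": True})
    user.devices.append(device_id)
    return user

# Constructed sample data for a school year; renaming these for next session changes nothing below.
ASSIGNMENTS = [
    VppAssignment("Core", frozenset({"Pages", "Keynote"}), None),
    VppAssignment("2014-15 Primary 7", frozenset({"ScratchJr"}), frozenset({2020})),
    VppAssignment("2014-15 P6/P7 composite", frozenset({"Book Creator"}), frozenset({2020, 2021})),
]
BASE_PROFILES = {"Require passcode", "Restrict iMessage and FaceTime", "CEOP web clip"}
EXCLUSIONS = {"Restrict iMessage and FaceTime": {"ipad-staff-01"}}   # a limitation on one profile
PER_DEVICE = {"ipad-0042": {"Disable Camera"}}                        # disciplinary, single device
```

A student who moves grade mid-year only needs their grad_year EA changed; the smart-group membership and therefore the app set follow from that one edit.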