Reference 2.5 Apple Deployment Programs
In the last year Apple has released or significantly updated three online programs that are specifically designed to help administrators manage groups of Apple devices. The significance of these deployment programs—all found at https://deploy.apple.com—cannot be overstated. For many organizations, these three Apple Deployment Programs are indispensable because managing certain aspects of their Apple deployment without them would be impossible.
Device Enrollment Program
The Apple Device Enrollment Program (DEP) allows administrators to manage the initial activation and setup of iOS and OS X devices. Only devices that are purchased directly from Apple for organizational use can become part of this program. This ensures that only those devices belonging to an organization are affected by the DEP management settings. As a result, a personally purchased Apple device can never be affected by an organization’s DEP settings.
Devices in the DEP service will automatically be redirected to your MDM service during activation and setup. Within your MDM service, you can specify a variety of enrollment and Setup Assistant options. The most significant options include the ability to enforce automatic MDM enrollment and device supervision during the setup process.
This means that individual users, instead of administrative staff, can easily complete the steps needed to enable management for an Apple device. During Setup Assistant, the user can verify the configuration information and optionally be required to provide authentication using your organization’s directory services.
The DEP service is also the only means to enable device supervision over the air and to prevent the removal of an MDM enrollment. Further, devices that are reset will conform to your enrollment and Setup Assistant options as long as they are still part of the DEP service. This situation not only makes reprovisioning devices a snap, it also acts as a strong theft deterrent by preventing unauthorized users from completing the device setup.
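The enrollment options described above (enforced enrollment, supervision, and a non-removable MDM enrollment) can be checked before a profile is assigned to devices. The following is an added example, not code from this guide or from Apple: it audits a constructed DEP enrollment profile, using key names from Apple's DEP profile format, and assumes a hypothetical MDM host, mdm.example.com.

```python
import json

# Constructed sample profile; the values are invented for illustration.
# Key names (is_supervised, is_mandatory, is_mdm_removable, url) follow
# Apple's DEP profile format.
SAMPLE_PROFILE = json.loads("""
{
  "profile_name": "Example Org default",
  "url": "https://mdm.example.com/enroll",
  "is_supervised": true,
  "is_mandatory": false,
  "is_mdm_removable": true,
  "skip_setup_items": ["Passcode", "Location"]
}
""")

# The options the text singles out, with the value that enforces management.
REQUIRED = {
    "is_supervised": True,      # supervision enabled during setup
    "is_mandatory": True,       # user cannot skip MDM enrollment
    "is_mdm_removable": False,  # user cannot remove the MDM enrollment
}


def audit_dep_profile(profile):
    """Return a list of findings; an empty list means the profile enforces
    enrollment, supervision, and a locked MDM enrollment."""
    findings = []
    for key, wanted in REQUIRED.items():
        actual = profile.get(key)
        if actual is None:
            # A missing key falls back to the service default, so flag it.
            findings.append(f"{key}: not set, expected {wanted}")
        elif actual is not wanted:
            findings.append(f"{key}: is {actual!r}, expected {wanted}")
    # Devices are redirected to this URL during activation; require HTTPS.
    if not str(profile.get("url", "")).lower().startswith("https://"):
        findings.append("url: enrollment URL must use https://")
    return findings


if __name__ == "__main__":
    for finding in audit_dep_profile(SAMPLE_PROFILE):
        print("FINDING", finding)
```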
Volume Purchase Program
The Apple Volume Purchase Program (or VPP) allows administrators in an organization to manage the purchase and licensing of content from the iOS App Store, the Mac App Store, and the iBooks Store. From the VPP website, administrators can purchase new content and manage existing purchases. There are two primary methods for distributing the VPP content: redemption codes or managed license distribution.
The legacy method involves distributing redemption codes for purchased apps. These codes can be deployed locally to iOS devices via Apple Configurator, or distributed remotely using a supported MDM service. Unfortunately, redemption codes deployed to an individual are fully transferred to that user’s Apple ID. Thus, an organization could lose the license upon redeeming the code.
This drawback of redemption codes is the primary reason that most deployments now rely on managed license distribution. With managed licensing, a supported MDM service facilitates the relationship between an organization’s licensed purchase and a user’s Apple ID. VPP licenses for apps can be assigned to individuals as appropriate, and later recovered by the organization for use by another individual. Keep in mind, though, that even with managed license distribution, iBooks Store content cannot be revoked from a user’s Apple ID.
Apple ID for Students
Apple ID for Students, as the name implies, is an online service that gives school administrators the ability to create Apple IDs en masse for their students. Through this program, an administrator can upload lists of students and their associated email addresses for the creation of new Apple IDs.
This program also provides a workflow that allows individuals under the age of 13 to have an Apple ID. It involves having the student’s parent or guardian accept the Apple ID terms and conditions. Apple IDs for students under 13 are limited for the student’s protection. Services and features that shouldn’t be made available to children are disabled for these Apple IDs, including the ability to change the primary email address for the Apple ID.
Even with limitations, it’s important to recognize that Apple IDs created for students are individual Apple IDs that belong to the student, not the organization. Any content or resources that are permanently transferred to the student’s Apple ID belong to that individual student. Furthermore, any student who is 13 years of age or older will have access to all the same services and features as would a standard Apple ID owner. Even students whose Apple IDs were created for them as children will have their Apple ID converted to a standard Apple ID on their 13th birthdays.
The fact that student Apple IDs belong to an individual may seem counterintuitive to many administrators, but it serves as a clear indication of how Apple thinks IT administration should be handled. The goal of the Apple ID for Students program is to make it easier for administrators to provide access to services for the student, not to make it easier for an administrator to restrict access for students.