Ongoing management for Apple devices
All device deployments require ongoing management, which can include reassigning devices and apps, querying devices, and resetting device passcodes.
Send tasks
Your MDM solution can perform a wide variety of administrative tasks on devices that are managed—including changing configuration settings automatically without user interaction, locking or wiping a device remotely, and clearing passcode locks so users can reset their passwords.
These are some of the tasks that are useful in education:
Enabling Lost Mode: Puts the device in Lost Mode and shows information on the Lock screen.
Fetching device location: Prompts the device to report its location if the device is in Lost Mode.
Playing Lost Mode sound: Causes the device to play the Lost Mode sound, allowing it to be located more easily.
Remotely wiping a device: Erases the data on a lost or stolen device.
Clearing a passcode: Clears the passcode on a one-to-one device when a student has forgotten their passcode, so that the student can enter a new one.
Modifying restrictions: Changes settings and policies for a student or device.
Inspect a user account
You can inspect specific Managed Apple IDs. Your organization can grant you inspection privileges for accounts that are below you in the school’s hierarchy. For example, instructors can monitor only students. Administrators can inspect not only students but also instructors and managers.
As an authorized user wanting to inspect a Managed Apple ID, you must create special inspection credentials for that ID within Apple School Manager. You can use these credentials only to access that specific Managed Apple ID. During that period, you can access the user’s content stored in iCloud Drive or in CloudKit-enabled apps. Every request for access is logged in Apple School Manager. Logs show your name (as inspector), the Managed Apple ID in question, the time of the request, and whether or not the inspection was performed. To discourage misuse of inspections by a single user, all users with the proper inspection privileges can search these access logs.
For more information, see Inspect a user account in the Apple School Manager User Guide.
Stream content using AirPlay and Apple TV
With AirPlay, students and teachers can wirelessly stream content from iPad (or a Mac) to a classroom projector or an HDTV, even if the two devices are on different networks. This eliminates the need to join the right network or disclose Wi-Fi passwords. It also prevents reachability issues in complex network environments. Students can share projects and other work on the big screen. Teachers can lead a class brainstorming session or walk everyone through a presentation.
Your MDM solution can prompt the user to mirror their device on a specific Apple TV, without complex configurations. Teachers using the Classroom app can also prompt students to mirror their device to Apple TV.
For more information on AirPlay and Apple TV, see Use AirPlay with Apple devices in Apple Platform Deployment.
Query Apple devices
Your MDM solution can query Apple devices for a variety of information, including hardware serial number, device UDID, Wi-Fi Media Access Control (MAC) address, and FileVault encryption status (for Mac computers). It can also query for software information and restrictions, and list the apps installed on the device. This information can be used to ensure that users maintain the appropriate apps. Some MDM solutions provide innovative and valuable features based on this information, such as notifications triggered by low storage space on a device. This data can be useful for asset management and compliance monitoring.
Update settings and policies
After devices are deployed, you can wirelessly change their configuration settings using MDM. For large deployments, carefully plan any changes to reduce the potential for disrupting student work.
Manage software updates
You can manage how software updates appear for supervised iPhone, iPad, Mac, and Apple TV devices enrolled in MDM. This helps keep your organization’s devices on an existing software version while giving you the time and flexibility to complete a thorough certification of the new release in your specific environment.
You can prevent devices from offering over-the-air software updates to users until a specified period of time has expired since those updates were published by Apple. When you implement this restriction, the default delay is 30 days since update publication before the update is visible to managed supervised devices. However, you can specify a custom value, anywhere from 1 to 90 days. This delay applies to all system updates, although MDM has the ability to send specific updates to devices irrespective of the above restriction.
After an update has been available long enough for the specified delay to expire, that update is offered to users as part of the standard software update notifications and update process. This is fully automatic if the device:
Appears in Apple School Manager
Is enrolled in your MDM solution
Isn’t passcode locked
Is supervised
For Shared iPad, the device must be at the sign-in screen
Note: Passcode locked devices require the user to enter their passcode to complete the update. Devices that aren’t in Apple School Manager require the user to accept the terms and conditions to complete the update.
For more information, see Manage software updates for Apple devices in Apple Platform Deployment.
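The deferral described above can be expressed as a restrictions payload. The following Python sketch is an added example, not part of Apple's documentation: it builds a payload using the `forceDelayedSoftwareUpdates` and `enforcedSoftwareUpdateDelay` keys of Apple's Restrictions payload (`com.apple.applicationaccess`), rejects delays outside the 1 to 90 day range, and computes when a deferred update becomes visible. The payload identifier and the publication date are constructed placeholders.

```python
import plistlib
import uuid
from datetime import date, timedelta

DEFAULT_DELAY_DAYS = 30       # default delay stated on this page
MIN_DELAY, MAX_DELAY = 1, 90  # custom range stated on this page


def build_deferral_payload(delay_days=DEFAULT_DELAY_DAYS,
                           identifier="org.example.restrictions.deferral"):
    """Return a Restrictions payload dict that defers software updates."""
    if isinstance(delay_days, bool) or not isinstance(delay_days, int):
        raise TypeError("delay_days must be an integer")
    if not MIN_DELAY <= delay_days <= MAX_DELAY:
        raise ValueError(f"delay must be {MIN_DELAY}-{MAX_DELAY} days")
    return {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadIdentifier": identifier,  # placeholder, not a real identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "forceDelayedSoftwareUpdates": True,
        "enforcedSoftwareUpdateDelay": delay_days,
    }


def visible_on(published, delay_days=DEFAULT_DELAY_DAYS):
    """Date on which the delay expires and the update is offered to users."""
    return published + timedelta(days=delay_days)


def payload_plist(delay_days=DEFAULT_DELAY_DAYS):
    """Serialize the payload as XML plist bytes for embedding in a profile."""
    return plistlib.dumps(build_deferral_payload(delay_days))


if __name__ == "__main__":
    print(payload_plist(45).decode())
    # Constructed publication date, for illustration only.
    print(visible_on(date(2022, 9, 12), 45))
```

The payload still has to be wrapped in a configuration profile and delivered by your MDM solution to supervised devices.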
Test software updates
Join AppleSeed for IT to test Apple devices (iPhone, iPad, iPod touch, Mac computers, Apple TV, and Apple Watch), and preinstalled apps such as Mail and Calendar. With this program, your professionals and technology managers evaluate the latest prerelease software versions in their unique work environments and offer feedback directly to Apple engineering teams. Your team also takes part in a dedicated bug submission process, detailed testing plans, and forums with other participants.
Maintain your Student Information System (SIS)
After establishing a connection between Apple School Manager and your SIS, Apple School Manager automatically accepts updates from your SIS. Keep your SIS up-to-date, because Apple School Manager considers it the system of record. If you change any of the API tokens or the base URL of your SIS, update these within Apple School Manager immediately to avoid connection issues.
Plan comma-separated value (.csv) file updates
Depending on your organization’s yearly learning plan, you should regularly update information such as teachers, classes, and students with .csv files. This keeps all information up to date and removes any outdated accounts.
Keep track of your core team’s Managed Apple ID accounts
Keep track of the Managed Apple ID responsible for each aspect of your deployment. If you forget an account’s sign-in information, you may be unable to update, move, or manage critical pieces of information. For example, you should keep the following information in a secure note:
Service | Individual | Managed Apple ID | Certificate expiration date
---|---|---|---
Administrator | Amy Frost | af@tsschools.org | NA
Device Enrollment Manager | Andrew Dean | ad@tsschools.org | 09/29/2022
People Manager | Cecilia Dantas | cd@tsschools.org | 09/29/2022
Content Manager | Shannon Serbe | ss@tsschools.org | 09/29/2022
Important: Changing the password of a Managed Apple ID associated with these services requires you to update tokens immediately.
Download a new Apple School Manager token
Download a new token from Apple School Manager and import it into your MDM solution. If the Apple School Manager token expires, your MDM solution won’t be able to change any enrollment settings for devices or receive any roster updates until an updated token is installed. See your MDM vendor’s documentation for specific instructions.
Download a new apps and books token
Download a new apps and books token from Apple School Manager and import it into your MDM solution. If the apps and books token expires, your MDM solution won’t be able to invite users, assign apps or books, or revoke apps until an updated token is installed. See your MDM vendor’s documentation for specific instructions.
Import a renewed APNs certificate
Push certificates are renewed using a Managed Apple ID or Apple ID in the Apple Push Certificates portal. If you lose access to the Managed Apple ID or Apple ID used to initially create the push certificate for your MDM, you may need to reenroll your devices to restore management connectivity. If the APNs certificate expires, the clients won’t be able to receive updates from your MDM solution until an updated certificate is installed on that MDM solution. See your MDM vendor’s documentation for specific instructions on how to import the renewed certificate.
Important: In order to maintain access to this account, you should use a Managed Apple ID created in Apple School Manager. For more information, see the Apple Push Certificates Portal.
Renew your TLS certificate
If the TLS certificate expires, the client won’t be able to receive updates from your MDM solution until an updated certificate is installed on that MDM solution. See your MDM vendor’s documentation and the certificate authority’s (CA) documentation to renew the TLS certificate for your MDM solution.
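Because an expired token or certificate cuts off management until it is replaced, it helps to check the tracked expiration dates on a schedule. The following Python sketch is an added example, not part of Apple's documentation: it reads an inventory in the layout of the secure note above (with the Individual column omitted) and reports what has expired or is due for renewal. The token and certificate rows, the 30-day warning window, and the reference date are constructed assumptions.

```python
from datetime import date, datetime

# Constructed inventory in the page's "secure note" layout, extended with
# the tokens and certificates covered in the renewal sections.
INVENTORY = """\
Administrator | af@tsschools.org | NA
Device Enrollment Manager | ad@tsschools.org | 09/29/2022
Apps and books token | cm@example.org | 10/15/2022
APNs certificate | push@example.org | 08/01/2022
TLS certificate | - | 2022-12-01
"""


def parse_inventory(text):
    """Yield (service, owner, expiry); expiry is a date, None (NA) or 'invalid'."""
    for line in text.splitlines():
        if not line.strip():
            continue
        service, owner, raw = (f.strip() for f in line.split("|"))
        if raw.upper() == "NA":
            expiry = None
        else:
            try:
                expiry = datetime.strptime(raw, "%m/%d/%Y").date()
            except ValueError:
                expiry = "invalid"  # surface bad entries instead of skipping them
        yield service, owner, expiry


def expiry_report(text, today, warn_days=30):
    """Return [(status, service, days_left)] with the most urgent first."""
    rank = {"INVALID": 0, "EXPIRED": 1, "RENEW": 2, "OK": 3, "NO-EXPIRY": 4}
    rows = []
    for service, _owner, expiry in parse_inventory(text):
        if expiry is None:
            rows.append(("NO-EXPIRY", service, None))
        elif expiry == "invalid":
            rows.append(("INVALID", service, None))
        else:
            days = (expiry - today).days
            status = "EXPIRED" if days < 0 else "RENEW" if days <= warn_days else "OK"
            rows.append((status, service, days))
    return sorted(rows, key=lambda r: (rank[r[0]], r[2] if r[2] is not None else 0))


if __name__ == "__main__":
    for row in expiry_report(INVENTORY, today=date(2022, 9, 1)):
        print(row)
```

An entry whose date doesn't match the MM/DD/YYYY format of the table is reported as INVALID rather than silently ignored, so a mistyped date can't hide an upcoming expiration.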
Agree to updated terms and conditions
From time to time, the Terms and Conditions for Apple School Manager may change. These changes may coincide with major operating system releases. If these terms change, you may need to sign in to Apple School Manager and agree to the new terms. Make sure that the administrator email address is active and that someone is responsible for checking that mail in order to be alerted to these changes.
Migrate your MDM solution
In Apple School Manager, changing from one MDM solution to another requires that devices be unenrolled from the first MDM server and enrolled in the new server. Devices that were deployed with nonremovable MDM (a setting that prevents the user from removing a device from MDM) must be unenrolled remotely by the original MDM.
Unenrolling from MDM may remove apps that were deployed by the original MDM solution and delete the content created with those apps.
For these reasons, you want to select the right MDM solution for your needs before moving ahead with any large deployment.
For more information, see Choose a mobile device management solution.
Upgrade devices
Your organization may choose to upgrade devices in your one-to-one deployment during the school year. To facilitate the process, plan a collection event similar to the one you use when the school year ends. At this event, your organization can collect the existing devices from users and distribute new devices. Users restore their devices from an iCloud backup to retrieve their personal data and apps. Enable the Restore screen in the Setup Assistant with MDM to allow users to restore their iCloud backups to new devices. The restore process may require additional network resources, so you may consider staggering the upgrade to evenly distribute the load on your organization’s network.