Enrolling in Apple's DEP is probably the best first step. Then devices are enrolled out of the box.
Step 1 is to update the server. Luckily, this is an easy process to go from 6.3 to 7.2. Having said that, since you are on 6.3 I seriously doubt your MDM server is still working if it was ever configured. Your Apple Push cert would have expired by now and would not have been renewable with 6.3.
Step 2 as Patrick mentioned is enroll in DEP and VPP. Start at http://deploy.apple.com for both.
What DEP does is as a device is reset or powered on for the first time, you pick a wifi, and then the device just knows and binds to your LANrev MDM server. You can supervise the device this way, push iOS apps using VPP to the device, and do everything else you wanted with the exception of wifi sort of.
So, how to do this...
I am assuming that you have MDM configured correctly, are running at least 7.2, and are enrolled in DEP and VPP and you have gotten those tokens from Apple and put them in the Server Center > Server Settings > MDM tab.
First, go to the Mobile Devices Window
On the left scroll down until you get to ASSIGNABLE ITEMS
Select Device Enrollment Profiles
Right click on the right to create a new one.
Here are the General settings I would suggest for a device that would not have an AD account associated to it
Decide which Setup Assistant Options you want to allow the user to skip as well.
In the same area (ASSIGNABLE ITEMS) is Third-Party Applications
Assuming you setup your VPP token correctly, apps you purchase on Apple's VPP site will automatically appear here.
Now go to Actions under ASSIGNABLE ITEMS
Right click on the Right hand side and create a New Enable Activation Lock Action
This will make it so even if the student figures out a way to lock the device, you can always override it and gain control of the device again.
Now select Configuration Profiles under ASSIGNABLE ITEMS
Create a new iOS profile.
Under the Restrictions area, look for Allow modifying account settings (Supervised devices only) [iOS 7+] and uncheck it. This will prevent the user from entering an Apple ID to even enable Find My iPhone.
For email you would also create a configuration profile, but it will depend on what type of email server you have. If the device was enrolled using AD Authentication during the DEP process, an email configuration profile can be created that will really simplify the setup.
Now everything is created that you want to assign, you just need a policy to assign it to.
On the left hand side click on POLICIES
On the right hand side, right click and create a New Smart Policy: Mobile Devices...
Create a policy for all your devices you want these items applied to. This would be all iOS devices...
Now if you open up that policy, you will see the same sections as ASSIGNABLE ITEMS
Open them up and you can make automatic assignments to the devices. This is where you will want to assign your Device Enrollment Profile, Configuration Profiles, Actions and Third-Party Applications that you created under ASSIGNABLE Items. You can drag the items to the category you want.
Anyway, that should get you started. It may make sense for you to talk to your sales person about getting some professional services to assist with some of this to simplify your life, make sure your old server is still good and give you some best practices guidance.
Thank you Rob and Patrick for sharing your knowledge on this topic.
This is a good start. Lots of reading and testing on my side.
Rob Morton wrote:
... You can supervise the device this way, push iOS apps using VPP to the device, and do everything else you wanted with the exception of wifi sort of.
Yeah - WiFi works as well but it's a pain in the neck to set up. We have a special server just for this, it generates automatically all the necessary wifi certificates to connect to our network and renews them automatically. I myself am unsure about the details of this, since my colleague set it up. But, we have a profile which tells the phone to connect to our certificate distribution server which then creates a certificate, gives it to the MDM and this pushes it to the phone.
Yeah, that sounds much more complicated than I was even referring to. The basic issue most see is...
MDM pushes everything wirelessly
Oh can you configure WiFi?
Sure, you join it to your WiFi and then we can push out a profile to configure it to your WiFi.
In general with a school, it won't be that extreme for certificates. You can basically use Apple Configurator 2 to install the WiFi and hand off to DEP/MDM Server for everything else if you want a close to 0 touch deployment. You can also configure a staging area with an access point called AppleStore or Apple Store. Evidently iOS devices will auto join a wireless with that SSID.
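As an added example (not LANrev's or Apple's code, and not something any poster in this thread supplied), here is what the two pieces the thread keeps returning to look like inside an actual iOS configuration profile: the supervised-only "Allow modifying account settings" restriction from Rob's step list, which is the `allowAccountModification` key of the Restrictions payload, and a bootstrap Wi-Fi payload of the kind used to get a device onto the network before DEP/MDM takes over. It builds the `.mobileconfig` with Python's `plistlib` and includes a small audit function so you can check a profile you did not write yourself. The payload types and keys are the documented Apple profile keys; the SSID, password, payload identifiers and organization name are constructed sample values.

```python
"""Build and audit an iOS configuration profile (.mobileconfig) with plistlib.

Added example, not LANrev or Apple code. The payload types and keys
(com.apple.applicationaccess / allowAccountModification,
com.apple.wifi.managed / SSID_STR, AutoJoin, HIDDEN_NETWORK,
EncryptionType, Password) are documented Apple profile keys; the SSID,
password, identifiers and organization name below are constructed samples.
"""
import plistlib
import uuid

RESTRICTIONS_TYPE = "com.apple.applicationaccess"
WIFI_TYPE = "com.apple.wifi.managed"


def _payload(ptype, identifier, display_name, **keys):
    """Common header that every payload dictionary must carry."""
    p = {
        "PayloadType": ptype,
        "PayloadIdentifier": identifier,   # constructed sample identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": display_name,
    }
    p.update(keys)
    return p


def build_profile(ssid, psk=None, lock_account=True, org="Example School District"):
    """Return a serialized profile with two payloads.

    lock_account=True adds the supervised-only restriction that stops the
    user from adding an Apple ID (and therefore from turning on Find My
    iPhone themselves). psk=None produces an open network, which the audit
    below flags; pass a pre-shared key for a WPA2 bootstrap network.
    """
    payloads = []
    if lock_account:
        payloads.append(_payload(
            RESTRICTIONS_TYPE, "com.example.mdm.restrictions", "Restrictions",
            allowAccountModification=False,
        ))
    wifi_keys = {
        "SSID_STR": ssid,
        "AutoJoin": True,
        "HIDDEN_NETWORK": False,
        "EncryptionType": "WPA2" if psk else "None",
    }
    if psk:
        wifi_keys["Password"] = psk
    payloads.append(_payload(WIFI_TYPE, "com.example.mdm.wifi", "Bootstrap Wi-Fi", **wifi_keys))

    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": "com.example.mdm.ios-baseline",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "iOS baseline",
        "PayloadOrganization": org,
        "PayloadRemovalDisallowed": True,   # user cannot remove it from Settings
        "PayloadContent": payloads,
    }
    return plistlib.dumps(profile)


def audit_profile(data):
    """Parse a .mobileconfig and report the settings the thread cares about."""
    profile = plistlib.loads(data)
    findings = {
        "account_modification_blocked": False,
        "removal_disallowed": bool(profile.get("PayloadRemovalDisallowed", False)),
        "open_wifi_payloads": [],   # SSIDs configured with no encryption
    }
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType")
        if ptype == RESTRICTIONS_TYPE and payload.get("allowAccountModification") is False:
            findings["account_modification_blocked"] = True
        if ptype == WIFI_TYPE and payload.get("EncryptionType", "None") == "None":
            findings["open_wifi_payloads"].append(payload.get("SSID_STR"))
    return findings


if __name__ == "__main__":
    blob = build_profile("SchoolNet", "constructed-sample-psk")
    print(audit_profile(blob))
    with open("ios-baseline.mobileconfig", "wb") as fh:
        fh.write(blob)
```

The Wi-Fi payload here is only the bootstrap network that gets the device talking to the MDM server; the per-user certificate setup described later in the thread would replace it with an enterprise (EAP) Wi-Fi payload pushed once the device is enrolled. The Enable Activation Lock action from the step list is an MDM command rather than a profile key, so it does not appear in the file. Note that `allowAccountModification` only takes effect on supervised devices, which is exactly why DEP enrollment comes first.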
We push the certificates over the air, they all have cellular data, so no problems there. Only thing is that we have personalized certificates, and in order to get such a certificate the device must already be in the wifi network - circle of doom. So we push a general certificate to join the company wifi and then generate a user specific one.
Yeah, so very similar issue, just with an added complication to include.