Articles,Deployment,iOS April 22, 2013 at 11:00 am

Real World Example: 500 iPads from Boxes to Students

One of the topics that comes up at every single Mac Admin conference, gathering, and website is the deployment of iPads. iPads have become ubiquitous for users, schools, and businesses, and suddenly lots of system admins, technology coordinators, directors, and supervisors are being tasked with adopting iPads into their businesses. Many of them are scrambling to figure out the best strategies for mass dissemination of Apple’s latest flagship product. The nitty-gritty details and best practices of deploying iPads have been discussed often, and we won’t see many changes to them until the release of iOS 7, when we all scramble to determine what changes Apple made. Rather than write yet another post on iPad deployment strategies, I thought I’d give another 500 foot overview of the actual process of getting large numbers of devices into the hands of users.

Schools of the Sacred Heart San Francisco has about 1,000 students and roughly 250 faculty/staff. We have been adopting iPads in bits and pieces, starting with one high school’s pilot program and then adding 4th grade and 6th grade classes. After three years of testing the waters, we have decided to take the plunge and fully adopt 1:1 iPads for students, which resulted in the purchase of about 500 iPads from Apple. Within a week of the order, we had a cargo pallet of iPad 10-packs show up at our front door.

Before I start, let me list our goals for this iPad deployment:

  • Collect MAC addresses to add to our RADIUS database for authentication to the school WiFi network.
  • Add device serial number, MAC address, and our own asset tag / barcode to the inventory database.
  • Enroll devices into the CasperSuite MDM.
  • Assign devices to individual users ahead of time, so distribution won’t be random.

Cargo

The iPad 10 packs are fairly straightforward. Each box lists the 10 serial numbers for the iPads contained inside (prefaced with an “S” if you use a barcode scanner), which is a helpful way to collect inventory quickly. 500 iPads means 50 of these boxes, which as you can imagine takes up a fair amount of space. The first and most important goal, of course, is physically securing these iPads. We have a large storage closet full of tech stuff, but the arrival of close to $240,000 worth of Apple devices warranted an increase in security measures, so we rekeyed the closet to a unique key only belonging to the Tech Department.

Various organizations may have their own sorting methods for handling shipments and receivables, but as a school, we don’t have a corporate mailroom. I would suggest you label your boxes with batch numbers (1-10, 11-20, etc.) so it’s much easier to keep track of how many you’ve got, how many you’ve handled, which ones are located where, and how much work you’ve got left to do. It also means you can stack boxes pretty easily without having to dig around and unstack/restack them later, if you’ve got limited space (which, I imagine, many school tech departments do).

Inventory

We use a homegrown FileMaker Pro inventory database, so I must now gather all of this information. The iPads, out of the box, are in the Setup mode, which requires several taps before you’re allowed access to the home screen. As an individual user, the Setup screen is a helpful way to get started with your iPad. As an IT administrator with 500 of them, the Setup screen is terrifyingly tedious. I’d like to avoid having to manually touch each iPad if at all possible. However, you can’t access the wifi MAC address (which I also need for RADIUS authentication to our official wifi network) until you’re past that Setup phase, so I can’t get them on the school wifi until after they’ve been set up.

I did ask our local Apple engineer if there was any way we could get a list of all this information from Apple ahead of time (serial number, MAC address, other stats, etc.) since we placed a large order. Sadly, they have no mechanism for providing this, it seems, as we eschewed AppleCare for the iPads. It was suggested to me that AppleCare might be able to provide this information in the future, so that may benefit readers out there who do invest in AppleCare for iOS devices, but that certainly didn’t help us. The Apple engineer suggested that we enroll the devices into an MDM to collect this info instead (which is a great idea in its own right), but that requires them to be online.

So: the devices can’t get on the official WiFi until they’ve been inventoried in the FileMaker Pro database, which exports the necessary data for importing into RADIUS. I could collect the MAC addresses by enrolling them in an MDM, but I can’t enroll them unless they’re online, and they can’t go online without being in RADIUS. A vicious catch-22 loop.

Thankfully, we do have a guest network present here, which doesn’t require any authentication. If you are in a similar bind, you can create a local wifi network using Internet Sharing from a Mac to accomplish the same goal.

With the guest network, I can change my workflow a bit:

  1. Join devices to guest wifi
  2. Enroll into MDM
  3. Export all information from MDM to inventory database
  4. Once authenticated in RADIUS, join devices to official wifi

The Fun Part

Clearly, I do not want to manually go through Setup on 500 iPads. That would make me very sad, and it wouldn’t be a very constructive use of my time. I could get a bunch of high school students to help out, but that wouldn’t really be a very constructive use of their time either. And we certainly don’t want bored teenagers in charge of our technology needs.

Luckily, we have Apple Configurator, which allows iPad deployment personnel to apply settings in bulk to iOS devices. If you don’t have an iPad cart handy, you can purchase D-Link DUB-H7 USB hubs and daisy chain them together. I’ve got six of them, so that means I can hook up 36 iPads simultaneously to a laptop running Configurator. There are two things I need in order to make this work: a WiFi profile (which Configurator can generate), and an MDM enrollment profile (which the CasperSuite JSS generates for me). Importing both of those profiles into Configurator (or using Configurator to generate the WiFi profile) is our first step.

The feature that really makes a big difference here is our ability to save and restore backups from iPads. Right now, all the devices are in the out-of-the-box Setup state. I can take one device and go through setup until I get to the home screen (when asked to join a wifi network, I join the guest network manually). This device, iPad Master, I plug into Configurator, and save a backup of the device in its current state as “iPad Temp Network”: joined to the guest wifi and past the setup screen. Once the backup has completed, I can deploy the two profiles to test them out. I choose to Supervise them, because I’ve noticed some odd behavior with backups and unsupervised devices. In previous testing, the restored backup dumped the device back at the setup phase, which I obviously don’t want. The device (which is already on the guest network) should now be enrolled in CasperSuite and spawn the Self Service web clip (if you have a different MDM, this may behave differently).

Action!

Since I now have a working backup, and working profiles that have been tested, I can deploy this to a full batch of 36 devices. Here’s the exact workflow I’ve tested to make this happen:

1) Prepare the devices by adding Supervision and the Guest network wifi profile. Restore to the backup I created earlier, “iPad Temp Network.” This is what Configurator looks like:

[Image: Configurator]

2) Once devices have been restored to the backup with the wifi profile, they should now be Supervised and therefore show up in the Supervise tab in Configurator. This is where I deploy the MDM Enrollment profile, which I’ve found not to function properly if you do it as part of the restore process when Preparing. The Supervise tab looks like this:

[Image: Supervise]

3) The devices are now enrolled in MDM and on the guest wifi network. Since I’ve named them all “iPad Temp Network,” it’s really simple for me to create a saved search in CasperSuite that pulls them all up immediately. I basically only need this criterion:

[Image: CasperSearch]

The only other addition is adding the serial number and MAC address to the list of displayed fields.

4) Running this search gives me a list of all devices with that name, which are the ones I just enrolled via Configurator. I can use CasperSuite’s export feature to get a CSV of this list of devices, which now contains serial number, name, and MAC address. I can now import this CSV file into FileMaker Pro, matching the appropriate fields as necessary.

5) Magic happens now: the devices are extracted from the inventory and entered into RADIUS, which allows the iPads to now join the regular network.
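A pre-import check for the CSV from step 4, added here as an example (it is not part of the original article, CasperSuite, or FileMaker Pro): it reconciles the export against the serial numbers scanned from the box labels, so only devices you actually received, each with a well-formed and unique MAC address, are passed on to RADIUS in step 5. The column names, serial numbers, and MAC addresses are constructed assumptions.

```python
import csv
import io
import re

# Constructed sample data. Column names are assumptions, not CasperSuite's real headers.
MDM_EXPORT = """Name,Serial Number,Wi-Fi MAC Address
iPad Temp Network,DMPK1AAAF182,02:00:00:00:10:01
iPad Temp Network,DMPK1AAAF183,02-00-00-00-10-02
iPad Temp Network,DMPK1AAAF184,0200.0000.1003
iPad Temp Network,DMPK1AAAF185,02:00:00:00:10:01
iPad Temp Network,DMPK1ZZZF999,02:00:00:00:10:05
"""
# Box-label scans as the barcode scanner reports them, with the leading "S".
BOX_SCANS = ["SDMPK1AAAF182", "SDMPK1AAAF183", "SDMPK1AAAF184",
             "SDMPK1AAAF185", "SDMPK1AAAF186"]


def normalize_mac(raw):
    """Return lowercase colon-separated MAC, or None unless it is exactly 48 bits of hex."""
    digits = re.sub(r"[:.\-\s]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        return None
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def reconcile(export_csv, box_scans):
    """Split the MDM export into rows safe to import and rows needing a human look."""
    # Assumes every entry came from the scanner, so exactly one "S" prefix is dropped.
    expected = {s[1:].upper() for s in box_scans if s.startswith("S")}
    approved, rejected, mac_owner, seen = {}, [], {}, set()
    for row in csv.DictReader(io.StringIO(export_csv)):
        serial = row["Serial Number"].strip().upper()
        mac = normalize_mac(row["Wi-Fi MAC Address"])
        seen.add(serial)
        if serial not in expected:
            rejected.append((serial, "serial not on any box label"))
        elif serial in approved:
            rejected.append((serial, "duplicate serial in export"))
        elif mac is None:
            rejected.append((serial, "malformed MAC"))
        elif mac in mac_owner:
            rejected.append((serial, "MAC already used by " + mac_owner[mac]))
        else:
            mac_owner[mac] = serial
            approved[serial] = mac
    # Scanned from a box but absent from the export: never enrolled, or still boxed.
    missing = sorted(expected - seen)
    return {"approved": approved, "rejected": rejected, "missing": missing}


if __name__ == "__main__":
    print(reconcile(MDM_EXPORT, BOX_SCANS))
```

Only the `approved` rows should be imported; `rejected` and `missing` are the devices to pull from the batch and check by hand before anything is added to RADIUS.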

Cleanup

The devices are enrolled in MDM, on the guest network, but now authenticated to RADIUS. So now I can undo all that previous work and do what really needs to be done, which is to unsupervise them, unenroll them from MDM (optional), and apply the correct wifi network.

6) Now that I’ve got what I wanted from them in Casper MDM, I don’t really need them there anymore. If I’m going to continue to use them with MDM, I can go ahead and leave them in the CasperSuite inventory list and ignore them. It might be better to rename these devices so that they don’t keep showing up in the “iPad Temp Network” search, but it’s really not a big deal.

7) I want to Unsupervise them from Configurator. Unsupervising them will restore them back to out-of-the-box state, so that means if I want to add

About Nick McSpadden

I'm Client Systems Manager for Schools of the Sacred Heart, San Francisco. I'm in charge of all OS X and iOS deployments to our faculty, staff, and students.

3 Comments

  • We started off with about 35 iPod Touches and deployed about 4 classes with those and then started off with the iPad Minis now. Every 3 months we have a new start of Nursing Students.

    All I wanted to do was set up the iPods/iPads so the student got them and when they turned them on they were at the home screen and had the needed apps downloaded and everything ready to go. All they would have to do is make an Apple ID then.

    The problem, students started to see the Updates number on the AppStore app and they would go to do the updates, but couldn’t because the apps were installed with our Admin Account. This really sucks, because it would have made deployment so much easier.

    Apple needs an option to allow apps to be updated by anyone. Would make deployment so much easier for the students.

    Other than that it’s been going pretty good. Because of this limitation I wrote a manual and they now get the iPads new in a sealed box on the first day with any books needed and the manual and our first launch about 3 months ago led to 0 students showing up to our office. They all got them set up without the help of IT!

    One thing to note is if you have a bulk of users creating accounts make sure you contact your Apple SE and have your IP whitelisted or they will think you’re a DDoS attack and block your IP. We had this happen during one of our iPod rollouts and caused a nightmare in the middle of setup. So before every start I send an email with our IP to Apple to whitelist us for 30 days.

    That’s been the biggest problem here is users not being able to update apps when the apps are downloaded by another user. Hopefully that gets fixed at some point. We aren’t the only ones that tried that setup from what our SE told us.

    But I guess for now handing them out with a manual is the way to do it for us.

  • Terrifying – absolutely, horrifically, terrifying! I can see my retirement approaching.

  • FastGM3

    If your district or business has any kind of budget and you’re deploying hundreds perhaps thousands of iPads, you may want to look into these USB hubs. We currently have over 3500 devices enrolled in the Casper MDM, and this hub certainly helped us.

    http://www.ipadcarts.com/solutions/DS-IP-49-SYNC.htm

    I dream of one to one deployment, our iPads are basically multi user and it’s been a nightmare to manage!