One of the rising topics of discussion that continually returns to every single Mac Admin conference, gathering, and website is the deployment of iPads. iPads have become ubiquitous for users, schools, and businesses now, and suddenly lots of system admins, technology coordinators, directors, and supervisors are being tasked with adopting iPads into their businesses, and many of them are scrambling to figure out the best strategies for mass dissemination of Apple’s latest flagship product. The nitty-gritty details and best practices of deploying iPads have been discussed often, and we won’t see many changes to them until the release of iOS 7, when we all scramble to determine what changes Apple made.

Rather than write yet another post on iPad deployment strategies, I thought I’d give another 500-foot overview of the actual process of getting large numbers of devices into the hands of users.

Schools of the Sacred Heart San Francisco has about 1,000 students, and roughly 250 faculty/staff. We have been adopting iPads in bits and pieces, starting with one high school’s pilot program and then adding 4th grade and 6th grade classes. After three years of testing the waters, we have decided to take the plunge and fully adopt 1:1 iPads for students, which resulted in the purchase of about 500 iPads from Apple. Within a week of the order, we had a cargo pallet of iPad 10-packs show up at our front door.

Before I start, let me list our goals for this iPad deployment:
- Collect MAC addresses to add to our RADIUS database for authentication to the school WiFi network.
- Add device serial number, MAC address, and our own asset tag / barcode to the inventory database.
- Enroll devices into the CasperSuite MDM.
- Assign devices to individual users ahead of time, so distribution won’t be random.

The iPad 10 packs are fairly straightforward. Each box contains the 10 serial numbers for the iPads contained inside (prefaced with an “S” if you use a barcode scanner), which is a helpful way to collect inventory quickly. 500 iPads means 50 of these boxes, which as you can imagine takes up a fair amount of space.

The first and most important goal, of course, is physically securing these iPads. We have a large storage closet full of tech stuff, but the arrival of close to $240,000 worth of Apple devices warranted an increase in security measures, so we rekeyed the closet to a unique key only belonging to the Tech Department.

Various organizations may have their own sorting methods for handling shipments and receivables, but as a school, we don’t have a corporate mailroom. I would suggest you label your boxes with batch numbers (1-10, 11-20, etc.) so it’s much easier to keep track of how many you’ve got, how many you’ve handled, which ones are located where, and how much work you’ve got left to do. It also means you can stack boxes pretty easily without having to dig around and unstack/restack them later in the future, if you’ve got limited space (which, I imagine, many school tech departments do).

We use a homegrown FileMaker Pro inventory database, so I must now gather all of this information. The iPads, out of the box, are in the Setup mode, which requires several taps before you’re allowed access to the home screen. As an individual user, the Setup screen is a helpful way to get started with your iPad. As an IT administrator with 500 of them, the Setup screen is terrifyingly tedious. I’d like to avoid having to manually touch each iPad if at all possible. However, you can’t access the wifi MAC address (which I also need for RADIUS authentication to our official wifi network) until you’re past that Setup phase, so I can’t get them on the school wifi until after they’ve been set up.

I did ask our local Apple engineer if there was any way we could get a list of all this information from Apple ahead of time – serial number, MAC address, other stats, etc. – since we placed a large order. Sadly, they have no mechanism for providing this, it seems, as we eschewed AppleCare for the iPads. It was suggested to me that AppleCare might be able to provide this information in the future, so that may benefit readers out there who do invest in AppleCare for iOS devices, but that certainly didn’t help us. The Apple engineer suggested that we enroll the devices into an MDM to collect this info instead (which is a great idea in its own right), but that requires them to be online.

So: the devices can’t get on the official WiFi until they’ve been inventoried in the FileMaker Pro database, which exports the necessary data for importing into RADIUS. I could collect the MAC addresses by enrolling them in an MDM, but I can’t enroll them unless they’re online, and they can’t go online without being in RADIUS. A vicious catch-22 loop.

Thankfully, we do have a guest network present here, which doesn’t require any authentication. If you are in a similar bind, you can create a local wifi network using Internet Sharing from a Mac to accomplish the goal similarly.

With the guest network, I can change my workflow a bit:
- Join devices to guest wifi
- Enroll into MDM
- Export all information from MDM to inventory database
- Once authenticated in RADIUS, join devices to official wifi
The Fun Part
Clearly, I do not want to manually go through Setup on 500 iPads. That would make me very sad, as well as not be a very constructive use of my time. I could get a bunch of high school students to help out, but that wouldn’t really be a very constructive use of their time either. And we certainly don’t want bored teenagers in charge of our technology needs.

Luckily, we have Apple Configurator, which allows iPad deployment personnel to apply settings in bulk to iOS devices. If you don’t have an iPad cart handy, you can purchase D-Link DUB-H7 USB hubs and daisy chain them together. I’ve got six of them, so that means I can hook up 36 iPads simultaneously to a laptop running Configurator.

There are two things I need in order to make this work: a WiFi profile (which Configurator can generate), and an MDM enrollment profile (which the CasperSuite JSS generates for me). Importing both of those profiles into Configurator (or using Configurator to generate the WiFi profile) is our first step.

The feature that really makes a big difference here is our ability to save and restore backups from iPads. Right now, all the devices are in the out-of-the-box Setup state. I can take one device and go through setup until I get to the home screen (when asked to join a wifi network, I join the guest network manually). This device, iPad Master, I plug into Configurator, and save a backup of the device in its current state as “iPad Temp Network” – joined to the guest wifi and past the setup screen.

Once the backup has completed, I can deploy the two profiles to test them out. I choose to Supervise them, because I’ve noticed some odd behavior with backups and unsupervised devices – in previous testing, the backup dumped back at the setup phase, which I obviously don’t want. The device (which is already on the guest network) should now be enrolled in CasperSuite and spawn the Self Service web clip (if you have a different MDM, this may behave differently).

Since I now have a working backup, and working profiles that have been tested, I can deploy this to a full batch of 36 devices. Here’s the exact workflow I’ve tested to make this happen:

1) Prepare the devices by adding Supervision and the Guest network wifi profile. Restore to the backup I created earlier, “iPad Temp Network.” This is what Configurator looks like:

2) Once devices have been restored to the backup with the wifi profile, they should now be Supervised and therefore show up in the Supervise tab in Configurator. This is where I deploy the MDM Enrollment profile, which I’ve found not to function properly if you do it as part of the restore process when Preparing. The Supervise tab looks like this:

3) The devices are now enrolled in MDM and on the guest wifi network. Since I’ve named them all “iPad Temp Network,” it’s really simple for me to create a saved search in CasperSuite that pulls them all up immediately. I basically only need this criterion:

The only other addition is adding the serial number and MAC address to the list of displayed fields.

4) Running this search gives me a list of all devices with that name, which are the ones I just enrolled via Configurator. I can use CasperSuite’s export feature to get a CSV of this list of devices, which now contains serial number, name, and MAC address. I can now import this CSV file into FileMaker Pro, matching the appropriate fields as necessary.

5) Magic happens now – the devices are extracted from the inventory and entered into RADIUS, which allows the iPads to now join the regular network.

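
A check that could sit between steps 4 and 5, as an added example that is not part of the original post: it compares the MDM export against the serial numbers scanned from the 10-pack boxes and normalizes the MAC addresses before anything is imported into the inventory and RADIUS. The CSV column names and all sample serials and MAC addresses are constructed assumptions.

```python
import csv
import io
import re

# Constructed sample data. Column names are assumptions about the MDM export.
MDM_EXPORT = """Name,Serial Number,Wi-Fi MAC Address
iPad Temp Network,XSAMPLE00001,02:00:00:00:00:01
iPad Temp Network,XSAMPLE00002,02-00-00-00-00-02
iPad Temp Network,XSAMPLE00003,02:00:00:00:00:01
iPad Temp Network,XSAMPLE00004,02:00:00:00:00
iPad Temp Network,XSAMPLE09999,02:00:00:00:00:09
"""
# Constructed barcode scans from the 10-pack labels (scanner adds a leading "S").
BOX_SCANS = ["SXSAMPLE00001", "SXSAMPLE00002", "SXSAMPLE00003",
             "SXSAMPLE00004", "SXSAMPLE00005"]


def normalize_mac(raw):
    """Return the MAC as 12 lowercase hex digits, or None if malformed."""
    digits = re.sub(r"[:.\-\s]", "", raw).lower()
    return digits if re.fullmatch(r"[0-9a-f]{12}", digits) else None


def reconcile(export_text, box_scans):
    """Split export rows into accepted {serial: mac}, rejected, and missing."""
    expected = {s[1:] if s.startswith("S") else s for s in box_scans}
    accepted, rejected, mac_owner = {}, [], {}
    for row in csv.DictReader(io.StringIO(export_text)):
        serial = row["Serial Number"].strip().upper()
        mac = normalize_mac(row["Wi-Fi MAC Address"])
        if serial not in expected:
            rejected.append((serial, "serial not in scanned shipment"))
        elif mac is None:
            rejected.append((serial, "malformed MAC"))
        elif mac in mac_owner:
            rejected.append((serial, "duplicate MAC of " + mac_owner[mac]))
        else:
            mac_owner[mac] = serial
            accepted[serial] = mac
    # Scanned devices that never produced a usable row still need attention.
    missing = sorted(expected - set(accepted))
    return accepted, rejected, missing


if __name__ == "__main__":
    ok, bad, missing = reconcile(MDM_EXPORT, BOX_SCANS)
    print(len(ok), "rows ready for the inventory/RADIUS import")
    for serial, reason in bad:
        print("REJECT", serial, reason)
    print("scanned but not accepted:", missing)
```

Only the accepted rows go on to the import; rejected and missing serials are followed up by hand so the RADIUS list contains one valid MAC address per device that was physically received.
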
The devices are enrolled in MDM, on the guest network, but now authenticated to RADIUS. So now I can undo all that previous work and do what really needs to be done, which is to unsupervise them, unenroll them from MDM (optional), and apply the correct wifi network.

6) Now that I’ve got what I wanted from them in Casper MDM, I don’t really need them there anymore. If I’m going to continue to use them with MDM, I can go ahead and leave them in the CasperSuite inventory list and ignore them. It might be better to rename these devices so that they don’t keep showing up in the “iPad Temp Network” search, but it’s really not a big deal.

7) I want to Unsupervise them from Configurator. Unsupervising them will restore them back to out-of-the-box state, so that means if I want to add