Deploying Shared iPads the New-Old Way

After spending a couple of weeks just getting more and more frustrated at the mess Apple has made with Configurator 2 (AC2) and Profile Manager (PM), I discovered a way to use Configurator 2 along with Configurator 1.7 (AC1) to get the results I am actually after.

In AC1, it was relatively easy to wipe devices by restoring from a backup. The iPads would get wiped, apps pushed back out over USB, and the devices renamed. AC1 had no trouble remembering whatever name had been previously assigned to the iPad, and re-applying that name during the restore process. The renaming part is one of the areas where AC2 seems to fail. It's like it forgets device names during the restore. This is very bad when you want the device name to match the uniquely numbered name printed on the device itself.

The biggest problem with the continued use of AC1 exclusively for the deployment of the iPads is that it does not support the ability to skip all of the "Welcome steps" of iOS9+ (the Setup Assistant), and there are a lot of steps now. Following a restore, it is necessary to manually skip through the steps of not setting a passcode, region, location services, and more. You have to do this on every iPad, so it is not realistic to continue using AC1 exclusively for managing the iPads.

Aside from the renaming problem in AC2, there seems to be a major problem with app deployment. First, the new app deployment mechanism in AC2 does not use the old method of downloading apps via iTunes and importing the .app file; it requires you to use "Managed Distribution" for all of your apps whether they are paid or free. If you want to deploy apps over USB during the restore process, you have to give AC2 the VPP Apple ID. When I did this, it reported that it was going to revoke the authority of PM to manage distribution of apps! I am assuming that this also means I would only be able to use this single computer to manage our apps, which is not possible across multiple sites.

The final piece that AC2 seems to break is that all of our iPads end up in the wrong timezone (and thus show the wrong time). I think restoring from a backup may deal with this, but I'm not sure.

It seems to be lose-lose, but it's not.

Note: For the following method, you must still have AC1 installed, or be able to install it. I'm not sure if you can still download it, but we still had it installed on our computer used to manage the iPads.

To start, make sure that all of the iPads you want to manage are prepared and supervised by AC1. Assign all device names using AC1. Once complete, quit AC1 and run AC2. In AC2, use the Migration tool to import all of the information from AC1. Once complete, you will be able to manage the iPads using both AC1 and AC2! If you add more devices later, you will need to add the new devices in AC1 and use the Migration tool again, but otherwise you just need to go through this process once.

When you need to wipe a shared device (or devices), follow these steps.

Run AC2 and connect all of the devices. Apply a blueprint that Prepares the iPads and applies profiles. The Prepare options are where you can disable the various iOS Welcom Screen (Setup Assistant) options. It will warn you that the connected devices are going to be erased. Just tell it to go ahead.

Once the process completes (takes about an hour for us), quit AC2 and run AC1. Select the iPads you have just restored and click Refresh. AC1 will push out any apps and profiles that are supposed to be on the devices, and it will rename the devices with the previously defined names!

Unplug the iPads and you will find that the Welcome steps have been skipped (well, those that can be skipped), your apps have been restored, and AC1 even sets the right timezone. If you've installed the PM management profile, you can even use it to push new profiles and apps remotely from PM later.

As far as I can tell, this is the best way to manage a collection of shared iPads that need to be regularly wiped. I would love to hear from others if they have found a better way.

Deploying iPads the new way

Oddly enough, the thing I struggled with the most for this entry was the title. Here were some that went through my head at various stages of deploying (or preparing to deploy) a new batch of shared iPad Minis this past week.
  • Apple Configurator 2 Challenges
  • Apple Configurator 2 and Profile Manager Challenges
  • Why does DEP need to exist?
  • iPads for Schools: Only if You're 1:1
  • Apple Hates You
Over the last few years, we have been downloading codes for use with Configurator 1.x, and happily deploying to various iPad carts from separate computers across three sites. Certain options in Configurator even made it relatively easy to wipe and restore the iPads when they were returned from our pre-service Teacher Education students, something that I imagine is important in any iPad deployment where the iPads are shared.

In addition to Configurator, we have been using Meraki for some management and deployment. Our most recent acquisition of a new batch of iPads for use in the program pushed us over the 100 device limit for using Meraki for free. We started looking at the various MDM options, and the cost quickly added up. This is where Profile Manager comes in. This is also where dependency madness began.

Profile Manager and Configurator 2 lead to updates being required for virtually everything else. OS X had to be upgraded to El Capitan on the computer running Configurator. OS X Server had to be upgraded on our Mac Pro, which in turn also required El Capitan.

So, with everything ready, I started the deployment process. Well, actually, several different deployment processes trying to figure out just how to adequately manage over 100 shared iPads.

Now, the iPads are kept in carts, and they are numbered. The new iPads have numbers inscribed on them. The old iPads have labels affixed. Well, Configurator lets you automatically number iPads during the Prepare process, so great, right? Sort of. Here are the options in Configurator 2.

  1. Plug in all of the iPads and let Configurator 2 name them, randomly assigning numbers that do not actually correspond to the numbers on the iPads.
  2. Plug in all of the iPads and assign them all the same name in the Prepare process. Next, unplug all of them. Finally, plug them back in one at a time and manually name them.
  3. Plug them in and Prepare them one at a time, manually assigning the name.
In other words, all the options suck, and it gets worse.

When wiping and restoring the iPads to ensure no personal photos or data are on them (remember, these are shared iPads), Configurator 2 completely forgets which iPad had which name! Are you kidding me, Apple?! I tried several methods to restore hoping that the name would be retained, but it was all in vain. I ended up giving up and assigning the same name to all the iPads, knowing full well what the repercussions would be.

With Profile Manager configured, I downloaded the management and trust profiles, and started the Prepare process. Of course, a few of the iPads had issues during this process and didn't finish completely. No problem, right? Oh, wait. The iPads do not have unique names that correspond to the iPad numbers! Now I have to pull the iPads out of the cart in search of the problematic ones! 

The next step was deploying apps. Our paid apps will have to wait, because Configurator 2 does not support the spreadsheet method anymore. We can convert all of our old licenses, but this has to be coordinated across multiple locations and departments (the reason we purchased downloadable codes with separate spreadsheets to begin with). This is also where Profile Manager comes in. I began pushing the apps (50 of them) out to the iPads. The iPads are all connected to the same WiFi network, and based on the progress, it seems like it's going to be a multi-day process. The best part? It would need to do this every time we need to wipe the iPads! They're shared devices, so we need to wipe them regularly. Oh, and an iPad can fail during this process as well, which means manually trying to figure out which iPad is the problem.

OK. So, use Configurator 2 to push the apps out, right? When I tried to setup our VPP account on Configurator 2, I am told that it will remove the management from Profile Manager, so I lose the remote management capability! Is this for real?!

OK, OK. I'll make a backup of an iPad with the apps already installed, then restore that backup to the rest of the iPads! Nope. Restoring the backup to a test iPad not only lacked any of the installed apps, it complained about failing to install the management profile! ARGH!!!

I need to circle back around a little, because an on-going issue with management profiles is Apple's DEP (Device Enrolment Program). The management profiles installed to the iPads can be removed by any user, without a password. The only way around this is to enroll in DEP, and only devices purchased within a given timeframe can be added to DEP (forget about the collection of iPad 2's we purchased several years ago). How does this make any sense?! How is it not possible for Apple to simply allow management profiles to be password protected?! This is absolutely insane!

I can only hope that I have missed some critical step somewhere. I have Googled and pretty much found nothing but complaints about being "forced into Configurator 2". I suspect the problems I have described are not currently "solvable".

It comes as no surprise to me that Chromebooks are gaining in popularity for education. iPad deployment, especially for shared devices, is a nightmare.