MDM for VPP, iTunes accounts, iBooks in large rollout

First, I'm going to refer you to Apple Education's IT Resources page here. There, you'll find the iOS5 deployment guide and some other articles on things like using Configurator, deployment models, etc. The deployment guide hasn't been updated to iOS 6 yet, but not much has changed concerning deployment since iOS 5 other than using Configurator for device prep and staging instead of iTunes.

Deployment Models

Apple advertises 3 choices here - Personal, Institutional and Layered. Simply put, if you want your users to "own" the apps and devices your organization purchases for them, you're going to choose Personal. If you want to maintain control of everything top down, including disabling the App Store, you'll choose Institutional. Finally, and this is the more common approach, if you want to maintain ownership of the device and only apps that your organization purchases but allow end user access to App Store with his/her Apple ID, you'll choose the Layered model.

For my examples here on out, I'll be sticking with the Layered model since you can extrapolate the info to fit into either the Personal or Institutional models.

Apple IDs

VPP
Sounds like you may already have VPP setup and running, so I'll just mention info on this setup briefly. First, create a "program manager" account - i.e. applevppmanager@school.com. Next, you'll create "facilitator" accounts within Apple's VPP Program Manager Portal that will actually be used to purchase VPP codes for apps. How many you create here will be based off of your business requirements but, generally speaking, IT maintains control of all IT purchases out of its budget so create yourself a single facilitator account for now - i.e. applevpp_it@school.com.

From here, it's as simple as signing into the VPP Education Portal with your facilitator account, redeeming volume vouchers that are purchased (they MUST be true Apple Volume Vouchers purchased from your Education Store, NOT iTunes gift cards), and purchase x # of app "licenses" per device they will be deployed to.

Deployment Apple IDs for use with iTunes/Configurator:

Take it from me, you'll want to abide by the KISS method here and use as few Apple IDs as you can. Apple now allows more than 5 activations for a single Apple ID, but you'll need to speak to your account team to have this setup. Because use cases seem to vary between Student grade levels (K-5, 6-8 and 9-12) and Staff, I would assign Apple IDs based off of this model - i.e. iTunes_esstudent@school.com, iTunes_msstudent@school.com, iTunes_hsstudent@school.com, and iTunes_staff@school.com. You'll want to use a single Mac per school. If you want, you can use up to 2 for each user type (staff/student), but you can accomplish this by simply creating a user profile for each instance on a single Mac.

Your deployment Apple IDs are the 3rd and final "role" in the VPP process and although it's not documented by Apple as such, I call them the "redeemer" role. These Apple IDs are activated in iTunes on the corresponding Macs they'll be used with and then later signed into Configurator when deploying apps. The VPP codes get "redeemed" when Apple Configurator installs an app on a device (more on this later).

App Deployment/updates

Currently, Apple doesn't support a real "push" method for apps even though MDM vendors like AirWatch tout iOS as being able to do so. For OTA deployment, you're either uploading VPP codes and "recommending" to the user to download the app with his/her Apple ID from the App Store (thus losing control of this "license" forever) OR you are uploading apps that are downloaded from iTunes and sending a request to the user to install them (the keyword here is "request", it's up to the end user to install). The latter of these two methods is the messiest, requires the most moving parts, and at the end of the day is unsupported by Apple at this time. Plus, if your MDM environment isn't setup to facilitate the install of a ~500MB app to 10,000 devices, you're going to have a bad time.

So, what do we have that's fully supported, works consistently every time and still allows your organization to maintain it's licensing even after it's been used previously? The answer is Configurator. Now, this post wasn't asking about how to use Apple Configurator so I won't go into too much detail but, as a long time user since beta 1, I can tell you that this method is tried and true.

First, download Configurator from the Mac App Store. Second, download the apps in iTunes that you plan to deploy with the Apple ID you've activated on that Mac. With the Layered model, I don't recommend deploying any free apps that aren't required by your deployment (i.e. MDM clients, VPN apps, etc) since users will still be able to use his/her Apple ID. Lastly, from the Prepare tab in Configurator, go to the Apps tab. From here, you're going to import the raw .ipa files for apps that are downloaded (~/Library/Music/iTunes/iTunes Media/Mobile Applications). Once the apps are imported, you'll see a caution symbol with 0 next to it...click there and this is where you'll import your VPP codes for each app. Again, I'm not going over Configurator 101 here, but you'll need to Supervise, name and select the apps you'd like to install and prepare each device accordingly.

Later, when it's time to update an app, you'll simply update the app in iTunes, import the updated app .ipa in Configurator (Configurator will prompt you when doing this) and reconnect each device and "refresh" from the Supervise tab. Configurator will automatically update the app and retain the user data.

Device UI conformity

This is the most difficult question to answer when asked how to deploy and maintain device UI conformity. The short answer is you can out of the gate, but not during the lifecycle. If the devices are meant for 1:1 personal use, I'd simply tell you to concede to the idea. If they are meant for shared use, however, this can be accomplished in Configurator but will need to be reconnected and refreshed more frequently. At this time, there's no way to "lock" a home screen from being altered by the end user. Also, if user data retention is a requirement as well, you'll want to explore Configurator's User Assign feature before choosing to conform devices on a regular basis - more on that here.

Remote Desktop/ARD

Short answer: no. You can enroll a device in MDM and view the device's inventory, but no remote desktop support currently.

Textbooks

Honestly, the best way to handle textbooks currently is to concede to "gifting" them to your students. Short of deploying devices that are owned by you under the Institutional model above, Apple doesn't support any method other than issuing redemption codes to be redeemed by the end-user's personal iTunes Account. At the end of the day, if you're purchasing $.99 textbooks per student every term, you'll need to retain the use of a corresponding "real" textbook for roughly 50 years before it's cheaper to not go digital...just something to keep in mind here.

Recommendations

With all this being said, you'll have to choose a deployment model that suits your District's business goals. In the ~2 years experience I have with iOS deployments in my school district, I can tell you that app deployment still remains to be the biggest pain point these days. We recently went through an update cycle that took about a month to update 5 apps across ~16,500 device in a staged manner. If I were you and your District can support it financially, do yourself a favor and go with the Personal app deployment model, but maintain control of the device by supervising it with Configurator and deploying it with a suitable MDM solution. This recurring annual cost can be financed by implementing an optional protection plan where your district is the owner/maintainer. For example, if you deploy 10,000 devices and offer an annual OPP at a cost of $50 per year, even at an 80% adoption rate you would still accumulate $400,000 of revenue. Assuming you run a breakage rate of even up to 50%, that still leaves you somewhere between $50k-$100k each year to purchase apps and textbooks for new students.

If you have any other questions, feel free to PM me or you can reach out to me on Twitter - @thomrburg.

-T

(edited to included info on how many Macs to use per school)

James,

Since this method isn't supported by Apple and could allow you to skirt Apple's EULA, I don't really feel it's responsible to post a detailed workflow here. With that being said, you'd have to first satisfy Apple's DRM requirements on your devices for a particular Apple ID, download apps required by your deployment with that same Apple ID in iTunes, upload the apps to your MDM server (App Store app uploads must be supported by the MDM vendor) and later deploy the apps only to devices for which DRM was satisfied for the same Apple ID.

As for the end-user experience, the user would be prompted that the MDM server is requesting that he/she install an app. As long as DRM is satisfied on that device, the app would then be downloaded and installed FROM the MDM server, not the App Store. The end user wouldn't be prompted for his/her Apple ID. The biggest glaring downside here is Apple regularly updates its signed keys for Apple ID's DRM on apps, and the only way to refresh these keys are by installing an app or update through the App Store app on the device, iTunes or Configurator. The end-user can also refuse the install or update and won't be prompted for it again until you trigger another update.

-T