iPad Basics - Deployment
What is Apple School Manager
Apple School Manager is a simple, web-based portal for IT administrators to deploy iOS, macOS, and tvOS devices all from one place. When used with your mobile device management (MDM) solution, you can configure device settings and buy and distribute apps and books. And Apple School Manager integrates with Student Information Systems (SISs) and SFTP so you can quickly create accounts with school rosters and classes.
If you’re already enrolled in the Device Enrollment Program (DEP) or the Volume Purchase Program (VPP), you may be able to upgrade your existing programs to Apple School Manager, bringing together everything needed to deploy iOS, macOS, and tvOS devices.
Before you enroll, make sure you’re using a supported browser and have the necessary information ready for setting up your account.
- Safari 9 or later on macOS
- Google Chrome 35.0 or later
- Microsoft Edge on Windows
Use the name of a person when setting up the account, not the name of a role or group. This account is known as the administrator account. You can give up to four managers administrator access once your enrollment is approved.
The following information is required:
- First and last name of the individual enrolling on behalf of the organization.
Note: This must be a legal, human name. First and last names such as “IT Coordinator” or “iPad Deployment” will be returned to you to correct the information.
- A work email address that isn’t associated with an iTunes or iCloud account, and that hasn’t been used as an Apple ID for any other Apple service or website.
Important: Don’t use this new Apple ID with an iTunes or iCloud account, or any other Apple services or website other than Apple School Manager.
- Work phone number
- Role/Job title
This person, usually a legal representative of your organization, verifies that you have the authority to sign and bind your organization to the terms and conditions of Apple School Manager. The information given for this contact can’t be the same as for the individual submitting the enrollment. This person is contacted during the enrollment process to verify information about the initial account and the organization.
Note: During the review process, your verification contact is contacted by phone and asked to confirm information about you and your organization before your enrollment is approved. Make sure that any filters allow mail from all apple.com domains. Return any missed phone calls quickly so that the enrollment process can proceed smoothly.
The following information is required:
- Work email address
- Work phone number
- Role/Job title
The following information is required:
- Country or region
- Legal name of the organization
- Mailing address
- Phone number
- Website URL
- Time zone and language
- Organization type (K–12 or higher education)
- Supplier information
- An Apple customer number, if purchasing direct from Apple
The legal name and mailing address of the organization should match those associated with the Apple customer number.
Note: When entering your Apple customer number, leave off any leading zeros.
- An DEP Reseller ID, if purchasing Apple devices from a participating Apple Authorized Reseller or carrier
Enroll In Apple School Manager
Get started with the enrollment process by clicking the support guide below.
Upgrade to Apple School Manager
If you enrolled in Apple Deployment Programs on or after February 26, 2014, your organization may be able to upgrade from Apple Deployment Programs to Apple School Manager. How you enrolled determines your ability to upgrade. Upgrading includes moving all MDM servers, device orders and assignments, and management-level accounts. Apple ID for Students accounts aren’t upgraded or transferred to Apple School Manager.
What are managed Apple ID's?
What are Managed Apple ID's?
Like any Apple ID, Managed Apple IDs are used to sign in to a personal or shared device. They are also used to access Apple services—including iCloud, iTunes U courses, and collaboration with iWork and Notes—and Apple School Manager. Unlike Apple IDs, Managed Apple IDs are owned and managed by your school or district and are designed to meet the needs of education organizations—including password resets, limitations on communications, and role-based administration. Apple School Manager makes it easy to create a unique Managed Apple ID for each person in bulk.
Note: When you use Managed Apple IDs with iWork collaboration, that collaboration is limited to Managed Apple ID accounts within your organization.
Important: A user with a Managed Apple ID can lock themselves out of their account if they enter an incorrect password more than 10 times. To reset their password, the user must contact an administrator, People Manager, or another user with password reset privileges.
How Managed Apple IDs are created
Managed Apple IDs are created after you:
- Import accounts from your Student Information System (SIS)
- Import .csv files using the Secure File Transfer Protocol (SFTP)
- Create accounts manually
Important: Keep in mind that every Managed Apple ID must be unique. It also can’t conflict with other Apple IDs that your staff, teachers, and students may already have.
Restricted services and features
Some Apple services and features are disabled for Managed Apple IDs. For example:
- App Store (allows browsing but not purchasing, paid or free)
- iTunes Store (allows browsing but not purchasing, paid or free)
- iBooks Store (allows browsing but not purchasing, paid or free)
- Messages (can be enabled for users in Apple School Manager)
- FaceTime (can be enabled for users in Apple School Manager)
- iCloud Keychain (although, keychain items are saved and restored on Shared iPad devices)
- HomeKit-connected devices
- Apple Pay
- iCloud Mail
- Find My iPhone
- Find My Mac
- Find My Friends
- iCloud Family Sharing
- The ability to lock a note
Note: Not all of these services are available in all countries or regions.
Additionally, Managed Apple IDs are prevented from enrolling in private courses created outside the user’s organization. For example, Managed Apple IDs can subscribe to any public course or public collection, and can enroll in any private course created by a Managed Apple ID within the same organization.
Use Managed Apple ID's
Use Managed Apple ID's
As an administrator or manager, you use Managed Apple IDs in three main ways, with accounts, classes, and roles. A big advantage as of March 27th, 2018 is that Managed Apple ID users get 200gb of iCloud storage for free.
- Accounts: Administrators can complete a range of tasks within Apple School Manager to manage accounts. For example, you can assign roles or reset passwords for a specific set of users.
- Classes: A class is a collection of teacher and student accounts. Classes have at least one teacher added when the class is created. After a class is created, it’s used with your MDM solution to enable classes to appear in the Classroom app for iPad and Shared iPad, and to simplify the experience for students using Shared iPad.
- Roles: After a Managed Apple ID is created for a user, the administrator can then assign roles for the user.These roles include manager, teacher, staff, and student. These roles define which tasks users can perform in Apple School Manager with their Managed Apple ID.
In addition, the administrator and manager can manually add an account at any time, such as when a temporary teacher is added to your school. You can also view and edit account information, such as the user’s name, ID number, grade level, and more. Depending on your role, you can also reset a user’s Managed Apple ID password, send them a verification code so they can sign in, and deactivate or restore an account.
Create Managed Apple ID's
Recommended Managed Apple ID structure
A Managed Apple ID should be different from a user’s personal or work email address to help avoid confusion and possible conflicts with an existing Apple ID.
- A unique user name to the left of the at sign (@).
You can use information from the user’s Student Information System (SIS) account, such as an email address or other account name, as the unique user name. You can also create a unique user name from their names, initials, or ID numbers. If two users end up with the same user name, Apple School Manager will add a number to differentiate them.
For example, scottmiller1@ would be the unique username.
- Text immediately to the right of the @ sign.
Apple recommends using “appleid.” as the text for all accounts.
For example, scottmiller1@appleid. would be the beginning of the full Managed Apple ID.
- The domain of your school.
For example, a fully complete Managed Apple ID would be email@example.com.
Important: This should be your organization’s registered domain name. Don’t use a domain name you created because this can cause all created Managed Apple IDs to fail.
Be sure you use the same formula for all Managed Apple IDs in your organization.
Create Managed Apple IDs from existing email addresses
Managed Apple IDs don’t have to be the same as user email addresses. If everybody in your organization has an email address and those addresses have never been used for the Device Enrollment Program, Volume Purchase Program, or personal iTunes or iCloud accounts, then you can choose to create Managed Apple IDs using those email addresses.
Important: If you choose to use existing email addresses for Managed Apple IDs, the user will have to remember two passwords—the original one that is associated with their email address, and the one associated with their Managed Apple ID.
Managed Apple IDs, roles, and passwords
When you create each account, you assign a role that defines the privileges for that account. If you’re importing from your Student Information System (SIS), the individual doing the import automatically assigns roles.
You can define password policies for each account, and it’s easiest to assign them per role. Student role accounts can have a simpler four- or six-digit passcode. Teacher, Staff, Manager, and Administrator accounts must have strong passwords consisting of at least eight characters.
Managed Apple ID password complexity
When you add users to Apple School Manager, you set a password complexity for that user. That complexity level dictates which Lock Screen appears when a user signs in with Shared iPad. A four- or six-digit passcode shows only digits on the screen. A complex password shows the full keyboard. When the user signs in with their Managed Apple ID and their initial password, they are prompted to change their password using the level of complexity you initially set in Apple School Manager.
If you add Profile Manager as one of your MDM servers to Apple School Manager, you have the option of merging any users in Apple School Manager to Profile Manager. When you do this, those users appear in the Profile Manager users list. After they appear, you can view their Managed Apple ID password type in the About tab. For more information on merging users, see Merge Apple School Manager accounts.
Important: If you set the Lock Screen behavior to a four- or six-digit passcode and the Apple School Manager setting for that user is set to a complex password, that user must manually enter their Managed Apple ID and password.
Inspect Managed Apple IDs
Organizations can comply with legal and privacy regulations by using Managed Apple ID inspection. Administrator, manager, and teacher accounts can be granted inspection privileges for specific accounts (those used on organization-owned devices that are configured for multiple users). Inspectors can monitor only accounts that are below them in the school’s hierarchy. For example, teachers can monitor students, and administrators can inspect managers, teachers, and students.
To inspect an account, an authorized user must create special inspection credentials within Apple School Manager for a specific Managed Apple ID. These credentials can be used only to access that Managed Apple ID, and they expire after 7 days. During that period, the inspector can read and modify the user’s content stored in iCloud Drive or in CloudKit-enabled apps. Every request for access is logged in Apple School Manager. Logs show the inspector’s name, the Managed Apple ID in question, the time of the request, and whether or not the inspection was performed. All users with inspection privileges can search these logs, which discourages misuse of inspections.
Create Managed Apple IDs
- Click your name in the upper-right corner, then choose Setup Assistant.
- Click Add next to Create Accounts and Classes in Setup Assistant.
- Click Change Settings to view the options for the Managed Apple ID. They are:
- Domain: This option is everything to the right of ”@appleid.” in the Managed Apple ID.
- Include “appleid.” in the domain: This option prevents potential conflicts by prepending “appleid.” to the existing domain name.
- Select your settings for each group, then click Save Format to close the format window and return to Setup Assistant.
- Click Preview Accounts and Classes to view all the proposed Managed Apple IDs for the selected groups.
- If the Managed Apple IDs are approved, click Create Managed Apple IDs to begin the process. You can view the progress in Setup Assistant.
- Click Skip Setup Assistant.
You can also edit the default Managed Apple ID formats within the Settings for your Location.
Edit Managed Apple ID Format
Edit Managed Apple ID Format
In some cases, it may be necessary to change the Managed Apple ID for several accounts or all locations. For example, if the domain name of the organization changes. Managers who have the “Create, edit, and delete Managed Apple IDs” privilege can edit the Managed Apple ID of user accounts.
There are two options when changing Managed Apple ID formats:
- Change the Managed Apple ID format for all locations: This changes the format for all new users. Existing users still use the original format.
- Change the Managed Apple ID format for users: This changes the format for all new and existing users.
See the support guide below for more information on changing Apple ID formats.
What is MDM?
A service that lets you remotely manage enrolled devices. Once a device is enrolled, you can use the MDM service over the network to configure settings and perform other tasks on the device without user interaction. Profile Manager is an MDM server that is part of macOS Server and there are also many third-party MDM servers. Mobile device management is supported on Mac computers with OS X 10.8 or later installed, and on iOS devices with iOS 5 or later installed.
Considerations for choosing an MDM solution
Several MDM solutions are available for different server platforms. Each solution offers its own management console, features, and pricing. Before you choose an MDM solution, review this section to see which features are most important to your organization.
Enrollment in MDM typically leverages the Simple Certificate Enrollment Protocol (SCEP).
Apple iOS Deployment Reference
The process for deploying devices in your organization depends primarily on whether your organization or the user owns the devices
Assign devises added from Apple Configurator.
You can add iOS and tvOS devices to Apple School Manager using Apple Configurator, regardless of where the devices were purchased. When you set up a device that has been manually enrolled, it behaves like any other enrolled device, with mandatory supervision and mobile device management (MDM) enrollment.
Your account contains a record of all the orders you have placed directly with Apple after March 1, 2011. Because accounts with participating Apple Authorized Resellers or carriers may not keep records going back to March 1, 2011, consult your participating Apple Authorized Reseller or carrier for your account’s order timeline.
You can unassign devices from an MDM server. For example, if a device is moved from one location to another, you can unassign it from one MDM server and assign it to another MDM server. If you keep the device in the program, it simply becomes associated with another MDM server.
What is content deployment.
Apple School Manager and your MDM solution work together so your organization can buy apps and books in volume, assign them to devices or users, and then install and update them wirelessly, even if the App Store is disabled.
Note: Books obtained from the iBooks Store, once assigned, become the property of the Managed Apple ID and can’t be reassigned.
Plan for migration to Apps and Books
To get started migrating, Content Managers with VPP accounts must migrate their licenses to a location in Apps and Books.
Within your organization, you can move licenses from one location to another. You can also transfer licenses in order to consolidate VPP purchases from multiple accounts or to decentralize and distribute licenses to match your organization’s structure.
Plan for app and book distribution
App and book distribution works best when apps and books are assigned before devices are configured or given to users.
Select and buy content
Apps and Books provides a streamlined purchasing process.