
Managing Apple devices in the University

Managing Apple devices in the University using Apple enterprise programmes.

Apple deployment programmes

Apple provide the following to support managing macOS, iOS and tvOS devices in the enterprise:

  • Mobile Device Management (MDM)
  • Device Enrolment Programme (DEP)
  • Volume Purchase Programme (VPP)
  • Apple School Manager (ASM)

It is current best practice to use these technologies and it is likely their use will become mandatory at some point in the future.

Mobile Device Management (MDM)

MDM is a protocol comprising commands that can be used to manage Apple devices. The commands cover installing configuration profiles and App Store apps, and device management tasks such as locking, rebooting, remote wipes and software updates.

The MDM protocol is published here. There are many implementations of MDM such as:

The School, Department or College will be responsible for running their own MDM server of choice. UIS uses Jamf Pro for centrally managed Macs and can offer advice on its use as well as limited advice on other MDM products.

Device Enrolment Programme (DEP)

DEP is a technology that automatically enrols Apple devices into an MDM environment. When integrating an MDM server with DEP, a certificate is generated by the MDM server and then signed by Apple. This is imported into Apple School Manager to create a trusted link between the MDM server and the DEP pool.

When an Apple device is purchased from one of the Apple Higher Education Framework Resellers it should be automatically added to the DEP pool for the University of Cambridge and related Institutions. An institution can then request that devices be assigned to an MDM server.

During device activation with Apple (this happens when the device joins the network after the first boot of a new device or a wipe and reinstall) the device is directed to enrol with the assigned MDM server. Configuration is then applied with no user interaction required.

UIS has signed up to the DEP on behalf of the University of Cambridge and related Institutions.
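
To confirm on a Mac that the automatic enrolment described above took effect, the output of `profiles status -type enrollment` (macOS 10.13.4 and later) can be classified as below. This is an added example, not UIS code; the sample outputs are constructed and the state labels are this example's own.

```shell
#!/bin/sh
# Classify a Mac's enrolment state from `profiles status -type enrollment`.
# Reads that command's output on stdin and prints one label (labels are
# hypothetical names chosen for this example):
#   dep-enrolled    enrolled with MDM through DEP
#   user-approved   MDM enrolment approved by the user, but not via DEP
#   mdm-unapproved  MDM enrolled without user approval; macOS withholds
#                   restricted payloads such as kernel extension policy
#   unmanaged       no MDM enrolment
#   unknown         expected lines missing (older macOS, truncated output)
classify_enrollment() {
    awk -F': *' '
        /^Enrolled via DEP:/ { dep = $2 }
        /^MDM enrollment:/   { mdm = $2 }
        END {
            if (dep == "" || mdm == "") { print "unknown";       exit }
            if (mdm !~ /^Yes/)          { print "unmanaged";     exit }
            if (dep == "Yes")           { print "dep-enrolled";  exit }
            if (mdm ~ /User Approved/)  { print "user-approved"; exit }
            print "mdm-unapproved"
        }'
}

# Constructed sample outputs, one per state the function distinguishes.
SAMPLE_DEP='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)'
SAMPLE_MANUAL='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)'
SAMPLE_UNAPPROVED='Enrolled via DEP: No
MDM enrollment: Yes'
SAMPLE_NONE='Enrolled via DEP: No
MDM enrollment: No'

# On a Mac, report the live state; on other systems only the function
# and the samples are defined.
if command -v profiles >/dev/null 2>&1; then
    profiles status -type enrollment | classify_enrollment
fi
```

A device bought through the framework resellers and assigned to an MDM server should report `dep-enrolled` after activation; any other result on such a device means the assignment or the enrolment did not complete.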

Volume Purchase Programme (VPP)

VPP originally gave bulk discounts on Apple applications such as the iLife and iWork suites, Logic Pro and Final Cut Pro. Now it is primarily used to purchase App Store apps that can be deployed over the air to devices without use of an Apple ID. Applications can also be removed and redeployed to another device.

UIS has signed up to the VPP on behalf of the University of Cambridge and related Institutions.

Apple School Manager (ASM)

Apple School Manager is an Apple-provided web portal that allows MDM servers to be linked to the DEP pool and users created with responsibilities to manage aspects of DEP and MDM as well as associate devices to MDM servers.


Preparing to manage Apple devices

Steps and responsibilities

Step | Institution action | UIS Apple Support action
1 | Institution selects and provisions MDM server |
2 | A DEP certificate signing request is generated by the MDM server and emailed to |
3 | | CSR is uploaded to ASM and certificate is generated by Apple. This is returned to the institution.
4 | | VPP account is created for the Institution and an initial password provided.
5 | VPP account is added to the MDM server. |
6 | Serial or IMEI numbers of devices to be managed are provided. |
7 | | Devices are assigned to the MDM server.

Note: Steps 6 and 7 will be repeated whenever an Institution wishes to add more devices to their managed fleet. Devices can also be unassigned from an MDM server.

The benefits of Apple's enterprise deployment programmes

Aside from the fact that the direction of travel with Apple will likely make use of these programmes mandatory if Apple devices are to be managed in the future, there are the following benefits:

  • Devices are provisioned and configured through a secure and trusted channel.
  • App Store apps, management and configuration profiles can be delivered to any device connected to the internet.
  • The end user can use their own Apple ID to install apps that belong to them.
  • Some IT system admin tasks that are now restricted in newer macOS releases are available when a device is provisioned via DEP and MDM – for example, kernel extension whitelisting allowing seamless installs of McAfee AV products, Dropbox etc.
  • Devices are activation-locked, allowing remote wipe, lost mode etc. and preventing the device from being wiped and sold.

Contact us

For more information please contact .
