skip to primary navigationskip to content
 

Managing Apple devices in the University

Managing Apple devices in the University using Apple enterprise programmes.

Apple deployment programmes

handdrawn imacApple provide the following to support managing macOS, iOS and tvOS devices in the enterprise:

  • Mobile Device Management (MDM)
  • Device Enrolment Programme (DEP)
  • Volume Purchase Programme (VPP)
  • Apple School Manager (ASM)

It is current best practice to use these technologies and it is likely their use will become mandatory at some point in the future.

Mobile Device Management (MDM)

MDM is a protocol comprising of commands that can be used to manage Apple devices. The commands cover installing configuration profiles, App Store apps and device management such as locking, rebooting, remote wipes and software updates.

The MDM protocol is published here. There are many implementations of MDM such as:

The School, Department or College will be responsible for running their own MDM server of choice. UIS uses Jamf Pro for centrally managed Macs and can offer advice on its use as well as limited advice on other MDM products.

Device Enrolment Programme (DEP)

DEP is a technology that automatically enrols Apple devices into an MDM environment. When integrating an MDM server with DEP, a certificate is generated by the MDM server and then signed by Apple. This is imported into Apple School Manager to create a trusted link between the MDM server and the DEP pool.

When an Apple device is purchased from one of the Apple Higher Education Framework Resellers it should be automatically added to the DEP pool for the University of Cambridge and related Institutions. Devices can be then requested to be assigned to an MDM server by an institution.

Eligible devices must be purchased through one of the following channels:

  • Apple Higher Education Portal (prior to Apple HE Tender)
  • Apple HE Tender Supplier (Academia, XMA, Insight, Stone)

Devices not purchased through one of the above channels cannot be used with Device Enrolment.

During device activation with Apple (this happens when the device joins the network after the first boot of a new device or a wipe and reinstall) the device is directed to enrol with the assigned MDM server. Configuration is then applied with no user interaction required.

UIS has signed up to the DEP on behalf of the University of Cambridge and related Institutions.

Volume Purchase Programme (VPP)

VPP originally gave bulk discounts on Apple applications such as the iLife and iWork suites, Logic Pro and Final Cut Pro. Now it is primarily used to purchase App Store apps that can be deployed over the air to devices without use of an Apple ID. Applications can also be removed and redeployed to another device.

UIS has signed up to the VPP on behalf of the University of Cambridge and related Institutions.

Apple School Manager (ASM)

Apple School Manager is an Apple-provided web portal that allows MDM servers to be linked to the DEP pool and users created with responsibilities to manage aspects of DEP and MDM as well as associate devices to MDM servers.


Preparing to manage Apple devices

Steps and responsibilities

Step Institution action UIS Apple Support action
1 Institution selects and provisions MDM server
2 A DEP certificate signing request is generated by the MDM server and emailed to
3 CSR is uploaded to ASM and certificate is generated by Apple. This is returned to the institution.
4 VPP account is created for the Institution and an initial password provided.
5 VPP account is added to the MDM server.
6 Serial or IMEI numbers of devices to be managed are provided.
7 Devices are assigned to the MDM server.

Note: Steps 6 and 7 will be repeated whenever an Institution wishes to add more devices to their managed fleet. Devices can also be unassigned from an MDM server.

The benefits of Apple's enterprise deployment programmes

Aside from the fact that the direction of travel with Apple will likely make use of these programmes mandatory if Apple devices are to be managed in the future, there are the following benefits:

  • Devices are provisioned and configured through a secure and trusted channel.
  • App Store apps, management and configuration profiles can be delivered to any device connected to the internet.
  • The end user can use their own Apple ID to install apps that belong to them.
  • Some IT system admin tasks that are now restricted in newer macOS releases are available when a device is provisioned via DEP and MDM – for example, kernel extension whitelisting allowing seamless installs of McAfee AV products, DropBox etc.
  • Devices are activation-locked, allowing remote wipe, lost mode etc. and preventing the device from being wiped and sold.

Contact us

For more information please contact .

 

 

 

Apple support Twitter feed

UIS Service Desk


  Phone padded  01223 332999

UIS Service Status

Phone padded  Service status line: (01223) 463085
Website  Sign up for SMS/email status alerts
Website  Read major IT incident reports

UIS bITe-size bulletin


A regular newsletter aimed at the University's IT community, highlighting service and project news from UIS.

Sign up >  |  Back issues

RSS Feed Latest news

Lecture capture: Panopto planned maintenance on Saturday 4 January

Dec 09, 2019

Lecture capture recordings will be unavailable during the evening of Saturday 4 January 2020 because Panopto is undergoing an upgrade.

Major upgrade to the phone system during 28–29 December

Dec 09, 2019

The University phone service will be disrupted on Saturday 28 and Sunday 29 December while we perform the annual upgrade of the system's core software.

View all news