#iPad Deployment - Do Over.

Source: http://www.eanes.wikispaces.net/iPad+PIlot 
At a recent regional technology directors' meeting, a few colleagues from a district set on deploying iPads in their District, asked a few questions that got me thinking about the following question:
If you had to deploy iPads starting soon, what would you do different from the way you did it in the past?
As a result of that question, I decided to ask a colleague who has deployed iPads in a large urban school district what his thoughts were on the subject.

"So," I began, "what would you do different when deploying iPads than what you did before?"
"I would be sure to choose a central management approach (e.g. Casper)."
Mobile Device Management (MDM) tools display console views of enterprise mobile devices, their users, and user profiles, and usually work with Active Directory or other third-party authentication and authorization platforms to assign privileges and policies. Major names in the MDM space include Good Technology, BoxtoneSybaseZenprise, and MobileIron. Cloud-based MDMs include AirWatchFiberlink, andTangoe.MDMs can enforce password policies and remotely wipe or disable lost devices. They can also install necessary applications and anti-virus clients, load patches, and ensure that any data copied to the device is properly encrypted.The problem with MDM-enforced encryption is that it’s typically an all-or-nothing function. While an iPad supports encryption of data in transmission, stored on the device, and loaded on PCs through iTunes, it’s a device-wide affair. “You cannot go in and say, ‘This application is not allowed to read this data,’” says Chenxi Wang, vice president and principal analyst at Forrester Research Inc. (Source: Email from Steve Young, 1/2012)
"Why is that?" I followed up.
"Some districts are choosing to just roll the iPads out to schools and staff, and it's left up to the individual staff or students to manage them. They are the ones responsible for loading the apps on the iPads."
"What's wrong with that approach?" I countered, although I could guess.
"When a staff or student leaves," he responded, "all their apps go with them. You have to start over with the app. And, you can't have customized profiles that work with particular grade levels or teams of people."
"This is sort of like imaging computers, isn't it?"
"Yeah, exactly, that's what you're doing."
"A centralized management approach...here, let me show you." He clicked on a few links and showed me this interactive chart. "You can see that Casper has the most features with iOS5. That's why if I had to do it all over again, I'd make sure that every device was running iOS5 because it allows you to remotely manage the iPads. There is another one called SCCM which features an adapted called Odyssey."
Source: http://www.enterpriseios.com/wiki/Comparison_MDM_Providers 
"Ok, let's review," as I reviewed my notes:
  1. Choose a mobile device management system, and you recommend Casper right now based on what it can do and the efficiencies it enables for iOS 5 devices and Macs.
  2. Make sure all devices are running iOS 5.
"What's next?" I asked.
"We're able to organize apps according to grade levels, like all high school apps. You can do that by building customized profiles through Apple iPhones' configuration utility."

Source: http://goo.gl/AzIc5
iPhone Configuration Utility lets you easily create, maintain, encrypt, and install configuration profiles, track and install provisioning profiles and authorized applications, and capture device information including console logs.
Configuration profiles are XML files that contain device security policies, VPN configuration information, Wi-Fi settings, APN settings, Exchange account settings, mail settings, and certificates that permit iPhone and iPod touch to work with your enterprise systems.
 iPhone Configuration Utility 3.4  for Windows can be downloaded here: iPhone Configuration Utility for Windows.
For information on how to integrate iOS devices with your enterprise systems, visit http://www.apple.com/support/iphone/enterprise/.
He pulled up the Apple iPhone Configuration Utility on the screen so I could see it, clicking through. "You can do all sorts of things with this, like code it so profiles on the iPad with our WPA2 encrypted keys can't be removed by students."
"Is this how you manage or deploy apps to iPads in the fields?"
"We have Program Facilitators who are empowered to buy apps via Volume Discount, then they issue those to individual iPad users."
"Does each person have their own iPad under their own name? For example, in one district I know, they use their school email address and create a free account with no credit card associated with it. In other districts, they just issue the iPads to staff and students then its used under their own name and they pay for their own apps, whatever they may be. If a Special Ed teacher has to buy a $100 app, then they do that and are reimbursed by the District. How do you handle user accounts?" I asked.
"In my district, we create generic accounts for every iPad issued using GoogleApps for Education (GAFE). Each iPad has a generic account connected to an email through Google. We organize them into sub-domains for management, assigning Program facilitators to campuses."
"What's the role of the Program Facilitator?"
"Their role is to purchase apps through volume purchasing store. You get a discount because you are buying multiple copies. We load up on app codes with the Volume Purchasing account, then give those codes out."
"That is a lot of management, isn't it?" I asked, a bit in awe of the management.
"With Casper, it provides a storefront enabling easier management of everything. If you have to buy 25 copies of Keynote for teachers, you can send those out."

"Are there recommended apps?"
"Yes, we try to organize apps according to the 4Cs and grade level." He paused for a moment, then continued: "Anyone who is trying to do this really needs to chat with Carl Hooker (Eanes ISD) and Carmen Garza (McAllen ISD, who deployed 5000 iOS devices recently)."
"Well, I'll be sure to chat with them! Thanks for your time!"

To review, then, my colleague's recommendations include the following:
  1. Choose a mobile device management system, and you recommend Casper right now based on what it can do and the efficiencies it enables for iOS 5 devices and Macs.
  2. Enroll in the Apple Volume Purchase Program
  3. Make sure all devices are running iOS 5.
  4. Learn to use the iPhone Configuration Utility
  5. Connect with others who have deployed iOS devices and get their advice.
One of the other interesting questions that came up during the discussion at the regional technology directors' meeting was, "How hard is it to separate out iOS devices to have their own network?" This was a curious question because it appears to be more of a BYOD issue...you know, you allocate bandwidth for district-owned machines that have access to more content, and set aside a different network for devices students/staff bring from home. Here's how one person put it:
In addition to many other things, it gives you the ability to create virtual wireless networks (multiple SSIDs) and configure virtual LANs (VLANs). These features let you offer public or separated access, and are usually found only in more expensive enterprise-level gear. You get them and much more at the cost of just a cheap home router.
In this tutorial, we’ll create a second SSID, segregate it from the main SSID, make two of the LAN ports on the back of the router connect to just the new SSID, and leave the other two LAN ports connected to the main SSID.
You might want to, for example, use this second SSID to offer your visitors wireless Internet access, or encrypt it for use by another department in your organization. Plus, you can also plug computers into the individual networks and/or expand each with more access points. We’ll make it so users won’t be able to snoop or communicate with users from the other SSID or LAN ports, to protect your shared folders and resources.
How have you handled this in your district? I heard one person--I don't remember who exactly--have students come in and register their Media Access Control (MAC) addresses.

Helpful Links
Update 1/24/2012: My source for this article offers the following clarifications in bold letters:

iPhone Configuration Utility lets you easily create, maintain, encrypt, and install configuration profiles, track and install provisioning profiles and authorized applications, and capture device information including console logs.
The iPhone configuration utility doesn't have anything to do with itunes purchased apps.
"In my district, we create generic accounts for every iPad issued using GoogleApps for Education (GAFE). Each iPad has a generic account connected to an email through Google. We organize them into sub-domains for management, assigning Program facilitators to campuses."
A set of ipads are tied to one downloader account. It all depends on the grade level, classroom or department but not one for every ipad.
You may also want to read Carl Hooker's perspective in the comments.

Here's how another colleague in Texas schools manages iPads:

If you are in iOS5+ you might think about something like this: 
Reset one of the iPads and then sync it with the iTunes library and all the content, apps you want on it.  Then set all of the configuration and security settings locally on the iPad through the restrictions settings. Make sure you set the iPadto sync wirelessly (and give the iPad a name) and turn on automatic downloads in the store section.  At that point create a backup of the iPad through iTunes (or iCloud).  When you create the backup, make sure you know the time and date of the backup, because you aren't able to name the backup.  You have to chose it from a list of dates/times.  From there you can take the remaining iPads and restore them from that backup through iTunes (or if you have the bandwidth you could reset them, sign into iCloud and pull the settings down from the backup you sent to iCloud).  You may still have to connect each iPad to iTunes to enable the wireless sync option (I can't remember if this comes across from the backup).  As each iPad connects to iTunes (either through the cable or wirelessly) give them a name.  Oh and if you use a wireless config that requires a certificate (like WPA2 or something) then you will have to reset the network connection (the certificate doesn't get pulled through in the backup process). 
At this point you probably are wondering why you wasted your time reading all that, because you are still doing a lot of work.  :) But here's what you now have: 
Same1)You have the same security settings you had before
2)You still have to do some manual interaction with each iPad to sync new apps (only if you have disabled the App Store as part of your restrictions). 
New1)You can now sync content (iTunesU/videos/etc) on the fly wirelessly without any manual changes to individual iPads
2)iPads are set to sync (and automatically download - so you don't have to sync) apps wirelessly (but the app won't show up on the iPad until you re-enable the App Store restrictions)
3)They are named so that if they don't all connect wirelessly you can quickly identify which one(s) has issues.
4)You have an iCloud backup that can be used to restore any iPad on the fly without iTunes if needed
5)And if you set turn on the find my iPad option in iCloud on each device you have a possible way to track down theiPad if it gets lost/stolen
Read more about iPad stuff in schools....

Get Blog Updates via Email!
Enter your email address:
Delivered by FeedBurner

Everything posted on Miguel Guhlin's blogs/wikis are his personal opinion and do not necessarily represent the views of his employer(s) or its clients. Read Full Disclosure


Carl Hooker said…

I agree that centralized management via Casper has saved us quite a bit of time and headache. It's handy for deploying apps and tracking down iPads. Using the iPhone config utility is also extremely helpful when getting the iPads deployed and managed via a cart. However, one of the biggest benefits of the iPad is the freedom with which end-users can explore and customize their learning. That is taken away the second you start managing their account centrally and selecting what they have on their device. We felt, that while it's true there would be some loss with the apps when the person leaves, it's much like a consumable workbook that we used to buy.

For example, we spent over $120,000 in "materials" for ELA curriculum a couple of years ago. If we spend $50 per device (haven't hit that number yet) on all 2300 devices we have, we'd be close, but not quite at that number. Also, when we purchase, we include a $50 app fee so that VPP cards are both with the purchase of the device. Couple that with supplemental IMA dollars and we've more than covered our expenses this far, and have enough to maintain indefinitely. (or as long as the IMA exists)

So you see, he's right on track with the IT side of management, where we differ is in the educational approach. For some districts that will be a cost-benefit decision they will have to make at some point. For us, we're going forward with the use of their own accounts. After all, I'd hate for a student to go to college using some educational apps he got from us :-)
Tammy Worcester said…
Miguel -

Thanks for taking the time to post this well-written article. The more we share our frustrations and successes with mobile learning environments, the easier it will become for all!

- Tammy Worcester
Silver Lining said…
Interesting article but nothing is one size fits all. Decide on how you want to use the devices first, establish a solid governance framework that includes configuration management based on the use cases then pick the MDM (and there are several products out there) that allows you to optimize your use case, fits into your mobile architecture (you ought to have one before you buy your first iPad but we recognize it rarely happens that way) and is consistent with your security and policy goals. We help organizations deploy these consumer devices across the enterprise (mostly local governments, healthcare organizations and schools) and the approaches need to be as unique as the organizations and missions -- there is not a silver bullet or one size fits all approach. Good luck all!

Popular posts from this blog

COVID-19 Droplet Spread and #FREE Tests

Trying a New Pup Out #SPCA #Dog

AudibleNotes: Culturally Responsive Teaching for Multilingual Learners