Apple enterprise and iOS: how would you want it to work?

[Rydra]

I got asked a bit recently about some info on ipads and managing them and it got me thinking, how would/could/should they work in an environment such as ours?

My biggest bugbear, is annoying and seemingly pointless restrictions.
-5 computers per account
-5 accounts per device
-10 devices per account

This is such a useless restriction in our environment. Even if you follow 'Apples advice' and use multiple accounts for different device banks, these numbers are so abritrary. The average home user might not have more than 5 computers/devices or whatever, but we do! I have approximately 20 teachers with staff ipads, all wanting the same apps, and all want to be able to sync their work. So to use the devices I need 2 accounts, and I need to gift each app to myself 9/10 times. Great, except now I've got the restriction on computers, therefore I need to find shared-computers for them to sync to. This means they can't be used individually, since your now sharing your account and your syncs with 9 of your peers. So you need another account per device to handle the 'teachers' individual work which they can sync to their own computer.
Now you have 40 more ipads used by the students in loan sets. So that's 4 more accounts you need, each of which need a machine to sync to. But the teachers need access to these accounts so they can get at the work themselves, so now you've passed the account-per-device restriction.

The limiting factor here, is the 'personal computer'. Each device NEEDS one, and doesn't really work without it. So I'm hearing some chirping in the background about 'iCloud'..... Great! cloud based syncing, apps, mails, calendars, files! But ah, do you setup one per student? if so, expect a bill worth millions by the time you buy each app 500 times ( I recently passed 250 apps in the store, at least 40 of them are paid for, meaning I would be looking at £20,000 if each of the 40 apps only cost £1, which they did not!)
Not going to happen, so you setup your 6 school accounts to work with iCloud.. Problem solved! Except ah, now class 1 used set 1 last week which had account 1, and now they are using set 2 which is based on account 2.... So they need to login to iCloud account 1. This then REMOVES all the apps on the device, and ADDS the account 1 apps, files etc. (If anyone wants to correct me on this feel free, I've not tried iCloud as I don't own any personal Apple devices, but i've been told by people who have that it does this)
You've got 8gb of apps and files on your ipads, there's 10 devices, and you've got a 10mb internet connection. Assuming you're using 100% of the connection, you're going at 1.25mb per second, which if I'm right, will take 18 hours to download.... You've got 45 minutes of a lesson.

So say goodbye to iCloud here, it's not going to work.

Ok, so enough ranting.

What do I want it to do?

I want firstly a single-account volume licensing model, with no arbitrary limits on devices per account, be that computers or iOS devices.
I want iCloud to be able to pull down 'new' things and allow syncing, but don't touch what I've got on the device already you little bugger. What I'd like even more, is for them to work 'like computers do' and allow the ability to control the apps seperate to the login accounts, ideally with domain login ability.
I want a server based app-repository, which I can dynamically push out, recall and deploy apps from and to. Therefore, if an app is purchased on a device, it is then syncing to the server, and can if allowed be then pushed out via the server to all devices.
I want to tailor access to the App store on the Apple ID's, one for getting what is already purchased on the account, and another for 'adding new apps'.

What do you want, what would make this apple gear friendly enough to bring it into your environment and not cause you headaches from restrictions?

[Abaddon]

To be honest, at a bare minimum I'd settle for the volume licensing arrangement they have in the states. Yes, managing the iPads would still be a pain, but at least it would be easy to stay within licensing agreements.

Not sure about the 10 device per account limit - I have significantly more than that on the main school iTunes acccount here.

Everything you say seems reasonable though - if Apple really want this to work in UK schools, somthing has to be done about the mess that it currently is.

[Michael]

Windows Pro editions are designed for multi-user use, however Apple is definitely aimed more at personalised use - one device per user, but realistically this is too expensive for most businesses and schools.

In my opinion if you want to go Apple, you may as well do it throughout (including a Mac server). Getting Apple to talk to Windows isn't straight forward. WebDav opens options, but it isn't necessarily secure.

As you've also pointed out syncing iPads, updating apps and updating iOS is problematic when you have 30+ iPads. It's a full time job in itself. Without something third party, there doesn't appear to be a method by default of dynamically updating iPads. This may be possible with a Mac server though.

[Rydra]

To be honest, at a bare minimum I'd settle for the volume licensing arrangement they have in the states. Yes, managing the iPads would still be a pain, but at least it would be easy to stay within licensing agreements.

Not sure about the 10 device per account limit - I have significantly more than that on the main school iTunes acccount here.

Everything you say seems reasonable though - if Apple really want this to work in UK schools, somthing has to be done about the mess that it currently is.

Apple's T&C's and several of their services have a 10 device restriction. But so far it's not 'enforced' for the store, not sure if iCloud restricts/enforces this, but it states in their unreadable-small-grey-text-at-the-bottom-your-supposed-to-miss that some iCloud services are restricted to 10 devices.

Frankly I dont care much about their licensing agreements, they aren't there for me or to make my life better, they are for them to milk us for more money. The volume licensing I want is to make it so I dont have to mess about to get Apps onto multiple devices, and dont have a paperwork nightmare declaring the costs of it.

Windows Pro editions are designed for multi-user use, however Apple is definitely aimed more at personalised use - one device per user, but realistically this is too expensive for most businesses and schools.

In my opinion if you want to go Apple, you may as well do it throughout (including a Mac server). Getting Apple to talk to Windows isn't straight forward. WebDav opens options, but it isn't necessarily secure.

As you've also pointed out syncing iPads, updating apps and updating iOS is problematic when you have 30+ iPads. It's a full time job in itself. Without something third party, there doesn't appear to be a method by default of dynamically updating iPads. This may be possible with a Mac server though.

There's other threads about it, I've got a lion OS server here specifically for the ipads and macs, but if I'm honest it's not really doing what I want, and the way I'm doing it is not the way Apple want me to.

[glennda]

They need to sort out something for VL but found this tool last week for managing - Free and cloud based

Meraki Systems Manager

[ste1988]

They need to sort out something for VL but found this tool last week for managing - Free and cloud based

Meraki Systems Manager

That tool is worth a bit of time looking at, adding apps etc is so easy, i cant wait to roll it out on a few ipads to see how it goes.

Not sure you can lock them down as much as you can with profile manager but i might of just been missing something

[glennda]

That tool is worth a bit of time looking at, adding apps etc is so easy, i cant wait to roll it out on a few ipads to see how it goes.

Not sure you can lock them down as much as you can with profile manager but i might of just been missing something

You can lock them down from the web interface - but although i don't like apple as they control what goes into the store they remove most of the threat to the devices. You can use it on windows machines as well. We where playing in the office the other day running commands on each others pc's from the meraki system manager!

[Rydra]

Apple will either sue them for allowing people to use their product effectively in some patented way, or buy them out and break it knowing they way they've worked in the past

[glennda]

Apple will either sue them for allowing people to use their product effectively in some patented way, or buy them out and break it knowing they way they've worked in the past

Meraki themselves are actually a wireless vendor who are unique in the fact the controller is based in the cloud and you pay a yearly fee for it rather then have a hardware controller - this is why we found the free software. they also have a pretty good wifi analyzer which is also free on Android and also Windows. I should have a couple of NFR access points arriving at work in the next day or so (we have signed a partnership with them to resell in the uk).

The company started as a Uni project at MIT

[Sean-OC04]

Apple will either sue them for allowing people to use their product effectively in some patented way, or buy them out and break it knowing they way they've worked in the past

So you can expect them to do this with all the hundreds of other enterprise based MDM Solutions that support iPhone/iPads then......?

[Rydra]

So you can expect them to do this with all the hundreds of other enterprise based MDM Solutions that support iPhone/iPads then......?

No don't be silly. They only do it under circumstances

-It's successful
-It's useful
-It's innovative
-It works better than their own versions

For reference, see every tablet based device, every mobile OS, half the desktop OS's, anything with a menu, anything you click/touch/lick/look at in a specific manner, and of course anything beginning with one of the 24 letters* of the alphabet.




*Apple decided it didn't count the letters Z and J, and they've released these "NEW AND IMPROVED NEVER USED BEFORE" letters which I cannot type here as it's not apple. Z has been replaced with a complex pattern of swirls and pronounced "Uck" and the other has been replaced by something unpronounceable with a human tongue, but is a little like "NGHUER" then relieving yourself in someone elses underwear. The letter itself is a bulbous upside down 'T' with a pineapple on top.

[User3204]

I'd want to have a locally based 'iCloud' server, so that the Ipads and stuff would sync from this server rather than using using the internet, in the same way as we have WSUS \ WDS \ SCCM servers for the Microsoft.

One server locally, could also have the license server included, so that Apple would be able to keep rack of what software we're using (not sure I like this idea, but it's a way to control it).

Ideally there'd be a way in the settings in there to sync all the data onto a different server (IE the current data store you have for user files).



Assuming we're not able to get one device per user, then there should also be a way to uniquely identify a specific Ipad, and then this would lead onto a way of scheduling apps for certain times: Period 1 -> Maths -> Show all the Maths Apps; Period 2 -> French -> Show all the French apps; Period 3 -> not booked -> block internet access; etc etc. These rules would have to be created by the network admin, and there'd have to be some way to programmatically communicate these changes.


I'm going to go and have a look at the Meraki stuff now, so it may or may not do this.

[Rydra]

I'd want to have a locally based 'iCloud' server, so that the Ipads and stuff would sync from this server rather than using using the internet, in the same way as we have WSUS \ WDS \ SCCM servers for the Microsoft.

One server locally, could also have the license server included, so that Apple would be able to keep rack of what software we're using (not sure I like this idea, but it's a way to control it).

Ideally there'd be a way in the settings in there to sync all the data onto a different server (IE the current data store you have for user files).



Assuming we're not able to get one device per user, then there should also be a way to uniquely identify a specific Ipad, and then this would lead onto a way of scheduling apps for certain times: Period 1 -> Maths -> Show all the Maths Apps; Period 2 -> French -> Show all the French apps; Period 3 -> not booked -> block internet access; etc etc. These rules would have to be created by the network admin, and there'd have to be some way to programmatically communicate these changes.


I'm going to go and have a look at the Meraki stuff now, so it may or may not do this.

The internal iCloud I like, not sure about the point of the licensing server though. That can be cloud-based, since licensing is already handled at the Apple end rather than client end, they just track number of times license is used/tied against serial numbers of devices which apple pulls down anyway when you register them etc.

As to the time-controls of apps, that sounds needlessly complicated to me, and I've not heard of a PC based system that allows this level of application control based on times, at least not so dynamically, since windows relies on physical files for it's linking, so to turn that on and off would be a nightmare. It's begging for things to go wrong. Much better to have open access and have users with the concentration above a gnat and someone to manage the class effectively.

[Rydra]

I've tried to signup and try out Meraki stuff today, and the site won't go past registering name/email/company etc.

[HodgeHi]

Most of you have said what I think would be the best way to do this. I think the local iCloud server is the best solution along with a process to push stuff out to devices. While we are at it can we stick a local facetime/messages service on there as well.