Towards Zero-Touch iOS Deployment

One of my goals for the next deployment is to, well, do it faster. The holy grail of iOS deployment is to “never touch the glass”. That is, to engineer a system in which the most you ever do to a device is put it in a case and plug it into a cable.

Is this realistic? Not entirely yet but, with Device Enrolment, I think we’re very close.

Whether you can actually get there depends on what kind of state you want to deliver the devices to users in. There are three levels of ‘preparation’ that you can apply to a device:

  • Unconfigured: this is the ‘shrinkwrap option’. The device hasn’t been touched since it was delivered. There is nothing on the device.
  • Partially Configured: the device is enrolled in MDM and configuration profiles have been installed but no apps are installed.
  • Fully Configured: the device is enrolled, configured and apps are installed.

The “Unconfigured” option is great for businesses, universities and maybe even high schools. Basically, any situation where the users are mature enough to work through the setup assistant, log in with an Apple ID and let the setup complete.

The Partially Configured option is a good idea for middle school or any other situation where you want to make sure that the user will not be able to use the device without certain security settings already in place.

The Fully Configured option is best for younger users or situations where the available bandwidth to install apps isn’t up to the task of many users installing lots of apps at the same time.

How can we deliver each of these scenarios with ‘zero-touch’? Let’s take a look.

Bootstrapping the Device Enrolment Program

The Device Enrolment Program lets you connect your Apple devices directly to your MDM server at setup. As soon as your device contacts Apple’s activation servers, it is redirected to your MDM server to be enrolled.

The question is: you need WiFi to talk to the activation server, so how do you get your devices up on the WiFi network and enrolling without touching them?

It turns out Apple Configurator is your friend here. As part of the Prepare step, you can tell devices to begin “Automated Enrolment”. Essentially, this initiates a mass jump-start of your devices into DEP. They are brought up on the WiFi and Configurator starts off the Device Enrolment process.

What happens after that is up to your DEP server. You can set options there to skip various of the iOS setup assistant screens, for example. At the end of the DEP process, you will have an iPad that is enrolled in your MDM server and has all the Configuration Profiles installed.

What you don’t have is apps installed. For that to happen, you have to complete the setup assistant on the device. In various scenarios, this might require some involvement from the end user or it might not. Let’s look at some of those scenarios.

Zero-touch Unconfigured Deployment

This one is quite easy: basically don’t do anything! In an Unconfigured deployment you can, in theory, hand out an iPad in a shrink-wrapped box and let the user do the rest.

There are a few caveats to this. Firstly, you can’t guarantee that the device will be on any specific version of iOS. iPads often come out of the box with quite surprisingly old versions of iOS. This isn’t usually a problem except when you depend on certain features being available. In school situations, right now, you will want to make sure that devices are on at least iOS 9.3 to take advantage of education-specific features.

If devices are in DEP, you can now force an iOS update from your MDM server, which might mitigate this problem if you don’t absolutely depend on a certain iOS version from minute 1.

Zero-touch Partially Configured Deployment

In some deployment situations, you need the actual end user to do some setup on the device. This is usually because you need the user to authenticate to some directory service. The two most common scenarios in iOS deployment are:

  • Logging into an Active Directory account as part of MDM enrolment
  • Logging into an Apple ID as part of iOS setup

The latter case is the most common example. That said, in this current world where you can assign apps to devices rather than users, it isn’t necessarily the case that every iOS device must have an Apple ID.

If you do need an Apple ID on the device, Partially Configured Deployment may be your best bet.

In a Partially Configured situation, you can deliver the device to the end users such that:

  • The device is enrolled in MDM
  • The device has Configuration Profiles installed
  • The iOS Setup Assistant has not been completed
  • No apps have been installed

In this scenario, you are using the MDM server’s pre-stage features to design a setup experience for the user that can be much simpler than the standard out-of-the-box iOS setup experience.

In pre-stage, you can configure the Setup Assistant to skip several panes of settings, such as Siri, Apple Pay, Zoom and Terms and Conditions.

You can also skip the Apple ID login pane and the Restore from Backup pane, although you probably don’t want to do this. In this scenario, you need the user to enter Apple ID credentials.

If you are using Managed Apple IDs, users are assigned a temporary password. This is where the user enters that password and creates their own permanent password.

The benefit of a partially-configured model is that you can ensure that your security restrictions are in place before the user sees the home screen. The main drawback is that, once the users have completed the setup assistant, they have to wait for apps to be installed.

My current model is to push a very small number of apps to each device automatically when they complete enrolment. The risk here is that the network takes a huge hit on the first day of school when everyone completes the enrolment at the same time and those apps all start to push.

Two techniques can mitigate this problem: firstly, use Caching Server in Mac OS X Server. This will save your external bandwidth but may still kill your internal WiFi for a while.

The second technique is to stagger the roll-out of apps. I am deliberately keeping my auto-install list very minimal: iTunes U, Pages, Keynote, Google Drive. Just enough to get up and running on day one. The rest of the apps will all be made available for optional installation through Casper Suite’s Self Service app. This way, the pupils can install the apps they need when they need them.

A slight drawback to this technique is that, when a student (or class) finds they need a huge app like iMovie or GarageBand, the wait can be quite long. What I might do is add those two apps to the auto-install list some time after opening day.

Zero-touch Fully Configured Deployment

In any scenario where the end user doesn’t have a lot of ability to configure the device, a Fully Configured deployment is appropriate. When might this be true? In schools, when you are dealing with younger users or users with additional learning needs. In other scenarios, when the user won’t really “own” the device but just use specific apps – think public iOS kiosks, loaner devices at museums or other borrowed-use scenarios.

A fully-configured deployment is one where the devices are brought to the ready-to-use state by the sysadmin without the end user’s involvement at all.

This scenario is fairly simple to implement. In most of these situations, the user does not need to have an Apple ID on the device and apps can be pushed directly to the device by MDM.

The sysadmin can use Apple Configurator to start the Device Enrolment Program running and then all that is required on each device is to complete whatever steps in the Setup Assistant are required for the scenario.

The one pane I still recommend everyone leave enabled is Location Services. The reason for this is that iOS uses location services to set its current time zone. If you block Location Services, the default time zone is US/Pacific and you will end up with wrong clocks on your devices.

As with other scenarios, you can’t actually get to truly zero-touch as you have to complete the setup assistant. However, you can get the rest done – apps and configuration profiles – over-the-air.
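The pane-skipping advice for the Partially Configured and Fully Configured scenarios can be checked mechanically before a pre-stage profile is assigned to devices. The following is an added example, not code from the original post or from any MDM product: it builds a DEP enrolment profile body and lints it against the article's caveats. It assumes the key names of Apple's DEP profile format (with "Payment" standing for the Apple Pay pane and "TOS" for Terms and Conditions); the enrolment URL is a placeholder, and the check on is_mandatory and is_mdm_removable is an added assumption about how the "restrictions in place before the home screen" goal is enforced.

```python
import json

# Pane names as they appear in a DEP profile's skip_setup_items array.
SKIPPABLE = {"Siri", "Payment", "Zoom", "TOS", "AppleID", "Restore", "Location"}

def build_profile(name, mdm_url, skip):
    """Build a DEP enrolment profile body; all values are constructed samples."""
    unknown = set(skip) - SKIPPABLE
    if unknown:
        raise ValueError(f"unknown setup pane(s): {sorted(unknown)}")
    return {
        "profile_name": name,
        "url": mdm_url,
        "is_supervised": True,
        "is_mandatory": True,       # user cannot skip MDM enrolment
        "is_mdm_removable": False,  # user cannot remove the MDM profile
        "skip_setup_items": sorted(skip),
    }

def lint(profile, needs_apple_id):
    """Return findings where a profile contradicts the article's advice."""
    skipped = set(profile["skip_setup_items"])
    findings = []
    if "Location" in skipped:
        findings.append("Location skipped: clocks default to US/Pacific")
    if needs_apple_id and "AppleID" in skipped:
        findings.append("AppleID skipped: user never reaches the sign-in pane")
    if not profile["is_mandatory"] or profile["is_mdm_removable"]:
        findings.append("enrolment is optional or removable: restrictions "
                        "are not guaranteed before the home screen")
    return findings

# Constructed sample: partially configured, the user signs in with an Apple ID.
PARTIAL = build_profile("partial", "https://mdm.example.org/enrol",
                        {"Siri", "Payment", "Zoom", "TOS"})
# Constructed sample: fully configured kiosk, no Apple ID, Location wrongly skipped.
KIOSK = build_profile("kiosk", "https://mdm.example.org/enrol",
                      {"Siri", "Payment", "Zoom", "TOS", "AppleID", "Restore",
                       "Location"})

if __name__ == "__main__":
    for profile, needs_id in ((PARTIAL, True), (KIOSK, False)):
        print(json.dumps(profile, indent=2))
        print(lint(profile, needs_id) or "no findings")
```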


Are we at zero-touch deployment yet for iOS devices? Sort of.

We can do a zero-touch deployment if:

  • End users are able to complete a simplified setup assistant by themselves
  • Our network can handle the automatic app installations that happen when the devices complete setup
  • We don’t need to guarantee a specific version of iOS on the devices

Here’s what I will do for my deployment:

  • For the youngest users, who don’t need an Apple ID, I will deliver a fully-configured device.
  • For all other users, I’ll be delivering a partially-configured device

One of the main reasons for doing partial-configuration instead of zero-configuration is that, right now, we need to make sure that everyone is on at least iOS 9.3. I don’t know what OS our devices will come with, but we rather depend on some of those features right now. In years to come, this may not be such a concern.

The second reason I want to do partially-configured deployment is that I want to assign specific devices to specific users before handing them out. That way, I can set up asset tagging and so on before the users get their devices. In an Unconfigured deployment, you have to have a way of connecting a user with the device they have enrolled. Normally, you would do this by making the user log into their Active Directory account before they enrol in MDM. We don’t have AD, so we have to do this step by hand.

We are not entirely at literal zero-touch deployment yet for all scenarios but we are very, very close.