Towards Zero-Touch iOS Deployment

One of my goals for the next deployment is to, well, do it faster. The holy grail of iOS deployment is to “never touch the glass”. That is, to engineer a system where the most you ever do to a device is put it in a case and plug it into a cable.

Is this realistic? Not entirely but, with Device Enrolment, I think we’re very close.

Whether you can actually get there depends on what kind of state you want to deliver the devices to users in. There are three levels of ‘preparation’ that you can apply to a device:

  • Unconfigured: this is the ‘shrinkwrap option’. The device hasn’t been touched since it was delivered. There is nothing on the device.
  • Partially Configured: the device is enrolled in MDM and configuration profiles have been installed but no apps are installed.
  • Fully Configured: the device is enrolled, configured and apps are installed.

The “Unconfigured” option is ideal for businesses, universities and maybe even high schools. Basically, any situation where the users are grown-up enough to work through the setup assistant, log in with an Apple ID and let the setup complete.

The Partially Configured option is a good idea for middle school or any other situation where you want to ensure that the user will not be able to use the device without certain security settings already in place.

The Fully Configured option is best for younger users or situations where the available bandwidth to install apps isn’t up to the task of many users installing lots of apps at the same time.

How can we deliver each of these scenarios with ‘zero-touch’? Let’s take a look.

Bootstrapping the Device Enrolment Program

The Device Enrolment Program lets you connect your Apple devices directly into your MDM server at setup. As soon as your device contacts Apple’s activation servers, it is redirected to your MDM server to be enrolled.

The question is: you need WiFi to talk to the activation server, so how do you get your devices up on the WiFi network and enrolling without touching them?

It turns out Apple Configurator is your friend here. As part of the Prepare step, you can tell devices to start “Automated Enrolment”. Essentially, this initiates a mass jump-start of your devices into DEP. They are brought up on the WiFi and Configurator starts off the Device Enrolment process.

What happens after that is up to your DEP server. You can set options there to skip various iOS setup assistant screens, for example. At the end of the DEP process, you will have an iPad that is enrolled in your MDM server and has all the Configuration Profiles installed.

What you don’t have is apps installed. For that to happen, you have to complete the setup assistant on the device. In various scenarios, this might require some involvement with the end-user or it might not. Let’s look at some of those scenarios.

Zero-touch Unconfigured Deployment

This one is quite simple: basically don’t do anything! In an Unconfigured deployment you can, in theory, hand out an iPad in a shrink-wrapped box and let the user do the rest.

There are a few caveats to this. Firstly, you can’t guarantee that the device will be on any specific version of iOS. iPads often come out of the box with quite surprisingly old versions of iOS. This isn’t usually a problem except when you depend on certain features being available. In school situations, right now, you’ll want to make sure devices are on at least iOS 9.3 to take advantage of education-specific features.

If devices are in DEP, you can now force an iOS update from your MDM server, which may mitigate this problem if you don’t absolutely depend on a certain iOS version from minute 1.

Zero-touch Partially Configured Deployment

In some deployment situations, you need the actual end user to do some setup on the device. This is usually because you need the user to authenticate to some directory service. The two most common scenarios in iOS deployment are:

  • Logging into an Active Directory account as part of MDM enrolment
  • Logging into an Apple ID as part of iOS setup

The latter case is the most common example. That said, in this current world where you can assign apps to devices rather than users, it isn’t necessarily the case that every iOS device has to have an Apple ID.

If you do need an Apple ID on the device, Partially Configured Deployment may be your best bet.

In a Partially Configured scenario, you can deliver the device to the end users such that:

  • The device is enrolled in MDM
  • The device has Configuration Profiles installed
  • The iOS Setup Assistant has not been completed
  • No apps have been installed

In this scenario, you are using the MDM server’s pre-stage features to design a setup experience for the user that can be much simpler than the standard out-of-the-box iOS setup experience.

In pre-stage, you can configure the Setup Assistant to skip several panes of settings, such as Siri, Apple Pay, Zoom and Terms and Conditions.

You can also skip the Apple ID login pane and the Restore from Backup pane, although you probably don’t want to do this. In this scenario, you need the user to enter Apple ID credentials.

If you are using Managed Apple ID, users are assigned a temporary password. This is where the user enters that password and creates their own permanent password.

The benefit of a partially-configured model is that you can ensure that your security restrictions are in place before the user sees the home screen. The main downside is that, once the users have completed the setup assistant, they have to wait for apps to be installed.

My current model is to push a very small number of apps to each device automatically when they complete enrolment. The risk here is that the network takes a huge hit on the first day of school when everyone completes the enrolment at the same time and those apps all begin to push.

Two techniques can mitigate this problem: firstly, use Caching Server in Mac OS X Server. This will save your external bandwidth but may still kill your internal WiFi for a while.

The second technique is to stagger the roll-out of apps. I’m deliberately keeping my auto-install list very minimal: iTunes U, Pages, Keynote, Google Drive. Just enough to get up and running on day one. The rest of the apps will all be made available for optional installation through Casper Suite’s Self Service app. This way, the pupils can install the apps they need when they need them.

A slight downside to this approach is that, when a student (or class) finds they need a huge app like iMovie or GarageBand, the wait can be quite long. What I might do is add those two apps into the Auto-install list at some point after opening day.

Zero-touch Fully Configured Deployment

In any scenario where the end user doesn’t have a lot of ability to configure the device, a Fully Configured deployment is appropriate. When might this be true? In schools, when you are dealing with younger users or users with additional learning needs. In other scenarios, when the user doesn’t really “own” the device but just uses specific apps – think public iOS kiosks, loaner devices at museums or other borrowed-use scenarios.

A fully-configured deployment is one where the devices are brought to the ready-to-use state by the sysadmin without the end user’s involvement at all.

This scenario is fairly easy to implement. In most of these situations, the user does not need to have an Apple ID on the device and apps can be pushed directly to the device by MDM.

The sysadmin can use Apple Configurator to start the Device Enrolment Program running and then all that is required on each device is to complete whatever steps in the Setup Assistant are required for the scenario.

The one pane I still recommend everyone leave enabled is Location Services. The reason for this is that iOS uses location services to set its current time zone. If you block Location Services, the default time zone is US/Pacific and you will end up with wrong clocks on your devices.
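The pane choices described for pre-stage (keep the Apple ID pane on a partially configured device, keep Location Services everywhere) can be checked mechanically before a pre-stage goes live. The following is an added example, not code from the original post or from Casper Suite: it lints a DEP profile dictionary using Apple's DEP profile key names (`skip_setup_items`, `is_mandatory`, `is_mdm_removable`). The rule set, the model names `partial` and `full`, and the sample profiles are assumptions constructed for illustration.

```python
# Added example: lint a DEP enrolment profile against the deployment models above.
# Key names follow Apple's DEP profile JSON; the rules are this example's reading
# of the article, and the sample profiles are constructed.

KNOWN_PANES = {"AppleID", "Location", "Payment", "Restore", "Siri", "TOS", "Zoom"}

# Panes that must stay visible in Setup Assistant for each deployment model.
MUST_SHOW = {
    "partial": {"AppleID": "the user has to sign in with an Apple ID",
                "Location": "without it the time zone defaults to US/Pacific"},
    "full": {"Location": "without it the time zone defaults to US/Pacific"},
}

def lint_profile(profile, model):
    """Return findings for one profile; an empty list means it fits the model."""
    findings = []
    skipped = set(profile.get("skip_setup_items", []))
    for pane in sorted(skipped - KNOWN_PANES):
        findings.append(f"unknown pane name '{pane}'")
    for pane, reason in sorted(MUST_SHOW[model].items()):
        if pane in skipped:
            findings.append(f"{pane} pane is skipped: {reason}")
    # Assumption: restrictions only hold "before the home screen" if the user
    # can neither decline enrolment nor remove the MDM profile afterwards.
    if not profile.get("is_mandatory", False):
        findings.append("is_mandatory is false: user can skip MDM enrolment")
    if profile.get("is_mdm_removable", True):
        findings.append("is_mdm_removable is true: user can remove the MDM profile")
    return findings

# Constructed sample profiles (not taken from any real MDM server).
PARTIAL_OK = {
    "profile_name": "Pupils - partially configured",
    "is_supervised": True, "is_mandatory": True, "is_mdm_removable": False,
    "skip_setup_items": ["Siri", "Payment", "Zoom", "TOS"],
}
FULL_BAD = {
    "profile_name": "Youngest pupils - fully configured",
    "is_supervised": True, "is_mandatory": True, "is_mdm_removable": True,
    "skip_setup_items": ["AppleID", "Restore", "Siri", "Payment", "Zoom",
                         "TOS", "Location"],
}

if __name__ == "__main__":
    for name, prof, model in [("PARTIAL_OK", PARTIAL_OK, "partial"),
                              ("FULL_BAD", FULL_BAD, "full")]:
        print(name, lint_profile(prof, model) or "ok")
```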

As with other scenarios, you can’t actually get to truly zero-touch as you have to complete the setup assistant. However, you can get the rest done – apps and configuration profiles – over-the-air.


Are we at zero-touch deployment yet for iOS devices? Sort of.

We can do a zero-touch deployment if:

  • End users are able to complete a simplified setup assistant by themselves
  • Our network can handle the automatic app installations that happen when the devices complete setup
  • We don’t need to ensure a specific version of iOS on the devices

Here’s what I’m going to do for my deployment:

  • For the youngest users, who don’t need an Apple ID, I will deliver a fully-configured device.
  • For all other users, I’ll be delivering a partially-configured device

One of the main reasons for doing partial-configuration instead of zero-configuration is that, right now, we need to make sure that everyone is on at least iOS 9.3. I don’t know what OS our devices will come with, but we quite depend on some of those features right now. In years to come, this won’t be such a concern.

The second reason I want to do partially-configured deployment is that I want to assign specific devices to specific users before handing them out. That way, I can set up asset tagging and so on before the users get their devices. In an Unconfigured deployment, you have to have some way of connecting a user with the device they have enrolled. Typically, you would do this by making the user log into their Active Directory account before they enrol in MDM. We don’t have AD, so we have to do this step by hand.

We aren’t quite at literal zero-touch deployment yet for all scenarios but we’re very, very close.