Over the last week I did my first Apple School Manager (ASM) and Shared iPad deployment.
While the end result was everything working as expected, this newish system has some shortfalls.
Apple School Manager is designed for deployment within the USA
Most of the terminology is for a US audience: we don’t call primary schools K-12, and 30% of the Roles/Job titles don’t apply to the rest of the world. It would be nice to see Apple localise this product.
Apple School Manager is made up of a hierarchy of institutions. My guess is this hierarchy only exists for the US market: a school district would be the top entity with each school being a sub-institution. This is great for the US but terrible UX design for the rest of the world, which doesn’t need (and shouldn’t need) this feature.
When setting up ASM, Apple makes this top institution for you based on the information collected during the signup process. This is all correct and seamless apart from one missing detail: LocationID. When you upload individuals via SFTP (wtf), an individual needs to be assigned to an institution via a LocationID. The default institution does not have a LocationID and this cannot be edited.
This little oversight results in schools having to make a sub-institution of themselves to get a LocationID to upload Managed AppleIDs. Not a huge problem, just unnecessary confusion out of the gate which could be easily fixed.
“At this time we are not able to change your institution details within Apple School Manager” – Apple Enterprise Support
Issues migrating from deploy.apple.com or older VPP accounts
“If you enrolled in Apple Deployment Programs on or after February 26, 2014, your institution may be able to upgrade from Apple Deployment Programs to Apple School Manager.” – Apple School Manager support website
Apple VPP launched in 2010. Any schools with older VPP accounts from before February 2014 will not be able to upgrade to ASM. This means having to apply and be vetted by Apple all over again.
This wouldn’t be a problem, but once you have ASM running you will not be able to merge your older VPP account into your new Apple School Manager institution.
“At this time, there isn’t a way to consolidate those older VPP accounts into the ASM program after the ASM upgrade is finalized.” – Apple Enterprise Support
The web portal
Overall the portal is nice, but it tries to cram everything into a single pane of glass. This becomes more obvious when you are using it day in, day out. Things like editing individual and class data in a squashed space get a little annoying.
User and Classes management (Cloud Directory): syncing/lack of syncing, why are we using SFTP and .csv uploads, no delete (come on, people make mistakes) and a bunch of other annoying stuff.
This is my biggest complaint about Apple School Manager and its “core purpose”, managing AppleIDs.
Right now ASM offers three methods of loading Managed AppleIDs, two of which are tools to automate the process (SFTP and a direct connection to your school’s SIS; from my knowledge the latter only works in the US).
These two options suck, but thanks to some MDMs SFTP doesn’t suck as much. ZuluDesk (Jamf School) for example has a built-in SFTP uploader. This is useful because it’s a lot easier to import student, staff and class data into an MDM and use SFTP to get it into ASM. Sync the data back down to the MDM, validate, make changes and repeat. It’s not ideal but it works…
ASM does not offer bidirectional sync to and from an MDM; it will only sync changes down from Apple’s cloud. Hopefully the MDM API will be updated to offer bidirectional sync so we don’t have to use SFTP.
Below are a few MDMs that support ASM and should have SFTP upload.
Another problem is password and passcode management. Right now, once a Managed AppleID is created it will be assigned a temporary password/passcode that the individual will have to change at first login. This is very annoying for any institution with a “single log-on” policy in place (both Google and Microsoft have tools to combat this). Also, not being able to lock password changes doesn’t help.
Once a Managed AppleID is made it also can’t be deleted, it can only be made inactive, so try not to make mistakes!
Manually making a Managed AppleID in the web portal will not line up with an FTP import with the same values, which is also frustrating. Apple needs to implement a Source Anchor ID so you don’t get double-ups of Managed AppleIDs that can’t be deleted.
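Because a missing LocationID and a duplicated Managed AppleID are both mistakes you can’t undo after the upload, it pays to check the SFTP CSV before it leaves your network. The following pre-upload check is an added example, not part of the original post or any MDM’s uploader; the column names, the LOC-CHANGEME location value and the student rows are all constructed assumptions (check Apple’s SFTP documentation for the real layout):

```python
import csv
import io

# Constructed sample of a students CSV as it would be uploaded to ASM over SFTP.
# Column names are an assumption modelled on the LocationID requirement described
# above; LOC-CHANGEME stands in for a real LocationID from the ASM portal.
SAMPLE_STUDENTS_CSV = """person_id,first_name,last_name,email_address,sis_username,location_id
S1001,Aroha,Ngata,aroha.ngata@example.school.nz,aroha.ngata,LOC-CHANGEME
S1002,Ben,Kerr,ben.kerr@example.school.nz,ben.kerr,
S1003,Ben,Kerr,Ben.Kerr@example.school.nz,bkerr,LOC-CHANGEME
S1001,Aroha,Ngata,aroha.ngata@example.school.nz,aroha.ngata,LOC-CHANGEME
"""


def validate_students(csv_text):
    """Return a list of (row_number, problem) for an ASM students CSV.

    Flags the two mistakes the post says cannot be undone once uploaded:
    a person with no location_id (ASM cannot place them in an institution)
    and rows that would mint duplicate Managed AppleIDs (which can only be
    deactivated, never deleted).
    """
    problems = []
    seen_ids = {}     # person_id -> first row it appeared on
    seen_emails = {}  # normalised email -> (person_id, row)
    reader = csv.DictReader(io.StringIO(csv_text))
    for n, row in enumerate(reader, start=2):  # row 1 is the header
        pid = row["person_id"].strip()
        # Compare emails case-insensitively so near-duplicates are caught too.
        email = row["email_address"].strip().lower()
        if not row["location_id"].strip():
            problems.append((n, f"{pid}: missing location_id"))
        if pid in seen_ids:
            problems.append((n, f"{pid}: duplicate person_id (first seen row {seen_ids[pid]})"))
        else:
            seen_ids[pid] = n
        if email in seen_emails and seen_emails[email][0] != pid:
            problems.append((n, f"{pid}: email {email} already used by {seen_emails[email][0]}"))
        else:
            seen_emails.setdefault(email, (pid, n))
    return problems


if __name__ == "__main__":
    for row_number, problem in validate_students(SAMPLE_STUDENTS_CSV):
        print(f"row {row_number}: {problem}")
```

Run it against every students and staff file before the SFTP push; a clean run is the only cheap point at which a wrong row can still be fixed.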
What needs to change?
In New Zealand you are either using Microsoft Active Directory on-site or have a pure cloud directory, most likely Google G Suite.
Schools using Microsoft Active Directory (Windows servers) already have some system in place to get student and staff data from their SIS into Active Directory (AD). Apple needs to follow the crowd (Google and Microsoft) and offer a tool to sync data from AD. This needs to be bidirectional so changes made in Apple’s Cloud Directory sync down to AD and changes made in AD sync up to the cloud.
If a school isn’t using an on-site directory it will be using a cloud directory like Google G Suite or Office 365 for Education/Azure Active Directory. Again, Apple could leverage both companies’ APIs and offer bidirectional sync so a user’s log-on information is the same across all their cloud directories.
The biggest problem right now is that an institution can’t claim a domain within Apple’s Cloud Directory like Google and Microsoft offer. This would result in an institution taking over all AppleIDs made with the school’s domain (@example.school.nz), even if it’s a “personal AppleID” someone may have made with their school email address.
Apple needs this feature for a few reasons:
- It would stop the huge mess of staff and students having multiple AppleIDs.
- Management having multiple AppleIDs to manage different cloud services.
- If someone’s made a “personal” AppleID with their school email it’s still easy for the institution to gain access to it, so why limit functionality?
- It’s better for security!
- It would make your Apple identity easy, and it’s all about cloud identity now.
- AppleIDs won’t be the bane of a staff member’s life, constantly changing passwords to regain access.
When a Managed AppleID/individual is made within ASM it has to be assigned a Role. Right now these Roles are pre-set by Apple.
Feedback from schools holding off moving to ASM is that Student accounts are not able to get free apps from the App Store.
The only option available for content is for staff roles or higher to buy VPP content to be distributed.
ASM needs to forgo the pre-set roles and let institutions make and manage their own. Not everyone fits within a “user persona” and these imposed limitations will stop schools using Managed AppleIDs.
DEP still doesn’t work if you don’t buy directly from Apple.
This isn’t really related to ASM but is a factor in the bigger picture: zero-touch configuration is great and DEP is the magic that makes this happen. Here in New Zealand we don’t have any Apple Stores and rely on resellers to purchase devices in bulk. Now that DEP is established it is reasonably easy to get devices into it.
But any devices bought before 2015 are a write off!
A lot of resellers would source stock from within their chain of stores, making it impossible to track the information needed to get these devices into DEP. We also find an unwillingness to go back and get devices that are 2-5 years old into DEP, as it involves a bit of work.
Also, a lot of schools have parallel-imported devices from Australia, making it impossible to work with resellers in another country to achieve this.
And on top of this we still have resellers that don’t want anything to do with DEP.
Apple Education support: https://support.apple.com/education
ASM help portal: http://help.apple.com/schoolmanager/
Managed AppleIDs info: https://support.apple.com/en-us/HT205918
Apple School Manager SFTP info: https://support.apple.com/en-us/HT207029
Apple School Manager SIS info: https://support.apple.com/en-us/HT207409