Tips and Tricks for Modern Device Management John DeTroye johnd@filewave.com
Agenda - Deployment model overview - Best practices for each model - Apple's contributions (DEP / VPP / Apple ID) - Q&A
How much work can you do? Imaging Deploying Managing Maintaining
Responsibility and workload Imaging - IT owns the process and is responsible Deployment - IT owns this - most of the time Management - varies based on workflow Maintenance - varies based on workflow
What are the key workflows? Deployment models for Education Shared Use User Owned 1:1 (BYOD) Institution Owned 1:1
Shared Use Labs / Carts / Kiosks Goal - Consistent user experience Responsibilities: All IT, all the time User functionality - limited, focused use model
User owned 1:1 (BYOD) Defined by some as total anarchy User brings personally purchased device to school Responsibilities User is responsible for device, data, maintenance School/IT may provide software / services
Institution Owned 1:1 Designed for maximum flexibility Goal - maximize usability, minimize IT workload Responsibilities: IT sets it up, provides management/maintenance User does everything else; but
What's a 1:1? Define a 1:1 A device that is deployed for the exclusive use of a single user Define exclusive use User has control over the device, and responsibility for the device and all data
Personal Responsibility So, where is your backup? IT could provide infrastructure Users own their data and their backups
What's a 1:1 but? Responsibility shifts back toward shared model Our users aren't ready/capable/smart enough/old enough to manage their own devices. We have policies/procedures/rules/ IT takes over most, if not all, of the user maintenance
The three reasons 1:1 failure points Money Policies Politics
Best Practices
Shared Model - the easy one Goal is to maintain consistency of user experience Try using a Guest account Install only necessary apps Require users provide external storage for documents Optimize use of cloud/network apps and services
What about shared iOS? Simple answer? It wasn't designed for that A heavily supervised/managed iPad is an ereader Can it be done? Try the short term 1:1 loaner instead
User owned 1:1 / BYOD Not the anarchy you worry about - if Focus on network services - speed and security Establish common formats - .pdf, .csv, .rtf, .png Secure only what needs to be secured - VPN helps here Adopt the carrot & stick approach to management
Network services Not just fast networks But yes - make it really, really fast Offer network storage / backup if possible Secure networks with profile based access (see C&S)
Common document formats Focus on sharing information - not specifying apps Examples: All printable docs in .pdf format All graphics in .png format Support work groups using common apps
Don't overdo security Most network traffic does not need to be locked down Keep the VLANs reasonable (student/teacher & admin) Require VPN access to secure information Gradebooks Student information
Carrot & Stick Make it worthwhile to be part of the MDM Provide access to the network behind a profile Provide apps the user can't afford otherwise Make sure they know the AUP is in effect
Carrots
and Sticks
Institution owned 1:1 How much work do YOU want to do? What if the user isn't the local admin? Train the users - don't babysit them Give them responsibility and reinforce it Provide the same services as in a BYOD
The 1:1 but options Stepping back from the edge If you are the local admin What about backup / app updates? Dual local admins User might remove it - use an MDM instead
Services What can you provide / take advantage of? School owned backup solutions Internal Jabber / chat servers Workgroup based network storage (non-cloud)
Apple's Contributions
Device Enrollment Program Wireless enrollment of iOS and OS X devices Check out the iOS and OS X deployment guides / help Expanding beyond direct purchases Allows you to preconfigure devices Is still focused on the 1:1 deployment model
Where is DEP going? Coming this fall for OS X Ability to create a hidden admin account Forces user into non-admin role Be sure you want to do this
Volume Purchase Program Institutional purchases of apps and books Allows students access to expensive apps Maintains control of deployment Provides an incentive for MDM enrollment
What are your limitations? VPP was designed around 1:1 deployments Items are assigned to an AppleID - not a device** School-generated AppleIDs can become problematical (DRM issues) - Apple Configurator vs DEP Licensed management vs redeemable codes
Changes for VPP this fall ** You will be able to assign apps to devices Only for iOS 9(+) and OS X El Capitan Another big step forward to make shared deployments easier. Must own a copy of the app for each device Developers must opt-in
VPP and books It's a one way street App Store books always become property of user You can't get them back Internal ebooks can be assigned / revoked
VPP and OS X A different kettle of fish There is no auto-install User will see assigned apps in their purchased items Revocation may be immediate or 30 days
VPP and DRM Licensing and the joy of Apple IDs How many times has an app install decided to ask for the AppleID password? It's on purpose. It may get worse before it gets better
Faux Enterprise iOS apps You used to be allowed to do this New Ts & Cs from Apple Will probably work - until it doesn't VPP worldwide changed the rules
Apple IDs in education You might notice a trend toward 1:1 from Apple Expectation is each user with a personal AppleID The AppleID for students program Bulk / school based AppleIDs - worth it?
BTW Looking at trends (a Gartner view) Adoption of BYOD is inevitable (3-5 yrs) Users will have 3-4 devices on the network (0-3 yrs) Windows 10 (or WinX?) is going to be huge
Deployment models Choose wisely
You can't solve it all with tech IT sees mobility as a strategic issue End users see it as a tactical issue Use IT feedback forums Usability is more important than application strategies Be a minimalist (Gartner EMM report 2014)
Q&A