Managed Apple IDs a no go again
I hoped to use Managed Apple IDs (MAID) when setting up 1:1 student iPads this summer as Apple School Manager is now out of preview and MAID is now the only official way for a school to create Apple IDs for students under 13. Unfortunately, MAID is still not a good solution for my school for the two reasons explained at length below. Any suggestions are welcome, including pointing out that I’m wrong about something I state below. I’d love to be corrected and provided a better solution!

1) The obvious one known to many is that a MAID cannot be used for Find My iPad. A rep at Apple Enterprise support said earlier this week that it would actually work now, but he was wrong. Apple's documentation still says it doesn't work, and I tested it. When you try to log in to the Find iPhone app with a MAID it says the account doesn’t allow using Find My iPhone. If you login into with a MAID, the Find iPhone option just doesn’t show up on the Launchpad/menu.

We use JAMF Pro (formerly the JAMF Casper Suite) as our Mobile Device Management (MDM) solution. I was happy to see earlier this year that Apple provided MDM vendors the ability to activate Lost Mode and trigger the ping sound useful for finding a misplaced iPad. My colleagues and I weren’t thrilled with the idea that a student would have to go to IT to trigger even just the ping sound (as students frequently do this on their own to find misplaced devices), but we resigned ourselves to that being ok. Unfortunately, we discovered through testing that the only way to trigger a ping for an iPad using a MAID is via activating MDM Lost Mode. More unfortunately, the only way to disable Lost Mode when the iPad is found is through the MDM. That means the iPad needs to have a working Internet connection after it is found in order to send the MDM command to disable Lost Mode. That’s fine if all this happens quickly. However, sometimes an iPad gets turned off (or runs out of battery) before it is found or returned back to IT staff. Once that happens, you have a brick because an iPad will not connect back to a wireless network after a power off until it is unlocked. (Our speculation is that this is because the wireless connection settings are stored as part of the encrypted keychain.) When using MDM Lost Mode, you can’t unlock it without an Internet connection. Therefore, the only choice we can figure you have left is to reset the iPad to factory defaults (losing all data if there is not a recent backup). It would be great if every student always had a recent iCloud backup, but the reality is that doesn’t happen. In fact, the frequency of people not having recent backups is increasing as iCloud is storing more, and Apple still only provides 5 GB of free space. With MAID, I haven’t even seen a way to up that 5 GB of space even if someone wanted to pay for it.

By the way, a colleague contacted both Apple and JAMF support about the issue of needing the MDM to unlock Lost Mode when using MAID. They both agreed it is a Catch-22, and there is no current solution. (Not helpful.)

2) While the risk of bricking a lost iPad and losing data isn’t great, the other issue preventing the use of Managed Apple IDs is that I can find no way to redeem a content coupon code on an iPad using a MAID. We need that for students to get some iBooks that we ask them to purchase for classes. Our students purchase paper and electronic textbooks from an online bookstore partner and the iBooks are provided via a link that uses a coupon code. This works fine with a regular Apple ID (or the Apple IDs created using Apple’s Apple ID for Students service discontinued last summer). However, when I tried to redeem a content coupon VPP code on an iPad with a MAID, I was prompted for the password for the MAID, entered it, and iTunes loaded then went to its start screen without actually purchasing the book. While it wouldn’t really help us, I tried distributing a book VPP code via JAMF MDM and that didn’t work either.

While I can distribute apps via MDM using device-based licensing, which works great, I still need students to have an Apple ID on the device for iCloud. Having 60+ students try to create Apple IDs on their own when we deploy iPads to all of our sixth-graders isn’t very practical. We’ve successfully deployed iPads to our entire MS for the past four years with few problems because we made sure the Apple IDs were ready in advance, and we actually logged them in on the iPads before distribution. (I might consider skipping the login before deployment, but the AIDs need to already exist to not turn deployment into a disaster.)

So, that means the only option I feel like we have left is to manually create Apple IDs for all of our students getting iPads this year. Luckily, I was able to fix an old script last year that would do that in bulk via some AppleScript magic. (Unfortunately, the script repeatedly breaks as Apple changes the iTunes store and Mac app.) With MAIDs being more mature this year, I didn’t expect to ever have to look at that script again. It seems I was wrong so I’m off to

