How to manage 20+ iPhones without hating your life
Working at a farm that is pushing the boundaries of technology, we decided to get most of our employees iPhones. This ended up being a box of 27 iPhones and a decision on how best to manage all of them. We were originally going to set up 27 iCloud accounts, but that seemed like a daunting task on its own because most of the employees getting the phones don’t have company emails. I was really against that option because I knew I would be the one resetting the password when someone lost it and tried to reset it. The other problem was that we wouldn’t be able to control what the phones could be used for. We obviously wouldn’t want workers out watching movies on Netflix while at work. There had to be a better solution!
Welcome to the world of the Device Enrollment Program (DEP) and Mobile Device Management (MDM) servers. To get started, all it takes is an Apple computer (Mac Minis work well) and Apple’s $20 Server app from the Mac App Store. This server program handles everything from iPhone management to file serving and a contacts server.
The setup is much easier than any Linux server setup. There is even a wizard to walk you through the entire setup process to get the basic functionality configured. I had a few issues during setup, and although Apple has a fairly complete set of documentation, the actual process is hard to follow from Apple’s documentation alone. Thankfully Todd Olthoff has incredible step-by-step guides on the functionality of Apple’s Server app. His latest playlist has most of the functionality covered, but if something is missing, his previous playlists most likely have the solution.
Once the server is set up and running, you need to connect an administrative Apple account that is set up for the Device Enrollment Program (DEP) and the Volume Purchase Program (VPP). This allows you to assign devices you have purchased to your server.
This is the part where I got really confused and needed Apple to explain their system to me. I was trying to use Apple Configurator to assign devices to the server, but I had missed the fundamental function of DEP. When you set up your server, you need a Fully Qualified Domain Name (FQDN), which allows you to access administrative functions as well as communicate with the devices in the program. Once a device is enrolled in DEP, it is assigned to your server using that domain name. When a device is reset or on first boot, it checks its server assignment, and when it is in DEP, it gets handed off from Apple’s servers to your server. For whatever reason, this is when it clicked that you don’t even need Configurator: all you need to do is assign the device in DEP to your server and then reset the device. This will pull the profile from your server and the device will be enrolled properly.
From here on out, all you need to do is set up the parameters for the phones.
To start assigning cell phones to users, you first need to create users. This can be done using the Users section of the Server app on the server. Once you have all the users set up in the server, they should show up in Profile Manager as shown above. Once you have the devices and users imported, a user can be assigned to a device by using the Devices tab under the user.
This assignment will change the name of the device from its serial number to the user it is assigned to. Once your devices are assigned properly, profiles can be set up to associate certain properties with certain user groups.
I found that the best way to do this profile management is to have a group for each property of the profile that I am trying to deploy. This allows for flexibility later down the road when you need to remove certain restrictions or treat a certain subgroup differently.
Because groups can be nested, I have a general group called Distributed devices, and each aspect of the final profile is its own group. That way I can make a separate group with only some of the features of the profile and assign it to a specific group of users.
Some profiles are responsible for apps and some are responsible for restrictions. The screenshot above shows the restrictions payload of a profile I have set up. This profile is set to remove apps that are not work related, such as Apple Music, Radio, iBooks and the App Store, along with a few other restrictions. By having this as its own group, I can assign it only to the people who need those restrictions.
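As an added example (not the author's profile or Apple's code), here is what that restrictions payload looks like as a plain .mobileconfig plist, built with Python's plistlib, plus a small audit function that checks an exported profile still turns the intended stores and services off before it is assigned to a group. The key names come from Apple's Configuration Profile Reference; the organisation identifier and display names are made up.

```python
import plistlib
import uuid

# Constructed restriction set matching the post: hide the App Store, iBooks,
# Apple Music and Radio. Key names are Apple's; several of them are honoured
# only on supervised devices, which DEP-enrolled phones are.
WORK_RESTRICTIONS = {
    "allowAppInstallation": False,  # removes the App Store
    "allowBookstore": False,        # removes the iBooks Store (supervised)
    "allowMusicService": False,     # disables Apple Music (supervised)
    "allowRadioService": False,     # disables Radio (supervised)
    "allowiTunes": False,           # removes the iTunes Store
}

def build_restrictions_profile(org_id="com.example.farm"):
    """Return an XML .mobileconfig with a single restrictions payload."""
    payload = {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadIdentifier": f"{org_id}.restrictions",  # hypothetical id
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Work-only restrictions",
    }
    payload.update(WORK_RESTRICTIONS)
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": f"{org_id}.workphones",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Distributed devices - restrictions",
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)

def missing_restrictions(profile_xml, required=WORK_RESTRICTIONS):
    """List required restriction keys that are absent or left at True.
    Run this over an exported profile before assigning it to a group."""
    profile = plistlib.loads(profile_xml)
    effective = {}
    for p in profile.get("PayloadContent", []):
        if p.get("PayloadType") == "com.apple.applicationaccess":
            effective.update({k: v for k, v in p.items() if k.startswith("allow")})
    return sorted(k for k in required if effective.get(k, True) is not False)

if __name__ == "__main__":
    xml = build_restrictions_profile()
    print(xml.decode())
    print("missing:", missing_restrictions(xml))  # prints "missing: []"
```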
This flexibility allows groups to be assigned with ease while maintaining control of the devices. Also, by using the full DEP and MDM setup, even if a user resets a device it is still assigned to, and controlled by, the server it was enrolled with.