What a phenomenal presentation by Chris Nilsson (Lamar CISD in Texas) on iOS implementation. It’s well worth reading the notes; if you’re reading this prior to Thursday at the TCEA2012 conference, attend Chris’ session on the subject. His presentation was the subject of lunch table conversation; it was that informative and relevant to what Districts are doing in schools!
Here are my imperfect notes on his preso:

iOS Headache? Get a Grip on Your Devices
Chris Nilsson – cnilsson@lcisd.org – @chrisnilsson
Director of Instructional Technology/Staff Development at Lamar CISD
  1. Lucky to have a team of people that still work with teachers at the campus. 
  2. Recovering high school Physics teacher…feels privileged to touch the servers from a teacher perspective. Glad there isn’t that disconnect in his district of 27000 students in the Southwest side of Houston. 32 main campuses, opening 5 campuses in the next 4 years. Always in a bond cycle to keep up with growth.
  3. How fast can we deploy these things…and how did we end up with these devices? It’s unfortunate that we’re here to talk about managing iOS devices. The deployment just took off on its own and you’re trying to wrap your hands around it…$2million deployment in Lamar, and we don’t know how to manage them. We treated them (iOS devices) as if they were a recycling bin or something.
  4. INTERACT = staff development program where we invite 4 teachers from every campus and they spend an intense week (8-5pm) on Robert Marzano Strategies, becoming a master teacher with technology. We get the opportunity to do this. At the end, the teacher gets $10K to buy whatever they want for their classroom. Whatever works for you…any kind of technology.
  5. Not a district that wants to prescribe what you use to enhance your teaching. We’ll give you the tools to support you. 
  6. Agenda:
    1. Device management
    2. Content Management
    3. Volume Purchase Program
    4. Lamar CISD’s Hybrid Model
  7. iOS Progress
    1. iOS 2 – First true operating system for these devices. App store, iPhone Configuration Utility.  iPod Touch ships. Lamar is sitting on 3000 iPads and 6000 iPod Touch.
    2. iOS 3 – Multiple iTunes accounts on a device. You can sign out of an account and sign-in with another one. 
    3. iOS 4 – Native mobile device management (MDM), wireless App distribution*. MDM is the ability to touch devices from a remote server. Wireless app distribution comes from Apple, not from customers.
    4. iOS 5 – PC free, iCloud, Push Apps*. This breaks the link from the computer
  8. Device Management – Apple’s Version
    1. Device Settings – You can touch the device settings (e.g. Wifi, Passcode, Web Clips). Tip: put links to training materials in Web Clips so that they can be pushed out to devices.
    2. Restrictions – Web, Youtube, App Store, Camera, FaceTime, iCloud, Content Ratings. You can turn the camera off, turn off stuff. You can set restrictions, but students can set their own restrictions. The app store can be restricted but it stops you from installing apps. If MDM is used, but app store is off, then you can’t load…we just want to remove access to AppStore not turn it off.
    3. User Configuration: Exchange, LDAP, VPN
    4. Security – APN, SCEP, x.509 (Cisco security firewall). This is more for proprietary companies with ultra confidential info.
    5. iOS Configuration Files – Uses XML file. You give it a key, then a string. You can build XML files and employ those settings.  The iPhone Configuration Utility allows you to build XML files visually.
  9. Content Management – Music is Personal. iTunes was designed to keep it that way. It all started with iTunes…the ecosystem of controlling–iTunes as the gateway to protect copyright–colors everything that happens on these iOS devices. We have to work inside the iTunes world.
  10. 3 types of accounts:
    1. Personal – What everyone uses, sync multiple personal devices, can purchase apps, iTunes is built around this. Teachers are encouraged to sign on with iTunes accounts. You can sync multiple personal devices with your iTunes. These are personal devices….the problem is that teachers are loading their personal account–and purchasing $.99 reading app–on classroom devices.
    2. Group – Sync multiple devices; Can’t pay for apps. For a set of iPads (e.g. library). District emails are used, you can’t buy anything for these.
    3. Volume Purchase Program (VPP) – Apple’s answer to enterprises, difficult to manage, full of holes, and all we have. There are more Android OS out there…Android does have a way to pay for multiple copies of an app. Apple is afraid of losing its top app developers.  
      1. Districts can attempt to comply
      2. Tax free
      3. Volume discounts – if you buy 20 or more copies of an app (like Keynote at $10), you can get it for $5
      4. Provides some degree of hierarchy 
      5. Holes
        1. Purchases are still treated as consumables. It doesn’t take long for $.99 app to hit the $10K mark, and the District doesn’t keep ownership of it. At some point, we’ll be held accountable for that. Are you providing them with income? Example: I have a district owned cell phone. I can’t make personal calls because then it’s considered as income. How long can we do the same with consumable apps?
        2. Updates are free – for apps, for iOS. I don’t want to treat something as consumable that I can upgrade for free.
        3. Purchases are NOT linked to an account at the point of sale. This is a huge hole in the VPP program. It takes 5 weeks to get your VPP account. Once you get access, you can get access to quite a bit.
        4. VPP volume portal card – It looks like the app store, key in your 12-digit number. Your master account controls it, and you have to create sub-apps. You put $100 into the Volume Voucher App Store. You select 10 copies of Keynote, provides you with Volume Purchase Codes and are linked to Keynote. They are not linked to the account who bought them, so they can be given to anyone.
      6. Enterprise Management
      7. MDM Platform – a utility that bundles the iPhone configuration utility, auditing, security, VPP management and takes advantage of push notification service. This is $100 per year for the VPP management.
      8. MDM Platform (JAMF Software’s Casper) – 
      9. When an iPad joins an MDM platform, it agrees to be controlled. Once the enrollment is accepted, it can be touched remotely. 
      10. There are 20 major players in MDM. Jamf is about handling full Mac deployments, and this is a recent addition.
      11. (providing a walkthrough of the Casper MDM…features include General, Passcode, Restrictions, Wi-Fi, VPN, email, Exchange ActiveSync, LDAP, CalDAV, CardDAV). These features are in all the different apps.
      12. YouTube can be disallowed in a profile. 
      13. Profile named CIPA browsing–for iPads going home with students–and loads MobiCIPA browser, removing browsers that can go anywhere. When you delete the Profile, everything comes back. (this is impressive in the demo!!)
      14. Smart Mobile Device Groups – dynamically defined. Lets you do search codes based on a variety of items such as General info, mobile device details, location, purchasing, apps, security, network, certificates, config profiles, provisioning profiles…this metadata is stored and Casper can find it. You can scope policy, etc. to select devices. 
      15. You can manage policies from anywhere. You can also make groups within groups but they are all at the root level…no nesting of groups.
      16. VPP – every time an app deployment profile is built, it is reflected in the list of Mobile Device App Catalog. You have to deploy 1 app at a time…you can’t group the apps together.
      17. For mobile device app, you can deploy automatically or make available in self service. Do not deploy apps automatically…
      18. When you purchase an app in Volume Purchase Store, you get a table. The table has code, status, date, username, device…Free apps can be loaded without codes, but paid apps.
      19. Scope – find a group that has the iPads you want.
      20. Casper Self Service – the code for this portal lives on the district server. “All apps installed through self Service portal must be loaded with LCISD iTunes account. Do not use a personal account.” When you install, the Apple ID and password pops up. When you do the app install, it shows you the Apple ID and password to the left. Every 4 hours, that password is changed, verifies that the password was saved, and then saves that password in the SQL database.
      21. MDM Limitations
        1. Users can delete the MDM profile
        2. Not a true app push
        3. Can’t delete apps
      22. If the user removes the MDM Profile, all apps associated go away. You cannot install a managed profile that is locked down. Students can remove the MDM Profile and they can do stuff. . .however, MDM admin will know that the students removed it.
      23. A Hybrid Approach
        1. Personal – encourage the use of personal accounts. Do not load your personal account on multiple devices.
        2. Group accounts – Turn autosync devices, managing installs from one iPad (teacher) and other devices (student) will get the app installed. If it’s a free app, load it here.
        3. MDM – for paid workshops.
      24. Session is being repeated on Thursday “iOS Headache”.
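
As an added illustration of the "key, then a string" XML configuration files and the Restrictions items in the notes above (this is not code from the presentation or from Casper): the Python sketch below builds a small configuration profile and then audits it, reporting which restrictions it sets and whether a user can remove it. The profile identifiers and display names are constructed; the restriction keys are those of Apple's `com.apple.applicationaccess` payload, with `allowYouTube` being an iOS 5-era key.

```python
import plistlib
import uuid

# Restriction keys (Apple's com.apple.applicationaccess payload) matching
# items named in the notes: camera, YouTube (iOS 5-era key), App Store.
WATCHED = ("allowCamera", "allowYouTube", "allowAppInstallation")


def build_profile(restrictions, removable=True):
    """Return a configuration profile as XML plist bytes (key, then value)."""
    payload = {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadIdentifier": "org.example.district.restrictions",  # constructed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Restrictions",
        **restrictions,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadIdentifier": "org.example.district",  # constructed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Take-home iPad (sample)",  # constructed
        "PayloadRemovalDisallowed": not removable,
        "PayloadContent": [payload],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def audit_profile(xml_bytes):
    """List what a profile restricts and whether the user can remove it."""
    profile = plistlib.loads(xml_bytes)
    findings = {"removable": not profile.get("PayloadRemovalDisallowed", False),
                "disabled": [], "unset": []}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.applicationaccess":
            continue
        for key in WATCHED:
            if key not in payload:
                findings["unset"].append(key)  # device default applies
            elif payload[key] is False:
                findings["disabled"].append(key)
    return findings


if __name__ == "__main__":
    sample = build_profile({"allowCamera": False, "allowYouTube": False})
    print(sample.decode())
    print(audit_profile(sample))
```

Running the same audit over profiles exported from the iPhone Configuration Utility gives a quick check that a profile intended for take-home devices actually sets the restrictions it is supposed to.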