Apple School Manager

What is Apple School Manager?

Apple School Manager is a service that lets you buy content, configure automatic device enrollment in your mobile device management (MDM) solution, and create accounts for your students and staff. Apple School Manager is accessible on the web and is designed for technology managers, IT administrators, staff, and instructors.

Who should use Apple School Manager?

Currently there are two specific uses of Apple School Manager at Duke, intended for IT administrators that support Apple endpoint devices (macOS and iOS). Apple School Manager should be used for initial provisioning of devices, using the “device manager” role, and assigning Apple Mac / iOS App Store purchases, using the “content manager” role.

Duke & Duke Health share a single enterprise instance of Apple School Manager.

Terminology and definitions:

  • MDM – Mobile Device Manager, server software running at Duke used to administer devices. JAMF Pro and AirWatch are MDM services in use at Duke and Duke Health.
  • DEP – Device Enrollment Program, the Apple service
  • ASM – Apple School Manager, a service run by which is used to configure DEP and assign Apple devices (macOS and iOS) to specific MDM servers. The ASM service also manages purchasing and assigning of App Store licensing (Mac and iOS).
  • Apple ID – The user identity specific to Apple provided services, not in any way connected to Duke NETIDs. In ASM, all IT admins will be using Enterprise Managed Apple IDs. The enterprise managed Apple IDs are very different than ordinary “individual” Apple IDs and do not have access to the majority of services normally accessible by individual Apple IDs.

What is the plan for migration from the existing DEP and VPP portal to Apple School Manager?

In the Apple School Manager system there are multiple roles, but the primary role is the Admin role. There can be only 5 Apple IDs which are the Admin role. The Admin role has 3 primary responsibilities: accept EULA from Apple periodically, add / remove / role assignment of enterprise managed Apple IDs to the enterprise account, perform password / mutli-factor resets for enterprise managed Apple IDs.

In the call with Apple, they informed us that we can expect all existing device DEP assignments, VPP software assignments, DEP server configurations, and VPP software service tokens to remain valid after migration. No immediate action will be needed to maintain the connection of MDMs (JAMF or AirWatch) with Apple for DEP or VPP information.

Additionally, any Apple IDs currently associated with the Duke enterprise account will immediately become enterprise managed Apple IDs. This means that all software purchased by that Apple ID will be migrated with the account and accessible within the Apple School Manager service portal. However, no change will need to be made to existing software licenses already deployed to managed devices.

Apple has recommended that the migration process should only require a short blackout time for accessing the Apple DEP administration site, less than 60 minutes. As for VPP software, they recommend that IT admins be requested to not purchase any software using a VPP account for 24 hours. These blackout windows are only relevant to using the Apple DEP or VPP web interface, there will be no need for restrictions of any MDM use throughout the migration process.

I am finalizing a compiled list of currently associated Apple IDs and each respective DEPT or GROUP, based on MDM configuration information and information from the Duke Site License group. The list will be put into a shared Box folder for all to review.

For the process to go forward, the management of each team will be asked to approve a proposed date of Dec 10th (or in that week). Additionally, OIT and/or DHTS will need to determine if and how this migration should be submitted to change management control.

How does Apple School Manager enroll devices in a Duke MDM service?

The Apple School Manager service (hosted by Apple) allows the Duke IT admin with a device manager role to assign Apple device serial numbers to specific “servers”. The term “servers” in the ASM service refer to a specific DEP

 

Important and useful reference material:

Apple School Manager documentation

Apple School Manager: Upgrading to Apple School Manager
Upgrading from Apple Deployment Programs to Apple School Manager gives you more options than ever before for easily preparing, deploying, and managing Mac and iPad for your students and teachers. Come learn best practices to prepare for your upgrade, and participate in a live Q&A with an Apple system engineer.

Times: Mondays @ 11am Eastern Time
Link: https://appleinc-amr.webex.com/appleinc-amr/k2/j.php?MTID=t14e1ecf6e7c99a4f78e8cc420630bbe7
Password: apple1

Apple School Manager: Creating Managed AppleIDs
Join us to learn how you can use Apple School Manager to create Managed Apple IDs—accounts designed specifically for schools that enable students and staff to personalize their device and access key services from Apple. These accounts are built for students of all ages and are intended to make it easy for schools to create and manage accounts at scale. The accounts are designed to meet the privacy and security needs of schools. Includes a live Q&A with an Apple system engineer.

Times: Tuesdays @ 11am Eastern Time
Link: https://appleinc-amr.webex.com/appleinc-amr/k2/j.php?MTID=tcc5e3c92a81eb3048c9374a774336458
Password: apple1

Apple School Manager: Buying Apps and Books
This session will provide everything you need to know about easily funding, purchasing, and distributing apps and books for iPad and Mac with Apple School Manager. Discover how to leverage education volume discounts, and learn tips and tricks on getting the most from Apple School Manager from an Apple system engineer during a live Q&A.

Times: Wednesdays @ 11am Eastern Time:
Link: https://appleinc-amr.webex.com/appleinc-amr/k2/j.php?MTID=ta5f155d71f41bb9af5dd9129c4baf88c
Password: apple1