
Own MDM solution with VPP - OSX Server

Micke Kring

Some time ago a good friend asked me if I could help him set up a solution for their iPads. Since they’re approaching 80+ of these devices it’s no longer an option to do it manually. The time from unboxing to the iPad being in use must be reduced. And management must be possible OTA (over the air). Because most of these are shared iPads, reinstallation needs to be optimised as well. So I thought I’d solve it with a Mac Mini running OSX Server and VPP - Volume Purchase Program. This is not a step-by-step guide but rather documentation of how I proceeded.

What we want to achieve

A cheap, reliable solution that will hold up over time. OSX Server and its MDM (Mobile Device Management) should theoretically handle up to 5,000 devices (both OSX and iOS). A Mac Mini with the server software doesn’t cost that many thousand kronor and combined with backup disks it should solve the problem for this smaller organisation. We end up with a final sum under 10,000 kr. The work time to set up the system is estimated at about one workday. Everything should be handled by the organisation itself.

What we want MDM and VPP to do

  • Push out some basic settings and restrictions wirelessly, with the ability to change these and push updates wirelessly.
  • Configure email, wi-fi and other things automatically so it’s ready when the iPad goes into use. This should also be pushed out and changed wirelessly.
  • Purchase and distribute apps and e-books wirelessly.
  • Minimise the number of steps and automate as much as possible, to get a newly purchased iPad from the box into use in no time. But also to be able to quickly reinstall — reset an iPad, since most are shared devices.
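
What such a pushed settings bundle looks like as a file, as an added example that is not from the original post: a configuration profile (.mobileconfig) with a Wi-Fi and a mail payload for one shared iPad, plus a check for credentials stored in it as plain text. The SSID, key, mail host, domain and the org.example identifiers are constructed sample values.

```python
import plistlib
import uuid

def _payload(ptype, ident, name, **settings):
    # Every payload carries the same five bookkeeping keys plus its own settings.
    return {"PayloadType": ptype, "PayloadVersion": 1,
            "PayloadIdentifier": ident, "PayloadUUID": str(uuid.uuid4()).upper(),
            "PayloadDisplayName": name, **settings}

def build_profile(device, ssid, psk, mail_host, mail_domain):
    """Return the dict form of a .mobileconfig for one shared iPad (e.g. 'p001')."""
    base = f"org.example.ipad.{device}"  # constructed reverse-DNS prefix
    wifi = _payload("com.apple.wifi.managed", f"{base}.wifi", "Wi-Fi",
                    SSID_STR=ssid, EncryptionType="WPA2", Password=psk,
                    AutoJoin=True, HIDDEN_NETWORK=False)
    # The mail account reuses the device name, matching the page's convention
    # that user accounts are named like the iPads.
    mail = _payload("com.apple.mail.managed", f"{base}.mail", "Mail",
                    EmailAccountType="EmailTypeIMAP",
                    EmailAccountDescription=device,
                    EmailAddress=f"{device}@{mail_domain}",
                    IncomingMailServerHostName=mail_host,
                    IncomingMailServerUsername=device,
                    IncomingMailServerAuthentication="EmailAuthPassword",
                    IncomingMailServerUseSSL=True,
                    OutgoingMailServerHostName=mail_host,
                    OutgoingMailServerUsername=device,
                    OutgoingMailServerAuthentication="EmailAuthPassword",
                    OutgoingMailServerUseSSL=True)
    return _payload("Configuration", base, f"Shared iPad {device}",
                    PayloadContent=[wifi, mail])

# Payload keys that hold a credential as a plain string in the plist.
SECRET_KEYS = {"Password", "IncomingPassword", "OutgoingPassword"}

def cleartext_secrets(profile):
    """List (payload type, key) pairs that store a credential as plain text."""
    return [(p["PayloadType"], k) for p in profile["PayloadContent"]
            for k in sorted(p) if k in SECRET_KEYS]

def to_mobileconfig(profile):
    # XML plist bytes, as they would be written to a .mobileconfig file.
    return plistlib.dumps(profile)
```

Because the Wi-Fi key sits in the file as plain text, an exported copy of such a profile needs the same handling as the password itself.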

Apple VPP - Volume Purchase Program - Education

The first thing we do is apply for a VPP account with Apple. This is where we’ll buy our apps and books, or rather the licenses for them. Then we tie our MDM to the VPP. https://www.apple.com/se/education/it/vpp/ This takes a couple of days to get approved, but once it’s ready we can buy apps in bulk, as long as we have a credit card or other approved payment method on file. The nice thing is that most apps are 50% off if you buy more than 20 licenses at once.

DEP

For now we skip DEP.

OSX Server

The Mac Mini runs OSX El Capitan, which is the latest version at the time of writing. To that we buy the OSX Server add-on from the App Store, which costs 209 kr. The server will only be inside the organisation’s own network and therefore I don’t bother setting up any domain name for it; I simply call it iosserver, which means it’s reached via the local domain https://iosserver.local. I also enable Apple Push Notifications so the server can push settings and such OTA. The only two services I care about in OSX Server are Caching (to cache apps and other content so we don’t put too much strain on the internet) and Profile Manager (which is the MDM itself). The rest of the services are off. However, I use users in OSX Server, since they form the basis for the info needed to push out the email settings.

The setup - from box to hand

I’ve named all the iPads p001, p002, p003 etc. The user accounts in OSX Server are named the same. I spent some time adding all the iPads as placeholders in the MDM so when they’re rolled in they’re already correct in the system with settings and apps. This also stays in place when the iPads are reinstalled. We no longer need an Apple ID for each iPad from iOS9, so that saves a lot of time. I’ve also created groups for apps and groups for settings. A device can therefore be in several different groups. Of course it’s possible to apply settings or apps down to the device level.

If we look at this step-by-step for a new iPad installation, the flow looks like this:

  • The iPad is unpacked
  • We open Apple Configurator on the server machine and set the name of the iPad, e.g. P0003, and start “prepare”.
  • Now we plug the iPad into the computer and Apple Configurator updates it to the latest iOS, installs wi-fi and enrolls it in the MDM automatically. This process takes about 3–4 minutes. We can of course plug in multiple iPads at the same time depending on the number of USB ports.
  • Now we can unplug the iPad and the MDM takes over and pushes out settings, apps and the email account over wi-fi. At this point the iPad can actually be handed over to the organisation, although it may take a while for all apps to finish downloading.

+ Positive

So far I have only positive things to say about this solution. However it remains to be seen how it will work out in the organisation and I’ll probably return to this post. Very simple and smooth to get started with and the possibilities for settings and automation are large.

- Negative

I would have liked users to remain linked to their device even when a reinstallation is done. It doesn’t take many seconds to add it again, but still. As soon as usage is scaled up every extra click becomes an extra burden.

As usual, if you have any questions feel free to ask them in the comments.
