Apple Makes Big Improvements In iOS Management Tools For Enterprise And Education

Apple has been busy in the IT department. Today, it released a slew of improvements and alterations to its large-scale deployment tools for education and enterprise customers.

Some of the tweaks get way out in the weeds of deployment strategies, so they’ll only be really exciting for the actual pros who deal with this stuff. But the big picture is that Apple is looking to make deployments at enormous scales more appealing for the people in charge of purchasing and maintaining iPhones and iPads. This, hopefully, will result in more major purchases by organizations and fewer negative stories about failed management scenarios.

The changes are outlined in a series of documents Apple posted on its IT deployment page today. These include changes to its Device Enrollment Program, Volume Purchase Program and the Apple ID for Students service. A new iOS deployment technical reference guide and Device Enrollment Program guide have been issued, updating its older versions with new options for device management. A new overview document provides a quick cheat sheet for enterprise folks looking to utilize the tools Apple provides to mass purchase apps and roll out huge numbers of iOS devices at a time. And a new iOS Security Document has been posted that provides in-depth details on how Touch ID and the A7’s Secure Enclave work.

I’ve had conversations with IT pros and people who roll out large iPad installs in the past and they’ve mentioned that one of the things that has continued to cause Windows devices to hold some appeal is their better remote installation and configuration support. To that end, Apple has made some updates to improve that situation.

Both the enterprise and education programs now have support for Mobile Device Management hands-free configuration. This ‘zero touch’ setup has been a long-requested feature for many pros, as it eliminates the need to cable up every deployed device and install a profile via Apple’s Configurator utility.

The zero touch configuration allows an organization to sign up for a profile and order devices directly from Apple that come pre-configured with all of their security and configuration choices. They can then manage them directly without ever having to touch them physically. Additionally, the ability to lock these profiles to the devices means that the end user won’t be able to remove them and do what they want to the devices willy nilly.

This way, the load is taken off of IT departments in the rollout phase and the user is able to customize and play with the devices without mucking up security profiles. It will also allow IT departments to easily and wirelessly conform users’ own devices to their company security policies with a simple opt-in.

“The other bit that’s interesting is that DEP-enrollment now allows admins to require and force MDM enrollment on devices they own,” Fraser Speirs, Head of Computing and IT at Cedars School of Excellence in Scotland, pointed out to TechCrunch. “This is huge for schools. The lack of enforceability of MDM enrollment was — by my guess — the central problem in the now-infamous Los Angeles Unified School District ‘hacking’ scandal.”

Schools in LA had deployed a large amount of iPads, but had to recall them after students were found deleting the enrollment profiles on their devices. This allowed the students to use them to *gasp* browse the web as they pleased and install unapproved apps on their personal units. The anarchy would not stand and the district began reconsidering its rollout — which has since resumed. These kinds of high-profile flubs likely didn’t do anything to help the momentum of Apple’s organizational rollouts. This enforcement should allow customization, while preventing circumvention of IT rules.

In short, it should make iPads even more attractive to these markets.

The Volume Purchase Program has also gotten a nice overhaul. It’s now available in all 10 VPP countries for both enterprise and education partners, allowing these organizations to bulk buy applications for installation on bunches of devices at once. These purchases are generally offered with hefty discounts, which makes them more appealing to schools with tight budgets.

In addition, VPP purchases are now able to be made via purchase orders by enterprise customers, something that was only available to IT pros in the past. Offering PO support to IT departments is going to open up VPP purchases to a huge segment that previously had no way to requisition software from Apple.

In the educational market specifically, Apple has opened up the ability for students under the age of 13 to obtain their own Apple ID. After a school is enrolled, they can request IDs from Apple, who will then send a communication to the parent, who will then be guided through the registration process. The school is then notified that the student has been given consent.

Though under-13 IDs were opened up late last year, the new changes open the way for students, specifically, to sign up — in a way that is COPPA-compliant. They require parental consent to sign up, for one. And these Apple IDs are limited in a specific set of ways.

For instance, a student Apple ID account features limited ad tracking, doesn’t allow them to opt-in to marketing and there is no iCloud email support by default. They also do not require a credit card to sign up and can notify a parent or guardian of any change in the terms of the account. These accounts convert over to a full account with all normal rights and privileges once the student reaches age 13. Apple has provided a new parent guide that details the exact process and allowances of these special Apple IDs and a guide for institutions who will utilize them.

“I think the overarching story here is that these changes are all about making deployments scale up to genuinely massive numbers,” says Speirs. “School districts are topping out at around 50k units right now — to my knowledge — but there are obviously bigger deployments in other areas of education – and enterprise.”

For now, we’ve confirmed that the Device Enrollment Program will only affect devices purchased by organizations directly from Apple. This means that schools like Speirs’, who work through retailers, won’t be able to use the program to pre-configure devices — yet. But that will likely be on the way.

“I do think these are major steps forward for IT organizations,” Carl Howe, Vice President, Research and Data Sciences at Yankee Group, told TechCrunch. “In many organizations, IT spends much of its time being ‘the department of no,’ where they tell employees that they can’t do things for reasons of manageability or security. By making Apple devices more manageable and being transparent with its security, Apple is helping those IT organizations go from being the department of no to ‘the department of yes.’ And given that ease of use boosts security compliance, the fact that this can be done in ways that don’t require the end-user to do anything special (i.e., their device gets provisioned to them fully linked up to their organization, secured, etc.), it should make Apple devices even more popular in businesses than they already are.”

iOS devices have gained a large amount of popularity in organizations by leveraging the bring your own device trend. If the boss gets a new iPad and loves it, the IT department will have no choice but to support it somehow. But in order to spur growth, and to keep the vaunted ease of use of iPads and iPhones intact, Apple has to continue to refine its offerings for device deployment.

These changes are an attempt to keep the way that people use an institutional iOS device and a consumer iOS device as close to parity as possible. If you’ve ever jumped through hoops to configure a company-issued laptop or phone, then you know how much of a pain that can be. If you imagine doing that 50,000 times, you can see why these improvements could spur a nice surge of adoption by purchasing departments.