Integrate with Apple Education features

You can use XenMobile as your mobile device management (MDM) solution in an environment that uses Apple Education. XenMobile support includes Apple School Manager (ASM) and Classroom app for iPad. The XenMobile Education Configuration device policy configures instructor and student devices for use with Apple Education.

You provide preconfigured and supervised iPads to instructors and students. That configuration includes ASM enrollment in XenMobile, a Managed Apple ID account configured with a new password, and required volume purchase apps and iBooks.

Here are highlights of XenMobile support for Apple Education features.

Apple School Manager

ASM is a service that lets you set up, deploy, and manage iOS (iPadOS) devices and macOS laptops used in educational institutions. ASM includes a web-based portal that lets IT administrators:

  • Assign Apple Deployment Program devices to different MDM servers.

  • Purchase volume purchase licenses for apps and iBooks.

  • Create Managed Apple IDs in bulk. These customized Apple IDs provide access to Apple services such as storing documents in iCloud Drive and enrolling in Apple App Store courses.

You can add multiple ASM accounts to XenMobile. For example, this feature enables you to use different enrollment settings and Setup Assistant options by Education unit or department. You then associate ASM accounts with different device policies.

After you add an ASM account to the XenMobile console, XenMobile retrieves class and roster information. During device setup, XenMobile:

  • Enrolls the devices.
  • Installs the resources you configured for deployment, such as device policies (Education Configuration, Home screen layout, and so on).
  • Installs the apps and iBooks purchased through volume purchase.

You then provide the preconfigured devices to instructors and students. If a device is lost or stolen, you can use the MDM Lost Mode feature to lock and locate the device.

Classroom app for iPad

The Classroom app for iPad enables instructors to connect to and manage student devices. You can view device screens, open apps on iPads, and share and open web links.

Classroom is free in the App Store. You upload the app to the XenMobile console. You then use the Education Configuration device policy to configure the Classroom app, which you deploy to instructor devices.

For more information about Apple Education features, see the Apple Education site and the Apple Education Deployment Guide from the same site.

Prerequisites

  • Citrix Gateway

  • Enrollment profile configured for MDM+MAM.

  • Apple iPad 3rd generation (minimum version) or iPad Mini, with iOS 9.3 (minimum version)

Note:

XenMobile doesn’t validate ASM user accounts against LDAP or Active Directory. However, you can connect XenMobile to LDAP or Active Directory for management of users and devices not related to ASM instructors or students. For example, you can use Active Directory to provide Secure Mail and Secure Web to other ASM members, such as IT administrators and managers.

Because ASM instructors and students are local users, there is no need to deploy Citrix Secure Hub to their devices.

MAM enrollment that includes Citrix Gateway authentication doesn’t support local users (only Active Directory users). Therefore, XenMobile deploys only required volume purchase apps and iBooks to instructor and student devices.

Prerequisites for Shared iPads

  • Any iPad Pro, iPad 5th generation, iPad Air 2 or later, and iPad mini 4 or later
  • At least 32 GB of storage
  • Supervised

Configure Apple School Manager and XenMobile

After you purchase iPads from Apple or from Apple Authorized Resellers or carriers, follow the workflow in this section to set up your ASM account and devices. This workflow includes steps that you perform in the ASM portal and in the XenMobile console.

Follow these instructions to configure your integration for any iPads that you use in a one-to-one model (one iPad per student) or for instructor iPads (unshared). To configure Shared iPads, see Configure Shared iPads.

Step 1: Create your Apple School Manager account and complete the Setup Assistant

If you plan to upgrade from Apple Deployment Program, see the Apple Support article, Upgrade your institution to ASM. To create your ASM account, go to https://school.apple.com/ and follow the instructions to enroll. The first time that you log in to ASM, the Setup Assistant opens.

  • For information about ASM prerequisites, the Setup Assistant, and management tasks, see the Apple School Manager User Guide.

  • When setting up ASM, use a domain name that differs from the domain name for Active Directory. For example, prefix the domain name for ASM with something like appleid.

  • When you connect ASM to your roster data, ASM creates Managed Apple IDs for instructors and students. Your roster data includes instructors, students, and classes. For information about adding roster data to ASM, see the ASM User Guide, referenced earlier.

  • You can customize the Managed Apple ID format for your institution, as described in the ASM User Guide, referenced earlier.

    Important:

    Don’t change Managed Apple IDs after you import ASM information into XenMobile.

  • If you purchased devices through resellers or carriers, link those devices to ASM. For information, see the ASM User Guide, referenced earlier.

Step 2: Configure XenMobile as the MDM Server for Apple School Manager and configure device assignments

The ASM portal includes an MDM Servers tab. You need the public key file from XenMobile to complete that setup.

  1. Download the public key for your XenMobile to your local computer: In the XenMobile console, go to Settings > Apple Deployment Program.

    Apple Deployment Program settings screen

  2. Under Download Public Key, click Download and then save the PEM file.

  3. In the Apple School Manager portal, click Settings, then Device Management Settings. Click Add MDM Server.

    ASM portal

  4. Type a name for XenMobile. The server name that you type is for your reference and is not the server URL or name. Under Upload Public Key, click Choose File.

    ASM portal

  5. Upload the public key that you downloaded from XenMobile and then click Save.

  6. Generate a server token: Click Download Token to download the server token file to your computer.

    ASM portal

  7. Under Default Device Assignment, click Change. Choose how you want to assign devices and then provide the information requested. For information, see the ASM User Guide.

Step 3: Add the Apple School Manager account to XenMobile

  1. In the XenMobile console, go to Settings > Apple Deployment Program and under Add Apple Deployment Program Account, click Add.

    Apple Deployment Program settings screen

  2. In the Server Tokens page, click Upload and choose the server token file (a P7M file) that you downloaded from the ASM portal. The token information appears.

    Apple Deployment Program settings screen

    Notes:

    • Organization ID is your customer ID for Apple Deployment Program.

    • ASM accounts have an Organization type of Education and an Organization version of v2.

  3. In the Account Info page, specify the following settings.

    Apple Deployment Program settings screen

    • Apple Deployment Program account name: A unique name for this Apple Deployment Program account. Use names that reflect how you organize Apple Deployment Program accounts, such as by country or organizational hierarchy.
    • Business/Education unit: The Education unit or department for device assignment. This field is required.
    • Unique service ID: An optional unique ID to help you further identify the account.
    • Support phone number: A support phone number that users can call for help during setup. This field is required.
    • Support email address: An optional support email address available to end users.
    • Education suffix: Flags the classes for a given ASM Deployment Program account. (The volume purchase suffix flags apps and iBooks for a given volume purchase account.) The recommendation is to use the same suffix for both accounts, ASM Deployment Program and ASM volume purchase.
  4. Click Next. In iOS Settings, specify the following settings.

    Apple settings screen

    • Enrollment settings

      • Require device enrollment: Require users to enroll their devices. Change this setting to No.
      • Require credentials for device enrollment: Require users to enter their credentials during Apple Deployment Program setup. For ASM integration with XenMobile, this setting is Yes by default and can’t be changed. Apple Deployment Program requires credentials for device enrollment.
      • Wait for configuration to complete setup: Whether to require user devices to remain in Setup Assistant mode until all MDM resources deploy to the device. For ASM integration with XenMobile, this setting is No by default. According to Apple documentation, the following commands might not work while a device is in Setup Assistant mode:

        • InviteToProgram
        • InstallApplication
        • InstallMedia
        • ApplyRedemptionCode
    • Device settings

      • Supervised mode: Place iOS devices in supervised mode. Don’t change the default, Yes. For details on placing an iOS device in supervised mode, see To place an iOS device in Supervised mode by using the Apple Configurator.

      • Shared mode: Enable shared mode on iPads. Devices that don’t meet the minimum requirements can’t share.
      • Allow enrollment profile removal: For ASM integration, allow the user to remove the enrollment profile from the device. Change this setting to Yes.
      • Allow device pairing: For ASM integration, allow device pairing so you can manage devices through Apple App Store and the Apple Configurator. Change this setting to Yes.
  5. In iOS Setup Assistant Options, select the iOS Setup Assistant steps to skip when users start their devices the first time. By default, the Setup Assistant includes all steps. Consider that removing steps from the Setup Assistant simplifies the user experience.

    Important:

    Citrix strongly recommends that you include the Apple ID and Terms & Conditions steps. Those steps enable instructors and students to provide their new Managed Apple ID passwords and accept the required terms and conditions.

    Apple Deployment Program settings screen

    • Location services: Set up the location service on the device.
    • Touch ID: Set up Touch ID on iOS devices.
    • Passcode lock: Create a passcode for the device.
    • Set up as New or Restore: Set up the device as new or from an iCloud or Apple App Store backup.
    • Move from Android: Enable transferring data from an Android device to an iOS device. This option is available only when Set up as New or Restore is selected (that is, the step is skipped).
    • Apple ID: Set up an Apple ID account for the device. Citrix recommends that you select the check box to include this step.
    • Terms and conditions: Require users to accept terms and conditions for use of the device. Citrix recommends that you select the check box to include this step.
    • Apple Pay: Set up Apple Pay on iOS devices.
    • Siri: Use or not use Siri on the device.
    • App analytics: Set up whether to share crash data and usage statistics with Apple.
    • Display zoom: Set up the display resolution (either standard or zoomed) on iOS devices.
    • True Tone: Set up the True Tone Display on iOS devices.
    • Home Button: Set up the Home Button screen sensitivity.
    • New feature highlights: Set up the onboarding informational screens, Access the Dock from Anywhere and Switch Between Recent Apps on iOS 11.0 devices (minimum version).
    • Privacy: Prevent users from seeing the data and privacy pane during setup of Apple Deployment Program devices. For iOS 11.3 and later.
    • SoftwareUpdate: Prevents the user from seeing the mandatory software update screen during setup of the Apple Deployment Program devices. For iOS 12.0 and later.
    • ScreenTime: Prevents the user from seeing the Screen Time screen during setup of the Apple Deployment Program devices. For iOS 12.0 and later.
    • SIM Setup: Prevents the user from seeing the Add Cellular Plan screen during setup of the Apple Deployment Program devices. For iOS 12.0 and later.
    • iMessage & FaceTime: Prevents the user from seeing the iMessage and FaceTime screen during setup of the Apple Deployment Program devices. For iOS 12.0 and later.
  6. The account appears on Settings > Apple Deployment Program. To test connectivity between XenMobile and your ASM account, select the account and click Test Connectivity.

    Apple Deployment Program settings screen

    A status message appears.

    Apple Deployment Program settings screen

    After a few minutes, the user accounts from ASM appear on Manage > Users page. XenMobile creates local user accounts based on the imported Managed Apple ID for each user. In the following example, the domain name prefix of customized Apple IDs for user accounts is appleid.

    Apple Deployment Program settings screen

To find all users for a given ASM account, type the account name in the user search filter.

Step 4: Configure an Education volume purchase account for Apple School Manager

In this section, you point XenMobile to the volume purchase account that you use to purchase volume purchase licenses for apps and iBooks.

  1. To configure an Education volume purchase account for ASM, follow the instructions in Apple Volume Purchase. The Add a volume purchase account screen requires that you supply a Company Token. Download your token directly from your Education volume purchase account and paste it into the Add a Volume purchase account screen.

    Volume purchase screen

    Volume purchase screen

  2. Wait a few minutes for the volume purchase licenses to import into XenMobile.

Step 5: Add passwords for Apple School Manager users

After you add an ASM account, XenMobile imports classes and users from ASM. XenMobile treats classes as local groups and uses the term “group” in the console. If a class has a group name in ASM, XenMobile assigns the group name to the class. Otherwise, XenMobile uses the source system ID for the group name. XenMobile doesn’t use the course name for the class name because course names in ASM aren’t unique.

XenMobile uses the Managed Apple IDs to create local users with the user type ASM. The users are local because ASM creates the credentials independently of all external data sources. As a result, XenMobile doesn’t use a directory server to authenticate these new users.

ASM doesn’t send temporary user passwords to XenMobile. You can import them from a CSV file or add them manually. To import temporary user passwords:

  1. Obtain the CSV file generated by ASM when creating the Managed Apple ID temporary passwords.

  2. Edit the CSV file, replacing the temporary passwords with the new passwords that users provide to enroll in XenMobile. There is no constraint on the password type for this purpose.

    The format of an entry in the CSV file is as follows: user@appleid.citrix.com,Firstname,Middle,Lastname,Password123!

    Where:

    User: user@appleid.citrix.com

    First name: Firstname

    Middle name: Middle

    Last name: Lastname

    Password: Password123!

  3. In the XenMobile console, click Manage > Users. The Users page appears.

    The following Manage > Users screen sample shows a list of users imported from ASM. In the Users list:

    • User name shows the managed Apple ID.

    • User type is ASM, to indicate the account originated from ASM.

    • Groups show the classes.

    Users screen

  4. Click Import Local Users. The Import Provisioning File dialog box appears.

  5. For Format, choose ASM user, navigate to the CSV file you prepared in step 2, and then click Import.

    Users screen

  6. To view the properties for a local user, select the user and then click Edit.

    Users screen

    In addition to the name properties, these ASM properties are available:

    • ASM data source: The data source of the class, such as CSV or SFTP.
    • ASM managed Apple ID: A Managed Apple ID might include your institution name and appleid. For example, the ID might resemble johnappleseed@appleid.myschool.edu. XenMobile requires a Managed Apple ID for authentication.
    • ASM org name: The name you gave the account in XenMobile.
    • ASM passcode type: Password policy of the person: complex (a non-student password of eight or more numbers and letters), four (digits), or six (digits).
    • ASM person unique ID: Identifier for the user.
    • ASM person status: Specifies whether the Managed Apple ID is Active or Inactive. This status becomes active after the user provides their new password for the Managed Apple ID account.
    • ASM person title: Either Instructor, Student or Other.
    • ASM person unique ID: Unique identifier for the user.
    • ASM source system ID: Identifier for the system source.
    • ASM student grade: Student grade information (not used by instructors).
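
A pre-import check for the CSV file prepared in step 2, as an added example that is not part of the Citrix documentation or product. It assumes the original ASM export uses the same five-column layout with no header row; the function name, the problem codes, and the sample rows are constructed for illustration.

```python
import csv
import io


def validate_asm_import(edited_csv, asm_export_csv, expected_domain):
    """Check the edited password file against the original ASM export.

    Returns a list of (line_number, problem_code). Passwords are never
    included in the output, so the report is safe to log or share.
    """
    # Temporary passwords keyed by Managed Apple ID, from the ASM export.
    temp_by_id = {}
    for row in csv.reader(io.StringIO(asm_export_csv)):
        if len(row) == 5:
            temp_by_id[row[0].strip().lower()] = row[4]

    problems, seen = [], set()
    reader = csv.reader(io.StringIO(edited_csv))
    for row in reader:
        if not row:                      # skip blank lines
            continue
        line = reader.line_num
        if len(row) != 5:                # e.g. an unquoted comma in a password
            problems.append((line, "field_count"))
            continue
        apple_id, password = row[0].strip().lower(), row[4]
        local, _, domain = apple_id.rpartition("@")
        if not local or domain != expected_domain.lower():
            problems.append((line, "bad_id"))
        if apple_id not in temp_by_id:   # ID changed or added after the export
            problems.append((line, "unknown_id"))
        if apple_id in seen:
            problems.append((line, "duplicate_id"))
        seen.add(apple_id)
        if not password.strip():
            problems.append((line, "empty_password"))
        elif password == temp_by_id.get(apple_id):
            problems.append((line, "temp_password"))  # step 2 was skipped
    return problems


# Constructed sample data (not real accounts or passwords).
ASM_EXPORT = "\n".join([
    "ana@appleid.example.edu,Ana,M,Lopez,Temp-4821",
    "ben@appleid.example.edu,Ben,,Ortiz,Temp-9930",
    "cy@appleid.example.edu,Cy,J,Tran,Temp-1177",
])
EDITED = "\n".join([
    "ana@appleid.example.edu,Ana,M,Lopez,river-Stone-42",
    "ben@appleid.example.edu,Ben,,Ortiz,Temp-9930",      # still temporary
    "cy@appleid.example.edu,Cy,J,Tran,blue,Kite-7",      # unquoted comma
    "dee@example.edu,Dee,,Park,maple-Road-5",            # wrong domain
    "ana@appleid.example.edu,Ana,M,Lopez,other-Pass-1",  # duplicate ID
])

if __name__ == "__main__":
    for line, code in validate_asm_import(EDITED, ASM_EXPORT, "appleid.example.edu"):
        print(f"line {line}: {code}")
```

Both files hold plaintext passwords, so run the check where the files already live and delete them once the import succeeds.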

Step 6: Optionally add photos of students

You can add a photo of each student. If the instructors use the Apple Classroom app, the photos appear in this app.

Recommended for photos:

  • Resolution: 256 x 256 pixels (512 x 512 pixels on a 2x device)

  • Format: JPEG, PNG, or TIFF

To add a photo, go to Manage > Users, select a user, click Edit, and then click Choose image.

Users screen

Step 7: Plan and add resources and delivery groups to XenMobile

A delivery group specifies the resources to deploy to categories of users. For example, you might create one delivery group for instructors and students. Alternatively, you might create multiple delivery groups so you can customize the apps, media, and policies sent to various instructors or students. You might create one or more delivery groups per class. You can also create one or more delivery groups for managers (other staff in your educational institution).

Resources that you deploy to user devices include device policies, volume purchase apps, and iBooks.

  • Device policies:

    If instructors use the Classroom app, the Education Configuration device policy is required. Be sure to review other device policies to determine how you want to configure and restrict instructor and student iPads.

  • Volume purchase apps:

    XenMobile requires that you deploy volume purchase apps as required apps for education users. XenMobile doesn’t support deploying such volume purchase apps as optional.

    If you use the Apple Classroom app, deploy it only to instructor devices.

    Deploy any other apps that you want to provide to instructors or students. This solution doesn’t use Citrix Secure Hub app, so there’s no need to deploy it to instructors or students.

  • Volume purchase iBooks:

    After XenMobile connects to your ASM account, your purchased iBooks appear in the XenMobile console, in Configure > Media. The iBooks listed on that page are available to add to delivery groups. XenMobile supports adding iBooks as required media only.

After you plan the resources and delivery groups for instructors and students, you can create those items in the XenMobile console.

  1. Create any device policies that you want to deploy to instructor or student devices. For information about the Education Configuration device policy, see Education Configuration device policy.

    Education Configuration policy screen

    For information about device policies, see Device policies and the individual policy articles.

  2. Configure apps (Configure > Apps) and iBooks (Configure > Media):

    • By default, XenMobile assigns apps and iBooks at the user level. During first-time deployment, instructors and students receive a prompt to register to ASM. After accepting the invitation, users receive their ASM apps and iBooks at the next deployment (within six hours). Citrix recommends that you force the deployment of apps and iBooks to new ASM users. To do that, select the delivery group and click Deploy.

      You can choose to assign apps (but not iBooks) at the device level. To do that, change the setting Force license association to device to On. When you assign apps at the device level, users don’t receive an invitation to join Apple volume purchase.

    Apps configuration screen

    • To deploy an app only to instructors, select a delivery group that includes only instructors or use the following deployment rule:

       Deploy this resource by ASM device type
       only
       Instructor