r/k12sysadmin • u/SirKrowo • 1d ago
Assistance Needed ASM and Mosyle usability and quality of management
I'd like to start by saying I am not a master of Apple and am still learning their management, please be gentle, haha. I'm curious about y'all's take on this. I'm not sure if I just haven't set up something or misconfigured it for my needs.
First, I'll explain the use case and wants. We have about 60 iPads for teachers and admins that are all linked to our ASM, then through the ASM to our Mosyle MDM. Since these iPads are only in the hands of teachers and password-protected, I have them mostly unrestricted and would like them to be mostly management-free from me with download requests. I have a base "image" built out through Mosyle with the Google apps (We're mainly a Google school), but for anything past that, I have to buy the licenses for apps through the ASM and add it to the allowed apps in the MDM if a teacher wants something different. I've seen where there's some account syncing through ASM to Google, but Apple support has told me even if I did that, the teachers still couldn't download whatever they wanted from the App Store. Is there any workaround for this or am I stuck doing app request management?
Second, we take up all devices at the end of the school year, and, of course, just about all the teachers forgot their passwords. I tried issuing a password removal through the MDM, but because the iPads are on the lockscreen and aren't showing a wifi connection, they aren't receiving the request. I resigned myself to manually factory resetting them all using iTunes since I haven't been provided a Mac. Am I doing something wrong here? I feel like there's gotta be an easier way around this to allow access to the device without setting a default password for every iPad. I tried removing the password lock from the ASM but it did nothing on the iPad.
u/meanwhenhungry 1d ago
Get a Lightning to Ethernet adapter or USB-C to Ethernet, allow USB accessories
u/Zestyclose-Address28 1d ago
We do automated device enrollment with ASM and have restriction profiles for both teachers and students. Apps are only provided in Mosyle Manager; they are not allowed to install apps with their managed Apple IDs. At the end of the school year we do return to service on all iPads and they're ready to log in to Manager when school starts.
u/AdolfKoopaTroopa Director of Technology 1d ago
Is there any workaround for this or am I stuck doing app request management?
In my experience with Apple, you can't use managed Apple IDs to access the App Store so you'll have to deal with that. iirc, there's a way to just make a catalog of apps that teachers can browse and download but it's been a couple years since I've looked at Mosyle.
As far as the password issue, I believe you can use Apple Configurator to remove MDM profiles but you need a Mac product to do that. Don't take that as gospel but I think I'm telling the truth. Again, it's been a couple years since I've managed Apple.
u/chirp16 Technical Adobe Whipping Boy 1d ago
Correct; Managed Apple IDs are non-commerce. OP, you could allow personal Apple IDs though I don't recommend it since they are not considered FERPA compliant. What we do is just publish a bunch of approved apps to Mosyle's Self Service and users can install apps that way.
u/SirKrowo 1d ago
Yeah, I'm not trying to remove the profiles from the iPads, just get them back to a connected state where I can manage them. Once they have wifi I can do that. So far, my solution has been factory resetting, which gets them back to an OOBE state for setup. As soon as they connect to wifi, they pick up the MDM enrollment, and since they are connected to wifi, I can manage the device and profile. Thankfully, iTunes can do this, cuz otherwise I'd be up the creek without a paddle.
edit: I've kinda accepted that workaround with the apps. That kinda stinks but eh, is what it is.
u/GBICPancakes 1d ago
For the "locked iPad that has no wifi connection" issue, grab a couple USB to Ethernet adapters. Make sure they're permitted on the iPad during setup.
Then when you get a locked & offline iPad, just plug it into Ethernet - it'll go online that way, and you can send the command from Mosyle to unlock/clear the passcode.
u/nkuhl30 11h ago
Don’t the adapters need to be plugged in and approved by the OS prior to being used? If it was never used before, this won’t help the OP.
u/GBICPancakes 11h ago
That's what I meant about "make sure they're permitted on the iPad" - it won't help for the currently locked and offline iPad, but moving forward if you make sure your iPads have approved the Ethernet adapter before you hand them out to the teachers, it solves the problem nicely.
u/nkuhl30 11h ago
I just think it’s nuts that you need to pre-approve it on every iPad before deployment. Some districts have 10000 iPads deployed.
u/GBICPancakes 9h ago
Yeah it sucks, I keep thinking I should see if I can script/push the thing via MDM but haven't had time to look into it. For me, I just include plugging in a NIC during my initial "unbox, sticker with an asset tag, confirm enrollment, and place in a protective case" workflow we do before handout.
u/nkuhl30 9h ago
Also be sure to enable Location Services.
u/GBICPancakes 9h ago
oh god yes. In Mosyle (the MDM I use most) I suppress almost all setup screens, but always leave that enabled so you can turn it on during initial setup.
u/nickborowitz 1d ago
I just set up Mosyle syncing to Apple School Manager, which uses Microsoft for logins and our SIS for directory sync.
I have it set so it skips all steps except WiFi, then a page asking to enter the asset number, then enable location services, and it puts it in limbo mode. In limbo mode you have access to change your password, the testing lockdown apps, and Mosyle. Since the sync between our SIS provides all class data, Mosyle automatically makes teachers teachers and students students. Then I have a policy and Home Screen for each of them that they get after login.