When using Apple Configurator, you can assign an existing supervision identity to be used with devices you place into supervision. To do so, first open Apple Configurator and click on Organizations.From Organizations, click on the plus sign (“+”). From the Create an Organization screen, click Next. When prompted to provide information about your organization, provide the name, phone, email, and/or address of the organization. If you are importing an identity, select “Choose an existing supervision identity” and click on Next. When prompted, click Choose to select the identity to use (e.g. exported from another instance of Apple Configurator or from Profile Manager). Click Choose when you’ve highlighted the appropriate certificate. Click Done.
Looks like Sal et al posted a suite of Automator Actions to link the Casper Suite to Apple Configurator at https://configautomation.com/jamf-actions.html. In my limited tests so far they work pretty darn well! Some pretty cool things here, like having the JSS rename a mobile device when managed through Apple Configurator, having Apple Configurator instruct the JSS to remove a device from a group, clear passcodes, update inventory, and other common tasks involved in workflows when leveraging Apple Configurator for en masse device management. Good stuff!
Apple Configurator 2 is a great tool. But you need to debug things from time to time. This might mean that a profile is misconfigured and not installing, or that a device can’t perform a task you are sending it to be performed. This is about the time that you need to enable some debug logs. To do so, quit Apple Configurator and then write a string of ALL into the ACULogLevel key in ~/Library/Containers/com.apple.configurator.ui/Data/Library/Preferences/com.apple.configurator.ui.plist:
defaults write ~/Library/Containers/com.apple.configurator.ui/Data/Library/Preferences/com.apple.configurator.ui.plist ACULogLevel -string ALLTo disable, quit Apple Configurator and then delete that ACULogLevel key:
defaults delete ~/Library/Containers/com.apple.configurator.ui/Data/Library/Preferences/com.apple.configurator.ui.plist ACULogLevel
Enrolling iPads and iPhones into JAMF’s Casper suite can be done through Apple Configurator 2, text messages, email invitations, Apple’s Device Enrollment Program (DEP), or using links deployed to iOS devices as web clips. When doing larger deployments the enrollment process can be automated so that devices are automatically enrolled into Casper when set up using an Enrollment Profile that is manually downloaded from Casper and deployed to device. Additionally, a certificate can be needed if the certificate is not included in the profile, an option available as a checkbox in the setup. While you hopefully won’t need to download the certificate, we’ll cover that as well: Download the Enrollment Profile To download an enrollment profile from Casper MDM:
- Log into the web interface of the JSS.
- Click on the link along the top navigation bar for Mobile Devices.
- Click on Enrollment Profiles in the sidebar.
- Click on the plus sign (+).
- Provide a new name for the profile.
- Click on the User and Location Information tab.
- Enter any of the information you wish to have associated with this account when the profile is used to enroll a device into the JSS (not required – use this if you want your devices to have these associated, like if you use Configurator to setup departments and then associate a blueprint to each department and use an enrollment profile per blueprint).
- At the Enrollment Profiles screen, click on Download for the appropriate profile (for most environments there should only be one).
- Click on the Save button.
- Click on the General tab.
- Click on the Download button to download a .mobileconfig file that contains enrollment information.
- Click on the Trust Profile button to download the trust profile (a .mobileconfig with our cer).
- Once the profile is downloaded, it will automatically attempt to enroll the computer you are downloading it from in the Profiles System Preferences pane.
- Click on Cancel.
- Click on your downloads and you have now downloaded the two .mobileconfig files that will enroll devices into Casper. Note that if you have a cert signed by a CA you shouldn’t need the Trust Profile.
- Open Apple Configurator 2 on the client computer.
- Click File and then click on New Blueprint.
- Provide a name for your Blueprint.
- Once the new Blueprint is created, click on it.
- Click on Profiles.
- Click Add Profiles…
- Manually add the first profile by browsing to it.
- Drag any other profiles into the list.
- Apply the Blueprint to devices to see if it works.
Enter Apple Configurator 2, a free tool on the Mac App Store. This tool basically fixes most setup challenges for iOS, but does so over USB. This means that Apple Configurator is not necessarily a replacement for MDM. In fact, you can deploy Trust and Entrollment profiles for MDM and automate the MDM enrollment for a device through Apple Configurator 2. Instead, Apple Configurator 2 is a tool that can either help to manage iOS devices during a mass deployment and do so in a manner that is easy enough that you don’t need a firm background in IT to manage devices on a day-to-day basis. Here is what Apple Configurator can do:
- Update iOS devices to the latest version of iOS.
- Rename devices using a numbered scheme (e.g. iPad 1, iPad 2, etc).
- Erase (wipe) iOS devices.
- Backup and Restore iOS devices.
- Deploy profiles/policies (e.g. no Siri for you, disable cameras, setup wireless, etc) to iOS devices.
- Export profiles.
- Activate devices (after all a restore of a freshly activated device is an activation).
- Push any kind of app to devices.
- Track Volume Purchase Program (VPP) codes used on devices.
- Manage the wallpaper on “Supervised” devices (more on supervision later).
- Manage the names of devices en masse.
- Load content to apps on devices.
- Skip initial Activation steps on devices.
- In order to push apps through Apple Configurator, the system running Configurator needs access to Apple’s servers and Apple Configurator needs an AppleID associated with it that is not the VPP facilitator if you are leveraging any paid apps.
- You can use Apple Configurator “off-line” or without an AppleID to Prepare devices with Profiles, just not to Activate devices. For the initial device activation process, Macs running Apple Configurator will need to be online. Additionally, you’ll be prompted to enter your Apple ID routinely.
- If you push Trust and Enrollment profiles to automatically join Profile Manager (or another MDM vendor) the device isn’t associated with a user unless the MDM has been prepped to designate each UDID or Serial Number to a given user.
- If you accidentally plug in your iPhone to a machine and you’re using Apple Configurator on it and you’ve chosen to Erase in the application, then it will wipe your phone along with the 30 iPads you’re wiping. It’s awesome and scary like that (yes, I’ve accidentally wiped my phone).
- Company and education labs: manage devices end-to-end (no MDM, iTunes iPhone Configuration Utility or other tools needed), managed by the lab manager.
- One-to-One environments (schools): Manage the distribution of infrastructure settings (mail, wireless networks, etc) for devices as well as Trust Profiles to make it faster to enroll in MDM environments and Web Clips to manage the links for enrollment.
- Device distribution: Pre-load applications (that can’t be updated unless they’re cradled again), renaming, profiles, activation, iOS software updates, etc.
- Backup and Restore only stations where you don’t interfere with later iTunes use.
Apple Configurator has always been able to upgrade devices. But it can also now upgrade apps that are on devices. To run an upgrade, first open Apple Configurator 2. Once open, right-click on a device and click on the Update… option. You can update all assets on the device concurrently, using the default option. Here, we’re going to select to update only the items we need to in the drop-down menu. Select Only Some Apps and then you’ll see a list of each app that needs an upgrade on the device. Check the box for the apps to be updated and then click on the Update button. Apps are updated using an iTunes account. Here, you will need to authenticate using an account on the app store that owns these apps. Once entered, Apple Configurator will cache the apps and install them on a device or devices. The apps are only downloaded once, and then applied to many devices. These function even if the app store is disabled on devices.
Blueprints are a new option in Apple Configurator 2. Blueprints allow you setup a template of settings, options, apps, and restore data, and then apply those Blueprints on iOS devices. For example, if you have 1,000 iOS devices, you can create a Blueprint with a restore item, an enrollment profile, a default wallpaper, skip all of the activation steps, install 4 apps, and then enabling encrypted backups. The Blueprint will provide all of these features to any device that the Blueprint is applied to. But then why not call it a group? Why call it a Blueprint? Because the word template is boring. And you’re not dynamically making changes to devices over the air. Instead you’re making changes to devices when you apply that Blueprint, or template to the device. And you’re building a device out based on the items in the Blueprint, so not entirely a template. But whatever on semantics. To get started, open Apple Configurator 2. Click on the Blueprints button and click on Edit Blueprints. Notice that when you’re working on Blueprints, you’ll always have a blue bar towards the bottom of the screen. Blueprints are tiled on the screen, although as you get more and more of them, you can view them in a list. Right-click on the Blueprint. Here, you’ll have a number of options. As you can see below, you can then Add Apps. For more on adding Apps, see this page. You can also change the name of devices en masse, using variables, which I explore in this article. For supervised devices, you can also use your Blueprints to change the wallpaper of devices, which I explore here. Blueprints also support using Profiles that you save to your drive and then apply to the Blueprints. Blueprints also support restoring saved backups onto devices, as I explore here. For kiosk and single purpose systems, you can also enter into Single App Mode programmatically. You can also configure automated enrollment, as described here. Overall, Blueprints make a great new option in Apple Configurator 2. These allow you to more easily save a collection of settings that were previously manually configured in Apple Configurator 1. Manually configuring settings left room for error, so Blueprints should keep that from happening.
One of the things that Apple Configurator 2, or an MDM solution, can do to make large-scale iOS deployments easier is to disable some of the screens displayed to users during the initial setup of an iOS device. This is critical when trying to get to a zero-touch deployment. On a DEP-based device, most of these steps would be disabled by your MDM solution. However, on a non-DEP-based device, these options would be disabled on the iOS device directly. To disable the initial configuration screens during activation on an iPhone or iPad and therefore require less steps during the setup of devices, first plug a device into Apple Configurator. Then, right-click on the device and choose the Prepare… option. From the prepare wizard, first choose whether the configuration will be automatic or assist during the initial configuration of DEP-based devices. Because there’s no MDM in this scenario, we’ll select Manual. As mentioned, there’s no MDM for this deployment, so at the MDM server screen, we’ll elect not to use an MDM and then click on the Next button. At the Supervise Device screen, we’ll go ahead and enable supervision, so that we can make use of some other options, such as disabling features in profiles that are only allowed to be disabled using a supervised device. Click Next. Finally, we’re at that Apple Configurator 2 screen where we can disable activation screens. Here, choose the following that you’d like to disable:
- Language: Disables the screen to set the language. The language will default to English, but can be configured after the setup process is complete if English is not the preferred language.
- Region: Disables the screen to set the region during setup.
- Location Services: Disables the screen to disable Location Services at setup. Location Services can still be disabled once setup is complete.
- Set Up: Disables the Set Up screen.
- Apple ID: Disables the screen to configure an Apple ID during setup. An Apple ID will still be required to install apps manually and can be configured during an app purchase. Apple IDs will not be required for Volume Purchase Program (VPP) purchases using the device-based deployment options via MDM.
- Zoom: Disables the screen to enable the zoom options.
- Siri: Disables the screen to disable Siri, the voice recognition options on the iPhone.
- Diagnostics: Disables the prompt to send Diagnostic information to Apple.
- Passcode: Disables the prompt to configure a passcode. Passcodes can still be configured by users once the device has been setup.
- Touch ID: Disables the prompt to make a fingerprint your passcode. You an still setup Touch ID at a later time. Touch ID will be required in order to use Apple Pay.
- Apple Pay: Disables the prompt to set up Apple Pay during the activation process. You can still setup Apple Pay manually at a later time.
One of the things that is awesome and sometimes frustrating about Apple Configurator is that when you do certain tasks, you end up updating the OS on devices. The reason this is awesome is that it allows you to centralize operations. The reason this can be frustrating is that if you’re on a limited bandwidth connection, you may find that you can’t do very basic tasks before downloading a large OS update. And if you’ve got a bunch of Apple Configurator workstations, and you are running a training session, this can get infinitely more annoying. In these types of lab environments, you’re in luck. If you have an ipsw (the iOS OS update file), you can copy the file from ~/Library/Group\ Containers/K26BKF7T3D.group.com.apple.configurator/Library/Caches/Firmware/ onto another machine. To copy them onto a USB drive called bananarama for example, use the following command:
cp -R ~/Library/Library/Group\ Containers/K26BKF7T3D.group.com.apple.configurator/Library/Caches/Firmware/ /Volumes/bananarama/ipsws/And once you’ve moved that drive, to then copy them back:
cp -R /Volumes/bananarama/ipsws/ ~/Library/Group\ Containers/K26BKF7T3D.group.com.apple.configurator/Library/Caches/Firmware/
One of the more common requests we get for iOS devices is to restrict what sites on the web that a device can access. This can be done in a number of ways. One is using the content filter option in Apple Configurator 2. The second is using a Global HTTP Proxy. We’ll cover both here, using custom profiles. Both require the device be Supervised. Use the Content Filter To enable the Content Filter, open Apple Configurator and click on the New menu. From there, click on Content Filter in the sidebar. You have three ways you can use the Content Filter. These include:
- Built-in: Limit Adult Content: A basic profile that allows you to specifically whitelist and blacklist sites. This gives you very basic control of sites. Here, use the plus sign to enter a URL, as you can see here.
- Built-in: Specific Websites Only: This option only allows certain sites, and creates a badge for each in the bookmarks list of Safari.
- Plug-in: Allows you to install third party plug-ins on iOS devices. If using this, you would likely have instructions for building the profile from the vendor.