Learn about the latest developments in managing Apple devices in large organizations. Learn the latest techniques to wirelessly configure settings, monitor compliance with policies, install apps and bulk configure devices with ease.
TODD FERNANDEZ: Good morning and welcome to session 301.
I'm Todd Fernandez, and I manage Apple's device management tools
engineering teams and help coordinate our efforts
across the company to support deploying
and managing Apple devices.
I'm excited to be here with you this morning
to represent the many teams across Apple that have been hard
at work since we last met and introduce what's new
in managing Apple devices.
Apple's commitment to education and enterprise goes back
to the beginning of the company.
Serving the needs of educators
and students has been an important part
of Apple throughout its history.
Today, there's a whole new world of devices and content available
to teachers and students.
Technology can now be completely integrated, both inside
and outside of the classroom.
But those devices and content are also critically important
in the enterprise.
Though Apple's success
in the enterprise today dwarfs any past successes,
Apple's interest in fostering increased productivity
and enterprise started a long time ago with the VisiCalc
on the Apple II and continues through the myriad
of solutions now based on iPhones, iPads, and Macs.
From the factory floor to the office.
So how can we make it even easier for schools
and businesses to take full advantage of everything
that the Apple ecosystem offers?
Since the introduction of iPhone and accelerating with iPad,
Apple has created key technologies and services
to enable schools and businesses
to make the most of their devices.
This year we are building on that foundation
with a special emphasis on shared device deployments.
Now, I need to take a moment for a brief aside here.
I likely will be referring to these two programs
by their three-letter acronyms, DEP and VPP,
throughout this presentation,
but I owe marketing a dollar every time I call a Device
Enrollment Program a dep. If I slip, don't give me away.
I appreciate it.
All these device management features really boil
down to helping you spend less time with your devices looking
like this and more time with your students
and employees using them to do things like this.
Now, today we are going to cover the entire deployment process,
highlighting all the new features in both OSs,
the services and tools along the way.
The first step is to enroll your devices for remote management.
Of course, the best way to do that is using DEP,
the Device Enrollment Program.
Before we jump into the new features, though,
I want to take a moment to highlight two changes
that have already taken place.
The first is that we've expanded
from our initial launch in two countries.
The program is now available in 26 countries around the world.
And we've dramatically shortened the time it takes
to get replacement devices into the program.
So that's great.
Now let's talk about what is new and coming this year.
The first feature I want to talk
about is called Enrollment Optimization.
You might be thinking, what does that mean?
It's actually very simple.
This is a way for the MDM server managing the device
to keep the device in Setup Assistant
until it is fully configured.
This ensures that before a user can use the device,
all the settings, accounts, and restrictions
that the organization wants to have
in place are actually in place.
So how does it work?
There's a new key that is part of the DEP settings
that specifies that you want the device to wait
until it's fully configured.
When the device obtains its Device Enrollment Program
settings from the service, when it is enrolling
with the MDM server, it passes that state back to the server.
The server then knows it can take as many MDM commands
and install as many configuration profiles
as necessary to fully configure that device.
Once the device is fully configured,
the server sends a New Device Configured command
to the device, allowing it to exit Setup Assistant
and be used by the end user.
This is available in both iOS 9 and OS X El Capitan.
Next I want to talk about a feature specific to OS X
that gives you more control over how accounts are created,
or not created as the case may be, during enrollment.
In fact, you can now prevent user creation entirely
if you just want to use network accounts on your Macs.
This works great with Enrollment Optimization
if you set a passcode policy.
That policy will be enforced
when the user is creating their new account.
One of the most important changes is that now instead
of the user creating an admin account during DEP enrollment,
you can specify that that account will be a standard
account, which is typically what you want in education.
However, because OS X, of course,
requires an admin account to be on the system, if you specify
that the standard account will be created,
you can also create an admin account behind the scenes
that you can later use
for remote management via ARD or other tools.
And you can optionally hide that admin account
from any standard users on the system.
All these settings can be configured using a new MDM
command called Setup Configuration, which works well
in conjunction with Enrollment Optimization [applause].
TODD FERNANDEZ: This is great.
It will be very key in education in particular.
Now let's turn to iOS 9 and to a feature again
with a somewhat ambiguous name, but I'll explain.
Also very simple to explain.
Automated Enrollment is a way to enroll your devices
in MDM using the Device Enrollment Program
without anyone tapping on the device.
How does it work?
Well, the first step is you configure your DEP settings
like you would today,
but instead of having a user get the device and walk
through the Setup Assistant, you will connect the device
to Apple Configurator, which will tell the device
"configure yourself using your DEP settings."
The device obtains those settings
and fully configures itself all the way to the Home screen.
It's ready for the user to use
without anyone touching the device.
This is a great feature for shared deployments
in particular, enabling you to configure a cart of iPads
without touching them beyond connecting the USB cable.
This is not a new feature per se,
but we've expanded the number of Setup Assistant panes
that you can choose to skip as part
of your Device Enrollment Program settings.
Over the past year, we rolled out these three panes,
but in iOS 9 you can also remove the new Move From Android option
on the setup pane if your enterprise wants
to make sure there's no corporate data leaking
from their Android devices while they're transitioning
to an iOS device.
TODD FERNANDEZ: Finally I would
like to highlight something I mentioned last year, that,
analogous to what the MDM server can obtain
from the iTunes Store, to get the Store Bag,
which tells you all the APIs and URLs you can use
to control the VPP program and other tasks,
MDM servers can implement what we call MDMServiceConfig,
which will tell other device management tools, for example,
Configurator, what kinds of services it provides,
the most important being the DEP enrollment URL.
Why is that important?
In fact, the Profile Manager version
that we seeded this week supports this,
and Apple Configurator we seeded this week supports it.
And enables Configurator user, instead of having to type
in the entire URL, can just type in the host name
of the MDM server and obtain the URL for the user.
So that brings us to the end of the enrollment section.
We now have our devices enrolled, they're ready
for remote management.
The next thing we want to do is deploy the great apps
from the App Store and other sources.
Of course, there are, what did we say yesterday?
A million and a half apps in the App Store.
There are also a large number of B2B apps in the App Store.
There are in-house enterprise apps
that your organizations may be creating,
and developers may be using ad hoc apps to distribute,
for beta testing or other purposes,
using provisioning profiles.
I will talk primarily today about the first three,
but there is something towards the end
of the presentation also potentially relevant
for that fourth type.
There are many different ways to distribute apps to users,
but today I'm going to primarily focus on Apple's tools
as well as MDM in general.
Finally, there are three different ways to purchase apps.
Your users, of course, can just go
to the App Store and buy them.
We have VPP redemption codes,
which transfer ownership to the user.
Finally two years ago,
we introduced VPP managed distribution
to give organizations greater control and preserve ownership
of the apps they buy under the Volume Purchase Program.
That's what I want to spend our time right now on.
There are three big new changes that I want to highlight today,
each one larger than the last.
The first is similar to the Device Enrollment Program.
Over the past year we expanded from 10 countries
to the same 26 countries
where the Device Enrollment Program is available.
But the second item I want
to mention is bigger and builds on this.
We now have multinational app assignment as part
of VPP managed distribution.
What does that mean [applause]?
TODD FERNANDEZ: Maybe you know already!
We can go right through this slide quickly.
What that means is you can purchase your VPP apps in any
of those 26 countries, but distribute them to any country
where that app is in the App Store.
So to make it concrete,
if you are a multinational company headquartered in France,
you can buy all your apps in France but distribute them
to your users in the U.S., Canada, or even Kenya,
as long as that app is in the App Store in Kenya.
We think this is going to be huge.
Believe it or not, the next one is even bigger than this.
You can now assign your VPP mass distribution apps to devices.
TODD FERNANDEZ: Thank you.
We appreciate that.
So previously you could assign them to users,
and iTunes Store Apple ID.
What is different about device assignments?
Now there is no invitation process if you want
to use device assignments
because there's no Apple ID required on the device in order
to distribute the apps, install them, and run.
Even if there is an iTunes Apple ID configured on the device,
these apps will not appear in the user's purchase history
because they are not assigned to that user.
That further means there is no way for the user to manage
that app, or install it, or update it in the device UI.
It's completely at the discretion of the administrator
and the MDM server to control that timing.
A final difference I want to highlight is that,
in contrast to user assignments, where that app can be installed
on any device where that iTunes Store Apple ID is configured,
if you are using device assignments you need
to purchase a copy for each device, and you app developers
out there should be happy about that.
But I also want to repeat, there is no Apple ID required
on the device in order to install apps.
[ Cheers & Applause ]
TODD FERNANDEZ: Another big step forward
to make shared device deployments much easier.
So what has remained the same?
The purchasing experience is exactly the same.
You purchase VPP managed distribution licenses
on the VPP store, and they can be freely reassigned to a user
or a device and later revoked and assigned
to a different user or device.
We've also worked very hard
to make sure there's a smooth transition for all of the apps
that have already been installed based on user assignments.
If you wish, you can transfer and transition that assignment
to a device assignment without having to reinstall the app
or risk losing user data.
The app stays in place, as does the user data.
TODD FERNANDEZ: So what does this mean for app developers?
It is actually pretty simple.
First of all, early next month, iTunes Connect will allow you
to opt in to allow your app to be distributed
as a device assignment.
This is probably a good idea.
Remember that piece I mentioned, you might sell more copies?
Also, if your app is checking the receipt to ensure
that it is running on a device where a user is configured
that is the same user the app is assigned to,
you'll want to update that checking to do
that to make sure it's running on the device
that it's been assigned to.
Secondly, I want to make a pitch
that device assignments are a great feature
for shared device deployments, but another one
for you app developers is to move, if you haven't already,
to store your app's data and settings in the cloud,
whether it's Apple's cloud with iCloud Drive
if you're document-based, or CloudKit,
or your own cloud-based storage.
This will help your app fit in better in shared deployments.
There are a number of sessions this week that will show you how
to do that with our own solutions.
I encourage you to check those out.
I also want to highlight a change
to the caching server feature of OS X server,
which already caches OS updates and apps.
It now caches also iCloud data, including Drive documents,
CloudKit data, and iCloud photo library photos.
And those of you who have now heard about App Thinning
and on-demand resources, it will also cache those as well.
It just preheats the cache of cloud data on your network
to give you better performance and reduce your bandwidth,
and of course all of the data
in the cache is encrypted using keys only present
on the client device.
So turning to what this means for MDM developers,
if you are supporting VPP managed distribution already,
there are a few changes to the iTunes Store APIs,
which I'll cover in a moment.
You will use the same Install Application command
to the device to tell it to install this app.
You obviously should now support assigning apps
to devices and device groups.
We've built all of this to make it easier
to centralize the app's management workflows.
It will be much more reliable with device assignments
to be able if you wish to unify the assignment in the Store
with the installation command to the device.
So what are the changes for the Install Application command?
Well, if the app is not installed, it will install it.
If it already has been installed by the MDM server
and is managed, it will update it.
If the user already installed the app so it's
in an unmanaged state, the installation will fail,
so your server will need to handle that case
and respond appropriately.
For those of you who are already supporting this for OS X,
hopefully all of you, for device assignments you want
to use the same purchase method you have been using on OS X,
purchase method one for iOS device assignments.
That's the command to the device.
Now let's turn to the command for the iTunes Store
to update its records on which app is assigned to which device.
There are two new APIs that should make implementing support
for VPP managed distribution much easier.
The first supersedes the separate commands to associate
and disassociate licenses with users.
And it allows you to, with one call for a single app,
to associate with any number of users or devices
and disassociate any number of users or devices.
This will make it very easy to implement
that smooth migration I mentioned earlier.
The second API gives you an easy way to get the list
of apps the organization has purchased, including the number
of licenses of each app that they have purchased
without having to fetch the entire list
of every single license they purchased.
This will make it much easier to build a responsive app library
in your admin console.
Moving on to an existing API
that has gotten several new fields.
There are max limits for the number of licenses
that manage VPP licenses, API just mentioned.
You want to respect these values when you're calling that API
to not call with more than that number
of licenses in a single call.
We also have added a new Retry After header because,
how can I say this delicately?
I'll be blunt.
Some of you, and we know who you are, have some MDM solutions
that let's just say they send a few too many requests
to the iTunes store.
We need you to fix that but also respect this header
because if your solution continues to do that,
we will send this header and we may, if you ignore it,
create longer delays in rejecting your commands
and potentially even suspend the account of your customer.
So please, adopt this.
So moving away from strictly VPP managed distribution
to some more general app distribution topics.
There are a few things that are new.
Really, they are just more convenient.
The first is reiterating the point I made earlier
that we've made a very smooth migration from user
to device assignments to leave the app and data in place.
Secondly, if the app has already been installed unmanaged
by the user, it is now possible to convert that app
to managed state without having to reinstall
or lose user data [applause].
TODD FERNANDEZ: I'll give you the details in a moment,
but the third change is that you can now install apps via MDM
or Configurator even if you disabled the App Store.
Great improvement for education in particular.
How does this work?
Changing an app from unmanaged state to managed state is
as simple as sending a new Install Application command,
with this new field, Change Management State equals Managed.
And this will happen silently on a supervised device.
If it's an unsupervised device, you can use this,
but the user will be prompted to accept the change.
Once that change has happened, managed open in will consider
that app to be managed and all of that data will be
within the managed sphere, just as if it had always been.
If the app is not installed at all,
and you're passing this call,
it will still install the app as a managed app.
This works for App Store apps, all the different types of apps.
Let's talk about changes for enterprise apps.
We've created in iOS 9 a new UI flow to make it easier
for the user to understand
when they are installing an enterprise app
from a new developer.
I'll show you what that looks like.
We also made it easier for you to avoid your users
from ever having to see that great new user experience
because you can prevent them from trusting new apps
from other developers so that they can only use your in-house
And if they have enrolled with your MDM server,
they have implicitly given their trust to you as a developer,
and so any apps that you install the MDM
that are your enterprise in-house apps will be
TODD FERNANDEZ: So if it is an enterprise app
from a developer that they haven't trusted yet,
what does that look like?
Well, it looks like this.
After they installed the app and launch it, they can dismiss
that alert and then switch over to Settings and the profiles
and remote management area of Settings,
which was changed quite a bit and improved in iOS 8,
they can trust the app.
And that's it.
And then any further apps
from that developer will be automatically trusted,
but they can also always come back here and remove that trust.
It's just that easy.
Let's now turn to B2B apps.
Those of you who have worked on MDM console
or have used one know that it's really great.
You can have an app library that has the nice app metadata
with the icon, the app name, and any other details about it.
But if it's a B2B app, it looks something more like this.
Wa Wa. Well, I really have good news for you.
Later this summer you will be able
to get the same app metadata for B2B apps that you can
for App Store apps today.
So you can make a nice experience for your users.
What's more, that will also allow you to get the metadata
for any apps that have been removed from the App Store.
I thought you would be more enthusiastic about it.
Where are all the MDM developers [applause]?
TODD FERNANDEZ: All right.
At this point, we reached the end of our distribution section.
I would like to ask Shruti Gupta to come up here and demo a bunch
of these features on Macs running OS X El Capitan.
Take it away.
SHRUTI GUPTA: Good morning, everyone.
I am excited to show you some of the cool features
that Todd talked about.
The first thing I will demo are the new enhancements
that we have made in account creation and password policy.
So here is my profile manager in OS X server.
I am using this profile manager server as my MDM solution
where I have a couple of Macs that are registered
in Device Enrollment Program.
If you look at the settings,
you can see that I've already created DEP profile
for the device group.
I have skipped all the Setup Assistant panes except
for the local account setup.
This is a new feature that would force the user
to create a standard user account.
Since OS X requires an administrator account,
I provided administrator credentials here.
You have the ability to show
or hide this administrator account from the user.
For today's demonstration purpose I will hide the
I have also configured a passcode profile for these Macs
that would require the user
to use a complex password during this setup time.
What does this look like on the client?
Let's take a look.
So here is my Mac that is registered in DEP
and has been booted for the first time OS X El Capitan,
mimicking out-of-box user experience.
Let's go through the setup.
I select the United States for my country, U.S. keyboard.
Here we are at the configuration pane, which you will see only
if the systems are configured in DEP. So we come to them.
Now, the MDM server is prompting me to authenticate
with my directory server credentials.
I will enter my user name, Shruti,
and my password, hello kitty.
So what it is doing right now,
it is enrolling this Mac in the MDM.
It is going to fetch all the configuration profiles ever
configured for this Mac from my MDM server.
We are at the user account pane.
You will see we've populated some of the information
from the previous login.
I'm going to go ahead and enter my full name here, and let's see
if it likes my hello kitty password.
Oh, looks like I need to use a more secure password based
on the passcode policy that we set earlier.
I will enter a new password here.
What is cool about this is, it gives you immediate feedback
as I'm entering the password.
I'm going to complete the Password Verification field
So it is creating the user account as well
as the hidden administrator account in the background.
I'm going to select the time zone now, and you'll notice
that I didn't have to go through any
of the location services pane or the iCloud sign in pane
because we configured it to skip all those Setup Assistant panes.
Here, our account is all set up.
Let's see what kind of account really got created.
I will launch System Preferences,
go to Users and Groups.
You can see it is a standard user account.
The administrator account is not visible.
Just to prove that administrator account really got created,
I'm going to unlock the pane
with my administrator credentials
that I provided on the MDM server.
Ta-da! You can see that it's unlocked successfully.
The next thing I'm going to demo is one of the coolest features,
and I'm sure many of you have been waiting for,
being able to assign VPP app to the devices
without requiring the user to log in with their Apple ID.
So I'm going to push a VPP app to this Mac, which is going
to be Apple Configurator app.
So while it pushes the app, let's see,
check in the App Store that I'm not signed in.
So we look at the Store menu.
You can see that I'm not signed in here.
If you notice, the app has already started
to install in the LaunchPad.
There is our Apple Configurator app.
Thank you, back to Todd.
TODD FERNANDEZ: All right.
Thank you very much, Shruti.
So what did we just see?
Shruti installed a passcode policy before the user account
was created, and it was respected while
that user account was created.
It was a standard user account
that was created instead of an admin account.
She also created an admin account that she could use
if she needed to log in directly on the Mac or remotely later.
She also showed you assigning a VPP app to a device.
So let's move on to the third section of today's session
and talk about ongoing management of devices.
First, I would like to highlight the fact
that iOS 9 supports Exchange ActiveSync 16,
specifically a number of improvements
to calendar support, including improved reliability
for a number of common tasks and support for attachments
in physical locations.
Now let's turn to our own MDM protocol and profiles.
There are a number of new commands and queries,
and the ones I want to highlight at the top, there's a new query
that tells you what software updates are available
for that device and a command that will tell the iOS device
to update to the latest iOS for any devices in DEP.
TODD FERNANDEZ: Including being able to tell the devices
to download and stage the update so you can then command them all
to update at the same time.
I've already talked about the remaining commands and queries
in the enrollment section and the distribution section.
So I won't spend any more time on those.
Now let's turn to what's new with configuration profiles.
There are two new payloads, network usage rules,
which allows an organization
to control how their managed apps use the network,
whether they're allowed to use cell data or roam.
The OS X server account payload configures whether apps
that support the document provider API can access
documents on their OS X server account.
There are a number of other settings added
to existing payloads, including a lot of changes
in the IKEv2 VPN connection type, more about that later,
and a large number of new restrictions.
So let's look at those.
There are a handful that are applicable
on unsupervised devices, including the ability
to prevent users from trusting additional enterprise app
authors that I mentioned earlier.
We also now allow you to tell AirDrop to be treated
as an unmanaged destination [applause].
TODD FERNANDEZ: All right!
But the final thing I want
to highlight here are the three restrictions,
third from the bottom, modify device name,
passcode, and wallpaper.
These are particularly useful in shared device deployments.
If you have, say, some might say creative,
others might say malicious, students who like to mess
with their devices, you can now prevent them
from changing the device name, setting a passcode,
or changing the wallpaper.
TODD FERNANDEZ: One final note
about configuration profile restrictions in iOS 9.
There are a number of restrictions,
these nine in fact, created before supervision existed.
And in fact, they really should only be applicable
on supervised devices.
So this is your early warning that they are still applicable
or they still are honored on unsupervised devices in iOS 9,
but in an iOS version
to be named later they will be only honored
on supervised devices.
Now let's turn to OS X.
Just like in iOS 9, OS X El Capitan gives you a new query
that tells you what software updates are available
for that Mac, and you can tell it to install one or more
of those updates if the Mac is
in DEP. The device information query achieves parity with iOS
and you can now obtain, if you are using user assignments
for VPP managed distribution, you can now see
which account is configured on that device.
We already talked about setup configuration
and device-configured commands in the enrollment section.
There's also an active managed users query,
which will tell the server which users are logged in
and actively using the Mac so you can clean
up obsolete unused sessions.
There are also some changes to configuration profiles.
There's a new payload to configure an Ethernet proxy
and a number of settings for other payloads,
including a handful of restrictions
that were previously available on iOS
and now also are available on OS X.
As I alluded to earlier, there are a lot of changes in VPN
and enterprise network connectivity.
I encourage you to come
and check out their session Friday morning
and learn all about that.
I will not steal their thunder here.
That brings us to the end of the management section.
I would like to ask Shruti to show you some
of these features on iOS.
SHRUTI GUPTA: Thank you, Todd.
So I'm going to demo some of the new features on iOS now.
So here is my device that is running iOS 9.
It is already enrolled in DEP. If you look at the settings,
you can see that I can currently set a passcode on this device.
I can change the wallpaper.
And if I go to General, About, Name,
you can see that I can edit the device name too.
Let's go to restrict these settings using our MDM server.
So the server is now sending the push notification to the device.
Keep your eyes on the screen as the settings get updated.
There you go, you can see
that I can no longer set a passcode on this device.
I cannot change the wallpaper.
If I try to tap on the Name field,
I cannot change the device name either.
Earlier we saw VPP app assignment on Mac.
Now we are going to see VPP app assignment on the iOS device.
I am going to push a VPP app to this device,
which is going to be WWDC app.
Let's confirm I'm not signed
into the App Store here while it's pushing the app
from the server.
I go to App Store Settings,
you can see that I'm not signed in with my Apple ID.
If you go to the Home screen, you'll notice
that App Store does not exist there.
That is because I restricted the App Store
from installing apps on this device.
SHRUTI GUPTA: I guess I'll give it back to Todd.
TODD FERNANDEZ: Thank you, Shruti.
You trust us, right?
It works great.
So what did Shruti just show you?
Again taking advantage of the three new restrictions
to prevent students and others from changing things
on the device that you don't want them to change,
and being able to assign apps to devices and install apps
on devices even when the App Store is disabled.
So let's turn to our fourth section
and talk a few minutes about tools.
The first tools that I want to highlight,
I hope that you MDM developers are aware of.
If not, this is your moment.
We created over the past year simulators
for both the Device Enrollment Program
and the Volume Purchase Program.
It allows you to simulate large numbers
of devices hitting your server as well
as all the service errors that may be difficult to simulate
in any other way and test your handling
to make sure it's robust.
Both simulators are available for download
on the Developer portal,
and we've released new versions this week
that support all the new features
that we talked about today.
Please, download and use them to make sure
that your implementations are as robust as they can be.
We use them to test our own device management tools.
For example, Profile Manager, which, of course,
has been updated to support all these new features.
Shruti showed you its support for several of them today.
Apple Configurator plays a role
in automated enrollment using the Device Enrollment Program.
I want to talk about Configurator.
Here is Configurator.
Has the three workflows.
Prepare, you can configure how the devices are prepared
and supervised, and assign them.
It was initially the only way to supervise devices.
You can install VPP apps using redemption codes.
You can install profiles.
It maintains and builds up a database
as you supervise devices, and import apps
from iTunes, and create profiles.
We received feedback over the last three years
and learned a lot about managing iOS devices
over the last seven years.
I am thrilled to tell you we have completely reinvented Apple
Configurator and created Apple Configurator 2.
TODD FERNANDEZ: So what were our goals
in creating Apple Configurator 2?
We wanted to invert the user experience
and put your devices front and center.
That's what you are looking at in your cart or on your desk,
and show you the state your devices are in,
which makes it easier for you to understand what you can do
with them and what is going to happen.
We've broken apart the workflows and given you discrete tasks
so you can perform exactly what you need to do
on a specific group of devices right now.
While at the same time making it very easy
to combine those discrete tasks into custom workflows
to prepare your devices
and manage them just the way you want [applause].
TODD FERNANDEZ: We also heard that many
of you are using multiple Configurator stations,
some even hundreds in a large school district.
You want to better be able to share data between the stations
and freely move devices between them.
We also of course want Apple Configurator to be a great tool
for managing a small number of devices
in a classroom, or a cart, or a lab.
But we also want it to be a great companion
to the Device Enrollment Program and an MDM server,
which is doing the bulk of the remote management.
But you might want to use Apple Configurator
for a few tasks here and there.
Instead of me talking about it anymore,
I would like to invite Enrique Osuna
to show you Apple Configurator 2.
ENRIQUE OSUNA: Thanks, Todd.
I'm excited to be here to talk to you
about Apple Configurator 2.
Why don't we go ahead and get started.
The first thing you'll see
when you launch Apple Configurator is the
This Devices window has all of your connected devices.
Each of the connected devices are represented by this icon.
These particular icons have an image
of the device's Home screen.
This is Configurator's way
to tell you these devices have been prepared.
Everywhere in Configurator where you see a collection of icons,
you can also view the same data as a list.
You can get there by clicking on the View button
in the toolbar and clicking on List.
Here, you see the same connected devices
with additional information.
To go back to the collection of icons, click on the View button,
and back to Collection.
One of the key features that Todd mentioned was the ability
to perform discrete tasks on connected devices.
These tasks are found in the Actions menu.
In the Actions menu you can do things like add, remove,
modify existing content as well as back up and prepare devices.
We will talk more about prepare in a second.
In the Devices window you see a big toolbar at the top.
The toolbar has all of the common actions of Configurator,
such as the Update button here.
In the upper right-hand corner
of these connected devices you see this big red badge.
What this red badge indicates is
that these devices require an update.
I'll go ahead and see what updates are available.
Let me select all my devices.
Click on the Update button in the toolbar.
Now what Configurator is doing is contacting the iTunes Store,
figuring out if there's any iOS or app updates.
Now, you can see that Configurator has identified
that the WWDC app on my devices needs an update.
So I can update that app by clicking the Update button.
Configurator is contacting the Store, downloading the apps,
and actually installing them onto the devices.
For those who didn't notice, I didn't have to launch iTunes
in this entire transaction.
[ Cheers & Applause ]
ENRIQUE OSUNA: Configurator no longer has a database of apps
that you have to manage or maintain.
Now, as Configurator is finishing up the app install,
you'll notice the big red badge that was
in the upper right-hand corner should start disappearing.
This is an indicator that these devices no longer require
Now, right before this presentation,
I was actually having some problems on one of my pads.
It was probably that one, trying to get on to the WiFi network.
Let's look at what might be going on.
If I double-click on one of these devices,
Configurator launches you into this new UI that allows you
to see some information about your device.
You can find things like the device's name, serial number,
as well as organization information.
In the left sidebar, you can find apps.
These are the apps actually installed
on my device, as well as profiles.
These are the profiles that are installed on my device.
Unfortunately, this device is missing my WiFi profile.
I'm sure I have other devices in my cart
that are missing a profile as well.
Let's go ahead and see if we can't figure it out.
I can go back to all my devices by clicking
on the Back button in the toolbar.
Here are my connected devices.
If I go to the Search field in the upper right-hand corner
and start typing WiFi,
Configurator offers me this fancy suggestion
of all the devices that have the WiFi profile installed.
The problem that I have is not
which devices have the profile already installed.
It's the devices that don't have the profile installed.
If I click on the token in the Search field
and it says profile is not installed,
Configurator will show me the two pads missing the profile.
Let me fix the problem.
I'll select both devices, click on the Add button
in the toolbar, and click on Profiles.
Configurator 2 no longer has a database of profiles.
These profiles can be found anywhere on your disk.
Let's navigate to the desktop.
Here I have my WiFi profile.
What is neat, you can have these profiles on mounted volumes
and even in your iCloud drive.
Now that Configurator is done, I can clear the Search field
and I can see my connected devices again.
Another cool feature
of Configurator 2 is the ability to tag a device.
Tagging a device allows you to create device groups, but again,
without a database of devices.
I can show you that right now.
If I select a couple of these devices, go to the toolbar,
and click on the Tag button and select a few of these tags.
Press the Return key.
What Configurator is doing is writing
that tag to these devices.
What is neat about the tags,
it is actually written to the device.
When you transport this device to another Configurator station,
those same tags appear there as well.
If I go back to the same Search field
in the upper right-hand corner and start looking for my tag,
I start getting a suggestion, fourth grade,
I'm going to go ahead and click on that.
Now Configurator is showing me just the pads
that are tagged with fourth grade.
Right under the Search field --
ENRIQUE OSUNA: Under the Search field,
there's a Save button.
Configurator allows me to save this search for later use.
Let me click on the Save button.
You'll notice a new entry in the favorites bar right here.
Now, whenever I add another device
that has the fourth grade tag attached to it, it will appear
in this particular view.
So one last thing that I want to do is rename my devices.
Let's go back to all devices right here in the favorites bar.
And let me select all of my devices.
Go to the Actions menu.
Modify. Device name.
Like Configurator 1,
Configurator 2 can rename your devices.
We offer you an opportunity to provide static text.
Let me go ahead and give it some static text.
And in Configurator 1, we introduced a feature
that allowed you to append an autoincrementing number
to the field.
In Configurator 2, we kind of let you do that too,
but we do that through what we like to call a token.
These tokens can be put anywhere in the name.
Here you see the autoincrementing number.
You see other information about the device,
like the device's serial number, type, and capacity.
For this demonstration, I like to use type
and the autoincrementing number.
Now I click on Rename.
Configurator is now going through all these devices,
grabbing those bits of information off the device,
and creating a name and putting it back on to the device.
As you can see, my devices are named Townships Schools iPad 1
All these devices are configured.
I have a brand-new cart of devices I would like to add.
These are pads that are right out of the box and almost ready
to go as soon as Configurator is done with them.
The first thing that you'll notice is this big white Device
icon, what that represents is
that these devices are ready to be prepared.
I would like to show you that prepare right now.
Let me click on one of these devices.
Click on the Prepare button in the toolbar.
In Configurator 2, there's two prepare workflows.
One is manual, and the other is the automated enrollment
that Todd talked about earlier in the presentation.
For this demonstration,
I'm going to do these iPads using manual.
I'll click on Next.
Here is my opportunity
to manually enroll the devices into MDM.
I don't have an MDM server with me today,
so I will go ahead and click on Next.
Here, Configurator is asking me if I want
to supervise my devices to my organization,
and I absolutely do to take advantage
of the new iOS 9 supervise only features.
Click on Next.
This is the organization that is associated with the supervision.
This looks good.
Next. And this final pane is my opportunity
of skipping iOS Setup Assistant panes
on the device once I hand my device back to my users.
For this demonstration, I want to not show any of the panes.
I'll go ahead and click on Prepare.
Configurator is now preparing and supervising these devices.
I still have to tag, add some profiles, and add some apps
to this device, which actually is a lengthy process.
So, what we did in Configurator 2 is automated this process
with what we call blueprints.
I'll show you what a blueprint is right now.
If I click on the Apply button in the toolbar,
and click on Edit Blueprints, Configurator takes you
into this special mode where you can create a new blueprint,
and I'm going to do that.
Click New Blueprint.
Let me give it a name I can remember.
And press Return.
Now, what's really cool about these blueprints is
that they act just like a device.
Anything that I can do on a connected device,
I can actually do on a blueprint.
What the blueprint does, it records those actions,
and then later on I can replay those actions.
Let me do the first thing, which is prepare.
If I click on the blueprint,
I press on the Prepare button in the toolbar.
Configurator offers me the same view we had earlier
when we clicked Prepare.
Configurator remembered my last options.
And these options are fine.
I'll breeze through these setup panes.
Click on Next.
Until we get to prepare.
Now that the blueprint is prepared,
I want to add some tags.
Click on the Tag button in the toolbar.
Select a couple of tags.
You will immediately notice the Blueprints label is updated
with my new tags.
I want to add an app.
Click the add button in the toolbar.
Apps. Now what you see here is all the VPP apps associated
with my VPP account.
I want to go ahead and push the WWDC app
to a part of this blueprint.
I click on WWDC, Add Apps, and then finally I want
to add my WiFi profile.
The same Add button, Profiles,
Configurator remembered the last spot I was at for profile.
I'll click on my WiFi profile.
Now, like inspecting the device,
you can also inspect a blueprint.
If I double-click on this blueprint, I'm presented
with this blueprint inspector.
Here you can see additional information about the blueprint
such as its name, its storage requirements,
here with the storage bar at the top of this inspector,
as well as the prepare options I highlighted earlier
and the tags that I've set.
Like a device inspector, you can also inspect the apps associated
with this blueprint and the profiles associated
with this blueprint.
Now I'm almost done.
I just need to rename the devices associated
with this blueprint.
So I go back to Info.
Click on Actions.
Modify. Device Name.
Configurator remembered my last rename options.
Those worked fine, so I'll click on Rename.
You notice here in the blueprint the device name options show
Great, this blueprint is done.
In the lower right-hand corner, I can click on the Done button.
Now I want to apply that blueprint to these devices
that are ready to be prepared.
Let me select those devices.
Go back to that same Apply button that we went to earlier.
Now you see an entry for my blueprint.
If I tap on that entry, Configurator is now going
through the actions I saved in that blueprint
and replaying them on to the devices.
This is Apple Configurator 2.
Thank you very much.
Back to Todd.
TODD FERNANDEZ: Thank you very much, Enrique.
So Enrique has shown you how
to configure devices using Apple Configurator 2,
including installing VPP apps.
I'll talk more about that in a moment.
You can create device tags that travel with the devices
between multiple Configurator stations using tags.
He showed you how to build and use a blueprint
to create a custom workflow and replay the set of actions
that you want on any number of further devices.
However, there's even more automation options
that we didn't show you here.
In addition to blueprints in the UI,
there's also a command-line tool.
There's a scripting library and suite of automation actions
for you to easily integrate Configurator's functionality
into your workflows.
TODD FERNANDEZ: You're in for a treat
because Sal Soghoian is going to talk about that
on Thursday afternoon, how to use Automator
and Configurator together
to automate your device management workflows.
Enrique showed you a lot of what Apple Configurator 2 can do
but there's more.
I mentioned multiple station support, all of those profiles
that you can find anywhere on your Mac can be saved in iCloud
in addition to other Configurator settings.
I mentioned the automation tools.
While Enrique showed you the cool additions to renaming
that Apple Configurator 2 has,
there are also some great enhancements to being able
to set wallpaper, which is no longer a preference,
but can be done as a command on any number of devices.
There are cool tricks if you look
at the options in there as well.
Definitely check it out.
We released the beta yesterday, and it's available for you
to download from the Developer portal
and we will also have it in the Lab.
That brings us to the end of our fourth section.
And I just want to sum up quickly for you administrators
that if you are using wireless remote management,
use the Device Enrollment Program
or Configurator using automated enrollment
to get your devices enrolled in MDM or use Configurator
to manage your devices if you are not going to use MDM.
You can use VPP managed distribution now not only
to distribute apps to users but also to devices.
As I mentioned the Configurator 2 beta is available now.
Turning to developers, again, you app developers,
please early next month in iTunes Connect you will be able
to opt in to device assignments for your apps.
MDM developers, please support VPP managed distribution device
assignments, your customers will appreciate that.
The documentation is available now,
and the new iTunes Store APIs that I mentioned and talked
to you about are already
in production, ready for you to use.
Support all the other new features in iOS 9
and OS X El Capitan, and use the DEP and VPP simulators
to test your implementation.
There are related sessions this week about CloudKit,
there's an enterprise get-together later tonight.
The VPN session on Friday and Sal's session on Thursday.
Check them out.
There's a great website with lots of resources for how
to integrate Apple devices into your enterprise.
Lots of documentation for MDM developers,
from the MDM protocol to the configuration profile reference,
and a forum where you can ask and answer questions.
Administrators, there's lots of reference guides
for deploying iOS and OS X in your organizations as well
as help for our tools and forums to ask and answer questions
about how to bring Apple devices into your organizations.
Thank you for your attention and wish you have a great show.
Thank you very much.