Learn about the latest developments in managing Apple devices in large organizations including Classroom and Shared iPad for Education. Learn the latest techniques to wirelessly configure settings, monitor compliance with policies, install apps and bulk configure devices with ease.
[ Music ]
Welcome to Session 303.
I'm Todd Fernandez.
And I'm very pleased to be here with you this morning
to give you an update on what's new in managing Apple devices.
Now, before we begin, I do have to warn you
that I am still a little bit tired
after attending my college reunion last weekend.
And I'm not going to tell you which one,
but if it had been an anniversary,
I would have received some silver.
Now, despite being a little tired, I'm very grateful
to see you all here in the hall, but I also want to give a shout
out to all of you watching the live stream around the world,
as well as you future viewers watching this recording
at some indefinite period like some three-eyed raven.
Hello, future viewers.
But speaking of the passage of time --
no, not that kind of time,
although I do love my Apple Watch --
I want to talk about the calendar.
Now, to many of you here in the hall today the spring may seem
like a quiet time for device management.
As we toil behind the scenes on all the new capabilities
that we're going to announce and preview at WWDC
and then ship in our fall releases.
But it turns out surprisingly enough
that schools actually want
to use those features before we typically ship our
They want to configure devices taking advantage
of all those new features over the summer
for use during the next school year.
But in order to do that,
they need to have already purchased their hardware
and software even earlier.
And in order to do that, they need to have evaluated all
of the new hardware, software, and tools options even earlier.
Which brings us to iOS 9.3.
It's really strange how that release date just kind
of jumped right out at us.
But the schedule isn't the interesting part;
what about the features?
There are a ton of new features that we released
in our spring software and service releases.
But the true stars of the show are clearly Apple School
Manager, Shared iPad, and Classroom.
Let's first talk a little bit about Apple School Manager,
which provides a streamlined enrollment process
to access Apple's device management services.
Those services include creating accounts for students
and teachers, as well as the class relationships
between them, configuring how their devices will be enrolled
for remote management, and purchasing the apps and books
and creating the curriculum that will help students learn.
And fortunately, one of the technology directors at one
of the school districts
which piloted these features earlier this year agrees
that Apple School Manager will save their tech staff lots
of time, allowing them to manage devices, content,
and our student accounts all from one place,
exactly what we intended.
Now let's turn to Shared iPad.
Shared iPad allows the majority of schools in the United States
and around the world which share devices
to provide their students with a personalized experience
and enable them to use the complete Apple ecosystem.
Shared iPad can be configured so that younger students can sign
in by simply tapping on their photo
and entering a four-digit pass code.
Student data is stored in the Cloud and downloaded
to a specific iPad when they sign in as needed.
Again, it's great to see that the folks who are responsible
for getting these Shared iPads into the students' hands agree
that Shared iPad will allow our district to transform a cart
of shared devices
into a personalized learning experience for each student.
Again, nailed it.
Classroom empowers teachers to keep themselves
and their students focused on learning,
rather than managing technology by placing a small set
of key capabilities at their fingertips right
in the classroom.
Teachers can easily open an app or a chapter in an iBook on all
or a selected group of student devices, project student work
to the Classroom Apple TV, or monitor and redirect a student
who may be off task even while they're working
with a different group of students across the classroom.
And I was very fortunate
to visit Mr. Garcia's classroom a few months ago,
and it was truly inspiring to see the projects
that his students were working on their Shared iPads
with his support using Classroom.
And after his experience he reports
that Classroom has been an extremely useful tool throughout
the school day to enhance the project-based learning that's
going on in his classroom.
Classroom helps him to keep all of his students accountable
for their work while also keeping them extremely engaged
in their assignments.
Now while it's extremely gratifying to get this kind
of response to the features we released, it's also been great
to hear some great feedback about their quality,
including from some very difficult to impress customers
who have raved about the blazing performance and reliability
of Classroom's features.
Now, these spring 2016 changes
with an extremely well-received feature set
and high quality delivered on a schedule
which schools need underline Apple's commitment
to deliver not only the best devices
and most advanced operating systems
but also the best device management experience.
We've demonstrated this commitment by investing heavily
in providing a great experience
to schools bringing Apple devices into their classrooms.
But we need all of our partners, from MDM vendors
to tool providers, to all of you app developers who would love
to see your app used by thousands of students
around the world to join with us to ensure
that that great experience reaches all
of our joint customers all over the world.
But I do want to encourage you to keep
up because although we don't talk about future products,
we are definitely not done yet.
So today I'm going to cover all of the new developments
across the entire device management life cycle.
So let's go ahead and get started.
I'll cover a few changes to some existing features and go
into some detail about the new things
like Apple School Manager, Managed Apple IDs, and,
of course, Shared iPad.
So first I want to cover a few things that haven't changed.
For Enterprise customers we still have the Apple deployment
programs, the Device Enrollment Program
for configuring how your devices enroll for remote management,
as well as the volume purchase program for purchasing your apps
and books and distributing them to your devices and your users.
However, we've also added a number
of new device management commands and settings
in the spring and that I'm going to talk
about later in this session.
And we'll try to highlight those that are of specific interest
to Enterprise customers, though many of the things we've done
for education also are useful in Enterprise.
Turning to education, now let's talk
about Apple School Manager in more detail.
As I mentioned, it allows the school to manage the people,
the devices, and the content the school is managing to deliver
that improved performance in the classroom.
With respect to getting those accounts created,
there are two options: You can connect Apple School Manager
to your student information system to pull
out all the student, teacher, and staff,
and relationship information; alternatively, you can upload
that information using a CSV template.
Once Apple School Manager has that information,
it creates managed Apple IDs for each student and teacher,
as well as creating classes that have those relationships
between which teachers have which students in their classes.
What are those managed Apple IDs?
Well, they're used both by the school staff
as administrator accounts
and accommodate tiered administration
so that different administrators can have different privileges
for managing your school's people, content, and devices.
The student accounts have a few special characteristics.
They're required to sign into a Shared iPad,
but they can be used for one-to-one deployments as well.
And in Apple School Manager you can configure the pass code
options for Managed Apple ID
from the full-strength iCloud password to a simpler four
or six-digit pass code.
Managed Apple IDs are special in another way
in that some services are disabled, such as commerce,
so that students using a Managed Apple ID cannot purchase things
from our stores.
There are also services such as FaceTime and iMessage
which can be enabled
if the school decides they would like to use them.
For you MDM vendors out there, of course,
just as with the Device Enrollment Program
and the volume purchase program, there's an API
to access this roster information
from Apple School Manager and give your MDM solution access
to all the student and teacher Managed Apple IDs,
as well as the classes.
In terms of the transition from schools moving
from the Apple deployment programs
to Apple School Manager, the good news for them is
that they do not need to download new tokens.
It will continue to work.
But your MDM solution needs to be ready for this transition
and be checking to see if their token is now an Apple School
Manager type and supports the new v3 API,
which will actually be what gives you access
to the roster service information.
On a parallel track, when you're interacting
with the Device Enrollment Program service, you can tell it
that you now support API v3 by including
that information in the header.
And you'll receive the additional information that's
now available via that API.
I also wanted to pass along a few best practices
that my team has learned
in adopting this API in Profile Manager.
The first is really a strong recommendation
that we think your customers will really appreciate.
If they have been using your product for a while,
they've undoubtedly connected it to their directory to get user
and group information so that your solution also has a
representation for each user.
Once you connect up to the roster service API
in Apple School Manager, you're going
to be getting a second representation of each user
in the form of the Managed Apple ID.
And we recommend that you allow the administrator
to provide some matching criteria
so that you can automatically merge those accounts
into one representation of each student and teacher.
And because that matching won't catch every single record,
we think you also should allow manual merging of records
to be able to tell you this directory user is the same user
as this Managed Apple ID.
One special note about records that have been created
by CSV uploads is that the person number that's uploaded
in the CSV template becomes the source system identifier
in the API results that you will receive.
That source system identifier corresponds to something more
like a student ID; it's not a GUID or a primary key.
So that field can actually be mutable
and is not guaranteed to be unique.
And you need to be prepared for that case.
The final practice I wanted to pass along was to point
out that there is no delta API so that you'll need
to do a full enumeration to get all of the records from the API.
Since the student information system syncing is only performed
once per day between it and Apple School Manager,
there's no need to automatically perform a full sync more
than that frequency.
And in fact, if you give your users an opportunity
to request a sync, you're going to need to throttle that so
that they're not overwhelming your product and our system.
Turning from people to devices, Apple School Manager allows you
to configure the Device Enrollment Program settings
for your school's devices,
including finding your purchases,
configuring the details of your MDM servers,
and then assigning devices to those MDM servers so that
when they're enrolled they'll be managed by those servers.
And finally content.
Apple School Manager allows you to jump
to the Volume Purchase Program store to buy your apps
and books, and it also offers access
to iTunes U Course Manager.
And I also wanted to mention
that we recently released iTunes U 3.3
which now supports integration with Apple School Manager
to pull managed course information into iTunes U.
Now let's talk about some of the other details of enrollment
to getting your devices ready for remote management.
Last year I talked about a new feature
in iOS 9 called enrollment optimization.
And just to recap, this allows the MDM server to include a bit
in the Device Enrollment Program settings for a device
that I want you to wait
until I'm done configuring before allowing the user
to use the device.
That setting comes down to the Mac or the iOS device
in their DEP settings.
It then sends a token update with device ID back
to the MDM server, letting it know
that I'm ready to be configured.
The MDM server can then send as many commands,
install as many configuration profiles as needed to bring
that device up to spec. When it's done,
it then sends a device configured command
to the device, which then exits the Setup Assistant
and allows the student or the employee to use the device.
This enables the organization to ensure
that that device is not used prior to being fully configured.
Now that we have Shared iPad, there's a new wrinkle here
in that there's a new action in users signing in.
At that point the Shared iPad will send a token update back
to the MDM server.
But in contrast to the one I just talked
about that's device-specific,
this token update reports the Managed Apple ID
for the user who signed in.
That enables the MDM server to send, again, as many commands
as it needs to configure that device
with any per-user settings, which I will go
into a bit more later.
One crucial difference between this Shared iPad feature
and the device-specific enrollment optimization is
that unlike the prior one which waits in Setup Assistant
until the MDM server is done, the user is not blocked
from completing sign in until the MDM server is done.
A few security best practices.
Those of you who have been keeping up will know
that we removed support for MD5 in iOS 9.3 for SCEP servers.
We've also deprecated DES, but we also added AES support.
So the message here is that your SCEP servers should support 3DES
or AES as soon as possible because we want
to be using the most secure cryptography possible
and it's time to move on to the modern ones.
Next, a few details about configuring the Setup Assistant,
one of the other features of the Device Enrollment Program.
In iOS 9.3.2 we now allow you
to skip the new True Tone display Setup Assistant pane
on hardware which has that display.
And new in macOS Sierra, we have some great new features,
but in fact you might not want your users
to configure them during setup.
So you can skip the Siri or the iCloud desktop setup pane.
Now, this is another advertisement.
I think I've done this now, this is the third year running
for you MDM vendors to support MDMServiceConfig,
which allows tools like Configurator
to obtain information about your MDM server,
such as the DEP enrollment URL or where
to fetch the anchor certs.
Profile Manager has supported this for some time now
and Apple Configurator 2 takes advantage of it, enabling users
to simply enter the host name of your MDM server
and Configurator does the rest.
Now let's talk about Shared iPad.
Of course, this brings support for multiple users
to iPad in the classroom.
A few details about installing apps on them.
And then I want to talk a little bit about the details
of how it preserves user data.
As I mentioned earlier,
Shared iPad requires a Managed Apple ID to sign into.
Once a student signs in with her Managed Apple ID,
she is also signed into her iCloud account for data storage,
as well as her iTunes account for assigning books,
which I'll talk about in a minute.
It's also used for supporting iTunes U.
Now, since there isn't always an Apple ID signed
into a Shared iPad, you'll want to deploy apps
and install them using device assignments, which we added
to VPP managed distribution last fall in iOS 9.
MDM vendors hopefully have all added support for this already,
but you'll need to use the newer PurchaseMethod 1
to support device assignments.
All app types are supported from VPP apps
to [inaudible] apps to Enterprise apps.
Although in order to distribute VPP apps via device assignments,
the developer of that app must have accepted the latest T's
and C's in iTunes Connect to allow device assignment.
Now let's talk a little bit
about the underlying architecture.
As I mentioned, the student data is kept in the Cloud --
that's where the truth is.
But once they've signed into a particular Shared iPad,
their data is downloaded and cached there.
However, that cache may be purged
if additional students need
to be accommodated on that Shared iPad.
Each student can only see his or her own data.
But if they generate a lot of data during a session
and they sign out before all
of that data has successfully uploaded to the Cloud,
Shared iPad will continue to upload that data at the log
in screen or even if other students sign in.
The key to all this working is that all
of your apps are education ready.
That primarily means that you're storing all of your app's data
and settings in the Cloud.
We've got a whole session right after lunch about how best
to make your app education ready right here in this room,
and I encourage you come back for that one.
Now, just kind of animation to explain this a bit better.
Student enters her pass code.
Shared iPad gets her to the log in screen --
to the Home screen, excuse me.
Downloads her data.
See, she's working on her project, but now it's time
to sign out, to go to the next class,
or to go home for the day.
Even back at the login screen her data continues uploading.
Maybe she was working on a movie project.
But even if another student then signs in
and begins downloading his data,
the previous student's data continues uploading
until it's all safely stored in the Cloud.
But the next student can begin using the Shared iPad
So what do you MDM vendors need to do to support Shared iPad?
Again, hopefully all of you have done this already.
But for those of you who may be a little bit behind,
there's a new setting in the DEP settings very similar
to supervision that tells the device enter Shared iPad.
You also will want to use Enrollment Optimization
that I talked about earlier
to set some key options before student use.
And I'm going to go into a bit more detail
about both user quota and lock screen grace period.
So what is the user quota?
Well, it's the maximum number of the users
which will be cached locally at any one time.
Let's say six.
iOS will then automatically calculate how much storage
should be allocated each of those six users,
taking into account space reserved for iOS,
as well as books and apps that you're going to install.
As users log in, their data is downloaded
and cached on the Shared iPad.
But in this case with a quota of six, if a seventh user signs in,
one of the user data caches will be purged.
And we will purge the least recently used user
who doesn't have any data still remaining
to upload to the Cloud.
Some guidelines on how to choose this value, you really want
to try to get it close to what the number of students
who will actually use the Shared iPad during the day,
which will typically be the number
of class periods you have in a day.
Because if you have too few,
students will have their data purged more often
And if you choose a number too large, you're going
to allocate space that's not actually going to be used.
Lock screen grace period.
So let's imagine we set this to one minute.
And this option gives the schools
to choose the right balance between ease of use
for their students and data security for their students.
And I think it's easier to illustrate with an animation
than for me to talk about it.
Again, let's imagine we set it to one minute.
The teacher asks the students to put their Shared iPads down.
So the screen locks.
Let's imagine she doesn't have much to say
and after 30 seconds Mia swipes to unlock her device
and she gets right back to work without having
to enter her pass code.
Now let's imagine the teacher has rather more to say
and Mia swipes after five minutes.
She will be prompted to enter her pass code again.
So, again, this offers an opportunity for schools
to choose that right balance.
Another detail for you MDM vendors,
iOS as part of Shared iPad now has a user channel in addition
to the device channel that can be used
to send MDM commands and install profiles.
macOS has had a user channel all along, of course.
And this is very similar
but with some differences I'll cover in a moment.
In fact, if your MDM solution is already sending commands
over the user channel to Macs, if they were sending them
to iOS devices previously, they would have been ignored.
But with iOS devices 9.3
and later they will now pay attention to them.
There's a subset of configuration profile payloads
which are able to be used on the user channel
which I'll cover in a moment.
One important difference between the user channel in iOS
and macOS is that no user authentication is performed
before delivering those per-user commands to a Shared iPad.
So you should never send sensitive information
over user channel, and in fact, we will enforce
that no credentials are delivered over the user channel.
That includes the new Google OAuth account payload
that we introduced in iOS 9.3.
As I mentioned, all the accounts payloads,
including that new Google OAuth account payload, are supported
on the user channel, as are the new notifications,
Home screen layout and Safari auto-fill domains enhancement
to the domains payload that we introduced in iOS 9.3.
The existing restrictions payload can also be used
on the user channel, including the new show/hide apps features
that was added in iOS 9.3.
One important detail about restrictions payloads that may
at first seem confusing but in fact is not a change
from how they have always worked,
if a restrictions payload is delivered on a device channel
and the user channel, they will be combined by iOS
to compute an effective restriction
with the most restrictive setting winning.
This prevents a student
from installing another configuration profile
without that setting and freeing him or herself
from that restriction.
The reason this isn't really any different is this is exactly how
multiple profiles have always worked even
if delivered all over device channel.
And with that, I'd like to ask David Steinberg to come up
and give you a demo of Shared iPad and some
of the other education features we released this spring.
David, take it away.
It's great to be here demoing Shared iPad to all of you.
Let's take a look at what using Shared iPad
between a couple classes in a school is like.
To start we'll look at the log in screen.
Now, you can see the school's name's at the top.
We have some recent users of the iPad below,
and then a class list that the students can choose
from to log in.
When I want to log into this device I can choose my class
from the list, which is the class' name and a list
of students to choose from.
If this isn't my class, I can go back to the class list,
select a separate class, again, we see the class name and a list
of students we can choose from.
Now, if I'm not in any class on this device, I can still log
in using any Managed Apple ID that belongs
to the same organization as this iPad.
But to demonstrate Shared iPad today let's go back
to our recent users.
Here we have Ava, a second-grader, and Liam,
a third-grader, who both used this iPad
in their classes yesterday.
The second grade class is about to start.
So let's log in as Ava.
Now, when we log in and log
out our video sync will cut for a second.
So I'll show you here.
After she enters her credentials,
they'll authenticate against the Cloud, authenticate locally
on the device, the iPad will get ready and then will land
on her personalized Home screen
that the school has selected for her.
Now, while the video catches up,
let's talk about how this device has been configured.
The school configured this device specifically
for second and third-graders.
They chose the apps that each student
in those grades would use and then created Home screen layouts
for each of the students
that they would see every time they land on any iPad
within that organization.
So for Ava, as a second-grader,
they've chosen these apps and this layout.
You can see iBooks and Notes in the dock
because those are the most-used applications by second-graders.
In fact, Ava's been taking multiple notes
across a variety of iPads in school.
And you can see that all of her notes have synced
to this iPad from iCloud.
Now, we can create more notes on this iPad and they'll also sync
and be available on other iPads.
Today her class was learning about WWDC.
Of course, it's a great topic.
So let's help her out by taking note
to commemorate this session.
In fact, let's take a little video.
All right, everybody, say, "WWDC."
Perfect. Now she'll remember this forever.
Unfortunately, it's time for her to end the class and log out.
Now, when Ava logs out the device lets her know
which applications are saving data, and any data that needs
to be synced afterwards at the log in screen
or when another user is logged in is prepared then.
So when we land back at the log in screen or log
in as another user, that data can continue uploading
in the background.
For example, if we had been recording this entire session
up to this point instead of making a little video,
it would be given another chance now to start uploading.
Now a third grade class is starting
and Liam is back at this device.
So we'll log in as him.
Again, after we enter his credentials they authenticate,
the iPad gets ready, and he will land
on his personalized Home screen.
For the third-graders the school has chosen most
of the same application as for the second-graders.
But they've also included a couple extra applications,
including the ones from iWork
because the third-graders produce multiple presentations
throughout the year.
And they've also included an app like Safari
so that the students can do research
for those presentations.
So if you look at the dock,
you'll see that Liam also has iBooks and Notes,
but he now has Maps and Safari
because the third-graders are studying the geography
and history of the great state of California.
Now, Liam needs to put together some notes in preparation
for a presentation he'll be giving.
And though Ava just used this same iPad to take notes,
Liam does not see any of her notes.
In fact, it looks like Liam has not been taking very many notes.
So let's help him get started here.
We'll create a new note.
And Liam's found some images online
that he'll be able to include here.
So let's add one of those now.
California state flag.
That's a great flag and a great start to some notes.
But unfortunately, class has come to an end,
so Liam needs to log out.
Thankfully, when he logs out,
he knows that his data is being saved and it will be available
when he gets home and wants to continue working on his project.
Every day throughout the entire day different students can use
the same iPads to work on their projects, their data's saved
and it's synced and available
across multiple devices throughout their school.
For Ava and Liam, that means being able to continue working
on their projects wherever they want, wherever they go.
Back to you, Todd.
Thank you very much, David.
Just a brief recap.
So David showed how you can preconfigure classes
on Shared iPad's log in screen, as well as take advantage
of building up a list of recent users who sign
in with their Managed Apple ID and pass code.
They had actually signed in using a [inaudible] user
and demonstrated that Ava
and Liam only see their own user data
in Notes and over other app.
And in fact, the school can choose to show a different set
of apps and Home screen layout
for different groups of students.
Well, that concludes our getting started section.
Let's continue with distribution.
We got a few changes to talk about this year.
And let's get right to it.
So there's a great new feature tied to Managed Apple IDs
that allows MDM servers
to programmatically link Managed Apple IDs from an organization
to their Volume Purchase Program account
so that no invitation process is necessary because we know
that this account is coming from that same organization
that wants to distribute apps and books.
This, of course, does require that the school's DEP
or Apple School Manager token and VPP token come
from the same organization.
But as I mentioned earlier, since the customer doesn't need
to download any new tokens after the transition
to Apple School Manager, this should be simpler.
For you MDM vendors, it is possible
that the school has different tokens for DEP and VPP
that appear to be from different organizations.
There is a dedicated error code for this failure mode.
So you can try to perform this association
and just catch the failure and be able to notify them that,
"Hey, your tokens don't match, and you'll need to fix
that before we can give you this feature."
Of course, to give this feature to customers,
you'll have to adopt the API for it,
which is already available in production.
And this is going to be very important
for distributing iBooks Store books to Shared iPad,
which we'll talk about next.
So how can you get iBooks Store VPP books to a Shared iPad?
VPP books can only be assigned to users
and cannot be distributed to devices.
So the way it will work is
that once you've assigned the VPP books
to your Managed Apple IDs, each student when signing
into Shared iPad will then see them appear
in their iBook Bookshelf,
and they can simply tap the download button
to get those bits.
The good news is that the second and on to nth student who wants
to use that book on that iPad will appear
to immediately download because the bits are already there
on the device and are only stored once to save storage
and bandwidth of downloading them repeatedly.
In contrast, non-iBook Store books like PDFs
or iBooks Author documents or EPUBs can be device assigned
and managed just like assigning apps to Shared iPad.
Finally, a few important points in some changes we made
to how Enterprise apps
with universal provisioning profiles worked
that were introduced in iOS 9 but proved
to be somewhat confusing.
These universal provisioning profiles allow a non-App Store
app to run even if that specific device is not defined
on the provisioning profile accompanying the app.
For this to work, it requires both initial trust by the user
of that app signer, as well as ongoing periodic validation
by Apple that that specific universal provisioning profile
So, again, when installing one of these apps by any way other
than MDM, the user must explicitly trust the app signer.
However, if the device is enrolled in MDM,
those apps are implicitly trusted based on the fact
that they trusted this organization
when enrolling in MDM.
However, the second piece
that Apple must consider this UPP valid for the app
to continue to run requires that the device be able
to be online occasionally to see the validation server.
Even MDM installed apps also still require this
But an MDM server can trigger the device to say,
"Go validate all of these apps right now."
This is a really key feature for deployments
such as an electronic flight bag for an airline pilot
that will be offline for some period of time
on a regular schedule.
The MDM server can tell the device before it's going
to be offline, "Go ahead and validate all your apps to ensure
that they continue to run."
And in fact, for you MDM vendors,
and this is what we've done in Profile Manager, we recommend
that you just go ahead
and automatically validate any applications that you see
when fetching the application list at a sync
that are not validated, and that will keep them all running all
That concludes our section on distribution.
And now let's move on to all the changes
in device management capabilities that are used
on an ongoing basis to manage your devices remotely.
And to take us through this section I'd
like to invite Shubham Kedia up here to walk you through it.
Good morning, everyone.
I'm thrilled to be here to walk you all
through some great new management features we've added
to both iOS and macOS this year.
So let's start with iOS 9.3
where we added some brand new MDM commands and queries
to go alongside Shared iPad.
The settings command was updated with the ability
to now specify the maximum number of users
that can have local accounts on an iPad.
We saw Todd talk about this earlier.
You can now also toggle diagnostic submission via MDM.
We added some commands that are specific to user manager
as well, such as the user list command, which you can use
to get the list of all users that have accounts on an iPad
and even get information like whether
or not they're logged in, whether
or not they have data that's left to be synced to the Cloud,
as well as information about their user quota
and how much space they've used.
There are new commands to log out users
and delete users as well.
9.3 also introduced MDM Lost Mode and MDM Activation Lock.
Now, these aren't specific to Shared iPad;
these work across all supervised devices.
So you can rest assured that if a device gets misplaced,
you can remotely enable MDM Lost Mode with a custom message
and phone number and even be able
to get the device's location.
For devices like Shared iPads
where you don't have an Apple ID associated with them,
MDM Activation Lock is also a great option to prevent theft.
Now, before I move on I'd like to point
out these icons that you see here.
These represent commands, queries,
or configuration profiles that are specific
to either Shared iPad or supervised
that you'll see throughout the slides.
9.3 also introduced some great configuration profiles
that allow you to configure your devices exactly the way
The education payload is used
to configure both the Shared iPad log in screen
as well as Classroom app.
Notifications allows you
to configure exactly the notifications settings you'd
like for all applications.
You can preapprove or deny notifications from apps
that aren't even installed yet and even toggle things
like sounds and badges.
The Home screen layout payload that we saw David use
in his demo earlier can be used
to configure exactly the arrangement of apps
and folders you'd like your students to use.
The lock screen message payload allows you
to specify a custom footnote that appears both
on the lock screen and the log in screen of Shared iPad.
The exchange and mail payloads saw some updates as well.
You can now choose whether you want to allow the use
of Mail Drop when sending emails from those accounts.
The domains payload has been updated with the ability
to now specify exactly the domains
for which Safari will offer to save and auto fill passwords.
For you Enterprise folks out there,
we've updated the VPN payload as well
with some great new IKEv2 settings,
and the restrictions payload has a number of new keys.
You can now restrict things like Apple Music,
iCloud Photo Library, and iTunes Radio.
You can also choose whether or not you want students
to be monitored by teachers when using Classroom app.
You can disable modification of notification settings,
which you may have set using the notifications payload,
as well as -- and you also have the ability to now show
and hide specific apps.
Again, we saw David use this in his demo earlier.
I'd like to talk a little bit more in depth
about the education payload.
It's extremely important that you adopt this
because not only does it configure which students
and classes you see in the log in screen of Shared iPad,
but it's also how Classroom app determines how teacher
and student devices should connect with each other.
In this payload you'll specify students, teachers, and classes,
and even be able to specify photos
for these students and teachers.
You'll do so by specifying URLs.
And it's important that these URLs are over HTTPS.
When you update these photos, you should also update the URLs.
Only one such payload can be installed per device,
and it's important to note that student
and teacher devices require different payloads.
So all these payloads that I've talked about can, of course,
be applied at the device level so they apply to all
of the users on a Shared iPad.
But there are five payloads that we support
over the user channel per user.
These include all of the accounts payloads,
including the new Google OAuth account, notifications,
Home screen layout, the domains payload with the new support
for Safari auto fill domains, as well as the restrictions payload
with the ability to show and hide apps.
Next let's talk about iOS 9.3.2.
Here we updated the settings command to allow you to enable
or disable app analytics,
as well as set the lock screen grace period.
Of course, we also updated the DeviceInformation
and SecurityInfo queries
to return the correct state from the device.
One thing to note here is
that the security info query will actually return pass code
lock grace period and pass code lock grace period enforced.
The enforced value might be more restrictive than what you've set
from your MDM server since it can't be made less restrictive
while users are logged in.
Now, one of the great uses for iPads in a classroom is
for standardized testing.
And we've had two great solutions for this
in past releases: Single App mode
and Autonomous Single App mode.
These continue to work the same as they have before
on supervised devices.
However, now with a new entitlement that you can add
to your app, you can use the same API
and also disable five system features that make sense
for your assessment app.
These include things like auto correct, Define,
keyboard shortcuts, predictive keyboard, and spell check.
And for the first time the entitlement also grants you the
ability to enable this mode on unmanaged, unsupervised devices.
Of course, we do have a safe escape
on unmanaged unsupervised devices
where you can simply reboot the device and exit this mode.
9.3.2 also added a new restrictions key
to prevent users from disabling
or enabling diagnostic submission,
which you may have set via MDM.
Now let's talk about iOS 10.
In iOS 10 we updated the contacts, exchange, Google,
and the LDAP payloads to include a new key
for communication service rules.
We saw earlier this week the new VoIP extension support
in iOS 10.
And what this key allows you
to do is specify a default application to be used
when making audio calls to contacts from these accounts.
The lock screen message payload has been updated
with new key names as well.
Of course, it remains completely transparent
for administrators creating such payloads,
but we'd like MDM vendors to adopt these new key names
as the old ones have been deprecated.
The VPN payload now has support for EAP-only authentication
for IKEv2, as well as the ability
to specify a timeout for IPSec.
PPTP has also been removed from iOS 10 and macOS Sierra,
and existing payloads will not work.
The Wi-Fi payload saw some updates as well.
You can specify if you want to bypass captive network detection
and Cisco fast lane quality of service marking.
And for those of you who know what it is, it's fantastic.
Finally, the restrictions payload now has a key
to prevent users from toggling Bluetooth.
Now, this is extremely important in the Classroom case
since Classroom relies on Bluetooth
to connect its student and teacher devices.
So here are some restrictions
that were introduced before supervision was created.
And we talked last year about how in a future iOS release we'd
like to deprecate these and these would stop being enforced
on unsupervised devices.
Now, that future iOS release is not iOS 10,
but we promise we are going to get rid of them very soon.
So please note that these will stop being enforced
on unsupervised devices.
Next let's talk about macOS.
Earlier this year we introduced the ability
to install software updates from major OS releases
on Macs enrolled in the Device Enrollment Program.
This is going to be great come this fall
when macOS Sierra is released where you'll be able
to install it on all Macs enrolled
in Device Enrollment Program in your education or Enterprise.
New in macOS Sierra we also introduced a new configuration
profile payload to configure the IP firewall
and added some new updates to the restrictions payload.
We brought some keys back to the Mac from iOS,
such as Apple Music, iCloud Keychain
and iCloud Photo Library, as well as added some
that are specific to the Mac, such as Back to My Mac,
Find My Mac, and sharing to Notes, Reminders, or LinkedIn.
It's been my pleasure to walk you through some
of these great features we've added this year.
And with that, I'd like to turn it back to Todd.
Thanks. All right.
Thank you very much, Shubham.
Let's turn to our final section today on tools.
And of course, the most exciting new tool this year is Classroom.
We talked a little bit about it earlier
and it offers some amazing new features, that small,
carefully curated set of features
for teachers in the classroom.
But instead of hearing me talk about them,
you can read the list on the slide.
I'd like to ask Shruti Gupta to come on up and give you a demo.
I am so excited to show you one of our coolest apps, Classroom.
What you see here is a teacher iPad
that is running Classroom on it.
And there are a bunch of student iPads
that are configured as Shared iPad.
And all my students are sitting right here in front row.
When the class begins, the teacher assigns students
to the iPads and then students log in with their pass code.
For this demo the students are already assigned and logged
in since you've already seen the log
in process during David's demo.
Now, let's assume that I'm the teacher of the class
and today we'll be learning about healthy eating.
And for that I found a really great article that I want
to share with all my students.
So I'm going to tap on Navigate, Safari, Favorites,
and select the healthy eating article.
And it's navigating; it's opening the URL
on all student devices.
Okay. Looks like one student is offline right now.
But if you look at the Classroom app,
you can see that Classroom app created a dynamic group called
Safari, indicating that all students are now using Safari,
And if you tap on the screens, we can see that article open
up pretty much on all student iPads.
And I guess some are already trying to do something else.
Kids, pay attention to the class.
So for the next activity let's say I want
to divide the students into smaller groups.
So I'm going to tap on Class button to create a group,
add a bunch of students by tapping on their names,
and give the group a name, let's say Greens.
Now when I launch this particular group
into activities specific for them,
let's say I want Greens group
to make a list of green vegetables.
I will open Notes app for them
so they can start working on their activity.
Okay? And while students are working on their task,
I want to see how they're doing.
So I'm going to go back to all student group
and observe their screen.
And it seems that Edison is not paying attention in the class.
Let's take a closer look.
I'm going to tap on Edison, tap on View Screen,
and clearly she is not working on her assignment.
So I'm going to go back.
Now I can either lock her screen by tapping on the Lock button
to get her attention back in the class, or I can lock her iPad
into Notes app by sliding the Lock button and tapping
on the Notes so she remains focused on her task.
Once the class ends, I can bring an end to the class by logging
out all the students' iPads by tapping on the Log Out button.
And all the students are now logging out.
Back to Todd.
Thank you very much, Shruti.
It was great of you to all cooperate
in this amazing stress test of Classroom
with the most iOS devices it's ever seen before.
Thank you very much.
So what did we see?
We saw Shruti use Classroom to open an app
on all the student iPads, create and edit manual groups
in addition to the dynamic groups
that Classroom creates automatically, lock a student
into an app to focus their attention,
view the students' screens to monitor what they're working on
and redirect as needed, including locking their device
if they get off track.
So a few brief notes about some other tools
that we make available to MDM vendors, some simulators
for the Device Enrollment Program
and Volume Purchase Program, which are a great way for them
to test their implementation of the APIs for those services,
especially handling service errors
that may be very difficult or impossible
to simulate any other way with the real production service.
The simulators have been updated to support all
of the new features we've talked about.
And as always, they're available for download
on the Developer portal.
And I strongly encourage you to download and make use of them.
That brings us to the end of our content.
Just a few summary slides
to cover the key points for administrators.
If you're a school administrator, sign up for
and use Apple School Manager to manage the people, devices,
and content in your school.
Everyone can use the DEP program for wirelessly enrolling
in their remote management system of choice,
or you can also use Configurator to enroll in MDM
or to combine the two using Configurator's automated
enrollment feature that allows you to connect devices
to Configurator and complete the setup assistant based
on the DEP settings without having to touch each device.
If you're a school and doing shared deployment,
use Shared iPad with Managed Apple ID on those devices
and everyone can use VPP managed distribution to distribute apps
to devices or users depending on whether you want
to allow your users to use those apps on multiple devices.
For MDM developers, please add support for the new features,
including the programmatic association of Managed Apple IDs
for use with VPP, as well as all the new features
that Shubham talked about that are new
in iOS 10 and macOS Sierra.
Updated documentation was released yesterday.
And please, again, do test with the DEP and VPP simulators.
Last but not least, you app developers,
we want you to get your apps education ready
by storing your app's data and preferences in the Cloud.
And you can simulate testing on a Shared iPad
by testing using your app moving between two iPads.
And the session immediately following lunch
about best practices will go into much more detail
about what you need to do and how you can test it.
Speaking of which, this is the session I was just referring to.
Again, right here in a couple hours.
There's some great resources we make available
on our website both for education at Apple.com/education
and for Enterprise at developer.Apple.com/Enterprise.
I encourage you to check it out.
And finally, there are some additional resources,
direct links to documentation, and other resources
at our WWDC 2016 session-specific URL
for Session 303.
And with that, I will thank you for your attention
and hope you have a great rest of WWDC.
Thank you very much.