Transcript
X-TIMESTAMP-MAP=MPEGTS:181083,LOCAL:00:00:00.000
[ Music ]
>> Good morning.
[ Applause ]
>> Welcome to Session 303.
I'm Todd Fernandez.
And I'm very pleased to be
here with you this morning
to give you an update on what's
new in managing Apple devices.
Now, before we begin,
I do have to warn you
that I am still a
little bit tired
after attending my college
reunion last weekend.
And I'm not going to
tell you which one,
but if it had been
an anniversary,
I would have received
some silver.
Now, despite being a little
tired, I'm very grateful
to see you all here in the hall,
but I also want to give a shout
out to all of you watching the
live stream around the world,
as well as you future viewers
watching this recording
at some indefinite period
like some three-eyed raven.
Hello, future viewers.
But speaking of the
passage of time --
no, not that kind of time,
although I do love
my Apple Watch --
I want to talk about
the calendar.
Now, to many of you here in the
hall today the spring may seem
like a quiet time for
device management.
As we toil behind the scenes
on all the new capabilities
that we're going to
announce and preview at WWDC
and then ship in
our fall releases.
But it turns out
surprisingly enough
that schools actually want
to use those features
before we typically ship our
fall releases.
They want to configure
devices taking advantage
of all those new
features over the summer
for use during the
next school year.
But in order to do that,
they need to have already
purchased their hardware
and software even earlier.
And in order to do that, they
need to have evaluated all
of the new hardware, software,
and tools options even earlier.
Which brings us to iOS 9.3.
It's really strange how
that release date just kind
of jumped right out at us.
But the schedule isn't
the interesting part;
what about the features?
There are a ton of new
features that we released
in our spring software
and service releases.
But the true stars of the
show are clearly Apple School
Manager, Shared iPad,
and Classroom.
Let's first talk a little bit
about Apple School Manager,
which provides a
streamlined enrollment process
to access Apple's device
management services.
Those services include
creating accounts for students
and teachers, as well as
the class relationships
between them, configuring how
their devices will be enrolled
for remote management, and
purchasing the apps and books
and creating the curriculum
that will help students learn.
And fortunately, one of the
technology directors at one
of the school districts
which piloted these features
earlier this year agrees
that Apple School Manager will
save their tech staff lots
of time, allowing them to
manage devices, content,
and our student accounts
all from one place,
exactly what we intended.
Now let's turn to Shared iPad.
Shared iPad allows the majority
of schools in the United States
and around the world
which share devices
to provide their students
with a personalized experience
and enable them to use the
complete Apple ecosystem.
Shared iPad can be configured so
that younger students can sign
in by simply tapping
on their photo
and entering a four-digit
pass code.
Student data is stored in
the Cloud and downloaded
to a specific iPad when
they sign in as needed.
Again, it's great to see that
the folks who are responsible
for getting these Shared iPads
into the students' hands agree
that Shared iPad will allow our
district to transform a cart
of shared devices
into a personalized learning
experience for each student.
Again, nailed it.
All right.
Finally, Classroom.
Classroom empowers
teachers to keep themselves
and their students
focused on learning,
rather than managing technology
by placing a small set
of key capabilities at
their fingertips right
in the classroom.
Teachers can easily open an app
or a chapter in an iBook on all
or a selected group of student
devices, project student work
to the Classroom Apple TV, or
monitor and redirect a student
who may be off task even
while they're working
with a different group of
students across the classroom.
And I was very fortunate
to visit Mr. Garcia's
classroom a few months ago,
and it was truly inspiring
to see the projects
that his students were
working on their Shared iPads
with his support
using Classroom.
And after his experience
he reports
that Classroom has been an
extremely useful tool throughout
the school day to enhance the
project-based learning that's
going on in his classroom.
Classroom helps him to keep
all of his students accountable
for their work while also
keeping them extremely engaged
in their assignments.
Now while it's extremely
gratifying to get this kind
of response to the features we
released, it's also been great
to hear some great feedback
about their quality,
including from some very
difficult to impress customers
who have raved about the blazing
performance and reliability
of Classroom's features.
Now, these spring 2016 changes
with an extremely
well-received feature set
and high quality
delivered on a schedule
which schools need
underline Apple's commitment
to deliver not only
the best devices
and most advanced
operating systems
but also the best device
management experience.
We've demonstrated this
commitment by investing heavily
in providing a great experience
to schools bringing Apple
devices into their classrooms.
But we need all of our
partners, from MDM vendors
to tool providers, to all of you
app developers who would love
to see your app used by
thousands of students
around the world to
join with us to ensure
that that great experience
reaches all
of our joint customers
all over the world.
But I do want to
encourage you to keep
up because although we don't
talk about future products,
we are definitely not done yet.
So today I'm going to cover
all of the new developments
across the entire device
management life cycle.
So let's go ahead
and get started.
I'll cover a few changes to
some existing features and go
into some detail
about the new things
like Apple School Manager,
Managed Apple IDs, and,
of course, Shared iPad.
So first I want to cover a few
things that haven't changed.
For Enterprise customers we
still have the Apple deployment
programs, the Device
Enrollment Program
for configuring how your devices
enroll for remote management,
as well as the volume purchase
program for purchasing your apps
and books and distributing them
to your devices and your users.
However, we've also
added a number
of new device management
commands and settings
in the spring and
that I'm going to talk
about later in this session.
And we'll try to highlight those
that are of specific interest
to Enterprise customers, though
many of the things we've done
for education also are
useful in Enterprise.
Turning to education,
now let's talk
about Apple School
Manager in more detail.
As I mentioned, it allows the
school to manage the people,
the devices, and the content the
school is managing to deliver
that improved performance
in the classroom.
With respect to getting
those accounts created,
there are two options: You can
connect Apple School Manager
to your student information
system to pull
out all the student,
teacher, and staff,
and relationship information;
alternatively, you can upload
that information
using a CSV template.
Once Apple School Manager
has that information,
it creates managed Apple IDs
for each student and teacher,
as well as creating classes
that have those relationships
between which teachers have
which students in their classes.
What are those managed
Apple IDs?
Well, they're used both
by the school staff
as administrator accounts
and accommodate tiered
administration
so that different administrators
can have different privileges
for managing your school's
people, content, and devices.
The student accounts have a
few special characteristics.
They're required to
sign into a Shared iPad,
but they can be used for
one-to-one deployments as well.
And in Apple School Manager
you can configure the pass code
options for Managed Apple ID
from the full-strength iCloud
password to a simpler four
or six-digit pass code.
Managed Apple IDs are
special in another way
in that some services are
disabled, such as commerce,
so that students using a Managed
Apple ID cannot purchase things
from our stores.
There are also services such
as FaceTime and iMessage
which can be enabled
if the school decides they
would like to use them.
All right.
For you MDM vendors
out there, of course,
just as with the Device
Enrollment Program
and the volume purchase
program, there's an API
to access this roster
information
from Apple School Manager and
give your MDM solution access
to all the student and
teacher Managed Apple IDs,
as well as the classes.
In terms of the transition
from schools moving
from the Apple deployment
programs
to Apple School Manager,
the good news for them is
that they do not need
to download new tokens.
It will continue to work.
But your MDM solution needs to
be ready for this transition
and be checking to see if their
token is now an Apple School
Manager type and
supports the new v3 API,
which will actually be
what gives you access
to the roster service
information.
On a parallel track,
when you're interacting
with the Device Enrollment
Program service, you can tell it
that you now support
API v3 by including
that information in the header.
And you'll receive the
additional information that's
now available via that API.
I also wanted to pass
along a few best practices
that my team has learned
in adopting this API
in Profile Manager.
The first is really a
strong recommendation
that we think your customers
will really appreciate.
If they have been using
your product for a while,
they've undoubtedly connected it
to their directory to get user
and group information so
that your solution also has a
representation for each user.
Once you connect up to
the roster service API
in Apple School Manager,
you're going
to be getting a second
representation of each user
in the form of the
Managed Apple ID.
And we recommend that you
allow the administrator
to provide some matching
criteria
so that you can automatically
merge those accounts
into one representation of
each student and teacher.
And because that matching won't
catch every single record,
we think you also should allow
manual merging of records
to be able to tell you this
directory user is the same user
as this Managed Apple ID.
One special note about
records that have been created
by CSV uploads is that the
person number that's uploaded
in the CSV template becomes
the source system identifier
in the API results
that you will receive.
That source system identifier
corresponds to something more
like a student ID; it's not
a GUID or a primary key.
So that field can
actually be mutable
and is not guaranteed
to be unique.
And you need to be
prepared for that case.
The final practice I wanted
to pass along was to point
out that there is no delta
API so that you'll need
to do a full enumeration to get
all of the records from the API.
Since the student information
system syncing is only performed
once per day between it
and Apple School Manager,
there's no need to automatically
perform a full sync more
than that frequency.
And in fact, if you give
your users an opportunity
to request a sync, you're going
to need to throttle that so
that they're not overwhelming
your product and our system.
Turning from people to devices,
Apple School Manager allows you
to configure the Device
Enrollment Program settings
for your school's devices,
including finding
your purchases,
configuring the details
of your MDM servers,
and then assigning devices
to those MDM servers so that
when they're enrolled they'll
be managed by those servers.
And finally content.
Apple School Manager
allows you to jump
to the Volume Purchase
Program store to buy your apps
and books, and it
also offers access
to iTunes U Course Manager.
And I also wanted to mention
that we recently
released iTunes U 3.3
which now supports integration
with Apple School Manager
to pull managed course
information into iTunes U.
Now let's talk about some of
the other details of enrollment
to getting your devices
ready for remote management.
Last year I talked
about a new feature
in iOS 9 called enrollment
optimization.
And just to recap, this allows
the MDM server to include a bit
in the Device Enrollment
Program settings for a device
that I want you to wait
until I'm done configuring
before allowing the user
to use the device.
That setting comes down to
the Mac or the iOS device
in their DEP settings.
It then sends a token
update with device ID back
to the MDM server,
letting it know
that I'm ready to be configured.
The MDM server can then
send as many commands,
install as many configuration
profiles as needed to bring
that device up to
spec. When it's done,
it then sends a device
configured command
to the device, which then
exits the Setup Assistant
and allows the student or the
employee to use the device.
This enables the
organization to ensure
that that device is not used
prior to being fully configured.
Now that we have Shared iPad,
there's a new wrinkle here
in that there's a new
action in users signing in.
At that point the Shared iPad
will send a token update back
to the MDM server.
But in contrast to
the one I just talked
about that's device-specific,
this token update reports
the Managed Apple ID
for the user who signed in.
That enables the MDM server to
send, again, as many commands
as it needs to configure
that device
with any per-user
settings, which I will go
into a bit more later.
One crucial difference between
this Shared iPad feature
and the device-specific
enrollment optimization is
that unlike the prior one
which waits in Setup Assistant
until the MDM server is
done, the user is not blocked
from completing sign in
until the MDM server is done.
A few security best practices.
Those of you who have
been keeping up will know
that we removed support for MD5
in iOS 9.3 for SCEP servers.
We've also deprecated DES,
but we also added AES support.
So the message here is that your
SCEP servers should support 3DES
or AES as soon as
possible because we want
to be using the most
secure cryptography possible
and it's time to move
on to the modern ones.
Next, a few details about
configuring the Setup Assistant,
one of the other features of
the Device Enrollment Program.
In iOS 9.3.2 we now allow you
to skip the new True Tone
display Setup Assistant pane
on hardware which
has that display.
And new in macOS Sierra, we
have some great new features,
but in fact you might
not want your users
to configure them during setup.
So you can skip the Siri or
the iCloud desktop setup pane.
Now, this is another
advertisement.
I think I've done this now,
this is the third year running
for you MDM vendors to
support MDMServiceConfig,
which allows tools
like Configurator
to obtain information
about your MDM server,
such as the DEP enrollment
URL or where
to fetch the anchor certs.
Profile Manager has supported
this for some time now
and Apple Configurator 2 takes
advantage of it, enabling users
to simply enter the host
name of your MDM server
and Configurator does the rest.
Now let's talk about
Shared iPad.
Of course, this brings
support for multiple users
to iPad in the classroom.
A few details about
installing apps on them.
And then I want to talk a
little bit about the details
of how it preserves user data.
As I mentioned earlier,
Shared iPad requires a
Managed Apple ID to sign into.
Once a student signs in
with her Managed Apple ID,
she is also signed into her
iCloud account for data storage,
as well as her iTunes
account for assigning books,
which I'll talk about
in a minute.
It's also used for
supporting iTunes U.
Now, since there isn't
always an Apple ID signed
into a Shared iPad,
you'll want to deploy apps
and install them using device
assignments, which we added
to VPP managed distribution
last fall in iOS 9.
MDM vendors hopefully have all
added support for this already,
but you'll need to use
the newer PurchaseMethod 1
to support device assignments.
All app types are
supported from VPP apps
to [inaudible] apps
to Enterprise apps.
Although in order to distribute
VPP apps via device assignments,
the developer of that app must
have accepted the latest T's
and C's in iTunes Connect
to allow device assignment.
Now let's talk a little bit
about the underlying
architecture.
As I mentioned, the student
data is kept in the Cloud --
that's where the truth is.
But once they've signed into
a particular Shared iPad,
their data is downloaded
and cached there.
However, that cache
may be purged
if additional students need
to be accommodated
on that Shared iPad.
Each student can only
see his or her own data.
But if they generate a lot
of data during a session
and they sign out before all
of that data has successfully
uploaded to the Cloud,
Shared iPad will continue to
upload that data at the log
in screen or even if
other students sign in.
The key to all this
working is that all
of your apps are
education ready.
That primarily means that you're
storing all of your app's data
and settings in the Cloud.
We've got a whole session right
after lunch about how best
to make your app education
ready right here in this room,
and I encourage you
come back for that one.
Now, just kind of animation
to explain this a bit better.
Student enters her pass code.
Shared iPad gets her
to the log in screen --
to the Home screen, excuse me.
Downloads her data.
See, she's working on her
project, but now it's time
to sign out, to go
to the next class,
or to go home for the day.
Even back at the login screen
her data continues uploading.
Maybe she was working
on a movie project.
But even if another
student then signs in
and begins downloading his data,
the previous student's
data continues uploading
until it's all safely
stored in the Cloud.
But the next student can
begin using the Shared iPad
right away.
So what do you MDM vendors need
to do to support Shared iPad?
Again, hopefully all of
you have done this already.
But for those of you who
may be a little bit behind,
there's a new setting in the
DEP settings very similar
to supervision that tells
the device enter Shared iPad.
You also will want to use
Enrollment Optimization
that I talked about earlier
to set some key options
before student use.
And I'm going to go
into a bit more detail
about both user quota and
lock screen grace period.
So what is the user quota?
Well, it's the maximum
number of the users
which will be cached
locally at any one time.
Let's say six.
iOS will then automatically
calculate how much storage
should be allocated
each of those six users,
taking into account
space reserved for iOS,
as well as books and apps
that you're going to install.
As users log in, their
data is downloaded
and cached on the Shared iPad.
But in this case with a quota of
six, if a seventh user signs in,
one of the user data
caches will be purged.
And we will purge the
least recently used user
who doesn't have any
data still remaining
to upload to the Cloud.
Some guidelines on how to choose
this value, you really want
to try to get it close to
what the number of students
who will actually use the
Shared iPad during the day,
which will typically
be the number
of class periods
you have in a day.
Because if you have too few,
students will have their
data purged more often
than necessary.
And if you choose a number
too large, you're going
to allocate space that's not
actually going to be used.
Lock screen grace period.
So let's imagine we
set this to one minute.
And this option gives
the schools
to choose the right
balance between ease of use
for their students and data
security for their students.
And I think it's easier to
illustrate with an animation
than for me to talk about it.
Again, let's imagine we
set it to one minute.
The teacher asks the students
to put their Shared iPads down.
So the screen locks.
Let's imagine she
doesn't have much to say
and after 30 seconds Mia
swipes to unlock her device
and she gets right back
to work without having
to enter her pass code.
Now let's imagine the
teacher has rather more to say
and Mia swipes after
five minutes.
She will be prompted to
enter her pass code again.
So, again, this offers an
opportunity for schools
to choose that right balance.
Another detail for
you MDM vendors,
iOS as part of Shared iPad now
has a user channel in addition
to the device channel
that can be used
to send MDM commands
and install profiles.
macOS has had a user
channel all along, of course.
And this is very similar
but with some differences
I'll cover in a moment.
In fact, if your MDM solution
is already sending commands
over the user channel to Macs,
if they were sending them
to iOS devices previously,
they would have been ignored.
But with iOS devices 9.3
and later they will now
pay attention to them.
There's a subset of
configuration profile payloads
which are able to be
used on the user channel
which I'll cover in a moment.
One important difference
between the user channel in iOS
and macOS is that no user
authentication is performed
before delivering those per-user
commands to a Shared iPad.
So you should never send
sensitive information
over user channel, and
in fact, we will enforce
that no credentials are
delivered over the user channel.
That includes the new
Google OAuth account payload
that we introduced in iOS 9.3.
As I mentioned, all
the accounts payloads,
including that new Google OAuth
account payload, are supported
on the user channel, as
are the new notifications,
Home screen layout and Safari
auto-fill domains enhancement
to the domains payload that
we introduced in iOS 9.3.
The existing restrictions
payload can also be used
on the user channel, including
the new show/hide apps features
that was added in iOS 9.3.
One important detail about
restrictions payloads that may
at first seem confusing
but in fact is not a change
from how they have
always worked,
if a restrictions payload is
delivered on a device channel
and the user channel, they
will be combined by iOS
to compute an effective
restriction
with the most restrictive
setting winning.
This prevents a student
from installing another
configuration profile
without that setting and
freeing him or herself
from that restriction.
The reason this isn't really any
different is this is exactly how
multiple profiles have
always worked even
if delivered all
over device channel.
And with that, I'd like to
ask David Steinberg to come up
and give you a demo of
Shared iPad and some
of the other education features
we released this spring.
David, take it away.
[ Applause ]
>> Thanks, Todd.
It's great to be here demoing
Shared iPad to all of you.
Let's take a look at
what using Shared iPad
between a couple classes
in a school is like.
To start we'll look
at the log in screen.
Now, you can see the
school's name's at the top.
We have some recent
users of the iPad below,
and then a class list that
the students can choose
from to log in.
When I want to log into this
device I can choose my class
from the list, which is
the class' name and a list
of students to choose from.
If this isn't my class, I can
go back to the class list,
select a separate class, again,
we see the class name and a list
of students we can choose from.
Now, if I'm not in any class
on this device, I can still log
in using any Managed
Apple ID that belongs
to the same organization
as this iPad.
But to demonstrate Shared
iPad today let's go back
to our recent users.
Here we have Ava, a
second-grader, and Liam,
a third-grader, who
both used this iPad
in their classes yesterday.
The second grade class
is about to start.
So let's log in as Ava.
Now, when we log in and log
out our video sync
will cut for a second.
So I'll show you here.
After she enters
her credentials,
they'll authenticate against
the Cloud, authenticate locally
on the device, the iPad will
get ready and then will land
on her personalized Home screen
that the school has
selected for her.
Now, while the video catches up,
let's talk about how this
device has been configured.
The school configured
this device specifically
for second and third-graders.
They chose the apps
that each student
in those grades would use and
then created Home screen layouts
for each of the students
that they would see every
time they land on any iPad
within that organization.
So for Ava, as a second-grader,
they've chosen these
apps and this layout.
You can see iBooks
and Notes in the dock
because those are the most-used
applications by second-graders.
In fact, Ava's been
taking multiple notes
across a variety
of iPads in school.
And you can see that all
of her notes have synced
to this iPad from iCloud.
Now, we can create more notes on
this iPad and they'll also sync
and be available on other iPads.
Today her class was
learning about WWDC.
Of course, it's a great topic.
So let's help her
out by taking note
to commemorate this session.
In fact, let's take
a little video.
All right, everybody,
say, "WWDC."
>> WWDC.
>> Woo-hoo.
Perfect. Now she'll
remember this forever.
Unfortunately, it's time for her
to end the class and log out.
Now, when Ava logs out
the device lets her know
which applications are saving
data, and any data that needs
to be synced afterwards
at the log in screen
or when another user is
logged in is prepared then.
So when we land back at
the log in screen or log
in as another user, that
data can continue uploading
in the background.
For example, if we had been
recording this entire session
up to this point instead
of making a little video,
it would be given another
chance now to start uploading.
Now a third grade
class is starting
and Liam is back at this device.
So we'll log in as him.
Again, after we enter his
credentials they authenticate,
the iPad gets ready,
and he will land
on his personalized Home screen.
For the third-graders the
school has chosen most
of the same application
as for the second-graders.
But they've also included a
couple extra applications,
including the ones from iWork
because the third-graders
produce multiple presentations
throughout the year.
And they've also included
an app like Safari
so that the students
can do research
for those presentations.
So if you look at the dock,
you'll see that Liam also
has iBooks and Notes,
but he now has Maps and Safari
because the third-graders
are studying the geography
and history of the great
state of California.
Now, Liam needs to put together
some notes in preparation
for a presentation
he'll be giving.
And though Ava just used
this same iPad to take notes,
Liam does not see
any of her notes.
In fact, it looks like Liam has
not been taking very many notes.
So let's help him
get started here.
We'll create a new note.
And Liam's found
some images online
that he'll be able
to include here.
So let's add one of those now.
Oh, beautiful.
California state flag.
That's a great flag and a
great start to some notes.
But unfortunately, class
has come to an end,
so Liam needs to log out.
Thankfully, when he logs out,
he knows that his data is being
saved and it will be available
when he gets home and wants to
continue working on his project.
Every day throughout the entire
day different students can use
the same iPads to work on their
projects, their data's saved
and it's synced and available
across multiple devices
throughout their school.
For Ava and Liam, that means
being able to continue working
on their projects wherever
they want, wherever they go.
Thank you.
Back to you, Todd.
[ Applause ]
>> Thank you very much, David.
Just a brief recap.
So David showed how you
can preconfigure classes
on Shared iPad's log in screen,
as well as take advantage
of building up a list
of recent users who sign
in with their Managed
Apple ID and pass code.
They had actually signed
in using a [inaudible] user
and demonstrated that Ava
and Liam only see
their own user data
in Notes and over other app.
And in fact, the school can
choose to show a different set
of apps and Home screen layout
for different groups
of students.
Well, that concludes our
getting started section.
Let's continue with
distribution.
We got a few changes to
talk about this year.
And let's get right to it.
So there's a great new feature
tied to Managed Apple IDs
that allows MDM servers
to programmatically link Managed
Apple IDs from an organization
to their Volume Purchase
Program account
so that no invitation process
is necessary because we know
that this account is coming
from that same organization
that wants to distribute
apps and books.
This, of course, does
require that the school's DEP
or Apple School Manager
token and VPP token come
from the same organization.
But as I mentioned earlier,
since the customer doesn't need
to download any new
tokens after the transition
to Apple School Manager,
this should be simpler.
For you MDM vendors,
it is possible
that the school has different
tokens for DEP and VPP
that appear to be from
different organizations.
There is a dedicated error
code for this failure mode.
So you can try to
perform this association
and just catch the failure and
be able to notify them that,
"Hey, your tokens don't
match, and you'll need to fix
that before we can
give you this feature."
Of course, to give this
feature to customers,
you'll have to adopt
the API for it,
which is already
available in production.
And this is going
to be very important
for distributing iBooks
Store books to Shared iPad,
which we'll talk about next.
So how can you get iBooks Store
VPP books to a Shared iPad?
VPP books can only
be assigned to users
and cannot be distributed
to devices.
So the way it will work is
that once you've
assigned the VPP books
to your Managed Apple IDs,
each student when signing
into Shared iPad will
then see them appear
in their iBook Bookshelf,
and they can simply
tap the download button
to get those bits.
The good news is that the second
and on to nth student who wants
to use that book on
that iPad will appear
to immediately download because
the bits are already there
on the device and are only
stored once to save storage
and bandwidth of
downloading them repeatedly.
In contrast, non-iBook
Store books like PDFs
or iBooks Author documents or
EPUBs can be device assigned
and managed just like
assigning apps to Shared iPad.
Finally, a few important
points and some changes we made
to how Enterprise apps
with universal provisioning
profiles worked
that were introduced
in iOS 9 but proved
to be somewhat confusing.
These universal provisioning
profiles allow a non-App Store
app to run even if that
specific device is not defined
on the provisioning profile
accompanying the app.
For this to work, it requires
both initial trust by the user
of that app signer, as well
as ongoing periodic validation
by Apple that that specific
universal provisioning profile
remains valid.
So, again, when installing one
of these apps by any way other
than MDM, the user must
explicitly trust the app signer.
However, if the device
is enrolled in MDM,
those apps are implicitly
trusted based on the fact
that they trusted
this organization
when enrolling in MDM.
However, the second piece
that Apple must consider
this UPP valid for the app
to continue to run requires
that the device be able
to be online occasionally to
see the validation server.
Even MDM installed apps
also still require this
periodic validation.
But an MDM server can
trigger the device to say,
"Go validate all of
these apps right now."
This is a really key
feature for deployments
such as an electronic flight
bag for an airline pilot
that will be offline
for some period of time
on a regular schedule.
The MDM server can tell the
device before it's going
to be offline, "Go ahead and
validate all your apps to ensure
that they continue to run."
And in fact, for
you MDM vendors,
and this is what we've done in
Profile Manager, we recommend
that you just go ahead
and automatically validate
any applications that you see
when fetching the
application list at a sync
that are not validated, and that
will keep them all running all
the time.
That concludes our
section on distribution.
And now let's move
on to all the changes
in device management
capabilities that are used
on an ongoing basis to
manage your devices remotely.
And to take us through
this section I'd
like to invite Shubham Kedia
up here to walk you through it.
Shubham?
[ Applause ]
>> Thanks, Todd.
Good morning, everyone.
I'm thrilled to be
here to walk you all
through some great new
management features we've added
to both iOS and macOS this year.
So let's start with iOS 9.3
where we added some brand
new MDM commands and queries
to go alongside Shared iPad.
The settings command was
updated with the ability
to now specify the
maximum number of users
that can have local
accounts on an iPad.
We saw Todd talk
about this earlier.
You can now also toggle
diagnostic submission via MDM.
We added some commands that
are specific to user manager
as well, such as the user list
command, which you can use
to get the list of all users
that have accounts on an iPad
and even get information
like whether
or not they're logged
in, whether
or not they have data that's
left to be synced to the Cloud,
as well as information
about their user quota
and how much space they've used.
There are new commands
to log out users
and delete users as well.
9.3 also introduced MDM Lost
Mode and MDM Activation Lock.
Now, these aren't
specific to Shared iPad;
these work across all
supervised devices.
So you can rest assured that
if a device gets misplaced,
you can remotely enable MDM
Lost Mode with a custom message
and phone number
and even be able
to get the device's location.
For devices like Shared iPads
where you don't have an Apple
ID associated with them,
MDM Activation Lock is also a
great option to prevent theft.
Now, before I move
on I'd like to point
out these icons that
you see here.
These represent commands,
queries,
or configuration
profiles that are specific
to either Shared
iPad or supervised
that you'll see throughout
the slides.
9.3 also introduced some
great configuration profiles
that allow you to configure
your devices exactly the way
you want.
The education payload is used
to configure both the
Shared iPad log in screen
as well as Classroom app.
Notifications allows you
to configure exactly the
notifications settings you'd
like for all applications.
You can preapprove or deny
notification from apps
that aren't even installed
yet and even toggle things
like sounds and badges.
The Home screen layout
payload that we saw David use
in his demo earlier can be used
to configure exactly
the arrangement of apps
and folders you'd like
your students to use.
The lock screen message
payload allows you
to specify a custom
footnote that appears both
on the lock screen and the
log in screen of Shared iPad.
The exchange and mail payloads
saw some updates as well.
You can now choose whether
you want to allow the use
of Mail Drop when sending
emails from those accounts.
The domains payload has been
updated with the ability
to now specify exactly
the domains
for which Safari will offer to
save and auto fill passwords.
For you Enterprise
folks out there,
we've updated the
VPN payload as well
with some great new
IKEv2 settings,
and the restrictions payload
has a number of new keys.
You can now restrict
things like Apple Music,
iCloud Photo Library,
and iTunes Radio.
You can also choose whether
or not you want students
to be monitored by teachers
when using Classroom app.
You can disable modification
of notification settings,
which you may have set using
the notifications payload,
as well as -- and you also
have the ability to now show
and hide specific apps.
Again, we saw David use
this in his demo earlier.
I'd like to talk a
little bit more in depth
about the education payload.
It's extremely important
that you adopt this
because not only does it
configure which students
and classes you see in the
log in screen of Shared iPad,
but it's also how Classroom
app determines how teacher
and student devices should
connect with each other.
In this payload you'll specify
students, teachers, and classes,
and even be able
to specify photos
for these students and teachers.
You'll do so by specifying URLs.
And it's important that
these URLs are over HTTPS.
When you update these photos,
you should also update the URLs.
Only one such payload can
be installed per device,
and it's important
to note that student
and teacher devices
require different payloads.
So all these payloads that I've
talked about can, of course,
be applied at the device
level so they apply to all
of the users on a Shared iPad.
But there are five
payloads that we support
over the user channel per user.
These include all of
the accounts payloads,
including the new Google
OAuth account, notifications,
Home screen layout, the domains
payload with the new support
for Safari auto fill domains, as
well as the restrictions payload
with the ability to
show and hide apps.
Next let's talk about iOS 9.3.2.
Here we updated the settings
command to allow you to enable
or disable app analytics,
as well as set the lock
screen grace period.
Of course, we also updated
the DeviceInformation
and SecurityInfo queries
to return the correct
state from the device.
One thing to note here is
that the security info query
will actually return passcode
lock grace period and passcode
lock grace period enforced.
The enforced value might be more
restrictive than what you've set
from your MDM server since it
can't be made less restrictive
while users are logged in.
Now, one of the great uses
for iPads in a classroom is
for standardized testing.
And we've had two great
solutions for this
in past releases:
Single App mode
and Autonomous Single App mode.
These continue to work the
same as they have before
on supervised devices.
However, now with a new
entitlement that you can add
to your app, you
can use the same API
and also disable five system
features that make sense
for your assessment app.
These include things like
auto correct, Define,
keyboard shortcuts, predictive
keyboard, and spell check.
And for the first time the
entitlement also grants you the
ability to enable this mode on
unmanaged, unsupervised devices.
Of course, we do
have a safe escape
on unmanaged unsupervised
devices
where you can simply reboot
the device and exit this mode.
9.3.2 also added a
new restrictions key
to prevent users from disabling
or enabling diagnostic
submission,
which you may have set via MDM.
Now let's talk about iOS X.
In iOS X we updated the
contacts, exchange, Google,
and the LDAP payloads
to include a new key
for communication service rules.
We saw earlier this week the new
VoIP extension support in iOS X.
And what this key allows you
to do is specify a default
application to be used
when making audio calls to
contacts from these accounts.
The lock screen message
payload has been updated
with new key names as well.
Of course, it remains
completely transparent
for administrators creating
such payloads,
but we'd like MDM vendors to
adopt these new key names
as the old ones have
been deprecated.
The VPN payload now has support
for EAP-only authentication
for IKEv2, as well
as the ability
to specify a timeout for IPSec.
PPTP has also been removed
from iOS X and macOS Sierra,
and existing payloads
will not work.
The Wi-Fi payload saw
some updates as well.
You can specify if you want to
bypass captive network detection
and Cisco fast lane
quality of service marking.
And for those of you who know
what it is, it's fantastic.
Finally, the restrictions
payload now has a key
to prevent users from
toggling Bluetooth.
Now, this is extremely
important in the Classroom case
since Classroom relies
on Bluetooth
to connect its student
and teacher devices.
So here are some restrictions
that were introduced before
supervision was created.
And we talked last year about
how in a future iOS release we'd
like to deprecate these and
these would stop being enforced
on unsupervised devices.
Now, that future iOS
release is not iOS X,
but we promise we are going
to get rid of them very soon.
So please note that these
will stop being enforced
on unsupervised devices.
Next let's talk about macOS.
Earlier this year we
introduced the ability
to install software updates
from major OS releases
on Macs enrolled in the
Device Enrollment Program.
This is going to be
great come this fall
when macOS Sierra is
released where you'll be able
to install it on
all Macs enrolled
in Device Enrollment Program in
your education or Enterprise.
New in macOS Sierra we also
introduced a new configuration
profile payload to
configure the IP firewall
and added some new updates
to the restrictions payload.
We brought some keys
back to the Mac from iOS,
such as Apple Music,
iCloud Keychain
and iCloud Photo Library,
as well as added some
that are specific to the
Mac, such as Back to My Mac,
Find My Mac, and sharing to
Notes, Reminders, or LinkedIn.
It's been my pleasure
to walk you through some
of these great features
we've added this year.
And with that, I'd like
to turn it back to Todd.
Thank you.
[ Applause ]
>> Great job.
Thanks. All right.
Thank you very much, Shubham.
Let's turn to our final
section today on tools.
And of course, the most exciting
new tool this year is Classroom.
We talked a little
bit about it earlier
and it offers some amazing
new features, that small,
carefully curated
set of features
for teachers in the classroom.
But instead of hearing
me talk about them,
you can read the
list on the slide.
I'd like to ask Shruti Gupta to
come on up and give you a demo.
Shruti?
[ Applause ]
>> Thanks, Todd.
I am so excited to show you one
of our coolest apps, Classroom.
What you see here
is a teacher iPad
that is running Classroom on it.
And there are a bunch
of student iPads
that are configured
as Shared iPad.
And all my students are
sitting right here in front row.
When the class begins, the
teacher assigns students
to the iPads and then students
log in with their passcode.
For this demo the students are
already assigned and logged
in since you've already
seen the log
in process during David's demo.
Now, let's assume that I'm
the teacher of the class
and today we'll be learning
about healthy eating.
And for that I found a really
great article that I want
to share with all my students.
So I'm going to tap on
Navigate, Safari, Favorites,
and select the healthy
eating article.
And it's navigating;
it's opening the URL
on all student devices.
Okay. Looks like one
student is offline right now.
But if you look at
the Classroom app,
you can see that Classroom app
created a dynamic group called
Safari, indicating that all
students are now using Safari,
yeah?
And if you tap on the screens,
we can see that article open
up pretty much on
all student iPads.
And I guess some are already
trying to do something else.
Kids, pay attention
to the class.
[ Laughter ]
>> So for the next
activity let's say I want
to divide the students
into smaller group.
So I'm going to tap on Class
button to create a group,
add a bunch of students
by tapping on their names,
and give the group a
name, let's say Greens.
Now when I launch
this particular group
into activities specific
for them,
let's say I want Green's group
to make a list of
green vegetables.
I will open Notes app for them
so they can start
working on their activity.
Okay? And while students
are working on their task,
I want to see how they're doing.
So I'm going to go back
to all student group
and observe their screen.
And it seems that Edison is not
paying attention in the class.
Let's take a closer look.
I'm going to tap on
Edison, tap on View Screen,
and clearly she is not
working on her assignment.
So I'm going to go back.
Now I can either lock her screen
by tapping on the Lock button
to get her attention back in the
class, or I can lock her iPad
into Notes app by sliding
the Lock button and tapping
on the Notes so she
remains focused on her task.
Once the class ends, I can bring
an end to the class by logging
out all the students' iPads
by tapping on the Log Out button.
And all the students
are now logging out.
Thank you.
Back to Todd.
>> Thank you very much, Shruti.
It was great of you
to all cooperate
in this amazing stress
test of Classroom
with the most iOS devices
it's ever seen before.
Thank you very much.
So what did we see?
We saw Shruti use
Classroom to open an app
on all the student iPads,
create and edit manual groups
in addition to the
dynamic groups
that Classroom creates
automatically, lock a student
into an app to focus
their attention,
view the students' screens to
monitor what they're working on
and redirect as needed,
including locking their device
if they get off track.
So a few brief notes
about some other tools
that we make available to
MDM vendors, some simulators
for the Device Enrollment
Program
and Volume Purchase Program,
which are a great way for them
to test their implementation of
the APIs for those services,
especially handling
service errors
that may be very
difficult or impossible
to simulate any other way with
the real production service.
The simulators have been
updated to support all
of the new features
we've talked about.
And as always, they're
available for download
on the Developer portal.
And I strongly encourage you to
download and make use of them.
That brings us to the
end of our content.
Just a few summary slides
to cover the key points
for administrators.
If you're a school
administrator, sign up for
and use Apple School Manager
to manage the people, devices,
and content in your school.
Everyone can use the DEP
program for wirelessly enrolling
in their remote management
system of choice,
or you can also use
Configurator to enroll in MDM
or to combine the two using
Configurator's automated
enrollment feature that
allows you to connect devices
to Configurator and complete
the setup assistant based
on the DEP settings without
having to touch each device.
If you're a school and
doing shared deployment,
use Shared iPad with Managed
Apple ID on those devices
and everyone can use VPP managed
distribution to distribute apps
to devices or users
depending on whether you want
to allow your users to use
those apps on multiple devices.
For MDM developers, please add
support for the new features,
including the programmatic
association of Managed Apple IDs
for use with VPP, as well
as all the new features
that Shubham talked
about that are new
in iOS X and macOS Sierra.
Updated documentation
was released yesterday.
And please, again, do test with
the DEP and VPP simulators.
Last but not least,
you app developers,
we want you to get your
apps education ready
by storing your app's data
and preferences in the Cloud.
And you can simulate
testing on a Shared iPad
by testing using your app
moving between two iPads.
And the session immediately
following lunch
about best practices will
go into much more detail
about what you need to do
and how you can test it.
Speaking of which, this is the
session I was just referring to.
Again, right here
in a couple hours.
There's some great
resources we make available
on our website both for
education at Apple.com/education
and for Enterprise at
developer.Apple.com/Enterprise.
I encourage you to check it out.
And finally, there are
some additional resources,
direct links to documentations,
and other resources
at our WWDC 2016
session-specific URL
for Session 303.
And with that, I will thank
you for your attention
and hope you have a
great rest of WWDC.
Thank you very much.