Hello and welcome to Jamf School!
In this document we will give recommendations and guide you in setting up the Jamf School Management System for managing your devices. In this document you will perform the following tasks:
- Open firewall ports and whitelist IP addresses needed for communication
- Creating and uploading a Apple Push Certificate
- Adding users
- Enrolling devices
- Creating device-groups
- Adding apps, documents and profiles
- Synchronising the system
- Show you some best practices, tips and recommendations
After this assistant is done you will have created a basic setup of Jamf School. Afterwards you can continue using Jamf School using the menu on your left.
We advise you to use this document to guide you through, since it makes the basic setup easier and you will get hints for a better understanding of Jamf School.
To ensure Jamf School can communicate properly with the devices you’re going to manage, make sure to follow the steps provided on the following article.
Step 1 - Initial Setup: Create an Apple Push Certificate
For Jamf School to work, we need to establish trust between your Jamf School account and your Apple account. You will exchange a file with Apple that works like a password. Your Jamf School account cannot manage your devices without completing this process. We recommend you to create a new Apple ID for this certificate.
There are multiple ways to get your users into Jamf School. Before you're adding your users toJamf School, you should first come up with a plan on how you would like to manage your iPads. First we will describe the option to import/create your users, next we will walk through the different plans. Please mind that you could also combine those plans.
- Apple School Manager: Here you can import your users, classes and locations from your Apple School Manager account.
- CSV Import: Here you select "Import users from CSV" and upload your file. When you go back to the overview, you can see the running import jobs and the status of each.
- Microsoft Azure: Here you can choose to import the users after they are signed in to the iPad with their Microsoft Azure account.
- LDAP synchronisation: Here are 2 synchronization options available:
- SOMToday (a school information system in the Netherlands)
- Manual: Manual editing of users can always be done under Users & Groups.
Tip: It is advised when creating groups to always create two user-groups; one for Students and one for Teachers
Shared iPads with sign-in required
In case you're going to use your iPads as a Shared iPad where you want your users to sign in to your device, you will need to have your users inside Apple School Manager. If you are going to set up your iPads like this, you will need your users to have a Managed Apple ID from Apple School Manager. For this reason it is very important to set up the synchronisation and make sure your users have their Managed Apple ID assigned to theirJamf School user account.
If your users aren’t imported into your ASM (Apple School Manager) account yet, you will have to add your users to ASM in order to synchronise those Managed Apple ID’s with Jamf School. You can import your users by connecting your Apple School Manager account to your Student Information System, Use SFTP to upload student, staff, and class data to Apple School Manager or follow How to connect Apple School Manager with Jamf School to use Jamf School to perform the SFTP upload to upload student, staff and class data to Apple School Manager. After you've added this information to Apple School Manager and you have set up the Managed Apple ID's, you can continue to this article to set up the synchronisation from Apple School Manager towards Jamf School.
If the users are already inside Apple School Manager, you can simply follow this article to set this synchronisation up.
After you've configured the synchronisation, you will have to synchronise your Jamf School account with Apple School Manager manually by going to your Dashboard inside the Jamf School Management System, and hit the Synchronize Now button.
Note: You will need to use Apple's Device Enrollment Program in order to enroll your devices as Shared iPads.
Note: Shared iPads must be running iOS 9.3 or higher, 32GB hard disk or higher, iPad Pro, iPad Air 2, iPad mini 4 or higher. If your device does not meet those requirements you could still use your iPad as a Shared iPad. Please follow the Generic Shared iPad without signing in plan as described below.
Tip: Please keep in mind that teachers should always have their own 1 to 1 iPad in case they are going to use Apple Classroom to manage the students devices within their classroom.
When you've got your users set up in your Jamf School account we can automatically set up a configuration for your 1 to 1 teacher devices so they can manage the students iPads within their classroom. In order to get this configuration, all you have to do is set up the users and classes, and distribute the Jamf School or Classroom app to your teacher devices.
You will have multiple ways to assign the 1 to 1 iPads to your imported users. This can either be done upon the enrollment of your devices, after enrolling them or even before enrolling them. Those methods will be described in Placeholders and Enrollment Authentication.
Generic Shared-iPads without sign-in
When your iPads do not meet the requirements to be configured as a Shared iPad, then it is still possible to have the iPad shared amongst your users.
For this plan it is not required to have all your users added to your Jamf School account. However, it will be useful to create generic user accounts to be able to differentiate the iPads you're managing.
Generic user accounts should be imported via a CSV file, which can look like this (please click on the image to download this template CSV file):
Step 3 - Initial Setup: Assigning your devices
You have multiple options to assign your devices to your users. In case you're going with the shared iPads in combination with signing in with Managed Apple ID's, you will not have to assign your devices to your users, as your users will not own any device.
In case you're using any other plan, it would be good to assign your devices to your users. This can be done either by creating placeholders, by using the Microsoft Azure Implementation or by enabling enrollment authentication.
A placeholder is a device that is not yet enrolled in the Jamf School MDM. As soon as the device is enrolled, the device will be automatically assigned to a group and get a device owner.
If you have many placeholders to create, then you can also use the bulk import tool (Organisation > Important / Synchronise). Just upload a .csv file with the usernames and Serial Numbers.
Microsoft Azure Implementation
Jamf School lets you enroll users from Microsoft Azure into Jamf School via an automated process by presenting a web clip onto the users device. This web clip enables authentication through Microsoft Azure, importing the user into Jamf School and linking the Azure account with the used iPad.
For more information on how to do this please take a look at our dedicated knowledge-base article: Microsoft Azure Implementation
It is possible to require an authenticated user to become the device owner using this feature, to enable this, check the option 'Make authenticated user the device owner' within a DEP profile, or by enabling the on-device/Apple Configuration enrollment authentication via Organisation > Settings > Enrollment.
Step 4 - Enrollment: Enrolling your devices
After you've figured out with which plan you wish to go with, it is time to plan your device enrollment. We would always recommend to enroll your devices using Apple School Manager / Device Enrollment Program, since you can prevent your users from removing the MDM Profile from the devices when enrolled using the Device Enrollment Program.
In case your devices are not in Apple's DEP program, If your devices support iOS11+ we recommend to add your devices to Apple's DEP program using iOS 11 and Apple Configurator 2.5.
If you are changing your MDM, and you haven't enrolled your devices using DEP, then you can also remove the MDM profile from your devices manually, and use Option 3: On-device enrollment.
To remove the MDM profile from your devices manually, you will have to perform the following steps:
- On the device, open 'Settings'
- Select 'General' and select 'Profiles'
- Select 'MDM Management profile'
- Click 'Remove', then 'Remove' again to confirm
Option 1 (Recommended): Apple School Manager + Device Enrollment Program (DEP)
When you're planning on using Apple School Manager / Device Enrollment Program to enroll your devices, you will first have to connect the Jamf School MDM Server to your account. Please follow the next steps to get this done.
- Download your public key in Jamf School
- Configure Jamf School in Apple School Manager
- Login at Apple School Manager
- Navigate to 'MDM Servers' and click on 'Add MDM Server'
- Enter 'Jamf School' as the MDM Server Name
- Add your DEP Devices to the MDM server you've just created
- Upload the public key you've just downloaded
- Download the server Token
- Don't forget to finalise the setup by saving the MDM Server
- Upload the Server Token in Organisation > Setttings > Devices (DEP)
After you've connected the Jamf School MDM Server to your ASM/DEP Account, you can configure and deploy a DEP Profile to enroll your devices into your Jamf School account.
Option 2: Apple Configurator 2
We've created a separate article for this option as it is quite lengthy, please follow the steps shown in this article
Option 3: On-device enrollment
To enroll your devices using the On-device enrollment method you can perform the following steps:
- On the device, go to: zuludesk.com/manage/enroll
- Enter your Network ID: (Your network ID can be found by going to Devices > Enroll device(s) after signing in to Jamf School Management System.)
- Press 'Enroll'
- In the Profile window that appears, press 'install', then 'install' again to confirm
Note: Using this type of enrollment will not supervise the devices, if you want to supervise devices please choose Option 1 or 2.
Step 5 - Configuration: Creating device groups to install Apps, Profiles and Documents
After you've successfully enrolled your devices it would be time to think about your device groups. It is required to use device groups in order to install Apps, Profiles and Documents using the Jamf School Management System. You can create an unlimited amount of device groups, but it is recommended to keep your device groups limited so you won't lose your overview in managing your devices.
The way you're configuring your device groups is completely up to you. You can either choose to create one device group for all your students, one for your teachers and one for your administrators, you can choose to create a device group for every class, grade or location. It completely depends on how you want to arrange your Apps, Profiles and Documents.
It is highly recommended to create separate device groups for iOS, tvOS and macOS devices. This is because the profiles and apps are different for those devices.
It is also highly recommended to separate your wifi, exchange and wifi profiles in separate profiles. Because devices need a constant connection in order to work properly you don't want other profile settings interfering with your wifi settings.
Below is an example of how you could arrange your smart group setup.
When creating a device group, you can choose from two types of device groups:
When you're creating Static Device Groups, you will simply have to add your devices to the group manually. This group assignment has to be done manually by selecting/editing the device and grant the group assignment.
When you don't want to assign the device groups manually you can make use of our Smart Groups. When you're creating Smart Device Groups, you can add different filters that your devices should meet in order to be part of the smart group.
Those filters can be based on the details of the device, the location of the device, the enrollment method and the user assigned to the device, and of course it can also be based a combination of the above filters.
Below is an example of how you could set up a Smart Group.
Step 6 - Configuration: Adding Apps to your Jamf School account
After you've set up your device group it will be time to start distributing apps to your devices. With the Jamf School Management System you will have a few options on distributing apps to your devices.
- Distribute apps via VPP
- Distribute apps via the App Store
- Distribute In-House apps for iOS or tvOS
- Distribute In-House macOS Packages
We highly recommend to distribute apps via VPP in case this is one of the possibilities. This is because you will need your users to sign in with their Apple ID in order to distribute apps via the App Store to their devices, which isn't needed when you're distributing those apps via VPP as you can assign the license to your users devices instead of their Apple ID's.
For custom apps, or software for macOS we recommend to add them In-House.
Your apps will be listed in the Apps overview after you have added an app with one of the options that are described below. Please note that you will need to synchronise your VPP account after purchasing/adding apps via VPP. This can be done by going to your Dashboard and hit the 'Synchronise now' button.
Distribute apps via Apps and Books in Apple School Manager (VPP)
It is possible to distribute in Apple School Manager itself using Apps and Books, you're able to distribute Apps and iBooks this way and works practically the same as the older Volume Purchase Program. You can assign apps to locations in Apple School Manager. When you've assigned apps to a location you're able to head to Settings > Apps and Books and download the token here. You can upload this token in Jamf School under Organisation > Settings > Content (VPP).Please note, due to licensing laws, books are only distributable to users and are not device assignable. To perform this action with VPP you will have to invite the end users Apple ID (Personal or Managed) to your VPP token via the MDM. We recommend using Managed Apple Ids and syncing them with the users in Jamf School so the VPP token invite takes place automatically. If you wish allow the use of personal Apple Ids you will have to manually invite that Apple ID to access the token via the MDM. The steps for a manual invite of standard Apple Ids can be found here.
Distribute apps via Apple's Volume Purchase Program (VPP)
The Volume Purchase Program from Apple allows education institutions to purchase apps in volume and distribute them within their organisations. We worked with Apple to seamlessly integrate the VPP portal with Jamf School Management System.
When you want to use the Volume Purchase Program (VPP) and integrate with Jamf School you need to:
- Create a VPP account
- Go to https://vpp.itunes.apple.com/ to purchase Apps and iBooks (Tip: You can get up to 50% discount for 20 licenses or more)
- Connect to Jamf School by downloading the token and upload it to Jamf School by navigating to: Organisation > Settings > Content (VPP)
Default App Assignment method
As of iOS 9, VPP also support device licensing, where an app license is associated with a specific device's serial number. Whereas licensing by Apple ID allows a specific user to use the app (as long as they've signed in with their Apple ID), device licensing allows anybody to use the app on a licensed device without needing an Apple ID.
You can choose which app assignment you want to use for your VPP token by navigating to: Organisation > Settings > Content (VPP) and clicking the cogwheel in the top left of the token.
Automatically invite users
On Organisation > Settings > Content (VPP) it is also possible to enable this settings. With automatic invitation you can automatically invite users to VPP when they enroll in Jamf School. This can be done by either a popup on the device or by adding a WebClip on the home-screen.
Distribute App Store Apps
It's possible to manually add iOS Apps to Jamf School via Apple's App Store. However, to install these Apps, you are required you to be logged in to a device with an Apple ID.
To add an iOS App navigate to the App overview and when adding an app select the 'Add iOS App' option, a popup will appear where you can search for App-store Apps.
Distribute In-House Apps for iOS and tvOS
It's possible to distribute in-house Apps for iOS and tvOS. This can be done by navigating to the App overview and adding a new in-house app for the selected OS.
Distribute In-House macOS Packages
It is possible to distribute your self-made packages for macOS, for more information how to do so check out: How to build packages for macOS.
Step 7 - Configuration: Distributing Apps to your devices
When you've successfully added your apps to your Jamf School account, you will be ready to install the added apps to your devices.
In order to distribute this apps to your devices, you will have to define a 'scope' where you wish to distribute the app to. This can be done as a bulk-action by selecting your apps and clicking the 'Edit scope' button, or by entering the specific app where you can edit the scope.
A scope is also known as a selection of device groups, so you will have to add the desired device group where you want to distribute your app to.
You will also have multiple options when distributing apps. You can choose to assign the VPP license to the user's Apple ID or the device's serial number, you can choose to assign apps to be installed on-demand or you can choose to install the app automatically. A default for the installation method can be set at Organisation > Settings > Apps & Documents.
****It is also possible to distribute Apps as a teacher to your students within a class.****
In case you're having trouble with an app installation we recommend to follow "Why won’t one or more VPP apps install?".
If you want to learn more about on-demand Apps check out our dedicated knowledge-base article: On-demand Apps, Documents and Profiles and how they work
Step 8 - Configuration: Creating and distributing Profiles
Profiles can configure settings on your devices like Wi-Fi networks, restrictions, e-mail accounts, and many more. It is fairly simple to create Profiles using the Jamf School Management System. You can do this by going to Profiles > Create Profile. There you can simply choose whether you want to create an iOS, tvOS or macOS profile.
Just like apps you can only distribute profiles to device groups and you will also have the option to install profiles on-demand.
It is recommended to create a global profile for all devices that configures a WiFi connection. It is also recommended to create separate profiles for students and teachers since they most likely will require different settings / restrictions.
Please have a look at the Profiles section of the Walkthrough Features in Jamf School Management System article to see more details about what you can do with your profiles.
Step 9 - Configuration: Adding and distributing Documents
The principle of adding distributing Documents is pretty much the same as it is for Apps. However there are a few things that you need to keep in mind when distributing documents.
- In-house documents are available to all devices and have no requirements.
- VPP Documents need to have an Apple ID tied to the device since these are only user-assigned.
- Documents are found in the iBooks App on the device when set to Automatic installation
- When the installation type is set to on-demand these apps will be available to download by the user from the ZuluDesk App
Step 10 - Finishing up: Synchronisation
The Jamf School Management System will synchronise automatically once a day with your connected services. In case you have made some adjustments within any of those services (i.e. VPP, DEP, Active Directory), you can synchronise manually using the ‘Synchronise now’ button on your Dashboard. This button does the following things:
- If you have enabled VPP, it will synchronize all VPP applications, books and users.
- If you have enabled DEP, it will synchronize all DEP devices and creating any missing DEP placeholders
- If you have enabled user synchronization (either through LDAP or SOMToday), it will synchronize all users with the remote service
- If you have enabled Apple School Manager, it will synchronize all classes and users with Apple School Manager
So, for example, if you have assigned new DEP devices to Jamf School in the DEP portal or Apple School Manager, you should press this button once to retrieve these.
Step 11 - Finishing up: Tips, Recommendations and Best Practises
Configuring Apple Classroom using Jamf School
When you're going to use Apple's Classroom app, Jamf School can provide you the setup you need for your teachers to manage their students within Apple's Classroom app.
Please follow Using Jamf School to configure the Classroom app for instructions on how to configure Apple Classroom.
Configuring the ZuluDesk Teacher app
Our brand new version of ZuluDesk Teacher is a complete rewrite from the ground up. In developing this second version of the Teacher app we have focused on creating a companion app that is complementary to Apple’s Classroom app. Use ZuluDesk Teacher app in conjunction with the Classroom app to take teaching to a new level!
Use ZuluDesk Teacher to easily prepare lesson profiles, which include apps and websites to be made available to students during lessons. You can also limit student distraction by setting restrictions, such as preventing notifications or disabling the camera function.
Begin a lesson with ZuluDesk Teacher by simply selecting a prepared lesson profile. Once your lesson has begun, students can only view apps and visit websites preconfigured with the “Prepare a Lesson” feature. More effective teaching. Better learning. Less distraction.
You can also easily update your students by sending them a message.
Please follow How to configure ZuluDesk Teacher using Jamf School Management System to configure the ZuluDesk Teacher app or visit ZuluDesk App Teacher Overview for more information.
How can I pre-configure my Profiles?
When you're distributing Profiles using the Jamf School Management System, you will have the option to pre-configure your profiles with usernames, password and other information created inside those profiles. This can be accomplished by using Payload Variables.
Use the ZuluDesk app to provide your users a Self Service portal
If you have configured (some of) your apps, profiles or documents to be installed on-demand, you can use the ZuluDesk app as a Self Service portal where your users can download those items from.
Please have a look at ZuluDesk App Self Service Overview for more information.
Let parents manage their children's devices when they're at home
Jamf School is being used in schools around the world to let teachers easily manage Apple devices. Less distraction, better learning. At home, parents can use ZuluDesk Parent to easily manage their children’s devices.
We think parents should be able to manage their children’s devices, after seeing the benefits of managing devices in school with Jamf School, we decided the tool could prove valuable for parents when their child is at home.
The ZuluDesk Parent option might be very interesting for you in case you're running a 1 to 1 deployment of Jamf School. Please visit ZuluDesk Parent for more information and follow How to configure ZuluDesk Parent (iOS & Webapp) for information about configuring the ZuluDesk Parent feature.
Knowledge-base / FAQ
Our Knowledge-base / FAQ with helpful articles can be found at http://jamfschool.com/help/.
In case you have questions regarding your deployment, Jamf School or anything related you can create a ticket inside your Jamf School Management System. This way our Support Professionals can assist you with any problem. There are no additional charges for any kind of online support Jamf School provides.