Best way to transition to Managed AppleIDs with app deployment
We have yet to change over to Managed AppleIDs in our district high school because teachers in each individual class have traditionally had their own curriculum app needs that change during a semester, and so our established compromise that dates back many years due to both our limited IT staffing and the fact that there didn't used to be Managed AppleIDs is to allow students to create their own personal AppleIDs (however they want) and then on our managed iPads (about 3500) we white list the apps in the Meraki MDM as the teachers request them, which allows the students to install the apps themselves.
We don't let students delete apps, and this can create problems especially on the 16GB iPads since they have so little app storage, and our remediation is to have students manually back up their data to the cloud, wipe their iPad, and have them reload everything that they need. In addition, if an iPad has a hardware issue or is damaged beyond usability and the student hasn't backed up recently, it means they lose their work. Moving to Managed AppleIDs will give students access to enough iCloud storage so that they should all be able to back up their iPads to iCloud which will be a big benefit to them.
Our IT staff is a total of 5 people to support about 6700 students and 700 staff. We collect the iPads at the beginning of the summer and don't wipe them, we keep track of what student has what iPad and return it to them so if they take care of it, they have the same iPad for all four years of high school.
Since Managed AppleIDs can't download apps from the app store and using those AppleIDs is intended for managed devices like ours the design intent is to deploy the apps to individual devices. That can be done with tags in the Meraki dashboard, but how best to manage this with limited staffing and resources is the question. Per-app tags could be cumbersome for 390+ apps. We are using tags right now for the widely deployed apps. The other way to do it is to create tags for the classes, and then associate the apps with those class tags, which could reduce the number of tags needing to be applied and simplify deploying groups of apps to iPads as students enroll and unenroll from classes since the number of tags to change on each iPad would be smaller. Our student information system is Infinite Campus, and I'm wondering if there would be a way to automate some/all of this through class rostering, maybe with periodic data exports from Infinite Campus and leveraging some custom scripts and the Meraki APIs for tagging iPads?
Also related to this project is how to automate the iPad owners... currently this has been a mostly manual process (exporting data from Infinite Campus, hand editing it into a CSV, then manually importing it into the Meraki MDM at the start of each school year) but there is some automation possible since Infinite Campus can integrate directly with Infinite Campus for regular synchronizations and there is the ASM Sync functionality in the Meraki MDM to get owners into the Meraki side of things. Question is, what is the transition process going from a manually managed owners list to an ASM Sync? How are collisions handled in this scenario, i.e. what will happen to the iPads that already have owners assigned from the manually curated owners list when the ASM Sync happens with the same owners coming in?
Also we are in a holding pattern on going through with the Apple School Manager domain verification (which is a prerequisite for SIS synchronization) because we know some percentage of staff and students have created personal AppleIDs in our domain and I know that collisions there will trigger communication to users from Apple to move their personal AppleIDs to another email address and we haven't wanted to do that during a semester but also need to make sure we've communicated this change ahead of time to everyone in district so they aren't surprised by it (knowing exactly what they're going to see when the collision happens would also help us with what to communicate to them...)
We are collecting student iPads soon for the summer, and traditionally do not collect staff iPads. We've been letting staff manage most of the apps on their iPads, can we continue to do this when synchronizing with Infinite Campus in Apple School Manager and then doing an ASM sync in the Meraki MDM? I think it would be an impediment to teachers being able to test and screen prospective apps if they couldn't install and uninstall the apps they're interested in themselves from their school issued devices, and other than the iCloud storage I don't see a big advantage for teachers to use Managed AppleIDs for that reason.
Ultimately I'm trying to come up with the ideal transition process for moving to managed AppleIDs for the district high school. How does this sound:
1. Tell all staff and students that if they have AppleIDs in our school's domain they need to change them to use another personal email address by a certain date.
2. Verify our domain with Apple School Manager on that date.
3. Ask all staff and students to back up any data on their iPads they want to keep because we will be wiping them as part of moving to managed AppleIDs.
4. Collect all staff and student iPads and wipe them (wipe them because otherwise apps installed by students with their personal AppleIDs will never get removed from those iPads and would quickly create storage space issues for massive numbers of our student iPads).
5. Set up Infinite Campus synchronization in Apple School Manager.
6. Do an "ASM full sync" in the owners list in the Meraki MDM (and deal with any collision issues...)
7. Make sure the owner -> iPad mappings are correct in the Meraki MDM.
8. Set up all the class tags in the Meraki MDM and associate them with the needed whitelisted apps as soon as that data is available.
9. Since I assume there is no automated way to use rostering data in Infinite Campus to tag iPads for what class a student is in to give them the apps they need, manually tag iPads based on owners so that they have the right class tags, which will give them the apps they need. Throughout the school year the app to tag mappings will need to be updated/maintained in the Meraki dashboard as well as the class tags for each iPad so the right apps get installed/removed as needed on every managed device.
I assume there is no way to give teachers granular selective access to the Meraki dashboard such that they could maintain their own lists of apps for their classes, and individual app requests for classes would have to go through our IT staff throughout the school year?
Does this plan make sense? Am I missing anything? Has anyone else done this transition and have any other tips or suggestions?
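The class-tag reconciliation raised in the post, sketched as an added example that is not part of the original post and not Meraki or Infinite Campus code: it compares a roster export with a device list and computes which class tags to add or remove per iPad. The CSV column names, the `class-` tag prefix and all sample rows are assumptions constructed for illustration; applying the resulting plan through the MDM is out of scope here.

```python
import csv
import io

CLASS_PREFIX = "class-"  # assumed naming convention for class tags

# Constructed sample data; column names are assumptions, not a real export format.
ROSTER_CSV = """student_id,course_code
1001,BIO101
1001,ART200
1002,BIO101
"""
DEVICES_CSV = """serial,owner_id,tags
SERIAL-A,1001,class-BIO101 class-MUS110 core-apps
SERIAL-B,1002,core-apps
SERIAL-C,1003,class-ART200 core-apps
"""

def wanted_tags(roster_csv):
    """Map student_id -> set of class tags derived from enrollments."""
    wanted = {}
    for row in csv.DictReader(io.StringIO(roster_csv)):
        tag = CLASS_PREFIX + row["course_code"].strip()
        wanted.setdefault(row["student_id"].strip(), set()).add(tag)
    return wanted

def plan_tag_changes(roster_csv, devices_csv):
    """Return ({serial: {"add": [...], "remove": [...]}}, [skipped serials])."""
    wanted = wanted_tags(roster_csv)
    plan, skipped = {}, []
    for row in csv.DictReader(io.StringIO(devices_csv)):
        serial, owner = row["serial"].strip(), row["owner_id"].strip()
        if owner not in wanted:
            # Owner missing from the export: leave the device untouched rather
            # than stripping its apps because of a partial or stale export.
            skipped.append(serial)
            continue
        # Only tags with the class prefix are managed; others (core-apps) stay.
        current = {t for t in row["tags"].split() if t.startswith(CLASS_PREFIX)}
        add, remove = wanted[owner] - current, current - wanted[owner]
        if add or remove:
            plan[serial] = {"add": sorted(add), "remove": sorted(remove)}
    return plan, skipped

if __name__ == "__main__":
    plan, skipped = plan_tag_changes(ROSTER_CSV, DEVICES_CSV)
    for serial, change in plan.items():
        print(serial, change)
    print("skipped (owner not in roster):", skipped)
```

Reviewing the plan and the skipped list before applying it keeps a bad export from removing apps across many devices at once.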