U.S. Schools Experiencing Issues with iPad Supervision Profiles on iOS 7

[gkarris]

You forget, this is a school. That means the "IT admin" is really the English teacher who has never done anything like this before.

I'm not kidding, none of the people who make the decisions have ever done this before. When budgets get cut they fire support staff first then when they need them back they post a job offer for like $12/hour for a new IT guy. They mostly get what they pay for.

But in the end it will work out. After all some kid gaining access to Facebook is not the end of the world.

I know of this one high school district that was thinking of replacing IT workers (keeping the manager at each though) with each high school's IT Club members. They would work on equipment after school and during school, they would fix problems in the main day during study hall.

How about that for saving money?

I'm having a bunch of issues on iOS7 with my iPad 2 - seems like they designed it for the iPhone and just threw it onto the iPad and just crossed their fingers...

 

[mj1108]

Playing with the Configurator with a iPad that is supervised on 7.0, when it goes to update to 7.0.2, it downloads the ENTIRE 7.0.2 (1.4 gigs) and wipes the iPad and then installs it. Yet if you do it right on an iPad you get a 21 meg update that applies with no problem. It would be nice if we could get that 21 meg update to push out in the Configurator as well.....

 

[ufwa]

I think the better question is why is the school setting up policies to "protect children from improper content" instead of teaching proper browsing behavior?

So they don't their asses sued. Its as simple as that.

IMO schools shouldn't even be teaching kids proper browsing behavior. That kind of stuff starts at home. The kids should be taught by their parents not to be watching porn and do other stuff that not appropriate for their age.

A school's job is teaching academics not morals.

 

[960design]

I guess we were lucky.

About 2000 iPads and none dropped their supervision profiles. A couple did get 'stuck' while updating and carried away from the wireless router by an employee. A reset ( holding power/home ) fixed it.

Yeah... I'm paid a little more than $12 bucks an hour.

----------

Why is an IT admin worth their pay actually rolling out an OS update this soon after release without testing this first?

I've tested iOS7 for the last 4 or 5 months. So we were ready for the release.

----------

I think the better question is why is the school setting up policies to "protect children from improper content" instead of teaching proper browsing behavior?

Because it's the law. But we completely agree with you!

----------

There are hundreds of ios software engineering and testing employees in Cupertino. Apple sends the marketing message that "Apple products just work". The education sector is Apple's lifeblood for growing new users. Underserving it is unprecedented and gives eager competition from Mountain View another crack for a toehold up. Speaking of deleted supervisory rights, perhaps additional adult supervision is needed in ios development beyond color palette.

Agreed. I'd be happy to assist Apple with the very minor fixes that would make iPads shine in an enterprise environment. For example:
1) Deployment streamlining
2) Management capabilities at the enterprise ( as opposed to the individual ) level
3) Proper App deployment ( this is my real pet peeve with Apple ).
4) Security of iPads in an enterprise environment ( another pet peeve of mine ).

I could crash an entire school district's thousands of iPads overnight if I wanted to. So could any disgruntled student.

 

[seecoolguy]

Why is an IT admin worth their pay actually rolling out an OS update this soon after release without testing this first?

iOS updates are controlled by apple, there are no MDM controls that can prevent an admin from updating on the glass. The iPad as much as companies and schools may want, is still very much a consumer product.

we use them at my work and discovered the loss of supervision pretty early on. although all ipads are setup with findmyiphone, so they can't be wiped and setup with someone else's appleid.

supervision was a good way to keep the device locked down, while on MDM, and prevented users from adding their own music and movies to the device.

we've been using them for over a year and we've had good employee response with them even though they are treated as work devices and not iPad consumption devices.

 

[BlendedFrog]

iOS updates are controlled by apple, there are no MDM controls that can prevent an admin from updating on the glass. The iPad as much as companies and schools may want, is still very much a consumer product.

Here we actually prevent the devices from being able to update at the firewall level. While we cannot prevent the device from being able to update if it is taken outside our network, the firewall actually blocks the entire ip range of the apple download server. So the iDevices never get the badge alert for updates and if you go check for software updates it doesn't work.

 

[FirstNTenderbit]

Two huge issues here, that I have found to be critically large issues in my time both in school and working for a school:
-They rolled out iOS 7 without testing it. They couldn't have tried this with what, 4 iPads and found this issue right away and delayed it until they could proceed further? Or are the students installing iOS 7 on their own to get past that?

-The second, and perhaps more alarming, is the fact that they're collecting the iPads at the end of the day because the iPads could be used to browse different websites, etc. The school sees it as "We don't want our property to be used for this or that" but I guess I see it as these kids can't use their iPads to study after school.

My nephew is in an iPad program at school. They don't hardly use books. Or worksheets. Or even physical sheet music. When they play a concert they all pull up their iPads and play off of that. It's brilliant because these kids are more interested in learning, the learning can be far more interactive, and the iPad actually does save a ton of money in the long run.

If his iPad were taken away for, say, a week from school they would have severe issues. Even if he could use it at school that still means they're going to need to completely change how they do things outside of the school. That transition would probably take all the time it would take to get the protection back up on these devices.

Anyway, the long story shortened: Schools are more afraid of the negative that COULD happen with these devices than with the loss of education that WILL happen without them. Yikes.

You actually started with the 2nd issue. The 1st issue is Apples software update failure. Multiple post try to glide past this with a cursory mention so they can excoriate the schools. The genesis of the issue is in Cupertino: fact. School IT update was the 2nd issue.

The schools did the right thing removing the iPads. Can't study after school? Seriously? Even though they were not astute enough to test the iPads before updating (neither did Apple), do you seriously think the schools would be foolish enough to put all their eggs in one basket with a 100% iPad curriculum? I doubt it. The iPad programs are in their infancy and the schools are learning as they go. Most of the schools are using the iPads as supplemental learning tools, not primary.

Aside from liability the schools have a responsibility to protect the kids. The far outweighs the need to entertain them.

Bolded: Nothing about that is brilliant. It's completely irresponsible. I'm just going to say you may be a little mistaken about what's going on at your nephew's school. What you described is... fantastical.

 

[timeconsumer]

Issue is, the IT guys can't prevent the iOS update.

Reading the posts, the students initiated the update becuase Apple did not block that ability.

The only thing the school IT staff could do was block the URL for the update, but once the iPad was on an open WiFi, then the student could start an update.
(http://mesu.apple.com/assets/com_a...ate/com_apple_MobileAsset_SoftwareUpdate.xml)


This is will be a black eye for Apples education initiative.

Wow, somebody who actually knows what they are talking about. This is exactly correct. There's no way to block end-users from accessing settings in order to prevent them from updating to iOS 7. This is clearly a flaw on apples side.

Yes you can block it firewall level but as others mentioned, you cannot do anything if they take the device to a different network.

For those of you saying they should've tested, keep in mind some iPads it does not remove the supervision profile. So what if they tested 5-10 devices which did not have the issue then rolled it out to the rest of their thousands of devices which then had the issue?

Also please do some research on how apple configurator and MDM solutions work before criticizing an IT admin who is employed by a school.

 

[PracticalMac]

Silly question....the link you posted with the apple xml...what does it do?

That's the page to block on local server to prevent an iSomething from updating.

 

[charlituna]

They better hurry the heck up with this, my school's iPad roll-out is supposed to happen next week. (UK Sixth Form student here).

It really isn't Apple that much and hopefully the folks in charge of your rollout will have done a better job of things. Especially now that iOS 7 and the new version of Configurator is out. Although it doesn't mean that the MDM companies have done their part. Although with iOS 7 in preview all summer it is a shock they weren't ready for it.

----------

Why is an IT admin worth their pay actually rolling out an OS update this soon after release without testing this first?

More like 'why is an IT admin worth their pay letting these devices leave the school without making sure that the kiddies can't update iOS and break the apps they need for classes which might not have been updated yet'

And 'Why is an IT admin worth their pay allowing the use of security software from a company that apparently doesn't guarantee their software can't be broken by an OS update when they had access to said OS months before public release or that their profiles can't be deleted in a half second by anyone'

 

[charlituna]

There are hundreds of ios software engineering and testing employees in Cupertino. Apple sends the marketing message that "Apple products just work".

First off that is a hideous misquote. Apple has never sent out any message that their products are guaranteed issue free from day one like folks imply.

The whole 'it just works' was made in regards to the complex set up processes required on other computers at the time just to use it.

And a big chunk of this issue is a poor choice of MDM software which didn't seem to include things like passwords to remove all profiles, blocking users from running iOS updates or making sure their profiles etc can't be screwed up by new software when they could have been testing for weeks.

----------

Issue is, the IT guys can't prevent the iOS update.

Reading the posts, the students initiated the update becuase Apple did not block that ability.

I believe you mean because the MDM software didn't prevent it. Or because, if it was in Configurator, the IT staff didn't black list the servers.

----------

A little dose of reality re the LA story:
http://speirs.org/blog/2013/10/1/ba...ght.com&utm_medium=referral&utm_campaign=Feed

Not really, given that he admits to having zero actual facts and he's just guessing and the details.

 

[macs4nw]

…..This is will be a black eye for Apples education initiative.

Educate, not Edugate. Cheap shot, I know.

I don't know if it's a black eye or not, but it might give reason to pause for some school districts who are still sitting on the fence, and were contemplating introducing the iPads in their classrooms.

Short of completely locking down, and impairing these iPads, they are going to be used for other purposes. Some of these kids are going to be a step ahead of Apple's Configurator and the supervision profile. Human ingenuity takes care of that. Any weak spot will be ferreted out.

 

[Poisednoise]

A school's job is teaching academics not morals.

What an extraordinary thing to say. Are you suggesting that a teacher should teach the facts of the slave trade, but not allow discussion of the moral implications? That it is even possible to read Othello, or Tess of the d'Urbervilles, merely as an exercise in the use of words, without considering the meaning of those words? How far would you take this view of how education works - does the teacher focus on the quadratic equation, and ignore the child being bullied at the back of the classroom?

A school's job is to educate, in the broadest sense of the word. And I say that, not (as I suspect you did) as someone who is pontificating without any recent experience, but as a teacher of 20 years.

 

[Swift]

Actually, I think kids deserve a free zone where they can use Facebook or whatever. Give 'em 5 GB and a private locker. Like real school. Pitiful that everybody goes nuts when kids have some hacking abilities and a will of their own. Wait a minute, isn't that what they make money with?

 

[FirstNTenderbit]

Wow, somebody who actually knows what they are talking about. This is exactly correct. There's no way to block end-users from accessing settings in order to prevent them from updating to iOS 7. This is clearly a flaw on apples side.

Yes you can block it firewall level but as others mentioned, you cannot do anything if they take the device to a different network.

For those of you saying they should've tested, keep in mind some iPads it does not remove the supervision profile. So what if they tested 5-10 devices which did not have the issue then rolled it out to the rest of their thousands of devices which then had the issue?

Also please do some research on how apple configurator and MDM solutions work before criticizing an IT admin who is employed by a school.

You are exactly right on a lot of points. I criticized the lack of testing, but as you say, if they tested a representative sample and all went well why would they think something would go wrong. I am also guessing the testing would have occurred in the school environment where the firewall would have given the impression that all is well.

It's a learning process and things will get better.

 

[PracticalMac]

Even though they were not astute enough to test the iPads before updating (neither did Apple).

I read of one school IT did test, they found issues, told Apple multiple times, no action.

They used FireWall to block updates.

Apple did drop the ball, no question.

 

[seecoolguy]

Here we actually prevent the devices from being able to update at the firewall level. While we cannot prevent the device from being able to update if it is taken outside our network, the firewall actually blocks the entire ip range of the apple download server. So the iDevices never get the badge alert for updates and if you go check for software updates it doesn't work.

We use an MDM and it requires us to keep ports open so we are able to push in-house app updates to our iPads..

http://support.apple.com/kb/TS4264

we referenced this list in order to determine how to block other services like: iTunes Radio too, but it would be best if Apple allowed us to control these settings via the MDM otherwise what's the point??

http://support.apple.com/kb/TS1629

 

[BlendedFrog]

We use an MDM and it requires us to keep ports open so we are able to push in-house app updates to our iPads..

http://support.apple.com/kb/TS4264

we referenced this list in order to determine how to block other services like: iTunes Radio too, but it would be best if Apple allowed us to control these settings via the MDM otherwise what's the point??

http://support.apple.com/kb/TS1629

Ah...but we don't actually block itunes itself because like you we still need to be able to push out in-house apps via our mdm also. We only block via the firewall the specific ip ranges that deal with the apple download server for os updates. This prevents the os from checking for updates and displaying a system update badge.

 

[seecoolguy]

Ah...but we don't actually block itunes itself because like you we still need to be able to push out in-house apps via our mdm also. We only block via the firewall the specific ip ranges that deal with the apple download server for os updates. This prevents the os from checking for updates and displaying a system update badge.

would you be able/willing to share the IP ranges you blocked? this could be very helpful for anyone trying to do the same (or a link to a site that discloses that info?)

we're using Apple's MDM (Profile Manager 2.2 on 10.8.3) wondering what other's were using as compared to the Apple's PM, it works, but reporting off of it is terrible

 

[BlendedFrog]

would you be able/willing to share the IP ranges you blocked? this could be very helpful for anyone trying to do the same (or a link to a site that discloses that info?)

we're using Apple's MDM (Profile Manager 2.2 on 10.8.3) wondering what other's were using as compared to the Apple's PM, it works, but reporting off of it is terrible

Sorry I didn't see your quote notification earlier. I don't see it being an issue sharing this as it shouldn't be a trade secret/nda issue. Let me run it by our firewall ops team and I'll post it if I can.

 

[seecoolguy]

Sorry I didn't see your quote notification earlier. I don't see it being an issue sharing this as it shouldn't be a trade secret/nda issue. Let me run it by our firewall ops team and I'll post it if I can.

That would be awesome, thank you!

Are you also using Profile Manager2 or a 3rd party MDM?

 

[BlendedFrog]

That would be awesome, thank you!

Are you also using Profile Manager2 or a 3rd party MDM?

I put in the request over to our firewall ops team after I posted it on Friday and got a response this morning.

I was told that since the method we use was created in house and not endorsed nor supported by Apple I cannot share it. That is a downer because I personally think it is a great tool for others looking to do the same thing.

That being said, we use a 3rd party mdm...airwatch.

 

[seecoolguy]

I put in the request over to our firewall ops team after I posted it on Friday and got a response this morning.

I was told that since the method we use was created in house and not endorsed nor supported by Apple I cannot share it. That is a downer because I personally think it is a great tool for others looking to do the same thing.

That being said, we use a 3rd party mdm...airwatch.

Thanks for looking into it anyway BlendedFrog, I appreciate it. I shared what you mentioned to out IT team and they mentioned that Apple's ip range was very wide, and they are overworked, so I don't think they'll be applying it anytime soon too bad.

We're using PM2 which is fine but there are a lot of little annoyances, like I can't simply run a search for which devices are not yet updated to the newest version of our app, so much that we added a statement into our app that checks a local webserver for the current version, if it doesn't match it asks the user to contact the helpdesk to get the newest update.

I found out they (IT group) bought into an MDM called Dell Kace 3000. as Steve Jobs would say it's s***! PM2 is better lol.

thank you for replying though!