Apple Configurator v1 – Free iOS Management Tool - Walkthrough
On top of all the other Apple news from the other week, there was also a “silent” release of a new tool called the “Apple Configurator”. Think of it as a mixture of the Apple Xcode, iTunes and iPCU applications all wrapped into one.
It appears to have been kept tightly under wraps, with a small number of beta testers, since the Apple WWDC conference last year.
The current OS requirements are: Mac OS X 10.7.2 or later – thus it requires a Mac machine running Mac OS X, but not Mac OS X Server. There currently is no Windows OS support, unlike for iPCU and iTunes which do have Windows versions.
You can download Apple Configurator from the Mac App Store. It is a free application, but you will need an Apple ID.
Some of the functionality that I will document in this walkthrough:
· Configure up to 30 devices at a time
· Update devices to the latest version of iOS
· Create and restore a backup of settings and app data from one device to other devices
· Import apps into Apple Configurator and sync them to new devices
· Use the built-in editor to create and install iOS configuration profiles
· Organize supervised devices into custom groups
· Automatically apply common configurations to supervised devices
· Quickly reapply a configuration to a supervised device and remove the previous user’s data
· Import apps into Apple Configurator and sync them to supervised devices
· Define and apply common or sequential names to all devices
· Restrict supervised devices from syncing with other computers
· Add users and groups manually or auto populate via Open Directory or Active Directory
· Check out a device to a user and restore the user’s settings and data on that device
· Check in a device from a user and back up the data for later use, possibly on a different device
· Apply custom text, wallpaper, or the user’s picture to a device’s Lock screen
· Import and export documents between your Mac and Apple Configurator
· Sync documents between assigned devices and Apple Configurator
The installation was quick and painless. During the installation the product prompted me to upgrade and install the latest iTunes 10.6 as well.
When run for the first time after the installation, a very nice welcome screen is shown to educate you on the 3 main application functions:
I will now go in depth for each function or task.
Before we dive into each task in the application, here is a quick review of the all-important Preferences, which can be important to configure. Access the Preferences in the application menu:
The preferences have two sections, “General” and “Lock Screen”. It is important to use the same Apple ID as configured and authorized in iTunes (Store->Authorize This Computer) on the same machine.
The “Lock Screen” settings provide some nifty features to streamline a custom lock screen wallpaper. Drag and drop a new picture, custom text, and automatic user images from the directory service connected. This can only be applied to Supervised devices.
Tip: Reclick on the “Lock Screen” tab to update the wallpaper rendering.
Click on the Prepare icon.
Tip: If you have any devices connected to the Mac, you will see a number indicator on the upper-right of the Prepare icon.
The Prepare screen has two sections, “Settings” and “Apps”. The Settings screen provides the following:
Name: Device name that will be set. Defaults to “No change”. You have the option to start at any number: just enter one, and click on the Number sequentially tick box. Here I entered 5, for example, and have 3 devices connected.
Supervision: Set this to OFF if you want to configure a device once. Set it to ON if you want to reapply a configuration repeatedly, and also bring the device to a known state every time it is connected. We will go into more of this in the next section.
iOS: Defaults to Latest, so you can upgrade automatically. You can choose Other, and point to a .ipsw file. The application will download the latest .ipsw automatically for every device type connected if Supervision is used.
Tip: This could be handy if you want to install a new Beta iOS. If you selected Supervision OFF, you can also select No Change. This doesn’t appear to be possible with Supervision ON.
If you are not installing a fresh iOS release, you can select “Erase all contents and settings”.
Restore: To install a backup to multiple devices, choose it from the list. Please note that “Don’t Restore Backup” will still erase all content and settings when Supervise is ON.
Tip: Set Supervision to OFF, then you can select “Back Up”, if you want to back up a connected device with no Supervision features. Otherwise you need to configure a Supervised device first. iTunes backups can also be used for un-Supervised devices.
Tip: Make a “master” device with the iOS Setup Assistant already completed, and you can then use the Prepare function with Supervise OFF to set up multiple devices with the same backup and let it install the same profiles and applications on each one.
Profiles: Here you can import an existing .mobileprofile file created previously with iPCU or “Create new Profile” right in the Apple Configurator. The v1.0 version has all the same iPCU settings as in the recent new v3.5 version. See my previous article on that here. You can also Export the profiles you have listed.
Apps: In the “Apps” section you can browse or drag’n’drop .ipa files (for example from Home->Music->iTunes->iTunes Media->Mobile Applications if you transferred purchases from a device, or an in-house developed application from Xcode).
If you add an application that is not free of charge or in-house developed, a prompt for the Apple Volume Purchase Program (VPP) voucher codes will appear:
Please note that the VPP program is still not available for all countries and requires enrollment (businesses must have a DUNS number).
Dismiss the prompt(s) and review the applications you may have added:
You can then click on the “0” icon and import your VPP vouchers purchased for the selected AppStore application. The spreadsheets can be downloaded with your VPP account at any time from http://vpp.itunes.apple.com.
Once you have imported your codes, the number will decrement as the codes are used on the devices, and you can track which device each code has been used on.
Click on the Prepare apply icon at the bottom of the screen when you are ready to start!
After an “are you sure” prompt, all the devices connected through USB will be updated and you can visually see their progress status:
Any issues will be marked, and successful completion is shown:
After you have Prepared your devices and have set the Supervise setting to ON, you can further manage them within the Supervise icon:
You can create groups and drag the devices into these groups. You can also add additional apps to the devices/groups:
If you have installed paid-for Apps and uploaded the VPP .CSV spreadsheet with codes, you can track and see which devices are using which codes and how many you have left:
But the really-really cool thing is that if you remove the checkmark in front of a paid app that was installed with a VPP code, the redemption code count goes back UP, and you can reinstall the paid app on another Supervised device!
Last but not least of the 3 functions in the product is the “Assign” function. Here you can facilitate a check in and check out process for your Supervised devices, where the users’ data is left intact – think Windows roaming profiles.
Here you can add users and groups (even from a connected directory service) and drag and drop users in those groups.
You can assign and install documents to be used by specific users or a group of users. Click on the “+” symbol at the bottom of the 3rd panel, and choose the appropriate application that is installed on the device: (mine has several options since I imported a large number of apps, only those that support iTunes file sharing are supported)
Then browse to the files you want to be placed on each device the users are assigned to. The document is now associated with the user and will be installed when a device is checked out to that user.
When you are ready to assign and check out devices to users, click on “Check Out” at the bottom and pair the users to the available devices. When complete, click on “Check Out”:
When users return the devices and you wish to check in the devices again, attach them to the machine running the Apple Configurator, click on the user, and click on “Check In” at the bottom. It will now transfer the files, and any changes the user has made to those files, into a backup, so upon the next check out the files can be restored:
Unless you specified a backup in the Prepare stage as part of the device’s Supervise configuration, the user data will remain on the device until you check out the device to another user.
Using a Supervised Device
A quick verification on the Supervised device shows that the lock screen indeed has been set as configured:
It is clear that the Apple Configurator tool provides a self-signed certificate, and places a Profile on each device that is Supervised. Of more concern is perhaps that the machine running Apple Configurator and its Network MAC address are part of the certificate signature:
It is also clear that the disabled iTunes tethering does work, and here is the prompt I received when trying to tether the Supervised iPad to my iTunes 10.6 installation:
Another useful feature in the application when in the Supervise function is to provide detailed asset information from the Supervised devices into a .CSV file:
In the scenario where you have users checking devices in and out, you could lock the device with profile settings so the AppStore and other functions are disabled. You would maintain the apps and the VPP codes used on all the devices in a contained environment. There would also be no need for individual Apple IDs for each user, unless they are using iTunes and other apps that require it.
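To verify that lockdown before devices go into a shared pool, an exported profile can be audited offline. The following is an added example, not code from the original article or from Apple: it assumes an unsigned XML profile, uses a constructed sample, and the choice of which Restrictions keys must be off is this example's assumption.

```python
import plistlib

# Constructed sample: an unsigned profile carrying one Restrictions payload.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.sharedcart</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.applicationaccess</string>
    <key>allowAppInstallation</key><false/>
    <key>allowInAppPurchases</key><true/>
  </dict></array>
</dict></plist>"""

RESTRICTIONS_TYPE = "com.apple.applicationaccess"
# Keys that should be False on a checked-out device (assumed policy for this example).
REQUIRED_OFF = ("allowAppInstallation", "allowInAppPurchases")


def audit_profile(data):
    """Return a list of findings; an empty list means the lockdown is present."""
    profile = plistlib.loads(data)
    payloads = [p for p in profile.get("PayloadContent", [])
                if isinstance(p, dict) and p.get("PayloadType") == RESTRICTIONS_TYPE]
    if not payloads:
        return ["no Restrictions payload (%s) in profile" % RESTRICTIONS_TYPE]
    findings = []
    for key in REQUIRED_OFF:
        # A missing key leaves the feature allowed, so only an explicit
        # False in at least one Restrictions payload counts as disabled.
        if not any(p.get(key, True) is False for p in payloads):
            findings.append("%s is not disabled by any Restrictions payload" % key)
    return findings


if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE) or ["profile locks down app installs"]:
        print(finding)
```

A signed profile is wrapped in a signature container and has to be unwrapped before this parser will accept it.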
As with most new v1 applications there may be some bugs and steps to hash out.
I got some of these prompts while importing apps:
There is no detailed logging to see exactly which iOS apps are at fault in various stages in the application. You may have to guess or perform a process of elimination.
In this example I added a document to Adobe Reader, which isn’t present on the selected device:
As with any device management system, the local database that the Apple Configurator uses is critical to your long-term usage of the product. You should regularly and properly back up the Mac you use to manage all of your devices.
Specifically, this paragraph in the http://support.apple.com/kb/HT5188 support article states this:
"If you lose the Apple Configurator database, your users will retain rights to use the apps already installed on devices, and you can reimport any spreadsheets to install additional apps on devices using unredeemed codes. But if an app is deleted from a device after you lose the database, Apple Configurator will be unable to determine the device’s rights to that app, and you will need to redeem another code in order to reinstall the app."
I’m also wondering about the self-signed certificates that the devices have been set up with and assume they would have to be re-Prepared if moved to another machine running Apple Configurator.
I think Apple definitely has upped the ante on the management features they provide, above and beyond the Profile Manager features released in Mac OS X Server, and those found in Xcode, iTunes and iPCU.
It still lacks some of the larger scale enterprise features found in the various Mobile Device Management (MDM) products on the market (such as self-service Enterprise App Store, active monitoring etc), or an Exchange ActiveSync remote wipe. So it really depends on your requirements (and budget). It could easily make sense for a small to medium sized iOS device deployment and management within a single facility.
Also if you have an educational or training type setup with a secure cart (as found from Bretford, Parat, Tribeam, or Datamation, etc) with a USB hub and connected MacBook, you can easily manage a cart full of devices with the Apple Configurator and the basic features that it can currently provide.
But if you have a larger deployment, spread over a more dispersed geographic area, with additional security requirements and processes around it, I would highly suggest looking at a more full-fledged MDM solution. The majority can be found here in a nice public comparison: http://enterpriseios.com/wiki/Comparison_MDM_Providers, although several are still missing.
A hybrid use case could perhaps also work, where non-Supervised or Supervised devices are also used with another MDM solution, but more testing is highly recommended.
Now if the special logic used to reuse VPP vouchers from one managed (Supervised) device to another could also be found in the MDM solutions on the market, you could have some strong new features.. :-) Also, the shared user aspects are a sore spot for many current MDM solutions. It will be interesting to see if some of these new features get carried over.
Here are some further reference points:
Apple Support articles:
HT5185: Apple Configurator: Coordinating device names with labels or slot numbers in carts and racks
HT5188: Apple Configurator: Using Volume Purchase Program (VPP) Redemption Codes
HT5194: Apple Configurator: Backing up and restoring data
Apple Configurator Help Online
Randy Saeks also posted a great 11 minute video walk through here:
- and a nice 17 minute video here that goes more in depth on the Supervision aspects: