Jamf Nation Community

Hey David,

Bring this up tomorrow morning at the K12 iPads in Education Morning Coffee Talk mini session. I've had several conversations with folks this week at JNUC about it.

See you then.
~Joe

We have about 8K ipads and are 1:1 for all staff and students.

All staff have 'standard' Apple IDs and can buy their own apps if they want. That is so they can experiment with different apps as needed.

Student Apps are different per school except math apps; they are the same per-grade level for all grades and schools. All other subjects are more or less different per school. High School is the same for all students.

New apps are requested through our Help Desk solution and we have Technology Coaches who then approve or deny. (Everything gets approved!)

Thanks for the feedback. I've had a few discussions with various folks and presented the question in one of the morning sessions. Although I'm still holding out hope to get access to the data via the PowerSchool sync/integration in the next 3 years (it literally already has the students in Classes, so it already knows grade level and classes those students are enrolled in), worst case we could revert to assigning free apps to all devices. Paid apps would be more difficult but we could create static groups. We have a core set of paid apps that the district provides, but we could probably assign those to all users and just have to monitor license counts.

We have minimal groups in Active Directory other than graduation year info. We could use that for some app assignment that doesn't require a high level of granularity, but also would want to avoid wacking our database with constant membership checks. And of course SPED is another hurdle but we at least have gotten our SPED admin involved in managing her students and app assignments, so that's mostly off our plate at the moment.

We only have 2500 students, but I think our answers would be relevant. We are 1:1 iPad K through 12. Our buildings are grouped by grade level (which will become a factor below).

Apps are approved by the building principal. Teachers submit an app request to the principal via a form that includes curriculum areas, how it is going to be used in the classroom, etc. With the exception of some special education apps that are scoped to small groups of students, we made the decision to scope apps to an entire building. We felt scoping to an individual class required too much management, and that generally speaking, students should be getting the same curriculum in every classroom (yes, this could also be done in different apps that accomplished the same thing). Scoping to a grade level was also considered, but students can be under or over performing, so scoping to a grade level would limit flexibility.

We integrate the JSS into our directory via LDAP. When a student enrolls their iPad, the JSS knows the following information about the user: name, building, grade level, home room, email address. We use smart groups to identify them as a student in a particular building and scope apps to the devices based on those Smart Groups.

@david.yenzer - Did you ever get any answers to the various points in your post? You are pretty much in exactly the same position I am. I'd really like to start using Apple Classroom with managed classes, but don't see much point in going through the PowerSchool-->ASM-->JAMF integration if it doesn't give me what I need to scope apps, etc. I'm still mulling over the best way to handle this, but at the moment am leaning toward batch-updating our student AD accounts with the Section_ID from PowerSchool (their homeroom ID, basically), importing that into the Title attribute in AD, which I should then be able to create JSS Smart Groups from. This will give me groups I can scope apps to, and potentially populate classes with - but I would still have to hand-build all the classes. I understand from our Apple SE that most people are still using the SFTP upload to ASM to allow them to massage the data before importing to JSS, since using the web service just dumps ALL the data from PS. I really don't have the time to do that! Maybe the first time, but not on an ongoing basis. It seems really crazy we can't leverage the PS data in the JSS (especially the roster data) for more than just managed classes.

@dmillertds Our SIS isn't supported for the direct connection to ASM, so we're using SFTP. Once you get it going, it really isn't much work to maintain at all. Getting the data that we want out of the SIS in the format that ASM wants did take some work, but it's very do-able. Once we got the data in a good place, I just set up some scheduled tasks, and wrote a powershell script to take the .csv files the SIS spits out, make some minor changes, zip them up and upload them using the WinSCP cmdlet. Now, I get email notifications from ASM when the upload happens, and only ever need to look at the data itself if there's an error.

There is a feature request in to add Roster information to smart group criteria, but it hasn't gotten much traction.

As a side note, if you want to bring in AD attributes without mucking with the LDAP mappings you can create a computer or mobile device extension attribute to collect the data from any AD attribute, provided you have the LDAP box checked in your Inventory Collection settings. This also lets you name the attribute yourself, instead of using a pre-named field.

@dmillertds - We're still in the same boat as when the initial questions were asked. We've got some time to twiddle our thumbs and wait for those features to become available though, so haven't really pushed harder on the issue for now. I did send the question about accessing the existing data from the PowerSchool sync to Jamf Support, plus asked it in a session at JNUC, and it sounds like it's being worked on - just no specific date to expect it and no info on what data would be available or in what format.

In case it needs clarification, we are using the PowerSchool > ASM > Jamf sync in tandem with the Classroom app. Both in Shared Model and in single user mode. And as far as I know there are no technical issues with that, other than some duplicate user issues from lingering old user accounts that probably should have been deleted, which really only affects single user mode iPads in Classroom - the Shared Model ipads in Classroom are using MAIDs (Managed Apple IDs created in ASM), so all that stuff syncs over without issue or duplication.

The process is a bit time intensive up front for us, where we manually create each teacher's cart of iPads (typically 20-30) which is necessary because that's what gets assigned to the imported classes. After that you have to import the classes you'd like to use, or just import them all at once - then search out the ones you want and assign the group of iPads to that class. That's definitely the part of this whole automated process that is in no way, shape, or form automated. For every teacher there's probably an average of 7 classes where you have to assign the group. So you multiply that out and it does take some time to set it up.

All that said, it sounds like you might be onto something with getting groups from PowerSchool into AD. Then maybe the sync from PowerSchool could be leveraged to create the Classes. I'm not sure though that Smart Groups can be created using AD groups - unless I'm forgetting where that option is located. We did discover that you can go into specific apps and assign them by the middle tab of Limitations > LDAP User Groups. So that might work right there, it simply eliminates the use of Smart Groups. I think I'd like the Smart Groups, but could probably work with the Limitations > LDAP User Groups option if we weren't missing the Active Directory integration. Right now we don't have the detail we'd need such in AD groups like "7th Grade English".