Finding a good way to manage iOS devices so they are secured and continue to receive updates is a major pain. Cisco Meraki SM helps to alleviate much of that pain. My organization just got six brand spanking new Meraki AP's and they have been working magnificently. Management and monitoring of our wifi networks has never been easier. The next beast we needed to tackle was an issue with some iPads our organization was using for training and other uses. We originally went with Apple Configurator 2 because of the low cost for the management and it seemed to work ok, not great but ok and we had access to some free Youtube training and documentation for the use of Apple Configurator 2. However the use of Apple Configurator seemed to be inadequate as the number of apps use used got larger, iOS got bigger, and the ipads got older; it took longer and longer to do updates and secure the devices properly. The last update to 6 ipads connected to a MacPro Laptop had taken 2 days and was still working on doing updates so we had to do something otherwise this was going to be unusable as it was taking too much staff time to manage these devices.
VPP can not be an account that is already in use with the iTunes store or iCloud. Any purchases under those accounts will have to be re-purchased. To be authorized by the DEP program you must by your iOS devices directly from apple otherwise they are ineligible to be used with the DEP but they will still work with the VPP and can still be managed through the SM console. All the ipads we had were all in use with iTunes and iCloud accounts, some were supervised some were not. To use the iPads with the Meraki MDM I had to reset all the iPads and set them up as supervised under the account we are going to use for the VPP.
Setting up Apple MDM
When you first get going on the MDM you need to setup a Apple MDM Push certificate under the address we're going to use for the VPP account. https://appleid.apple.com/for the purposes of this blog post lets call it merakivpp@orgdomain.ca. Apple will make you use 2 Factor SMS authentication with this account.
Once done you download the MDM_Meraki Inc_Certificate.pem and upload it to the apple Push Certificate Portal and Download the token certificate and upload it to the Meraki MDM
Once that is all setup and configured we will add our the iPads to our MDM. To do that we have to make the ipad Supervised with Apple Configurator 2. With Apple Configurator 2, all you have to do is set the device to supervised and decide if you want it to sync with other computers. For this I set it to disallow the syncing with other systems. You can add the ipad via profile setting in the Apple Configurator 2 or by going to a link on your network provided by the Meraki MDM page.
Once the ipads are assigned to get apps you have to buy them from the VPP. If your not logged in, sign into the Apple VPP https://vpp.itunes.apple.com/store?cc=CA&l=en
Once that is setup purchase your apps, you will get an email with any receipts and you will also get notified when you can start using your VPP Purchase, this usually takes about 1 to 3 minutes.
Then you assign the apps via tags. as you can see below, iPad 1 gets Excel, iPad 2 gets One Note, iPad 3 gets PowerPoint and iPad 1 and iPad 3 both get Word. Unless the device has the tag where the app is assigned they will not get that app. I am using the scope with Any as I don't have a large number of restrictions that are required.
***IMPORTANT***
There are a few scopes for restricting apps
WIth Any (will assign to devices with a minimum of one of the tags)
with ALL (must have all the tags)
All Devices
without any (without the tag)
without all (without all the tags)
Now for the settings, I used the Meraki managed profile. This gives you access to the different configuration settings in Apple Configurator with a nice web front end. With the ipad connected to our Meraki MDM with a cert to get updates when we make changes, we don't really have to sync these ipads with a computer gain unless there is a major issue with the iOS device.
