Apple_School_Manager_and_Azure_Federation-_One_School_District_s_Story.pdf

Transcript

1. © JAMF Software, LLC Apple School Manager and Azure Federation:

   One School District’s Story 2:45 - 3:15 PM UP NEXT
2. None

3. © JAMF Software, LLC Brian Martin Apple Systems Administrator Lafayette

   School Corporation

4. © JAMF Software, LLC ASM-MS Azure integration Discussion objectives: Define

   federated authentication Why federated authentication? How to federate? Q&A

5. © JAMF Software, LLC Defining federated authentication Federated authentication Hands

   off verification of credentials to a 3rd party Authentication vs. Authorization

6. © JAMF Software, LLC Why federate? Account creds created in

   a single place Students only memorize one set of creds Password changes follow standard district policies! ASM two-factor turned OFF for most users

7. © JAMF Software, LLC Managed iPads without Apple IDs? Very

   possible…with device-based app assignment, device enrollment and Jamf Self Service But what are you missing?

8. © JAMF Software, LLC The missing pieces 200 GB iCloud

   Storage Apple Classroom Apple Schoolwork

9. © JAMF Software, LLC

10. © JAMF Software, LLC General Apple steps to federate 1.

    Decide which domain to federate 2. Connect to Azure to verify identity/ownership 3. View Apple ID conflicts on your domain 4. Resolve Apple ID conflicts on your domain 5. Notify end users of conflicts 6. Turn on and test federation

11. © JAMF Software, LLC Deciding which domain to federate Looking

    at Azure’s capabilities, we realized we could add ANY domain that we control to our Azure accounts, and (with a little bit of work) in the Microsoft console. Examples: lsc.k12.in.us apple.lsc.k12.in.us ipadatlsc.org

12. © JAMF Software, LLC Deciding which domain to federate (cont.)

    Our goal = single, securely-managed set of user creds for student-facing services. For better or worse, we chose federating our root domain (lsc.k12.in.us)

13. © JAMF Software, LLC Connect to Azure to verify identity/ownership

    Click Settings Click Accounts Click “Edit” button under Federated Authentication

14. © JAMF Software, LLC Defining an Apple ID conflict A

    conflict = ANY personal or hand-created Apple ID that already exists on the domain you are choosing to federate! ANY does mean ANY!

15. © JAMF Software, LLC View Apple ID conflicts on your

    domain Apple DOES NOT provide a list of account conflicts! The federation process only provides a number.

16. © JAMF Software, LLC Possible sources of Apple ID conflicts

    ANY truly does mean ANY! All personally created staff Apple IDs Old student Apple IDs Purchasing Apple IDs (ecommerce.apple.com) GSX Apple IDs (Service) Apple Developer Apple IDs Old Apple Configurator Apple IDs EVEN YOUR APNs CERT FOR MDM!

17. © JAMF Software, LLC Tip for seeing who has a

    conflict If Apple only provides a number of conflicts, how do you know which users will need conflict resolution help?

18. © JAMF Software, LLC Before Apple’s email is sent Communicate

    with your staff before you get “Why did I get this email?” work tickets! Outline future benefits (Schoolwork, backup, single set of credentials, etc…) Instruct users where they can get help resolving conflicting Apple IDs.

19. © JAMF Software, LLC Apple’s conflict resolution email “Learn more”

    link in this email: https://support.apple.com/en-us/HT209349

20. © JAMF Software, LLC End users and Apple ID conflicts

    After 30 days, Apple nudges conflicted accounts by deactivating FaceTime and iMessage. After 60 days, Apple resolves conflicts by migrating them to temporary Apple IDs. For example: [email protected] becomes [email protected]

21. © JAMF Software, LLC Conflict resolution tool: second domain For

    everyone thinking, “I’m not moving our mission critical Apple IDs to a Gmail account.” Use a second un-federated domain your organization controls for these Apple IDs.

22. © JAMF Software, LLC Turning on and testing federation

23. © JAMF Software, LLC

24. © JAMF Software, LLC Misc. concerns: project timing We wanted

    to cut over on May 1. This gave us a month to get federation process ironed out and still get iPads assigned to staff before summer break.

25. © JAMF Software, LLC Populating School Manager Using SFTP to

    upload to Apple School Manager https://support.apple.com/en-us/HT207029 Connect your SIS to Apple School Manager https://support.apple.com/en-us/HT207409

26. © JAMF Software, LLC Connecting ASM to Jamf Pro If

    updating a previous ASM integration, consider how changing a users email address may impact Jamf smart groups. Duplicate matching criteria: Managed Apple ID = Email (Jamf Pro)

27. © JAMF Software, LLC Helpful Apple links Get Ready for

    Federated Authentication https://apple.co/2ILVH8Q Intro to federated authentication with ASM https://apple.co/2J1Miu3 Apple School Manager User Guide https://apple.co/329qqmZ

28. © JAMF Software, LLC Helpful Microsoft links Get Help with

    Office 365 Domains https://bit.ly/34m9lrs Office 365 Domains FAQ https://bit.ly/36rvCpT

29. © JAMF Software, LLC Q&A

30. © JAMF Software, LLC Thank you for listening! Give us

    feedback by completing the 2-question session survey in the JNUC 2019 app. UP NEXT The Future of Assessment 4:00 PM