Apple Configurator 2 and restoring backups

Thank you for this! I've been struggling all week...

Couple of questions:

1. My devices are all now supervised. I take it that to successfully get a backup onto them I will have to remove MDM via DEP, then wipe them?

2. My students tend to mess around with the iPads, move the folders about, change settings, log out of dropbox/gmail etc. For child protection purposes, I need to be able to periodically wipe the iPads back to the restored backup state. Will I be able to do this remotely or will I have to plug each one into the mac physically? And then what will happen? Will they be forced to go through the entire process outlined above?

Really I just want to set them up how I like them, freeze them in that state, and if necessary, revert them back to that freeze state remotely. When I look at how difficult this all seems to be, I can only conclude Apple didn't bother employing a single ICT coordinator when designing the Apple Configurator.

3. On the subject of child safety, I've found that the inbuilt mail app retains all email addresses and sent mail. So if my students use it to mail each other or their own home addresses, then these email addresses get retained, but not in the address book where I can find them and delete them. If you type in a letter to the address section of the email, any email address ever sent to by that ipad will come up. It's a child protection nightmare.

I switched to Gmail so I could configure it not to retain sent mail or email addresses, but because gmail is not a core app, students can sign out of the gmail app and back in again with their own email addresses. They then leave themselves signed in and the next student who gets that email address can access that student's emails.

I have the same problem with dropbox. Again, I wish Apple would let us restrict what we need to restrict, or at least make it easy for me to revert the changes made by wiping it to a predetermined state.

Sorry for the long moan!

OK, I've managed to get all the way through the instructions above and it all seems to be working.

My findings/problems so far:

1) Login and password details for Word, Excel, Powerpoint and Dropbox are all saved and pushed onto the devices by Apple Configurator. However, Chrome and Gmail are not. This means I have to log into Chrome (we have a shared account so teachers can add their own bookmarks via folders etc) and Gmail manually on each iPad. (My reason for using the Gmail app over the Mail app is due to the latter's inbuilt save-all-email-addresses-you-send-emails-to setting which means kids can get hold of their classmates' personal email addresses).

2. I used the "attempt to manage unmanaged apps" setting and it doesn't work for a single app. So nothing installed via Configurator can be turned from managed to unmanaged. Is this because the iPads all come from a restored backup via the Blueprint?

3. The Meraki password to stop the Meraki profile from being removed doesn't work. I've done some reading on this and it appears this is a meaningless setting as Apple does not allow such a password to be set anyway. So how can I stop Meraki from being uninstalled? Prior to setting up with the instructions from weinsteinbevit above, the devices were enrolled on the DEP. So as soon as you wipe them, they get re-enrolled anyway. The instructions above said to unenroll them from DEP (so counterintuitive!) to enable the IT administrator to copy backups to supervised iPads.

I've just tried re-enrolling one iPad onto DEP (succeeded) and then wiped it via Meraki. It comes back as a clean iPad, which is not the result I wanted. So is there any way to get the device to automatically re-enroll or is this a necessary sacrifice in order to get the Blueprint and restore backup function to supervised iPads to work?

Well I will try to answer your questions as best as I can -

For #1 - I'm not sure what you can do to prevent a mail app from caching data from one user to the next. Have you considered having them use a web interface for email (web link on the iPads) instead? Most all web interfaces for mail clear out credentials/data once closed unless the user explicitly told the web browser to save the credentials, but I think that can be turned off in a restrictions profile.

For #2 - the "attempt to manage unmanaged apps" is actually a 2-stage process. I'm sorry I didn't realize this before. You must first check the "Attempt to manage unmanged" check box for an app, save the new settings, and then a link will appear under Status that says "Change to managed". Once you click on that and wait a minute for the devices to update, Meraki should take over management for that app.

For #3 - the Meraki Profile password seems to work okay on my end. When I go into Settings -> General -> Device Management and attempt to Remove Management it prompts for the profile passcode. Or are you talking about the Meraki app? If it's ever deleted you can just re-push the app from the client dashboard. The device remains managed by Meraki even if the app is removed.

The only thing DEP really does for you is automate enrollment/re-enrollment. Since automated re-enrollment prevents you from installing whatever specialized blueprint you've created, there's no point in using DEP at all. It's just going to dump a profile onto your device that you don't want in the first place. We just leave it off for our environment and use the QR Code for manual enrollment per device. As far as I can tell there is no 'reversion' solution no matter how you slice it. You'll always have to restore devices from a cart or direct iPad-to-Mac connection to get it back to the original state you want it in. Yes - this totally ***** for what you, me and many others who want better device management. Makes me wish for an iPad equivalent of Deep Freeze.

Can i create a "restore" blueprint for the teachers ipads using the same macbook or will that mess up the blueprints and profiles.

You should be able to make as many different restore blueprints as necessary on the same Macbook without running into any issues... student, teacher, or otherwise.

So If i have a backup for students and a backup for teachers...i would need two different macbooks?

No, you can create multiple backups using the same Macbook. You would then create several different restore blueprints and each of those blueprints would apply a different backup. Basically, you would repeat my step 8 as many times as needed for as many different backups as you have. Hope this helps.

thanks for the help...when AC2 is done, is it ok to disconnect the usb cable even though the loading symbol is there?

It's probably okay, but I usually let it go until those are all complete just to play it safe. I think that's just indicating that it's still refreshing the data from those iPads to determine their status.

Speaking from experience, just be sure to create your multiple backups from different iPads. Don't try to use the same device to create different backups. A second backup of the same device will overwrite the first one.

My question is, why i 'm losing my iPads names when i restore them? I try different setting but my 20 iPad finish with the same name: iPad.

It seems all of the iPads are renamed to the name the backed-up iPad had, unfortunately. I do wish there was a way to maintain the device names the way Apple Configurator 1 worked!

Thanks so much for the detailed post, has been extremely beneficial!

One note around DEP, I work in a school where we have school owned iPads and the advantage of DEP is that it prevents the MDM profile from being deleted. That said, I followed these steps but skipped steps 3 and 4 in the deployment step and it did work for a DEP enabled device. Now all of our iPads actually have DEP, and I'm not sure if this made a difference, but the Master Backup was actually from an iPad without DEP.

We're also using Meraki but the legacy version which is free for unlimited users but also lacks some of the new features, such as device based app distribution, which would greatly help us avoid using Apple IDs for these shared iPads. That's another topic I guess to explore.

Thanks again

@wheelspinning

That's potentially very interesting! So are you saying you've enrolled the iPads with Meraki and got them supervised and on the DEP so the Meraki profile can't be removed?

Or are they just unsupervised?

@wheelspinning

Assigning a passcode to the Meraki profile prevents it from being deleted (at least that's worked for us but it may be a feature in the newer version of Meraki). I will have to test your method to see how it works - I have a new set of iPads to run through it anyway and will give it a go.

Good info!