This document is aimed at Mobile Guardian staff and Partners, to support their work with end users. It outlines the information that may be required and covers key questions to help clients with their decision-making processes.
2. Key Questions
What operating systems are you onboarding? Please take a look at OS-specific sections.
Do you operate a Global Proxy?
Do you operate across multiple sites, or will the devices be used in multiple locations?
If so, do you have the details of the Geo Fence area(s) needed?
Have these been validated against Google Maps for accuracy?
2.1. Considerations / School Scenarios
2.1.1. School purchasing / setup scenarios
- School-based devices enrolled via automated process (e.g. DEP for iOS devices).
- School-owned devices, purchased ad-hoc and initially set up by school staff (or allocated support).
- Devices brought into school as BYOD.
These can be further broken down depending on how the devices are going to be managed and used.
a) Devices are managed by the school and controlled as part of allocation to classrooms or areas. These devices can be used as standalone devices, via allocated use by authentication to online services such as VLEs, or set for sharing through tools that allow users to log in, such as Apple School Manager, Google Classroom or Microsoft O365 Classroom. (The amount / areas each tool subsequently allows that user to access will vary from platform to platform.)
b) Devices are managed and controlled by the school and allocated to an individual. This could be a school owned device or it may be at the request of parents.
c) Devices are generally managed and controlled by parents and students but some areas (e.g. filtering) are managed by the school.
3. Technical Pre-requisites
- An 802.11 wireless network that is open or using a Pre-Shared Key (PSK)
- Ports that need to be open for registration: 80, 443
- For Apple devices: see https://support.apple.com/en-us/HT203609, but essentially TCP ports 5223, 2195, 2196 and 443 (5223 and 443 are for enrollment and control; the rest are for MDM servers). A check can be made by trying to access https://pqq.apple.com
- For Android and Chrome: Outbound TCP connections on ports 5228-5230
- Schools utilizing SSL-inspecting proxies will need to add a temporary network without SSL interception in order to configure tablets.
- Schools need to ensure that consistent connectivity and sufficient bandwidth are available for any initial deployment of apps.
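The port list above can be turned into a pre-deployment connectivity check run from the network the devices will use. This is an added example, not Mobile Guardian tooling; the function names and the `example.invalid` hosts are assumptions, and the hosts must be replaced with the endpoints documented by Mobile Guardian and the platform vendors.

```python
import socket

# Port requirements exactly as listed in the pre-requisites above.
REQUIRED_PORTS = {
    "registration": [80, 443],
    "apple": [5223, 2195, 2196, 443],
    "android_chrome": [5228, 5229, 5230],
}

def tcp_probe(host, port, timeout=3.0):
    """Return True if an outbound TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, filtered, or name not resolved
        return False

def preflight(hosts, platforms, probe=tcp_probe):
    """Check every required port for the chosen platforms.

    hosts maps a group name from REQUIRED_PORTS to the endpoint to test.
    Returns {group: [blocked ports]}; an empty list means the group passed.
    """
    groups = ["registration"] + [p for p in platforms if p != "registration"]
    unknown = [g for g in groups if g not in REQUIRED_PORTS]
    if unknown:
        raise ValueError(f"unknown platform(s): {unknown}")
    missing = [g for g in groups if g not in hosts]
    if missing:
        raise ValueError(f"no test host supplied for: {missing}")
    return {g: [p for p in REQUIRED_PORTS[g] if not probe(hosts[g], p)]
            for g in groups}

def summarize(result):
    """One line per group, suitable for pasting into a support ticket."""
    return [f"{g}: " + ("OK" if not blocked else
            "BLOCKED " + ", ".join(map(str, blocked)))
            for g, blocked in result.items()]

if __name__ == "__main__":
    # Placeholder hosts (assumptions): replace with the endpoints your
    # Mobile Guardian contact and the platform vendors document.
    hosts = {"registration": "mdm.example.invalid",
             "apple": "push.example.invalid",
             "android_chrome": "messaging.example.invalid"}
    for line in summarize(preflight(hosts, ["apple", "android_chrome"])):
        print(line)
```

A pass only shows that the TCP ports are reachable; it does not show whether an SSL-inspecting proxy is intercepting the traffic, so the non-intercepted network described above is still needed.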
3.2. OS-Specific Areas
Are you enrolled in DEP (Device Enrollment Program)?
- If so, then it needs to be set up to point to Mobile Guardian.
- If not in DEP, you will need access to Apple Configurator 2 (and a Mac to run it on).
Do you have a VPP (Volume Purchase Program) account?
- If so, log into your account at https://volume.itunes.apple.com/ and download the token.
- If not, then ensure you have the details of the AppleID used to purchase apps.
Do you have an existing ‘configuration’ file (usually from Apple Configurator)?
If you are onboarding more than 10 devices, then you will need to make use of the Apple Push Notification Service. Ensure you have a school-controlled AppleID that can be used for this.
The following items should be considered for pre-configuration:
- WiFi (This can initially be done via Apple Configurator 2 and allows devices to connect and continue registration automatically, rather than having to add details manually for each device)
- Device names. (This can be done within the Mobile Guardian Dashboard when you complete the initial Dashboard setup)
More detailed Apple Configurator 2 onboarding guidance is available as a separate guide. Any device running Apple Configurator 2 should be patched to the latest available version for all software.
Where possible, a macOS workstation should be running macOS Server with Caching enabled to improve performance on downloading and deploying software.