Preparing for Apple devices
As Apple devices are being deployed in more and more schools and businesses across the country, we are regularly asked by IT managers, “What can we do to prepare?”
In truth the answer to that question can be very short or very long depending on the exact circumstances, but when it comes to many of our education customers the answer almost always includes three steps. In this article we will outline those three steps, and in doing that hopefully give you a head start in preparing for iPhone, iPad or Mac on your network.
Apple School Manager or Apple Business Manager
All of your devices need to be registered with Apple under your institution's Apple School Manager or Apple Business Manager account. We have a great write-up on what Apple School Manager is and how to get an account if you don't already have one here.
One of the first jobs any institution should do prior to embarking upon a new deployment of Apple technology, or refreshing an existing deployment, is to generate an up-to-date inventory of your Apple hardware and work with the original suppliers to get it enrolled in your Apple School Manager or Apple Business Manager account. If you're not sure how to do that please get in touch.
Once devices are registered against your Apple account for device management, we can leverage that to automate MDM enrolment, app installation and more.
Whitelist Apple and your MDM
To ensure that Macs and iPads can activate properly and communicate with your chosen MDM, you may need to prepare your network. In our example here we're using the Jamf Pro MDM, which underpins our FirstClass Managed Service for schools.
To check your existing network access, grab a device (an iPad is probably the easiest) and connect it to your network. Importantly, make sure that the test device doesn't have SSL certificates installed for your web filter. Then simply try to access the following websites using Safari (substitute jamfcloud.com with your chosen MDM if not using Jamf Pro):
If you get an error page from your browser suggesting that you can't access these sites, or that you have an insecure connection to these sites, then you need to work on your firewall and web filter to ensure that connections to Apple and Jamf bypass all outbound filtering and firewall rules. The basic requirements are:
1. Whitelist the Apple network block 17.0.0.0/8 on all ports
Ports 80 & 443 for http/https and 5223, 2195 and 2196 for Apple Push Notification services are the most important, but whitelisting all ports will alleviate any ongoing issues when Apple expand or change devices and services in the future. Apple maintain a full list of required connections on this page.
2. Whitelist your MDM server URL on port 443
KRCS managed services are underpinned by Jamf Pro as our chosen MDM, so the wildcard URL https://*.jamfcloud.com/ has to be whitelisted. Like most other cloud MDMs, this can't be resolved to an IP address because of load balancers.
Further public information supporting this advice can be found via these links:
- https://support.apple.com/en-us/HT210060
- https://support.apple.com/en-us/HT203609
- https://support.apple.com/en-gb/HT202944
- https://www.jamf.com/jamf-nation/articles/409/permitting-inbound-outbound-traffic-with-jamf-cloud
- https://www.jamf.com/jamf-nation/articles/34/network-ports-used-by-jamf-pro
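The Safari check described above can also be scripted from a laptop on the same network. This is an added example, not part of the original article or of any Jamf or Apple tooling: it takes host:port pairs on the command line (the hostnames are yours to supply), and it assumes that only port 443 is checked as TLS while other ports get a plain TCP connect.

```python
import socket
import ssl
import sys

def probe(host, port, timeout=5.0):
    """Return (status, detail); status is 'ok', 'blocked' or 'untrusted'."""
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except OSError as exc:  # refused, timed out, or DNS lookup failed
        return "blocked", str(exc)
    if port != 443:  # assumption: only 443 is checked as TLS; others get a TCP connect
        sock.close()
        return "ok", "TCP connect succeeded"
    ctx = ssl.create_default_context()  # system trust store, hostname checking on
    try:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            issuer = dict(rdn[0] for rdn in tls.getpeercert()["issuer"])
            return "ok", "certificate issuer: " + issuer.get("organizationName", "unknown")
    except ssl.SSLCertVerificationError as exc:
        # Chain does not reach a trusted root: consistent with a filter re-signing traffic.
        return "untrusted", exc.verify_message
    except (ssl.SSLError, OSError) as exc:
        return "blocked", "TLS handshake failed: %s" % exc
    finally:
        sock.close()

def parse_target(text):
    """Split 'host:port' into (host, int(port))."""
    host, _, port = text.rpartition(":")
    if not host or not port.isdigit():
        raise ValueError("expected host:port, got %r" % text)
    return host, int(port)

def main(argv):
    failures = 0
    for arg in argv:
        host, port = parse_target(arg)
        status, detail = probe(host, port)
        print("%-10s %s:%d  %s" % (status, host, port, detail))
        failures += status != "ok"
    return 1 if failures else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it on a machine that, like the test iPad, does not have the web filter's certificate installed. Where the filter's certificate is trusted, an inspected connection reports "ok", so read the printed issuer: it should be a public certificate authority, not your filter vendor.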
Enable Apple Content Caching
Apple Content Caching is a service that can be enabled on a Mac running macOS 10.13 High Sierra or later. When started, it registers with Apple to tell them that your network has a caching service, and is then checked by all Apple devices when downloading apps, books or iCloud data to see if a local copy exists before downloading it from the internet.
If a local copy doesn’t exist on the caching server, it’s cached during the first download from the internet, allowing future requests of the same data to come from your local caching server. All of which is invisible to the end user.
Content caching provides significant speed improvements to the user experience when installing apps and logging in to Shared iPads. To find out more about configuring the caching service click here.
We hope that this advice has been helpful, and potentially given you the ‘head start’ promised in preparing for Apple devices on your network.
For further information please contact your KRCS account manager, call us on 0115 985 1797 or email info@krcs.co.uk.