Before you can manage classes in Workspace ONE UEM, you must integrate with Apple School Manager (ASM). You must complete tasks in both the UEM console and in the Apple School Manager portal.

To complete integration, your organization must already be registered with Apple School Manager.

Workspace ONE UEM requires the following:

  • If you are uploading CSV files to Apple School Manager, have all your files prepared.
  • When you begin configuring the DEP profile using the wizard in the UEM console, keep the same browser session open. You cannot save your activity until you complete the final configuration step, so it is important to finish the entire configuration in one browser session.
  • Do not use Internet Explorer as your browser when performing any of the integration steps.

Enable Education Functionality

Enable education functionality to sync information later between Apple School Manager and the UEM console. Ensure that the organization group is set to the Customer level. To enable, navigate to Groups & Settings > All Settings > Devices & Users > Apple > Education.
Setting General

Enable Education

Features

 Select Enable to turn education functionality on.
Class Source Select your Apple or Workspace ONE UEM as your Education functionality provider.

Note that changing sources and saving the configuration will delete all existing classes.
Set Maximum Resident Users Specify the maximum number of users each device's memory can support. This value divides the local storage on the iPad evenly for that number of users. If the number of users exceeds this setting, additional users' information is stored on iCloud instead of on the device.

Configure Apple School Manager

Use Apple School Manager (ASM) to create classes, individuals, managed Apple IDs and a virtual MDM server container to assign devices for management. Before you begin, your institution must be enrolled with ASM and an administrator account must be set up.
Note: Do not use Internet Explorer to complete these steps.
  1. Navigate to Apple School Manager.
  2. Sign in with your organization's Apple credentials.
  3. Confirm your identity by entering the verification code. The Apple School Manager portal screen appears.
  4. Choose to Trust Your Browser if you are on a secure network.
  5. Select Get Started to automate MDM enrollment the first time you sign into ASM.
  6. Use the Set Up Assistant to add Managers, and Find Students Staff and Classes by connecting to your Student Information System or by uploading CSV files, and Create Accounts and Classes. For more information, see Apple School Manager Help.
  7. Select Close Setup Assistant when you are finished.
  8. Navigate to Device Assignments and select MDM Server in the left-navigation pane to begin configuring a server.
  9. Select Add MDM Server and enter the MDM Server Name to create a container that groups devices in the ASM portal for management in the UEM console. Leave this window and the browser session open. The MDM server name may refer to a server, department, or location.
  10. Navigate to the UEM console and obtain a Public Key as described in Link to Apple School Manager section.
  11. Select Upload File to upload the key.
  12. Download the Server Token and save it in a convenient location to upload to the UEM console later.
  13. Select Save MDM server.
  14. Choose to Assign Devices to Server and select the server name.
  15. Choose how to Manage Devices and add devices by manually adding serial numbers, order numbers, or uploading a CSV file.
  16. Select Done.

Link to Apple School Manager

Now that you created an MDM server in Apple School Manager (ASM), exchange keys to allow for mutual authentication between Workspace ONE UEM and Apple so that you can sync devices and class information later.

  1. n the UEM console, navigate to Groups & Settings > All Settings > Devices & Users > Apple > Device Enrollment Program and select Configure. A Device Enrollment Program window appears.
  2. Download the public key by selecting the MDM_DEP_PublicKey.pem file and save the public key. Leave this window and the browser session open.
  3. Navigate back to the Apple School Manager window you left open.
  4. Select Upload File and Upload your Public Key in Apple School Manager.
  5. Navigate to the MDM_DEP_PublicKey.pem that you downloaded from the UEM console and upload it. Select Next.
  6. Select Your Server Token to receive an encrypted Apple Server Token file (.p7m) and save it in a convenient location.
  7. Navigate back to the Device Enrollment Program window of the UEM console.
  8. Select Upload and select Apple Server Token File (.p7m). Select Next.

    Device Enrollment Program page shows Download Public key to get encrypted authentication token from Apple and Upload Public key to Apple.

Workspace ONE UEM and Apple can authenticate each other.

Profiles for Workspace ONE UEM School Manager Shared Device Management

Profiles are the primary means by which you can manage devices. Profiles are the settings, configurations, and restrictions that, when combined with compliance policies, help you enforce corporate rules and procedures.

The individual settings you configure, such as Wi-Fi, VPN, and passcodes, are called payloads. In most cases, only one payload is associated per profile for security profiles, which means you have multiple security profiles for different settings you want to establish.

When you configure a profile for a deployment integrated with Apple School Manager, you must select whether a profile applies to a Device or a User. User profiles are important for Shared Device deployments where users may log in to multiple devices, and need the proper Profile configuration present on each device.

DEP Profiles for ASM

Enrollment through DEP is required for Shared iPads and suggested for one-to-one devices to enable supervision on devices. After you create class rosters and configure your MDM server container, create an MDM configuration profile for devices using the Device Enrollment Program (DEP) wizard in the UEM console. For more information on configuring DEP profiles and syncing them in the UEM console, see the VMware Workspace ONE UEM Guide for the Apple Device Enrollment Program.

Build one profile for either Shared iPads or one-to-one devices using wizard now, and then select Add Profile to create additional profiles if you are deploying both shared and single-user devices. To do this, navigate back to the Device Enrollment Program window in the UEM console and continue using the DEP profile wizard.
Note: If you do not use the DEP option, then you must supervise devices using Apple Configurator 2 and enroll devices through the Web or the Workspace ONE Intelligent Hub.

DEP Profile Requirements for Shared iPads in Apple Schoool Manager Deployments

Shared iPads require specific configuration. Use the following table as a reference when completing the DEP wizard to ensure that your profile meets the following requirements.

Setting Description
Authentication

Prepare devices for enrollment using the following method.

  • Turn Authentication Off for Shared iPads.
  • Set the Staging Mode to Multi-User with Default Enrollment User options.
MDM Features

Enable ALL of the following features that are required for management.

  • Supervision - Put the device in Supervised mode, which is an alternative to configuring Supervised devices using Apple Configurator 2.
  • Shared Devices - Enable this option to use Shared iPads.
  • Await Configuration - Use if the MDM server is expected to send another command such as Maximum Resident Users before the device allows the user to proceed in the Setup Assistant.

This feature is optional for Shared iPad management:

  • Device Pairing - Allow the device to sync with any workstation through iTunes, Configurator, and Xcode.

    • Optionally, set this to Disable and choose specific devices with which to pair. Select Add > Upload > Choose File and follow the prompts to upload a supervised identities certificate that was downloaded from Apple Configurator 2 to pair those devices.
Setup Assistant Choose to Skip all the Setup Assistant features except for Locations Services if you want to search for devices in Lost Mode or track devices.

DEP Profile Requirements for One-to-One Devices in Apple School Manager

Configure these devices as needed for your organization. Use the following table as a reference when completing the DEP wizard.

Setting Description
Authentication Choose any of the features that best meet your organizational needs.
MDM Features Choose any of the features that best meet your organizational needs.
Setup Assistant Choose any of the features that best meet your organizational needs. You can choose to Skip or Don't Skip features. Choose Don't Skip for the Locations Services option if you want to search for devices in Lost Mode or track devices.

Manually Assign or Remove a DEP Profile

For Apple School Manager deployments, you must assign profiles to the appropriate devices after creating them for both Shared iPad and one-to-one configurations.

  1. Navigate to Devices > Lifecycle > Enrollment Status.
  2. Select the devices needed for the action.
  3. Select the More Actions > DEP Profile and select one of the following options:
    • Assign Profile – Assign new or additional DEP profiles to selected devices. The DEP profile is not updated on a device until the device is factory wiped or re-connected to Wi-Fi.
    • Remove Profile – Removes existing DEP profiles from selected devices.

Sync Class Rosters

After configuring Apple School Manager and the corresponding DEP profiles, sync the information with the UEM console. All the available classes and members populate the Class List and Members under the Education tab.
  1. Navigate to Hub > Education > Class List.
  2. Select Sync Classes.
  3. View the statuses that appear at the top of screen to notify you when the sync is in progress and when it's complete. Refresh the page as needed.
    Note: Whenever you update information in Apple School Manager, you must Sync Classes again to update the UEM console and enrolled devices.
    When the sync is complete, the time and date of the most recent sync is recorded in the tool tip for reference.

Use Sync Reports

If the UEM console fails to sync with Apple School Manager and the classes do not load, then review reports to find out why the sync failed.
  1. Navigate to Monitor > Reports & Analytics > Events > Console Events.
  2. Scroll to the Roster Sync Failed report and select the hyperlink to review the report.