Thursday, October 8, 2015

Apple VPP & DEP setup with iOS devices

Screenshots removed with private data...

Started piloting a 1:1 iPad program for 2nd grade for the 2015-2016 school year. Previously, we'd been using a general Apple ID allowing teachers to download free Apps, and had also been using Apple Configurator. Knew there was a way to install iOS Apps remotely without any user interaction, so started investigating. This also bypasses the need to use Apple Configurator at all IF we purchased through the Apple Education Channel. Win!
In large part, used this documentation from JAMF on the process of getting iOS devices to join our MDM server straight out of the box, to VPP, and then deploying Apps. My general steps from using the guide:
  1. Configure to work with DEP.
    When enrolled in Apple's DEP, had to set up the JSS to talk to Apple's DEP server. Once the servers are talking to each other, the devices we've purchased through the Apple Education Channel need to be added to Apple DEP. Log in using dep@mtbethelchristian.org (access code is tied to John DuVal's cell phone) –> Device Enrollment Program (Get Started > LINK) –> Manage Devices. Add by Serial Number or the Order Number and assign to our server.
  2. Now back in the JSS, we should see the devices enroll there:
  3. Set up devices for PreStage Enrollment. For lots of devices, use the Mobile Device Names option. Throw them all in a CSV, copy & paste in, and you don't have to type all the names into the iPads!
    Check the devices in Scope desired for this enrollment.
  4. Create Smart Groups for iPad devices based on the naming convention.
  5. Turn on the iPads, and they all get enrolled automatically in the JSS. W00t!
VPP Invitations - Getting devices (users) in VPP:
  1. Need to link the Apple VPP account (using your VPP Account credentials) to the JSS:
  2. In the JSS, under Mobile Devices, assign both a Username & E-Mail to the mobile device. These need to be consistent, as a Smart Group will match on them to send out VPP invitations & codes.
    Examples:

  3. Create a Smart User Group (use Like: Email address or Username, depending on how Usernames & e-mails were given out).
  4. Within Users –> VPP Invitations, invite those users to VPP.

  5. On the iPads, they will get a prompt to accept. If it's misentered, just hit RESEND from the VPP Invitations JSS page. Users will be prompted on the iOS devices to accept. Do so. Note that if they have NOT signed into iTunes, they will be forced to sign into iTunes in the end. Just sign in with the account assigned in Mobile Devices.
  6. For carts, I used a tool to create them en masse. Read more here.
  7. If Username assignments need to change, change them in the Users section. Changing the Username within Mobile Device Inventory creates a NEW user - the previous name will still be in the Users inventory!
  8. Once users have accepted VPP Invitations, we now scope VPP licenses….
VPP Assignments (Users tab) - SCOPING VPP LICENSES (Via Managed Distribution)
  1. After users have accepted their VPP Invitations, 1) assign VPP licenses to Users and 2) assign Apps to Devices. Assigning Apps uses up the VPP License. It can get a bit confusing since we're assigning Licenses to Users, but then the Apps are assigned by Device. Just have to be careful in distributing them.
    -Note that this used to be VPP Codes - we'd need to download a CSV with codes and then upload them into Apple Configurator or our MDM. By syncing our Casper MDM with the Apple VPP Server as previously mentioned, those Licenses “purchased” (quotes because this also applies to Free Apps) come across automatically, and we don't have to deal with the CSV files. Hence, Licenses.
  2. Log into the Apple VPP Page using vpp@mtbethelchristian.org
  3. Purchase the Apps using Managed Distribution (currently the only option for Free Apps - Paid Apps still have the VPP Codes option. Codes bad, m'kay!).
  4. Create a new App VPP Assignment - I usually give it the name of the VPP License from the Apple page.
  5. Only check ONE App per VPP Assignment. You will assign User Groups per assignment, though.
    -Note that Apps purchased in the Apple VPP page should automatically appear in the JSS under VPP Assignments, as the 2 servers are supposed to sync with each other. If Apps are not appearing … restart the Casper server, and contact JAMF Support if they're still not.
  6. Wait a bit before the next step. A VPP Assignment basically makes it look to that user's iTunes account (as assigned via VPP Invitations) as if they've purchased the App, with that cloud icon in the App Store. Sometimes it takes a while for the account to get notification that it now “owns” that App. There won't be any user interaction during this period - it all silently happens in the background.
  7. DISTRIBUTING APPS
  8. Mobile Devices –> Apps.
  9. Pick an App to assign and set the Distribution Method to Install Automatically/Prompt Users to Install. If we've assigned VPP licenses properly to that Mobile Device's user, that App will then automatically install since they already “own” it. This step is basically telling the Mobile Device to download the App now.
  10. As long as we get everything in place - 1) inviting users to VPP and them accepting, 2) assigning VPP Licenses, & 3) assigning Apps - Apps will get silently deployed to end-users.
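The two paste-ins above (device names for the PreStage, then a Username & E-Mail per device for the VPP Smart Group) only work if all three follow one convention, because the Smart Groups match on them and a mismatched name silently drops a device out of scope. Here is an added example, not JAMF's tooling and not the cart tool mentioned above, that builds both lists for one cart from a naming convention and checks them for duplicates and drift before anything is pasted into the JSS. The convention (G2-C1-iPad-01 / g2c1ipad01 / g2c1ipad01@example.org), the example.org domain, the single-column shape of the names list and the serial numbers are all assumptions.

```python
"""Build the PreStage 'Mobile Device Names' list and the matching Username /
E-Mail assignments for one iPad cart, and check them before pasting into the JSS.

Added example, not JAMF's tooling. The naming convention, the e-mail domain and
the serial numbers below are assumptions for illustration."""
import csv
import io
import re

EMAIL_DOMAIN = "example.org"  # assumption: where the VPP invitation users live

# Constructed serial numbers for one cart (not real devices).
SAMPLE_SERIALS = ["DMPAAA0001", "DMPAAA0002", "DMPAAA0003", "DMPAAA0004"]


def device_name(cart: str, slot: int) -> str:
    """Device name under the convention the Smart Groups key on, e.g. G2-C1-iPad-07."""
    return f"{cart}-iPad-{slot:02d}"


def username_for(name: str) -> str:
    """Derive the JSS Username from the device name so the two cannot drift apart."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def email_for(username: str) -> str:
    """E-Mail is username@domain, so a 'Like' Smart Group on either field finds the same devices."""
    return f"{username}@{EMAIL_DOMAIN}"


def build_rows(cart: str, serials: list[str]) -> list[dict[str, str]]:
    """One row per iPad: serial, device name, username, e-mail."""
    rows = []
    for slot, serial in enumerate(serials, start=1):
        name = device_name(cart, slot)
        user = username_for(name)
        rows.append({"serial": serial, "name": name,
                     "username": user, "email": email_for(user)})
    return rows


def check_rows(rows: list[dict[str, str]]) -> list[str]:
    """Return the problems found; an empty list means the rows are safe to paste in."""
    problems = []
    seen_serials: set[str] = set()
    seen_names: set[str] = set()
    for r in rows:
        if r["serial"] in seen_serials:
            problems.append(f"duplicate serial {r['serial']}")
        if r["name"] in seen_names:
            problems.append(f"duplicate device name {r['name']}")
        seen_serials.add(r["serial"])
        seen_names.add(r["name"])
        if r["username"] != username_for(r["name"]):
            problems.append(f"{r['name']}: username {r['username']} "
                            "does not follow the naming convention")
        if r["email"] != email_for(r["username"]):
            problems.append(f"{r['name']}: e-mail {r['email']} "
                            f"does not match username {r['username']}")
    return problems


def names_csv(rows: list[dict[str, str]]) -> str:
    """Single column of device names: the shape assumed for the PreStage paste-in."""
    out = io.StringIO()
    writer = csv.writer(out)
    for r in rows:
        writer.writerow([r["name"]])
    return out.getvalue()


def assignments_csv(rows: list[dict[str, str]]) -> str:
    """serial,name,username,email - the per-device Username / E-Mail assignments."""
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=["serial", "name", "username", "email"])
    writer.writeheader()
    writer.writerows(rows)
    return out.getvalue()


if __name__ == "__main__":
    cart_rows = build_rows("G2-C1", SAMPLE_SERIALS)
    for problem in check_rows(cart_rows):
        print("PROBLEM:", problem)
    print(names_csv(cart_rows))
    print(assignments_csv(cart_rows))
```

Run it once per cart and paste the first output into the PreStage and the second into the Mobile Device records; if check_rows reports anything, fix the rows first, since a username that drifts from the convention is exactly the device that never receives its VPP invitation.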

Tuesday, March 25, 2008

Logon (printer) scripts

I did some work on using logon scripts to map network printers the other day, but it's time to implement it. I normally set student security restrictions so they cannot add/delete printers, but they nonetheless inevitably get deleted or something.
Something like this:
(fyi, '::' comments out batch lines; in VBScript a leading apostrophe comments out a line)

[x.bat]
net use s: \\server\share
:: SHARE can be SYSVOL for simplicity; test2.vbs is a second script, left disabled
::cscript //nologo \\server\SHARE\test2.vbs
:: cscript //nologo runs the script in the console host instead of popping up WScript windows
cscript //nologo \\server\SHARE\test.vbs

[test.vbs]
Option Explicit
Dim netPrinter, UNCpath
' printer share name comes from Printer properties --> Share tab
UNCpath = "\\server\PrinterShare"
Set netPrinter = CreateObject("WScript.Network")
' runs as the logged-on user, so this creates a per-user printer connection
netPrinter.AddWindowsPrinterConnection UNCpath
' left commented out: students don't need to see where the printer comes from
'WScript.Echo "Your printer is mapped from : " & UNCpath
Set netPrinter = Nothing
WScript.Quit

I comment out the Echo because students don't need to know where the printer is mapping from. Does anyone?
Regardless, this way, printers can be added even with GP saying otherwise. The GP restriction removes the Add Printer wizard rather than the underlying ability, and the script runs as the logged-on user, so it grants nothing the user doesn't already have; because it is a logon script, a connection that gets deleted simply comes back at the next logon. Rock on.

Security auditing

My project right now is to properly use server audits for logons to the domain. As of now, let's just say the auditing is nonexistent. Now it's time to change that!

As you can see with two of my servers (which also happen to be the two domain controllers), the security audits are quite lacking:






On the other hand, you have my db server which is getting massive hits:



I'm not quite sure why all the hits. In the past, it's come from other users. Something I will surely investigate. However, right now, the plan's to get unsuccessful and successful logon attempts onto domain computers logged!

Now for some more excitement, a snapshot of my current AD setup and GP links:

Note that the test OU is for, well, testing purposes. I use an XPSP2 VM to test my user-applied GP policies.

Well, looks like I somewhat failed at life. Looking at gpedit.msc:

I changed "Audit account logon attempts," but it seems that didn't get the right result. All I got in event viewer was access to resources on the server. That's not a bad thing, and I probably will enable it later (hm, who accessed a server resource at the time when this virus was created? Oh, this one user. hm!) Looking at details, it appears I need to enable "Audit logon events." Shall we see what happens now?
It's also worth noting that after each gpedit, I run gpupdate to propagate my edits - otherwise it takes 5 minutes or so. Not much time, but when working on this stuff, I don't want to wait 5 minutes between every update to see what my changes did.

Eureka! Take a look:

I logged on as test onto vm2. Looks like it's doing what I want now.
Well, I wasn't totally right. Turns out that in addition to logging logons/logoffs, it records every access to a network resource. Again, not a bad thing, but I want to be specific here. Time for further investigation.
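Both observations line up with how the two policies work: "Audit account logon events" is recorded on the machine that validates the credentials (for domain accounts that is the DC: Kerberos 672/673 and NTLM 680), while "Audit logon events" is recorded on the machine where the session is created (528 success, 529 failure, 540 network logon), and on a domain controller that includes a type-3 network logon for every share, printer or RPC access. Here is an added example, not the blog's own script, that triages such a log the way the investigation above is heading: keep the interactive logons and failures, set aside the type-3 resource-access noise, and flag accounts with repeated failures. The event records are constructed for illustration in the shape of the pre-Vista Security log fields; they are not exported logs.

```python
"""Triage pre-Vista (XP / Server 2003) Security log entries produced by
"Audit logon events": separate interactive logons and failures from the
type-3 network logons that every file-share or printer access generates.

Added example, not the blog's script. SAMPLE_EVENTS is constructed for
illustration in the shape of the pre-Vista event fields; not an exported log."""
from collections import Counter

# "Audit logon events" IDs on XP / Server 2003 (recorded where the session is created)
SUCCESSFUL_LOGON = 528
LOGON_FAILURE = 529      # unknown user name or bad password
LOGOFF = 538
NETWORK_LOGON = 540      # successful network logon: share, printer, RPC
# "Audit account logon events" IDs (recorded on the DC that validated the account)
KERBEROS_TGT = 672
KERBEROS_SERVICE_TICKET = 673
NTLM_ACCOUNT_LOGON = 680

LOGON_TYPES = {2: "Interactive", 3: "Network", 4: "Batch", 5: "Service",
               7: "Unlock", 10: "RemoteInteractive"}

# Constructed sample, not a real log: one test logon on vm2, some share
# traffic, and one account failing three times from a lab machine.
SAMPLE_EVENTS = [
    {"id": 528, "logon_type": 2, "user": "test", "workstation": "VM2"},
    {"id": 540, "logon_type": 3, "user": "test", "workstation": "VM2"},
    {"id": 540, "logon_type": 3, "user": "jdoe", "workstation": "LAB-07"},
    {"id": 529, "logon_type": 2, "user": "jdoe", "workstation": "LAB-07"},
    {"id": 529, "logon_type": 2, "user": "jdoe", "workstation": "LAB-07"},
    {"id": 529, "logon_type": 2, "user": "jdoe", "workstation": "LAB-07"},
    {"id": 538, "logon_type": 2, "user": "test", "workstation": "VM2"},
    {"id": 680, "logon_type": None, "user": "jdoe", "workstation": "LAB-07"},
]


def is_resource_access(event: dict) -> bool:
    """Event 540 with logon type 3: someone touched a share or printer, not a desktop logon."""
    return event["id"] == NETWORK_LOGON and event["logon_type"] == 3


def interactive_logons(events: list[dict]) -> list[dict]:
    """Successful console-style logons (type 2, 7 or 10): the ones worth reading."""
    return [e for e in events
            if e["id"] == SUCCESSFUL_LOGON and e["logon_type"] in (2, 7, 10)]


def failed_logons(events: list[dict]) -> list[dict]:
    """Every 529, whatever the logon type."""
    return [e for e in events if e["id"] == LOGON_FAILURE]


def failures_by_user(events: list[dict], threshold: int = 3) -> dict[str, int]:
    """Accounts with at least `threshold` failures: typo storms or password guessing."""
    counts = Counter(e["user"] for e in failed_logons(events))
    return {user: n for user, n in counts.items() if n >= threshold}


def summarize(events: list[dict]) -> dict[str, int]:
    """Bucket counts so the noise (network) is visible next to the signal."""
    summary = {"interactive": 0, "failed": 0, "network": 0, "other": 0}
    for e in events:
        if is_resource_access(e):
            summary["network"] += 1
        elif e["id"] == LOGON_FAILURE:
            summary["failed"] += 1
        elif e["id"] == SUCCESSFUL_LOGON and e["logon_type"] in (2, 7, 10):
            summary["interactive"] += 1
        else:
            summary["other"] += 1
    return summary


def describe(event: dict) -> str:
    """One readable line per event for the console."""
    kind = LOGON_TYPES.get(event["logon_type"], "n/a")
    return f"{event['id']} {kind:<17} {event['user']:<8} from {event['workstation']}"


if __name__ == "__main__":
    print("interactive logons:")
    for e in interactive_logons(SAMPLE_EVENTS):
        print("  " + describe(e))
    print("failed logons:")
    for e in failed_logons(SAMPLE_EVENTS):
        print("  " + describe(e))
    print("repeat failures:", failures_by_user(SAMPLE_EVENTS))
    print("summary:", summarize(SAMPLE_EVENTS))
```

The split on logon type is the part that matters: filtering by event ID alone still leaves 540 in the pile, and that is the "every access to a network resource" noted above. Feed real events in by mapping the Event ID and Logon Type fields of each Security log record onto the same four keys.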