By Jon Xavier

If there’s one thing you learn quickly in the world of Apple IT, it’s that it’s full of acronyms. Virtually every Apple project or program for enterprise has a long name that quickly gets shorthanded to a different set of initials in day-to-day conversation.

Confusingly, it even seems like there are sometimes multiple acronyms to refer to the same thing. One such program is Apple School Manager. It’s commonly referred to as ASM, but depending on the context you’ll also hear admins throw around terms like VPP and DEP when discussing its functionality. We’re going to cut through some of the noise here and give you an overview of ASM and its components, and explain why it’s something Apple admins at schools will probably want in their toolkit.

About Apple School Manager

Apple School Manager rolled out in 2018 as a way to pull together several device management programs for educational institutions into a single, easy-to-use portal. It’s free, and open to administrators at institutions for K-12 or higher education.

Like its little sister, Apple Business Manager, Apple School Manager brings together Apple’s Device Enrollment Program (DEP) and Volume Purchase Program (VPP), giving admins better control over device provisioning, inventory, and app and ebook purchasing through iTunes.

ASM gives admins a number of important benefits:

  • A nearly “zero-touch” deployment experience for new devices
  • The ability to customize the setup assistant which new hires run through the first time they get on their computer.
  • Management through Apple Mobile Device Management (MDM) which cannot be removed or circumvented by end users.
  • Centralized license management for apps purchased through the App Store.
  • The ability to push apps to iOS and tvOS.
  • Integration with Student Information Systems
  • Additional role based access management options for teachers and students.
  • The ability to create and administer Managed Apple IDs for students, which allow them to log in to devices and iTunes U but not make commercial purchases.
  • Functionality related to tracking which classes devices are assigned to.
  • Integration with iTunes U, Apple’s school-focused app store, and Classroom, an app that helps teachers digitally augment their lessons with iPads.

Apple School Manager has built-in functionality for provisioning user accounts to students. It can integrate data from a Student Information System (SIS) and use it to create Managed Apple IDs, a special type of Apple ID that's owned by the school, administered through ASM, and can be used to log in to iTunes U, iCloud, and the Classroom app, but not normal iTunes, iBookstore, or commercial services.

Although it is powerful, it’s important to note that ASM is not a stand-alone device management solution. It’s designed to augment device management through mobileconfig profiles—either those installed manually through Apple Configurator or pushed remotely through the Apple MDM protocol. So you’ll need to integrate it with an MDM provider like Fleetsmith to get the best results.

What’s the difference between Apple School Manager and Apple Business Manager?

Apple Business Manager, often shortened as ABM, is Apple’s device management program aimed at companies and other organizations rather than schools.

The core of ABM is very similar to Apple School Manager. You get the Device Enrollment Program (DEP) and Volume Purchase Program (VPP), accessible through a single portal, with role-based access controls (RBAC) for security and compliance. Corporate IT doesn’t usually have anything analogous to student devices, however, so functionality related to that is omitted.

One interesting difference is that while Apple School Manager has account provisioning functionality built-in, with the ability to create Managed Apple IDs for students by pulling from a Student Information System, there's no corresponding Identity Provider (IdP) integration in Apple Business Manager. Although Apple Business Manager does support Managed Apple IDs, they are used solely as administrator accounts for ABM itself and not something that will be assigned to end users.

This does not mean Apple Business Manager can't be used with an IdP to create local user accounts. Some MDM providers integrate with IdPs, so this is something that can be set up as a part of onboarding through the Device Enrollment Program. But this is a feature of the MDM provider, rather than ABM itself.  

Device Enrollment Program (DEP) Overview

Apple’s Device Enrollment Program, or DEP, is the Apple program that allows for nearly zero-touch deployment of management on new Apple devices.

Device deployment is often one of the biggest time sucks for IT administrators. Every time a new employee starts or a new device arrives, there’s a whole process of creating new accounts, installing necessary software, drivers, and WiFi credentials; enabling encryption and storing the keys; and configuring the device to meet security and compliance guidelines. Done manually, this can easily add up to a couple of hours of work per device. It’s not uncommon for this to be something admins have to come in on the weekends to do.

DEP is intended to largely eliminate that workload. Once it’s set up, any devices purchased from Apple or an authorized retailer will come “pre-enrolled” in MDM, before they’re even unboxed. This allows admins to define the set-up steps ahead of time in their device management system and have them executed automatically on setup.

This all works through a step the OS takes automatically once it boots up for the first time. Upon powering on and connecting to WiFi, the device will poll Apple’s servers to see if it is supposed to be managed through an MDM. Apple will respond with a mobileconfig that will enroll the device, allowing the MDM to take over from there.

What’s more, MDM enrollment that happens through DEP is special in a few ways:

  • macOS devices enrolled through DEP are automatically considered to have User Approved MDM (UAMDM) without requiring any additional approval steps from the user.
  • iOS devices enrolled through DEP are automatically considered supervised devices.
  • The MDM enrollment cannot be removed or circumvented by the user if the admin chooses to enforce this option in Apple School Manager.
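
As an added example (not from the original article or from Fleetsmith), the script below classifies a Mac's enrollment state from the output of the macOS command `profiles status -type enrollment`, so an admin can confirm that a device really was enrolled through DEP with User Approved MDM. The two-line output format in the constructed samples is an assumption based on recent macOS releases, and the state names are hypothetical labels.

```shell
#!/bin/sh
# Added example: classify MDM enrollment from `profiles status -type enrollment`.
# Assumed output format (two lines), e.g.:
#   Enrolled via DEP: Yes
#   MDM enrollment: Yes (User Approved)
# State names printed below are hypothetical labels chosen for this example.

classify_enrollment() {
    # Reads the command output on stdin, prints exactly one state name.
    awk -F': *' '
        /Enrolled via DEP/ { dep = ($2 ~ /^Yes/) }
        /MDM enrollment/   { mdm = ($2 ~ /^Yes/); ua = ($2 ~ /User Approved/) }
        END {
            if (!mdm)           print "unmanaged"
            else if (dep && ua) print "dep-uamdm"            # expected for DEP devices
            else if (dep)       print "dep-not-approved"     # contradicts DEP behaviour: investigate
            else if (ua)        print "manual-uamdm"         # enrolled by hand, user approved
            else                print "manual-not-approved"  # enrolled by hand, approval pending
        }'
}

# Constructed sample outputs (not captured from real devices).
SAMPLE_DEP='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)'
SAMPLE_MANUAL='Enrolled via DEP: No
MDM enrollment: Yes'
SAMPLE_NONE='Enrolled via DEP: No
MDM enrollment: No'

for s in "$SAMPLE_DEP" "$SAMPLE_MANUAL" "$SAMPLE_NONE"; do
    printf '%s\n' "$s" | classify_enrollment
done
```

On a managed Mac, pipe the real command into the function: `profiles status -type enrollment | classify_enrollment`.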

DEP is really nice compared to the ways that admins used to have to deploy new devices. So why doesn’t Fleetsmith consider it to be a “true” zero touch deployment? This is because there are still usually a few extra touches with MDM+DEP before a device is completely set up: user accounts, apps, app configuration. There are also some limitations to management through MDM which mean it might not be enough to meet your needs on its own.

In our case, Fleetsmith installs the Fleetsmith Agent as its first order of business once enrollment through DEP is complete. That lets us complete any extra deployment steps seamlessly with no additional work from the admin. We call this True Zero Touch Deployment.

Volume Purchase Program (VPP) Overview

The Volume Purchase Program, or VPP, is the other major component of Apple School Manager. VPP simplifies the process of buying apps and ebooks through Apple and provides tools for centrally managing software licenses.

Without VPP, any app that is bought through the app store is the property of the user who buys it, not the school itself. That makes it difficult or impossible to reclaim that license and redeploy it in the event the user leaves, creating extra costs and extra headaches for IT.

VPP allows admins to purchase licenses in bulk ahead of time, assign them to devices, and then reclaim them when the devices are decommissioned or re-deployed. Although ebooks can also be purchased through VPP, they work a little differently—they can be bought in bulk ahead of time, but once they’re deployed to a device, they can’t be recovered. Another nice thing about VPP is it gives companies the option of doing app purchases through purchase orders, rather than credit cards, which is more in line with purchasing practices at larger companies.

In addition to purchasing licenses, VPP can also be used to deploy apps to devices. There are two models for this: redeemable codes, and managed distribution.

Redeemable codes is just what it sounds like: VPP generates a discount code that the user enters when purchasing an app through the App Store which results in one of the school’s licenses being assigned to them when they check out. Licenses assigned this way are permanent and can’t be revoked, however, so you should probably not use it as your primary solution for distribution.

Managed distribution requires a connected MDM provider, and works differently depending on which OS the device is running:

  • For devices running macOS 10.9 or later or iOS 7.0 or later, there’s the option to assign apps to a user. This requires the user to enroll their personal Apple ID in the school’s VPP program, which doesn’t give the school any access to their ID but does allow apps to be assigned to that user, which will cause them to be downloaded onto the device the user is logged in to. This can happen immediately or take a few hours, depending on when the device next checks in. These app licenses can be revoked as usual, but revoking a license does not remove the app from a user’s device. Instead, they’ll be prompted to buy their own license the next time they try to open the app.
  • Starting in macOS 10.10 and iOS 9.0, there’s the option to assign the app to the device instead. This does away with the separate Apple ID enrollment step, and also allows the app to be pushed directly to the device through MDM. It also gives admins the option to remove the app and its data from the device entirely when they revoke a license.

On Mac, deployment through VPP is not ideal, because the MDM protocol is less feature-rich than other device management options—in particular, it can be a pain to keep software up-to-date without more robust package management functionality. VPP is the only centrally-managed way to get apps onto iOS devices, however. If you need to manage a lot of iPads or iPhones, it’s going to be especially important to you.

There are a few other caveats to keep in mind with VPP:

  • Licenses sit in a big pot that MDM grabs from when an app is deployed. It’s usually not possible to deploy a specific license to a specific device or user, and you must keep an eye on your supply when deploying to avoid errors.
  • VPP is designed to handle everything through an app license, which is not ideal in the case of apps that are free. You still need to “buy” free licenses for these apps through VPP, and you must have sufficient licenses on hand to deploy these apps.
  • VPP can be used to deploy internally-developed or custom applications, but this requires an extra submission process through Apple.
  • For iOS, there’s a distinction in how VPP deployment operates between devices that are supervised and those that are unsupervised. For unsupervised devices, the user will have to actually approve each download before it can be installed. For supervised devices, the apps will just appear on the device.

How to sign up for Apple School Manager

Compared to Apple Business Manager, signing up for Apple School Manager takes one fewer step. Apple doesn’t require you to have a DUNS number to enroll in ASM, so there’s no need to go through an extra step to get one from Dun & Bradstreet.

However, ASM does require your organization to be either a K-12 school, or an institution of higher education that grants accredited degrees. Apple will verify this themselves as a part of their review of your application.

To apply, go to school.apple.com and sign in with an Apple ID that’s not already in use for another organization. You’ll be asked to give some information:

  • Your country or region
  • Your organization’s legal name
  • Address information, city, and zip code
  • Phone number
  • Website URL
  • Organization type (K–12 or higher education)
  • Time zone and language

You’ll also be asked to give a contact at your organization who will confirm you are authorized to enroll on its behalf—a school administrator, superintendent, principal, etc. Apple will actually call this person to verify this, so make sure you provide the correct information and let them know that this will be happening to avoid complications that could delay the enrollment. You should expect this process to take anywhere from a few days to a couple of weeks.

One thing that’s important to note is that ASM will use the URL you provide as your domain when it creates Managed Apple IDs for your staff and students. That is to say, if you give your domain as somedomain.edu, the Managed Apple IDs will be user@appleid.somedomain.edu. If you need your Managed Apple IDs to have a different domain for some reason, you should submit your application with the domain for your school’s website, and then change it once your application is approved but before you begin assigning devices.

Useful links