As we come up to the end of the school year, it's a good time to reflect on the administrative tasks we do in order to get ready for the next school year. One area of deployment that's been on my mind recently is structuring our Mobile Device Management (MDM) server to be easy to maintain in the long run.
This is one area in which, thus far, I have not done a great job.
We started with our MDM in August 2013. This was before the Volume Purchase Program Managed Distribution approach was available to us. We converted to VPP-MD in August 2014 and that approach has been highly successful in reducing to near-zero the amount of time iPads are removed from service in the classroom to be updated and have new apps installed.
Having said that, the internal structure of our MDM is not in great shape. In this article I'll explain the mistakes I made and come to some conclusions about how we're going to do things differently in the future.
I'll be writing with reference to the Casper Suite by JAMF, since that's what we use at Cedars. Full disclosure, JAMF also sponsor my podcast.
In the VPP-MD era, a Mobile Device Management server essentially has two major entities: mobile devices and users. Mobile devices can have configuration profiles applied and users can have apps assigned.
When we started with MDM, we only had mobile devices. There were no user objects in the Casper Suite. To install apps for the primary school, we brought the iPads back to base and used Apple Configurator. This process typically took a couple of hours a week. For the secondary school, we used Casper to make VPP Coupon Codes available to the students in Casper's Self Service app - effectively, but not technically, a "private App Store".
In some ways this old model was easier: you enrolled devices and assigned both configuration profiles and apps to those devices. In the VPP-MD era, you assign devices to users, assign configuration profiles to devices and assign apps to users. This is far more flexible but, in a one-device-per-person model, it appears to be complexity for the sake of it. It makes tons more sense if you understand that one user might have many devices.
Basically, I have two problems with our MDM:
Casper allows you to have two groupings of devices and four of users:
These smart groups are dynamic groups composed of users or devices who meet specified criteria.
Further, two distinct objects can be "scoped" to these six collection types:
Finally, Casper allows you to create "extended attributes" for both mobile devices and users. These are custom key/value pairs that you can add to either record type. All my User objects have an EA named "Class" that describes the class they are in.
At the moment, I have apps scoped to smart user groups. These user groups are generated by users' Class EA matching a specific value.
Secondly, I have configuration profiles scoped to a mixture of different things. I started in 2013 by defining each class through the "department" attribute on the device, so I hit some classes by scoping configuration profiles to their 2013-14 department. I also later created some static device groups named "2014-15 Primary 7" to distinguish it from the "2013-14 Primary 7" that is encoded in the device's department attribute.
This is, as you might imagine, a bit of a mess:
In all of this, the biggest problem is that all these groups change their composition each year. If classes are departments, all the users change department once a year. That's too much churn.
I've taken this opportunity to re-think what we really need in terms of MDM control of app assignment and configuration profile distribution.
One of the first things that I've come to realise is that our deployment of configuration profiles is fairly stable. We have the following profiles that essentially everyone gets:
Almost everyone gets these profiles and they very rarely change. We also apply a couple of security profiles through Apple Configurator that limit apps to 12+ and disable downloading movies and TV shows.
In the past, it was necessary to have class-specific device groups as that was also how you scoped the distribution of VPP coupon codes.
In the future, I think class-specific device groups will be less necessary. I will probably just have one main device group named "All Managed iPads" and scope these configuration profiles to that group. If anyone needs to be excluded from these groups, Casper has a 'limitations' feature that allows me to specify "everyone in A excluding B", which computes the relative complement of the two sets of users A and B.
There are also a few configuration profiles that I keep up my sleeve in case I need them. Mainly, these are "Disable Camera" and "Disable App Store". These are rarely deployed except as a disciplinary measure. For these profiles, Casper allows me to target them to individual devices. They're never targeted at entire groups.
The model of grouping users for VPP assignments is harder. It's harder for several reasons:
My plan, right now, looks like this:
With that structure, all of the following situations are handled:
So that's how I intend to start moving forward in managing our Casper implementation. It allows apps to be assigned to compositions of year groups, if need be. It also minimises the number of structures or fields required to put things into the right place.
As an example, here's what would be required to enroll a new device for a new student:
With these steps, the user will be assigned the apps appropriate for their class and the device will acquire the correct configuration profiles.
I was catching up on Brad Feld’s blog this morning and saw that he had posted about the “40% rule” for SAAS companies.
I was at the same board meeting as Brad and came away similarly impressed by the simplicity of the rule and the logic behind it.
Here’s the 40% rule and it is aimed at SAAS companies:
Your annual revenue growth rate + your operating margin should equal 40%
So, if you are growing 100% year over year, you can lose money at a rate of 60% of your revenues
If you are growing 40% year over year, you should be breaking even
If you are growing 20% year over year, you should have 20% operating margins
If you are not growing, you should have 40% operating margins
If your business is declining 10% year over year, you should have 50% operating margins
I have never seen growth and profitability so nicely tied together in a simple rule like this. I’ve always felt intuitively that it’s OK to lose money if you are growing fast, and you must make money and increasing amounts of it as your growth slows. Now there’s a formula for that instinct. And I like that very much.
Thanks Brad for posting it.
Structurally critical glaciers from the West Antarctic ice sheet are disappearing way faster than we realized, two teams of scientists recently reported.
Their papers—one from NASA and the University of California, Irvine, the other from the University of Washington—both say there’s nothing we can do to stop it.
Here’s how the glaciers in question will collapse.
The West Antarctic ice sheet is located about 1,000 km (600 miles) southeast of Argentina’s southern tip. The bulk of it sits in a bowl-shaped bed of underwater land. But not all of it. Gravity’s pull yanks a steady flow of the glacial ice loose from the land, forming what’s called an “ice shelf.” This floating extension of the glacier extends into the sea, and as it builds up, actually helps hold back the mass of ice still standing on the land behind it.
Warming seas thin the ice shelf, lightening its load so that it’s even more buoyant. This is a natural phenomenon; Antarctic winds whip up naturally warmer water from the ocean’s depths, lapping away at the ice shelf as a roughly equal amount of snowfall replaces what’s melted.
But scientists think that rising sea temperatures are now eroding the ice shelf faster than the snow can rebuild it. Intensifying southern sea wind forces—likely a product of climate change—also exacerbate ice erosion (pdf, p. 1,141). The lighter the ice shelf becomes, the more of it starts floating, exposing more ice to water. That process pushes the “grounding line”—the point where the ice separates from land and begins to float—further inland.
As the “grounding line” retreats, the “ice shelf” supports less and less of the frozen mass behind it, causing more and more of that ice to flow into the sea.
Thanks to the under-sea topography on which the West Antarctic ice shelf sits, this process is about to get a whole lot faster. That’s because the water is eating away at the ice quite close to the lip of a bowl-shaped undersea basin. Once the water gets over that hump, more ice will be exposed to it, kicking the whole melting process into a higher gear. “All of our simulations show it will retreat at less than a millimeter of sea level rise per year for a couple of hundred years, and then, boom, it just starts to really go,” says Ian Joughin, professor at the University of Washington and co-author of that team’s paper.
Don’t ditch beachfront real estate just yet; it’ll be at least two centuries before the actual collapse of the West Antarctic glaciers scientists are studying. (And it may be as long as 1,000 years.) But when they do go, the repercussions will be real. Scientists say the collapse of six vulnerable glaciers could boost global sea levels by 4 feet (1.2 meters). Their disappearance will also destabilize the rest of the West Antarctic ice sheet. And if that collapses, scientists say sea levels will surge between 11 and 16 feet, enough to engulf chunks of the Netherlands, Vietnam, Bangladesh and the southern United States, to name just a few places.