As we come up to the end of the school year, it's a good time to reflect on the administrative tasks we do in order to get ready for the next school year. One area of deployment that's been on my mind recently is structuring our Mobile Device Management (MDM) server to be easy to maintain in the long run.

This is one area in which, thus far, I have not done a great job.

We started with our MDM in August 2013. This was before the Volume Purchase Program Managed Distribution approach was available to us. We converted to VPP-MD in August 2014 and that approach has been highly successful in reducing to near-zero the amount of time iPads are removed from service in the classroom to be updated and have new apps installed.

Having said that, the internal structure of our MDM is not in great shape. In this article I'll explain the mistakes I made and come to some conclusions about how we're going to do things differently in the future.

I'll be writing with reference to the Casper Suite by JAMF, since that's what we use at Cedars. Full disclosure, JAMF also sponsor my podcast.

The Aspects of a Modern MDM

In the VPP-MD era, a Mobile Device Management server essentially has two major entities: mobile devices and users. Mobile devices can have configuration profiles applied and users can have apps assigned.

When we started with MDM, we only had mobile devices. There were no user objects in the Casper Suite. To install apps for the primary school, we brought the iPads back to base and used Apple Configurator. This process typically took a couple of hours a week. For the secondary school, we used Casper to make VPP Coupon Codes available to the students in Casper's Self Service app - effectively, but not technically, a "private App Store".

In some ways this old model was easier: you enrolled devices and assigned both configuration profiles and apps to those devices. In the VPP-MD era, you assign devices to users, assign configuration profiles to devices and assign apps to users. This is far more flexible but, in a one-device-per-person model, it appears to be complexity for the sake of it. It makes tons more sense if you understand that one user might have many devices.

The Mess

Basically, I have two problems with our MDM:

• I made groups for specific classes - as they were in 2013. That means that this year, I'm still managing groups that have names one year out of date.
• I have way too many ad-hoc groups for various quick hacks around the above structure.

Casper allows you to have two groupings of devices and four of users:

• Static Mobile Device Groups
• Smart Mobile Device Groups
• Static User Groups
• Smart User Groups
• Buildings (for devices)
• Departments (for devices)

These smart groups are dynamic groups composed of users or devices who meet specified criteria.

Further, two distinct objects can be "scoped" to these six collection types:

• Sets of apps, called VPP Assignments, can be scoped to individual users or to user groups, whether smart or static.
• Configuration Profiles can be scoped to individual mobile devices, smart or static mobile device groups, buildings or departments.

Finally, Casper allows you to create "extended attributes" for both mobile devices and users. These are custom key/value pairs that you can add to either record type. All my User objects have an EA named "Class" that describes the class they are in.

At the moment, I have apps scoped to smart user groups. These user groups are generated by users' Class EA matching a specific value.

Secondly, I have configuration profiles scoped to a mixture of different things. I started in 2013 by defining each class through the "department" attribute on the device, so I hit some classes by scoping Configuration profiles to their 2013-14 department. I also later created some static device groups named "2014-15 Primary 7" to distinguish it from the "2013-14 Primary 7" that is encoded in the device's department attribute.

This is, as you might imagine, a bit of a mess:

• There are too many steps to put a device into the "right" group for all the settings they need to have.
• A device needs to have its department set to its user's class - as it would have been in session 2013-14.
• The device might also need to be manually added to a static group representing the correct class for 2014-15.
• The User needs to have their Class EA set correctly.
• It's hard to determine the impact of assigning a profile to a given group or class.

In all of this, the biggest problem is that all these groups change their composition each year. If classes are departments, all the users change department once a year. That's too much churn.

The Future Model for Configuration Profiles

I've taken this opportunity to re-think what we really need in terms of MDM control of app assignment and configuration profile distribution.

One of the first things that I've come to realise is that our deployment of configuration profiles is fairly stable. We have the following profiles that essentially everyone gets:

• Deploy a web clip linking to CEOP
• A subscription to the school's calendar feed
• Restrict iMessage and Facetime
• Disable shared photo streams
• Require passcode
• Restrict in-app purchase
• Prevent installing profiles
• Prevent account changes

Almost everyone gets these profiles and they very rarely change. We also apply a couple of security profiles through Apple Configurator that limit apps to 12+ and disable downloading movies and TV shows.

In the past, it was necessary to have class-specific device groups as that was also how you scoped the distribution of VPP coupon codes.

In the future, I think class-specific device groups will be less necessary. I will probably just have one main device group named "All Managed iPads" and scope these configuration profiles to that group. If anyone needs to be excluded from these groups, Casper has a 'limitations' feature that allows me to specify "everyone in A excluding B", which computes the relative complement of the two sets of users A and B.

There are also a few configuration profiles that I keep up my sleeve in case I need them. Mainly, these are "Disable Camera" and "Disable App Store". These are rarely deployed except as a disciplinary measure. For these profiles, Casper allows me to target them to individual devices. They're never targeted at entire groups.

The Future Model for VPP Assignments

The model of grouping users for VPP assignments is harder. It's harder for several reasons:

• Students move classes each year
• Apps are usually a requirement of classes, rather than of students.
• Students can, from time to time, change class mid-year.
• The set of apps assigned to a class changes over the course of the year, usually by addition of new apps.
• Classes are sometimes composite classes of two year groups together and a teacher might only want an app for the upper or lower half of their class.

My plan, right now, looks like this:

• An "everybody" group, to which our core apps are assigned.
• An Extension Attribute on each user that is not their "class" but their year of graduation, which is more stable.
• Another EA on each user that designates them as staff or students.
• Classes are represented by a VPP Assignment that scopes a specific set of apps to one or more graduation cohorts.

With that structure, all of the following situations are handled:

• At the end of a year, we simply rename the current VPP Assignments for next year.
• If the composition of classes changes between sessions, we can change the class smart groups to select on different graduation cohorts.
• If a student moves grades, we change their graduation year EA which moves them into the right smart groups. This scenario is, honestly, quite rare.
• Apps are scoped either to "everyone" - for the core apps - or to specific class-based assignment groups.

So that's how I intend to start moving forward in managing our Casper implementation. It allows apps to be assigned to compositions of year groups, if need be. It also minimises the number of structures or fields required to put things into the right place.

As an example, here's what would be required to enroll a new device for a new student:

• Create a User record for the student with their graduation cohort and staff/student status set correctly.
• Enroll the device in Casper, set the device to be a "managed" iPad. There are a number of attributes in Casper you could use to identify a device as such.
• Assign the device to its user.

With these steps, the user will be assigned the apps appropriate for their class and the device will acquire the correct configuration profiles.

I was catching up on Brad Feld’s blog this morning and saw that he had posted about the “40% rule” for SAAS companies.

I was at the same board meeting as Brad and came away similarly impressed by the simplicity of the rule and the logic behind it.

Here’s the 40% rule and it is aimed at SAAS companies:

Your annual revenue growth rate + your operating margin should equal 40%

So, if you are growing 100% year over year, you can lose money at a rate of 60% of your revenues

If you are growing 40% year over year, you should be breaking even

If you are growing 20% year over year, you should have 20% operating margins

If you are not growing, you should have 40% operating margins

If your business is declining 10% year over year, you should have 50% operating margins

I have never seen growth and profitability so nicely tied together in a simple rule like this. I’ve always felt intuitively that it’s OK to lose money if you are growing fast, and you must make money and increasing amounts of it as your growth slows. Now there’s a formula for that instinct. And I like that very much.

Thanks Brad for posting it.

Structurally critical glaciers from the West Antarctic ice sheet are disappearing way faster than we realized, two teams of scientists recently reported.

Their papers—one from NASA and the University of California, Irvine, the other from the University of Washington—both say there’s nothing we can do to stop it.

Here’s how the glaciers in question will collapse.

​ NASA.gov

Topography

The West Antarctic ice sheet is located about 1,000 km (600 miles) southeast of Argentina’s southern tip. The bulk of it sits ina bowl-shaped bed of underwater land. But not all of it. Gravity’s pull yanks a steady flow of the glacial ice loose from the land, forming what’s called an “ice shelf.” This floating extension of the glacier extends into the sea, and as it builds up, actually helps hold back the mass of ice still standing on the land behind it.

This cross-section shows the undersea massif beneath the West Antarctic ice shelf. Pink=areas uncovered by ice; teal=ice shelf; blue=ice sheet, with shades representing 1,000m gradations of thickness. Screenshot from presentation: "Recent Changes in Greenland & Antarctica," Joughin & Poinar

Warming seas

Warming seas thin the ice shelf, lightening its load so that it’s even more buoyant. This is a natural phenomenon; Antarctic winds whip up naturally warmer water from the ocean’s depths, lapping away at the ice shelf as a roughly equal amount of snowfall replaces what’s melted.

​ Screenshot from presentation: "Recent Changes in Greenland & Antarctica," Joughin & Poinar

Thinning, floating and melting

But scientists think that rising sea temperatures are now eroding the ice shelf faster than the snow can rebuild it. Intensifying southern sea wind forces—likely a product of climate change—also exacerbate ice erosion(pdf, p.1,141). The lighter the ice shelf becomes, the more of it starts floating, exposing more ice to water. That process pushes the “grounding line”—the point where the ice separates from land and begins to float—further inland.

​ Jet Propulsion Laboratory, California Institute of Technology

As the “grounding line” retreats, the “ice shelf” supports less and less of the frozen mass behind it, causing more and more of that ice to flow into the sea.

From 1996 to 2011, Smith Glacier’s “grounding line” retreated 35 km. Screengrab from NASA/GSFC/SVS

Over the hump

Thanks to the under-sea topography on which the West Antarctic ice shelf sits, this process is about to get a whole lot faster. That’s because the water is eating away at the ice quite close to the lip of a bowl-shaped undersea basin. Once the water gets over that hump, more ice will be exposed to it, kicking the whole melting process into a higher gear. “All of our simulations show it will retreat at less than a millimeter of sea level rise per year for a couple of hundred years, and then, boom, it just starts to really go,” says Ian Joughin, professor at the University of Washington and co-author of that team’s paper.

What happens when the a glacier’s “grounding line” retreats past the edge of the sea valley. Created from presentation: "Recent Changes in Greenland & Antarctica," Joughin & Poinar

Inevitable, but not necessarily soon

Don’t ditch beachfront real estate just yet; it’ll be at least two centuries before the actual collapse of the West Antarctic glaciers scientists are studying. (And it may be as long as 1,000 years.) But when they do go, the repercussions will be real. Scientists say the collapse of six vulnerable glaciers could boost global sea levels by 4 feet (1.2 meters). Their disappearance will also destabilize the rest of the West Antarctic ice sheet. And if that collapses, scientists say sea levels will surge between 11 and 16 feet, enough to engulf chunks of the Netherlands, Vietnam, Bangladesh and the southern United States, to name just a few places.

Areas that would be inundated if sea levels rose around 5 meters marked in yellow. Image generated by University of Arizona, Department of Geosciences digital elevation model