I was doing my morning skim of the headlines before work this morning when I came across this article from The Post in New Zealand:
This was good timing, as earlier this week I had attended an Apple reseller event where the topic and use cases for Managed Apple IDs were discussed at length, and so I posted on an internal Teams chat whether this was a good example of where Managed Apple IDs may have prevented the cascading of bad decisions that led to students being exposed to inappropriate content:
So What Actually Happened?
It’s worth reading the article in full, but in case it’s removed or behind a paywall, here is a quick summary of the facts presented:
- The teacher had been responsible for the purchase, set up, maintenance and upgrade of school devices, and uploading photos from school events.
- He had configured at least one of these iPads using his personal Apple ID, presumably so apps could be pushed out to the device(s) from the App Store.
  - (Worth noting: this is not a compliant way for schools to use Apple App Store apps in a school context.)
- At some point, the teacher left the school and he later shared his login details when he was contacted by a primary school aged student using the device, who said the teacher’s password was required to remove his account.
  - A key reminder, which cannot be overstated, is that you should never share your password in any situation, as unforeseen outcomes can flow from this.
- The student must have entered the iCloud password onto the iPad, which caused personal photographs and images on the former teacher’s iCloud account, including images of him and another teacher at the school “fully dressed and cuddling or sitting/lying close together” and memes with sexual statements, to sync to the iPad and be discovered by the students.
- The students then spoke to the school Principal about the images.
  - Great to see the students doing the right thing and exercising commendable Digital Citizenship by alerting an adult when they encountered content online that made them feel uncomfortable.
Evidently, there was a litany of bad decisions related to the management of the school iPads made here, each compounding the other – NB this was not a school that our company managed/supported.
Helpful Internal Discussions Amongst The Team
One of the things I like about Microsoft Teams group chats is the speed with which various team members can contribute their input, allowing what I would describe as ‘ad hoc coaching’ – experienced team members reflecting on the incident above and sharing insights from their experience. This allows rapid knowledge sharing and learning by the entire team, and I’m going to share a few of these thoughts below:
Yikes what a situation. That’s a perfect example of why a school should be using an MDM for management of iPads. I bet the only reason that Apple ID was on the iPads would have been app deployment. Also super worrying the teacher just handed over his personal Apple ID credentials rather than removing the device from his iCloud account.
Comment 1
What I like about the above is the immediate recognition of the absence of ‘best practice’ when it comes to managing iPads – the use of an MDM (Jamf, Intune etc) – as well as an accurate diagnosis of why a school may be using a personal Apple ID: trying their best to deploy apps to iPads, likely unaware of how an MDM could support this task in a more time-efficient and infinitely more secure way.
Additionally, it was pointed out that sharing of the password was never the right approach here (or anywhere!) and you can remove devices associated with your Apple ID – instructions here.
Geez. All good points above.
- An MDM could have prevented the need for an Apple ID on the device
- At the very least, why not a School Specific Apple ID?
- Why did the student “need the Apple ID” to access the iPad? Potentially teacher PD required on that one
- Good on the student for taking the matter to the principal
Like the first commenter, the second commenter immediately identified the best practice, that an MDM removes this risk, and also suggested a ‘less bad’ option than using personal Apple IDs: possibly creating a school-specific Apple ID for the management of these devices – some lateral thinking.
The third point made was a good one – why, precisely, did the student need access to something requiring the Apple ID on the iPad? Were they trying to buy new apps for the device from the App Store, something that the school would normally like to prevent students from being able to do? The training of educators on best practice for managing iPads in the classroom extends to helping them understand what students should and should not be able to do on these great devices for learning – generally a student would not need to access the Apple ID functionality on a well-managed and secured iPad.
Lastly, recognising the student did the right thing by talking to the Principal. It’s imperative that ‘the adults in the room’ reinforce good Digital Citizenship behaviour when they see it. It was through no fault of their own that the students were exposed to this content but the fact they made good decisions and informed an adult should be recognised and applauded.
Considering they are deploying apps with a single Apple ID they probably will not be registered to ASM so managed Apple ID wouldn’t come into effect. I believe most of our customers these days use ASM which we are encouraging heavily.
Comment 3
A third comment recognised the likely absence of Apple School Manager, which would have solved this issue, and the commenter reinforced our company practice of strongly recommending ASM+MDM for the management of iPads.
The internal chat group then continued on in a more technical discussion of the pros/cons of Managed Apple ID in relation to the certificates associated with the Apple Push Notification Services in Apple School Manager (Establishing a certificate-based connection to APNs | Apple Developer Documentation).
Whilst most of the commenters were unconvinced by my initial ‘bait and switch’ comment of whether this news story was a good example where Managed Apple IDs would have ‘saved the day’, there was general agreement that Managed Apple IDs could and should be used in relation to APNs.
On the APNs issue – Cyclone’s standard is to ensure all APNs certificates are created using a Managed Apple ID. Any we find that are using a consumer Apple ID we go through a process with Apple to get the certificate migrated from the consumer ID to a newly created Managed Apple ID
APNs Comment 1
Again, this was a senior Apple engineer reinforcing for everyone on the chat group the company expectations for best practice when it comes to APNs using Managed Apple IDs – great learning.
For a random Friday morning, this ended up being a helpful discussion internally where various members of the team contributed expertise, knowledge and opinions related to a variety of topics:
- Digital Citizenship
- Teacher Professional Development
- MDM and Apple School Manager best practice
- Respective merits of Personal vs Managed Apple ID
- Apple Push Notification configuration best practice
- Real world examples/anecdotes to help educate potential customers on why managed services for school devices is a good idea.
Sparking these types of learning opportunities through the framing of a topical and real-world situation where things went wrong in a school (NB: this was not a school we manage/support) is a great way to focus a team discussion on how we can do things better and deliver a superior outcome for both our schools and the students they serve.