book

Xinca Deployment Guide

Hello and welcome to Xinca!

In this document we will give recommendations and guide you in setting up the Xinca Management System for managing your devices. In this document you will perform the following tasks:

  • Open firewall ports and whitelist IP addresses needed for communication
  • Creating and uploading a Apple Push Certificate
  • Adding users
  • Enrolling devices
  • Creating device-groups
  • Adding apps, documents and profiles
  • Synchronising the system
  • Show you some best practices, tips and recommendations

After this assistant is done you will have created a basic setup of Xinca. Afterwards you can continue using Xinca using the menu on the left.

We advise you to use this document to guide you through, since it makes the basic setup easier and you will get hints for a better understanding of Xinca.

Prerequisites

To ensure Xinca can communicate properly with the devices you’re going to manage, make sure to follow the steps provided on the following article. 

Required firewall ports and IP Ranges

Step 1 - Initial Setup: Create an Apple Push Certificate

For Xinca to work, we need to establish trust between your Xinca account and your Apple account. You will exchange a file with Apple that works like a password. Your Xinca account cannot manage your devices without completing this process. We recommend you to create a new Apple ID for this certificate.

How to Create an Apple Push Certificate

Step 2 - Initial Setup: Add your user accounts to Xinca

There are multiple ways to get your users into Xinca. Before you're adding your users to Xinca, you should first come up with a plan on how you would like to manage your iPads. First we will describe the option to import/create your users, next we will walk through the different plans. Please mind that you could also combine those plans.

  • Apple Business ManagerHere you can import your users, Departments and locations from your Apple Business Manager account.
  • CSV ImportHere you select "Import users from CSV" and upload your file. When you go back to the overview, you can see the running import jobs and the status of each.
  • Microsoft Azure: Here you can choose to import the users after they are signed in to the iPad with their Microsoft Azure account.
  • LDAP synchronisation
  • ManualManual editing of users can always be done under Users & Groups.

Tip: It is advised when creating groups to always create two user-groups; one for Users and one for Admins 

 

1-to-1 iPads

When you've got your users set up in your Xinca account we can automatically set up a configuration for your 1 to 1 Admin devices so they can manage the Users iPads within their departments. In order to get this configuration, all you have to do is set up the users and Departments, and distribute the Xinca app to your Admin devices.

You will have multiple ways to assign the 1 to 1 iPads to your imported users. This can either be done upon the enrollment of your devices, after enrolling them or even before enrolling them. Those methods will be described in Placeholders and Enrollment Authentication.

Generic Shared-iPads without sign-in

For this plan it is not required to have all your users added to your Xinca account. However, it will be useful to create generic user accounts to be able to differentiate the iPads you're managing.

Generic user accounts should be imported via a CSV file, which can look like this (please click on the image to download this template CSV file):

Screen_Shot_2018-04-18_at_09.41.59.png

Step 3 - Initial Setup: Assigning your devices

 

Placeholders

A placeholder is a device that is not yet enrolled in the Xinca MDM. As soon as the device is enrolled, the device will be automatically assigned to a group and get a device owner.

If you have many placeholders to create, then you can also use the bulk import tool (Organisation > Important / Synchronise). Just upload a .csv file with the usernames and Serial Numbers. 

Tip: You can use a barcode scanner to scan the device serial number from the box

Microsoft Azure Implementation

Xinca lets you enroll users from Microsoft Azure into Xinca via an automated process by presenting a web clip onto the users device. This web clip enables authentication through Microsoft Azure, importing the user into Xinca and linking the Azure account with the used iPad.

For more information on how to do this please take a look at our dedicated knowledge-base item: Microsoft Azure Implementation.

Enrollment Authentication

It is possible to require an authenticated user to become the device owner using this feature, to enable this, check the option 'Make authenticated user the device owner' within a DEP profile, or by enabling the on-device/Apple Configuration enrollment authentication via Organisation > Settings > Enrollment.

Step 4 - Enrollment: Enrolling your devices

After you've figured out with which plan you wish to go with, it is time to plan your device enrollment. We would always recommend to enroll your devices using Apple Business Manager / Device Enrollment Program, since you can prevent your users from removing the MDM Profile from the devices when enrolled using the Device Enrollment Program.

In case your devices are not in Apple's DEP program, but meet the conditions to upgrade to iOS 11 we recommend to add your devices to Apple's DEP program using iOS 11 and Apple Configurator 2.5

If you are changing your MDM, and you haven't enrolled your devices using DEP, then you can also remove the MDM profile from your devices manually, and use Option 3: On-device enrollment.

To remove the MDM profile from your devices manually, you will have to perform the following steps:

  1. On the device, open 'Settings'
  2. Select 'General' and select 'Profiles'
  3. Select 'MDM Management profile'
  4. Click 'Remove', then 'Remove' again to confirm

Option 1: Apple Business Manager / Device Enrollment Program (DEP)

When you're planning on using Apple Business Manager / Device Enrollment Program to enroll your devices, you will first have to connect the Xinca MDM Server to your account. Please follow the next steps to get this done.

  1. Download your public key
  2. Configure Xinca in Apple Business Manager
  3. Upload the Server Token in Organisation > Setttings > Devices (DEP)

After you've connected the Xinca MDM Server to your ABM/DEP Account, you can configure and deploy a DEP Profile to enroll your devices into your Xinca account.

Note: You will have to erase all content and settings on your iPad or Re-install macOS in order to install a DEP Profile, as the DEP Profile can only get installed during the Setup Assistant. 

Option 2: Apple Configurator 2

To be able to enroll devices using Apple Configurator, you will need to following:

  • a Mac computer
  • Apple Configurator 2
  • Optional: an USB hub to configure multiple devices at once
  • Create a blueprint
  1. Open Apple Configurator 2
  2. Click on blueprints > Edit blueprints
  3. Choose "Manual" for the configuration option
  4. Choose "New server" for the server option
  5. Give the new MDM server a name
  6. When asked to enter an Enrollment URL navigate to this page and find your MDM Server URL under Apple Configurator 2 (looks like: https://enroll.xincamdm.com/?network=XXXXXX)
  7. Choose "*.xincamdm.com" for the anchor certificate
  8. Check the box to supervise devices and optionally allow devices to pair with other computers
  9. Enter your organisation information
  10. Generate a new supervision identity
  11. Optional: Choose the steps you want to skip during the setup
  12. Press Prepare
  13. Finally press done in the bottom right of the window to save the blueprint and return to the view with all connected devices.
  • Apply the blueprint to devices
    1. Connect one or more devices to the computer while Apple Configurator 2 is running.
    2. Select the devices you want to enroll in Xinca (Tip: You can use cmd + a to select all currently connected devices)
    3. Click on the "Blueprints" button, then select the blueprint you've created
    4. Click on "Apply" to start applying the blueprints to the selected device(s)

Now you're done, Apple Configurator will automatically download and install the latest iOS, supervise the device and enroll it in Xinca.

Option 3: On-device enrollment

To enroll your devices using the On-device enrollment method you can perform the following steps:

  1. On the device, go to: xincamdm.com/manage/enroll
  2. Enter your Network ID: (Your network ID can be found by going to Devices > Enroll device(s) after signing in to Xinca Management System.)
  3. Press 'Enroll'
  4. In the Profile window that appears, press 'install', then 'install' again to confirm

Step 5 - Configuration: Creating device groups to install Apps, Profiles and Documents

After you've successfully enrolled your devices it would be time to think about your device groups. It is required to use device groups in order to install Apps, Profiles and Documents using the Xinca Management System. You can create an unlimited amount of device groups, but it is recommended to keep your device groups limited so you won't lose your overview in managing your devices.

The way you're configuring your device groups is completely up to you. You can either choose to create one device group for all your Users, one for your Admins and one for your administrators, you can choose to create a device group for every department or location. It completely depends on how you want to arrange your Apps, Profiles and Documents.

It is highly recommended to create separate device groups for iOS, tvOS and macOS devices. This is because the profiles and apps are different for those devices.

Below is an example of how you could arrange your smart group setup.

Screen_Shot_2018-04-18_at_09.51.50.png

When creating a device group, you can choose from two types of device groups:

Static Groups

When you're creating Static Device Groups, you will simply have to add your devices to the group manually. This group assignment has to be done manually by selecting/editing the device and grant the group assignment.

Smart Groups

When you don't want to assign the device groups manually you can make use of our Smart Groups. When you're creating Smart Device Groups, you can add different filters that your devices should meet in order to be part of the smart group.

Those filters can be based on the details of the device, the location of the device, the enrollment method and the user assigned to the device, and of course it can also be based a combination of the above filters.

Below is an example of how you could set up a Smart Group.

Screen_Shot_2018-04-18_at_11.00.03.png

Step 6 - Configuration: Adding Apps to your Xinca account

After you've set up your device group it will be time to start distributing apps to your devices. With the Xinca Management System you will have a few options on distributing apps to your devices.

  • Distribute apps via VPP
  • Distribute apps via Apps and Book in Apple Business Manager
  • Distribute apps via the App Store
  • Distribute In-House apps for iOS or tvOS
  • Distribute In-House macOS Packages

We highly recommend to distribute apps via VPP in case this is one of the possibilities. This is because you will need your users to sign in with their Apple ID in order to distribute apps via the App Store to their devices, which isn't needed when you're distributing those apps via VPP as you can assign the license to your users devices instead of their Apple ID's.

For custom apps, or software for macOS we recommend to add them In-House.

Your apps will be listed in the Apps overview after you have added an app with one of the options that are described below. Please note that you will need to synchronise your VPP account after purchasing/adding apps via VPP. This can be done by going to your Dashboard and hit the 'Synchronise now' button.

Distribute apps via Apple Business Manager's Apps and Books (VPP)

It is possible to distribute in Apple Business Manager itself using Apps and Books, you're able to distribute Apps and iBooks this way and works practically the same as the older Volume Purchase Program. You can assign apps to locations in Apple Business Manager. When you've assigned apps to a location you're able to head to Settings > Apps and Books and download the token here. You can upload this token in Xinca under Organisation > Settings > VPP.

Distribute apps via Apple's Volume Purchase Program (VPP)

The Volume Purchase Program from Apple allows education institutions to purchase apps in volume and distribute them within their organisations. We worked with Apple to seamlessly integrate the VPP portal with Xinca Management System (XMS).

When you want to use the Volume Purchase Program (VPP) and integrate with Xinca you need to:

Default App Assignment method

As of iOS 9, VPP also support device licensing, where an app license is associated with a specific device's serial number. Whereas licensing by Apple ID allows a specific user to use the app (as long as they've signed in with their Apple ID), device licensing allows anybody to use the app on a licensed device without needing an Apple ID.

You can choose which app assignment you want to use for your VPP token by navigating to: Organisation > Settings > Content (VPP) and clicking the cogwheel in the top left of the token.

Automatically invite users

On Organisation > Settings > Content (VPP) it is also possible to enable this settings. With automatic invitation you can automatically invite users to VPP when they enroll in Xinca. This can be done by either a popup on the device or by adding a WebClip on the home-screen.

Distribute App Store Apps

It's possible to manually add iOS Apps to Xinca via Apple's App Store. However, to install these Apps, you are required you to be logged in to a device with an Apple ID.

To add an iOS App navigate to the App overview and when adding an app select the 'Add iOS App' option, a popup will appear where you can search for App-store Apps.

Distribute In-House Apps for iOS and tvOS

It's possible to distribute in-house Apps for iOS and tvOS. This can be done by navigating to the App overview and adding a new in-house app for the selected OS. 

Note: tvOS does not support VPP apps and you will have to distribute in-house Apps for tvOS or download them on the device itself.

Distribute In-House macOS Packages

It is possible to distribute your self-made packages for macOS, for more information how to do so check out: How to build packages for macOS.

Step 7 - Configuration: Distributing Apps to your devices

When you've successfully added your apps to your Xinca account, you will be ready to install the added apps to your devices. 

In order to distribute this apps to your devices, you will have to define a 'scope' where you wish to distribute the app to. This can be done as a bulk-action by selecting your apps and clicking the 'Edit scope' button, or by entering the specific app where you can edit the scope.

A scope is also known as a selection of device groups, so you will have to add the desired device group where you want to distribute your app to.

You will also have multiple options when distributing apps. You can choose to assign the VPP license to the user's Apple ID or the device's serial number, you can choose to assign apps to be installed on-demand or you can choose to install the app automatically. A default for the installation method can be set at Organisation > Settings > Apps & Documents.

****It is also possible to distribute Apps as a Admin to your Users within a department .****

In case you're having trouble with an app installation we recommend to follow "Why won’t one or more VPP apps install?".

If you want to learn more about on-demand Apps check out our dedicated knowledge-base article: On-demand Apps, Documents and Profiles and how they work

Step 8 - Configuration: Creating and distributing Profiles

Profiles can configure settings on your devices like Wi-Fi networks, restrictions, e-mail accounts, and many more. It is fairly simple to create Profiles using the Xinca Management System. You can do this by going to Profiles > Create Profile. There you can simply choose whether you want to create an iOS, tvOS or macOS profile.

Just like apps you can only distribute profiles to device groups and you will also have the option to install profiles on-demand.

It is recommended to create a global profile for all devices that configures a WiFi connection. It is also recommended to create separate profiles for Users and Admins since they most likely will require different settings / restrictions.

Please have a look at the Profiles section of the Walkthrough Features in Xinca Management System article to see more details about what you can do with your profiles.

Step 9 - Configuration: Adding and distributing Documents

The principle of adding distributing Documents is pretty much the same as it is for Apps. However there are a few things that you need to keep in mind when distributing documents.

  • In-house documents are available to all devices and have no requirements.
  • VPP Documents need to have an Apple ID tied to the device since these are only user-assigned.
  • Documents are found in the iBooks App on the device when set to Automatic installation
  • When the installation type is set to on-demand these apps will be available to download by the user from the Xinca App

Step 10 - Finishing up: Synchronisation

The Xinca Management System will synchronise automatically once a day with your connected services. In case you have made some adjustments within any of those services (i.e. VPP, DEP, Active Directory), you can synchronise manually using the ‘Synchronise now’ button on your Dashboard. This button does the following things:

  • If you have enabled VPP, it will synchronize all VPP applications, books and users.
  • If you have enabled DEP, it will synchronize all DEP devices and creating any missing DEP placeholders
  • If you have enabled user synchronization (either through LDAP or SOMToday), it will synchronize all users with the remote service
  • If you have enabled Apple Business Manager, it will synchronize all Departments and users with Apple Business Manager

So, for example, if you have assigned new DEP devices to Xinca in the DEP portal or Apple Business Manager, you should press this button once to retrieve these.

Step 11 - Finishing up: Tips, Recommendations and Best Practises

Configuring the Xinca Admin app

Use Xinca Admin to easily prepare so called "Bundles", which include apps and websites to be made available to Users when this bundle is active. You can also limit Users by setting restrictions, such as preventing notifications or disabling the camera function.

Begin a Bundle with Xinca Admin by simply selecting a prepared Bundle. Once your bundle is active, Users can only view apps and visit websites preconfigured with the “Prepare a Bundle” feature.

You can also easily update your Users by sending them a message.

Please follow How to configure Xinca Admin using Xinca Management System to configure the Xinca Admin app or visit Xinca App Admin Overview for more information.

How can I pre-configure my Profiles?

When you're distributing Profiles using the Xinca Management System, you will have the option to pre-configure your profiles with usernames, password and other information created inside those profiles. This can be accomplished by using Payload Variables.

Use the Xinca app to provide your users a Self Service portal

If you have configured (some of) your apps, profiles or documents to be installed on-demand, you can use the Xinca app as a Self Service portal where your users can download those items from.

Please have a look at Xinca App Self Service Overview for more information. 

Knowledge-base / FAQ

Our Knowledge-base / FAQ with helpful articles can be found at http://xincamdm.com/help/.

Need Support?

In case you have questions regarding your deployment, Xinca or anything related you can create a ticket inside your Xinca Management System. This way our Support Professionals can assist you with any problem. 

Have more questions? Submit a request

0 Comments

Article is closed for comments.