Become Part of our Team and Push Digital Sovereignty
- Teamleader IT / Project Manager (m/f/x)
- IT Consultant (m/f/x)
- Outbound Sales Represantative (m/f/x)
- a.m.m.

The digitisation in schools that are equipped with UCS@school continues to progress rapidly. Many school authorities and federal states are providing schools with mobile terminals for use in the classroom. Apple’s iPads in particular are in demand. The devices are robust, easy to use and affordable. They are also equipped with a large number of special apps for digital education.
While iPads are usually tied to a single user, there is one exception for schools with the so-called shared iPads: Students authenticate themselves with their credentials and can thus access personal data, homework, apps, books, etc. This not only saves costs but in combination with mobile device management also a lot of time, as teachers can manage the contents centrally.
Prerequisite for the use of shared iPads is their connection to the Apple School Manager. The responsible administrators manage the students‘ user accounts, the devices and their contents via the web portal of the manufacturer. Apple’s Device Enrollment Program (DEP) facilitates the addition and initial configuration of new iPads. The purchase and distribution of apps and books can also be automated. The manufacturer calls this provisioning program the Volume Purchase Program (VPP).
An MDM (Mobile Device Management) system is required to use DEP and VPP. However, such a mobile device management is recommended anyway if a larger number of tablets is in use. Otherwise you would need to configure each device manually. An MDM system takes care of the software and the basic privacy-compliant settings of the iPads, integration with the school network, user accounts, classes, and more. The Apple School Manager provides an interface for MDM solutions such as ZuluDesk, FileWave und Relution – all available in the Univention App Center.
There are two things you need to consider when using shared iPads: In addition to basic considerations on data protection (e.g. “What about personal data on the device?”, “Are telemetry data transferred?”, etc.), the responsible administrators would like to see in particular a further automation of the user administration. For this reason we have developed the Apple School Manager Connector. It connects existing UCS@school installations with the Apple School Manager and fits perfectly into our vision for school IT infrastructure.
A typical application scenario looks as follows:
iPads purchased from the school authority or school get into the Apple School Manager via the Device Enrollment Program (DEP). The connector transfers users, classes, and course data from the UCS@school instance to the ASM via SFTP, i.e. SSL-encrypted – anonymously if desired. Our new app modifies the user data in such a way that it is not possible to assign the data on an iPad to an individual user. The clear names no longer end up in the ASM (and thus in the MDM). In order to increase user-friendliness, the user names can be made visible which in turn needs to be assessed by the responsible data protection officer.
The connector also ensures that the roles defined in UCS@school (students and teachers) are correctly transferred to the Apple School Manager. This provisioning of the user data is not a one-time action: After installing the connector from the Univention App Center, administrators can specify the synchronization interval in the settings. They can determine, for example, that the connector synchronizes the data once a day at a certain time.
MDM systems can then use this data to store profiles on the mobile devices. The connector is designed to work with all common mobile device management solutions, including those that are not available via the Univention App Center.
When designing the Apple School Manager Connector, we placed great emphasis on data protection. We involved data protection officers from school authorities in the development. During the set up of the ASM Connector, those who are responsible decide for themselves which data should be anonymized.
Anonymization is activated by default in the ASM Connector.
For example, the new app can generate managed Apple IDs for the login and thereby modify them. These managed Apple IDs are subject to restrictions. Find further information on this on Apple’s support website. It may also be necessary to ensure that cloud services such as Apple’s iCloud are disabled via an MDM system.
As to the situation in classrooms this still means that the results from each lesson will be saved in a file storage that conforms to data protection regulations before the user logs off from the iPad. For this purpose, we recommend ownCloud or Nextcloud. These solutions are both available from the Univention App Center. In the future, it will be possible to configure these online memories in such a way that users can access them without further time-consuming or error-prone registration. The aim is to facilitate the access significantly for teachers and pupils.
At the Univention Summit on January 31 and February 1, 2019, we will be happy to show you how the Apple School Manager Connector works and what it can do for you. At this event you will also be meeting numerous technology partners who make their solutions available in the Univention App Center.
Michel joined Univention in January 2014, initially working in the Professional Services team as an education project manager. Here he was involved in various projects in the school administration environment. Currently, as Product Manager Education, he is responsible for the entire education sector at Univention and is working on sustainably advancing digital education in Germany. When he finds time next to family and work, his personal interests are running, football and cooking.