Whitman College Technology Services has problems with Apple IDs and the Apple App Store. In this post, I’ll describe those problems and explain the strategies we are employing to address them.
DEFINING THE APPLE ID
Apple has decided that all new or upgraded software (I’ll call them “apps”) for Mac OS X and iOS will be distributed almost exclusively through their App Store. In order to purchase an app, a person needs to have an Apple ID. The Apple ID is a system of authentication – a username and password – which individuals can create for use with a variety of Apple products and resources, in this case the App Store. The Apple ID username is tied to an email address, such as firstname.lastname@example.org. (Wikipedia has more specifics on Apple IDs.) Once an app is purchased, it is tied to the Apple ID under which it was purchased. This means that if the app is damaged or lost, it can be downloaded again for free, and updates to the app can only be downloaded via authentication using the Apple ID.
BUT THE PROBLEM IS…
As noted above, Apple IDs are used by “a person” or “individuals.” This creates two main complications for institutions, enterprises, companies, and groups (henceforth “institutions”) who seek to centrally control software purchase and management:
- If the end user purchases an app with institutional funds using a non-institutional Apple ID username, e.g. email@example.com, then the end user will own the app outright, even if they leave the institution.
- If the end user purchases an app using an Apple ID username associated with the institution, e.g. firstname.lastname@example.org, and leaves the institution and/or wishes to transfer ownership of the app, too bad: this is not possible.
- Site or volume licensed apps purchased by central IT can be distributed around the institution; however, since the original app must be downloaded from the App Store with a single Apple ID, the only way for end users to update their apps is to know the original purchaser’s Apple ID credentials. In essence, this would mean that everyone at the institution who uses the app(s) would share the same Apple ID, which is an untenable solution for institutions.
WHITMAN COLLEGE’S STRATEGIES IN RESPONSE
According to our research, Apple does not currently have enterprise-level tools or solutions for institutions to manage Apple IDs or purchasing through the App Store. However, in consultation with Apple, Whitman College Technology Services (WCTS) has developed the following strategies for purchase and management. None of the strategies is without drawbacks or limitations, and all are subject to change as circumstances change.
For iOS devices (iPhone, iPad, iPod Touch): the email alias
In order to retain ownership of apps, WCTS has begun creating email aliases for individuals who wish to purchase apps using institutional funds. The alias is directed to the email account of the individual who will purchase the app. The email alias can be used to create an Apple ID. If the individual leaves the institution or transfer of the app to another individual is desired, the email alias can be directed to a new individual by WCTS.
Generic example: Professor John Doe in the Zoology Department wants to purchase Final Cut Pro. He is assigned the email alias email@example.com by the IT department (which routes to his email, firstname.lastname@example.org), and the alias becomes his Apple ID username. He sets his own password for the Apple ID, and IT creates the security question and answer. Time passes and Professor Doe leaves the institution. IT reassigns email@example.com to a new faculty member, enabling that person to “own” and update Final Cut Pro. In the process, IT accesses the Apple ID account using the security question and answer to reset the password.
The greatest drawback WCTS has discovered with the email alias system is scalability. Currently, we have fewer than 25 email aliases on campus created for this purpose, but as time passes and the number of aliases grows dramatically, management of this system may become quite difficult.
A different possible solution is to use the Casper Suite for iOS for management. WCTS is beginning to explore this option.
Mac OS X devices (desktops, notebooks) in faculty/staff offices
As of OS 10.7 Lion, Mac OS X devices (I’ll call them “computers”) have begun to require an Apple ID for updating all non-core OS Apple software (e.g. iPhoto, Keynote, Final Cut Pro, etc.). This means that when an image is created and then distributed, end users can run Apple apps, but cannot update them without the Apple ID credentials used by WCTS staff during the image creation process.
Rather than follow the same procedures outlined above for iOS devices, at Apple’s suggestion, we are looking for ways to distribute (push?) updates to Apple apps from on campus. According to Apple, when an update is available for an Apple app, what is available for download via the App Store is not an update package for an existing app. Rather, it is a brand new application that replaces the existing application on the end user’s computer. Thus, it is possible for an IT organization to use its own Apple ID credentials – the same ones used during the image creation process – to download the update (i.e. “new” app), then distribute that app to its end users. (Naturally, IT must have the appropriate number of licenses to do this.) Apple recommended that this distribution be done via a software management technology, such as Casper Suite for OS X. WCTS is beginning to explore this option.
Only one final element remains. For apps meant for widespread campus distribution, it is likely that an IT organization will purchase licenses through the Apple Education Licensing Program or Apple Volume Licensing. In such a purchase, Apple will provide download codes, 1 per seat. For example, 500 seats of iPhoto will result in 500 download codes. In creating an image for distribution on campus, only one download code needs redemption. The remaining codes need only be securely stored.
Mac OS X devices (desktops, notebooks) in Labs
In labs maintained by WCTS, the WCTS Apple ID will be used exclusively to create and update lab images. Since end users do not administer lab computers, control for WCTS is relatively simple. Apple suggested that we consider creating different Apple IDs for our different labs, but at present we will not pursue this. Our strategy for labs will probably not scale for medium and large size institutions. For them, the strategy described above for “Mac OS X devices in faculty/staff offices” might be more appropriate.
An alternative method: “consumable cost”
To avoid all Apple ID management issues, an alternative strategy to the ones above is for the institution to relinquish ownership of apps, discontinuing the system of app management. In this strategy, apps are treated as a consumable supply. Money is spent, and the app becomes the personal property of the individual employee. The drawback to this method is that it could over time dramatically increase overall software costs for the institution. WCTS is currently not employing this method, though it has recognized that due to the ease of creating Apple IDs and purchasing apps, individuals on campus may already be employing this method (not knowing about the complications described in this document) regardless of any of WCTS’s strategies.
If you’ve read through this article, I suspect your institution is having the same challenges as Whitman with Apple IDs and the App Store. Apple claims to be aware of the challenges for institutions, but in typical Apple style, is tight-lipped about the future solutions they might or might not offer. We have consulted with Apple in creating our strategies. Nonetheless, in reading all of this, are we missing something? Have you discovered different strategies than ours at your institution? I welcome your comments and ideas!