Deploy iPad with mobile data connections
In addition to providing Wi-Fi connectivity while in school, many education authorities are also helping their students learn from anywhere by deploying iPad devices with mobile data connectivity.
Deployments that include devices with mobile data differ from Wi-Fi deployments in a number of important ways and therefore introduce new elements to consider:
Subscriber Identity Module (SIM) type
Network provider selection
Mobile device management (MDM) support
For more information, see the video Planning for Cellular Connectivity.
eSIM versus physical SIM
A SIM is a package of data that securely stores the information and keys needed to authenticate with a mobile network. A physical SIM is a small integrated circuit that’s inserted into a device. An embedded SIM (eSIM) is a digital version that can be downloaded over a network connection. Because eSIMs are software based, they afford much more deployment flexibility and are also easier to secure; administrators can trigger eSIM installation remotely and restrict a user’s ability to remove it from their device. If there’s a need to change the network provider for devices after they’ve been deployed to users, an MDM command lets you do that without any user interaction. There are other advantages to using an eSIM. For example:
It can be locked with an MDM configuration profile to prevent the user from making changes
It can switch plans and network providers without interrupting the user
An eSIM doesn’t require physical installation of a SIM card, reducing steps in the workflow
Network provider selection
Mobile data activation requires either a physical SIM or an eSIM provided by the network provider. eSIMs are preferred for a number of reasons, but your local provider may not support them at the scale your organisation needs. Network provider selection should also take into account coverage for where students live and go to school, as well as any facility where devices are initially configured.
When selecting a network provider, ask the following:
After an agreement is signed, what is the time period to create and make available the eSIMs so they can be assigned to iPad devices?
What is the URL for your network provider’s eSIM server (known as an SM-DP+ server)?
Regarding mobile coverage and capacity, can the network provider:
Provide a survey of mobile phone masts close to where the iPad devices will be provisioned and where remote learning may be taking place?
Reorient antennae to improve signal and reception in a given area?
Provide temporary coverage as needed at provisioning sites?
Note: Network providers may be sensitive to the number of devices simultaneously queuing for eSIM provisioning, and often request that automated provisioning events be communicated to them.
Mobile device management
MDM solutions can enforce restrictions that help ensure continuity of learning by preventing users from modifying crucial settings. Even more importantly, MDM solutions have the ability to remotely trigger and automate the download and installation of an eSIM to an iPad. This allows for a scalable and efficient deployment experience for IT and end users. The MDM solution you choose should support the following:
Allow for the iPad to be erased while retaining the data plan (iOS 12 or later).
Support for (and the ability to automate) the Refresh Data Plans command. For more information, see MDM commands in Mobile Device Management Settings for IT Administrators.
Restrict modifying eSIM settings on the iPad.
Restrict modifying mobile app data on the iPad.
Restrict modifying data plan settings (non-US providers).
About the Refresh Data Plans command
The Refresh Data Plans command is sent from the MDM solution to the iPad and provides the address of the network provider’s eSIM (SM-DP+) server. The iPad then downloads, installs and activates its eSIM. It may take up to three minutes for the installation and activation to occur. You can troubleshoot installation and activation issues by:
Checking MDM logs to ensure the Refresh Data Plans command has been sent and received.
Verifying the iPad is connected.
Contacting the network provider to determine whether the eSIM profiles for the iPad devices in question are available for download. If, for example, the eSIM assigned to an iPad has already been downloaded once, it is deleted and won’t be available for further retries.
Contacting the network provider to verify activation of the account and data plan on the provider’s systems.
Devices deployed outside of a school’s network may require adjustments to content filtering strategies. Those devices use mobile data networks and home or public Wi-Fi. If existing content filtering solutions rely on the use of on-site networks (owned by the school) to provide content filtering, a new approach is required. Routing all traffic back through the school’s network (by using VPN or global proxy configurations) is an option, although this may require upgrading the school’s internet connection or other infrastructure.
Cloud-based filtering solutions may be better suited to mobile devices, as those don’t require data to travel back and forth through the school’s network.
On-device content filtering with apps that leverage the Apple Network Extensions framework provides the best user experience because very little traffic is sent from the device and content filtering controls are managed locally.
When using content filtering, consider that VPN/PAC file-based filtering solutions don’t filter Personal Hotspot traffic. A restriction can be added to a configuration profile to prevent the use of Personal Hotspot.
Note: Some providers have an IPv6-only mobile network. Any content filtering solution should be assessed for compatibility with IPv6-only networks.
Deploy iPad devices with eSIMs
To deploy iPad devices at scale with eSIMs, you must gather device identifiers, send this information to the network provider, enrol the devices in an MDM solution, then send the MDM command to activate the eSIMs.
Gather the requested identifiers (Serial number, IMEI, EID) using one of the following methods:
From your Apple sales team.
By scanning the barcodes on the product boxes.
By tethering devices to a Mac and using Apple Configurator 2 or the cfgutil command-line tool to export the serial number and IMEI. You’ll still need to obtain the EID for each device using one of the other methods listed here.
If devices are already deployed, MDM has the ability to query for the serial number, IMEI and (new in iOS 14 and iPadOS 14) the EID.
Send the information to the network provider and get the eSIM server URL from the provider.
After the network provider confirms the eSIMs are ready, enrol the iPad devices in an MDM solution.
Use the MDM solution to send a Refresh Data Plans command that includes the network provider’s eSIM server URL to activate the eSIM. See your MDM solution’s documentation for instructions on completing this step.
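The steps above, sketched as an added example (not Apple’s code and not part of the original page): it checks the gathered identifiers before they go to the network provider and builds the Refresh Data Plans command for each device that passes. The CSV column names, the sample identifiers, the placeholder server URL and the https check are assumptions of this example; the RequestType and eSIMServerURL names are taken from Apple’s MDM protocol reference, not from this page.

```python
import csv, io, plistlib, re, uuid
from urllib.parse import urlsplit

# Constructed sample inventory (not real devices): row 2 has a mistyped IMEI, row 3 a short EID.
SAMPLE_CSV = """serial,imei,eid
EXAMPLE00001,490154203237518,89049032123451234512345123451234
EXAMPLE00002,490154203237519,89049032123451234512345123451235
EXAMPLE00003,352099001761481,8904903212345123451234512345123
"""

def luhn_ok(number: str) -> bool:
    # IMEI check digit: Luhn sum over all 15 digits must be a multiple of 10.
    digits = [int(c) for c in reversed(number)]
    total = sum(digits[0::2]) + sum(sum(divmod(2 * d, 10)) for d in digits[1::2])
    return total % 10 == 0

def check_row(row: dict) -> list:
    problems = []
    imei, eid = row["imei"].strip(), row["eid"].strip()
    if not (re.fullmatch(r"[0-9]{15}", imei) and luhn_ok(imei)):
        problems.append("imei")
    # Format only (32 decimal digits); the EID's own check digits are not verified.
    if not re.fullmatch(r"[0-9]{32}", eid):
        problems.append("eid")
    return problems

def refresh_command(smdp_url: str) -> bytes:
    # Requiring https is this example's own check, not a rule stated on the page.
    parts = urlsplit(smdp_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("SM-DP+ URL must be https and name a host")
    return plistlib.dumps({
        "CommandUUID": str(uuid.uuid4()),
        "Command": {"RequestType": "RefreshCellularPlans", "eSIMServerURL": smdp_url},
    })

def plan(csv_text: str, smdp_url: str):
    """Split the inventory into {serial: command plist} and {serial: problems}."""
    ready, rejected = {}, {}
    for row in csv.DictReader(io.StringIO(csv_text)):
        problems = check_row(row)
        if problems:
            rejected[row["serial"]] = problems
        else:
            ready[row["serial"]] = refresh_command(smdp_url)
    return ready, rejected

if __name__ == "__main__":
    print(plan(SAMPLE_CSV, "https://smdp.example.invalid")[1])  # rows to fix
```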
Protecting the eSIM when resetting devices
Since an eSIM is software-based, it’s important to understand the ways in which it can be removed when a device is being reset or erased. You may want to remove the eSIM when retiring or reselling a device. Understanding this helps you prevent users from accidentally deleting the eSIM, which would disrupt remote learning.
To ensure users don’t accidentally remove their eSIM, use MDM restrictions to stop users connecting their device to Apple Configurator 2 and prevent them from using “Erase All Content and Settings”.
Workflows that preserve the eSIM:
An iPad put in recovery mode.
An MDM Remote Wipe command with the “Preserve Data Plan” option enabled.
Going to Settings > General > Reset and selecting Erase All Content and Settings and preserving the data plan when prompted to preserve it.
Workflows that don’t preserve the eSIM:
Using Apple Configurator 2 to reset a device.
An MDM Remote Wipe command where the “Preserve Data Plan” option is disabled.
Going to Settings > General > Reset and selecting Erase All Content and Settings and removing the data plan when prompted to preserve it.
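An added example (not Apple’s code and not part of the original page) that audits a configuration profile and a Remote Wipe command against the eSIM protections described in this section. The restriction keys and the PreserveDataPlan key are taken from Apple’s MDM reference; which keys correspond to the restrictions named here is this example’s reading, and the sample profile and commands are constructed.

```python
import plistlib

# Restriction keys from Apple's com.apple.applicationaccess payload, each mapped
# to what stays possible on the device unless the key is set to false.
ESIM_GUARDS = {
    "allowESIMModification": "user can change or remove the eSIM in Settings",
    "allowEraseContentAndSettings": "user can run Erase All Content and Settings",
    "allowHostPairing": "device can pair with a computer other than its supervision host",
}

def missing_guards(profile_bytes: bytes) -> dict:
    """Return {key: exposure} for each guard that no restrictions payload sets to false."""
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == "com.apple.applicationaccess"]
    enforced = {k for p in payloads for k in ESIM_GUARDS if p.get(k) is False}
    return {k: v for k, v in ESIM_GUARDS.items() if k not in enforced}

def wipe_preserves_esim(command_bytes: bytes) -> bool:
    """True only for an EraseDevice command that explicitly sets PreserveDataPlan."""
    cmd = plistlib.loads(command_bytes).get("Command", {})
    return cmd.get("RequestType") == "EraseDevice" and cmd.get("PreserveDataPlan") is True

def sample_profile() -> bytes:
    # Constructed profile: locks the eSIM and erase, but leaves host pairing allowed.
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadContent": [{
            "PayloadType": "com.apple.applicationaccess",
            "allowESIMModification": False,
            "allowEraseContentAndSettings": False,
        }],
    })

def sample_wipe(preserve: bool) -> bytes:
    # Constructed Remote Wipe command, with or without the data plan preserved.
    return plistlib.dumps({
        "CommandUUID": "constructed-example",
        "Command": {"RequestType": "EraseDevice", "PreserveDataPlan": preserve},
    })

if __name__ == "__main__":
    print(missing_guards(sample_profile()))
    print(wipe_preserves_esim(sample_wipe(True)), wipe_preserves_esim(sample_wipe(False)))
```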