Deploy iPad with cellular connections
In addition to providing Wi-Fi connectivity while in school, many school districts are also helping their students learn from anywhere by deploying iPad devices with cellular connectivity.
Overview
Deployments that include cellular devices differ from Wi-Fi deployments in a number of important ways and therefore introduce new elements to consider:
Subscriber Identity Module (SIM) type
Carrier selection
Mobile device management (MDM) support
Content filtering
For more information, see the video Planning for Cellular Connectivity.
eSIM versus physical SIM
A SIM is a package of data that securely stores the information and keys needed to authenticate with a cellular network. A physical SIM is a small integrated circuit that’s inserted into a device. An embedded SIM (eSIM) is a digital version that can be downloaded over a network connection. Because eSIMs are software based, they afford much more deployment flexibility and are also easier to secure; administrators can trigger eSIM installation remotely and restrict a user’s ability to remove it from their device. If there’s a need to change the cellular carrier for devices after they’ve been deployed to users, an MDM command lets you do that without any user interaction. There are other advantages to using an eSIM. For example:
It can be locked with an MDM configuration profile to prevent the user from making changes
It can switch plans and carriers without interrupting the user
An eSIM doesn’t require physical installation of a SIM card, reducing steps in the workflow
Carrier selection
Cellular activation requires either a physical SIM or an eSIM provided by the carrier. eSIMs are preferred for a number of reasons, but your local carrier may not support them at the scale your organization needs. Carrier selection should also take into account coverage where students live and go to school, as well as at any facility where devices are initially configured.
When selecting a carrier, ask the following:
After an agreement is signed, how long does it take to create the eSIMs and make them available so they can be assigned to iPad devices?
What is the URL for your carrier’s eSIM server (known as an SM-DP+ server)?
Regarding cellular coverage and capacity, can the carrier:
Provide a survey of cell towers close to where the iPad devices will be provisioned and where remote learning may be taking place?
Reorient antennae to improve signal and reception in a given area?
Provide temporary coverage as needed at provisioning sites?
Note: Carriers may be sensitive to the number of devices simultaneously queuing for eSIM provisioning, and often request that automated provisioning events be communicated to them.
Mobile device management
MDM solutions can enforce restrictions that help ensure continuity of learning by preventing users from modifying crucial settings. Even more important, MDM solutions have the ability to remotely trigger and automate the download and installation of an eSIM to an iPad. This allows for a scalable and efficient deployment experience for IT and end users. The MDM solution you choose should support the following:
Allow for the iPad to be erased while retaining the cellular plan (iOS 12 or later).
Support for (and the ability to automate) the Refresh Cellular Plans command. For more information, see MDM commands in Mobile Device Management Settings for IT Administrators.
Restrict modifying eSIM settings on the iPad.
Restrict modifying cellular app data on the iPad.
Restrict modifying cellular plan settings (non-US carriers).
About the Refresh Cellular Plans command
The Refresh Cellular Plans command is sent from the MDM solution to the iPad and provides the address of the carrier’s eSIM (SM-DP+) server. The iPad then downloads, installs, and activates its eSIM. It may take up to three minutes for the installation and activation to occur. You can troubleshoot installation and activation issues by:
Checking MDM logs to ensure the Refresh Cellular Plans command has been sent and received.
Verifying the iPad is connected.
Contacting the carrier to determine whether the eSIM profiles for the iPad devices in question are available for download. For example, if the eSIM assigned to an iPad has already been downloaded once, it is deleted and won’t be available for further retries.
Contacting the carrier to verify activation of the account and data plan on the carrier’s systems.
Content filtering
Devices deployed outside of a school’s network may require adjustments to content filtering strategies. Those devices use cellular carrier networks and home or public Wi-Fi. If existing content filtering solutions rely on the use of onsite networks (owned by the school) to provide content filtering, a new approach is required. Routing all traffic back through the school’s network (by using VPN or global proxy configurations) is an option, although this may require upgrading the school’s internet connection or other infrastructure.
Cloud-based filtering solutions may be better suited to cellular devices, as those don’t require data to travel back and forth through the school’s network.
On-device content filtering with apps that leverage the Apple Network Extensions framework provides the best user experience, because very little traffic is sent from the device and content filtering controls are managed locally.
When using content filtering, consider that VPN/PAC file-based filtering solutions don’t filter Personal Hotspot traffic. A restriction can be added to a configuration profile to prevent the use of Personal Hotspot.
Note: Some carriers (for example, T-Mobile in the United States) have an IPv6-only cellular network. Any content filtering solution should be assessed for compatibility with IPv6-only networks.
Deploy iPad devices with eSIMs
To deploy iPad devices at scale with eSIMs, you must gather device identifiers, send this information to the carrier, enroll the devices in an MDM solution, then send the MDM command to activate the eSIMs.
Gather the requested identifiers (Serial number, IMEI, EID) using one of the following methods:
From your Apple sales team.
By scanning the barcodes on the product boxes.
By tethering devices to a Mac and using Apple Configurator 2 or the cfgutil command-line tool to export the serial number and IMEI. You’ll still need to obtain the EID for each device using one of the other methods listed here.
If devices are already deployed, MDM has the ability to query for the serial number, IMEI, and (new in iOS 14 and iPadOS 14) the EID.
Send the information to the carrier and get the eSIM server URL from the carrier.
After the carrier confirms the eSIMs are ready, enroll the iPad devices in an MDM solution.
Use the MDM solution to send a Refresh Cellular Plans command that includes the carrier’s eSIM server URL to activate the eSIM. See your MDM solution’s documentation for the steps to do this.
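The following is an added example, not part of the original guide or of any MDM product: a Python sketch that builds the Refresh Cellular Plans command body for each ready device and groups the sends into batches, since carriers may be sensitive to simultaneous provisioning and a downloaded eSIM isn’t available for retries. The RequestType and eSIMServerURL key names come from Apple’s MDM protocol reference; the inventory fields, the "sent" flag, the batch size, and the server URL are assumptions made for illustration.

```python
import plistlib
import uuid
from urllib.parse import urlparse

# Constructed inventory: the identifiers the carrier asks for, plus a local
# flag recording whether a refresh command already went to the device.
INVENTORY = [
    {"serial": "SERIAL0001", "imei": "IMEI0001", "eid": "EID0001", "sent": False},
    {"serial": "SERIAL0002", "imei": "IMEI0002", "eid": "", "sent": False},
    {"serial": "SERIAL0003", "imei": "IMEI0003", "eid": "EID0003", "sent": True},
    {"serial": "SERIAL0004", "imei": "IMEI0004", "eid": "EID0004", "sent": False},
    {"serial": "SERIAL0005", "imei": "IMEI0005", "eid": "EID0005", "sent": False},
]

def refresh_command(server_url):
    """Return the plist body of one RefreshCellularPlans MDM command."""
    parsed = urlparse(server_url)
    # Assumption of this example: the carrier hands out an https URL.
    if parsed.scheme != "https" or not parsed.hostname:
        raise ValueError("eSIM server URL must be https with a host name")
    return plistlib.dumps({
        "CommandUUID": str(uuid.uuid4()),
        "Command": {"RequestType": "RefreshCellularPlans",
                    "eSIMServerURL": server_url},
    })

def plan_batches(inventory, server_url, batch_size):
    """Group ready devices into batches and list the ones held back."""
    ready, held = [], []
    for device in inventory:
        if not all(device[k] for k in ("serial", "imei", "eid")):
            held.append((device["serial"], "identifier missing"))
        elif device["sent"]:
            # A downloaded eSIM is deleted carrier-side, so do not retry blindly.
            held.append((device["serial"], "already sent, check with carrier"))
        else:
            ready.append((device["serial"], refresh_command(server_url)))
    batches = [ready[i:i + batch_size] for i in range(0, len(ready), batch_size)]
    return batches, held

if __name__ == "__main__":
    batches, held = plan_batches(INVENTORY, "https://smdp.example.invalid", 2)
    for number, batch in enumerate(batches, 1):
        print("batch", number, [serial for serial, _ in batch])
    for serial, reason in held:
        print("held", serial, reason)
```

Delivery of each command body still goes through your MDM solution; the batches give you a schedule to share with the carrier before an automated provisioning event.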
Protecting the eSIM when resetting devices
Since an eSIM is software-based, it’s important to understand the ways in which it can be removed when a device is being reset or erased. You may want to remove the eSIM when retiring or reselling a device. Understanding this helps you to prevent users from accidentally deleting the eSIM, which would disrupt remote learning.
To ensure users don’t accidentally remove their eSIM, use MDM restrictions to prevent users from connecting their device to Apple Configurator 2 and to disallow the use of “Erase All Content and Settings.”
Workflows that preserve the eSIM:
An iPad put in recovery mode.
An MDM Remote Wipe command with the “Preserve Data Plan” option enabled.
Going to Settings > General > Reset and selecting Erase All Content and Settings and preserving the data plan when prompted to preserve it.
Workflows that don’t preserve the eSIM:
Using Apple Configurator 2 to reset a device.
An MDM Remote Wipe command where the “Preserve Data Plan” option is disabled.
Going to Settings > General > Reset and selecting Erase All Content and Settings and removing the data plan when prompted to preserve it.
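The following is an added example, not part of the original guide: a Python check that a configuration profile sets the restrictions described above and that a Remote Wipe command keeps the data plan. The restriction key names, the com.apple.applicationaccess payload type, and the EraseDevice PreserveDataPlan key come from Apple’s MDM protocol reference rather than from this page; the sample profile and command are constructed.

```python
import plistlib

# Restriction keys (payload type com.apple.applicationaccess) matching the
# controls listed above; each is enforced only when explicitly set to false.
REQUIRED_FALSE = {
    "allowESIMModification": "user can modify or remove the eSIM",
    "allowCellularPlanModification": "user can change cellular plan settings",
    "allowAppCellularDataModification": "user can change app cellular data",
    "allowEraseContentAndSettings": "user can Erase All Content and Settings",
    "allowHostPairing": "device can pair with a Mac running Apple Configurator 2",
}

def audit_profile(profile_bytes):
    """Return one finding per restriction that no payload sets to false."""
    profile = plistlib.loads(profile_bytes)
    enforced = set()
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.applicationaccess":
            enforced |= {k for k in REQUIRED_FALSE if payload.get(k) is False}
    return [f"{k}: {risk}" for k, risk in REQUIRED_FALSE.items()
            if k not in enforced]

def wipe_preserves_esim(command_bytes):
    """True only when an EraseDevice command explicitly keeps the data plan."""
    command = plistlib.loads(command_bytes).get("Command", {})
    return (command.get("RequestType") == "EraseDevice"
            and command.get("PreserveDataPlan") is True)

# Constructed sample profile: two restrictions set, one left true, two absent.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadContent": [{
        "PayloadType": "com.apple.applicationaccess",
        "allowESIMModification": False,
        "allowEraseContentAndSettings": False,
        "allowCellularPlanModification": True,
    }],
})
# Constructed sample wipe command that omits PreserveDataPlan.
SAMPLE_WIPE = plistlib.dumps({
    "CommandUUID": "constructed-0001",
    "Command": {"RequestType": "EraseDevice"},
})

if __name__ == "__main__":
    print("\n".join(audit_profile(SAMPLE_PROFILE)))
    print("wipe keeps eSIM:", wipe_preserves_esim(SAMPLE_WIPE))
```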