GroundControl for patient iPads
An increasing number of hospitals are finding value providing iPads for inpatient use. During the current COVID-19 pandemic, many hospitals are severely limiting visitors. To communicate with their loved ones, iPads can be provided for email, messaging, video conference, and WiFi calling. The same devices can be used for education and entertainment.
These devices are most useful to patients if the iPads have very few restrictions. Allow access to a large catalog of apps. But then, when the patient is finished with the device, use GroundControl to completely and securely erase all data, with an absolute minimum of work by IT and clinicians.
GroundControl works with your existing MDM system to add the following features for patient iPads:
- Securely erase all PHI from iPads when plugged into the charging station
- Without any screen taps, automatically connect your erased iPads to WiFi, enroll iPads into your MDM, and skip all setup screens
- Monitor the MDM to ensure all apps are loaded
- Personalize each iPad with your hospital logo and unit name in large type
- Monitor and log the entire process within a cloud-hosted system
You’ll need the following:
- iPads, new or used/donated
- A PC or Mac in each unit
- A WiFi network that does not prompt with a captcha page
- Apple Business Manager to provide apps to devices
- An MDM solution such as VMware AirWatch / Workspace ONE
A USB hub is not required for this solution. Instead, you can erase iPads one-at-a-time using your USB port on your Mac or PC. For permanent installation, we do recommend Smart USB hubs for simultaneous wiping and charging.
GroundControl can work with iPads in Apple’s Device Enrollment Program (DEP). It can also work with non-DEP iPads, but the setup is a little different. DEP is recommended because devices become locked into your MDM system. This is a theft deterrent. If your iPads have been donated, they are probably not in DEP. Apple has outlined a method to add devices into DEP. GroundControl recommends this process only when you have a lot of time and patience.
Each unit with iPads will need a Mac or Windows PC to run GroundControl’s “Launchpad” software. GroundControl recommends Macs for this purpose, since Macs can support local caching of your apps. Be sure to test any PCs with your expected number of iPads — some PCs limit the maximum number of USB devices.
GroundControl is compatible with open, password protected, and 802.1x networks. Guest WiFi networks in hospitals often include a “Captcha” page to accept a policy before joining the network. Unfortunately, these pages interfere with automation, and are not compatible with the GroundControl process. Instead, use either a WiFi network that does not display this prompt, or whitelist device MAC addresses to bypass these prompts.
Apple Business (or School) Manager
Whether you are using DEP iPads or not, you must use Apple Business Manager’s bulk app purchase feature to provide apps to your devices. ABM removes the need for Apple IDs on your iPads. We assume you have already integrated ABM with your MDM, as this process is beyond the scope of this document.
It’s completely possible to use GroundControl without a USB hub. Just hang one or more USB-to-Lightning cables off your PC or Mac, and plug in one or more devices at a time. What happens if staff plug in their personal phones to charge? GroundControl will not erase their devices. But you do want to keep the cables available for your iPads, of course.
The iPad workflow is a bit easier if you use USB hubs to connect multiple iPads to GroundControl at once. When finished, the iPads will remain connected and start charging. Note that only a limited number of manufacturers can deliver the proper current to multiple iPads while simultaneously syncing with the Mac or Windows PC.
A subset of these hubs include LEDs that can be controlled by GroundControl to turn green or stop blinking once the iPad has completed its reset process. Our customers have found that this LED control is greatly appreciated by the nursing staff.
Set up your MDM
This use case usually requires GroundControl to send API commands to your MDM to delete/retire the device from MDM as it is being erased. GroundControl can perform this command on the following MDM systems:
- VMware Workspace ONE (AirWatch)
- MobileIron Core
- MobileIron Cloud
- Citrix Endpoint Manager
- IBM MaaS360
You will need to set up at least two things in your MDM.
Set up a DEP Profile (if applicable)
If using DEP, you will want to create a DEP profile specific to your iPads. This profile must be set to skip all setup screens. You can either require authentication — GroundControl can provide the username and password — or skip authentication and assign devices directly to a shared user, which is a little easier. If you are using AirWatch, this DEP profile should also direct all iPads into a specific organization group for your devices.
You will need to add GroundControl’s Supervision Identity to your DEP profile in order to enable full functionality.
You are welcome to assign as many apps as you wish to the shared user or group you will be using. Some of our customers add 30 apps to these devices, automatically installed at enrollment. Other customers install only a minimum of apps, but make others available via an app catalog on the device.
Before you set up GroundControl, you should be able to test an iPad to make sure it enrolls and installs apps as expected. If possible, use the same WiFi network you intend to use for production. You’ll be doing steps by hand at this point, but we do want to be sure your MDM is working as expected.
Set up GroundControl
There are a few steps we’ll do next, using GroundControl.
Set up a Launchpad
We have online instructions for installing your Launchpad.
Create a Workflow
In GroundControl’s admin console, click on the Workflows tab, then click New Workflow. Enter a name for the workflow, for example “Patient iPads."
Under Workflow Model, select DEP or Non-DEP, as appropriate for your devices. (If you are using both DEP and Non-DEP iPads, you will need one workflow for each.)
Add the following actions to your workflow:
- Erase: the default “Erase supervised and DEP devices” is recommended.
- Add WiFi: create a WiFi profile for your iPad SSID, or select an existing profile if you have already defined one.
- Device Enrollment Program (DEP workflows): if using DEP, be sure to select Do Not Authenticate if your DEP profile skips authentication, or choose Authenticate As and enter an MDM username and password.
- Enroll/Perform MDM Command: This step will install the MDM enrollment profile on your devices.
- Perform MDM Command: for all workflows, this is recommended to delete (or retire) the device from MDM, so each device refresh is a fresh enrollment in your MDM. You may also want “Clear Passcode” if your MDM supports it.
- Set Language and Locale: this step is required in order to skip all setup screens. You may keep the default language “en” and locale “en-US” if appropriate.
- Set Timezone: this step will help your iPad display the correct time.
When you have added all the actions to your workflow, click Save.
Test the Workflow
This is a good time to test your workflow, to make sure it is behaving as you expect.
- Erase your test iPad — this is needed only the first time you test.
- Start the Launchpad app on your Mac or Windows PC
- Plug in the iPad into your PC
- In the GroundControl admin console, in the Workflow page, click Deploy then select your Launchpad.
It should take between 2 and 5 minutes for the workflow to complete, depending on the speed of your iPad.
Create an Automation Rule
As a final step, set up GroundControl to automatically run your workflow when iPads are plugged in. In the Automation tab, click New Rule.
Give the rule a name, such as “Patient iPads.”
Add a condition, such as Device Model is iPad.
Add your workflow to the actions.
Enable the rule.
Test this automation by unplugging your iPad, then plugging it in again. With no other action, your iPad should erase, enroll in MDM, and begin to download apps.
There are a number of refinements you can make to your system if you like.
Smart Hub Support
GroundControl can control the LEDs on certain Smart Hubs. This helps your staff understand when iPads are busy, and when they have completed reset.
Recommended apps to hide
Certain apps are not appropriate for shared devices. Many Apple apps require an Apple ID, which you do not want on these devices. These apps can be hidden using either GroundControl or your MDM: App Store, Apple Store, FaceTime, Find My, Find My Friends, Find My iPhone, Game Center, Health, Home, iBooks, iTunes, iTunes U, Mail, Messages, Podcasts, TV, Videos, Wallet, Watch.
As these iPads are supervised, you are able to apply extensive restrictions. However you want to maintain a welcome experience, so only apply restrictions that are really needed. Here’s a minimal list:
You can improve your GroundControl workflow with the On Failure action. If the workflow fails for any reason, the system can retry as many times as you specify.
Brand your iPads with the Add Wallpaper action. Wallpaper works best if it is 2048×2048 pixels, and on a color, not white, background. GroundControl can also add additional text to the lock screen, like the iPad serial number, device name, or unit name.
Scaling the solution
Once you’ve set up the workflow as expected and have obtained approvals, it’s easy to scale the solution. Each location will need a Mac or PC, a optional USB hub, and of course iPads. Each Launchpad needs a username and password to register with the cloud, but the same credentials can be used everywhere. No other configuration is required; each location inherits the rules you’ve already set up in the cloud.
iPads will need to be erased by hand, the first time they are connected to GroundControl. As an alternative, you can use Recovery Mode to have GroundControl erase and update devices at the same time.
Macs should be set up with Content Caching (System Preferences > Sharing) to keep a local copy of any apps pushed by your MDM. Although Content Caching is not available on every network, it can speed the iPad setup time considerably while reducing the burden on your WAN. This setting also can use the Mac’s network connection for initial provisioning, installing apps via USB instead of WiFi.