iPad deployment: Backup/restore deployment strategy and steps

After months of research and a handful of iPad deployments, I have written the following document detailing the steps I now follow to deploy iPads in schools.

Backup/restore Deployment Strategy: step-by-step

Setup a school ipad admin email account. This email account will be used to create the iTunes account that the school will use to purchase content.
Setup a unique email account for each device. This email account will be used as the hostname for the device, to apply for a no-credit-card iTunes account, and for device based email.  Because these devices will be shared with multiple users, we felt that unique, generic, email accounts on each device would easily allow teachers and students to collaborate with each other.  A teacher could easily email materials to all the iPad email accounts, and students could email questions or finished assignments back to their teachers.
Setup iPad iTunes accounts. Use each device based email address to register for a unique no-credit-card iTunes account to be used for licensing applications and purchases where no access to volume purchasing is available.
Setup the iPad admin iTunes account. Use the ipad admin email account to register for an iTunes account to become known as the ipad admin itunes account.  Apps can be gifted to iPad iTunes accounts.
Setup an iCloud account. This account will be used later for iCloud features like “Find my iPad”.  You could also use the school iPad admin account instead of creating a new account.
Unpack and assemble the syncing cart or station.
Unpack, label, and power up all the i-devices. Store in cart. Powering up the devices now, saves time later when they are connected to the sync station as you don’t have to wait the minute for them to boot up.
Setup dedicated sync station. Preferably a Mac, as multiple devices can be synced at the same time. With Windows, it is widely reported that syncing any more than one at a time is problematic.  Make sure you are using the latest version of iTunes. Create a second admin user to be used for syncing.  The sync station should be a dedicated machine; not used as a workstation. iTunes configuration considerations: Disable “check for new software updates automatically” as if there is an update it will be displayed for each device connected, if automatic backups of the iPads are not required each time the iPads are connected then you can disable them from terminal using the following command “defaults write com.apple.iTunes AutomaticDeviceBackupsDisabled -bool true”.
Build master device. Rename the device in iTunes to something outside of your regular naming convention and recognizable like “student iPad master” or something similar. Update IOS on your master device. Download and install desired apps using iTunes on your sync station so they are all included in your library.  On your device or in iTunes, organize your screens and configure settings.  For more details on the settings I include please see the section titled “Settings”, at the end of this document.
Take encrypted backup of master. Once you have your master iPad perfect, take a backup of it but make sure it is encrypted.  Encrypting your backup saves many of the usernames and passwords you entered during the building of your master iPad. You can store a copy of this in another location in case it needs to be used again.  It is located in ~/Library/Application Support/MobileDevice/Backup.  Perhaps a designated folder on the computer can be used to store a copy.  Once I am done with the master I temporarily disable automatic syncing of devices in the preferences to keep devices from syncing after registration and activation.  Don’t forget to turn it back on later.
Activate, register, Restore, Restore from backup,  and sync recipient devices. Here is the workflow I follow to actually clone the iPads.  I plug in one iPad to the sync station or hub.  It shows up in iTunes and prompts me to activate and register the device.  I enter the school iPad admin account to register the device.  If there is an iOS update available I then click the restore button from the summary screen in iTunes to upgrade.  Upgrading this way won’t bother with a backup.  Once the restore upgrade is complete, the device reboots, then I perform a restore from backup on the device in iTunes choosing the backup of your master.  The device will reboot once more when this is complete.  At this time, if you are quick enough to be able to do it before the device starts to sync, you can rename the device, but I don’t do it at this time.  Now the device will start to sync all of the apps.  While this is happening you can start on the next iPad.  While you can sync many devices at the same time, you can only upgrade or restore one at a time.  I found that if i tried to hurry things along I would get upgrade failures or restore failures, so I recommend completing the steps to upgrade and restore one iPad before moving onto the next.  Let it finish its second reboot and start syncing before moving onto the next one.  Because you can now interact with the device while it is syncing you can name it and enroll it to your mdm while it is syncing.  If your are using a cart you may not have the slack in your cables to do this but if you are using a hub you might be able to.  Because I have been using carts I wait for them all to finish syncing, and then since I have to interact with them to enroll in the profile manager anyway, rename them then, and then enroll.  For large rollouts it has been suggested to separate the activation and sync tasks to increase workflow efficiency.  iTunes can be run in activation only mode to allow activations from a computer other than the dedicated sync station.
If available enroll all devices into Lion Profile Manager for device management. Using the shortcut to the mdm server I created in step 9, install the trust cert and enroll the device in Lion profile manager.  In Lion Profile manager I organize the devices into groups and can then set profiles all members of a group as well as individual devices.  The first profile for the group included the wifi setup to replace the existing manual setup.  Other profiles like restrictions can be applied to the group as a whole.  Settings that are unique to each device, like email accounts can be set per device as well.
Reset your iTunes preference for automatic syncing.  Now when you download apps to install, simply unplug and replug in your cart and all your iPads will sync.

The following are settings that are retained after an encrypted backup is restored on another device.  I like to include some of these settings in my master to decrease the amount of time spent configuring devices after they are cloned.

Wifi SSID and password.
iCloud login password and settings. At this time the only iCloud service I like to enable is the “Find My iPad” service.
iTunes store username, password and auto download settings. I have run into the following issues with the auto download setting:  after enabling books on more than 10 devices, I have been presented with an error informing me of this, purchasing large apps like garage band can bring a network to a halt when you have many devices on it configured to auto download apps.
MDM server shortcut in Safari. This makes joining your Lion Profile Manager server very quick.
Email account settings. Because we are using device based email accounts on many of our devices, we need to configure them after cloning.  These are just generic numbered accounts like abssipad01@domain.com.  I found it easy to setup the one account on the master and then just change the 01 in the account to the correct number for that iPad after it was cloned.
Restrictions. The 4 digit password to get into restrictions is retained.  The only restriction I enable locally is to disable delete apps.  Any other restrictions can be managed through profiles.