Explore new approaches to macOS management
The macOS management landscape is changing, due to improvements from Apple. Find out why incorporating Mac devices is becoming easier, and which management approach to take.
Organizations have a plethora of options to manage and secure Windows desktops, but Apple OS desktops are often treated as an afterthought.
In the last few years, however, macOS management has become easier -- partly because of Apple's own efforts, but also because of the introduction of modern management tools that incorporate multiple device and platform types. MacOS desktops aren't likely to replace Windows desktops anytime soon, but they still have a significant presence in the enterprise.
MacOS management is becoming a greater priority in many organizations as more end users bring their own devices into the workplace. In addition, when employees are given a choice of corporate-owned devices, many now opt for macOS. Fortunately, macOS management in the enterprise is starting to become a more practical option.
MacOS management in the enterprise
Windows and Mac desktops are very different systems, both in terms of the OS and the underlying hardware. Integrating Mac desktops into the Windows universe has often required additional tools or specialized skills. Even then, Mac desktops might receive only partial attention.
An organization might incorporate Mac desktops into its Active Directory (AD) domain, for example, but do little to manage the devices beyond that. In some cases, IT teams might forgo macOS management altogether, citing a list of more demanding priorities, while leaving users on their own to make their devices work in a business setting.
Until recently, IT admins had three primary options for managing macOS devices: incorporating them into their AD domains as they do their Windows computers, incorporating them into their AD domains but using special tools to administer them, or managing the Macs separately from Windows computers, just like they might do with mobile devices.
Incorporating Macs into an AD domain is a relatively straightforward process, but does not provide a complete management solution in itself. For this, IT needs additional tools, such as a macOS Server running on its own Mac computer. But this approach brings additional costs and complexity, as does managing Macs as an entirely separate process. These strategies also lead to administrative siloes, which is a less-than-ideal approach to enterprise device management.
New management options from Apple
To address the limitations of traditional approaches to Mac management, Apple now recommends a two-pronged strategy for managing Mac computers in the enterprise: participating in the Apple Business Manager (ABM) program and implementing a mobile device management (MDM) or unified endpoint management (UEM) platform that supports the ABM program.
The ABM program is a relatively new service that Apple offers to IT teams for automating device purchasing, deployment and content distribution. Administrators can purchase apps in bulk and then distribute them directly to managed devices. In addition, they can create accounts within ABM, designate roles at granular levels, and deactivate and delete those accounts.
Apple has integrated its Device Enrollment Program (DEP) and Volume Purchase Program (VPP) into the ABM service, which will completely replace the two programs by Dec. 1, 2019. In addition to macOS devices, the ABM service supports iOS and tvOS devices, whether purchased directly from Apple or through an authorized reseller or carrier.
The ABM service is designed to work seamlessly with UEM products so that IT teams can centrally deploy and manage all their Apple devices. IT can use any product that supports MDM and can integrate with the ABM service.
When the ABM service is used in conjunction with a UEM product, IT administrators can securely enroll macOS devices in their environment without having to touch or prepare them. After IT enrolls the devices, they can then wirelessly configure them, update settings, query the devices, deploy apps, monitor policy compliance and remotely wipe or lock devices. Administrators can also set up user accounts, enforce restrictions and password policies, and perform a number of other administrative tasks.
This approach to macOS management is possible because of the OS' underlying design. Starting with OS X 10.7, macOS devices incorporate the same common management framework as iOS devices, making it possible to use third-party UEM platforms to manage macOS desktops. UEM products can vary widely in terms of the services they support and the levels of framework integration, however. Even if a vendor claims that its product supports Mac management, decision-makers should still evaluate it to ensure that it meets their organization's needs.
Many UEM products can now manage Mac desktops, such as Centrify User Suite, Jamf Pro, ManageEngine Desktop Central, VMware WorkSpace One, MobileIron and IBM MaaS360. Of these, however, only Jamf and VMware clearly indicate that their products provide ABM integration, supporting features such as security policies, configuration settings and device enrollment.
Apple's next major macOS release, macOS 10.15 Catalina, promises to continue on its trajectory with a number of new features geared at enterprise management. For example, the new OS will include improvements to user account management, remote lock settings, configuration profiles and privacy preferences. Administrators will also be able to force macOS devices to automatically install OS and app updates. In addition, Catalina will include a new endpoint security framework to provide greater device protection.
Even after Catalina is released, the device management capabilities built into Mac computers are likely to improve, with the ABM service an integral part of that strategy. This approach could prove especially beneficial to organizations already committed to MDM and UEM platforms for device management.
The SCCM alternative
Although Apple now provides a clear roadmap for macOS management in the enterprise, some organizations might not have the resources or desire to follow the recommended strategy. Instead they may rely on a product such as System Center Configuration Manager (SCCM) to manage all their desktops, including Mac computers. SCCM is a comprehensive platform for deploying and administering Windows desktops. Many organizations have invested a significant amount of time and resources into SCCM and want to use it as much as possible.
Unfortunately, SCCM capabilities are limited when it comes to macOS and support only basic operations such as Mac discovery, hardware inventory, device enrollment and application deployment. In addition, an SCCM approach also comes with a certain amount of overhead, such as the need for a primary key infrastructure (PKI). Even so, organizations that manage only a few Mac computers and don't need a UEM product might be fine with the SCCM approach.
IT teams that are tied to SCCM might consider an SCCM plugin such as Parallels Mac Management, which extends the SCCM environment to provide more comprehensive management for macOS devices. Parallels Mac Management supports features such as macOS image deployment, patch management, FileVault encryption, remote wipe and software metering. For organizations not ready to jump on the UEM bandwagon but still need to manage Mac computers, an SCCM plugin could be a good option.