As organizations increasingly adopt Apple devices, it is essential to manage these endpoints effectively to ensure device security and regulatory compliance. Fortunately, Apple makes this possible through various mobile device management (MDM) platforms.
Device enrollment options
To manage Apple devices, organizations must first enroll them in their MDM platform. If an organization permits the use of personal devices, users can manually enroll them through a dedicated web portal. Conversely, an organization can enroll corporate-owned devices automatically using either Apple School Manager or Apple Business Manager.
Apple School Manager is a cloud-based tool that can automate the initial provisioning of Apple devices. This service enables organizations to complete the enrollment process without physically handling the devices. However, to do so, devices must be associated with the organization at the time of purchase.
As its name suggests, Apple School Manager is intended primarily for use in schools, and much of that platform's functionality reflects that focus. For example, organizations can use Apple School Manager to create user accounts from student rosters, purchase apps and textbooks in bulk, and deploy them to managed devices.
Like Apple School Manager, Apple Business Manager is a cloud-based tool businesses use to enroll Apple devices and purchase apps and content in bulk. Organizations can also use it to manage their Apple IDs. In addition, Apple Business Manager supports role-based access control, allowing administrators to assign roles based on job responsibilities.
Although Apple Business Manager can manage an organization's Apple IDs, this does not mean users must use an Apple ID to sign in to their devices. Instead, Apple allows organizations to link Apple Business Manager to an identity provider, such as Active Directory. Doing so allows users to log on using their normal credentials -- typically, an email address and password -- even though they are working from an Apple device.
If an organization chooses to support federated authentication, it must add its domain to Apple Business Manager and complete domain verification. The organization must then establish an OpenID Connect connection before testing and fully enabling federated authentication.
It is worth noting that while Apple School Manager and Apple Business Manager are both designed to assist with the enrollment and management of Apple devices, these services are designed to work with, not replace, other MDM tools already in use. Apple Business Manager, for example, is designed to allow organizations to add their Apple device inventory to their existing MDM offering.
Not surprisingly, numerous third-party MDM platforms are designed to work with Apple School Manager or Apple Business Manager. Microsoft, for example, provides a comprehensive tutorial explaining how to set up Microsoft Intune enrollment for devices listed in Apple Business Manager. Other MDM tools that work with Apple endpoints include Kandji, Jamf Pro, JumpCloud and ManageEngine.
Although all third-party MDM tools use the same APIs to integrate with Apple's management tools, some will inevitably provide a better, more seamless experience than others.
Considerations for selecting an MDM platform
Organizations already using an MDM platform to manage PCs and mobile devices should evaluate whether it adequately supports Apple devices before considering a change. Replacing an existing MDM platform could introduce additional expenses, increase implementation efforts and expand training requirements for IT staff.
For organizations shopping for a new MDM platform, ease of use is important. Some MDM tools are easier to use than others. Likewise, some tools work well with PCs but provide a subpar experience for managing other types of devices.
Scalability is also important. Some MDM tools are specifically designed for use in smaller environments. Similarly, tools can become cost-prohibitive as the number of managed devices increases.
Finally, it is essential to consider the total cost of ownership, which goes beyond the license cost to include other hidden costs such as training or support contracts.
Declarative management
In addition to traditional MDM approaches, Apple supports declarative device management (DDM), which extends existing MDM capabilities by letting devices apply settings asynchronously, reducing the need for continuous server communication and enabling more timely status reporting.
However, the benefits and capabilities of DDM are not consistent across all Apple devices. Some configurations require newer OS versions, and certain capabilities depend on devices being enrolled through Automated Device Enrollment, Device Enrollment or a similar method.
Managing Apple devices is no longer just an IT task -- it is a core part of enterprise endpoint security and governance.
Declarative device management enables organizations to define desired states using declarations that devices evaluate locally. The following four primary types of declarations are used:
Configurations. These define settings, restrictions and account configurations. They are like traditional configuration profiles but are evaluated on the device.
Assets. These provide reusable reference data used by configurations, such as user identity details or authentication credentials.
Activations. These group configurations and define the conditions under which they are applied. For example, an activation might apply only to devices of a certain type or OS version.
Management. This communicates the device's state and support status, enabling it to share details on its current configuration and compliance status.
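To make the local-evaluation model concrete, the following added example (not code from the article or from Apple) models a small set of declarations and shows how a device would decide which configurations to apply and which declarations it must re-fetch after a sync. The Type strings follow Apple's DDM naming convention; the identifiers, ServerToken values, payload contents and the simplified predicate grammar are assumptions for illustration.

```python
import operator, re

# Constructed sample declarations (added example, not from the article or Apple); Type strings follow
# Apple's DDM naming, while identifiers, tokens and payload values are illustrative only.
DECLARATIONS = {
    "cfg.passcode": {"Type": "com.apple.configuration.passcode.settings", "Identifier": "cfg.passcode",
                     "ServerToken": "t1", "Payload": {"MinimumLength": 8, "RequireComplexPasscode": True}},
    "act.baseline": {"Type": "com.apple.activation.simple", "Identifier": "act.baseline", "ServerToken": "t1",
                     "Payload": {"StandardConfigurations": ["cfg.passcode"],
                                 "Predicate": "device.operating-system.version >= 17.0"}},
    "act.legacy": {"Type": "com.apple.activation.simple", "Identifier": "act.legacy", "ServerToken": "t1",
                   "Payload": {"StandardConfigurations": ["cfg.missing"],
                               "Predicate": "device.operating-system.version < 17.0"}},
}
_OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq, ">": operator.gt, "<": operator.lt}
_PRED = re.compile(r"^\s*([\w.\-]+)\s*(>=|<=|==|>|<)\s*([\w.\-]+)\s*$")

def _as_version(value):
    # Numeric tuple comparison, so "17.10" sorts after "17.2" (plain string comparison gets this wrong)
    return tuple(int(p) for p in str(value).split("."))

def predicate_holds(predicate, status):
    """Evaluate one 'status-key OP value' predicate against the device's status items.
    Deliberately simplified relative to Apple's NSPredicate syntax (assumption)."""
    if not predicate:
        return True  # an activation without a predicate always applies
    m = _PRED.match(predicate)
    if not m: raise ValueError(f"unsupported predicate: {predicate!r}")
    key, op, value = m.groups()
    if key not in status:
        return False  # unknown status item: fail closed instead of applying blindly
    return _OPS[op](_as_version(status[key]), _as_version(value))

def active_configurations(declarations, status):
    """Return (configuration ids the device should apply, references it cannot resolve)."""
    active, dangling = set(), set()
    activations = [d for d in declarations.values() if d["Type"] == "com.apple.activation.simple"]
    for payload in (a["Payload"] for a in activations if predicate_holds(a["Payload"].get("Predicate"), status)):
        for ident in payload["StandardConfigurations"]:
            target = declarations.get(ident)
            if target and target["Type"].startswith("com.apple.configuration."):
                active.add(ident)
            else:
                dangling.add(ident)  # misconfigured activation: surface it instead of silently ignoring it
    return active, dangling

def stale_declarations(cached, manifest):
    """Identifiers whose ServerToken is new or changed: the only items the device must
    fetch on its next sync, which is how DDM avoids re-pushing the whole policy set."""
    return {ident for ident, token in manifest.items() if cached.get(ident) != token}
```

Running `active_configurations(DECLARATIONS, {"device.operating-system.version": "17.2"})` activates only the passcode configuration, while a device reporting 16.4 matches the legacy activation and surfaces its dangling `cfg.missing` reference.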
Strategies for getting started
For organizations considering implementing MDM for Apple devices, there are several broad strategies they can adopt to make deployment more successful:
Standardize Apple environments. Align device types, security configurations and applications. Greater consistency simplifies deployment and ongoing maintenance.
Segment users by role. A single device profile rarely fits all use cases. Divide users into groups based on their job roles and apply role-specific configurations.
Align security policies with compliance requirements. Determine and enforce Apple device policies that align with compliance mandates.
Build an enterprise app store, if one is not in place. Manage app access through an app store rather than relying on a public app store to improve governance and visibility.
Use MDM to monitor the organization's Apple endpoints. Use MDM tools to detect deviations from security baselines and take corrective action.
Brien Posey is a former 22-time Microsoft MVP and Commercial Astronaut Candidate. During his 30+ year IT career, Posey has served as the CIO for a national chain of hospitals and healthcare facilities and as the lead network engineer for the U.S. Department of Defense at Fort Knox. He has also worked as a network administrator for some of the largest insurance companies in America.