
A COMPREHENSIVE GUIDE

Apple Device Management for Beginners

According to Forbes, Apple device growth in the enterprise is 20% year over year.

As Apple device adoption rises in business and education environments around the globe, it’s imperative that investments are maximized so that organizations can leverage Mac, iPad, iPhone and Apple TV to their full potential. This can put a heavy burden on IT staff that are tasked with managing this influx of new devices – especially those of you in established Windows environments. As remote work and distance learning become the new normal, managing devices from initial setup to ongoing support is critical.

While some are very familiar with Apple already, many of you are diving into Apple device management for the first time. This guide is for the latter, and will help you build and master your Apple management skills by providing:

• Introduction to Apple device management (page 3)
• Apple services and programs overview (page 5)
• Understanding Apple lifecycle management (page 7)
• Insight for infrastructure planning (page 24)
• Industry-leading Apple Enterprise Management (page 25)

Introduction to Apple device management

How MDM works

Most Apple devices are able to understand and apply settings such as remote wipe or passcode restrictions thanks to a built-in mobile device management (MDM) framework. Two core components of the MDM framework are configuration profiles and management commands.

These components reach the device via the Apple Push Notification service (APNs), which is kept private to your organization by obtaining a push certificate from Apple. APNs then maintains a constant connection to devices so you don’t have to. Devices communicate back to your management server and receive the commands, settings, configurations or apps you define.

When thinking about how to manage Apple devices, it’s helpful to break the lifecycle down into common tasks you might do. These tasks are the same regardless of whether you are managing Apple devices, non-Apple devices or a combination of both.

Configuration profiles define various settings for your Apple devices and tell the device how to behave. They can be used to automate configuring passcode settings, Wi-Fi passwords and VPN configurations. They can also be used to restrict items such as device features (for example, web browsers) or the ability to rename a device. These profiles can all be specified and deployed through your MDM solution.

Management commands are singular commands that you can send to your managed devices to take specific actions. Has a device gone missing? Put it into Lost Mode or send a remote wipe command. Need to update the OS? Send the command to download and install updates. These are just a few examples of the different actions you can take on a fully managed Apple device.

MDM and client management

While Apple’s MDM framework provides the necessary control over iPadOS, iOS and tvOS devices, macOS is a robust platform that may require more advanced functionality. Leveraging client management (only available for macOS) allows you to install a Mac agent, or binary, immediately after the device is enrolled into management. This agent enables a hidden admin account to be added, allowing for remote root access to macOS, and opens the door for more policies and scripts to be run on a Mac. Since agent-based Mac management goes beyond the built-in MDM, you need a third-party solution, such as Jamf Pro, to take advantage of advanced Mac management.

Examples of Client Management Functions

• Install PKG/DMG
• Enforce FileVault
• Bind to Directory
• Run Scripts
• Customize Dock
• Set EFI Password
• Install Printers
• Create Accounts
• Set Update

Apple services and programs

As Apple devices became more popular in the enterprise and education, challenges arose about how to best deploy devices at scale, how to address Apple IDs and the purchasing of apps. Apple, of course, looked to solve these issues and introduced various programs and services to take device management one step further, making it easier and more cost effective to manage devices in bulk. Not every Apple device management solution supports Apple’s programs and services. Check with your vendor to ensure they support these programs, as well as the incremental changes Apple makes throughout the year.

Automated Device Enrollment

This automated enrollment allows you to configure any Mac, iPad, iPhone or Apple TV purchased from Apple or an Apple authorized reseller and customize each device for your users – all without ever having to touch the device. Hardware purchases are associated with your Apple customer number or reseller ID and automatically enroll a device into management under an Apple management solution. Automated Device Enrollment enables you to provide a great zero-touch experience for end users. They simply open up the box, turn on the device and get to work — regardless of whether your employees are on-site or remote.

Volume Purchasing of Apps and Books

You can purchase and license apps and books in bulk from Apple, and distribute them to individuals via Apple ID or directly to devices without an Apple ID. Apps can later be reassigned as deployment needs change. You can link a token (received from Apple) to your MDM solution for assignment and distribution. If you’re an education institution, your instance is built directly within Apple School Manager (see the Apple School Manager section).

Device Supervision

Supervision is a special mode of iPadOS, iOS and tvOS management where IT is granted greater control over devices they own when enrolled via Automated Device Enrollment, Approved MDM or Apple Configurator. A large number of management features, including Managed Lost Mode, blocking apps and silently installing apps, require supervision. It is recommended that corporate-owned and school-owned devices be put into supervision mode.

Apple IDs

Apple IDs are the personal account credentials users use to access Apple services such as the App Store, iTunes Store, iCloud, iMessage and more. Depending on the needs of your organization, your end users can leverage their Apple ID on the job, or you can avoid using Apple IDs altogether. If you’re an education institution, your students will receive a different type of Apple ID (see next page).

Apple School Manager

Launched in 2017, Apple School Manager is a web-based portal for IT administrators to oversee people, devices and content – all from one place. Exclusively for education, Apple School Manager combines Automated Device Enrollment and Volume Purchasing of Apps and Books and other management tools, such as the Classroom app, in one portal. Apple School Manager enables Managed Apple IDs and Shared iPad and can be integrated with your school’s student information system (SIS).

Apple Business Manager

Apple Business Manager is the platform for IT teams and businesses to pair with an MDM solution to automate device deployment, app deployment and purchasing, and content distribution. Similar to Apple School Manager, it combines the power of Automated Device Enrollment and Volume Purchasing in one central location.

Managed Apple IDs

For education institutions, Managed Apple IDs are a special type of Apple ID for students. They don’t require special permission, and they allow you, as an IT admin, to create and dynamically update user information. Managed Apple IDs are created in the Apple School Manager portal and can sync with Classroom, as well as your school’s SIS.

Shared iPad

By offering students a personalized learning experience, Shared iPad extends the value of an iPad device. Several students, each with their own unique ID, can log in and out while their apps, content and work stay intact. Shared iPad is only available for education institutions and requires Apple School Manager.

Understanding Apple lifecycle management

Apple’s device management framework, commonly referred to as the MDM framework, includes six key elements across the entire lifecycle of your Apple devices. MDM is Apple’s built-in management framework — available for macOS, iPadOS, iOS and tvOS — and aids with these functions:

Lifecycle management stages

1. Deployment and Provisioning: getting devices into the hands of end users.
2. Configuration management: applying the correct settings to devices.
3. App management: ensuring the correct software and apps are on each device.
4. Inventory: reporting on the status of each device.
5. Security: securing devices to organizational standards.
6. User empowerment: allowing users to self-help when they require resources and services.

From initial deployment to the end-user experience, it’s critical to understand, manage and support the entire lifecycle of the devices in your environment. This ensures both the security and maximized potential of your Apple devices.

1 Deployment and Provisioning

Before configuring devices for end users, devices must be enrolled into management within an MDM solution. There are several enrollment methods available, but the two highlighted below are recommended for enterprise and education institutions looking for a streamlined and positive end user experience:

Automated Device Enrollment with Apple School Manager or Apple Business Manager
• Description: automatic enrollment over the air
• User experience: user receives a shrink-wrapped box, and the device is automatically configured when turned on
• Supervision (iOS only): yes – wirelessly
• Best for: shipping devices to remote employees or students, or speeding up the onboarding process; providing users an out-of-box experience

User-initiated enrollment URL
• Description: manual enrollment over the air
• User experience: user visits a specific URL to configure their device
• Supervision (iOS only): no
• Best for: unmanaged devices currently in the field or devices that need to be re-enrolled into a new MDM server

Apple Configurator (iOS and tvOS only)
• Description: enrollment through a Mac app that connects to devices via USB (does not apply to Apple TV 4K)
• User experience: IT manages the setup process and hands devices to users
• Supervision (iOS only): yes — wired
• Best for: shared and cart-device models, labs

BEST PRACTICE
Automated Device Enrollment with Apple Business Manager

1. Sign up for DEP via Apple’s website and add your MDM server to the DEP portal.
2. Purchase devices and link them to your account. Ship them directly to users.
3. As a user turns their device on for the first time, the device will automatically be enrolled — no additional interaction is needed.
4. The device enrolls with the MDM server. Prepare any configuration profiles and apps you’d like to apply to devices.
5. The device receives the configurations and apps scoped to it, and the user is brought to the Home screen. The device is now managed and configured — all without IT having to touch it!

If using a cloud identity provider, devices can be provisioned with the appropriate applications and services based on the user’s cloud identity and can be accessed with a single set of cloud identity credentials.

BEST PRACTICE
Automated Device Enrollment with Apple School Manager

1. Sign up for Apple School Manager via https://school.apple.com/ and add your MDM server to the Apple School Manager portal.
2. Purchase devices and link them to your account. Ship them directly to users.
3. As a user turns their device on for the first time, the device will automatically be enrolled — no additional interaction is needed.
4. The device enrolls with the MDM server. Prepare any configuration profiles and apps you’d like to apply to devices.
5. The device receives the configurations and apps scoped to it, and the user is brought to the Home screen. The device is now managed and configured — all without IT having to touch it!

2 Configuration management

When it comes to configuring Apple devices, the world is your oyster. You can personalize and tailor individual devices or groups of devices based on the needs of your end users.

Don’t know where to start? Check out a list of MDM configuration profiles here, or join the conversation on Jamf Nation.

Configuration Profiles

Define settings within iOS, iPadOS, macOS and tvOS by creating configuration profiles. These small XML files can be distributed to devices utilizing a management solution. You can apply Wi-Fi, VPN, email settings and more so users can seamlessly connect to the resources they need.

Policies

Unique to macOS client management, policies go beyond the basic device management capabilities of MDM configuration profiles and help you install custom software and printers, manage local user accounts and conduct advanced management workflows.

Smart Targeting

Collect inventory details, including custom inventory attributes you define, for all of your managed devices, to identify which ones require software updates, security hardening or other management actions. If your device management solution allows, you can build groups based on inventory criteria and then trigger device management tasks automatically for specific individuals or groups, or make items available to users with an enterprise app catalog.

Scripts

Part of policies, run scripts on macOS utilizing the Apple device management capabilities within your client management solution. Anything that can be executed in Terminal via the command line can be turned into a script. The ability to run scripts provides far more flexibility than standard configuration profiles, and opens the door to infinite device management capabilities.
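The "small XML files" mentioned above are property lists (plists) with a fixed envelope: a top-level "Configuration" payload wrapping one payload per setting type. The following is an added example, not code from the guide or from Jamf. It builds a profile with a passcode policy and a restrictions payload, serializes it to the .mobileconfig XML an MDM distributes, and lints the result for the mistakes that make a profile fail to install or do less than intended (missing envelope keys, duplicate identifiers or UUIDs, a weak passcode policy). The PayloadType and setting keys are Apple's published profile keys; the organization name, reverse-DNS identifier and threshold values are constructed for this example.

```python
"""Build and lint an Apple configuration profile (.mobileconfig) with plistlib.

Added example, not the guide's or Jamf's own code. Payload keys are from
Apple's configuration profile reference; identifiers, organization and
threshold values are constructed placeholders.
"""
import plistlib
import uuid

ORG = "Example Corp (constructed)"
BASE_ID = "com.example.mdm"        # constructed; use your own reverse-DNS prefix


def _payload(payload_type, suffix, display_name, **settings):
    """Envelope keys every payload needs, plus the payload-specific settings."""
    payload = {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{BASE_ID}.{suffix}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadOrganization": ORG,
    }
    payload.update(settings)
    return payload


def build_profile(min_length=6, max_failed=10, allow_camera=False):
    """Return a profile dict with a passcode policy and a restrictions payload."""
    passcode = _payload(
        "com.apple.mobiledevice.passwordpolicy", "passcode", "Passcode policy",
        allowSimple=False,             # no repeating or sequential passcodes
        requireAlphanumeric=True,
        minLength=min_length,
        maxFailedAttempts=max_failed,  # device erases itself after this many failures
        maxInactivity=5,               # minutes of inactivity before auto-lock
    )
    restrictions = _payload(
        "com.apple.applicationaccess", "restrictions", "Device restrictions",
        allowCamera=allow_camera,
        allowSafari=False,
        forceEncryptedBackup=True,
    )
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{BASE_ID}.baseline",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Baseline security profile",
        "PayloadOrganization": ORG,
        "PayloadRemovalDisallowed": True,  # honoured on supervised devices
        "PayloadContent": [passcode, restrictions],
    }


def to_mobileconfig(profile):
    """Serialize to the XML plist bytes an MDM server would distribute."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


REQUIRED = ("PayloadType", "PayloadVersion", "PayloadIdentifier", "PayloadUUID")


def lint_profile(data):
    """Parse serialized profile bytes and return a list of problems (empty if clean)."""
    problems = []
    profile = plistlib.loads(data)
    if profile.get("PayloadType") != "Configuration":
        problems.append("top-level PayloadType must be 'Configuration'")
    seen_ids, seen_uuids = set(), set()
    for p in [profile] + profile.get("PayloadContent", []):
        name = p.get("PayloadDisplayName", "?")
        for key in REQUIRED:
            if key not in p:
                problems.append(f"{name}: missing {key}")
        if p.get("PayloadIdentifier") in seen_ids:
            problems.append(f"duplicate PayloadIdentifier {p['PayloadIdentifier']}")
        if p.get("PayloadUUID") in seen_uuids:
            problems.append(f"duplicate PayloadUUID {p['PayloadUUID']}")
        seen_ids.add(p.get("PayloadIdentifier"))
        seen_uuids.add(p.get("PayloadUUID"))
        if p.get("PayloadType") == "com.apple.mobiledevice.passwordpolicy":
            if p.get("minLength", 0) < 6 or p.get("allowSimple", True):
                problems.append("passcode policy weaker than the 6-digit, non-simple baseline")
    return problems


if __name__ == "__main__":
    blob = to_mobileconfig(build_profile())
    print(blob.decode())
    print("problems:", lint_profile(blob))   # problems: []
```

Duplicate PayloadUUID values are worth checking because they are a common copy-and-paste error when profiles are hand-edited: the device treats the UUID as the identity of the payload, so a reused value can cause one payload to replace another instead of both applying.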

3 App management

App fundamentals

Apple devices are wildly popular among consumers because of the native learning and productivity tools available right out of the box, but the rich selection of apps in the App Store is what sets the Apple ecosystem apart. With a device management solution in place to manage your app deployments, you ensure users have the apps they need — configured for their use and secured for your environment. Whether your organization is choosing to utilize Apple’s built-in apps, one (or many) of the millions of apps from the App Store or creating your own in-house custom apps, you need to ensure users have all the apps they need and are properly secured within your environment. Here are three app management options you can utilize for your devices:

• Deploy apps with Apple School Manager or Apple Business Manager
• Place apps in an on-demand Self Service catalog with Jamf Pro (more below)
• App deployment for Apple TV

Today, we are all familiar with the App Store on our iPhone, iPad and Apple TV devices. They are the only way for consumers to get apps on their devices. Apple reviews the developer’s code to ensure security and performance. This is one of the reasons why Apple enjoys a strong security reputation. For the Mac, however, you can also get software outside of the App Store. Popular titles not in the App Store include Office and Adobe Creative Suite, so it’s important to have a Mac client management tool that’s able to deploy custom software. Some management tools, like Jamf Pro, have the ability to build custom .pkg or .dmg (Mac software install file types) by creating a before and after snapshot of an installation. That software package can then be deployed to managed Macs – all without users needing to be admins.

SOFTWARE INSTALLS AND PATCHING

For software that is in the App Store, we can use an Apple program to license and distribute apps to devices, all without needing Apple IDs. For custom software, the workflow is:

1. Take snapshots of software installs.
2. Create a custom .pkg or .dmg.
3. Push install via the Jamf Agent.

When deploying App Store apps via Apple Business Manager or Apple School Manager, you gain extra security and configurations for that app (iOS only). Here’s what’s possible:

What is a Managed App?

Introduced in iOS 5, managed apps differ from a standard app because they are flagged as owned by an organization. Specifically, managed apps are distributed via MDM technology and can be configured and reassigned by MDM.

Managed Open In

Managed Open In takes the concept of managed apps a step further by controlling the flow of data from one app to another. With MDM, organizations can restrict what apps are presented in the iOS share sheet for opening documents. This allows for truly native data management without the need for a container.

App Configurations

Sometimes deploying an app isn’t enough and you’d like to pre-customize some of the settings. This is the premise for app configurations. App developers can define what settings can be pre-configured by an MDM server for their app. For example, you could deploy the Box app with the server URL pre-populated so users only need to enter their username and password to get the app up and running.
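Both the management commands described under "How MDM works" (Lost Mode, remote wipe, update) and the app configuration described here travel over the same exchange: the server queues a command, APNs wakes the device, the device fetches the command and replies with a status. The following is an added example, not code from the guide or from Jamf, that simulates that exchange in memory so the message shapes and the failure cases can be seen. The RequestType names and keys (EnableLostMode with Message and PhoneNumber; InstallApplication with iTunesStoreID, ManagementFlags and a Configuration dictionary that pre-populates app settings) are Apple's MDM protocol keys; the server, the "device", its supervision check and the push are constructed stand-ins, so nothing contacts Apple or a real device.

```python
"""Simulated MDM command exchange: server queues plist commands, device replies.

Added example, not the guide's or Jamf's own code. Command keys follow
Apple's MDM protocol; the server/device/push objects are constructed
in-memory stand-ins for illustration only.
"""
import plistlib
import uuid
from collections import deque


class MdmServer:
    def __init__(self):
        self.queues = {}    # UDID -> deque of pending command dicts
        self.results = []   # (CommandUUID, Status) in the order devices replied

    def queue(self, udid, request_type, **params):
        """Queue a command; in a real deployment an APNs push follows."""
        command = {"CommandUUID": str(uuid.uuid4()).upper(),
                   "Command": {"RequestType": request_type, **params}}
        self.queues.setdefault(udid, deque()).append(command)
        return command["CommandUUID"]

    def next_command(self, udid):
        """Serialized head of the queue, or None. A command stays queued until answered."""
        pending = self.queues.get(udid)
        return plistlib.dumps(pending[0]) if pending else None

    def receive(self, response_bytes):
        """Record the reply; NotNow keeps the command queued so the next push retries it."""
        reply = plistlib.loads(response_bytes)
        pending = self.queues[reply["UDID"]]
        if pending[0]["CommandUUID"] != reply["CommandUUID"]:
            raise ValueError("reply does not match the outstanding command")
        if reply["Status"] != "NotNow":
            pending.popleft()
        self.results.append((reply["CommandUUID"], reply["Status"]))
        return reply["Status"]


class Device:
    """Constructed stand-in for a managed iPad; supervision gates what it will do."""

    def __init__(self, udid, supervised):
        self.udid, self.supervised = udid, supervised
        self.lost_mode, self.lock_message, self.busy = False, None, False
        self.managed_apps = {}  # iTunesStoreID -> managed app configuration

    def check_in(self, server):
        """Fetch one command, act on it, send the reply. Returns the status or None."""
        blob = server.next_command(self.udid)
        if blob is None:
            return None
        command = plistlib.loads(blob)
        body = command["Command"]
        reply = {"UDID": self.udid, "CommandUUID": command["CommandUUID"]}
        if self.busy:
            reply["Status"] = "NotNow"          # device cannot act yet; server retries later
        elif body["RequestType"] == "EnableLostMode":
            if not self.supervised:             # Lost Mode requires a supervised device
                reply["Status"] = "Error"
                reply["ErrorChain"] = [{"LocalizedDescription": "requires supervision"}]
            else:
                self.lost_mode, self.lock_message = True, body.get("Message")
                reply["Status"] = "Acknowledged"
        elif body["RequestType"] == "InstallApplication":
            self.managed_apps[body["iTunesStoreID"]] = body.get("Configuration", {})
            reply["Status"] = "Acknowledged"
        else:
            reply["Status"] = "CommandFormatError"
        return server.receive(plistlib.dumps(reply))


def apns_push(server, device):
    """Stand-in for an APNs wake-up: the device drains its queue until empty or NotNow."""
    statuses = []
    while (status := device.check_in(server)) is not None:
        statuses.append(status)
        if status == "NotNow":
            break
    return statuses


if __name__ == "__main__":
    server, ipad = MdmServer(), Device("UDID-CONSTRUCTED-1", supervised=True)
    server.queue(ipad.udid, "EnableLostMode", Message="Please return to IT (constructed)",
                 PhoneNumber="+1 555 0100")
    server.queue(ipad.udid, "InstallApplication", iTunesStoreID=123456789,
                 ManagementFlags=1, Configuration={"serverURL": "https://files.example.invalid"})
    print(apns_push(server, ipad))   # ['Acknowledged', 'Acknowledged']
```

The two failure paths are the ones an administrator actually sees in an MDM console: an unsupervised device answers Lost Mode with an Error (which is why the guide recommends supervising organization-owned devices), and a device that cannot act yet answers NotNow, which the server must keep queued rather than treat as done.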

BEST PRACTICE
Deploy Apps with Apple Business Manager for the Enterprise

Apple Business Manager for enterprises: the ability to purchase apps in bulk and automatically distribute them.

1. Sign up via Apple’s website and link your account to your MDM server.
2. Find and purchase app licenses from the web store. You will also need to “purchase” free apps.
3. Add your app licenses to your MDM server, including free apps.
4. Choose to assign apps to either devices directly or to a user’s Apple ID.
5. Device assignment: apps are deployed directly to the device. No interaction or Apple ID required.
   User assignment: invite users to participate in your deployment via email or push notification. Apps are linked to a user’s Apple ID and are found in the Purchased tab of the App Store.

BEST PRACTICE
Deploy Apps with Apple School Manager for Education

Apple School Manager for education: a web portal to set up Apple IDs, manage device enrollment and distribute apps – all from one location.

1. Sign up for Apple School Manager via https://school.apple.com/ and add your MDM server to the Apple School Manager portal.
2. Find and purchase app licenses from the Apple School Manager web store. You will also need to “purchase” free apps.
3. Add your app licenses to your MDM server, including free apps.
4. Apps are deployed directly to the device. No interaction or Apple ID required.

BEST PRACTICE
App Deployment for Apple TV

Apple TV provides support for enterprise apps (commonly referred to as in-house apps). These apps can be uploaded to your management server and pushed out to your Apple TV devices automatically and without Apple IDs, just like your iOS devices. Popular enterprise apps for Apple TV include digital signage, emergency alerts and more.

Want the ins and outs of Apple TV deployment? Check out our Apple TV Management white paper.

Configuration profiles

Using an MDM solution, IT can define settings with tvOS configuration profiles and distribute them to Apple TV devices. As a result, Wi-Fi, restrictions and AirPlay settings are more easily applied over the air. Further, Apple TV devices can be put in Single App Mode to customize the Apple TV experience by class, or in Conference Display Mode for an intuitive presentation workflow.

Smart targeting

With the ability to automatically collect inventory details, including Apple TV device names, from all managed devices, IT can quickly and accurately identify which devices require action. Based on this inventory information, IT can build targeted groups to trigger automatic device management tasks. For example, IT can find all Apple TV devices without AirPlay settings configured and then deploy that configuration.

Custom app and display support

If and when businesses create unique app experiences to deliver a customized full-screen experience, IT can leverage MDM to deploy custom apps over the air. Additionally, with the latest tvOS, IT can now set a Home Screen layout, show/hide apps as well as restrict media content based on age guidance.

4 Inventory

MDM solutions are capable of querying an Apple device to collect a large amount of inventory data, ensuring you always have up-to-date device information and can make informed management decisions. Inventory can be collected from a device at various intervals and includes serial number, OS version, apps installed and much more.

Examples of data collected with MDM

Hardware Details
• Device Type
• Device Model
• Device Name
• Serial Number
• UDID
• Battery Level

Software Details
• OS Version
• List of Apps Installed
• Storage Capacity
• Available Space
• iTunes Store Status

Management Details
• Managed Status
• Supervised Status
• IP Address
• Enrollment Method
• Security Status

Additional Details
• Profiles Installed
• Certificates Installed
• Activation Lock Status
• Purchasing Information
• Last Inventory Update

Why does inventory matter?

You can’t manage what you can’t measure. The inventory data your MDM solution collects can be used for a wide range of business needs and empowers you to answer common questions like:

• Are all my devices secure?
• How many apps do we have deployed?
• What version of iOS, iPadOS, macOS and tvOS are certain devices running?

Some management solutions even allow you to collect extra (custom) inventory about specific hardware and software add-ons. For example, you can figure out when a third-party backup utility last ran or what printer drivers are installed.

Smart targeting

By leveraging inventory data, smart targeting enables you to dynamically group devices and deploy configuration profiles and restrictions to those devices. At Jamf, this is referred to as Smart Groups.

STATIC VS. SMART GROUPS

Static Groups are a set of devices that are defined, like a classroom or a lab (devices 1 through 6 in the figure). You can apply a management policy to that entire group.

Patented Smart Groups, on the other hand, are dynamic and always changing based on inventory data. This enables you to dynamically group devices and deploy configuration profiles and restrictions to those devices. The figure’s example query: find all Macs with 8GB RAM, with 80% full hard drives, running 10.12.2 or higher, then apply a profile or policy.
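To make the inventory attributes listed under "Examples of data collected with MDM" and the Smart Group query in the figure concrete, here is an added example, not code from the guide or from Jamf. It evaluates the figure's query (Macs with 8GB RAM, 80% full disks, macOS 10.12.2 or higher) as a list of (attribute, operator, value) criteria ANDed over inventory records, and generalizes to any such criteria list. The inventory records and their field names are constructed for this example; a real MDM's inventory schema will differ. The one detail worth noticing is version comparison: compared as strings, "10.9.5" sorts after "10.12.2", so a naive check would wrongly put an old Mac into the "10.12.2 or higher" group.

```python
"""Evaluate Smart Group-style inventory criteria offline.

Added example, not the guide's or Jamf's own code. Inventory records and
field names are constructed; criteria follow the figure's example query.
"""
import operator
import re


def parse_version(text):
    """Turn '10.12.2' into (10, 12, 2) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in re.findall(r"\d+", text))


# Operator names modelled on the wording of an MDM's criteria picker.
OPS = {
    "is": operator.eq,
    "is not": operator.ne,
    "greater than": operator.gt,
    "less than": operator.lt,
    "greater than or equal": operator.ge,
    "less than or equal": operator.le,
}

# Attributes whose raw inventory value must be normalized before comparing.
TRANSFORMS = {"os_version": parse_version}


def matches(device, criteria):
    """True when the device satisfies every (attribute, operator, value) criterion."""
    for attribute, op_name, expected in criteria:
        actual = device.get(attribute)
        if actual is None:
            return False   # attribute never reported: treat as not matching
        normalize = TRANSFORMS.get(attribute, lambda v: v)
        if not OPS[op_name](normalize(actual), normalize(expected)):
            return False
    return True


def smart_group(inventory, criteria):
    """Return the names of devices whose current inventory satisfies the criteria."""
    return [d["name"] for d in inventory if matches(d, criteria)]


# Constructed inventory records (field names are this example's, not any MDM's).
INVENTORY = [
    {"name": "mac-01", "type": "Mac", "ram_gb": 8, "os_version": "10.12.2", "disk_used_pct": 85},
    {"name": "mac-02", "type": "Mac", "ram_gb": 8, "os_version": "10.9.5", "disk_used_pct": 90},
    {"name": "mac-03", "type": "Mac", "ram_gb": 16, "os_version": "10.14.1", "disk_used_pct": 95},
    {"name": "mac-04", "type": "Mac", "ram_gb": 8, "os_version": "10.13.6", "disk_used_pct": 40},
    {"name": "mac-05", "type": "Mac", "ram_gb": 8, "os_version": "11.2", "disk_used_pct": 82},
    {"name": "ipad-01", "type": "iPad", "ram_gb": 4, "os_version": "13.4", "disk_used_pct": 88},
]

# The figure's query: all Macs with 8GB RAM, 80% full disks, running 10.12.2 or higher.
FIGURE_CRITERIA = [
    ("type", "is", "Mac"),
    ("ram_gb", "is", 8),
    ("disk_used_pct", "greater than or equal", 80),
    ("os_version", "greater than or equal", "10.12.2"),
]

if __name__ == "__main__":
    print(smart_group(INVENTORY, FIGURE_CRITERIA))   # ['mac-01', 'mac-05']
```

Because membership is recomputed from the latest inventory each time, a device that frees disk space or upgrades drops out of the group on its next inventory update, which is exactly the "always changing" behaviour the text attributes to Smart Groups.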

5 Security

The security and privacy of devices and access to corporate resources are a top priority for any organization. To address these worries, Apple has a number of security features built right into macOS, iPadOS, iOS and tvOS. Coupled with an MDM solution, you can ensure that your Apple devices are not only secure, but your apps and network are as well.

iOS/iPadOS Security Features: Software Updates, Secure App Store, Touch ID, Hardware Encryption, App Sandboxing, Privacy, Supervision.

macOS Security Features: System Integrity Protection (SIP), Gatekeeper, Updates, App Store, FileVault Encryption, XProtect, App Sandboxing, Privacy.

tvOS leverages many of the security features found in iOS, such as direct software updates from Apple, vetted and secure App Store apps, app data protection with App Sandboxing and deeper levels of management through supervision. With management, Apple TV settings can be deployed to automate AirPlay security. This allows you to pair Apple devices with Apple TVs, so only the appropriate devices share their screens wirelessly.

Apple security features

UNIX is the foundation for Apple’s operating systems, providing a strong kernel at the core. Apple’s OSs are built with security in mind and have unique security settings added. Those settings can be managed via an MDM solution. Additionally, utilizing Apple’s deployment programs with an MDM solution allows for even more management of those settings within your environment. The figure shows these as layers, from the bottom up: UNIX (foundation for Apple’s OSs), Apple OSs, Management, Apple’s deployment programs.

MDM security commands for macOS, iOS, iPadOS and tvOS

macOS
• Enforce FileVault
• Enforce Gatekeeper settings
• Set software update
• Lock, wipe and restart computer
• Delete restricted apps
• Remove MDM

iOS/iPadOS
• Enable Lost Mode
• Lock and wipe a device
• Remote wipe
• Update iOS
• Clear restrictions and passcodes
• Remove MDM

tvOS
• Remote wipe
• Restart device
• Single App Mode
• Delete restricted apps

MDM Lost Mode for iOS/iPadOS

By utilizing Apple’s Lost Mode with an MDM solution, you can lock, locate and recover lost or stolen iOS and iPadOS devices without compromising privacy through ongoing tracking. When Lost Mode is enabled, iOS devices receive a customized lock screen message, are disabled from use and send their location to IT.

Conditional access

For organizations leveraging Windows Azure AD and Office 365, it’s critical to implement a conditional access path for Mac devices. Best-of-breed MDM solutions offer built-in conditional access integrations. For more information go here.

Software updates

By developing major versions of macOS, iOS, iPadOS and tvOS annually, Apple has set the pace of innovation. Each year, Apple unveils new and great consumer features, but also adds layers of security and fixes vulnerabilities. These updates can be critical for devices used by employees or students in order to protect their data. Your management solution not only needs to be able to deploy updates from Apple, but also needs to quickly support (ideally on day zero) all the new management features that come with them.

6 User empowerment and adoption

With the rise in self-sufficiency tools like Lyft, Prime and WebMD, today’s workforce expects to get the tools they want, when they need them. Enterprise app catalogs meet the needs of users by empowering them with instant access to resources, content, tier one help and trusted apps through a single click from their device — all without submitting a ticket to IT.

With enterprise app catalogs, users have the ability to access:
• App Store, B2B, in-house apps and third-party software
• Email, VPN and other configurations
• E-books and guides
• Bookmarks
• Printer mapping and drivers
• Help desk ticketing and hardware requests
• Password resets and compliance information
• Basic maintenance and system diagnostics
• Software and OS upgrades
• Single Sign-on (SSO) integration
• Localized language support for English, French, German, Japanese and Simplified Chinese

(Figure: app catalog for Mac; app catalog for mobile.)

Example: Jamf Self Service for macOS, iOS and iPadOS offers a branded app catalog that can integrate seamlessly into any organization's internal resources or corporate intranet.

Benefits of on-demand app and resource catalogs

What’s in it for IT
• Reduce help desk tickets and support costs while maintaining control of your environment
• Automatically install an app catalog like Jamf Self Service on any managed Mac, iPad or iPhone
• Integrate with directory services to personalize content based on department, user role, location and more
• Automate common IT tasks, such as password resets and system diagnostics, for tier-zero support

What’s in it for users
• Give end users instant access to a full-service, self-help destination of diversified resources
• Intuitive user interface personalized for local language and your environment
• Bookmark common web services such as HR tools, communication platforms or internal resources for an easy entry point to valuable company information
• Install organization-approved apps without IT help
• Fast resolution of common IT issues, such as printer installations and software updates
• Receive real-time notifications for available services and security enhancements

Bonus: Third-party integrations

Apple device management is just one piece of your technology portfolio, but it’s a critical piece. Regardless of whether you use a help desk ticketing system like ServiceNow or an SSO authentication tool like Okta, your Apple device management solution must integrate seamlessly with your existing IT tools. Amplify the power of what you have and extend the power of your ecosystem by leveraging third-party integrations like those seen in the Jamf Marketplace. From cross-industry integrations to specific solutions, integrations like these bridge IT teams and services, creating an integrated, secure and seamless experience for end users.

Best-of-breed MDM solutions should offer the ability to brand your app catalog to match your existing corporate resources. This seamlessly integrates your app catalog among existing internal properties, increasing familiarity and ease of use.

Infrastructure planning

Where you host your management environment is just as important as the management solution you choose. Not only does cloud hosting make upgrades a breeze, it takes the added pressure of server management, disaster recovery, and more off of IT.

More and more organizations are moving to the cloud. Below are just a few reasons why enterprise organizations like Eventbrite are going cloud:

Benefits of cloud hosting
• Server provisioning, ongoing security and update management
• Backup administration and testing
• Storage infrastructure for global availability
• Disaster recovery; offsite location
• Database administration, ongoing security and updates
• Server monitoring and response team

The Standard for Apple Enterprise Management

Apple continues to build an interconnected ecosystem, with apps and services being cross compatible across devices. Growing enterprise partnerships (IBM, Cisco, SAP, etc.) and a boom in technology choice programs will only bring more Mac, iPad, iPhone and Apple TV devices to your doorstep.

To get the absolute most out of Apple and your technology investment, you require a management solution that matches Apple’s intuition and has proven from day one that helping people succeed with Apple is top priority. As the gold standard in Apple management and with dedication to the Apple platform since 2002, Jamf is the product most trusted by businesses and schools that want to offer Apple and provide a consistent management experience across the entire ecosystem.

By integrating with all Apple services and providing immediate support for Apple operating systems and features, Jamf empowers you with the tools necessary to address all support needs, and gives you the freedom to focus on strategic tasks so you can save your organization time and money.

Put our word to the test by taking a free test drive. Start Trial. Or contact your preferred reseller of Apple devices.