
A COMPREHENSIVE GUIDE

Apple Device Management for Beginners

Forbes recently reported Apple device growth at 20 percent in the enterprise and that’s on track to double by 2020.

As Apple device numbers rise in business and education environments around the globe, it’s imperative that technology investments are maximized so that organizations can leverage Mac, iPad, iPhone and Apple TV to their full potential. This can put a heavy burden on IT staff that are now tasked with managing this influx of new devices – especially those of you in established Windows environments.

While some are very familiar with Apple already, many of you are diving into Apple device management for the first time. This guide is for the latter, and will help you build and master your Apple management skills by providing:

• Introduction to Apple device management (page 3)
• Explanation of Apple services and programs (page 5)
• Outline of lifecycle management stages (page 7)
• Insight for infrastructure planning (page 24)
• Overview of the industry-leading Apple management solution (page 25)

Introduction to Apple device management

How MDM works

Most Apple devices are able to understand and apply settings such as remote wipe or passcode restrictions thanks to a built-in mobile device management (MDM) framework. Two core components to the MDM framework are configuration profiles and management commands.

These components communicate to the device via Apple’s Push Notification Server (APNS), which is kept private to your organization through obtaining a secure certificate from Apple. Apple’s server then maintains a constant connection to devices so you don’t have to. Devices communicate back to your management server and receive commands, settings, configurations or apps you define.

When thinking about how to manage Apple devices, it’s helpful to break the lifecycle down into common tasks you might do. These tasks are the same regardless of whether you are managing Apple, PCs, Android or all the above.

Configuration profiles ...define various settings for your Apple devices and tell that device how to behave. They can be used to automate configuring passcode settings, Wi-Fi passwords and VPN configurations. They can also be used to restrict items such as device features like the App Store, web browsers or the ability to rename a device. These profiles can all be specified and deployed leveraging an MDM solution such as Jamf Pro.

Management commands ...are singular commands that you can send to your managed devices to take specific actions. Has a device gone missing? Put it into Lost Mode or send a remote wipe command. Need to upgrade the OS? Send the command to download and install updates. These are just a few examples of all the different actions you can take on a fully managed Apple device.

MDM and client management

While Apple’s MDM framework provides the necessary control over iOS and tvOS devices, macOS is a more robust platform that may require more advanced functionality. Leveraging client management (only available for macOS) allows you to install a Mac agent, or binary, immediately after the device is enrolled into management.

This agent enables a hidden admin account to be added, allowing for remote root access to macOS, and opens the door for more policies and scripts to be run on a computer. Since agent-based Mac management goes beyond the built-in MDM, you need a third-party solution, such as Jamf Pro, to take advantage of advanced Mac management.

Examples of Client Management Functions

• Install PKG/DMG
• Enforce FileVault
• Bind to Directory
• Run Scripts
• Customize Dock
• Set EFI Password
• Install Printers
• Create Accounts
• Set Software Update

Apple services and programs

As Apple devices became more popular in schools and the enterprise, questions about how to best deploy devices at scale, how to address Apple IDs and the purchasing of apps arose. Apple, of course, looked to solve these issues and introduced various programs and services to take device management one step further, making it easier and more cost-effective to manage devices in bulk.

Not every Apple device management solution supports Apple’s programs and services. Check with your vendor to ensure they support these programs, as well as the incremental changes Apple makes throughout the year.

Zero-Touch Deployment

Apple’s automated MDM enrollment solution allows organizations of any size to pre-configure devices purchased from Apple or an authorized Apple reseller without ever having to touch the device. By leveraging the power of zero-touch deployments (formerly Apple’s Device Enrollment Program or DEP), you no longer need to be the only person receiving, unboxing and configuring new hardware. Instead, you can ship new devices directly to individual employees and let them unbox it. The first time the device is turned on, it will automatically reach out to Apple and your mobile device management solution to pull down relevant configurations, settings and management.

Apps and Books

With Apps and Books from Apple (formerly Volume Purchase Program or VPP) you can purchase and license apps and books in bulk from Apple and distribute them to individuals via Apple ID or directly to devices without an Apple ID. Apps can be reassigned as deployment needs change. You can link your Apps and Books service token (received from Apple) to your Apple management solution for assignment and distribution.

Apple Business Manager

Apple Business Manager is a web-based portal for IT administrators that combines Zero-Touch Deployments and Apps and Books so everything can be overseen from one central location. Apple Business Manager is available to all non-educational organizations. Organizations with existing DEP or VPP accounts can upgrade to Apple Business Manager within a few minutes, or organizations can sign up for the first time at business.apple.com.

Apple School Manager

Apple School Manager is a web-based portal for IT administrators to oversee people, devices and content - all from one place. Exclusively for education, Apple School Manager combines Zero-Touch Deployments as well as Apps and Books and other classroom management tools such as the Classroom app in one portal. Apple School Manager enables Managed Apple IDs and Shared iPad and can be integrated with your school’s student information system (SIS).

Apple IDs

Apple IDs are the personal account credentials users use to access Apple services such as the App Store, iTunes Store, iCloud, iMessage and more. Depending on the needs of your organization, your end users can leverage their personal Apple ID on the job, or you can avoid using Apple IDs altogether thanks to the ability to deploy Apps and Books to devices directly without an Apple ID. If you’re an education institution, your students will receive a different type of Apple ID.

Managed Apple IDs

Apple School Manager for educational institutions enables Managed Apple IDs for students and can be integrated with your school’s student information system (SIS). Managed Apple IDs are a special type of Apple ID for students. They don’t require special permission, and they allow you, as an IT admin, to create and dynamically update user information. Additionally, managed Apple IDs are created in the Apple School Manager portal and can sync with Classroom data.

For businesses and government organizations, Managed Apple IDs are only used for administrative purposes within Apple Business Manager.

Classroom App

An instructional tool for iPad, Apple’s Classroom app empowers teachers to streamline classroom instruction, encourage interaction and collaboration, focus student iPad devices on a specific app or webpage, and view student devices to check for understanding. New with macOS Mojave, the Classroom App is now available for Mac education customers as well.

Device Supervision

Supervision is a special mode iOS and tvOS devices are placed into when enrolled via Apple Business Manager, Apple School Manager or Apple Configurator. Supervision gives institutions greater control over the iOS devices they own. A larger number of management features including Managed Lost Mode, blocking apps and silently installing apps all require supervision. It is recommended that institutionally-owned devices be put into Supervision mode.

Lifecycle management stages

Apple’s device management framework, commonly referred to as the MDM framework, includes six key elements across the entire lifecycle of your Apple devices. MDM is Apple’s built-in management framework — available for macOS, iOS and tvOS — and aids with these functions:

1 Deployment and provisioning: Getting devices into the hands of end users.
2 Configuration management: Applying the correct settings to devices.
3 App management: Ensuring the correct software and apps are on each device.
4 Inventory: Reporting on the status of each device.
5 Security: Securing devices to organizational standards.
6 User empowerment: Allowing users to self-help when they require resources and services.

From initial deployment to the end-user experience, it’s critical to understand, manage and support the entire lifecycle of the devices in your environment. This ensures both the security and maximized potential of your Apple devices.

1 Deployment and Provisioning

Before configuring devices for end users, devices must be enrolled into management within an MDM solution. There are several enrollment methods available, but Zero-Touch Deployments with Apple Business Manager and Apple School Manager are recommended for enterprise and education institutions looking for a streamlined and positive end user experience:

Zero-Touch Deployment with Apple Business Manager and Apple School Manager
Description: Automatic enrollment over the air.
User Experience: User receives a shrink-wrapped box, and the device is automatically configured when turned on.
Supervision: Yes – wirelessly.
Best For: Providing users an out-of-box experience. With Zero-Touch Deployment you can:
• Ship devices to remote employees
• Speed up the onboarding process
• Support education institutions with iPad programs

Apple Configurator
Description: Enrollment through a Mac app that connects to devices via USB (does not apply to Apple TV 4K).
User Experience: IT manages the setup process and hands devices to users.
Supervision: Yes – wired.
Best For:
• Shared and cart-device models, labs
• Devices purchased through a retailer such as Best Buy

User-initiated enrollment via URL
Description: Manual enrollment over the air.
User Experience: User visits a specific URL to configure their device.
Supervision: No.
Best For: Unmanaged devices currently in the field or devices that need to be re-enrolled into a new MDM server.

BEST PRACTICE Deploy Apps and Books with Apple Business Manager and Apple School Manager

For education customers: sign up for Apple School Manager. For non-education customers: sign up for Apple Business Manager and add your MDM server to the portal.

1 Purchase devices and assign them to your MDM server within Apple School Manager or Apple Business Manager. Ship them directly to users.
2 Prepare any configuration profiles and apps you’d like to apply to devices.
3 As a user turns their device on for the first time, the device will automatically be enrolled—no additional interaction is needed.
4 Device enrolls with the MDM server. Jamf can automatically configure your iPad.
5 Device receives configurations and apps scoped to it, and the user is brought to the Home screen. The device is now managed and configured—all without IT having to touch it!

2 Configuration management

When it comes to configuring Apple devices, the world is your oyster. You can personalize and tailor individual devices or groups of devices based on the needs of your end users.

Don’t know where to start? Check out a list of MDM configuration profiles here, or join the conversation on Jamf Nation.

Configuration Profiles

Define settings within iOS, macOS and tvOS by creating configuration profiles. These small XML files can be distributed to devices utilizing a managed solution. You can apply Wi-Fi, VPN, email settings and more so users can seamlessly connect to the resources they need.

Policies

Unique to macOS client management, policies go beyond the basic device management capabilities of MDM configuration profiles and help you install custom software and printers, manage local user accounts and conduct advanced management workflows.

Smart Targeting

Collect inventory details, including custom inventory attributes you define, for all of your managed devices, to identify which ones require software updates, security hardening or other management actions. If your device management solution allows, you can build groups based on inventory criteria and then trigger device management tasks automatically to specific individuals or groups, or make items available on demand to users with an enterprise app catalog.

Scripts

Part of policies, run shell scripts on macOS utilizing the Apple device management capabilities within your client management solution. Anything that can be executed in Terminal via the command line can be turned into a script. The ability to run scripts provides far more flexibility than standard configuration profiles, and opens the door to infinite device management capabilities.
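The guide describes configuration profiles as small XML files; the following is an added example, not code from the guide or from Jamf, that builds one with Python's standard plistlib. It carries two of the payload types the guide mentions, a passcode policy and a restrictions payload that hides the App Store, then re-parses the result the way a receiving device would to check the mandatory keys and unique UUIDs. The PayloadType names and setting keys are Apple's published ones; the organization name, identifier prefix and the particular values are constructed for illustration.

```python
# Added example (not from the guide or Jamf): builds one of the "small XML
# files" described above, a configuration profile with a passcode payload and
# a restrictions payload that hides the App Store. The PayloadType names and
# setting keys are Apple's published ones; the organization name, identifier
# prefix and chosen values are constructed for illustration.
import plistlib
import uuid

ORG = "Example Org"          # constructed
PREFIX = "com.example.mdm"   # constructed reverse-DNS identifier prefix


def _header(payload_type, suffix, display_name):
    """Keys every payload must carry; PayloadUUID must be unique per payload."""
    return {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{PREFIX}.{suffix}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
    }


def passcode_payload():
    """Passcode requirements (com.apple.mobiledevice.passwordpolicy)."""
    payload = _header("com.apple.mobiledevice.passwordpolicy", "passcode", "Passcode policy")
    payload.update({
        "forcePIN": True,            # a passcode is required
        "allowSimple": False,        # reject 1234, repeated digits, etc.
        "minLength": 6,
        "maxInactivity": 5,          # minutes of inactivity before the lock engages
        "maxFailedAttempts": 10,     # device wipes itself after this many failures
        "maxPINAgeInDays": 90,
        "pinHistory": 4,             # previous passcodes that cannot be reused
    })
    return payload


def restrictions_payload():
    """Device restrictions (com.apple.applicationaccess)."""
    payload = _header("com.apple.applicationaccess", "restrictions", "Restrictions")
    payload.update({
        "allowAppInstallation": False,                     # hides the App Store
        "allowUIConfigurationProfileInstallation": False,  # users cannot add their own profiles
    })
    return payload


def build_profile(payloads, display_name="Baseline profile"):
    """Wrap the payloads in the top-level Configuration plist and serialise as XML."""
    profile = _header("Configuration", "baseline", display_name)
    profile["PayloadOrganization"] = ORG
    profile["PayloadScope"] = "System"
    profile["PayloadContent"] = list(payloads)
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def baseline_profile():
    """The two payloads above, serialised as a single .mobileconfig."""
    return build_profile([passcode_payload(), restrictions_payload()])


def check_profile(xml_bytes):
    """Re-parse the XML as a receiving device would and confirm the structure:
    top-level type, mandatory keys and unique UUIDs. Returns the payload types."""
    required = {"PayloadType", "PayloadVersion", "PayloadIdentifier", "PayloadUUID"}
    profile = plistlib.loads(xml_bytes)
    if profile.get("PayloadType") != "Configuration":
        raise ValueError("top-level PayloadType must be 'Configuration'")
    seen = {profile["PayloadUUID"]}
    types = []
    for payload in profile["PayloadContent"]:
        missing = required - set(payload)
        if missing:
            raise ValueError(f"payload missing {sorted(missing)}")
        if payload["PayloadUUID"] in seen:
            raise ValueError("duplicate PayloadUUID")
        seen.add(payload["PayloadUUID"])
        types.append(payload["PayloadType"])
    return types


def payload_setting(xml_bytes, payload_type, key):
    """Read one setting back out of a serialised profile (audit what was deployed)."""
    for payload in plistlib.loads(xml_bytes)["PayloadContent"]:
        if payload["PayloadType"] == payload_type:
            return payload.get(key)
    return None


if __name__ == "__main__":
    xml = baseline_profile()
    print(xml.decode())
    print(check_profile(xml))
```

Writing the bytes to a file with a .mobileconfig extension gives something an MDM can distribute; the restrictions payload only takes effect on a supervised device, which is one reason the guide recommends supervision for institutionally-owned hardware.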

3 App management

Apple devices are wildly popular among consumers because of the native communication, learning and productivity tools available right out of the box, but the rich library of apps in the App Store are what set the Apple ecosystem apart. With a device management solution in place to manage your app deployments, you ensure users have the apps they need — configured for their use case and secured for your environment.

Whether your organization is choosing to utilize Apple’s built-in apps, one (or many) of the millions of apps from the App Store or creating your own in-house custom apps, you need to ensure users have all the apps they need and are properly secured within your environment.

App fundamentals

Today, we are all familiar with the App Store on our iPhone, iPad and Apple TV devices. They are the only way for consumers to get apps on their devices. Apple reviews the developer’s code to ensure security and performance. This is one of the reasons why Apple enjoys a strong security reputation. For the Mac, however, you can also get software outside of the App Store.

Popular titles not in the Mac App Store include Microsoft Office and Adobe Creative Suite, so it’s important to have a Mac client management tool that’s able to deploy custom software. Some management tools, like Jamf Pro, have the ability to build custom .pkg or .dmg (Mac software install file types) by creating a before and after snapshot of an installation. That software package can then be deployed to managed Macs – all without users needing to be admins.

For software that is in the App Store, we can use an Apple program to license and distribute apps to devices all without needing Apple IDs.

Here are the most effective ways to manage and deploy apps to your devices:

For the enterprise: Deploy Apps and Books with Apple Business Manager.
For education institutions: Deploy Apps and Books with Apple School Manager.
Software installs and patching: Take snapshots of software installs; create a custom .pkg or .dmg; push install via the Jamf Agent.

When deploying Apps and Books via Apple Business Manager and Apple School Manager, you gain extra security and configurations for that app (iOS and tvOS only). Here’s what’s possible:

What is a Managed App?

Managed apps differ from a standard app because they are flagged as owned by an organization. Specifically, managed apps are distributed via MDM technology and can be configured and reassigned by MDM.

Managed Open In

Managed Open In takes the concept of managed apps a step further by controlling the flow of data from one app to another. With MDM, organizations can restrict what apps are presented in the iOS share sheet for opening documents. This allows for truly native data management without the need for a container.

App Configurations

Sometimes deploying an app isn’t enough and you’d like to pre-customize some of the settings. This is the premise for App configurations. App developers can define what settings can be pre-configured by an MDM server for their app. For example, you could deploy the Box app with the server URL pre-populated so users only need to enter their username and password to get the app up and running.

BEST PRACTICE Deploy Apps and Books with Apple Business Manager and Apple School Manager

1 Sign up for Apps and Books via Apple School Manager or Apple Business Manager and add your MDM server to your portal.
2 Find and purchase app licenses from the Apps and Books section of Apple Business Manager or Apple School Manager. You will also need to “purchase” free apps.
3 Add your app licenses to your MDM server, including free apps.
4 Choose to assign apps to either devices directly or to a user’s Apple ID.
  To devices: Apps are deployed directly to the device. No interaction or Apple ID required.
  To users: Invite users to participate in your Apps and Books deployment via email or push notification.
5 Apps assigned to users are linked to a user’s Apple ID and are found in the Purchased tab of the App Store.

BEST PRACTICE App Deployment for Apple TV

Apple TV provides support for both App Store apps as well as enterprise apps (commonly referred to as in-house apps). These apps can be uploaded to your management server and pushed out to your Apple TV devices automatically and without Apple IDs, just like your iOS devices. Popular enterprise apps for Apple TV include digital signage, emergency alerts and more.

Want the ins and outs of Apple TV deployment? Check out our Apple TV Management white paper.

Configuration profiles

Using an MDM solution, IT can define settings with tvOS configuration profiles and distribute them to Apple TV devices. As a result, Wi-Fi, restrictions and AirPlay settings are more easily applied over the air. Further, Apple TV devices can be put in Single App Mode to customize the Apple TV experience by class or Conference Display Mode for an intuitive presentation workflow.

Smart targeting

With the ability to automatically collect inventory details, including Apple TV device names from all managed devices, IT can quickly and accurately identify which devices require action. Based on this inventory information, IT can build targeted groups to trigger automatic device management tasks. For example, IT can now find all Apple TV devices without AirPlay settings configured and then deploy that configuration.

App and display support

IT can leverage MDM to deploy both custom in-house and App Store apps directly to Apple TV devices. Additionally, IT can set a Home Screen layout, show/hide apps as well as restrict media content based on age guidance.

4 Inventory

MDM solutions are capable of querying an Apple device to collect a large amount of inventory data, ensuring you always have up to date device information and can make informed management decisions. Inventory can be collected from a device at various intervals and include serial number, OS version, apps installed and much more.

Examples of data collected with MDM

Hardware Details
• Device Type
• Device Model
• Device Name
• Serial Number
• UDID
• Battery Level

Software Details
• OS Version
• List of Apps Installed
• Storage Capacity
• Available Space
• iTunes Store Status

Management Details
• Managed Status
• Supervised Status
• Activation Lock Status
• Enrollment Method
• Security Status
• Last Inventory Update

Additional Details
• Profiles Installed
• Certificates Installed
• IP Address
• Purchasing Information

Why does inventory matter?

You can’t manage what you can’t measure. The inventory data your MDM solution collects can be used for a wide range of business needs and empower you to answer common questions like:

• Are all my devices secure?
• How many apps do we have deployed?
• What version of iOS, macOS and tvOS are certain devices running?

Some management solutions even allow you to collect extra (custom) inventory about specific hardware and software add-ons. For example, you can figure out when a third-party backup utility last ran or what printer drivers are installed.

Smart targeting

By leveraging inventory data, smart targeting enables you to dynamically group devices and deploy configuration profiles and restrictions to those devices. At Jamf, this is referred to as Smart Groups.

STATIC VS. SMART GROUPS

Static Groups (diagram): a fixed set of devices, 1 through 6 → Apply a Profile or Policy
Smart Groups (diagram): Find all Macs with 8GB RAM, with 80% full hard drives, running 10.12.2 or higher → Apply a Profile or Policy

Static Groups are a set of devices that are defined, like a classroom or a lab. You can apply a management policy to that entire group. Smart Groups, on the other hand, are dynamic and always changing based on inventory data. This enables you to dynamically group devices and deploy configuration profiles and restrictions to those devices.
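To show what a Smart Group actually computes, here is an added example (not the guide's or Jamf's code) that evaluates the guide's own illustration, "all Macs with 8GB RAM, 80% full hard drives, running 10.12.2 or higher", over a small constructed inventory, and builds a second group of Macs without FileVault from the same data. The inventory records, field names and the `Mac` record type are invented for this example; a real MDM supplies these values from its own inventory collection. The one non-obvious point it demonstrates is version comparison: comparing "10.9.5" and "10.12.2" as strings ranks the older release higher and would silently drop devices from the group.

```python
# Added example (not from the guide or Jamf): evaluating smart-group criteria
# over a constructed inventory. The Mac record, its fields and the four sample
# devices are made up for illustration.
from dataclasses import dataclass
from typing import Callable, List, Tuple


@dataclass
class Mac:
    name: str
    os_version: str        # e.g. "10.12.6"
    ram_gb: int
    disk_total_gb: int
    disk_free_gb: int
    filevault_on: bool


# Constructed inventory: four Macs that differ in OS version, RAM and disk use.
INVENTORY = [
    Mac("mac-01", "10.12.6", 8, 256, 30, True),    # matches all three criteria
    Mac("mac-02", "10.9.5", 8, 256, 20, False),    # old OS; note "10.9" > "10.12" as strings
    Mac("mac-03", "10.13.1", 16, 512, 300, True),  # 16 GB RAM, plenty of free space
    Mac("mac-04", "10.12.2", 8, 128, 25, False),   # exactly 10.12.2, about 80.5% full
]


def version_tuple(v: str) -> Tuple[int, ...]:
    """Compare OS versions numerically; a plain string comparison would rank
    10.9 above 10.12 and miss devices that should be in the group."""
    return tuple(int(part) for part in v.split("."))


def disk_percent_used(m: Mac) -> float:
    return 100.0 * (m.disk_total_gb - m.disk_free_gb) / m.disk_total_gb


# A smart group is a name plus a list of predicates over inventory; membership
# is recomputed whenever inventory changes, which is what makes it "smart".
Criterion = Callable[[Mac], bool]


def smart_group(name: str, criteria: List[Criterion], inventory: List[Mac]) -> List[str]:
    """Return the names of devices that satisfy every criterion."""
    return [m.name for m in inventory if all(c(m) for c in criteria)]


# The guide's example: 8GB RAM, 80% full disk, running 10.12.2 or higher.
LOW_DISK_CRITERIA: List[Criterion] = [
    lambda m: m.ram_gb == 8,
    lambda m: disk_percent_used(m) >= 80.0,
    lambda m: version_tuple(m.os_version) >= version_tuple("10.12.2"),
]

# A second group from the same data: Macs where FileVault is off, the kind of
# group you would scope an "Enforce FileVault" policy to.
NO_FILEVAULT_CRITERIA: List[Criterion] = [lambda m: not m.filevault_on]


if __name__ == "__main__":
    print(smart_group("8GB, 80% full, 10.12.2+", LOW_DISK_CRITERIA, INVENTORY))
    print(smart_group("FileVault not enabled", NO_FILEVAULT_CRITERIA, INVENTORY))
```

Each criterion is an ordinary predicate, so adding a custom inventory attribute (the guide's "when did the backup utility last run" example) is just another lambda over a new field; the group membership is always derived from the latest inventory rather than maintained by hand.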

5 Security

The security and privacy of devices and access to corporate resources are a top priority for any organization. To address these worries, Apple has a number of security features built right into macOS, iOS and tvOS. Coupled with an MDM solution, you can ensure that your devices are not only secure, but your apps and network are as well.

iOS Security Features
• Software Updates
• Secure System
• App Store
• Touch ID
• Hardware Encryption
• App Sandboxing
• Privacy
• Supervision

macOS Security Features
• Software Updates
• System Integrity Protection (SIP)
• Gatekeeper
• App Store
• FileVault Encryption
• XProtect
• App Sandboxing
• Privacy

tvOS leverages many of the security features found in iOS, such as direct software updates from Apple, vetted and secure App Store apps, app data protection with App Sandboxing and deeper levels of management through supervision. With management, Apple TV settings can be deployed to automate AirPlay security. This allows you to pair Apple devices with Apple TVs, so only the appropriate devices share their screens wirelessly.

Layers of Apple security (diagram, from the foundation up): UNIX (foundation for Apple’s OSs) → Apple OSs → Apple security features → Management → Apple’s deployment programs

UNIX is the foundation for Apple’s operating systems, providing a strong kernel at the core. Apple’s OSs are built with security in mind and have unique security settings added. Those settings can be managed via an MDM solution. Additionally, utilizing Apple’s deployment programs with an MDM solution allows for even more management of those settings within your environment.

MDM security commands for macOS, iOS and tvOS

macOS
• Enforce FileVault
• Enforce Gatekeeper settings
• Set software update
• Lock, wipe and restart computer
• Delete restricted apps
• Remove MDM
• Restrict Password sharing via AirDrop

iOS
• Restrict Autofill passwords
• Enable Lost Mode
• Lock and wipe a device
• Remote wipe
• Update iOS
• Clear restrictions and passcodes
• Remove MDM
• Block passwords via proximity requests

tvOS
• Remote wipe
• Restart device
• Single App Mode
• Delete restricted apps
• Block passwords via proximity requests

MDM Lost Mode for iOS

By utilizing Apple’s Lost Mode with an MDM solution, you can lock, locate and recover lost or stolen iOS devices without compromising privacy through ongoing tracking. When Lost Mode is activated, iOS devices receive a customized lock screen message, are disabled from use and send the location to IT.

Conditional access

For organizations leveraging Windows Azure AD and Office 365, it’s critical to implement a conditional access path for Mac devices. Best-of-breed MDM solutions offer built-in conditional access integrations. For more information go here.

Software upgrades

By developing major versions of macOS, iOS and tvOS annually, Apple has set the pace of innovation. Each year, Apple unveils new and great consumer features, but also adds layers of security and fixes vulnerabilities. These updates can be critical for devices used by employees or students in order to protect their data. Your management solution not only needs to be able to deploy updates from Apple, but also needs to quickly support (ideally on day zero) all the new management features that come with them too.

6 User empowerment and adoption

With the rise in self-sufficiency tools like Lyft, Amazon Prime and WebMD, today’s workforce expects to get the tools they want, when they need them. Enterprise app catalogs meet the needs of users by empowering them with instant access to resources, content, tier one help and trusted apps through a single click from their device — all without submitting a help desk ticket to IT.

With enterprise app catalogs, users have the ability to access:
• App Store, B2B, in-house apps and third-party software
• Email, VPN and other configurations
• E-books, guides and videos
• Bookmarks and shortcuts
• Printer mapping and drivers
• Help desk ticketing and hardware requests
• Password resets and compliance information
• Basic maintenance and system diagnostics
• Software and OS upgrades
• Single Sign-on (SSO) integration
• Localized language support for English, French, German, Japanese and Simplified Chinese

[Screenshots: App catalog for Mac; App catalog for mobile]

Example: Jamf Self Service for Mac and iOS offers a branded app catalog that can integrate seamlessly into any organization's internal resources or corporate intranet.

Benefits of on-demand app and resource catalogs

What’s in it for IT
• Reduce help desk tickets and support costs while maintaining control of your environment
• Automatically install an app catalog like Jamf Self Service on any managed Mac, iPad or iPhone
• Integrate with directory services to personalize content based on department, user role, location and more
• Automate common IT tasks, such as password resets and system diagnostics, for tier-zero support

What’s in it for users
• Give end users instant access to a full-service, self-help destination of diversified resources
• Intuitive user interface personalized for local language and your environment
• Bookmark common web services such as HR tools, communication platforms or internal resources for an easy entry point to valuable company information
• Install organization-approved apps without IT help
• Fast resolution of common IT issues, such as printer installations and software updates
• Receive real-time notifications for available services and security enhancements

Bonus: Third-party integrations

Apple device management is just one piece of your technology portfolio, but it’s a critical and instrumental piece. Regardless of whether you use a help desk ticketing system like ServiceNow or an SSO authentication tool like Okta, your Apple device management solution must integrate seamlessly with your existing IT tools.

Amplify the power of what you have and extend the power of your ecosystem by leveraging third-party integrations like those seen in the Jamf Marketplace. From cross-industry integrations to specific solutions, integrations like these bridge IT teams and services, creating an integrated, secure and seamless experience for end users.

Best-of-breed MDM solutions should offer the ability to brand your app catalog to match your existing corporate resources. This seamlessly integrates your app catalog among existing internal properties, increasing familiarity and ease of use.

Infrastructure planning

Where you host your management environment is just as important as the management solution you choose. Not only does cloud hosting make upgrades a breeze, it takes the added pressure of server availability management, disaster recovery, and more off of IT.

More and more organizations are moving to the cloud. Below are just a few reasons why enterprise organizations like Eventbrite are going cloud:

Benefits of cloud hosting
• Server provisioning, ongoing security and update management
• Backup administration and testing
• Storage infrastructure for global availability
• Disaster recovery; offsite location
• Database administration, ongoing security and updates
• Server monitoring and response team

Industry-leading Apple management

Apple continues to build an interconnected ecosystem, with apps and services being cross compatible across devices. Growing enterprise partnerships (IBM, Cisco, SAP, etc.) and a boom in technology choice programs will only bring more Mac, iPad, iPhone and Apple TV devices to your doorstep.

To get the absolute most out of Apple and your technology investment, you require a management solution that matches Apple’s intuition and has proven from day one that helping people succeed with Apple is top priority. As the gold standard in Apple management and with dedication to the Apple ecosystem since 2002, Jamf is the product most trusted by businesses and schools that want to offer Apple and provide a consistent management experience across the entire ecosystem.

By integrating with all Apple services and providing immediate support for the Apple operating systems and features, Jamf empowers you with the tools necessary to address all support needs, and gives you the freedom to focus on strategic tasks so you can save your organization time and money.

Put our word to the test by taking a free test drive and you’ll see why 96 percent of Jamf customers stick with us year over year. Start Trial