With the rise of OS X and iOS devices in business, finding a way to manage these devices and ensure they’re in line with company policies is more important than ever – especially if you need your Mac users to work in harmony with a PC-based workforce. Here, we talk through some of the techniques and tools you can use to make sure all your Mac and iOS devices are managed and visible, without overburdening IT admin.
While the rise of Apple devices and BYOD/mixed platform environments can be great for productivity and end user satisfaction, it can be a cause for concern among IT admins, particularly as Apple have retired their server hardware, prompting a widespread move to managing Mac computers using Windows servers. And as the Mac user base grows, viruses are becoming increasingly targeted at the platform, making policy compliance and disk encryption incredibly important for mobile devices and desktops alike. Happily, Apple and a range of third parties are working together to make the situation manageable.
Device Enrolment Programme (DEP)
One of Apple’s latest initiatives, the DEP is designed to make it easier for you to enrol new devices on your company’s MDM system, and reduce the chance of any user accessing the network on an unsecured device. It is not an MDM solution in and of itself, but it does make a ‘zero touch’ MDM deployment possible for all new devices, drastically reducing the time and effort involved in setting up new users.
Put broadly, you create MDM profiles for different types of device and user, then share them with Apple’s servers. Apple will assign your MDM server a unique token, and when a device connects to it for the first time, DEP will push the correct MDM profile to the device as part of the initial startup process, so your end users can’t use their new devices without enrolling them in your MDM service, and no one from IT has to be on hand to oversee registration – it’s all done automatically.
You can enrol your company in DEP at deploy.apple.com.
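As an added illustration (not part of the original article, and not Apple's or JAMF's code), the check below audits a DEP enrolment profile for the settings that make enrolment unavoidable, as described above. The key names are those of Apple's DEP profile JSON; the sample profiles, the mdm.example.com URL and the audit_dep_profile function are constructed for this example.

```python
import json
from urllib.parse import urlparse

# Constructed sample profiles (not from the original page). Key names follow
# Apple's DEP profile JSON; the server URL is a placeholder.
WEAK = json.loads("""{
  "profile_name": "Sales laptops",
  "url": "http://mdm.example.com/enrol",
  "is_mandatory": false,
  "is_mdm_removable": true,
  "is_supervised": false,
  "await_device_configured": false
}""")
HARDENED = dict(WEAK, url="https://mdm.example.com/enrol", is_mandatory=True,
                is_mdm_removable=False, is_supervised=True,
                await_device_configured=True)

def audit_dep_profile(profile):
    """Return a list of findings; an empty list means enrolment is enforced."""
    findings = []
    url = urlparse(profile.get("url", ""))
    if url.scheme != "https" or not url.hostname:
        findings.append("url: MDM server must be reached over https")
    if profile.get("is_mandatory") is not True:
        findings.append("is_mandatory: user can skip enrolment in Setup Assistant")
    # Apple's default for is_mdm_removable is true, so a missing key is a finding.
    if profile.get("is_mdm_removable", True) is not False:
        findings.append("is_mdm_removable: user can remove the MDM profile later")
    if (profile.get("is_mdm_removable") is False
            and profile.get("is_supervised") is not True):
        findings.append("is_supervised: non-removable MDM requires supervision")
    if profile.get("await_device_configured") is not True:
        findings.append("await_device_configured: device usable before policies land")
    return findings

if __name__ == "__main__":
    for name, prof in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_dep_profile(prof) or "OK")
```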
Preparing for MDM
Before rolling out an MDM solution for Apple devices, you’ll need to make a decision about your Apple ID policy. Many apps and services, both free and paid for, rely on your end user having an Apple ID to authenticate their identity in the App Store and other areas. For this reason, we recommend you allow users to create individual Apple IDs (however, your admin team should use a shared Apple ID to access services like DEP and VPP).
Every Apple ID requires an associated email address – how much freedom you wish to allow users, and who owns the device, will determine whether you allow end users to use their personal emails and existing Apple IDs, or insist they create a separate Apple ID associated with their work email address.
MDM solutions: JAMF Software’s Casper Suite
JAMF Software are one of the most experienced Mac and iOS management experts out there, and their Casper Suite management solution is even used by Apple themselves. At the core of the suite is the JAMF Software Server, which acts just like a web server. It can be hosted on any existing Windows, Linux or OS X server at your premises, hosted remotely via JAMF Cloud or provided as a managed service by our accredited team.
Key features include:
Recon, an app included in the suite which scans your existing estate for Apple devices not currently enrolled in Casper Suite. Recon can then be used to enrol multiple OS X computers remotely. It will also scan IP ranges and enrol any computer it can connect to via SSH (Remote Login).
A range of imaging options, including monolithic imaging (IT builds a standard image including apps and settings, which is then deployed locally or over the network to all computers), thin imaging (IT builds a smaller, more modular image which is installed on top of a standard OS X installation, and other restrictions and apps are deployed using profiles and policies) and zero touch imaging (enrolment through DEP).
Self Service, an app which acts like an internal App Store for your organisation. It can contain apps linked to VPP, packaged apps, eBooks, printer settings, configuration profiles and custom profiles, all of which users can install on or apply to their own device without IT intervention.
JAMF software can be run completely on Windows server hardware if required.
Volume Purchasing Program and Managed Distribution
Apple’s Volume Purchasing Program (VPP) is a purchasing scheme designed to save time and money for organisations who want to buy apps and books in bulk. It allows your IT admin to purchase several licences for a particular app, then centrally assign them to end users.
Traditionally, you had to buy your licences, download a spreadsheet of redeemable codes, provide a code to each user so that they can download the app without paying again, and then transfer ownership of the app or book to that user’s Apple ID permanently. Obviously, this is quite time consuming and messy, and involves you losing ownership of the app or book.
Now, if you’re using DEP, you can use Managed Distribution to license content to your end users, meaning they can use the app or book on a temporary basis but you can revoke access at any time. All you need to do is use Casper Suite to generate an invitation email for the end users who need access, and then they’ll be guided through the installation and licensing process without the need for IT admin’s involvement.
Casper Suite as a managed service
If you don’t have the resource to handle MDM in-house, or if your IT team are all PC-based and aren’t comfortable administering Macs or iOS devices, we can provide Casper Suite as a managed service. You tell us what needs doing; our JAMF-certified team can set up and maintain your deployment. We can even help you optimise your infrastructure for Casper Suite, so you’re getting the best possible performance out of your software.