For those of you who have watched the mobility space for a few years, you will have seen and understood the evolution from Mobile Device Management (MDM), through Enterprise Mobility Management (EMM), to what we now call Unified Endpoint Management (UEM).
Several years ago the goal was to manage email 'securely' on a mobile device. The modern workplace has changed this: we now need to manage any device, and the vast ecosystem that comes with it, within the enterprise.
We now offer employees the choice of any device from a portfolio so they can work as efficiently as possible. That requires simplicity between the devices of choice and the applications being used, while also protecting the privacy of a device that is used for both work and personal purposes.
With close to two thirds of the workforce being millennials, there has been a shift in what is expected of a working environment. A two-year-old hand-me-down laptop, once the highlight of our careers, is now frowned upon; the latest and greatest tech is almost expected. Studies have shown that some employees will leave, or not accept a new job, if they are offered 'substandard' technology, and with talent acquisition and retention a high priority for most organisations, offering macOS as a choice is a great initiative for drawing in that top talent.
Before modern management there was no standard way to manage a MacBook. You could image it, using either monolithic or modular methods, manage it with open source tools, or, like most organisations I walk into, just do nothing.
However, look back over the last several years: MDM came to macOS as early as 2011, so why all the hype now? With the same functionality we had on iOS, including certificate management, security enforcement, remote wipe and even Device Lock, which secures the device with a one-time PIN, we have been able to remotely manage MacBooks for a while. Year on year Apple has expanded the feature set, adding the likes of DEP and VPP, package installation and OS updates to the ever growing MDM APIs, with 2017 being the big year as we saw the release of High Sierra and the much awaited APFS.
2018 brought the release of Mojave and the announcement of a Mac App Store redesign, with the exciting news that companies like Adobe and Microsoft will be releasing their applications natively to the store.
All of the above led to speculation that imaging is dead, which helped the transition to a new way of managing macOS within the enterprise.
Modern Management Paradigm
"With Modern Management comes great responsibility!"
Uncle Ben, Spider-Man (if he was a Mac admin)
We have to consider three things:
How are we going to deploy and provision our devices?
How are we going to configure and manage our application portfolio?
How are users going to access their resources?
This is a really exciting time for UEM as a whole. With identity management and Zero Trust networks being mentioned left, right and centre, we are in a strong position to enable our users. No longer do we need to be domain joined and bound to a desk; we can work from any location, a home office, a coffee shop or an airport, and be just as productive.
Deployment and Provisioning
Apple Business Manager (ABM) has solved this for most customers: Device Enrolment lets you enrol devices into your chosen UEM with arguably the most streamlined Out Of The Box Experience (OOBE) you can get. Below are two videos showing the traditional macOS experience without Device Enrolment and the experience with it.
After being delivered a brand new MacBook you already have high expectations. You slide the device out of the box, turn it on, enter your credentials for the first time, wait a few minutes and everything magically happens in the background. This is the gold standard of enrolment, one we have become accustomed to on iOS, and it is just as good on macOS.
You will have noticed that during the enrolment flow above the Dock is different to what you'd expect, the splash screen in the centre of the screen isn't standard and the background wallpaper changed. These are all configurable within Workspace ONE UEM and I'll go into more detail in a future post.
In the meantime, this guide here covers the different onboarding options available.
Configuration and Applications
We manage macOS devices just as we would iOS devices: with profiles, compliance policies and public or internal app distribution. Within Workspace ONE UEM we treat every device the same, and macOS is no different.
There are multiple GUI-led payloads, and anything not covered by them can be managed either through Custom Settings (raw mobileconfig XML pasted into the console) or deployed via scripts.
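As an added example (not code from the original post, nor VMware's or Apple's own), the following Python script builds the kind of profile a Custom Settings payload carries and checks it for the mistakes that most often break a hand-edited one. It uses the FileVault 2 payload (com.apple.MCX.FileVault2) as the thing being enforced, since forcing encryption is the case the post raises later under access control. The organisation name and the reverse-DNS identifiers are assumptions; plistlib and uuid are Python standard library.

```python
"""Build and sanity-check a .mobileconfig profile for a Custom Settings payload.

Added example, not code from the original post or from VMware/Apple. The
payload keys are Apple's documented FileVault 2 profile keys; the organisation
name and identifiers below are assumptions for illustration only.
"""
import plistlib
import uuid

ORG = "Example Corp"                        # assumed organisation name
PROFILE_ID = "com.example.macos.filevault"  # assumed reverse-DNS identifier

# Keys every payload (outer profile and each inner payload) must carry.
REQUIRED_KEYS = {"PayloadType", "PayloadIdentifier", "PayloadUUID", "PayloadVersion"}


def filevault_payload(defer: bool = True, max_bypass: int = 3) -> dict:
    """One inner payload: turn FileVault on, prompting at login rather than
    immediately, and escrow a personal recovery key instead of showing it."""
    return {
        "PayloadType": "com.apple.MCX.FileVault2",
        "PayloadIdentifier": f"{PROFILE_ID}.fv2",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "FileVault 2",
        "Enable": "On",
        "Defer": defer,                                  # prompt at login/logout
        "DeferForceAtUserLoginMaxBypassAttempts": max_bypass,  # then stop allowing skip
        "UseRecoveryKey": True,
        "ShowRecoveryKey": False,                        # key is escrowed, not shown
    }


def build_profile(payloads: list) -> bytes:
    """Wrap inner payloads in the top-level Configuration dictionary and
    serialise to an XML plist (the full .mobileconfig)."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadScope": "System",                        # FileVault is a device-level profile
        "PayloadIdentifier": PROFILE_ID,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Enforce FileVault",
        "PayloadOrganization": ORG,
        "PayloadContent": payloads,
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def inner_dict_xml(payload: dict) -> bytes:
    """Return only the <dict>...</dict> of one payload, i.e. the fragment you
    paste into a console field that supplies the outer wrapper itself."""
    xml = plistlib.dumps(payload, fmt=plistlib.FMT_XML)
    start = xml.index(b"<dict>")
    end = xml.rindex(b"</dict>") + len(b"</dict>")
    return xml[start:end]


def payload_types(xml: bytes) -> list:
    """PayloadType of each inner payload, in order."""
    return [p["PayloadType"] for p in plistlib.loads(xml)["PayloadContent"]]


def validate_profile(xml: bytes) -> list:
    """Return a list of problems; an empty list means the profile is structurally
    sound. Checks required keys on every payload and that identifiers and UUIDs
    are unique, which is what silently fails when a payload is copy-pasted."""
    problems = []
    profile = plistlib.loads(xml)
    if profile.get("PayloadType") != "Configuration":
        problems.append("top-level PayloadType must be 'Configuration'")
    seen_ids, seen_uuids = set(), set()
    for p in [profile] + list(profile.get("PayloadContent", [])):
        missing = REQUIRED_KEYS - p.keys()
        if missing:
            problems.append(f"{p.get('PayloadType', '?')}: missing {sorted(missing)}")
            continue
        if p["PayloadIdentifier"] in seen_ids:
            problems.append(f"duplicate PayloadIdentifier {p['PayloadIdentifier']}")
        if p["PayloadUUID"] in seen_uuids:
            problems.append(f"duplicate PayloadUUID {p['PayloadUUID']}")
        seen_ids.add(p["PayloadIdentifier"])
        seen_uuids.add(p["PayloadUUID"])
    return problems


if __name__ == "__main__":
    full = build_profile([filevault_payload()])
    print(full.decode())
    print("problems:", validate_profile(full))
    print(inner_dict_xml(filevault_payload()).decode())
```

The full profile from build_profile is what you would install on a test Mac before rolling anything out; the Custom Settings field in the Workspace ONE UEM console takes the inner payload dictionary that inner_dict_xml returns, because the console supplies the outer Configuration wrapper itself. Run the validator on anything you have edited by hand: a duplicated PayloadIdentifier from a copied payload, or a missing PayloadUUID, is the usual reason a profile refuses to install.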
For applications there are two routes: public apps deployed via ABM with Volume Purchase, or internal app deployment through Workspace ONE UEM's Munki integration.
With a single native application or web portal users can access all their corporate applications from one familiar location.
With the always-on culture of the modern workplace, we need to enable macOS users to access their resources at the right time, through the right workflows. Using identity management we can offer seamless Single Sign-On and Conditional Access to native macOS apps, SaaS applications and virtual ones.
Perhaps a user is at home on their own, unenrolled MacBook: we can present a 2FA prompt to ensure it really is them. A user on an unmanaged MacBook is trying to access sensitive corporate data: we can force them to enrol. Finally, perhaps the device is enrolled and on the corporate network but not encrypted: we can require FileVault encryption before allowing access to those business critical apps.
By leveraging identity and access we can truly be in control of our data and say goodbye to everything being gated behind a VPN. Where a VPN is still required, configuration and use of both device-wide and Per-App VPN are fully supported 🙂
EUC Specialist Solutions Engineer, 5 years AirWatch/WS1 knowledge and an Apple Champion.