Apple Device Management and Security

What to consider when managing a device management solution

By Joe Grafton
Systems Engineer

Joe explores some of the pitfalls & solutions to help

Managing Hardware

When using device management solutions, organisations often add every device they can to the system and assume that is it: the device is managed and is no longer a vulnerability. They sometimes fail to realise that ageing hardware limits which software and operating system versions can be run on the device, which security updates are installed, and ultimately the end user experience.

Using smart groups and alerting in Jamf Pro, you can identify devices that are older than the lifecycle required by the organisation and see how many devices are behind on operating system upgrades. This can be exported as a report to support strategic decisions about hardware refreshes and decommissions.
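As an added illustration (not DARE's or Jamf's code), the following script applies the two smart-group criteria described above, age beyond the refresh lifecycle and lagging macOS major versions, to a constructed inventory; the lifecycle length, target macOS version and serial numbers are assumptions.

```python
"""Added example: flag Macs beyond a hardware lifecycle or behind on macOS upgrades."""
from dataclasses import dataclass
from datetime import date

LIFECYCLE_YEARS = 4   # assumed organisational refresh policy
TARGET_MAJOR = 14     # assumed macOS major version the estate should be on
AS_OF = date(2024, 1, 15)   # assumed report date


@dataclass
class Mac:
    serial: str
    model_year: int   # year the model was introduced
    os_version: str   # e.g. "13.6.1"


def os_majors_behind(os_version: str, target_major: int = TARGET_MAJOR) -> int:
    """Number of major macOS releases a device is behind the target (0 if current)."""
    major = int(os_version.split(".")[0])
    return max(0, target_major - major)


def classify(mac: Mac, today: date = AS_OF,
             lifecycle_years: int = LIFECYCLE_YEARS,
             target_major: int = TARGET_MAJOR) -> list[str]:
    """Return the smart-group style flags that apply to one device."""
    flags = []
    if today.year - mac.model_year > lifecycle_years:
        flags.append("beyond-lifecycle")
    behind = os_majors_behind(mac.os_version, target_major)
    if behind:
        flags.append(f"os-behind-{behind}")
    return flags


def lifecycle_report(inventory: list[Mac], today: date = AS_OF) -> dict[str, list[str]]:
    """Map each non-compliant serial to its flags; compliant devices are omitted."""
    report = {}
    for mac in inventory:
        flags = classify(mac, today)
        if flags:
            report[mac.serial] = flags
    return report


# Constructed sample inventory (placeholder serials, not real devices).
SAMPLE = [
    Mac("C02EXAMPLE01", 2017, "12.7.2"),
    Mac("C02EXAMPLE02", 2021, "14.2"),
    Mac("C02EXAMPLE03", 2022, "13.6.1"),
]

if __name__ == "__main__":
    for serial, flags in lifecycle_report(SAMPLE).items():
        print(serial, ", ".join(flags))
```

In practice the inventory would come from a Jamf Pro computer export rather than the embedded sample.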

Application Screening and Testing

Device management is a great way to deploy software and applications en masse, but how often do organisations test new software on every model in their estate and on every operating system version? The introduction of the M1 chip to the Mac estate last year highlighted this point. Most developers now release an M1 build and an Intel build of their software, but is the deployment scoped properly so that the correct version is used, or is the Intel version being run under Rosetta 2? The issue doesn't stop there: deploying an update to the application can take still more time and resources, even if you are keeping the software up to date.
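To check the Intel-versus-M1 question before scoping a deployment, this added example (not from DARE or Jamf) reads the Mach-O or universal-binary header of an app's main executable and reports which architectures it contains; an image with no arm64 slice will run under Rosetta 2 on M1 Macs. The `app_architectures` helper and the sample header bytes are constructed for illustration.

```python
"""Added example: decide whether an app binary is Apple silicon native or Intel-only."""
import plistlib
import struct
from pathlib import Path

FAT_MAGIC = 0xCAFEBABE        # universal binary; header fields are big-endian
MH_MAGIC_64 = 0xFEEDFACF      # single-architecture 64-bit Mach-O
CPU_TYPE_X86_64 = 0x01000007
CPU_TYPE_ARM64 = 0x0100000C
CPU_NAMES = {CPU_TYPE_X86_64: "x86_64", CPU_TYPE_ARM64: "arm64"}


def architectures(header: bytes) -> list[str]:
    """Return the CPU architectures contained in a Mach-O image from its header bytes."""
    if struct.unpack(">I", header[:4])[0] == FAT_MAGIC:
        nfat = struct.unpack(">I", header[4:8])[0]
        archs = []
        for i in range(nfat):               # each fat_arch entry is 20 bytes
            off = 8 + 20 * i
            cputype = struct.unpack(">I", header[off:off + 4])[0]
            archs.append(CPU_NAMES.get(cputype, hex(cputype)))
        return archs
    if struct.unpack("<I", header[:4])[0] == MH_MAGIC_64:
        cputype = struct.unpack("<I", header[4:8])[0]
        return [CPU_NAMES.get(cputype, hex(cputype))]
    raise ValueError("not a Mach-O or universal binary")


def needs_rosetta(archs: list[str]) -> bool:
    """True if the image has no arm64 slice and so runs under Rosetta 2 on M1 Macs."""
    return "arm64" not in archs


def app_architectures(app_path: str) -> list[str]:
    """Locate an .app bundle's main executable via Info.plist and classify it."""
    bundle = Path(app_path)
    with open(bundle / "Contents" / "Info.plist", "rb") as fh:
        exe = plistlib.load(fh)["CFBundleExecutable"]
    with open(bundle / "Contents" / "MacOS" / exe, "rb") as fh:
        return architectures(fh.read(4096))   # header plus fat_arch table


# Constructed headers standing in for real binaries (not taken from any product).
UNIVERSAL = (struct.pack(">II", FAT_MAGIC, 2)
             + struct.pack(">IIIII", CPU_TYPE_X86_64, 3, 0x4000, 0x1000, 14)
             + struct.pack(">IIIII", CPU_TYPE_ARM64, 0, 0x8000, 0x1000, 14))
INTEL_ONLY = struct.pack("<II", MH_MAGIC_64, CPU_TYPE_X86_64) + bytes(24)
```

On a Mac, `lipo -archs` or `file` on the same executable gives the equivalent answer; the point here is that the check can run in a script before the deployment is scoped.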

DARE provides a solution called Update. We package and manage application updates for the software deployed across the Mac fleet. This ensures that all new devices added to your estate automatically install the newest version of each software title, and that existing devices are updated through a customised delivery that suits users and compliance. Jamf also offers App Installers, with a catalogue of supported software titles that it can deploy and keep updated for you.

Operating System Upgrades and Updates

Most organisations implementing MDM solutions don't consider the difference between software updates and upgrades. A software update is normally a small enhancement or fix, whereas an upgrade is a whole new operating system, normally with new components and features. Deploying updates and upgrades can be time consuming for the IT department and disruptive for end users if not handled correctly.

With Jamf Pro there is a range of options, which vary depending on whether you are working with iOS or macOS devices. DARE provides support services to assist with all updates and upgrades in your estate, using built-in Jamf Pro features as well as user-interactive update scheduling tools. Jamf Pro's patch management also helps manage patch titles, patch definitions and patch policies.

Device Security

MDM solutions allow organisations to restrict which functions and behaviours end users can perform on their devices.

Solutions like Jamf Protect can be deployed to Macs to monitor events, downloads, processes and user behaviour. Together with Jamf Pro, it can perform actions in real time to remediate any non-compliant state. Protect can also monitor files downloaded from the internet and remove threats before sensitive data can be accessed. All of this assists with compliance against industry certifications such as Cyber Essentials and ensures a secure user experience. Further security tools are now also available, such as Threat Defense, Data Policy and Private Access. These solutions can be deployed to Mac, iOS, Android and Windows devices, so you can now secure a mixed estate such as a BYOD programme, which many companies have adopted in a hybrid working environment.

Managing the Hardware Lifecycle

Organisations often don't consider the end-of-life actions required for former company devices. Each device holds sensitive data that the organisation is required to protect, manage and erase for compliance. The number of employees working from home is currently at an all-time high compared to previous years, and many devices may rarely, or never, be physically on site in an office.

When a device reaches the end of its life, Jamf can remotely erase the data and factory reset the device, ensuring that the data is deleted responsibly and securely. This is particularly useful when an employee leaves the organisation. Decommissioning a device then becomes simple while still maintaining security.

Set up and Hardware configuration

MDM solutions can be used to make an employee's onboarding experience pleasant and stress free. Zero-touch deployment of enrolled devices allows organisations to ship devices straight to a new employee's home and streamline the set-up of the device so that it is ready for the user to start work.

Using Jamf Connect with Jamf Pro, the IT department can configure setup so that the user is asked only to select a language and connect to Wi-Fi. The profile then starts the automation and deploys all the required software, policies, company branding and configuration without further IT or user action.

Do your Homework

With budgets being squeezed and company priorities ever changing, it takes time to tailor a solution to your environment and build up knowledge. Trying to do everything yourself can feel daunting, so consulting professionals can help with workflows and configurations and with achieving your objectives. This creates a great, secure end user experience and can also reduce issues and disruption down the line.

The best option is to reach out to experts in plenty of time and consult on your plan, so that the implementation, user needs and ongoing management of your solution are scoped effectively. DARE has extensive experience providing consultancy, workflows and support for Apple and Jamf.

Future proofing your MDM solution

Many organisations implement an MDM solution but overlook how future proof it is. The choice between on-premises and cloud-hosted solutions is a good example. Most companies now look towards cloud-based MDM solutions to mitigate downtime rather than an on-premises setup. An on-premises setup also carries the expense of the personnel and resources needed on site to manage it, as well as the security and compliance implications of owning the hardware.

Jamf instances can be cloud-hosted on secure servers, so your instance stays up to date and receives all security updates, providing even better management of your Apple estate. Jamf releases many features and functions to remain agile and responsive to customers' needs, and customers can also submit feature requests to highlight requirements they want in future releases of the Jamf products.

Integration with Third Party Applications

Many organisations may not consider the use of third-party applications with their MDM solution, or know how to manage them and what they can do to help.

The Jamf Marketplace is where you can browse all the third-party applications that integrate with Jamf. The most common third-party integrations are Google, Okta and Azure. These IdPs integrate with Jamf Connect to manage authentication and password syncing on Macs remotely, without the need to bind the Mac to a local Active Directory domain. Jamf can also integrate with remote support software such as TeamViewer to help troubleshoot users' issues.