Managing Macs in the enterprise
- 23 April, 2020 10:06
Apple Management tools are designed to make it as simple as possible for admins to provide their users access to applications, keep their fleet secured and up to date, and create a Standard Operating Environment (SOE).
Apple’s current tools have a far lighter touch than the traditional SOE model. Modern Apple devices are expected to run the Operating System they came with, and admins can apply as many Apps, settings and guardrails as they need, with just a few tiny profiles and packages installed on a machine.
The benefit: in a perfect situation, a new staff member of your organisation should be able to unbox and set up a Mac themselves, and be up and running in just a few minutes.
“Enrolling with Apple Business or School Manager can seem like a pretty daunting process, but as long as you are able to provide the required information it can be set up quite quickly,” says Marcus Ransom, Senior Apple Systems Engineer at CompNow, Apple’s largest supplier of education and enterprise Apple solutions.
Businesses require a little more paperwork than schools to get going, but as Ransom explains: “The close scrutiny and verification ensures that someone else isn’t able to register as your business or school, so it’s definitely worth the additional oversight Apple requires.
“Once you have the portal up and running you are able to configure your devices to automatically enroll in your device management system (MDM), distribute free and paid apps without the end user needing to use an Apple ID, or set up a ‘Managed Apple ID’ that can be used to provide some of the functionality of a personal Apple ID but managed by the organization… Security, Privacy and Trust are constant themes throughout the process with Apple.”
There are many different MDM solutions to choose from, and most are simple, cloud-based web apps.
The most popular Apple MDM solution in Australia is Jamf. The company offers Jamf Pro as an enterprise-grade solution, Jamf Now for small business, and Jamf School for the K-12 market. The last two organisations I’ve worked for have chosen Jamf Pro thanks to its excellent Australian and online support, and the more advanced workflows you can create. It has become the default for most enterprise and higher education customers, as ubiquitous as Office 365 or Red Hat Linux.
Another very popular solution is the open-source Munki. It is technically not an MDM, more an application manager, so it must be paired with something like SimpleMDM or Addigy, but provides a fantastic end user experience and tonnes of controls for admins to tweak.
Tools Change, The Theory Remains The Same
“I got started in the 1990s doing Mac IT so everything I learned in the very beginning is completely inapplicable to what I'm doing today,” jokes Trouton.
“But, when you have been doing this a long time you get that kind of that breadth of knowledge that you know where the beginning of the story is, you know how it relates to what's going on today.”
Trouton and his team manage over 100,000 Apple devices at SAP, and at that scale, he has had to make choices very few admins might make, such as only supporting Apple’s current operating system. “We use a variety of carrots and sticks to entice them to upgrade within 90 days of any new release,” he tells me.
It’s part of an overall philosophy of rolling with Apple’s changes, not fighting them or dragging your feet, to provide the best experience for his users.
“The secret [to modern Apple management] is get as close to the Apple Consumer model as you can, and you're going to have a much better time, and a much easier time.”
“Because Apple is testing things for the consumer market, and they’re not necessarily testing things for the enterprise market. Not too many consumers at home have an Active Directory domain that they're binding and setting up mobile users against, but every consumer [takes a new Mac] out of the box and runs through Setup Assistant. That’s the stuff Apple is testing thousands of times, so that’s the stuff that is bulletproof.”
Help is at Hand
There are fantastic open source products that all Mac Admins should take the time to explore, once they’re up and running. Most are free to download from GitHub. A number of “DEP Splashscreens” exist to make that out of the box experience a little easier for your users, walking them through the software being installed, and the security requirements of your organisation.
AutoPkg is a great tool to automate the repetitive task of downloading, packaging and uploading applications to your servers. Google provides the excellent software it uses to keep its users safe, and Microsoft provides countless simple profiles to tweak just about any feature in Office 365.
Join The Slack
And then there’s help from fellow Mac admins available on Slack, at macadmins.org. Trouton helped set this up, and it has become a vibrant, supportive community of Mac enthusiasts.
“It's a huge community. I think we have almost 30,000 people now, you lose track after a while… The channel I’m most proud of is the Getting Started channel, that is basically a no judgment zone. In there, no question is dumb, and you'll always find someone willing to help.”
Once you’re feeling more confident, there are channels dedicated to almost any software you can think of.
Says Trouton: “Whatever the tool, you'll find a channel dedicated to it and people who are using that tool, who are going to be able to talk with you about it. So no matter what your problem is… people will be able to point you in the right direction.”
One of the most active vendors in the Slack community is Microsoft. Members of the Office 365 Product team are regulars in the channel, answering questions and tweaking future releases based on the comments and concerns of admins.
“Five years ago there was a wall up [between the community and Microsoft] and trying to get results was like shouting at the wall. But at this point the walls are gone and frankly, I think Microsoft's better off for it. I know the Mac community is better off for it.”