5 things you are doing wrong with Mac device management  

Emily Brown

Jul 23, 2020

8 min read

A system administrator's skill set is incomplete without knowledge of Mac device management. High-quality hardware and security perks are just a couple of the things that make Mac devices desirable in the corporate environment. Mac device management includes deploying macOS devices to employees, distributing required apps, content filtering, enforcing security restrictions, and other configurations.

In comparison to PC device management, Mac device management is still a relatively new field, so it is understandable if some things go wrong along the way. Here, we have listed 5 common things that IT admins could find going wrong while managing their Macs, and ways to prevent them.


1. Using Apple Profile Manager for Mac device management

What is Apple Profile Manager? 

Apple Profile Manager is Apple's own MDM and is part of macOS Server. Profile Manager supports restrictions, payloads, and commands for iOS, macOS and tvOS devices. It is a good option for new IT admins to test features and to compare Apple's native functionality with third-party vendors.

Why should you stay away from Apple Profile Manager for managing your devices? 

While Apple Profile Manager can look like an attractive option at first glance, it is not recommended at all for a production environment. Admins using Profile Manager often face many issues, including profiles and payloads not being pushed properly. Remote management becomes a hassle if you have to continually troubleshoot not only the end devices, but also the very tool used to manage them.

Why does the Apple Profile Manager fail in a production environment? 

Profile Manager is meant to be a tool for testing out the features an MDM can offer, so it has a lightweight database that does not scale. Once an admin has to manage more than a hundred devices, Profile Manager becomes totally unreliable. There is also an additional security risk, as its database is easily corrupted. If you do use Profile Manager to manage your devices, keep a full backup, because it is a very unreliable method of managing Mac devices. Going for a solid third-party MDM with Apple Business Manager integration is the best way to manage macOS devices in the long run.

2. Running unverified or unknown scripts

Mac Scripting

Scripting is an excellent method for automating routine, repetitive and time-consuming tasks. A script is a program containing a set of commands or a sequence of instructions used to streamline various processes on managed Mac devices. Custom scripts can be executed easily with Hexnode MDM. System-level configurations such as installing/uninstalling apps, setting app configurations, restarting devices, pushing updates and more can be achieved with scripts without any end-user interaction. For individual devices, scripts can simply be run from the device's Terminal.

Dangers in scripting 

Scripts differ from compiled programs in that they are executed directly via the Terminal. While that has definite advantages, the major drawback is the risk of running unverified or unknown scripts. It is strongly recommended to avoid all scripts except:

  • Scripts written by the admins themselves. 
  • Scripts from a very trusted source. 

Avoid running scripts that you do not understand, at all costs. Caution is essential because a script can perform any system-level task or configuration on a Mac. One wrong command could bring the entire management architecture down. Troubleshooting would also be a hundred times harder if you do not fully understand the script that was run on the devices.

One of the essential concepts in security is least privilege: use exactly the privileges that are needed and no more. Admins have to take extra care whenever they run scripts with root privileges. If attackers get hold of root privileges, the entire system is at risk and most of the security controls would be rendered useless.

3. Not keeping the managed devices updated with the latest OS and security updates

Users often tend to skip or postpone security and OS updates for their own convenience. From a corporate point of view, it is highly desirable that enterprise Mac devices stay current with the latest OS and security updates, since those updates often consist of security improvements and fixes.

Updating devices as soon as new updates are released might seem like a good idea. However, it is preferable for admins to first examine the vulnerability studies and the exact benefit an update would provide.

For Macs enrolled in Hexnode MDM through the Apple Device Enrollment Program (Apple DEP), admins can remotely manage and schedule OS updates. The admin can choose to:

  • Notify the end-user whenever an update is available. 
  • Download the OS update to the device. 
  • Download the update and install it immediately. 
  • Install an already downloaded update. 
  • Install the update at a later time.

4. FileVault Encryption/Decryption can be a tricky business 

FileVault keeps your data secure

Mac OS X 10.7 and later support FileVault, a full-disk encryption program. All existing data and files are encrypted when FileVault is enabled; from then on, all new and changed data is encrypted automatically as well. FileVault uses AES-128 encryption with a 256-bit key. The method is extremely secure: brute-forcing the key space is practically impossible. FileVault is handy for protecting corporate data and prevents unauthorized users from accessing data stored on encrypted Macs. An encrypted device can be accessed only with the login password or the recovery key.

Mac devices used for corporate purposes should be encrypted using FileVault. There are three recovery-key options when encrypting the devices:

  • Institutional Recovery Key: A common key is used to decrypt all the devices in the institution. 
  • Personal Recovery Key: Personal Recovery Keys are unique to the Mac device being encrypted. They are alphanumeric strings that are generated at the time of encryption.  
  • Institutional and Personal Recovery Key: Both the keys can be used for decrypting the device. 

Some common things that could go wrong with encrypting/decrypting your device: 

  • Not saving the recovery key in an external location. The recovery key should never be stored only on the local disk. Encrypted devices cannot be decrypted without the recovery key: if the login password is forgotten and the recovery key is lost, you will have to factory-reset the device. Hence, backing up the key is an absolutely necessary precaution. 
  • Encryption is not equivalent to backup. Encrypted data can still get corrupted and result in data loss; keeping backups of sensitive data is the safe option.
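A small compliance check that an admin could run against the two failure modes above: it only reports a Mac as done when FileVault has finished encrypting AND a well-formed Personal Recovery Key has been recorded off the device. This is an added example, not code from the original post or from Hexnode; it assumes the plain-text output of `fdesetup status` ("FileVault is On." / "FileVault is Off.") and the 6 groups of 4 characters layout of a Personal Recovery Key, and the sample strings are constructed.

```shell
#!/bin/sh
# Added example (hypothetical helper, not Hexnode code): FileVault compliance
# check. Sample status strings below are constructed to mimic `fdesetup status`
# so the logic can be exercised off-device.

SAMPLE_STATUS_ON="FileVault is On."
SAMPLE_STATUS_OFF="FileVault is Off."
SAMPLE_STATUS_BUSY="FileVault is On.
Encryption in progress: Percent completed = 37."

# filevault_state STATUS_TEXT -> prints: on | off | encrypting | unknown
# "encrypting" is checked first because the in-progress text also says "On".
filevault_state() {
  case "$1" in
    *"Encryption in progress"*) echo encrypting ;;
    *"FileVault is On."*)       echo on ;;
    *"FileVault is Off."*)      echo off ;;
    *)                          echo unknown ;;
  esac
}

# prk_well_formed KEY -> 0 if KEY looks like XXXX-XXXX-XXXX-XXXX-XXXX-XXXX
# (assumed Personal Recovery Key layout: 6 groups of 4 uppercase alphanumerics)
prk_well_formed() {
  printf '%s' "$1" | grep -Eq '^([A-Z0-9]{4}-){5}[A-Z0-9]{4}$'
}

# compliant STATUS_TEXT ESCROWED_KEY -> 0 only when the disk is fully encrypted
# and a usable recovery key has been recorded somewhere other than that disk.
compliant() {
  state="$(filevault_state "$1")"
  [ "$state" = on ] || { echo "not compliant: FileVault state is $state" >&2; return 1; }
  prk_well_formed "$2" || { echo "not compliant: no usable recovery key escrowed" >&2; return 1; }
  return 0
}

# On a real Mac: compliant "$(fdesetup status)" "$(cat /path/to/escrowed-key)"
```

A device that is still encrypting, or whose escrow record is empty or mangled, fails the check, which is exactly the state in which a forgotten login password would force a factory reset.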

5. Other common malpractices in Mac device management

  • Tying personal accounts to organizational admin accounts
    A clear demarcation between personal and official accounts is essential, for obvious reasons. In particular, use a separate managed Apple ID that is not associated with any individual for the organization's Apple Business Manager account. This prevents reliance on any one individual and ensures smooth running even if the admin leaves the team or the organization.
  • Reusing administrative passwords / inadequate passwords
    Even though this one is not exclusive to Mac management, it is an important one. Setting up devices with weak passwords, or using the same password on multiple devices, paves the way for easy security breaches. Weak passwords can be guessed with a brute-force attack, and if the same password is used on multiple systems, an attacker needs to guess only one password to access them all. Stringent password policies should be in place so that users are forced to configure strong passwords. For Mac devices enrolled with Hexnode MDM, the admin can make the passcode mandatory and enforce restrictions such as minimum passcode length, passcode age and passcode complexity.
  • Running applications with root privilege
    As discussed for scripts, granting root privilege to applications is a risk that system administrators have to watch for. Root privilege allows an application to control your entire system. Applications with root access from untrustworthy sources make it easy for attackers to execute any task on the system, compromising the security of the devices. Do not run any application with root privileges on managed devices unless absolutely necessary.

Mac device management is an important branch of the device management tree. Relying on old PC management methods is not sufficient for Macs. Getting to know all the features and their scope is the first step; in-depth knowledge of the ins and outs of Mac management is the easiest and most failproof way to avoid mistakes. After all, a little, incomplete knowledge can be a dangerous enemy. Relying on the right tools and resources is an excellent start for effective Mac device management.
