Everything new in the Apple MDM glossary

Heather Gray

Sep 3, 2021

15 min read

As more Apple devices enter corporate offices, classrooms and other places of work, IT admins are often tasked with managing them. Although Apple Business Manager and Apple School Manager provide a centralized platform to view devices and simplify purchasing and deploying the necessary content in bulk, they come with limited remote management capabilities.

By integrating ABM/ASM with a UEM solution, IT admins can pre-configure the devices with necessary restrictions and applications and align them with their organization’s business requirements.

Apple device management terminology is quite extensive, and Apple has expanded it further within the past couple of years. Apple is constantly looking to strengthen its rapport with enterprise users and has therefore come up with a number of enterprise-grade products, apps and services.

It’s not always easy to stay on top of all these terms, so we have compiled a list of the new Apple device management terms and programs that every IT admin should know about.

Enrollment

User Enrollment

This type of enrollment is typically used in BYOD deployments, where the device is owned by the user. Supported in iOS 13 and macOS Catalina, User Enrollment was first announced at WWDC 2019. Although Apple offered the Automated Device Enrollment Program so that admins could easily onboard users and automatically set up devices for both employees and students, it did not properly address, at a deeper level, the challenges users could face when using their own devices for work or study.

User Enrollment limits what an MDM server can do to the device and gives users more flexibility to use the device in a way that does not disturb the personal data on it.

When a device is enrolled via User Enrollment, a separate APFS volume is created. All managed applications and data are stored in this volume. Once the device is unenrolled, the APFS volume is erased as well, leaving the device just the way it was prior to enrollment.

The MDM server would have complete control over just the managed content and nothing more. Enrolling the device via User Enrollment permits admins to do the following:

Given that the MDM server has limited management capability over the device, device-centric actions such as remotely wiping the device in its entirety cannot be performed. However, there are options to erase data within the managed space.

Account driven user enrollment

Businesses now widely encourage users to bring their own devices: it boosts productivity, and it saves organizations the unnecessary expense of buying devices that users may not be comfortable with in the first place. Apple understands this, which is why it brought some new enhancements to User Enrollment at this year's WWDC, streamlining the process even further.

Users can now see at a glance what is being managed on the device, since the managed account is displayed in Settings.

Managed Apple IDs within iOS 15 and macOS Monterey will support iCloud Drive. In addition to giving users a built-in cloud storage, the drive will also neatly adhere to the Managed Open-in restrictions for managed applications and data access.

The arrival of macOS Big Sur gave admins the convenience of installing applications on a managed Mac just as they did on iOS devices. The installed applications could then be removed either with an MDM command or when the device was unenrolled. With macOS Monterey, this functionality is available in User Enrollment as well: app data is stored on a separate volume, and the application is uninstalled with an MDM command or upon unenrollment.

Other additions include:

  • Controlling the amount of data pasted across managed and unmanaged applications
  • Making the onboarding process of User Enrollment more secure

The MDM server can verify the user even before the MDM profile is downloaded onto the device. Here's how that happens:

Figure: Account driven user enrollment

Automated Device Enrollment

Formerly known as DEP, this automates the enrollment and configuration of Apple devices with no user intervention. Within the ABM portal, admins can pre-configure the devices assigned to their MDM server and have them enrolled automatically.

Admins can also choose to prevent the MDM profile from being removed by the user. Automated Enrollment can only be used on devices owned by the organization.

Figure: Automated enrollment helps users to start using their devices right away

Enrolling devices with DEP

  • Add devices to Apple Business Manager
  • Create a DEP account within the MDM portal
  • Assign devices to the MDM server
  • Sync devices to MDM
  • Configure the DEP profile

How does DEP help in making Apple device management easier?

  • Prevent end users from removing the MDM profile
  • Remotely enable supervision on the devices
  • Preconfigure the initial setup and skip unwanted steps
  • Silent app installation

Application Management

Apps and Books

The Volume Purchase Program (VPP) streamlined the way business organizations and educational institutions buy, distribute and manage their content (apps and books) in bulk.

With the release of ABM and ASM in 2019, Apple's Device Enrollment Program (DEP) and VPP were integrated into these platforms to make it easier for admins to onboard users and manage their content from a unified web console. Users can now deploy applications and purchase the books they need via the Apps and Books section within ABM and ASM.

This integration brings other benefits as well, including:

  • Transferring licenses in ABM/ASM to other locations. Once the transfer is complete, the licenses will be associated with the new location’s token.
  • Purchasers who have access to the same location can share the licenses.

Required App

Announced at WWDC 2021, this allows an application to be installed silently on an unsupervised device without prompting the user to install it manually. Previously this was only possible on supervised devices.

Roles

Administrators

Formerly known as agents, this role holds the highest level of administrative access within the Apple Deployment Programs. Agents were responsible for accepting the terms and conditions of the deployment programs on behalf of their organization. In ABM, agents are now known as administrators. A maximum of five administrators can be created in ABM within an organization.

Managers

Prior to the upgrade to ABM, there were separate admins for DEP and VPP. These admins are now known as Managers. Here is a table showing how the roles changed with the arrival of ABM:

Apple Deployment Programs                   | Apple Business Manager
DEP Admin                                   | Device Manager
VPP Admin                                   | Content Manager
Admin who can create and edit other Admins  | People Manager
(no equivalent)                             | Staff

Source: support.apple.com

An individual user can have multiple roles within ABM. If a user was an admin for more than one program, all the corresponding ABM roles are assigned to them. Once the upgrade to ABM is done, the People Manager is responsible for adding, removing or changing the Manager roles.

Device Management

Managed Apple IDs

Managed Apple IDs can be created and assigned to any employee who uses an Apple device for business purposes. It gives IT admins more control over the managed content. Essential applications and books can be easily assigned to specific users.

Before the introduction of Managed Apple IDs, apps had to be assigned to personal Apple IDs. This gave users the freedom to control the apps any way they wanted, putting the security of sensitive corporate data at risk. Managed Apple IDs address that problem by giving organizations complete control over the managed applications and accounts.

Users have access to multiple Apple services such as iCloud, iWork, Notes and other collaborative tools to improve their workflow. Managed Apple IDs can be used to sign in to ABM. Just like Apple IDs, Managed Apple IDs can be used to log in to either a personal or a shared device; however, the organization retains control over the Managed Apple IDs, since it owns and manages them.

Managed Apple IDs can be created through federated authentication with Azure AD, through SCIM, or manually. With Managed Apple IDs, admins can perform a wide range of functions such as assigning roles or resetting passwords for a set of users.

Declarative management

The MDM protocol has complete control in defining what profiles and agents can do. Because it is server-centric, time lags can occur when managed devices try to communicate with the server.

Declarative management addresses those gaps by moving some of the responsibility onto the devices themselves, which lightens the load on the server. It also changes what can be included in the payloads: items known as declarations, which are dictionaries of keys and values that represent the policies admins want to deploy to the devices.

Declarations can be of four types:

  • Configurations: these would include your settings, restrictions and accounts.
  • Assets: this will consist of the data needed by the configurations.
  • Activations: these include the changes that the device can apply to itself and the conditions under which it will do so.
  • Management: informs the device of its management state and server capability.
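As an added illustration (not code from the article, Apple or Hexnode), the following Python models a declaration set of the kind described above: each declaration is a dictionary of keys and values whose Type string places it in one of the four categories, and a server-side check confirms that every activation points at a configuration that actually exists. The declaration type prefixes follow Apple's naming convention; the passcode payload keys, identifiers and organization name are constructed assumptions.

```python
import hashlib
import json

# Prefixes of the four declaration categories the article lists; Apple's
# declaration "Type" strings follow this naming convention.
PREFIXES = {"configuration": "com.apple.configuration.", "asset": "com.apple.asset.",
            "activation": "com.apple.activation.", "management": "com.apple.management."}
REQUIRED_KEYS = ("Type", "Identifier", "ServerToken", "Payload")

def server_token(dtype, payload):
    # ServerToken is an opaque string the device compares with the one it last
    # synced; deriving it from the content guarantees it changes when the content does.
    canonical = json.dumps({"Type": dtype, "Payload": payload}, sort_keys=True)
    return hashlib.sha256(canonical.encode()).hexdigest()[:16]

def make_declaration(dtype, identifier, payload):
    return {"Type": dtype, "Identifier": identifier,
            "ServerToken": server_token(dtype, payload), "Payload": payload}

def category_of(declaration):
    # Map a declaration's Type to one of the four categories (None if unknown).
    dtype = declaration.get("Type", "")
    return next((c for c, p in PREFIXES.items() if dtype.startswith(p)), None)

def validate_declaration_set(declarations):
    # Checks a server should run before publishing a set: required keys, a known
    # category, unique identifiers, and every activation pointing at a real
    # configuration. Returns a list of problems; empty means the set is sound.
    problems, by_id = [], {}
    for d in declarations:
        ident = d.get("Identifier", "?")
        problems += [f"{ident}: missing {k}" for k in REQUIRED_KEYS if k not in d]
        if category_of(d) is None:
            problems.append(f"{ident}: unknown Type {d.get('Type')!r}")
        if ident in by_id:
            problems.append(f"{ident}: duplicate Identifier")
        by_id[ident] = d
    for d in declarations:
        if category_of(d) != "activation":
            continue
        for ref in d.get("Payload", {}).get("StandardConfigurations", []):
            if category_of(by_id.get(ref, {})) != "configuration":
                problems.append(f"{d['Identifier']}: {ref} is not a known configuration")
    return problems

# Constructed sample set: a passcode configuration, the activation that applies it,
# and a management declaration. Payload keys are illustrative assumptions.
SAMPLE_SET = [
    make_declaration("com.apple.configuration.passcode.settings", "cfg.passcode",
                     {"RequirePasscode": True, "MinimumLength": 6}),
    make_declaration("com.apple.activation.simple", "act.baseline",
                     {"StandardConfigurations": ["cfg.passcode"]}),
    make_declaration("com.apple.management.organization-info", "mgmt.org",
                     {"Name": "Example Corp"}),
]
```

Running validate_declaration_set(SAMPLE_SET) returns an empty list; an activation that references a missing configuration is reported by identifier.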

Federated Authentication

Federated Authentication is useful for businesses that use Azure AD as their identity provider. They can link ABM to Azure AD so that users can use their Azure AD username and password as Managed Apple IDs. This gives users the convenience of using various Apple services and signing in to individual and shared devices. All login credentials remain stored in Azure AD.

In Federated Authentication, the identity held in Azure AD is passed on to the organization's ABM account through SAML. Thus, Managed Apple IDs are created for users as soon as they first log in.

Shared iPad for Business

Figure: Shared iPad makes it easy for employees to collaborate

First introduced as part of ASM in iOS 9.3, Shared iPad combined iCloud services and Managed Apple IDs to store student data. An iPad could be shared among multiple students. Once a user logs in with the correct credentials, only information relevant to that user is displayed on the device.

With the release of iPadOS 13.4, Apple introduced a new feature for enterprises: Shared iPad for Business. iPads can be shared using Managed Apple IDs from ABM.

The three main prerequisites for Shared iPad for Business are Apple Business Manager, an MDM solution and Managed Apple IDs. This all sounds great, but how does it actually work?

As soon as a user signs in to the Shared iPad, iPadOS creates a unique section on the device's storage. The Managed Apple ID stores the data in iCloud, and the MDM solution you use communicates with the device to add the necessary device and app settings.

When the user logs out, their information remains inaccessible to other users. This is possible thanks to built-in data separation, which assigns each user of the Shared iPad their own separate space on the disk, encrypted with a different password created by that user.

Before Shared iPad for Business existed, businesses using Apple devices that wanted a shared-device enrollment had to rely on third-party solutions.

Requirements of Shared iPad for business

  • Supported devices
  • Apple Business Manager – used for enrolling devices via Automated Device Enrollment
  • Managed Apple ID – helps users sign in to their device

Enterprise Programs

AppleSeed for IT

The Apple ecosystem is vast. The devices keep getting better and more secure with each release of their operating systems. But how do you make sure that a new OS is compatible with your managed devices and won't slow down the workflow of your organization?

This is where programs like AppleSeed for IT can be of immense help. It gives IT managers an opportunity to test pre-release software within their own work environments, with access to pre-release versions of iOS, iPadOS, macOS, tvOS and watchOS.

Your organization has to be enrolled either in Apple Business Manager or Apple School Manager. You can go to appleseed.apple.com and sign in with your Managed Apple ID to try out all of the features of the program.

What can IT admins get out of this?

  • Access to pre-release software.
  • Testing the compatibility of the new software within your existing infrastructure.
  • Submitting feedback to Apple.
  • Submitting bug reports.

Apple Developer Enterprise Program

It allows organizations to develop and deploy applications for internal use. These in-house applications, meant for private use, can easily be made available to employees via a UEM solution.

The apps can be developed and distributed to devices without uploading them to the App Store or going through App Store review. Unlike AppleSeed, the Apple Developer Enterprise Program is meant solely for developers, as it focuses purely on testing the compatibility and distribution of applications on newer versions of the operating system.

Prior to enrolling in the program, organizations must meet the following requirements:

  • Have at least 100 employees.
  • Be a legal entity.
  • Use the program only to create in-house applications for internal use.
  • Participate and pass Apple’s verification interview and evaluation process.

Apple Beta Software Program

This can be used by any user with a valid Apple ID. The Apple Beta Software Program allows users to download public betas and report any issues to Apple. It is meant simply to collect feedback from the general public.

Understanding the difference between the three:

Program                            | Meant for          | What it offers
AppleSeed for IT                   | IT admins          | Helps admins understand the compatibility of managed devices with pre-release versions of the operating systems.
Apple Developer Enterprise Program | Developers         | Helps developers build and deploy in-house applications to employees without publishing them in Apple's App Store or going through App Store review.
Apple Beta Software Program        | The general public | Any user with an Apple ID can test the beta software and send feedback to Apple.

Apple Business Manager

With Apple Deployment Programs no longer being available from December 1, 2019, businesses were encouraged to upgrade to Apple Business Manager to continue enrolling devices via DEP and purchase and manage necessary content through VPP.

Apple Business Manager is a web-based portal that helps businesses to manage their devices and applications from a single place. Both store apps and B2B applications can be purchased and distributed via VPP, now known as Apps and Books within ABM.

When used with a UEM solution, admins can configure device settings, seamlessly distribute both apps and books, remotely deploy applications in bulk and leverage more features that keep devices secure and employees productive.

While ABM allows organizations to view the devices they've purchased, invite additional users to the portal and purchase apps and books for seamless distribution, it comes with limited capabilities: on its own it cannot remotely manage devices or remotely distribute applications. That is done with the help of a UEM solution.

Why upgrade to ABM?

  • Over the air enrollment of devices in bulk.
  • Volume purchasing tools.
  • Create Managed Apple IDs for businesses.

Apple School Manager – Making Apple device management easier within the education industry

Figure: Managing school owned devices via Apple School Manager

Just like Apple Business Manager, Apple School Manager (ASM) is a web-based portal that gives IT admins the flexibility to easily deploy and manage Apple devices in schools and other educational institutions.

Users have access to a wide range of Apple services and have the option to purchase and distribute applications and books. Shared iPad requires Apple School Manager and gives users a more personalized learning experience: students log in to the device with their Managed Apple ID and have access to the apps and data meant just for them. However, ASM also comes with limited remote management capabilities.

While ASM helps automate the device enrollment process, a UEM solution gives IT admins more control over the assets managed by the institution. It also helps prevent the user from deliberately unenrolling the device.

Bottom line

Managing your Apple devices with a Unified Endpoint Management solution like Hexnode helps IT admins to maintain the smooth user experience that Apple is known for and keep the devices secure at all times by pushing necessary restrictions and policies.

With all the updates that Apple brings in with its annual mid-year WWDC events, its entire ecosystem has grown to provide admins from enterprise and education industries the management capabilities they need to get their staff and students working in the most productive way possible.

Heather Gray

Technical Blogger @ Hexnode. Reading and writing helps me to stay sane.
