Emily
Brown

A Beginner’s Guide to Mac Management

Emily Brown

Jun 19, 2020

11 min read

While the use of desktop PCs has been predominant in the enterprise world, Macs are fast becoming a new favorite desired for their higher security, manageability, and a lower total cost of ownership. Most of us are familiar with Windows PCs, hence managing the Macs can be a daunting task for IT Admins. The modus operandi for managing Macs for experts and novices alike is to use a Mobile Device Management (MDM) solution. MDM solutions like Hexnode lets organizations to securely manage the Mac devices in a business environment, push configuration profiles to the device, and secure corporate data.  

What is Mac Management? 

Macs as indispensable accessories in a business meeting
Macs as indispensable accessories in a business meeting 

Mac Management is the process of managing and monitoring the macOS devices in an enterprise or education environment, usually done remotely in a centralized manner.

Apple services for Mac Management 

Deploying devices in a large scale poses a multitude of challenges in any scenario. Apple seeks to resolve these challenges and has provided various services and programs for making the device management considerably easier and cost-effective. While choosing an MDM, it is essential to ensure that it supports these Apple services: 

  1. Apple Deployment Programs 
  2. Zero-Touch Deployment (Apple DEP) 
  3. Apps and Books (formerly VPP) 
  4. Apple ID 
  5. Managed Apple ID 

1. Apple Deployment Programs 

For bulk deployment of devices, organizations have to sign up for Apple Deployment programs. The educational institutions can sign up for Apple School Manager and enroll the devices, deploy apps and books directly from a single web portal. An enterprise can sign up for Apple Business Manager for availing these features. 

2. Zero-Touch Deployment (Apple DEP)

Also known as Apple Device Enrollment Program (Apple DEP), the Zero-Touch Deployment allows you to configure any Mac purchased from Apple or an authorized Apple reseller without even touching the device. The devices can be enrolled in a device management solution using just the device serial number or the order number. This allows the end-user to directly use the device out of the box. 

3. Apps and Books (VPP)

Formerly known as the Volume Purchase Program (VPP), Apps and Books allow bulk purchasing and licensing of apps and books from Apple. These purchased apps and books can then be distributed directly to the devices without using an Apple ID.  

4. Apple ID

Apple IDs are personal account credentials used to access Apple services like Facetime, iMessage, App Store, and iCloud. Depending on the business needs, the Apple IDs can be avoided entirely. 

5. Managed Apple ID

Managed Apple IDs are owned and used by an organization for accessing standard Apple services, iWork, Notes, and Apple Business/School Manager. The Managed Apple IDs allow you to perform password resets and role-based administration. 

How can you manage macOS using Hexnode MDM? 

A managed Macbook being used in office
 

Management of macOS devices with OS X 10.7 Lion or later can be achieved with ease using Hexnode MDM. For Mac device management, Hexnode MDM has a basic framework with two components: 

  1. Configuration Profiles: Various settings in the Mac computers can be pushed in the form of configuration profiles. These configuration profiles are then installed and the computer behaves accordingly. The settings such as Wi-Fi and VPN settings, passcode restrictions, app store restrictions, web browsing restrictions and more can be configured in a single policy from the web console and pushed to the device. 
  2. Remote Management Actions: The remote actions are unique commands that you can send to the enrolled macOS computer. One such action is Wipe Device action which can be used to wipe a lost macOS computer. The end-user would need to enter the Find My Mac Pin as specified in the Hexnode Web Console to use the Mac after the factory reset.

How does Mac Management work across the device lifecycle? 

For efficient management of the Mac computers, it is crucial to support, manage, and monitor the devices right from the initial deployment to the end-user involvement. There are eight critical elements for managing the entire lifecycle of macOS computers: 

Mac Management across the device lifecycle
Mac Management across the device lifecycle


1. Integration and setup

To communicate with the macOS computers, the Hexnode MDM server sends a notification to the APNs server which in turn communicates with the Macs. Apple Push Notification service (APNs) is a service provided for communication between Apple devices and third-party servers.

The first step for Mac management is configuring APNs certificate in the Hexnode Web Portal.

How to create an APNs certificate?

  1. Create a Certificate Signing Request from your Hexnode Web Console.
  2. Upload the Self-Signed certificate in the Apple Server.
  3. Upload the APNs certificate back to the portal.

 

2. Deployment and Provisioning

The Macs have to be enrolled with an Apple device management solution before they can be deployed to the end-users. There are different methods to achieve this. For enrolling a large number of devices, Zero-Touch Deployment also known as Apple DEP is the most recommended option. You can also go for user-initiated self-enrollment where the user can enroll using an enrollment URL unique to your Hexnode MDM server.
 

3. Configuration Management

After deployment, comes configuration. The configurations can be applied to individual devices or groups of devices based on your requirements. You can create either static or dynamic groups for applying the configuration profiles and policies.

Static groups  Dynamic Groups 
Defined groups with a fixed number of devices or users.  The devices/users in a dynamic group is determined by the conditions specified. It keeps changing according to the changing data. 
Useful to manage a small and fixed number of devices/users.  Key to manage bulk devices/users with smart targeting in mind. 

With Hexnode, you can manage your enrolled Macs using Policies or Scripts. Policies allow you to define settings such as Wi-Fi, VPN, dock and screensaver settings, email configurations, and more. You can also install printers, remotely bind the Mac computers to the Active Directory, sync with Directory Services like LDAP, and even schedule OS updates. The policies are pushed to the Macs as configuration profiles to reflect the changes.

Mac Scripts are icing on the cake for Mac device management. Anything that can be run on the Terminal can be converted to a script. A script contains a set of commands for performing specific operations. Beyond the limit of the policies, different custom scripts for Mac computers can be pushed from the Hexnode Web Console.
 

4. Identity Management

Whether it is a company-owned device or a personal one, it is essential to ensure that the corporate data can be accessed across the managed apps in a secure manner. Managed Apple IDs can be used for this purpose. The organization or the educational institution can create these using Apple Business/School Manager. For personal devices, the Managed Apple IDs can be used alongside their personal Apple IDs.

5. App Management

A crucial element in managing Mac computers is app management. With Hexnode, you can deploy both store apps and in-house enterprise apps (PKG files). If the organization is enrolled in any of the Apple Deployment Programs, the Apps and Books service can be used to purchase and deploy apps in bulk to the device. There is no need for any user interaction or Apple ID in such a case.

App Catalogs

Hexnode allows you to build a custom app store in the enrolled Mac devices. The required apps can be added to an App Catalog and pushed to the specific device or a group of targeted devices via a policy. The end users can install these apps from the App Catalog in Hexnode MDM Agent App in their Mac.

6. Inventory Management

For effective management of any devices, it is mandatory to maintain clear and concise reports. The reports have to be maintained dynamically and be always up to date with the latest data. The reports for device management should contain all pertinent info such as hardware info, software details, management details, and more for informed device management. With Hexnode, you can generate complete device or user reports at any time or schedule the reports as needed.

7. Security

For every IT Admin, security is a top priority in device management. There are a few foolproof methods to keep your Macs secure from ignorant actions or malicious intentions:

Passcode Policies

Enforce strong passcode policies to secure the corporate data in the Mac. The passcode can be made mandatory and you can set a passcode age so that the passcode is changed frequently.

Firewall Settings

Configure Firewall settings for creating a barrier between the internal and external networks.

Web Content Filtering

Enhance the internet security of the organization by blacklisting/whitelisting specified websites. Access to the websites can also be blocked on the basis of inappropriate content.

Conditional Access

App Store access can be limited according to the user requirement. The access can be limited to admin users, or the users can be limited to just the software updates. The device security can also be increased by restricting features such as Autofill Password or Requesting passwords from nearby devices.

FileVault

FileVault is Apple’s full-disk encryption program. The disk content is encrypted and the users have to provide a passcode on booting the device to access the data and files. It highly increases device security as it actively prevents unauthorized users from accessing sensitive corporate data. Hexnode provides you with three methods for encrypting your macOS computers:

  1. Personal Recovery Key: These are the unique alphanumeric keys that are automatically generated at the time of encryption. The user has to note the key for future decryption of the encrypted disk.
  2. Institutional Recovery Key: These are used by institutions or organizations so that a common key is used to decrypt all their devices.
  3. Institutional and Personal Recovery Key: As the name suggests, both institutional and personal recovery keys are generated for the user. This is the most recommended method for device encryption. A major advantage is that even if the personal recovery key is lost, you would be able to decrypt the device using the institutional recovery key.

OS Updates

While being feature-rich, OS X updates also have added security and fixes to the existing vulnerabilities attached to them. With Hexnode, you can schedule the OS updates to ensure that the Mac computer is kept up to date with all the security fixes.

Remote Wipe

Even with the utmost care, it is possible for a corporate device to be misplaced. In such an event, you can remotely wipe the device with Hexnode Remote Actions to ensure that the sensitive corporate data does not fall into wrong hands.  

8. End-User Involvement

The quality of a good manager is that the managed do not feel as if they are being managed. Similarly, for good device management, end-user empowerment is a desirable quality. The use of App Catalogs is a good method to provide users with the tools they need in one place. The repetitive and redundant tasks like installing printers can be done from the Web Console itself saving precious time for the employees. Broadcast messaging is yet another feature that allows the IT admins to communicate with the employees in an efficient manner.
 

A sweet perk: Third-Party Integration (OKTA) 

Mac device management is incomplete if it cannot be incorporated with your existing IT tools. An important one is the SSO authentication tool OKTA. OKTA integration with Hexnode allows you to enroll your macOS computers with OKTA authentication. The OKTA users are all automatically imported on integration with Hexnode. OKTA domain services take care of all interactions between the users and the domain.

How does an MDM for Mac Management benefit the IT admins and the end-users? 

Businesswoman using a managed Mac
Businesswoman using a managed Mac

For IT Admins, the benefits of using an efficient Apple device management solution are numerous. Reduced support costs without compromising on efficiency, managing the Macs remotely from a single web portal, integrating with directory services, automating redundant IT tasks such as password policy and device restrictions are a few of the important ones.
 

Similarly, using a suitable MDM for managing Macs helps the employees as well. For example, with Hexnode, the users have a self-help destination with an intuitive UI for installing the apps from the app catalog. The common IT complaints arising from printer installations and software updates can also be resolved with ease. 

Get started with Mac Management for your organization here. 

Share
  • 4
  •  
  •  
  •  
  •  
    4
    Shares
Emily Brown

Reading is therapy and writing is healing...sincerely, a cool nerd.

Share your thoughts