Jan 5, 2021
Workplaces are constantly evolving. Even before the advent of the Covid-19 pandemic, the trend of working remotely was gradually gaining traction. Now, when more and more employees are working from home or from remote places, the responsibilities of the IT admin remain the same: to manage, secure, and protect the devices, users, and corporate resources.
At HexCon20, we had the opportunity to listen to an illuminating breakout session by Bradley Chambers, an author at 9to5Mac with more than 11 years of experience in Apple device management. The Apple enterprise management scene is very different now from what it was 10-11 years ago.
One of the things that is unique with technology is that you are never done with technology.
Bradley spoke about the different responsibilities of an IT admin and methods to secure, troubleshoot, and manage the remote Apple endpoints. In this blog, we have attempted to cover the key points discussed in the session.
Working remotely is no longer an option to be mulled over. It is a legitimate way to work followed globally. Throughout the session, Bradley discussed the different steps that need to be taken to support the end-users working remotely. From device deployments to device repairs and off-boarding, we get an idea of managing the endpoints remotely throughout the device lifecycle.
The question may arise: does Shadow IT pose any problems? The answer is a definite yes. The requirements are satisfied temporarily, but the central IT department has no means to control or audit the external solution. The IT department is responsible for the company’s data and security. If the other departments use solutions without the IT department’s involvement, chances are that these solutions may not meet the compliance and security goals of the organization.
How to get rid of Shadow IT? It is simple. The IT department should make sure that while choosing an IT solution, they take into consideration the needs of the organization and its employees as a whole.
Is Remote IT any different from Shadow IT? Of course, it is. Unlike Shadow IT, there are no unauthorized third-party applications or solutions deployed. In Remote IT, the IT admin enables the users to leverage tools and resources even though the admin has no direct access to the device.
Traditionally, the security of the network was built around the “perimeters” that isolated the internal servers from the external networks. As long as the perimeter was secured, the network was considered to be secured as well. The concept works fine until the attack comes from within. How, then, do you secure the network completely? That question gave rise to the revolutionary Zero Trust security concept of “Never trust, always verify”.
As Bradley states, “In Zero Trust networking environment, everything is assumed to be insecure by default. Only after passing a checklist, the devices and users are deemed to be secure.”
There are two main aspects of device deployment. The first one is a no-brainer: configuration management, i.e., setting up the devices correctly with all the proper configurations. The second aspect is logistics: how do you actually order the devices and ensure that they reach the end-users?
An important step in device deployment is to select a suitable MDM solution and integrate it with your Apple Business Manager account. Using Apple’s Device Enrollment Program, the admin can use the device serial numbers to deploy devices in bulk by automatically applying the configurations and settings when the user turns on the device for the first time.
There is no guarantee that the remote workers would have regular uninterrupted IT support that they would otherwise enjoy in a typical workspace. The remote workforce should be independent enough to troubleshoot and resolve minor issues on their own to reduce the dependency on IT.
The first step in increasing autonomy is having well-developed documentation that the users can easily follow. What generally goes wrong, and how can it be fixed? If the issue is not fixed even after the basic troubleshooting, IT can swoop in to help with tools like remote access.
Installing applications remotely can be done either at the initial device deployment or at a later time when new applications need to be installed. There are two types of applications: apps from the App Store and apps that are not. Installing apps from the App Store remotely is a piece of cake for Apple devices. Go to your Apple Business Manager account, purchase licenses for the needed apps from Apps and Books, and deploy them using your MDM solution. Enterprise apps that are not in the App Store can be uploaded to and deployed by your MDM solution. If you are new to Apple Device Management, I would strongly suggest that you try the 30-day free trial of Hexnode MDM to get an idea about the whole process.
Remote Access tools are unavoidable when it comes to managing remote workers. As Bradley says, “The reason you need these tools is, sometimes you just need to see what the end-user sees because you can’t physically touch the machine.” It would be preferable if the remote access is granted only at user discretion. It increases trust and protects the privacy of the end-user.
When it comes to OS updates, there are two paths you can take. One is to delay the updates as long as possible to avoid any possible confusion and issues. The other is to install the updates right away for the relevant security fixes. Which one is the correct decision? Bradley states, “When you are doing an OS update, you are going from the most stable version of one Operating System to the least stable version of the next one.” Some users may be fine with that, while others may not. Most of the users do not care about the updates. They are just concerned that their workflow isn’t interrupted. Apple OS updates can be delayed up to 90 days using your MDM solution. Bradley suggests that we should delay the updates by a minimum of 30 days so that you do not have to deal with any initial big bugs.
Before forcing updates on the remote devices, it is advisable to inform the users so that they can safely back up important data and files. Whichever strategy you decide to adopt for OS updates, make sure to inform the end-user about it.
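A deferral policy only helps if the profile your MDM actually pushes matches it. The following added example (not from the session or from Hexnode) audits an exported configuration profile against the 30-to-90-day window discussed above. It assumes the deferral is set through Apple's Restrictions payload keys `forceDelayedSoftwareUpdates` and `enforcedSoftwareUpdateDelay`; the sample profile and the `audit_update_deferral` name are constructed for illustration.

```python
import plistlib

# Constructed sample profile (not from the original post): a Restrictions
# payload that defers OS updates by only 14 days.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.updates</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.applicationaccess</string>
    <key>forceDelayedSoftwareUpdates</key><true/>
    <key>enforcedSoftwareUpdateDelay</key><integer>14</integer>
  </dict></array>
</dict></plist>"""

MIN_DAYS, MAX_DAYS = 30, 90   # 30-day floor from the talk, 90-day maximum
APPLE_DEFAULT_DELAY = 30      # assumed default when the delay key is absent


def audit_update_deferral(profile_bytes):
    """Return a list of findings; an empty list means the profile complies."""
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == "com.apple.applicationaccess"]
    if not payloads:
        return ["no Restrictions payload: updates are not deferred"]
    findings = []
    for p in payloads:
        if p.get("forceDelayedSoftwareUpdates") is not True:
            findings.append("forceDelayedSoftwareUpdates is not true: no deferral")
            continue
        days = p.get("enforcedSoftwareUpdateDelay", APPLE_DEFAULT_DELAY)
        if isinstance(days, bool) or not isinstance(days, int):
            findings.append(f"enforcedSoftwareUpdateDelay is not an integer: {days!r}")
        elif days < MIN_DAYS:
            findings.append(f"delay of {days} days is below the {MIN_DAYS}-day floor")
        elif days > MAX_DAYS:
            findings.append(f"delay of {days} days exceeds the {MAX_DAYS}-day cap")
    return findings


if __name__ == "__main__":
    for line in audit_update_deferral(SAMPLE_PROFILE) or ["profile complies"]:
        print(line)
```

Running the audit on every profile export before it is assigned to a device group catches a deferral that was switched off or shortened, which would otherwise surface only when remote users start receiving day-one updates.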
There are many things that could go wrong with the device, either accidentally or through some technical issue. For remote work, it would spell disaster if the device cannot be used. How can you handle the repairs remotely? One method is to maintain a business relationship with Apple and set up repairs at the local Apple store. The users can directly take their damaged devices to the nearest Apple store and get them repaired. What happens when there is no Apple store in the vicinity of the user? It is recommended to find the nearest Apple authorized reseller and get the repairs done there. If there aren’t any authorized resellers nearby, the admin would have to take additional measures such as dropshipping a new device to the user and repairing the older one in the meantime. It is recommended to keep some spare devices handy for such scenarios. The priority here is to prevent any loss of the employee’s time.
When a new employee is hired by the company, the employee has to be given access to different services such as the corporate email address, file sharing, HR software and so on. Similarly, when the employee leaves the company, access to these services has to be revoked. The admin has to ensure that the on-boarding and off-boarding process scales to remote work environments.
Soon, the majority of the workforce is going to be remote. The IT admins need to reconsider the existing device management and security practices. Bradley discussed with us the basics of remote management of Apple devices. Follow @bradleychambers on Twitter or contact him at Bradley@9to5mac.com to discuss more on the topic. You can always contact firstname.lastname@example.org or ping Hexnode chat support for any queries or help.