Apple@work: Apple device management for fully remote teams

Emily Brown

Jan 5, 2021


Workplaces are constantly evolving. Even before the advent of the Covid-19 pandemic, the trend of working remotely was gradually gaining traction. Now that more and more employees are working from home or from remote places, the responsibilities of the IT admin remain the same: to manage, secure, and protect the devices, users, and corporate resources.

At HexCon20, we had the opportunity to listen to an illuminating breakout session by Bradley Chambers, an author at 9to5Mac with more than 11 years of experience in Apple device management. The Apple Enterprise Management scene is very different now from what it was 10-11 years ago.

One of the things that is unique with technology is that you are never done with technology.

-Bradley Chambers

 Bradley spoke about the different responsibilities of an IT admin and methods to secure, troubleshoot, and manage the remote Apple endpoints. In this blog, we have attempted to cover the key points discussed in the session. 

Supporting End Users in a Remote Work World 

Working remotely is no longer an option to be mulled over. It is a legitimate way to work followed globally. Throughout the session, Bradley discussed the different steps that need to be taken to support the end-users working remotely. From device deployments to device repairs and off-boarding, we get an idea of managing the endpoints remotely throughout the device lifecycle. 

Shadow IT vs Remote IT 

What is Shadow IT? Consider a situation where the existing tools of your organization don’t meet the employees’ needs. Faced with such a situation, an employee may seek out an external solution outside the purview of the IT department. Employing such external IT solutions without the knowledge of the central IT department is Shadow IT.

The question may arise: does Shadow IT pose any problems? The answer is a definite yes. The requirements are satisfied temporarily, but the central IT department has no means to control or audit the external solution. The IT department is responsible for the company’s data and security. If the other departments use solutions without the IT department’s involvement, chances are that these solutions will not meet the compliance and security goals of the organization.

How to get rid of Shadow IT? It is simple. The IT department should make sure that while choosing an IT solution, they take into consideration the needs of the organization and its employees as a whole.  

Is Remote IT any different from Shadow IT? Of course, it is. Unlike Shadow IT, there are no unauthorized third-party applications or solutions deployed. In Remote IT, the IT admin enables the users to leverage tools and resources even though the admin has no direct access to the device.

A “New Network” in the “New Normal” 

Traditionally, the security of the network was built around the “perimeters” that isolated the internal servers from the external networks. As long as the perimeter was secured, the network was also considered to be secured. The concept works fine until the attack comes from within. How, then, do you secure the network completely? This question gave rise to the revolutionary Zero Trust security concept of “Never trust, always verify”.

As Bradley states, “In a Zero Trust networking environment, everything is assumed to be insecure by default. Only after passing a checklist, the devices and users are deemed to be secure.”

Deploying devices 


There are two main aspects of device deployment. The first one is a no-brainer: configuration management, i.e., setting up the devices correctly with all the proper configurations. The second aspect is logistics: how do you actually order the devices and ensure that they reach the end-users?

Apple Business/School Manager

For enterprises focused on Apple, tools like Apple Business/School Manager and Apple’s online business portal help in easing the process of device deployment. The online business portal allows you to view and purchase business devices. While you can ship a device yourself after purchasing it, Bradley suggests a simpler way: dropshipping the device to the end-users.

An important step in device deployment is to select a suitable MDM solution and integrate it with your Apple Business Manager account. Using Apple’s Device Enrollment Program, the admin can use the device serial numbers to deploy devices in bulk by automatically applying the configurations and settings when the user turns on the device for the first time.  

How to enable users to support themselves? 

There is no guarantee that the remote workers would have regular uninterrupted IT support that they would otherwise enjoy in a typical workspace. The remote workforce should be independent enough to troubleshoot and resolve minor issues on their own to reduce the dependency on IT. 

The first step in increasing autonomy is having well-developed documentation that the users can easily follow. It should cover what generally goes wrong and how to fix it. If the issue is not fixed even after the basic troubleshooting, IT can step in to help with tools like remote access.

Remote app installation and Remote Access tools 


Installing applications remotely can be done either at the initial device deployment or at a later time when new applications need to be installed. There are two types of applications: apps from the App Store and apps that are not. Installing apps from the App Store remotely is a piece of cake for Apple devices. Go to your Apple Business Manager account, purchase licenses for the needed apps from Apps and Books, and deploy them using your MDM solution. Apps that are not in the App Store, i.e., enterprise apps, can be uploaded and deployed by your MDM solution. If you are new to Apple Device Management, I would strongly suggest that you try the 14-day free trial of Hexnode MDM to get an idea of the whole process.


Remote Access tools are unavoidable when it comes to managing remote workers. As Bradley says, “The reason you need these tools is, sometimes you just need to see what the end-user sees because you can’t physically touch the machine.” It is preferable that remote access be granted only at the user’s discretion. This increases trust and protects the privacy of the end-user.

OS updates 

When it comes to OS updates, there are two paths you can take. One is to delay the updates as long as possible to avoid any possible confusion and issues. The other is to install the updates right away for the relevant security fixes. Which one is the correct decision? Bradley states, “When you are doing an OS update, you are going from the most stable version of one Operating System to the least stable version of the next one.” Some users may be fine with that, while others may not. Most users do not care about the updates. They are just concerned that their workflow isn’t interrupted. Apple OS updates can be delayed up to 90 days using your MDM solution. Bradley suggests delaying the updates by a minimum of 30 days so that you do not have to deal with any initial big bugs.

Before forcing updates on the remote devices, it is advisable to inform the users so that they can safely back up important data and files. Whichever strategy you decide to adopt for OS updates, make sure to inform the end-user about it.
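The 30-to-90-day deferral window described above, as an added Python example (not code from the session or from Hexnode): it builds an Apple configuration profile whose Restrictions payload defers OS updates, and audits an existing profile against that window. The `com.example.it` identifiers and the function names are assumptions made for illustration.

```python
import plistlib
import uuid

MAX_DEFERRAL_DAYS = 90  # upper limit stated in the article
MIN_POLICY_DAYS = 30    # minimum delay suggested in the session


def build_deferral_profile(days, org_id="com.example.it"):
    """Return a .mobileconfig (bytes) that defers OS updates by `days`."""
    if not 1 <= days <= MAX_DEFERRAL_DAYS:
        raise ValueError(f"deferral must be 1-{MAX_DEFERRAL_DAYS} days, got {days}")
    restrictions = {
        "PayloadType": "com.apple.applicationaccess",  # Restrictions payload
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_id}.restrictions.updates",  # constructed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "forceDelayedSoftwareUpdates": True,
        "enforcedSoftwareUpdateDelay": days,
    }
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{org_id}.updates",  # constructed
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"Defer OS updates {days} days",
        "PayloadContent": [restrictions],
    }
    return plistlib.dumps(profile)


def audit_deferral(profile_bytes):
    """Return a list of findings; an empty list means the profile meets policy."""
    profile = plistlib.loads(profile_bytes)
    payloads = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == "com.apple.applicationaccess"]
    if not payloads:
        return ["no Restrictions payload: updates are not deferred"]
    findings = []
    for p in payloads:
        delay = p.get("enforcedSoftwareUpdateDelay")
        if not p.get("forceDelayedSoftwareUpdates", False):
            findings.append("forceDelayedSoftwareUpdates is not enabled")
        elif not isinstance(delay, int):
            findings.append("enforcedSoftwareUpdateDelay is not set explicitly")
        elif delay < MIN_POLICY_DAYS:
            findings.append(f"delay of {delay} days is below the {MIN_POLICY_DAYS}-day minimum")
        elif delay > MAX_DEFERRAL_DAYS:
            findings.append(f"delay of {delay} days exceeds the {MAX_DEFERRAL_DAYS}-day limit")
    return findings
```

Running `audit_deferral` over the profiles exported from an MDM console shows which device groups fall outside the agreed window before an update is forced.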

Device Repairs 


There are many things that could go wrong with the device, either accidentally or through some technical issue. For remote work, it would spell disaster if the device cannot be used. How can you handle the repairs remotely? One method is to maintain a business relationship with Apple and set up repairs at the local Apple store. The users can directly take their damaged device to the nearest Apple store and get it repaired. What happens when there is no Apple store in the vicinity of the user? It is recommended to find the nearest Apple authorized reseller and get the repairs done there. If there aren’t any authorized resellers nearby, the admin would have to take additional measures such as dropshipping a new device to the user and repairing the older one in the meantime. It is recommended to keep some spare devices handy for such scenarios. The priority here is to prevent any loss of the employee’s time.

Employee On-Boarding and Off-boarding 

When a new employee is hired by the company, the employee has to be given access to different services such as the corporate email address, file sharing, HR software and so on. Similarly, when the employee leaves the company, access to these services has to be revoked. The admin has to ensure that the on-boarding and off-boarding process scales to remote work environments.

Concluding Remarks 

Soon, the majority of the workforce is going to be remote. IT admins need to reconsider the existing device management and security practices. Bradley discussed with us the basics of remote management of Apple devices. Follow him on Twitter or contact him at Bradley@9to5mac.com to discuss more on the topic. You can always contact support@hexnode.com or ping Hexnode chat support for any queries or help.

