Deploying Macs introduces several "new" concepts for how to effectively provision and support the devices. Apple's methods differ from traditional methods, such as those used in Windows environments, and therefore must be well understood.
To help your IT team improve operational processes associated with managing Mac devices, this blog post highlights three tips for a smooth and successful deployment. We’ll also explore the tools and skillsets that can empower IT teams to provision and support the devices securely and efficiently—while delivering the best possible experience for end users.
1. Provisioning New Mac Laptops
An IDG Research poll found that 43% of IT decision makers feel their companies need to improve the efficiency of their Apple device management strategies. (Source: IDG Research commissioned by WEI, March 2019.) Most IT teams are accustomed to provisioning Windows devices. However, provisioning Macs is quite different. In a Windows environment, IT either wipes the devices and lays down a captured OS image, or uses a thin-provisioning model. With Macs, these methods are hard to achieve and therefore not desirable. Modern Macs, in particular those with the Apple T2 Security Chip, ship with Secure Boot and external-boot restrictions enabled by default, which prevent the device from booting from a network volume or an external drive to start an imaging process. In addition, each Mac model ships with firmware and drivers specific to its hardware, which a captured image from another model may not contain. While it is possible to relax these protections in the Startup Security Utility, doing so weakens the boot chain and adds a manual, multi-step process per machine, so it is not considered best practice.
To overcome these issues, Apple provides a process that makes Mac provisioning easier: the Device Enrollment Program (DEP), now offered as Automated Device Enrollment inside Apple Business Manager. Macs bought from Apple or from an authorized reseller are registered to the purchasing organization's Apple Business Manager account by the reseller at the time of sale. In Apple Business Manager, which runs in Apple's cloud, IT sees those serial numbers and assigns each one to the organization's Mobile Device Management (MDM) server. In the MDM tool, IT sets up configuration profiles, which carry device-level settings as well as user-level settings scoped to the designated user group. These settings might indicate, for example, which applications users should see on their desktop. They can also let devices auto-join a secure Wi-Fi network and designate the level of access each user receives.
When an end user powers on a new Mac and connects to the internet, the Setup Assistant contacts Apple, which recognizes the serial number and directs the device to the organization's MDM server. The Mac enrolls in the MDM during setup and automatically receives its assigned applications and configuration settings. Because an enrollment made this way can be marked as mandatory and non-removable by the user, IT also gains assurance that the device is managed from first boot. This provisioning method uses the operating system pre-loaded on the Mac rather than wiping it. Because the MDM pushes applications and settings over the network, end users can start working immediately without IT having to physically touch their laptop.
If preferred, IT has the option to handle the devices, enroll them, and carry out the application and configuration profile installs on behalf of end users. The IT team can then verify that the configurations work before delivering the devices, and employees can log in and start using their machines right away.
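What a configuration profile actually contains is easier to see than to describe. The block below is an added example, not code from the original post or from Apple: it builds a device-level `.mobileconfig` (a property list) that auto-joins a WPA2-Enterprise network and pins the RADIUS server name, then runs a structural check before the profile is uploaded to an MDM. The SSID `Corp-Secure`, the RADIUS host `radius.corp.example`, and the `com.example` identifiers are constructed placeholders; the payload keys themselves (`com.apple.wifi.managed`, `SSID_STR`, `AutoJoin`, `EAPClientConfiguration`, `TLSTrustedServerNames`) are Apple's documented ones.

```python
"""Build and sanity-check a macOS configuration profile (.mobileconfig).

Added example. Generates a device-level profile that auto-joins a
WPA2-Enterprise (PEAP) network with the RADIUS server name pinned, then
validates the structure. SSID, RADIUS host and identifiers are made-up
placeholders; replace them with your own before use.
"""
import plistlib
import uuid

REQUIRED_PAYLOAD_KEYS = ("PayloadType", "PayloadVersion", "PayloadIdentifier", "PayloadUUID")
REQUIRED_PROFILE_KEYS = REQUIRED_PAYLOAD_KEYS + ("PayloadContent",)
EAP_PEAP = 25  # EAP type code used in AcceptEAPTypes (13 would be EAP-TLS)


def payload_header(payload_type, identifier, display_name):
    """Keys every payload dictionary must carry; UUIDs must be unique per payload."""
    return {
        "PayloadType": payload_type,
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
    }


def wifi_enterprise_payload(ssid, radius_names, identifier):
    """Wi-Fi payload: auto-join, WPA2-Enterprise over PEAP, RADIUS name pinned.

    No UserName/UserPassword is stored, so macOS prompts the user when it first
    joins. TLSTrustedServerNames makes the Mac refuse a RADIUS server whose
    certificate carries another name, which is what stops an evil-twin access
    point from harvesting the user's domain credentials.
    """
    p = payload_header("com.apple.wifi.managed", identifier, f"Wi-Fi {ssid}")
    p.update({
        "SSID_STR": ssid,
        "AutoJoin": True,
        "HIDDEN_NETWORK": False,
        "EncryptionType": "WPA2",
        "EAPClientConfiguration": {
            "AcceptEAPTypes": [EAP_PEAP],
            "TLSTrustedServerNames": list(radius_names),
        },
    })
    return p


def build_profile(org_id, display_name, payloads, scope="System"):
    """Wrap payloads in the top-level 'Configuration' dictionary."""
    profile = payload_header("Configuration", f"{org_id}.profile", display_name)
    profile.update({
        "PayloadOrganization": org_id,
        "PayloadScope": scope,              # "System" = device level, "User" = per user
        "PayloadRemovalDisallowed": True,   # user cannot remove it from System Preferences
        "PayloadContent": list(payloads),
    })
    return profile


def validate_profile(profile):
    """Return a list of problems; an empty list means the structure looks installable."""
    problems = []
    for k in REQUIRED_PROFILE_KEYS:
        if k not in profile:
            problems.append(f"profile missing {k}")
    if profile.get("PayloadType") != "Configuration":
        problems.append("top-level PayloadType must be 'Configuration'")
    seen_uuids = {profile.get("PayloadUUID")}
    seen_ids = {profile.get("PayloadIdentifier")}
    for i, p in enumerate(profile.get("PayloadContent", [])):
        for k in REQUIRED_PAYLOAD_KEYS:
            if k not in p:
                problems.append(f"payload {i} missing {k}")
        if p.get("PayloadUUID") in seen_uuids:
            problems.append(f"payload {i} reuses PayloadUUID")
        if p.get("PayloadIdentifier") in seen_ids:
            problems.append(f"payload {i} reuses PayloadIdentifier")
        seen_uuids.add(p.get("PayloadUUID"))
        seen_ids.add(p.get("PayloadIdentifier"))
        if p.get("PayloadType") == "com.apple.wifi.managed":
            if p.get("EncryptionType") in ("None", "WEP"):
                problems.append(f"payload {i}: weak EncryptionType {p['EncryptionType']}")
            eap = p.get("EAPClientConfiguration", {})
            if eap and not eap.get("TLSTrustedServerNames"):
                problems.append(f"payload {i}: EAP without TLSTrustedServerNames")
    return problems


def to_mobileconfig(profile):
    """Serialize to XML plist bytes, the on-disk .mobileconfig format."""
    return plistlib.dumps(profile)


def from_mobileconfig(data):
    return plistlib.loads(data)


def example_profile():
    wifi = wifi_enterprise_payload("Corp-Secure", ["radius.corp.example"], "com.example.wifi.corp")
    return build_profile("com.example", "Corporate Wi-Fi", [wifi])


if __name__ == "__main__":
    prof = example_profile()
    print("\n".join(validate_profile(prof)) or "profile OK")
    with open("corp-wifi.mobileconfig", "wb") as f:
        f.write(to_mobileconfig(prof))
```

The file this writes is unsigned, so installed by hand it shows as "Unverified"; pushing it through the MDM is what signs it and, together with Automated Device Enrollment, what makes `PayloadRemovalDisallowed` effective. For a stronger setup, swap `EAP_PEAP` for EAP-TLS (type 13) and add an identity-certificate payload referenced by `PayloadCertificateUUID`, so no password is typed at all.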
2. Securing Devices and Authenticating Users
For Mac security, two-factor authentication should be the baseline for user login. Two methods are common for adding a factor beyond the user name and password:
- Sending users a one-time code via text message that they have to enter to gain access
- Giving users a hardware token (a USB security key or smart card) that they must plug into their device
Without the code or the token, a stolen password alone does not let an attacker log in. Of the two, the hardware token is the stronger option: SMS codes can be intercepted or redirected through a SIM swap, and they are vulnerable to phishing, while a hardware key's response is bound to the device it is plugged into.
For user identity services, Active Directory is the primary tool in Windows environments, and it can also be used for Macs added to the network. IT can bind the Macs to Active Directory so people log in to their devices with their domain user name and password; macOS creates a "mobile account" that caches those credentials locally. This set-up is handy when users move back and forth between Apple applications and Windows-centric ones, such as Microsoft Outlook, which Mac users may rely on for email. With one set of credentials for both, end users can work more efficiently.
However, many companies are moving away from binding, because Macs bound to Active Directory behave less reliably, especially off the corporate network. The cached mobile-account password can fall out of sync with the directory: if a user changes their password in Active Directory while the Mac cannot reach a domain controller, the old password is still required at the login screen, and FileVault may still expect the older credential as well. Users end up locked out of their systems, and IT has to spend valuable time resolving the issue.
To eliminate this burden, many IT teams use tools such as Apple Enterprise Connect and Jamf Connect (built on NoMAD, which Jamf acquired). Both tools remove the need to join the Mac directly to Active Directory. Users log in with a local account; the tool then authenticates that user against Active Directory over the network and keeps the local account password in sync with the directory password. Apple Enterprise Connect and Jamf Connect also provide some additional features. For example, an icon in the menu bar shows how many days remain until the password expires, and common network shares can be mounted automatically when the Mac is connected to the organization's internal network.
With these tools, when the password is changed, either on the local device or in Active Directory, the tool re-synchronizes the account. This approach simplifies the login process for end users while still giving IT the ability to enforce directory policies, such as requiring employees to change passwords every three months.
3. Applying Patches and Updates
For applying security patches, OS updates, and updates for frequently used Apple applications such as Safari and iTunes, IT teams can rely on Apple's free Software Update service. All Macs are pointed at this service by default; it runs in Apple's cloud, notifies end users of any patches and updates they need to apply, and prompts them to download and install. The drawback is that users see every update the moment Apple publishes it, before IT has tested it.
Apple removed the Software Update service from macOS Server, so there is no longer an Apple-supplied on-premises update server, but there are alternative solutions IT departments can use to manage the Apple catalog of software patches and updates.
Two open source options are Reposado and Jamf's NetBoot/SUS Appliance (NetSUS). Reposado is a set of Python tools that mirrors Apple's update catalogs and packages and serves them from any web server, so it runs on macOS, Linux, or Windows; NetSUS is a Linux virtual appliance that packages the same software update server behind a web console. Using an MDM platform such as Jamf Pro or AirWatch, IT delivers a configuration profile that sets the `CatalogURL` key in the `com.apple.SoftwareUpdate` preference domain, pointing every Mac at the on-premises catalog. From then on, a Mac only sees the updates IT has published to that catalog, so when Apple releases a security patch, end users are not prompted until IT has approved it.
With an on-premises update server, IT can test the patch on different device configurations to make sure it doesn't break the OS or any critical applications. Once the patch is ready, IT publishes it to the catalog the production Macs are reading. The patch then shows up as available in Software Update, and IT can prompt or force installation through the MDM platform, where users can install it with just a few clicks.
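The approval step above comes down to manipulating Apple's catalog file, which is an XML property list: a `Products` dictionary keyed by product ID, each product carrying a `PostDate`, a list of `Packages` (with `URL`, `Size`, `Digest`), and a `Distributions` map. The block below is an added example written for this post, not Reposado's or Jamf's code: it reads a catalog, lists what Apple has posted since the last review, and writes a "branch" catalog that contains only the product IDs IT has tested, with package URLs rewritten to a local mirror. The product IDs, URLs, sizes and dates in `SAMPLE_CATALOG` are constructed, not real Apple releases, and `sus.corp.example` is a placeholder mirror host.

```python
"""Filter an Apple software update catalog (.sucatalog) down to an approved branch.

Added example. Reads a sucatalog plist, reports what Apple has published, and
builds a branch catalog holding only tested product IDs, with Apple CDN URLs
rewritten to an on-premises mirror. The sample catalog below is constructed
data in the shape of Apple's format; the IDs and URLs are not real releases.
"""
import copy
import plistlib
from datetime import datetime

APPLE_CDN = "https://swcdn.apple.com/"

# Constructed sample catalog: three hypothetical products.
SAMPLE_CATALOG = {
    "CatalogVersion": 2,
    "IndexDate": datetime(2019, 3, 1),
    "Products": {
        "000-00001": {  # hypothetical Safari update
            "PostDate": datetime(2019, 2, 10),
            "Distributions": {"English": APPLE_CDN + "content/downloads/a/safari.English.dist"},
            "Packages": [{"URL": APPLE_CDN + "content/downloads/a/Safari.pkg",
                          "Size": 70_000_000, "Digest": "aa11"}],
        },
        "000-00002": {  # hypothetical security update with two packages
            "PostDate": datetime(2019, 2, 25),
            "Distributions": {"English": APPLE_CDN + "content/downloads/b/secupd.English.dist"},
            "Packages": [
                {"URL": APPLE_CDN + "content/downloads/b/SecUpd.pkg", "Size": 900_000_000, "Digest": "bb22"},
                {"URL": APPLE_CDN + "content/downloads/b/FirmwareUpdate.pkg", "Size": 5_000_000, "Digest": "bb23"},
            ],
        },
        "000-00003": {  # hypothetical iTunes update
            "PostDate": datetime(2019, 2, 28),
            "Distributions": {"English": APPLE_CDN + "content/downloads/c/itunes.English.dist"},
            "Packages": [{"URL": APPLE_CDN + "content/downloads/c/iTunes.pkg",
                          "Size": 250_000_000, "Digest": "cc33"}],
        },
    },
}


def load_catalog(data):
    """Parse catalog plist bytes; refuse anything that is not a catalog."""
    cat = plistlib.loads(data)
    if not isinstance(cat.get("Products"), dict):
        raise ValueError("not a software update catalog: no Products dict")
    return cat


def dump_catalog(catalog):
    return plistlib.dumps(catalog)


def list_products(catalog, since=None):
    """Return [(product_id, post_date, total_bytes)], newest first.

    With `since`, only products posted after that datetime are returned, which
    is the 'what did Apple release since our last review' question. The human
    readable title lives in the .dist file, not in the catalog itself.
    """
    rows = []
    for pid, prod in catalog["Products"].items():
        posted = prod.get("PostDate")
        if since is not None and posted is not None and posted <= since:
            continue
        size = sum(p.get("Size", 0) for p in prod.get("Packages", []))
        rows.append((pid, posted, size))
    rows.sort(key=lambda r: r[1] or datetime.min, reverse=True)
    return rows


def _rewrite(url, mirror_base):
    """Point an Apple CDN URL at the local mirror; leave other URLs alone."""
    if url.startswith(APPLE_CDN):
        return mirror_base.rstrip("/") + "/" + url[len(APPLE_CDN):]
    return url


def make_branch(catalog, approved_ids, mirror_base):
    """Build a catalog containing only approved products.

    Unknown IDs raise, so a typo in the approval list cannot silently drop an
    update. The input catalog is deep-copied, never modified in place.
    """
    missing = set(approved_ids) - set(catalog["Products"])
    if missing:
        raise KeyError(f"unknown product IDs: {sorted(missing)}")
    branch = {k: v for k, v in catalog.items() if k != "Products"}
    branch["Products"] = {}
    for pid in approved_ids:
        prod = copy.deepcopy(catalog["Products"][pid])
        for pkg in prod.get("Packages", []):
            for key in ("URL", "MetadataURL"):
                if key in pkg:
                    pkg[key] = _rewrite(pkg[key], mirror_base)
        prod["Distributions"] = {lang: _rewrite(u, mirror_base)
                                 for lang, u in prod.get("Distributions", {}).items()}
        if "ServerMetadataURL" in prod:
            prod["ServerMetadataURL"] = _rewrite(prod["ServerMetadataURL"], mirror_base)
        branch["Products"][pid] = prod
    return branch


if __name__ == "__main__":
    cat = load_catalog(dump_catalog(SAMPLE_CATALOG))
    for pid, posted, size in list_products(cat):
        print(f"{pid}  {posted:%Y-%m-%d}  {size / 1e6:8.1f} MB")
    branch = make_branch(cat, ["000-00002"], "https://sus.corp.example/")
    with open("branch.sucatalog", "wb") as f:
        f.write(dump_catalog(branch))
```

The branch file is what the `CatalogURL` in the `com.apple.SoftwareUpdate` profile points at. Rewriting the package URLs only makes sense if the mirror actually holds those packages; keep the `Digest` values from Apple's catalog intact so the client can still verify what it downloads.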
In addition to managing updates, it's also a good idea to buy extra Macs as test devices. Ideally, IT will run machines with hardware specs and software matching what end users have. IT can use the test machines to become familiar with the user environment, and enroll them in the MDM platform to exercise the provisioning process and the services it delivers before anything reaches production.
Specific services to test include logging in to email, using the VPN, and accessing files on shared drives. Testing is especially important before deploying antivirus or other endpoint security agents: these typically install kernel extensions, which on current macOS must be explicitly approved (or whitelisted through an MDM kernel extension policy) and which can cause performance problems or boot issues if rolled out untested.
Enabling Enterprises to Offer More Choices for End Users
Today’s end users want the freedom to choose when it comes to the desktop environments that they use to do their jobs every day. Increasingly, Mac laptops have been the devices of choice. WEI recommends embracing this trend, while giving your IT team the tools and skills they need to ensure the devices perform at a high level, employees are productive, and digital assets are secure.
If you're about to bring Macs into your enterprise, or if you'd like to work with a partner who has expertise in managing the devices already deployed on your network, we're here to help. As an Authorized Apple Reseller, we specialize in helping enterprise customers roll out new Macs, along with providing ongoing maintenance and support. Many of our customers have already made the transition to a hybrid Windows-Apple environment to improve productivity and enhance the end user experience, and we're ready to support you as you embark on the same journey.
Learn more about WEI's expertise with all things Apple in our Apple Services Brief below.