A macOS MDM Primer. What’s Possible?

Last updated April 19, 2019

While Apple’s MDM protocol has supported iOS for some time, macOS support is newer and offers a partly different set of commands and payloads. This article is intended to provide a general overview of some of the capabilities that are available with native Apple MDM on macOS.

Please note that, while this article will be updated from time to time, it is not intended to cover the complete macOS MDM functionality provided by SimpleMDM.

Onboarding

One of the most notable benefits of using MDM for macOS is how it helps with onboarding new users. Traditionally this involved the tedious, time-consuming process of imaging machines or configuring them by hand, and it generally required an IT technician to be present for hands-on setup.

With MDM, the Apple Device Enrollment Program (DEP) and Apple Business Manager, device administrators can drastically reduce onboarding time and improve the overall experience. When a Mac is registered in Apple DEP and assigned to SimpleMDM, it automatically enrolls in MDM as soon as it connects to the internet during device activation. Enrollment through DEP allows many of the initial Setup Assistant steps to be skipped for a faster setup, and it can create a local admin account automatically during initialization. Because the enrollment happens during activation, macOS 10.13.4 and later also treat it as user-approved MDM, which the kernel extension and privacy preferences payloads described below require. After completing the enrollment via DEP, the device receives all the configurations, apps, and accounts that have been assigned to its group in SimpleMDM.

SimpleMDM provides out-of-the-box DEP integration. For more advanced setups, SimpleMDM allows for additional extensibility with third party tools. You can read more about how some of our customers have used SimpleMDM to improve their onboarding process here: Customer Spotlight: Tom Bridge’s macOS Deployment Playbook

Is DEP not an option for your organization? Existing devices and non-DEP devices can be enrolled by visiting an enrollment URL that an administrator generates in the SimpleMDM interface. The link can be delivered by email or entered manually into a web browser. On macOS 10.13.4 and later, the user must then click Approve on the MDM profile in System Preferences > Profiles before the enrollment counts as user-approved; that click has to happen at the Mac itself, since it is ignored from a screen sharing session and cannot be scripted.

Security

MDM makes it easier to implement and enforce secure practices across your deployment, and SimpleMDM offers several features to help. First, passcode policies can be enforced to ensure that devices have passcodes set and that those passcodes meet specified requirements such as minimum length, complexity and maximum failed attempts. Second, firmware passwords can be enabled, with the password stored in the admin interface. Additionally, the FileVault profile lets you force users to enable FileVault encryption, with the option to escrow the personal recovery key to MDM; the key is encrypted to a certificate carried in the profile, so only the MDM can read it. This allows you to retrieve firmware passwords and FileVault recovery keys for managed devices when needed. Treat both as privileged secrets: anyone who can read them in the admin interface can unlock the Mac or its disk, so restrict that access accordingly.

Preferences and Permissions

Recent updates have brought some significant changes to macOS and MDM; two of the most notable additions are third-party kernel extension whitelisting and privacy preferences policies.

Many third-party apps need access to other programs or to protected data on the Mac. For example, a meeting app may need to control Calendar or Mail through Apple Events. Since macOS 10.14 Mojave, the privacy subsystem (TCC) prompts the user the first time an app makes such a request, and the request silently fails if the user declines or never sees the prompt. That is confusing to an end user who does not understand why an app they need does not work. This can be avoided with a Privacy Preferences Policy profile in SimpleMDM. The profile pre-approves specific apps, identified by bundle ID or path and pinned by their code signing requirement (the designated requirement printed by codesign -dr - on the app bundle), for specific services such as Apple Events to a named receiver, Contacts, Calendar, Photos, Accessibility or Full Disk Access, so no end-user interaction is necessary. Use the full designated requirement rather than a loose one, because the grant applies to any binary that satisfies it. The profile is honored only when delivered through a user-approved or DEP enrollment; it cannot be installed manually.

Some apps, such as VPN clients, security agents and virtualization tools, install kernel extensions. Since macOS 10.13 High Sierra, a third-party kernel extension will not load until a user approves it in System Preferences > Security & Privacy, and that approval must be given locally at the Mac. The Kernel Extension Policy profile allows administrators to configure whitelists that pre-approve kernel extensions by developer Team ID, or by Team ID plus bundle identifier for a tighter list, and optionally to disable user overrides so that only listed extensions can load. Like the privacy preferences profile, it takes effect only when delivered through a user-approved or DEP enrollment. This brings devices (and apps) another step closer to being completely user-ready.
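The profiles discussed in the Security section above and in this section are ordinary Apple configuration profiles (XML plists), and it helps to see what SimpleMDM is building on your behalf. The following is an added example written for this article, not SimpleMDM code: it assembles a passcode policy, a FileVault payload with recovery key escrow, a Privacy Preferences Policy rule and a Kernel Extension Policy into one .mobileconfig with Python’s standard plistlib, then runs the sanity checks an MDM applies before signing. The payload types and keys are Apple’s; the organization name, bundle IDs, Team ID, code requirements and the escrow certificate UUID are placeholders and are marked as assumptions in the code.

```python
"""Build a macOS .mobileconfig with plistlib: passcode, FileVault + escrow,
Privacy Preferences (TCC) and Kernel Extension payloads in one profile.
Added example, not SimpleMDM code. Payload types and keys follow Apple's
Configuration Profile Reference; bundle IDs, Team ID, code requirements and
the escrow certificate UUID are placeholders (assumptions)."""
import plistlib
import uuid

ORG = "Example Corp"  # assumption: organisation name shown in the profile UI
TEAM_ID = "ABCDE12345"  # assumption: the app vendor's Apple Developer Team ID
ESCROW_CERT_UUID = "8E8A3BC4-0F7D-4B33-9E5F-1C2D3E4F5A6B"  # assumption


def payload(payload_type, identifier, **keys):
    """One payload dict: the common keys every payload needs plus its own."""
    p = {"PayloadType": payload_type, "PayloadIdentifier": identifier,
         "PayloadUUID": str(uuid.uuid4()).upper(), "PayloadVersion": 1,
         "PayloadOrganization": ORG}
    p.update(keys)
    return p


def profile(display_name, identifier, payloads):
    """Top-level wrapper; PayloadScope must be System for these payload types."""
    return {"PayloadType": "Configuration", "PayloadDisplayName": display_name,
            "PayloadIdentifier": identifier, "PayloadUUID": str(uuid.uuid4()).upper(),
            "PayloadVersion": 1, "PayloadScope": "System", "PayloadOrganization": ORG,
            "PayloadContent": payloads}


def passcode_payload():
    """12+ alphanumeric characters, lock after 10 failures, 5 idle minutes."""
    return payload("com.apple.mobiledevice.passwordpolicy", "com.example.passcode",
                   allowSimple=False, requireAlphanumeric=True, minLength=12,
                   maxFailedAttempts=10, maxInactivity=5)


def filevault_payloads(escrow_cert_uuid):
    """Force FileVault at next login (no bypass) and escrow the personal recovery
    key encrypted to the MDM's cert (a com.apple.security.pkcs1 payload the MDM
    adds; only its UUID is assumed here)."""
    fv = payload("com.apple.MCX.FileVault2", "com.example.filevault",
                 Enable="On", Defer=True, DeferForceAtUserLoginMaxBypassAttempts=0,
                 UseRecoveryKey=True, ShowRecoveryKey=False)
    escrow = payload("com.apple.security.FDERecoveryKeyEscrow", "com.example.filevault.escrow",
                     Location="SimpleMDM", EncryptCertPayloadUUID=escrow_cert_uuid)
    return [fv, escrow]


def pppc_payload():
    """Pre-approve a meeting app to send Apple Events to Calendar. Sender and
    receiver are pinned by code signing requirement (the designated requirement
    from `codesign -dr - /Applications/Meeting.app`), so a re-signed or unsigned
    binary that merely claims the bundle ID does not inherit the grant."""
    rule = {
        "Identifier": "com.example.meetingapp",  # assumption
        "IdentifierType": "bundleID",
        "CodeRequirement": ('identifier "com.example.meetingapp" and anchor apple generic '
                            'and certificate leaf[subject.OU] = "%s"' % TEAM_ID),
        "Allowed": True,
        "AEReceiverIdentifier": "com.apple.iCal",  # Calendar.app's bundle ID
        "AEReceiverIdentifierType": "bundleID",
        "AEReceiverCodeRequirement": 'identifier "com.apple.iCal" and anchor apple',
    }
    return payload("com.apple.TCC.configuration-profile-policy", "com.example.pppc",
                   Services={"AppleEvents": [rule]})


def kext_payload(team_id, bundle_ids):
    """Allowlist specific kexts (Team ID + bundle ID) and remove the user's
    'Allow' button so nothing outside the list loads. AllowedTeamIdentifiers
    would approve every kext from the team; the per-bundle dict is tighter."""
    return payload("com.apple.syspolicy.kernel-extension-policy", "com.example.kext",
                   AllowUserOverrides=False,
                   AllowedKernelExtensions={team_id: list(bundle_ids)})


def build_profile(escrow_cert_uuid=ESCROW_CERT_UUID):
    """Assemble every payload into one profile and return .mobileconfig bytes."""
    payloads = [passcode_payload(), *filevault_payloads(escrow_cert_uuid),
                pppc_payload(), kext_payload(TEAM_ID, ["com.example.driver.kext"])]
    return plistlib.dumps(profile("Example Baseline", "com.example.baseline", payloads))


def check_profile(data):
    """Checks worth running before signing/uploading: unique UUIDs, system scope,
    every TCC rule pinned. Returns the payloads keyed by PayloadType."""
    prof = plistlib.loads(data)
    uuids = [prof["PayloadUUID"]] + [p["PayloadUUID"] for p in prof["PayloadContent"]]
    if len(uuids) != len(set(uuids)):
        raise ValueError("duplicate PayloadUUID")
    if prof.get("PayloadScope") != "System":
        raise ValueError("profile must be system-scoped")
    for p in prof["PayloadContent"]:
        if p["PayloadType"] == "com.apple.TCC.configuration-profile-policy":
            for rules in p["Services"].values():
                if not all(r.get("CodeRequirement") for r in rules):
                    raise ValueError("TCC rule without CodeRequirement")
    return {p["PayloadType"]: p for p in prof["PayloadContent"]}


if __name__ == "__main__":
    data = build_profile()
    check_profile(data)
    with open("baseline.mobileconfig", "wb") as f:
        f.write(data)
```

Running the script writes baseline.mobileconfig, which an MDM signs and delivers. The point to remember when a kernel extension still prompts or an Apple Events grant does not appear: macOS silently ignores the Kernel Extension Policy and Privacy Preferences payloads on a Mac whose enrollment is not user-approved or DEP-based, even though the rest of the profile installs, so check the enrollment state before debugging the payload keys.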

Software & App Deployment

SimpleMDM supports Apple Volume Purchase Program (VPP) app deployment as well as the ability to deploy macOS PKGs to Macs. By using SimpleMDM, you can ensure that your devices have all the software they need at deployment. Installed software inventory can also be viewed on a per-device basis within the admin interface.

Additionally, SimpleMDM pairs well with the open-source Munki for more extensive software management capabilities. We’ve written more on this topic here: Munki Deployment Using Apple DEP And MDM

Other configurations and remote actions

If a Mac is suspected lost or stolen, admins without MDM often have no concrete course of action. With MDM, admins can remotely lock or wipe the device by sending a command from the interface, with no action required from whoever holds the Mac. Both commands are delivered when the Mac next checks in, so it must come online for them to take effect, and the lock command sets a PIN that you will need to unlock the Mac afterwards.

SimpleMDM allows both device-specific and group-wide accounts to be configured remotely on devices. For Macs, this includes email accounts, VPNs, and wireless networks. A Restrictions profile can be used to enforce restrictions on users’ capabilities relating to the App Store, iCloud accounts, camera access, and more.

Custom certificates and configuration profiles can be uploaded via the admin interface and deployed to devices as well. For more technical users, this provides far more capability and flexibility, since anything Apple’s configuration profile format supports can be written by hand and pushed through MDM. Our post here demonstrates how custom profiles, especially when combined with custom attributes, can be used to customize the experience on macOS: How To Use Custom Configuration Profiles With Custom Attributes

Finally, much of what cannot be done with out-of-the-box MDM features can be achieved by combining MDM with open source tools. SimpleMDM gives administrators the flexibility to use the tools of their choosing alongside MDM; we’ve discussed many popular open-source pairings for Mac management here: Popular Open Source Tools for Mac Admins

For a more detailed look at what can be done with MDM on macOS, we encourage you to start a free trial with SimpleMDM.
