Last updated November 7, 2019
While Apple’s MDM protocol has supported iOS for some time, macOS support is slightly newer and offers a modified set of functionality. This article provides a general overview of some of the capabilities that are available with native Apple MDM on macOS. The goal is not to provide a complete list of macOS MDM functionality provided by SimpleMDM.
One of the most notable benefits of using MDM for macOS is how it can help with onboarding new users. Traditionally this involved the tedious and time-consuming process of imaging machines or configuring them manually. It also generally required an IT technician to be present for hands-on setup.
With the help of MDM, the Apple Device Enrollment Program (DEP), and Apple Business Manager, device administrators can drastically reduce onboarding time and improve the overall experience. When a Mac registered in Apple DEP and assigned to SimpleMDM connects to the internet, it automatically enrolls in MDM immediately after device activation. Enrollment through Apple DEP enables skipping many of the initial Setup Assistant settings. This saves a considerable amount of time. It also allows local admin account creation during initialization. After completing the enrollment via DEP, the device receives all the configurations, apps, and accounts assigned to its group in SimpleMDM.
SimpleMDM provides out-of-the-box DEP integration. For more advanced setups, SimpleMDM allows for additional extensibility with third-party tools. You can read more about how some of our customers have used SimpleMDM to improve their onboarding process here: Customer Spotlight: Tom Bridge’s macOS Deployment Playbook
DEP not an option for your organization? Existing devices and non-Apple DEP devices can be enrolled by simply visiting an enrollment URL sent by an administrator through the SimpleMDM interface. Simple click the enrollment link delivered by email or enter the URL manually into a web browser.
MDM makes it easier to implement and enforce security practices across your deployment. SimpleMDM offers many features to help. First, passcode policies can be enforced to ensure that devices have passcodes set and that those passcodes meet specified parameters. Second, firmware passwords can be enabled and stored within the admin interface. Additionally, the FileVault profile allows you to force users to enable FileVault encryption with the option to escrow the key to MDM. This allows you to easily retrieve firmware passwords and FileVault keys for managed devices.
Recent updates have brought some significant changes to macOS and MDM. Two of the most notable additions are third-party kernel extension whitelisting and privacy preferences policies.
Many third-party apps require access to other programs on your computer. For example, a meeting app may need to access the Calendar or Mail apps. After downloading the third-party app on macOS, typically a user/admin will need to provide these apps with permission to access other apps. If the app doesn’t have the proper permissions, it can be problematic to the end-user who may not understand why they can’t use an app they need. Luckily, using a Privacy Preferences Policy within SimpleMDM prevents this. This profile allows you to specify certain apps that have pre-approval to access other apps so no end-user interaction will be necessary.
Some apps require special access to devices in order to function. The user typically grants this access manually. The Kernel Extension Policy profile allows administrators to configure whitelists to pre-approve kernel extensions for third-party apps, making devices (and apps) another step closer to being completely user-ready.
SimpleMDM supports Apple Volume Purchase Program (VPP) app deployment as well as the ability to deploy macOS PKGs to Macs. By using SimpleMDM, you can ensure that your devices have all the software they need at deployment. The admin interface also enables viewing inventory on a per-device basis.
Additionally, SimpleMDM pairs quite well when used alongside open-source Munki for more extensive software management capabilities. We’ve written more on this topic here: Munki Deployment Using Apple DEP And MDM
When a Mac goes missing, some admins may not have a specific course of action. With MDM, admins have the ability to remotely lock and wipe devices by sending a command from the interface, rather than requiring some user interaction to do so.
SimpleMDM allows both device-specific and group-wide accounts to configured remotely on devices. For Macs, this includes Email Accounts, VPNs, and Wireless Networks. A Restrictions profile enforces restrictions on users’ capabilities relating to the App Store, iCloud accounts, camera access, and more.
Custom certificates and configurations can be uploaded via the admin interface and deployed to devices as well. For more technical users, this provides room for much more capabilities and flexibility to create and use their own configurations. Our post here demonstrates how custom profiles, especially when combined with custom attributes, can be used to one’s advantage to customize the experience on macOS: How To Use Custom Configuration Profiles With Custom Attributes
Finally, the limitations of using only out-of-the-box features in MDM can be avoided through the use of open-source tools alongside an MDM. SimpleMDM provides administrators with the flexibility to utilize their choice of alternative tools alongside MDM; we’ve discussed many popular open-source pairings for Mac management here: Popular Open Source Tools for Mac Admins
For a more detailed look at what can be done with MDM on macOS, we encourage you to start a free trial with SimpleMDM.