The new normal; an Apple admin’s guide to employee onboarding

Yannis Lagogiannis

Apple, Deployment, Management

The landscape of the corporate workspace has been altered many times over the last few decades. The rows of private offices (the best ones usually came with a view) gradually gave way to cubicle-filled open floors. The cubicle walls, which were almost universally loathed, progressively lowered to the point of disappearing altogether until the open-plan working culture took over, introducing informality through hot-desking and other flexible working practices. 

Today’s working environments feature collaborative and social spaces alongside the more formal private office or meeting rooms. Armed with a host of mobile devices to choose from, and supported by ubiquitous, super-efficient internet connectivity, as well as the flexibility provided by the Cloud, modern workers are making the most of this style of working. 

Alongside this transition, however, another more subtle but equally transformative change emerged – remote working. Fuelled by the same technological factors that aided mobility within the office walls, remote working grew from being a rare privilege to a frequently-leveraged tool for many organisations. 

The new normal.

And then…COVID-19 happened. Practically overnight, an organisation’s remote working capability was promoted, from being a complementary tool in its technology portfolio to a core necessity for business continuity. Entire industry sectors were ushered into a rapid and unprepared transition to remote working. 

Nevertheless, the way the vast majority of organisations have so far reacted to this change has been nothing short of astonishing. Most employees in organisations that promoted flexible working, and had invested in modern device and infrastructure management, just picked up a laptop…and went home.

Yes, there are still teething problems to address, some being significant. But at this point, we can safely say that, for the vast majority of businesses who have tried it, the rapid transition to remote working has been seamless. So seamless we have already started calling this mode of working ‘the new normal’. It will be interesting to see in the coming months just how much of the change inflicted upon us by this ‘new normal’ becomes permanent. 

The move away from desktops in favour of mobile devices, and the rise of online collaboration tools such as Slack, Microsoft Teams and Zoom has been steady for some time. This suggests the switch to remote working was not a sudden change of direction, especially in the information and services industries, but more of an acceleration of what was already taking place, albeit at a slower pace. One thing is certain, though. Even for those organisations that have successfully transitioned to remote working, more challenges lie ahead.

The remote employee Apple onboarding challenge.

Arguably, the onboarding of new employees joining a company in the coming months will be one of the hardest challenges for organisations to face. Having transitioned to remote, organisations will still have to address the difficult task of maintaining an equivalence of their technology capabilities, security posture, staff engagement, and business-as-usual operations outside the comfort and security of their LAN and a corporate firewall. 

Thankfully, those same advances in technology infrastructure and mobility management that made the transition to remote working as successful as it has been so far can be leveraged to ensure success in the onboarding of a new employee. And because at dataJAR, we live and breathe Apple, we offer a deeper dive into the essential components to successfully onboard a remote employee in the Apple platform ecosystem.

Remote onboarding, the Apple way.

At a fundamental level, a successful remote Apple onboarding process consists of three steps:

  1. Being able to dropship an unconfigured device to a remote user.
  2. Having in place an automated enrolment and configuration process that the user can perform unaided.
  3. Ceding control to the user, while maintaining an automated and secure onboarding process.

Those of us working in the Apple space are very fortunate to have solutions for all of these challenges at our disposal, through a rich set of technical capabilities for remote working as well as a dynamic and innovative third-party and open source ecosystem that drives Apple’s vision even further. 

Apple Device Management ecosystem

The beginnings of this ecosystem can be traced back to 2011, when Apple's controversial move to discontinue the Xserve line and stay away from the enterprise device management space was heavily criticised. But this move was part of a bigger plan. 

By leaving space for third-party vendors and open source groups to innovate in device management, while shifting its focus to the Mobile Device Management (MDM) spec and to services such as the Device Enrolment (DEP) and Volume Purchase (VPP) Programs, which it made available to everyone at no cost, Apple ushered us into the era of modern device management. 

Today, we are in a position to be able to leverage native remote working and learning capabilities within Apple’s operating systems, together with extremely capable device management solutions, such as our datajar.mobi platform, to provide a seamless onboarding experience for any user and in any environment. 

Tools like Jamf Pro on the commercial side, and Munki in the open-source space, provide extensive management functionality for IT teams, as well as some of the most active developer and user communities in the sector. At dataJAR, we are proud to be key members of both.

Device Enrolment

Apple pioneered zero-touch provisioning through the development of the Apple Deployment Programs back in 2013-2014.  The Device Enrolment Program (DEP), as it was called at the time, has been instrumental in shaping the modern device provisioning process and has gone on to be copied in various guises within both the Windows and Android platforms. 

Device Enrolment works by automating the Mobile Device Management (MDM) enrolment and simplifying the initial device setup. Devices can be supervised during activation without the IT team touching them, and MDM enrolment can be locked for ongoing management.

Today, Apple provides two administration portals for Device Enrolment: Apple Business Manager (ABM) for enterprise and business users, and Apple School Manager (ASM) for education. The two portals are almost identical, with small industry-specific differences setting them apart. 

After registering your organisation with the relevant portal, you will be able to add your MDM tool, which you can then configure to assign PreStage configurations to devices that have been added to your Device Enrolment account by resellers or Apple directly. Not all Apple resellers can assign devices to Device Enrolment though, so always check your supplier’s capabilities and track record in advance. 
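The two controls described in this section, supervision at activation and locked MDM enrolment, end up as settings in the enrolment profile that the MDM server assigns to devices. As an added example (not dataJAR's or Apple's code), the Python below audits such a profile; the key names follow Apple's Device Enrolment profile format, while the sample profile, its URL and the required values are constructed assumptions.

```python
import json

# Constructed sample profile. Key names follow Apple's Device Enrolment
# profile format; the name, URL and values are made up for this example.
SAMPLE_PROFILE = json.loads("""
{
  "profile_name": "Remote onboarding (constructed sample)",
  "url": "https://mdm.example.com/enrol",
  "is_supervised": true,
  "is_mandatory": true,
  "is_mdm_removable": true,
  "await_device_configured": false
}
""")

# Assumed policy for a drop-shipped device: (key, required value, risk if not).
REQUIRED = [
    ("is_supervised", True, "device is not supervised at activation"),
    ("is_mandatory", True, "user can skip enrolment in Setup Assistant"),
    ("is_mdm_removable", False, "user can remove the MDM profile"),
    ("await_device_configured", True,
     "Setup Assistant does not wait for the MDM server to finish configuration"),
]


def audit_profile(profile):
    """Return a list of (key, problem) findings; an empty list means compliant."""
    findings = []
    if not str(profile.get("url", "")).startswith("https://"):
        findings.append(("url", "enrolment URL is missing or not HTTPS"))
    for key, wanted, risk in REQUIRED:
        if key not in profile:
            findings.append((key, f"not set, expected {wanted}"))
        elif profile[key] is not wanted:
            findings.append((key, risk))
    # Apple only honours a non-removable MDM profile on supervised devices.
    if profile.get("is_mdm_removable") is False and profile.get("is_supervised") is not True:
        findings.append(("is_mdm_removable", "lock requires is_supervised to be true"))
    return findings


if __name__ == "__main__":
    for key, problem in audit_profile(SAMPLE_PROFILE):
        print(f"{key}: {problem}")
```

The sample profile is flagged on two keys: enrolment is not locked, and Setup Assistant does not hold the user until configuration has finished.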

Apps and Content 

Parallel to the Device Enrolment Program, Apple developed the Volume Purchasing Program (VPP) to aid in the provisioning of App Store apps and content. While initially tied to specific Apple IDs, the popularity of VPP increased with the introduction of device-based licenses, which do not require an Apple ID for deployment and can be targeted at a managed and supervised device instead. 

This means an App can be deployed directly from the App Store onto a device without the user needing to log in with a named Apple ID. The same App can also be removed from a device, with the license being reclaimed and reissued.  

Volume Purchasing is now tightly integrated into Apple Business/School Manager and presented under the ‘Apps and Books’ heading. From here, administrators can add apps to their catalogue and make them available to devices through the MDM server integration within ABM/ASM. To enhance the native configuration capabilities of apps deployed via MDM, the AppConfig community have come together in creating a set of common standards.

There is still a challenge, however. While Volume Purchasing is an excellent feature for remote onboarding in iOS, the application deployment and patching challenge in macOS remains a difficult one to solve. This is primarily due to the sheer number of apps that are still not distributed via the Mac App Store, as well as the difference in app sizes between the two platforms, with Mac software often being much larger than mobile apps. 

At dataJAR, we decided to address this very challenge by developing a solution called Auto-Update. This automated packaging service includes more than 480 software titles that are updated daily and can be made available during the remote onboarding process, with no effort from the IT team.

User enablement

Once you have defined your process for the remote provisioning of the device, including the automated enrolment into an MDM server, the configuration of the user environment and the deployment of software, you are left with one final significant challenge to address: remote user enablement.

Admittedly, this is an extensive area, without a definitive how-to guide. How you best approach this will depend on a range of factors, like which sector your organisation operates in, what your IT infrastructure looks like, what your technology stack consists of, any legal requirements you must meet etc. Within dataJAR we often call this ‘beyond device management’, referring to those technology capabilities that are more directly visible to the user and will shape their daily interactions with their Apple device as well as the IT team. 

From a dataJAR perspective, our strategy towards successful remote enablement relies on partnering with others to provide critical capabilities.  As an example, to help our customers address their remote enablement needs, we have partnered with market leaders such as Okta and Jamf in the Identity Management and Authentication space, with Code42 for Data Loss Prevention, and have also developed dataJAR Protect in partnership with Malwarebytes to provide threat detection and remediation directly into datajar.mobi.

The final ingredient. Culture!

Getting the technology right is fundamental to the delivery of a successful remote onboarding process, but what ultimately determines long-term success is a culture of empowerment. 

The importance of organisational culture as a deciding factor in the success (or not) of remote working is something that has become evident in these past weeks, during the response to COVID-19.

Ultimately, it is not enough to send an employee home armed with a managed laptop and collaboration tools. It will be our willingness to bend the technology to fit the needs of those who use it that will determine success during this time. I know I speak for everyone at dataJAR when I say that we are here to help you make that happen.