There are also a number of Apple services designed to aid the deployment of your devices, such as:
By default, Apple devices are not managed. Each device has to be configured to use an MDM server, and we call this process enrolment. Enrolling devices into an MDM server can be carried out in many ways, some more manual than others. One method involves the user visiting an enrolment webpage, but ideally the “zero touch” approach is favoured. This is where a new device becomes automatically enrolled the moment it is first switched on.
This can be achieved via the Device Enrollment Program (DEP). DEP is a service provided by Apple that allows a device to automatically enrol into an MDM server without user interaction and, more importantly, IT interaction. It truly is zero touch.
A DEP administrator can assign devices to a specific MDM server at the point they were purchased. Access to the physical device is not required.
The device is shipped direct to the end user. All they need to do is power it up and join a network with an internet connection. Once connected to the internet, the device looks up its details against Apple’s DEP servers and then automatically enrols into the specified MDM server.
If you need to wipe a device for some reason, the next time it is set up, it will automatically re-enrol.
More details on DEP can be found on both the Apple and Jamf websites which show videos of the user experience.
Mobile App Installation
Most commonly, apps are installed via Mobile Device Management and these usually originate from one of Apple’s various stores. Mobile Device Management enables you to send commands to install or uninstall specific apps. Apple’s Volume Purchase Program (VPP) makes the purchasing of apps much simpler. VPP allows you to buy licenses in bulk for both apps and books. You can then deploy these to designated devices. Read all about VPP here: https://www.apple.com/business/vpp/
These remote commands enable you to carry out specific tasks such as wiping a device, enabling lost mode and locking the device. These are extremely useful if the device is misplaced or stolen.
Configuration profiles allow you to apply management settings to a device. These can be created on your MDM server and then pushed to specific devices. A configuration profile contains a number of different settings that can be applied. These include:
- Restrictions and security settings
- Wi-Fi settings
- VPN settings
- Email server settings
- Exchange settings
- Directory service settings
- Calendar service settings
- Web clips
- Credentials and keys
As most devices are now mobile, restriction and security settings are of high importance. With a configuration profile, you can ensure users have compulsory passcodes on their iOS devices and enable FileVault encryption on Macs.
Configuration profiles also allow you to set up services for users. For instance, you could set up the user’s email client in advance with all the details they require. They would just need to enter their own password.
This is the least discussed feature of Mobile Device Management but possibly the most valuable. As you enrol devices, they upload their entire configuration state, including hardware, to the server and continue to update this information. This provides you with an inventory of your entire estate.
With this information you can subsequently run reports. As an example, a report can show the operating system version of each device, which lets you see which are security compliant and which are running out-of-date software.
Because devices regularly update this information automatically, you would also receive an early warning if any go missing.
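The report and early warning described above can be sketched as a short script. This is an added example, not code from any MDM product; the inventory records, field names, minimum OS version and 14-day silence threshold are all constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample inventory; field names are hypothetical, not a vendor schema.
INVENTORY = [
    {"serial": "C02EXAMPLE01", "os": "17.4.1", "last_checkin": "2024-05-20T08:15:00+00:00"},
    {"serial": "C02EXAMPLE02", "os": "16.7", "last_checkin": "2024-05-19T22:40:00+00:00"},
    {"serial": "C02EXAMPLE03", "os": "17.5", "last_checkin": "2024-04-02T11:05:00+00:00"},
    {"serial": "C02EXAMPLE04", "os": "17.10", "last_checkin": "2024-05-20T09:00:00+00:00"},
]


def parse_version(text):
    """Turn '17.4.1' into (17, 4, 1) so that 17.10 sorts above 17.4."""
    return tuple(int(part) for part in text.split("."))


def compliance_report(inventory, min_os, now, max_silence=timedelta(days=14)):
    """Return {serial: [findings]} for devices that need attention."""
    floor = parse_version(min_os)
    report = {}
    for device in inventory:
        findings = []
        version = parse_version(device["os"])
        # Pad to equal length so '17.4' and '17.4.0' compare as equal.
        width = max(len(version), len(floor))
        padded = version + (0,) * (width - len(version))
        padded_floor = floor + (0,) * (width - len(floor))
        if padded < padded_floor:
            findings.append(f"os {device['os']} below minimum {min_os}")
        # A device that has stopped reporting may be lost, stolen or unenrolled.
        silence = now - datetime.fromisoformat(device["last_checkin"])
        if silence > max_silence:
            findings.append(f"no check-in for {silence.days} days")
        if findings:
            report[device["serial"]] = findings
    return report


if __name__ == "__main__":
    now = datetime(2024, 5, 21, tzinfo=timezone.utc)  # fixed so output is repeatable
    for serial, findings in compliance_report(INVENTORY, "17.4", now).items():
        print(serial, "; ".join(findings))
```

Comparing versions as integer tuples rather than strings matters here: a plain string comparison would rank 17.10 below 17.4 and flag a current device as out of date.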