A COMPREHENSIVE GUIDE

Apple Device
Management
FOR BEGINNERS
 According to Forbes, Apple device growth in the
enterprise is 20% year over year.
As Apple device adoption rises in business and education environments around the globe, it’s
imperative that technology investments are maximized so that organizations can leverage Mac,
iPad, iPhone and Apple TV to their full potential. This can put a heavy burden on IT staff that are
now tasked with managing this influx of new devices – especially those of you in established
Windows environments. And as the shift to remote work, distance learning and adjusting to
working and learning anywhere becomes the new normal, managing devices from startup to
ongoing support is critical.

While some are very familiar with Apple already, many of you are diving into Apple
device management for the first time. This guide is for the latter, and will help you
build and master your Apple management skills by providing:

Introduction to Apple services Understanding Insight for Industry-leading

Apple device and programs Apple lifecycle infrastructure Apple Enterprise
management overview management planning Management
(AEM)
 How MDM works
Most Apple devices are able to understand and apply settings such as remote wipe
or passcode restrictions thanks to a built-in mobile device management (MDM)
framework. Two core components to the MDM framework are configuration profiles

Introduction
and management commands.

These components communicate to the device via Apple’s Push Notification service
(APNs), which is kept private to your organization through obtaining a secure

to Apple device certificate from Apple. Apple’s server then maintains a constant connection to
devices so you don’t have to. Devices communicate back to your management server

management
and receive commands, settings, configurations or apps you define.

When thinking about how to manage

Apple devices, it’s helpful to break
the lifecycle down into common tasks
you might do. These tasks are the
same regardless of whether you are
managing Apple devices, non-Apple
devices or a combination of both.
Configuration profiles
... are XML files that define various settings
for your Apple devices and tell that device
how to behave. They can be used to
automate configuring passcode settings,
Wi-Fi passwords and VPN (virtual private
network) configurations. They can also
be used to restrict items such as device
features like the App Store, web browsers
or the ability to rename a device. These
profiles can all be specified and deployed
leveraging Jamf and be set at the device
or user level.
Management commands
...are singular commands that you can
send to your managed devices to take
specific actions. Has a device gone
missing? Put it into Lost Mode or send
a remote wipe command. Need to
upgrade the OS? Send the command
to download and install updates. These
are just a few examples of the different
actions you can take on a fully managed
Apple device.
MDM and client management
While Apple’s MDM framework provides the necessary control over iPadOS, iOS and
tvOS devices, macOS is a more robust platform that may require more advanced
functionality. Leveraging client management (only available for macOS), allows you to
install a Mac agent, or binary, immediately after the device is enrolled into management.

This agent enables a hidden admin account to be added, allowing for remote root access
to macOS and opens the door for more policies and scripts to be run on a computer.
Since agent-based Mac management goes beyond the built-in MDM, you need a third-
party solution, like Jamf, to take advantage of advanced Mac management.

Examples of Client Management Functions

Install PKG/DMG Enforce FileVault Bind to Directory

Run Scripts Customize Dock Set EFI Password

Install Printers Create Accounts Set Software Update


Apple
services and
programs
As Apple devices became more popular in
the enterprise and education, challenges
arose about how to best deploy devices
at scale, how to address Apple IDs
and the purchasing of apps. Apple, of
course, looked to solve these issues and
introduced various programs and services
to take device management one step
further, making it easier and more cost
effective to manage devices in bulk.
Not every Apple device management
solution supports Apple’s programs and
services. Check with your vendor to
ensure they support these programs, as
well as the incremental changes Apple
makes throughout the year.
Zero-Touch
Deployment
This automated enrollment process
allows you to configure any Mac, iPad,
iPhone or Apple TV purchased from
Apple or an Apple authorized reseller and
customize each device for your users – all
without ever having to touch the device.
Hardware purchases are associated with
your Apple customer number or reseller
ID and automatically enroll a device into
management under an Apple management
solution. Automated Device Enrollment
enables you to provide a great zero-touch
experience for end users. They simply
open up the box, turn on the device
and get to work — regardless of if your
employees is on-site or remote.
Device
Supervision
Supervision is a special mode of iPadOS,
iOS and tvOS management where IT is
granted greater control over devices
they own when enrolled via Automated
Device Enrollment, User Approved MDM
or Apple Configurator. A large number of
management features including Managed
Lost Mode, blocking apps and silently
installing apps all require supervision.
It is recommended that corporate-owned
and school-owned devices be put into
supervision mode.
Apps and
Books
You can purchase and license apps and
books in bulk from Apple, and distribute
them to individuals via Apple ID or directly
to devices without an Apple ID. Apps can
be later reassigned as deployment needs
change. You can link a token (received
from Apple) to your MDM solution for
assignment and distribution. If you’re an
education institution, your instance is built
directly within Apple School Manager (see
next page).
Apple IDs
Apple IDs are the personal account
credentials users use to access Apple
services such as the App Store, iTunes
Store, iCloud, iMessage and more.
Depending on the needs of your
organization, your end users can leverage
their Apple ID on the job, or you can avoid
using Apple IDs altogether. If you’re an
education institution, your students will
receive a different type of Apple ID (see
next page).
 Apple School Manager Apple Business Manager

Launched in 2017, Apple School Manager is a web-based portal
for IT administrators to oversee people, devices and content – all
from one place. Exclusively for education, Apple School Manager
combines Automated Device Enrollment and volume purchasing of
Apps and Books and other classroom management tools, such as
the Classroom app, in one portal. Apple School Manager enables
Managed Apple IDs and Shared iPad and can be integrated with
your school’s Student Information Systems (SISs).
Apple Business Manager is the platform for IT teams and businesses
to pair with an MDM solution to automate device deployment, app
deployment and purchasing, and content distribution. Similar to Apple
School Manager, it combines the power of Automated Device Enrollment
and volume purchasing in one central location.

Managed Apple IDs

Apple School Manager and Apple Business Manager enable

Managed Apple IDs for users. Managed Apple IDs are created in the
Apple School Manager or Apple Business Manager portal, and can be
integrated with a school’s student information systems (SISs). They do
not require special permission and, because they are owned by your
organization, they allow IT admins to create and dynamically update
user information or even assign apps and other services to the the
user or device.

Shared iPad

Shared iPad extends the value of an iPad device by providing

multiple users access to the device. Each user, with their own
Managed Apple ID, can log in and out while their apps, content and
work stay intact. Shared iPad is available for both educational and
enterprise organizations (requires Apple School Manager or Apple
Business Manager.)
 1 Deployment 2 Configuration
and Provisioning management
Getting devices into the Applying the correct settings
hands of end users. to devices.

Lifecycle
3 App 4 Inventory
management management management

stages Ensuring the correct software

and apps are on each device
and are up to date.
Reporting on the status of
each device.

Apple’s device management

framework, commonly referred to
as the MDM framework, includes 5 Security 6 User
six key elements across the entire
Securing devices to empowerment
lifecycle of your Apple devices. organizational standards.
Allowing users to self-help
when they require resources
MDM is Apple’s built-in and services.

management framework —
available for macOS, iOS, iPadOS
and tvOS — and aids with these
From initial deployment to the end-user experience, it’s critical to understand,
functions:
manage and support the entire lifecycle of the devices in your environment.
This ensures both the security and maximized potential of your Apple devices.
1 Deployment and Provisioning
Before configuring devices for end users, devices must be enrolled into management within an MDM solution.
There are several enrollment methods available, but the two highlighted below are recommended for enterprise and
education institutions looking for a streamlined and positive end-user experience:

Supervision
Description User Experience (iOS only) Best For

Automated Device
User receives shrink-wrapped
Enrollment with Automatic enrollment box, and the device is
Shipping devices to remote employees, students
Apple School Yes–wirelessly or to speed up the onboarding process.
over the air automatically configured when
Providing users with an out-of-box experience
Manager or Apple turned on
Business Manager

Users install the MDM profile by Unmanaged, personally

Account-driven Manual enrollment over
visiting the enrollment portal in No owned devices that need to be
User Enrollment the air via Settings App
the Settings app of their device enrolled into a new MDM server

Manual enrollment Unmanaged devices currently in the field or

User-initiated User visits a specific URL to
over the air or over the No devices that need to be reenrolled into a new
enrollment configure their device
air via URL MDM server

Apple Enrollment through a Mac IT manages the setup process

Yes—wired
app that connects to and hands devices to users Shared and cart-device models, labs
Configurator
devices via USB (does
(iOS and tvOS only)
not apply to Apple TV 4K)
Best Practice

Automated Device Enrollments with Apple Business Manager

Purchase devices, add them to Device enrolls with the MDM server.
your MDM inventory and ship them Prepare any configuration profiles and apps
directly to users. you’d like to apply to devices.

Jamf can
automatically
configure
your iPad.

1 2 3 4 5

Sign up for Apple Business As a user turns their device on Device receives configurations
Manager and link your account for the first time, the device will and apps scoped to it, and the
to your MDM server. automatically be enrolled – no user is brought to the Home
additional interaction is needed. screen. The device is now
managed and configured – all
without IT having to touch it!

If using a cloud identity provider, devices can be provisioned with the

appropriate applications and services based on the user’s cloud identity
and can be accessed with a single set of cloud identity credentials.
Best Practice

Automated Device Enrollments with Apple School Manager

Purchase devices, add them Device enrolls with the MDM server.
to your MDM inventory and ship Prepare any configuration profiles and apps
them directly to users. you’d like to apply to devices.

Jamf can
automatically
configure
your iPad.

1 2 3 4 5

Sign up for Apple School As a user turns their device on Device receives configurations
Manager and link your account for the first time, the device will and apps scoped to it, and the
to your MDM server. automatically be enrolled – no user is brought to the Home
additional interaction is needed. screen. The device is now
managed and configured – all
without IT having to touch it!
 Configuration management
2 of MDM configuration profiles here, or join
When it comes to configuring Apple devices, the world is your oyster.
You can personalize and tailor individual devices or groups of devices based
on the needs of your end users.
Configuration Profiles
Define settings within macOS, iOS, iPadOS and
tvOS by creating configuration profiles. These small
XML files can be distributed to devices utilizing
a managed solution. You can apply Wi-Fi, VPN,
email settings and more so users can seamlessly
connect to the resources they need.
Smart Targeting
Collect inventory details, including custom
inventory attributes you define, for all of your
managed devices, to identify which ones require
software updates, security hardening or other
management actions. If your device management
solution allows, you can build groups based
on inventory criteria and then trigger device
management tasks automatically to specific
individuals or groups, or make items available on
demand to users with an enterprise app catalog.
Don’t know where to start? Check out a list
the conversation on Jamf Nation.
Policies
Unique to macOS client management, policies go
beyond the basic device management capabilities
of MDM configuration profiles and help you install
custom software and printers, manage local user
accounts and conduct advanced management
workflows. You can specify the tasks you want to
automate, how often and when it should run, and
to which users and/or devices.
Scripts
Part of policies, run shell scripts on macOS utilizing
the Apple device management capabilities within
your client management solution. Anything that
can be executed in Terminal via the command
line can be turned into a script. The ability to run
scripts provides far more flexibility than standard
configuration profiles, and opens the door to
infinite device management capabilities.
 App management
3
App fundamentals Software Installs and Patching
Today, we are all familiar with the App Store on our iPhone, iPad and Apple TV devices. Jamf Title Editor extends the patch
They are the only way for consumers to get apps on their devices. Apple reviews the management capabilities of Jamf Pro for
developer’s code to ensure security and performance. This is one of the reasons why Apple macOS devices to provide custom software
enjoys a strong security reputation. For the Mac, however, you can also get software outside titles, override existing patch definitions and
of the App Store. create custom patch definitions. Better yet,
App Installers are Jamf-provided installer
Popular titles not in the Mac App Store include Google Chrome, Microsoft Office and Adobe
packages that streamline deployment
Creative Suite, so it’s important to have a Mac client management tool that’s able to deploy
of third-party apps.
custom software. Some management tools, like Jamf Pro, have the ability to build custom
.pkg or .dmg (Mac software install file types) by creating a before and after snapshot of an
installation. That software package can then be deployed to managed Macs – all without
users needing to be admins.

Take snapshots of Create a custom Push install via the

software installs .pkg or .dmg Jamf Agent Here are three app management
options you can utilize for your
For software that is in the App Store, we can use an Apple program to license and distribute devices.
apps to devices all without needing Apple IDs.
Deploy Apps with Apple School
Apple devices are wildly popular among consumers because of the native communication,
Manager or Apple Business
learning and productivity tools available right out of the box, but the rich library of apps in
Manager
the App Store are what set the Apple ecosystem apart. With a device management solution
in place to manage your app deployments, you ensure users have the apps they need —
Place Apps in an on-demand self
configured for their use case and secured for your environment. service catalog with Jamf Pro
(more below)
Whether your organization is choosing to utilize Apple’s built-in apps, one (or many) of the
millions of apps from the App Store or creating your own in-house custom apps, you need to
App Deployment for Apple TV
ensure users have all the apps they need and are properly secured within your environment.
 App management
3
When deploying App Store apps via Apple
Business Manager or Apple School Manager,
you gain extra security and configurations for
that app (iOS only).

Here’s what’s possible:

What is a Managed App? Managed Open In App Configurations

Introduced in iOS 5, managed apps differ
from a standard app because they are flagged
as owned by an organization. Specifically,
managed apps are distributed via MDM
technology and can be configured and
reassigned by MDM.
Managed Open In takes the concept of
managed apps a step further by controlling
the flow of data from one app to another. With
MDM, organizations can restrict what apps are
presented in the iOS share sheet for opening
documents. This allows for truly native data
management without the need for a container.
Sometimes deploying an app isn’t enough and
you’d like to pre-customize some of the settings.
This is the premise for App configurations. App
developers can define what settings can be pre
configured by an MDM server for their app. For
example, you could deploy the Box app with the
server URL prepopulated so users only need to
enter their username and password to get the
app up and running.
 Best Practice

Deploys Apps with Apple Business Manager for the Enterprise

Apple Business Manager for enterprises: The ability to purchase apps in bulk and automatically distribute them.

Find and purchase app licenses from the web Invite users to participate in your
store. You will also need to “purchase” free apps. deployment via email or push notification.
Choose to assign
apps to either
devices directly
or to a user’s
Apple ID.

1 2 3 4 5

Sign up via Apple’s website and link Add your app licenses to your Apps are linked to a user’s Apple ID and are
your account to your MDM server. MDM server, including free apps. found in the Purchased tab of the App Store.

Apps are deployed directly to the device.

No interaction or Apple ID required.
Best Practice

Deploy Apps with Apple School Manager for Education

Find and purchase app licenses from the Apple School Manager Apps are deployed directly to the device.
web store. You will also need to “purchase” free apps. No interaction or Apple ID required.

1 2 3 4

Sign up for Apple School Manager and link Add your app licenses to your
your account to your MDM server. MDM server, including free apps.
Best Practice

App Deployment for Apple TV

Apple TV provides support for enterprise apps (commonly referred to as in-house apps). These
Want the ins and
apps can be uploaded to your management server and pushed out to your Apple TV devices outs of Apple TV?
automatically and without Apple IDs, just like your iOS devices. Popular enterprise apps for Apple
TV include digital signage, emergency alerts and more.

Configuration profiles
Using an MDM solution, IT can define settings with tvOS configuration profiles
Check out our
and distribute them to Apple TV devices. As a result, Wi-Fi, restrictions and
AirPlay settings are more easily applied over the air. Further, Apple TV devices Apple TV Management
can be put in Single App Mode to customize the Apple TV experience by class for Beginners e-book.
or Conference Display Mode for an intuitive presentation workflow.

Smart targeting
With the ability to automatically collect inventory details, including Apple
TV device names from all managed devices, IT can quickly and accurately
identify which devices require action. Based on this inventory information,
IT can build targeted groups to trigger automatic device management tasks.
For example, IT can now find all Apple TV devices without AirPlay settings
configured and then deploy that configuration.

Custom app and display support

If and when businesses create unique app experiences to deliver
a customized full-screen experience, IT can leverage MDM to deploy these
custom apps over the air. Additionally, with the latest tvOS, IT can now set
a Home Screen layout, show/hide apps as well as restrict media content based
on age guidance.
4 Inventory
MDM solutions are capable of querying an Apple device to collect a large
amount of inventory data, ensuring you always have up to date device
information and can make informed management decisions. Inventory can be
collected from a device at various intervals and include serial number,
OS version, apps installed and much more.

Examples of data collected with MDM

Hardware Details Software Details

• Device Type • OS Version

• Device Model • List of Apps Installed
• Device Name • Storage Capacity
• Serial Number • Available Space
• UDID • iTunes Store Status
• Battery Level

Management Details Additional Details

• Managed Status • Profiles Installed

• Supervised Status • Certificates Installed
• IP Address • Activation Lock Status
• Enrollment Method • Purchasing Information
• Security Status • Last Inventory Update
4 Inventory

Why does inventory matter?

You can’t manage what you can’t measure. The inventory data your
MDM solution collects can be used for a wide range of business
needs and empower you to answer common questions like:
Smart targeting
By leveraging inventory data, smart targeting enables you to dynamically
group devices and deploy configuration profiles and restrictions to those
devices. At Jamf, this is referred to as Smart Groups.

Are all my devices secure?

How many apps do we have
deployed? Static Groups Patented Smart Groups
What version of iOS, macOS Find all Macs wtih 8GB RAM, with 80% full
Apply a Profile or Policy
and tvOS are certain devices hard drives, running 15.1.1 or higher

running?

1 2 3

4 5 6
Some management solutions even allow you to collect extra
Apply a Profile or Policy
(custom) inventory about specific hardware and software add-ons.
For example, you can figure out when a third-party backup utilitiy
last ran or what printer drivers are installed.

Static vs. Smart Groups

Static Groups are a set of devices that are defined, like a classroom or a lab.
You can apply a management policy to that entire group.

Smart Groups, on the other hand, are dynamic and always changing based
on inventory data. This enables you to dynamically group devices and deploy
configuration profiles and restrictions to those devices.
5 Security and privacy
The security and privacy of devices and access to corporate
resources are a top priority for any organization. To address
these worries, Apple has a number of security features built right
into macOS, iPadOS, iOS and tvOS.

Coupled with an MDM solution, you can ensure that not

only your devices are secure, but your network, data
and apps are as well.

iOS/iPadOS macOS
Security Features Security Features

1 1
tvOS leverages many of the security
features found in iOS, such as direct
Software Secure System App Store Software System Integrity Gatekeeper software updates from Apple, vetted
Updates Updates Protection (SIP) and secure App Store apps, app data
protection with App Sandboxing and
deeper levels of management through
supervision.
Touch ID Hardware App App Store FileVault XProtect
Encryption Sandboxing Encryption With management, Apple TV settings can
be deployed to automate AirPlay security.
This allows you to pair Apple devices
with Apple TVs, so only the appropriate
Privacy Supervision App Privacy devices share their screens wirelessly.
Sandboxing
5 Security
Unix is the foundation for Apple’s operating
systems, providing a strong kernel at the
core. Apple’s OSs are built with security
in mind and have unique security settings Apple’s deployment
added. Those settings can be managed via programs
an MDM solution.

Additionally, utlizing Apple’s

deployment programs with
Management
an MDM solution allow for
even more management of
those settings within your 1

environment.
Apple security
features

Apple OSs

Foundation for Apple’s OSs UNIX

5 Security

MDM security commands for

macOS, iOS, iPadOS and tvOS

macOS • Enforce FileVault MDM Lost Mode for iOS/iPadOS

• Enforce Gatekeeper settings
• Set software update
• Lock, wipe and restart computer
• Delete restricted apps
• Remove MDM
By utilizing Apple’s Lost Mode with an MDM solution, you
can lock, locate and recover lost or stolen iOS and iPadOS
devices without compromising privacy through ongoing
tracking. When Lost Mode is activated, iOS devices receive
a customized lock screen message, are disabled from use
and send the location to IT.

Conditional access
iOS/iPadOS • Enable Lost Mode
For organizations leveraging Windows Azure AD and
• Lock and wipe a device
Office 365, it’s critical to implement a conditional access
• Remote wipe path for Mac devices. Best-of-breed MDM solutions offer
• Update iOS built-in conditional access integrations.
• Clear restrictions and passcodes
• Remove MDM Software upgrades
By developing major versions of macOS, iOS, iPadOS and
tvOS annually, Apple has set the pace of innovation. Each
year, Apple unveils new and great consumer features, but
tvOS • Enable Lost Mode also adds layers of security and fixes vulnerabilities. These
• Lock and wipe a device updates can be critical for devices used by employees or
• Remote wipe students in order to protect their data. Your management
• Update iOS solution not only needs to be able to deploy updates
• Clear restrictions and passcodes from Apple, but also needs to quickly support all the new
• Remove MDM management features that come with them too.
6 User empowerment and adoption
With the rise in self-sufficiency tools like Lyft, Headspace and Duolingo, today’s
workforce expects to get the tools they want, when they need them. Enterprise
app catalogs meet the needs of users by empowering them with instant access
to resources, content, tier one help and trusted apps through a single click from
their device — all without submitting a help desk ticket to IT.

With enterprise app catalogs,

users have the ability to access:

•
 App Store, B2B, in-house apps and third-party
software
• E mail, VPN and other configurations
• E -books, guides and videos
• B ookmarks and shortcuts
• P rinter mapping and drivers
• H elp desk ticketing and hardware requests
• P assword resets and compliance information
APP CATALOG FOR MOBILE APP CATALOG FOR MAC • B asic maintenance and system diagnostics
• S oftware and OS upgrades
Example: Jamf Self Service for macOS, iOS and iPadOS offers a branded app • S ingle Sign-on (SSO) integration
catalog that can integrate seamlessly into any organization’s internal resources • Localized language support for English, French,
or corporate intranet. German, Japanese and Simplified Chinese
6 User empowerment and adoption

Benefits of on-demand app and resource catalogs.

What’s in it for IT? What’s in it for users?

• R educe help desk tickets and support
costs while maintaining control of your
environment
• A utomatically install an app catalog
like Jamf Self Service on any
managed Mac, iPad or iPhone
• Integrate with directory services
to personalize content based on
department, user role, location
and more
• A utomate common IT tasks, such
as password resets and system
diagnostics, for tier-zero support
• G ive end users instant access to
a full-service, self-help destination of
diversified resources
• Intuitive user interface personalized for
local language and your environment
• B ookmark common web services such
as HR tools, communication platforms
or internal resources for an easy entry
point to valuable company information
• Install organization-approved apps
without IT help
• F ast resolution of common IT issues,
such as printer installations and
software updates
• R eceive real-time notifications for
available services and security
enhancements
Bonus: Third-party
integrations
Apple device management is just one
piece of your technology portfolio, but it’s
a critical and instrumental piece. Regardless
of whether you use a help desk ticketing
system like ServiceNow or an SSO
authentication tool like Okta, your Apple
device management solution must integrate
seamlessly with your existing IT tools.
Amplify the power of what you have and
extend the power of your ecosystem by
leveraging third-party integrations like those
seen in the Jamf Marketplace. From cross-
industry integrations to specific solutions,
integrations like these bridge IT teams and
services, creating an integrated, secure and
seamless experience for end users.

Best-of-breed MDM solutions should offer the ability to brand your app catalog
to match your existing corporate resources. This seamlessly integrates your app catalog
among existing internal properties, increasing familiarity and ease of use.
Infrastructure More and more organizations are moving
to the cloud.
planning Below are just a few reasons why enterprise organizations are going cloud:

Where you host your management Benefits of cloud hosting

environment is just as important as
the management solution you choose.
Not only does cloud hosting make Server provisioning,
Backup administration
upgrades a breeze, it takes the added ongoing security and
and testing
update management
pressure of server management,
disaster recovery, and more off of IT.

Storage infrastructure for Disaster recovery; offsite

global availability location

Database administration,
Server monitoring and
ongoing security and
response team
updates
 The Standard for Apple
Enterprise Management
Apple continues to build an interconnected ecosystem, with apps and services
being cross compatible across devices. Growing enterprise partnerships (IBM, Cisco,
SAP, etc.) and a boom in technology choice programs will only bring more Mac, iPad,
iPhone and Apple TV devices to your doorstep.

To get the absolute most out of Apple and your technology As the gold standard in Apple management and with dedication to
investment, you need a management solution that matches Apple’s the Apple ecosystem since 2002, Jamf is the product most trusted
intuition and has proven from day one that helping people succeed by businesses and schools that want to offer Apple and provide
with Apple is top priority. a consistent management experience across the entire ecosystem.

Put our word to the test by taking Request Trial Or contact your preferred reseller of Apple devices.
a free test drive.