United States | Modernising Apple Device Management

Aaron Parker - 17.08.2022

Modernising Apple Device Management


So you want to improve how you manage Apple devices (both corporate and personal) and protect corporate applications and data in your organization, but where do you start?

This is the first article in a multi-part series on how to modernise your device management (specifically Apple devices).

WHERE ARE YOU TODAY?

We’ve seen many global organizations on a journey to modernise their Apple device management approach in recent years. Organizations will generally fall somewhere along this spectrum: 

  • Device purchasing is ad hoc; however, in many cases mobile devices are purchased via a carrier which also offers a device management service.
  • No mobile device management at all. Users can access corporate email on their personal mobile devices without any controls in place.
  • Basic device controls, with IT admins manually approving device access to email via Exchange ActiveSync device access rules.
  • Limited device management for iPhones and iPads with Microsoft Intune or a third-party MDM. Device setup is performed manually by IT or relies on the end user to enrol their own device.
  • Macs and MacBooks are used in a limited capacity (typically by executives in the organization).
  • Personal Apple IDs are used on corporate devices; occasionally the personal Apple ID is registered with the user’s organization email address. Use of personal Apple IDs means personal data is stored on the organization-owned device, and device backups may go to the user’s personal iCloud account.
  • Limited use of Intune app protection policies and Azure AD Conditional Access policies to manage access to Microsoft 365 services from personal mobile devices.

WHERE DO YOU WANT TO BE?

While these points may describe where organizations are right now, drivers for improving device management capabilities include:

  • Reducing the administrative overhead for managing mobile devices.
  • Securing access to corporate data. This may be driven by the organization wanting to improve their security posture or the adoption of certifications such as ISO 27001.
  • Moving to Microsoft 365 or adopting the capabilities provided in the Microsoft 365 license.
  • Migration from a third party mobile device management solution – this may be driven by adoption of Microsoft 365 or a desire to bring MDM in-house (where MDM is provided as a service today).

WHAT DOES MODERN MANAGEMENT OF APPLE DEVICES LOOK LIKE?

Here’s a breakdown of what I believe all organizations should be striving towards:

  1. The full lifecycle of a corporate-owned device is managed via a mature process which covers procurement, on-boarding/enrolment and off-boarding.
  2. Corporate devices are purchased and sent directly to an end-user without IT needing to physically handle the device.
  3. Unless a device is being reassigned from one user to another, users receive the full out-of-box experience including physically unwrapping the device, and over-the-air set-up and enrolment into device management.
  4. IT admins have a similar ability to provision shared or kiosk devices over-the-air.
  5. The organization has as much (or as little) control over corporate devices as required.
  6. The organization has the option to assert control by requiring the use of managed Apple IDs for users signing into corporate Apple devices.
  7. Managed Apple IDs are enabled with Single Sign-On (SSO) via an end-user’s corporate credentials.
  8. Corporate iPhones, iPads, and MacBooks provide Single Sign-On (SSO) capabilities to Azure AD to improve the end-user experience.
  9. The organization has the option to require personal iPhones and iPads to be enrolled into device management. This approach may be cause for concern regarding privacy, thus the approach may differ depending on the organisation’s requirements or alignment to local laws.
  10. Organizations may instead opt to not manage personal devices but ensure corporate data is automatically and securely protected in authorized applications. IT admins should not need to manually approve access to these applications.
  11. Access to Microsoft 365 applications and services (and third-party applications integrated with Azure AD) is controlled via Azure AD Conditional Access; policies allow access to the tenant only from authorized devices or applications.
  12. Legacy authentication over protocols including ActiveSync, SMTP, POP3 and IMAP is disabled. Basic authentication over these protocols bypasses Conditional Access enforcement and multi-factor authentication (MFA), so leaving it enabled provides a back door around every control above.

HOW TO GET THERE

The first consideration for any organization is to determine whether access to corporate resources on personal Apple devices will be allowed and if so, what level of access will be granted. This will become one of the key guiding principles for what is to be implemented.

Automated Device Enrolment

Next is to enrol into Apple Business Manager (ABM) or Apple School Manager (ASM) and enable Automated Device Enrolment (ADE) for corporate devices. This capability is key to reducing administration overheads while improving the end-user experience for onboarding new devices.

The process of enrolling into Apple Business or School Manager is simple but can take longer than expected, so start it as early as possible. You will need the following items, which may require engaging your finance and procurement teams:

  1. A D-U-N-S Number.
  2. An Apple Customer Number or Reseller ID (which will require contacting Apple or your reseller).

Now this is done, what’s next?

The Road To Success

For organizations in any of the configuration states described above, we take them through a review of requirements and subsequently configure the integration between ABM/ASM, Microsoft Intune and Azure AD Conditional Access.

Planning for releasing these changes into production is the key to success. Here are several items which could have the largest impacts on your rollout:

Consideration: Microsoft Authenticator adoption
Actions: Users should install and sign into the Microsoft Authenticator app on their mobile devices to ensure the best user experience. In some organizations users may have privacy concerns about installing the Authenticator app on their personal phone. Address this concern by explaining what IT administrators can and cannot see on a personal device (the app does not give administrators visibility of personal data) and how the Authenticator app simplifies the sign-in experience.

Consideration: Protecting corporate data on personal iPhones and iPads
Actions: Adoption of Intune app protection policies is simple; however, the Microsoft Authenticator app is required as the broker, so users will need to install this app on their device.

Consideration: Protecting corporate data on Macs
Actions: macOS does not support app protection policies like iOS/iPadOS; therefore, enrolment into device management should be required. For corporate devices not enabled for ADE, users must download the Intune Company Portal and enrol their device. For personal Macs it is worth considering Microsoft Defender for Cloud Apps, which can apply session controls to browser access from unmanaged devices.

Consideration: Existing devices using ActiveSync
Actions: Review the Azure AD sign-in logs for legacy authentication, filtering on the client app used (this will include older ActiveSync mail profiles that still use basic authentication). Affected users will need to remove their existing email profile and add a new one; the sign-in logs allow you to report on these users and provide targeted assistance (if required).

Consideration: Use of personal Apple IDs
Actions: The backup and restore process for an existing corporate device used with a personal Apple ID is challenging. Transitioning from an unmanaged to a managed state may require guiding users on how to move their personal data off their existing device via other means (e.g. backing up photos to their personal PC or Mac via iTunes or Finder).

Consideration: Existing corporate devices to be enabled for ADE
Actions: An administrator can add devices which are not already in Apple Business/School Manager using Apple Configurator; however, this requires physical access to the device and a full device wipe and reset (devices added this way can be released from ABM/ASM during a 30-day provisional period). Having spare device inventory which allows you to provide a rolling upgrade path will reduce end-user impact.

Consideration: New corporate devices
Actions: Ensure the procurement process (which may not be handled by IT admins) purchases new Apple devices via approved channels so that devices are automatically added to ABM/ASM.

Consideration: Enforcement of access via Conditional Access policies
Actions: Getting from an unmanaged state without enforcement to a well-managed state with access controls requires careful validation and piloting. These are the controls which grant users in your organization the level of device and application access they are allowed. Pilot policies in report-only mode first, and ensure changes are well communicated before a go-live date.
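The two steps that most often go wrong in practice are the ActiveSync review (finding out who is still on a legacy protocol) and the Conditional Access enforcement that follows it (item 12 in the list above). The following is an added example, not code from the original post or from Insentra: it triages a sign-in log export for legacy clients and builds the Conditional Access policy body that blocks them. The record fields follow the Microsoft Graph `signIn` resource and the policy follows the Graph `conditionalAccessPolicy` resource; the sample sign-in records and the `contoso.example` users are constructed for illustration.

```python
"""Triage Azure AD sign-in records for legacy-protocol clients and build the
Conditional Access policy that blocks them.

Added example, not code from the original post. Record fields follow the
Microsoft Graph `signIn` resource (userPrincipalName, appDisplayName,
clientAppUsed, createdDateTime, status.errorCode), which is the shape of a
sign-in log export. The sample records are constructed for illustration.
"""
import json
from collections import defaultdict

# `clientAppUsed` values that identify legacy (basic-auth capable) clients.
# "Exchange ActiveSync" is included deliberately: an old mail profile may be
# using basic authentication even where the same device could use modern
# authentication, so these users need to be reviewed rather than assumed safe.
LEGACY_CLIENT_APPS = {
    "Exchange ActiveSync",
    "IMAP4",
    "POP3",
    "Authenticated SMTP",
    "Other clients",
}

# Constructed sample export: newline-delimited JSON, one sign-in per line.
SAMPLE_SIGNINS = """\
{"userPrincipalName": "alice@contoso.example", "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "Exchange ActiveSync", "createdDateTime": "2022-08-01T08:12:03Z", "status": {"errorCode": 0}}
{"userPrincipalName": "bob@contoso.example", "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "IMAP4", "createdDateTime": "2022-08-01T09:40:11Z", "status": {"errorCode": 0}}
{"userPrincipalName": "carol@contoso.example", "appDisplayName": "Microsoft Outlook", "clientAppUsed": "Mobile Apps and Desktop clients", "createdDateTime": "2022-08-01T10:02:45Z", "status": {"errorCode": 0}}
{"userPrincipalName": "dave@contoso.example", "appDisplayName": "Office 365 Exchange Online", "clientAppUsed": "IMAP4", "createdDateTime": "2022-08-02T03:14:09Z", "status": {"errorCode": 50126}}
"""


def parse_signins(ndjson: str) -> list:
    """Parse a newline-delimited JSON export into a list of records."""
    return [json.loads(line) for line in ndjson.splitlines() if line.strip()]


def legacy_protocol_users(records, successful_only=True):
    """Return {client app: sorted users} for sign-ins from legacy clients.

    With successful_only=True, failed sign-ins (non-zero errorCode) are
    ignored: a failed IMAP sign-in is often a password-spray attempt against
    the protocol, not a user who actually depends on it. Set it to False to
    see every account the legacy endpoints are being used against.
    """
    users = defaultdict(set)
    for rec in records:
        client = rec.get("clientAppUsed", "Unknown")
        if client not in LEGACY_CLIENT_APPS:
            continue
        if successful_only and rec.get("status", {}).get("errorCode", 0) != 0:
            continue
        users[client].add(rec["userPrincipalName"])
    return {client: sorted(upns) for client, upns in users.items()}


def block_legacy_auth_policy(state="enabledForReportingButNotEnforced"):
    """Body of a Graph `conditionalAccessPolicy` that blocks legacy clients.

    Defaults to report-only so the policy can be piloted against real sign-in
    data before it is switched to "enabled". The `clientAppTypes` values
    exchangeActiveSync and other are the client app conditions Conditional
    Access uses for Exchange ActiveSync and other legacy-auth clients.
    """
    return {
        "displayName": "Block legacy authentication clients",
        "state": state,
        "conditions": {
            "users": {"includeUsers": ["All"]},
            "applications": {"includeApplications": ["All"]},
            "clientAppTypes": ["exchangeActiveSync", "other"],
        },
        "grantControls": {"operator": "OR", "builtInControls": ["block"]},
    }


if __name__ == "__main__":
    records = parse_signins(SAMPLE_SIGNINS)
    for client, upns in sorted(legacy_protocol_users(records).items()):
        print(f"{client}: {', '.join(upns)}")
    print(json.dumps(block_legacy_auth_policy(), indent=2))
```

Against real data, the records come from a download of the Azure AD sign-in log or from the Graph `/auditLogs/signIns` endpoint, and the policy body is what you would POST to `/identity/conditionalAccess/policies`. Run the triage with `successful_only=False` as well: accounts that only fail on IMAP or POP3 are usually being sprayed rather than used, which is a second reason to block the protocols once the genuine users have been migrated.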

CONCLUSION

I’ve taken you through the key technical and process-driven steps required to modernise management of Apple devices; however, these changes may have a considerable end-user impact depending on where your organization is starting from. Both IT admins and end users require support to implement and adopt these changes.

The best way to support the move to modern Apple device management is to back the project with mature change management processes.

If you need any assistance with this, you can contact our expert IT consultants.

For my next blog I’ll discuss considerations for modernising management of Android devices. If you want to be notified of this and more (Windows is also coming), follow Insentra on LinkedIn.
