Managing Apple devices in enterprises through EMM
Mar 23, 2017 | 42Gears Team
iPods, iPhones, and iPads have been shaking up the consumer tech market for many years now. Apple’s intuitive design approach and user-friendly features have not only fascinated consumers but also given a boost to businesses. A seamless and consistent end-user mobile experience for employees was the biggest motivator for businesses to explore Apple devices for enterprise use. Moreover, the continuous addition of enterprise-friendly features in recent years has made Apple products even more attractive to businesses.
With its vast array of products, Apple has been helping enterprises to enhance productivity, cut costs, and attain superior security. Before the development of iOS business products, purpose-built, secured rugged handheld devices or BlackBerries were the only options available to enterprises. A large number of people, accustomed to iOS products, found these previously used enterprise devices outdated. They wanted similar iOS products in the workplace to maintain consistency in device usage. Popularity among consumers, together with the impressive state-of-the-art security framework of Apple products, has paved the way for enterprise iOS adoption.
The extensive use of iOS (consumer) devices in enterprises gave birth to the BYOD (Bring Your Own Device) concept. Enterprises may have corporate-owned devices, employee-owned devices or a combination of both, which need to be managed through Dedicated Devices (formerly called COSU or Corporate-Owned Single-Use) and BYOD policies. For BYOD, Apple has added some groundbreaking enterprise features such as MDM, DEP and VPP. Later, iOS introduced many Dedicated Devices-related features to manage corporate-owned devices too.
Enterprise features offered by Apple:
Apple was the pioneer in recognizing the importance of device management and data security for enterprises. It offers the key features described below:
Mobile Device Management (MDM) is a framework offered by Apple to manage iOS devices. This feature, now built into all iOS 7+ devices, empowers IT admins to manage and secure both corporate and employee-owned devices. It also helps to manage and distribute apps wirelessly. It is a powerful tool for configuring device settings, handling large-scale deployments and ensuring data and device security.
Apple offers two vital tools called Profile Manager and Apple Configurator.
- Profile Manager is a free MDM application offered by Apple. It allows IT admins to configure and enforce policies on Macs and iOS devices. It can also prevent users from using specific iOS features such as iCloud, AirDrop, the camera, the Safari web browser and more. Devices can be remotely locked or wiped through this feature.
- Apple Configurator is another Mac tool offered by Apple. It can push configuration profiles to devices via USB, passing on content, apps and access profiles as well, with a secured setup. It can be downloaded from the Apple App Store and can be used to configure up to 30 devices at once. It is also useful for enabling supervised mode on iOS devices, which is essential for Dedicated Devices deployments.
Device Enrollment Program (DEP) is another way of enrolling devices for IT management. A device enrolled with DEP auto-enrolls with the pre-configured MDM server when it is turned on for the first time. It enables admins to configure profiles and apps on the MDM server and apply them to the devices. DEP also enables MDM solutions to supervise an iOS device wirelessly.
Volume Purchase Program (VPP) is used to find, buy and deploy apps as per business needs. IT admins can buy apps and e-books in bulk and distribute them among users [1]. B2B apps specific to business needs can also be built by third-party developers. Employees can also benefit from the iBooks Store through VPP.
Key benefits of MDM offered by Apple:
Hardware/software details can be gathered through MDM. Hardware details include device name, type, model, battery level, and serial number, whereas software details include iOS versions, a list of apps and storage capacity.
Traditional containerization, which involves wrapping enterprise apps with a 3rd party SDK to protect enterprise data from private apps, is no longer needed in iOS. The MDM framework segregates apps pushed via EMM as managed apps and offers multiple policy options to make sure data from enterprise apps cannot be accessed by personal apps.
Locking or completely wiping devices can be performed through MDM in the case of loss or theft of devices.
Lost mode is useful when a device is stolen: the device can then be locked completely by using activation lock. With MDM, it is possible to unlock the device once it is back with the admin or another verified user by using the activation lock bypass code.
Kiosk mode enables users to transform their iOS devices into a kiosk by using guided access. It restricts all applications except the apps allowed by admins.
A separate MDM agent need not be installed on every device, as all iOS devices have their own built-in MDM.
Enterprise single sign-on enables users to sign in with a single user name and password for all enterprise apps on the devices.
Initiating software updates via MDM enables admins to manage operating system and app updates remotely.
File-level data protection is useful for BYOD. It enables encryption of data on devices and prevents sharing between personal and enterprise apps.
Per-app VPN enables administrators to allow selective VPN access to only whitelisted enterprise apps.
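As an added illustration of the managed-app data separation described above (not code from the original article or from any vendor), the following Python sketch audits a configuration profile for the two "managed open-in" restriction keys of the `com.apple.applicationaccess` payload. The sample profile, its identifier and the function name `audit_profile` are constructed for this example.

```python
import plistlib

# Constructed sample profile (not from the original page): a Restrictions
# payload that blocks managed -> unmanaged "open in" but says nothing about
# the reverse direction.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.byod.restrictions</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>allowOpenFromManagedToUnmanaged</key><false/>
    </dict>
  </array>
</dict>
</plist>"""

# Restriction keys that must be explicitly false to keep documents from
# moving between managed (enterprise) and unmanaged (personal) apps.
# Both default to true (allowed) when the key is absent.
REQUIRED_FALSE = (
    "allowOpenFromManagedToUnmanaged",
    "allowOpenFromUnmanagedToManaged",
)

def audit_profile(profile_bytes):
    """Return the separation keys that the profile leaves permissive."""
    profile = plistlib.loads(profile_bytes)
    effective = {key: True for key in REQUIRED_FALSE}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != "com.apple.applicationaccess":
            continue
        for key in REQUIRED_FALSE:
            # Assumption of this sketch: the most restrictive value wins
            # when several restriction payloads are present.
            if payload.get(key) is False:
                effective[key] = False
    return sorted(key for key, allowed in effective.items() if allowed)

if __name__ == "__main__":
    print("Permissive keys:", audit_profile(SAMPLE_PROFILE))
```

An empty result means both directions of document sharing between managed and personal apps are blocked by the profile.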
Apple’s MDM vs third-party EMM solutions:
Apple’s free MDM solution (Apple Configurator and Profile Manager) offers a variety of benefits to enterprises. However, it has some limitations too:
- An enterprise might have a variety of devices and platforms such as Windows, Android, and iOS which it has to manage together. Unfortunately, Apple-offered MDM supports only iOS devices.
- While Apple provides its MDM solution as a feature, complete with support for all commands available in the iOS MDM protocol defined by Apple, a comprehensive EMM solution goes beyond just pushing commands. Advanced EMM features like Enterprise App Store, Enterprise File Store, Telecom Management, Location Tracking, Geo Fencing, Security Policies and Compliance Policies are a must for an effective EMM strategy.
- An EMM solution often needs to work in conjunction with an organization's existing IT infrastructure. It has to integrate well with LDAP/Active Directory, Exchange ActiveSync, VPN and RADIUS to give a consistent and secure user experience to employees. Unfortunately, Apple’s Profile Manager fails to do this effectively.
iOS products are incredible and more compatible with enterprise use than any other platform. With the latest versions of iOS, Apple has shown remarkable improvements. In addition, iOS now has more of the advanced features required by IT organizations. From easy deployment to secured management and control of devices, Apple has emerged as a mature player for enterprise products. However, Apple’s MDM solutions lack some essential features that third-party EMM vendors can provide. Though Apple-provided MDM is quite helpful for SMBs, large deployments require more than what iOS MDM currently offers. 42Gears’ SureMDM can support all the platforms including Android, Windows, and iOS. It also works well with large deployments and overcomes all the iOS limitations. It’s a complete package with all the needed functionality, through which enterprises can manage and control a variety of products on all platforms including iOS.
References
[1] http://images.apple.com/business/docs/iOS_Deployment_Overview_Business.pdf