Introducing MDM+, the Apple MDM We Wish We Had

Posted on August 22, 2019

You’ve chosen Apple — or maybe Apple has chosen you. Maybe your business has acquired a company that is an Apple shop. Perhaps your design or product teams say they need Macs in order to do their jobs well. Maybe your new hire won’t take the job unless they can work on an Apple device. Or, maybe Apple has been your ride or die for as long as you can remember.

Despite the growth of Apple in the workplace, people still associate that choice with a specific type of business, a modern mindset, and an expectation for design and experience that is unique. It makes sense: in the modern business world, not much gets done without a powerful device in your lap, hand, or office. 

That’s why more businesses are choosing to invest wisely in their devices and a device management solution that keeps them operating securely and efficiently from day one. But, the Apple mobile device management (MDM) solution ecosystem is still maturing. Apple for business is growing fast. Apple device management is still catching up.


MDM Alone Is Not Enough

If you are administering a fleet of Apple devices, how do you ensure these devices are secure, even when they’re offline? How do you ensure a device for someone in sales, product, or engineering has all the necessary applications installed that are unique to that team? How do you block a dangerous app? How do you confirm that your security issue has been remediated? MDM alone is a great start, but it can often fall short quickly (we’ll get into this later on).

This post will explore a major Kandji release, created to finally give you a device management experience as powerful and elegant as your Apple devices. It’s called MDM+, and it’s all about extending your capabilities beyond the expected. Keep reading to learn what MDM+ means to us and why we built it.


Why MDM Alone Is Not Enough

Apple’s MDM Framework: A Starting Point

Apple provides an MDM framework, a starting point, to enable approved, third-party MDM vendors to build Apple device management solutions.

Here’s how Apple’s MDM framework works: The MDM framework is a Device Management API created by Apple for communicating with Apple devices. This allows an MDM vendor to design a powerful and complex MDM server that can communicate with devices, move data, and enable certain device controls (we’ll spare you the intricate details of creating a SCEP server).

MDM vendors study the Apple Device Management API and translate this information into their MDM solution. You, as the IT practitioner, use an MDM vendor’s solution to execute the instructions Apple has provided, which allow you to:

  • Send commands to devices: For example, sending a command to lock or wipe a device
  • Configure devices with profiles: Profiles (XML payloads) push down sets of configurations to your devices; for example, a profile might configure VPN, adjust settings on email accounts, set up FileVault, or launch your screen saver after two minutes
  • Connect to Apple Business Manager: Connecting the MDM server to Apple Business Manager allows you to do things like purchase and deploy devices with the Apple Device Enrollment Program (DEP) or purchase apps using the Apple Volume Purchase Program (VPP)

But, it doesn’t stop there. MDM vendors also have the ability to augment Apple’s MDM framework with their own software.

What’s Missing: The Power of a macOS Agent

The challenge, from an IT perspective, is that the capabilities readily available within the MDM framework are limited for Macs in the workplace. Apple’s MDM framework is just that: a framework, a starting point from which to build.

The reason? macOS is not only the most powerful OS ever created, it is ubiquitous. Macs are used by designers, DJs, engineers, YouTube stars, lawyers, and students. Hollywood uses Macs to create CGI. NASA used Macs to land the Curiosity rover on Mars. The use cases are limitless. macOS is woven into the essence of modern business. 

What does this mean? The MDM framework is evolving, but it’s not practical for it to address every single use case, need, and edge case across this vibrant and evolving ecosystem. Keeping up with modern business calls for a flexible, dynamic piece of software. So, Apple created a starting point (their MDM framework), but it’s on third-party MDM vendors to create, experiment, and learn.

Vendors take this opportunity to augment Apple’s MDM framework by creating a “macOS agent.” A macOS agent is software installed on a macOS device, and its capabilities are limited only by the engineering skill and creativity of its makers. The agent complements the MDM framework, but it is autonomous and flexible. The agent is where MDM vendors get to go above and beyond. It is within the macOS agent that compelling differentiators between MDM vendors begin to emerge.

The MDM framework is growing, and alone it can satisfy the needs of some downmarket MDM vendors serving certain smaller businesses with relatively standardized requirements. But, we don’t see the macOS ecosystem getting any less interesting, and for growing businesses, there is a crucial need for a flexible macOS agent to augment the capabilities Apple supports within its MDM framework. Apple’s MDM framework is critical, and we are committed to contributing to this foundational piece of the Apple device management landscape. It is our strong belief that MDM vendors must be as committed to living and breathing Apple’s growing MDM framework as they are to strengthening it with their own macOS agent.


Introducing MDM+, the MDM We Wish We Had

We’ve Felt Every Pain Point

Before we were Kandji, we ran an Apple-certified IT firm that served modern businesses running on Apple. We were the people painstakingly rolling out macOS compliance mandates to thousands of Apple devices, combing through CIS macOS benchmarks, rolling out iPads to healthcare organizations, and designing zero touch deployment strategies to create a painless onboarding process. We specialized in giving employees the best possible work experience while securing their Apple devices. And, before that, we worked for Apple. 

This is powerful because we’ve felt Apple device management pain from every angle. We worked side by side with the biggest names in tech to push the limits of Apple in the enterprise. We’ve felt gaps in the MDM market, because we spent over a decade deploying every MDM on the market.

We saw a dire need for a device management platform that could accommodate growing businesses and increasing regulatory demands. Existing solutions were either overly simplistic or mind-numbingly complex, and didn’t meet the needs of today's organizations. We knew there had to be a better way — so we built Kandji.

It Didn’t Exist, So We Built It

What does MDM+ mean to us? MDM+ is Kandji MDM + Kandji Agent. It is a match made in IT. The problem we set out to solve when we built Kandji was to create a proprietary macOS agent alongside an Apple MDM solution that wasn’t a hard tradeoff between power and simplicity. MDM+ means extending your capabilities beyond the expected.

Kandji’s proprietary macOS Agent is custom-built using Swift, a streamlined programming language specifically designed for Apple operating systems. We built it from scratch because we wanted it to be powerful but lightweight, not bogged down by unused code. It had to feel invisible.

Here’s a sample of some things the Kandji Agent unlocks for IT (that would not be possible without an agent):

  • Deploy custom scripts: For example, running a script to uninstall Sophos across all your machines
  • Deploy custom apps: For example, deploying an app that is not in the app store, like Google Chrome or Adobe Creative Cloud
  • See device activity and details: Review detailed and relevant device events in a straightforward activity stream, as they happen; for example, blocked applications, remediations, script execution, or app installation details
  • Create security alerts: For example, IT gets an alert when a remediation has failed
  • Blacklist applications: For example, blocking apps that are unsafe or have been retired
  • Manage devices, even when they’re offline: For example, blocking a suspicious app or remediating a security issue, even when a device is offline

The MDM Worthy of Your Apple Devices

Ultimately, it wasn’t about our wishlist of controls, it was about creating an MDM experience worthy of Apple. To us, Apple symbolizes the ultimate balance between power and simplicity, and Kandji needed to reflect that.

At Kandji, we believe everything should be as intelligent as it is intuitive and as powerful as it is beautiful. 

Here are some of the ways this philosophy has manifested itself in Kandji:

  • 150+ device controls: As the only MDM with a pre-built library of security controls (over 150 and growing), Kandji includes the industry’s first macOS compliance framework that automatically enforces and remediates issues, even when your devices are offline.
  • User-initiated enrollment: Our enrollment portal makes it easy to import your users from G Suite or Office 365 and invite them to enroll their own devices quickly and painlessly. 
  • Zero touch deployment: Kandji works with Apple’s Device Enrollment Program (DEP), now Apple Business Manager, to automate device deployment so your employees can use their devices right out of the box without a visit to IT.
  • Application management: Kandji gives you complete visibility into the applications installed on every device and makes it easy to deploy new third-party apps, leverage Apple’s Volume Purchase Program (VPP), or even blacklist unwanted software.
  • Limitless configurations: Choose from the largest library of configuration settings to customize the way your organization uses everything from Wi-Fi profiles to email accounts to custom scripts. 

Setup, visibility, and the largest library of pre-built controls — Kandji makes device management beautifully simple and insanely powerful — just the way it should be.


We’re Just Getting Started

With innovation and iteration at the core of everything we do, we’re constantly building solutions to give you more of what you need and improve upon features you already love. Stay tuned for more updates about the future of Apple device management.

The best way to make the most of your Apple investment is to ensure your people are getting the most out of their devices. So much of your business is run on Apple. It’s time you start managing your devices like your business depends on it. With Kandji, you can be confident that your Apple fleet is in safe and secure hands from deployment to retirement. Request a demo of Kandji today.