At Kandji, we get a lot of questions about best practices in mobile device management. We decided to get answers to some of those questions by asking the best sources we know: The IT admins who manage Apple devices day in and day out.
We’ve recently posted their thoughts on migrating to macOS Big Sur and on the subtle science of managing users. But we were particularly interested in hearing about their suggestions for adopting Apple-focused MDM solutions (such as Kandji) to manage fleets of Mac computers, iPad and iPhone devices, and Apple TVs.
Here’s what they told us:
- Take the time to find the right solution.
- Don’t wait to start managing mobile devices.
- Take advantage of Automated Device Enrollment.
- Lean on existing skills.
- Test early and often.
- Nail down security.
- Stay one step ahead.
1. Take the Time to Find the Right Solution
Technical support analyst James Hastings advises that not all MDM solutions are the same; you have to find one that both meets your business’s needs and sits within your IT team’s comfort zone:
“There are a lot of MDM solutions designed for Apple products, but each one is different in the types of services/support it offers. Some require advanced programming knowledge, others are prepackaged with everything you need at the click of a button. Be sure your MDM supports your specific needs and that you are comfortable with the level of technical skill needed to use it.”
2. Don’t Wait to Start Managing Mobile Devices
Joshua Goffstein, a senior systems engineer at Affirm, manages thousands of devices, which demands he use “a centralized management platform for my security, software, and deployments.” The advantage? “Changes can be made systemwide in just a few clicks. This can seriously save your butt on a zero-day exploit or a major OS upgrade.”
Joshua’s advice to IT administrators? Whatever management platform you choose, deploy it as soon as possible. “Don't wait until you're at 3,000 people to start having these conversations.”
3. Take Advantage of Automated Device Enrollment
Ryan Donnon, director of IT at First Round Capital, recommends Apple's Automated Device Enrollment (ADE) program:
“This will give you the ability to order a computer from Apple and have it shipped directly to an employee without IT needing to put their hands on it, which is especially good during Covid-19. When paired with an MDM, you can enforce security protocols and install enterprise applications on the endpoints without your users doing anything. Using Apple's device enrollment program also means that end-users can't remove MDM profiles from their machines and bypass security protocols.”
Alex Casiano, Senior IT Manager at Dosh, is also an ADE fan:
“Assigning devices to a user and a department-specific blueprint prior to enrollment ensures that users can get to work right after completing the zero-touch enrollment. Devices will enroll with users already assigned, so user-specific settings are pushed out and remediated. This keeps your MDM dashboard orderly and your end users happy.”
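One check worth building into onboarding is to confirm, on the Mac itself, that a machine really did come in through Automated Device Enrollment rather than a manually installed (and therefore user-removable) profile. The script below is an added example, not code from Kandji or from the admins quoted above. It assumes the output format of macOS's `profiles status -type enrollment` command shown in the constructed sample (an "Enrolled via DEP" line and an "MDM enrollment" line); on a non-Mac host it falls back to that sample so the parser can still be exercised.

```shell
#!/bin/sh
# Added example (not from the Kandji post): classify a Mac's MDM enrollment as
# the ADE kind (DEP-assigned, normally not removable by the user), a manual
# profile (removable), or none at all.
#
# Assumption: `profiles status -type enrollment` prints lines like the two in
# SAMPLE_OUTPUT. The sample itself is constructed for this example.
SAMPLE_OUTPUT='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)'

# classify_enrollment: reads `profiles status -type enrollment` output on
# stdin and prints exactly one of: ade, manual, none.
classify_enrollment() {
    dep=no
    mdm=no
    while IFS= read -r line; do
        case "$line" in
            "Enrolled via DEP: Yes"*) dep=yes ;;
            "MDM enrollment: Yes"*)   mdm=yes ;;
        esac
    done
    if [ "$dep" = yes ] && [ "$mdm" = yes ]; then
        echo ade          # came through Automated Device Enrollment
    elif [ "$mdm" = yes ]; then
        echo manual       # MDM profile present but installed by hand
    else
        echo none         # not managed
    fi
}

# On a real Mac read the live command; elsewhere use the constructed sample.
if [ "$(uname)" = Darwin ] && command -v profiles >/dev/null 2>&1; then
    state=$(profiles status -type enrollment | classify_enrollment)
else
    state=$(printf '%s\n' "$SAMPLE_OUTPUT" | classify_enrollment)
fi
echo "enrollment state: $state"
```

Anything that reports `manual` is a device that a user could strip of its MDM profile, which is exactly the bypass the ADE path closes; flag those for re-enrollment through ADE rather than trusting the manual profile.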
4. Lean on Existing Skills
William McGrory, technical manager at West Chester University, had advice for IT admins who have little (or no) experience with managing Apple devices:
“If you are not currently using an MDM solution, don't be intimidated: You can apply the skills you already have. Do you understand Active Directory device and user groups? You will see the same principle in an MDM. Deploying apps or configurations to devices? You will understand how that works, having used Microsoft Configuration Manager. Working as an endpoint admin, you already have skills you can apply to MDM.”
5. Test Early and Often
Many respondents mentioned the importance of testing as much as possible. As Lamar Wiggins, IT manager at Vida Health, put it: “As much as we just want to do, it is important to test, so you get as close to right as possible during the first deployment.”
Pax Whitfield, CTO at Winston Preparatory School, says:
“Test thoroughly and always! Testing the real-world effects of management settings, particularly related to security, scales with size and distance, and everyone's operating with more distance now. Simulate everything you do on spare hardware or in virtual machines, with special attention to edge cases like older devices that have less internal storage.”
6. Nail Down Security
Security was another consistent theme among our respondents. Thomas Malloy, director of sales at Hyperion Partners, emphasized the importance of adapting to the shift toward remote work: “Be sure to think about security, data encryption, and BYOD containerization when managing devices in a decentralized work environment.”
Jon Brown, CEO of Grove Technologies, seconds the notion that security is an evolving project: “One piece of advice I would give any aspiring new Apple technician: Start learning core cybersecurity frameworks and helping your fellow admins create a culture of security within the Mac community.”
On a similar note, Ryan McCrone (who says his top reason for using MDM is endpoint security) told us:
“The most important thing when managing your Apple devices is to make sure that you work with your network team to develop proper firewall rules. Many issues arise because a specific port or protocol is not called out properly in the rules.”
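The "port or protocol not called out" failure is easy to catch before a rollout if the required Apple endpoints are kept as a list and diffed against the egress allowlist the network team actually deployed. The script below is an added example, not code from Kandji or from the admins quoted here. The one-rule-per-line `proto host port` format is an assumption of this example rather than any real firewall syntax, the allowlist is constructed to contain two typical mistakes, and the required entries follow Apple's published enterprise-network endpoints for push notifications, activation and Automated Device Enrollment; treat that list as a starting point and check it against Apple's current documentation.

```shell
#!/bin/sh
# Added example (not from the Kandji post): find required Apple egress rules
# that are missing from a firewall allowlist, matching on protocol as well as
# host and port.
#
# Required endpoints, per Apple's enterprise-network documentation
# (assumed current; verify against Apple's published list).
REQUIRED='tcp *.push.apple.com 5223
tcp *.push.apple.com 443
tcp *.push.apple.com 2197
tcp albert.apple.com 443
tcp iprofiles.apple.com 443
tcp mdmenrollment.apple.com 443
tcp deviceenrollment.apple.com 443
udp time.apple.com 123'

# Constructed allowlist with two typical mistakes: the APNs port 5223 was
# never added, and NTP was opened on TCP instead of UDP.
ALLOWED='tcp *.push.apple.com 443
tcp *.push.apple.com 2197
tcp albert.apple.com 443
tcp iprofiles.apple.com 443
tcp mdmenrollment.apple.com 443
tcp deviceenrollment.apple.com 443
tcp time.apple.com 123'

# missing_rules REQUIRED ALLOWED: print every required "proto host port"
# line that has no exact (whole-line, literal) match in the allowlist.
missing_rules() {
    required=$1
    allowed=$2
    printf '%s\n' "$required" | while IFS= read -r rule; do
        if [ -n "$rule" ]; then
            if ! printf '%s\n' "$allowed" | grep -qxF -- "$rule"; then
                echo "$rule"
            fi
        fi
    done
}

# missing_count REQUIRED ALLOWED: number of gaps, handy as a gate in a
# change-review or CI job (non-zero means the rule set is incomplete).
missing_count() {
    missing_rules "$1" "$2" | wc -l | tr -d ' '
}

echo "rules missing from the allowlist:"
missing_rules "$REQUIRED" "$ALLOWED"
```

Run against the constructed data it reports the APNs 5223 rule and the UDP NTP rule as missing; the TCP 123 entry in the allowlist does not satisfy the UDP requirement, which is the protocol mix-up the quote warns about.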
7. Stay One Step Ahead
Finally, Rachel Mendoza, a user support engineer at USC Law School, encourages admins to stay on top of changes in the marketplace:
“The key to managing Apple devices is to always be one step ahead. Since system updates and upgrades seem to be constantly evolving in the Apple sphere, being familiar with past, current, and future news will always help to troubleshoot at the end of the day. Logging all solutions to user errors or broken settings will help you move faster.”
The Kandji team is excited to continue fleshing out our Apple MDM solution. With powerful features like zero-touch deployment, one-click compliance, and offline remediation, Kandji has everything you need to enroll, configure, and secure your devices.