For years, Managed Apps have been a powerful MDM capability for iOS devices, and now they're coming to the Mac. In this guide, we're going to discuss what we know about Managed Apps on macOS Big Sur, how using them extends the management capabilities of IT, what the process is like to transition to Managed Mac Apps, and more.
Here's a quick overview:
- macOS Big Sur Brings Managed Apps to the Mac
- What to Expect from Managed Mac Apps
- Moving from Personal Apps to Managed Apps
- Moving from Non-App Store Apps to App Store Apps
macOS Big Sur Brings Managed Apps to the Mac
At WWDC 2020, Apple announced that Managed Mac Apps will be included in macOS Big Sur. Managed Apps have been available on iOS for years now, and it looks like their functionality on macOS will be similar to iOS. Just as iPhone apps delivered to company devices via MDM are considered Managed, Mac apps pushed to company Macs running on Big Sur will also receive Managed status.
This new status extends the management capabilities that IT has over Mac app configuration. This includes securing sensitive corporate data that would otherwise be vulnerable if accessed through unmanaged (also known as personal) apps.
Personal apps refer to apps that an employee downloads through the Mac App Store. By using Managed Mac Apps instead, IT can control the flow of corporate data, keeping it out of an employee's personal apps or cloud services.
Managed Mac Apps also give IT other advanced capabilities, such as removing apps on demand via MDM commands, automating app removal upon device unenrollment, and converting eligible unmanaged apps into Managed Apps. We'll explore these new capabilities in more depth in the next section.
What to Expect from Managed Mac Apps
Managed Mac Apps can be free or paid apps from the Mac App Store or in-house custom apps. As long as they are installed via MDM, they will be classified as Managed. Similar to iOS apps, some Mac apps have built-in support for remote configuration, also known as AppConfig. These Managed Apps can be configured by IT without having to physically interact with the device.
IT can also use custom attributes with Managed App configurations to meet the needs of their company. Beyond securing corporate data, IT can also achieve nuanced workflows that use different configurations for Managed Apps based on device type, device group, and other device qualities.
This managed status will also give IT the ability to:
- Remove Mac Apps via MDM Commands: For Mac devices running on macOS Big Sur, IT will be able to remotely delete Mac apps by using MDM commands. This will also remove the data associated with those apps.
- Automatically Remove Mac Apps Upon Unenrollment: To minimize security vulnerabilities and save time, IT can also automate the removal of Managed Mac Apps from devices upon unenrollment.
- Convert Unmanaged Mac Apps to Managed Mac Apps: Depending on the eligibility of the app, IT will be able to convert some unmanaged Mac apps to Managed via MDM. However, it's important to note that Managed App conversion isn't supported for user-enrolled devices that have Managed Apps installed.
Moving from Personal Apps to Managed Apps
In enterprise environments, it's always advisable to use Managed Apps whenever possible. This will give IT the management and configuration capabilities they need to secure company data and streamline business apps for employees.
IT already has the ability to convert unmanaged iOS apps to managed apps. This can be accomplished with an MDM command that transfers the app license to MDM. As a result, the unmanaged app becomes managed, giving IT more configuration privileges. We'll see how this is done next.
How to Convert Personal Apps to Managed Apps
Employees often download popular business apps, such as Slack, directly from the App Store. Because these apps aren't delivered to employee devices via MDM, they won't be considered Managed, and they won't be configured according to your business' security or workflow needs.
On iOS, IT can run an MDM command to convert the personal app license to a Managed App license. Doing this will give IT access to the capabilities we mentioned earlier, AppConfig preferences, and other features such as restricting data from being shared on unmanaged apps.
Big Sur is bringing this iOS functionality to the Mac, opening up an opportunity for IT to have a lot more control over Mac apps in the workplace.
Kandji will automatically convert unmanaged App Store apps to Managed Apps; however, this currently applies only to device-based licenses from Apps and Books (formerly VPP). All you need to do is deploy the app to the blueprint.
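The removal, unenrollment cleanup, and conversion capabilities described above correspond to keys in the InstallApplication and RemoveApplication commands of Apple's MDM protocol. The following is an added example, not Kandji's code: it builds both command payloads and reviews an install command for settings that would leave an app unmanaged or left behind after unenrollment. The bundle ID is constructed, and which keys a given macOS version honors should be confirmed against Apple's documentation.

```python
import plistlib
import uuid

REMOVE_ON_UNENROLL = 1  # ManagementFlags bit: remove app when the MDM profile is removed


def mdm_command(request):
    """Wrap a request dict in the CommandUUID/Command envelope as an XML plist."""
    return plistlib.dumps({"CommandUUID": str(uuid.uuid4()), "Command": request})


def convert_to_managed(bundle_id, remove_on_unenroll=True):
    """InstallApplication that takes over an app the user installed themselves."""
    return mdm_command({
        "RequestType": "InstallApplication",
        "Identifier": bundle_id,
        "Options": {"PurchaseMethod": 1},  # Apps and Books (VPP) license assignment
        "ChangeManagementState": "Managed",
        "ManagementFlags": REMOVE_ON_UNENROLL if remove_on_unenroll else 0,
    })


def remove_app(bundle_id):
    """RemoveApplication for a Managed App, identified by bundle ID."""
    return mdm_command({"RequestType": "RemoveApplication", "Identifier": bundle_id})


def review(raw):
    """Findings for an install command that would leave gaps in app management."""
    cmd = plistlib.loads(raw)["Command"]
    findings = []
    if cmd.get("RequestType") != "InstallApplication":
        return findings
    if cmd.get("ChangeManagementState") != "Managed":
        findings.append("an existing personal install stays unmanaged")
    if not cmd.get("ManagementFlags", 0) & REMOVE_ON_UNENROLL:
        findings.append("app and its data remain after unenrollment")
    return findings


if __name__ == "__main__":
    app = "com.example.chat"  # constructed bundle ID, not a real app
    print(convert_to_managed(app).decode())
    print(review(convert_to_managed(app, remove_on_unenroll=False)))
    print(remove_app(app).decode())
```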
Moving from Non-App Store Apps to App Store Apps
For years, macOS evolved without an app store. This made many Mac users comfortable with obtaining apps directly from developer websites rather than through an official app store. Even after the Mac App Store was introduced, developers continued to offer apps through their websites, so users continued to download apps as they always had.
This led to a pretty limited selection in the Mac App Store, where popular business apps like Zoom and Google Chrome still aren't available. Apple's announcement of the Apple Silicon Mac, which can run iOS apps, and Project Catalyst, which makes it easier to make macOS versions of iOS apps, is certainly going to change this.
However, in the meantime, distributing non-App Store apps across your company devices poses a few challenges for IT. We did a deep dive on these challenges in our guide to macOS app deployment, but for now, just know that bulk non-App Store app management is far trickier and less secure than managing apps from the Mac App Store.
For common business apps with Mac App Store alternatives, IT has the ability to transition non-App Store apps to their App Store versions. We'll take a look at how this is done next.
How to Convert Non-App Store Apps to App Store Apps
We’ll start with an example: Slack is a very popular business app, and it's common for users to obtain it by visiting Slack’s website and using the macOS installer package. As we mentioned in the last section, it can be challenging for IT to manage non-App Store Apps, such as this version of Slack.
Because Slack has a Mac App Store version, IT has the ability to convert the non-App Store version to the Mac App Store version. This is similar to the process used to transition personal apps to Managed Apps, but there's one key difference.
Instead of just changing the app's licensing, transitioning to the App Store version also involves replacing the previous version with the new one. For MDM to be able to replace the existing application, the Bundle ID of the installed copy must match that of the App Store version (a matching file name is not enough).
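A pre-flight check for the Bundle ID requirement, as an added example that is not Kandji's code: it reads CFBundleIdentifier from each installed copy's Info.plist and separates the copies that match the App Store version from those that only share its file name. The app bundles and bundle IDs are constructed for the demonstration.

```python
import plistlib
import tempfile
from pathlib import Path
from xml.parsers.expat import ExpatError


def bundle_id(app_path):
    """Read CFBundleIdentifier from an app bundle's Contents/Info.plist."""
    with open(Path(app_path) / "Contents" / "Info.plist", "rb") as fh:
        return plistlib.load(fh).get("CFBundleIdentifier")


def replaceable(app_paths, store_bundle_id):
    """Split installed copies into (matching, mismatching) against the App Store bundle ID."""
    match, mismatch = [], []
    for path in app_paths:
        try:
            found = bundle_id(path)
        except (OSError, ValueError, ExpatError):
            found = None  # missing or unreadable Info.plist counts as a mismatch
        bucket = match if found == store_bundle_id else mismatch
        bucket.append((Path(path).name, found))
    return match, mismatch


def make_app(root, folder, name, ident):
    """Create a minimal constructed .app bundle containing only an Info.plist."""
    contents = Path(root) / folder / name / "Contents"
    contents.mkdir(parents=True)
    with open(contents / "Info.plist", "wb") as fh:
        plistlib.dump({"CFBundleIdentifier": ident}, fh)
    return contents.parent


def demo():
    """Two copies with the same file name; only one carries the App Store bundle ID."""
    with tempfile.TemporaryDirectory() as root:
        apps = [
            make_app(root, "mac1", "Chat.app", "com.example.chat"),
            make_app(root, "mac2", "Chat.app", "com.example.chat.direct"),
        ]
        return replaceable(apps, "com.example.chat")


if __name__ == "__main__":
    matching, mismatching = demo()
    print("replaceable by MDM:", matching)
    print("bundle ID differs:", mismatching)
```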
The entire Kandji team is excited to be supporting the latest MDM capabilities in macOS Big Sur. Our MDM solution is already packed with other features that make it easy to manage your devices, accounts, and security. With powerful capabilities like zero-touch deployment, one-click compliance, and offline remediation, Kandji has everything you need to enroll, configure, and secure your devices.