When you think of mass deployments of Apple devices, you might typically think of schools. IT admins who work in education know all about deploying hundreds, if not thousands, of devices at once and what that requires because they do it every year. They know it’s no trivial task. While they might try to make the process seem simple to the outside world, the truth is that it takes an incredible amount of planning and preparation to deploy thousands of devices at once.
Enterprise admins don’t necessarily need to deploy that many devices all at once on a regular basis. But the mass deployment model so familiar in the education market must sometimes be replicated on the enterprise side. Here’s what those in the enterprise can learn from their colleagues in education.
What Is a Mass Deployment?
Just so we’re clear at the outset: A mass deployment is when you need to deploy many, many systems in a short period of time. Just how many is open to debate. Setting up 20 Mac computers over two weeks is very different from setting up 20 Mac computers a day for two weeks.
Reasons for a mass deployment include starting up a new office, onboarding a large cohort of new employees, transitioning from Windows to Mac, upgrading a fleet en masse, and more. The devices might be new, or they might be existing devices being redeployed to new users.
For example, think about a retailer upgrading its point-of-sale systems to Apple platforms, an airline replacing its old in-flight management tools, or a rapidly expanding start-up opening an entirely new office. Such deployments must be managed at scale and usually against some kind of deadline—that's what makes them "mass."
There is also a difference between deployment and provisioning. The first is about getting equipment out to users and setting it up; the second may be on an equally large scale but is more focused on ensuring everyone has the software and services they require.
So what needs to be in place for a large-scale deployment to work?
One lesson that you learn in managing mass deployments in education: You have to make it easy for end-users. They receive the new hardware with a passcode or password to log into their device; your selected device management solution then handles the rest. Depending on how you configure that initial startup experience, users may not need to interact with their new devices any further during that setup phase.
But that’s just how it looks to them. Behind the scenes, creating this simple end-user experience requires meticulous planning. That planning includes selecting the right device management vendor and determining the kind of enrollment that’s required.
Mass deployment is a project and so requires project management. Someone needs to solve the logistical challenges of acquiring the new devices and ensuring that they arrive on schedule, sometimes to geographically dispersed teams. Tech support needs to be scheduled so it’s available when all those devices hit users’ hands. Fundamental problems, such as how to safely store and secure the new equipment, as well as how to insure it all, must be resolved. Software licenses, as well as security and access policies, must be in place. You have to make sure that the organization’s network is up to the task of having all those devices go online in a short period of time.
Things can (and often do) go wrong. Supply-chain challenges, electrical supply problems, a strike at your distribution company—someone must be in a position to manage unexpected obstacles. In particular, software vendors may suddenly find their servers being pushed to provide large quantities of data to your users. Apple's U.S. education customers deploy millions of devices in the last few weeks of summer vacation, which can lead to unexpected loads and delays throughout the ecosystem. Business customers who have the flexibility will want to factor this into their deployment date decision-making.
What’s the Workflow?
To get a sense of the mass-deployment workflow, imagine a retailer opening new stores in multiple locations. The IT department must gather the new Mac computers (or iPhone and iPad devices). Those devices will be updated, tagged, added to Apple Business Manager (using Apple Configurator if necessary), and provisioned with the necessary apps and configurations before being shipped to staff. They will develop a quality-assurance process to ensure devices were provisioned correctly. They may assign apps and user authorizations using their device management solution.
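One way to automate the quality-assurance step described above, as an added example that is not from the original article or any vendor's tooling. The inventory export format, field names, bundle identifiers, profile names and minimum OS version are all assumptions constructed for illustration.

```python
import json

# Hypothetical baseline for one rollout. Field names and values are assumptions
# for this example, not any device management vendor's export schema.
BASELINE = {
    "min_os": (14, 4),
    "apps": {"com.example.pos", "com.example.inventory"},
    "profiles": {"Store Wi-Fi", "Passcode Policy"},
}

# Constructed sample inventory export: one record per provisioned device.
SAMPLE_EXPORT = """[
 {"serial": "TEST0001", "asset_tag": "A-1001", "in_abm": true, "mdm_enrolled": true,
  "os_version": "14.4.1", "apps": ["com.example.pos", "com.example.inventory"],
  "profiles": ["Store Wi-Fi", "Passcode Policy"]},
 {"serial": "TEST0002", "asset_tag": "A-1002", "in_abm": true, "mdm_enrolled": true,
  "os_version": "14.3", "apps": ["com.example.pos"],
  "profiles": ["Store Wi-Fi", "Passcode Policy"]},
 {"serial": "TEST0003", "asset_tag": "", "in_abm": false, "mdm_enrolled": true,
  "os_version": "14.5", "apps": ["com.example.pos", "com.example.inventory"],
  "profiles": ["Store Wi-Fi"]}
]"""

def check_device(dev, baseline=BASELINE):
    # Return a list of findings for one device record; an empty list means pass.
    findings = []
    if not dev.get("asset_tag"):
        findings.append("missing asset tag")
    if not dev.get("in_abm"):
        findings.append("not in Apple Business Manager")
    if not dev.get("mdm_enrolled"):
        findings.append("not enrolled in device management")
    # Compare versions numerically so "14.10" sorts above "14.4".
    version = tuple(int(p) for p in dev.get("os_version", "0").split("."))
    if version < baseline["min_os"]:
        findings.append(f"OS {dev.get('os_version')} below minimum")
    for kind in ("apps", "profiles"):
        missing = sorted(baseline[kind] - set(dev.get(kind, [])))
        if missing:
            findings.append(f"missing {kind}: {', '.join(missing)}")
    return findings

def qa_report(export_json, baseline=BASELINE):
    # Map serial -> findings for every device that fails the baseline.
    results = {d["serial"]: check_device(d, baseline) for d in json.loads(export_json)}
    return {serial: found for serial, found in results.items() if found}

if __name__ == "__main__":
    print(json.dumps(qa_report(SAMPLE_EXPORT), indent=2))
```

Devices that appear in the report are held back from shipping until the listed gaps are fixed and the check passes.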
While each deployment differs, there are some common tools that each requires: Apple Business Manager, a device management solution, Apple’s deployment documentation, and Apple Configurator.
The latter lets you add devices that weren’t purchased directly from Apple or its authorized sales channels to Apple Business Manager. It's particularly useful when you’re repurposing existing devices or using systems sourced elsewhere. Apple Configurator 2 for Mac also lets you create blueprints for Automated Device Enrollment on iPad, iPhone, and Apple TV. Those blueprints can ensure that the device connects to the network if using Wi-Fi and then direct the device to enroll in the device management solution, which then completes the provisioning process.
Experienced admins often use cfgutil—a command-line tool installed within Configurator—because it provides finer-grained control of the process than Configurator alone, while also helping to gather more data from devices.
While Apple has improved the Mac provisioning process with features such as Erase All Content and Settings, the challenge remains to pull all the required software across a network. End-users—particularly those working remotely—must have access to networks that are robust and secure. While IT can prepare the organization’s in-office networks to meet the needs of many, many users connecting and downloading profiles and software all at once, it may not be feasible or cost-effective to prepare the entire network for such transient demand.
Wi-Fi networking is probably the biggest hurdle most people encounter during a mass deployment. Most enterprise Wi-Fi networks aren’t built to handle the data demand of provisioning thousands of devices in a short span of time, all in one place.
If you intend to deploy hundreds of devices simultaneously over your existing networks, you must anticipate problems, as the medium contention will be very high. Wi-Fi works fine for a small number of users, but when you attempt to upgrade the maximum number of supported devices via one base station, throughput will slow to a crawl.
There are alternatives to provisioning over the air. Apple Configurator can activate iOS and iPadOS devices that are connected via USB as long as the Mac running it has an Internet connection. If you want to use Apple Configurator with more than a few iPhone and iPad devices at a time, you’ll want to invest in high-quality USB hubs (ideally Apple MFi certified solutions) or specialized hardware (such as the Cambrionix ThunderSync). Or, as with Mac, you can use USB-Ethernet adapters.
Apple's content caching service, built into macOS, can help mitigate network problems by caching apps from the App Store. Apps will be downloaded once when they are first required and made available to devices over the LAN, without having to download the same version from Apple again. Multiple content caches can work together to share content, too.
For Mac apps distributed outside the App Store, which can’t be cached in this way, most device management tools provide some kind of solution. In all cases, though, consider which content absolutely needs to be on the device at first use and which content can be installed later using the end-user's network—either automatically by your MDM or manually using self-service.
Consideration should also be given to the robustness of the network on which the device will be used. After Wi-Fi saturation, Internet connection saturation is often the next bottleneck.
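A rough planning model for the bottlenecks described above, as an added example that is not from the original article. Every figure (device count, payload sizes, aggregate throughput) is an assumption for illustration, and the model simplifies by treating each link as fully usable and ignoring protocol overhead.

```python
def transfer_hours(gigabytes, mbps):
    # 1 GB = 8000 megabits (decimal units); result is in hours.
    return gigabytes * 8000 / mbps / 3600

def estimate(devices, cacheable_gb, uncached_gb, local_mbps, internet_mbps, content_cache):
    # Every device pulls its full payload across the local network.
    local_gb = devices * (cacheable_gb + uncached_gb)
    # With a content cache, cacheable content crosses the Internet link once;
    # content that cannot be cached is still downloaded once per device.
    cached_part = cacheable_gb if content_cache else devices * cacheable_gb
    internet_gb = cached_part + devices * uncached_gb
    local_h = transfer_hours(local_gb, local_mbps)
    internet_h = transfer_hours(internet_gb, internet_mbps)
    bottleneck = "local network" if local_h >= internet_h else "internet link"
    return round(max(local_h, internet_h), 2), bottleneck

# Assumed aggregate throughput in Mbit/s: saturated Wi-Fi vs. wired adapters,
# both behind the same 1 Gbit/s Internet connection.
SCENARIOS = {
    "wifi, no cache": dict(local_mbps=400, internet_mbps=1000, content_cache=False),
    "wifi, content cache": dict(local_mbps=400, internet_mbps=1000, content_cache=True),
    "wired, no cache": dict(local_mbps=10000, internet_mbps=1000, content_cache=False),
    "wired, content cache": dict(local_mbps=10000, internet_mbps=1000, content_cache=True),
}

def compare(devices=200, cacheable_gb=6, uncached_gb=1):
    # Return {scenario: (hours, limiting link)} for the assumed rollout.
    return {name: estimate(devices, cacheable_gb, uncached_gb, **s)
            for name, s in SCENARIOS.items()}

if __name__ == "__main__":
    for name, (hours, limit) in compare().items():
        print(f"{name:22s} {hours:5.2f} h  limited by {limit}")
```

With these assumed numbers, a content cache changes nothing while Wi-Fi is the limiting link; once devices are wired, the Internet connection becomes the bottleneck and the cache cuts the estimate substantially.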
In planning a mass deployment, it can help to think in terms of three models and decide which one most closely meets your organization’s and your users’ needs.
Out of the Box (a.k.a. zero-touch): IT purchases the device from Apple or an authorized reseller, assigns it to its device management solution using Apple Business Manager, and ships the device to the end-user without ever breaking the seal on the box. This is Apple's preferred method. The user experience is Apple's Setup Assistant, though IT can suppress most of its steps using the MDM and Apple Business Manager.
This model requires less work per device for IT but may mean the end-user has to wait for their critical apps to be provisioned. It may also require more help-desk support, to assist users in getting started. This technique often gives users a greater sense of ownership of the device, which can lead to greater care taken with the device.
Fully Pre-Provisioned: IT uses device management and local tools to provision systems with the complete set of configurations and apps that employees will need. Maintenance is done by MDM or by bringing devices back to IT for updates. IT has complete control over the user's initial experience, and the configurations and content that the user needs are in place from the very beginning.
This model requires a lot of time upfront from IT, to ensure that the configuration is complete and correct. Each device must be configured by hand by IT before it can be given to the end-user, which can create delays in delivery. End-users typically have a lower sense of ownership of the device and may not treat it as well.
Middle-ground (or hybrid): IT preloads apps and configurations that will be necessary from the moment the user begins using the device. Additional content and configurations are applied later, either automatically when the device checks in or via self-service. This model reduces the amount of work IT must do upfront and helps engender a sense of ownership of the device, while still ensuring the user can be productive as soon as they receive the device.
The model you select should reflect the unique needs of your business and your users, but there are times when it really is necessary to fully pre-provision your devices:
- Shared-device fleets: Devices must be reprovisioned to a neutral state after use.
- Kiosks: When iPad devices are used as menus or retail sales tools, they don’t require personalization.
- Education: Administrators may choose not to rely on students to complete setup or to rely on their network infrastructure to deploy large app loads.
- Healthcare: Hospitals and patient services may provide devices to patients for the duration of their stay, which means personal data must be removed between users.
Selecting the user-experience model that's right for your organization will help determine your mass-deployment plan. Once you've decided how such a deployment should work for your users, you can then start the painstaking process of planning it.
Whether you're deploying a couple of new devices to end-users or hundreds, Kandji is ready to help. With powerful and time-saving features such as zero-touch deployment, one-click compliance templates, and plenty more, Kandji has everything you need to bring your Apple fleet into the modern workplace.