Skip to content
guide for apple it: zero-touch deployment for mac
Blog Recent News Guide for ...

Guide for Apple IT: Zero-Touch Deployment for Mac

Kandji Team Kandji Team
10 min read

As an Apple admin, setting up new devices for end users became trickier in the last couple of years. With so many employees suddenly working outside the office, the workflows for equipping them with Apple devices needed to adapt. Personally handing a Mac to each new team member on their first day was no longer always feasible. That's why zero-touch deployments have become more important than ever. 

With zero-touch deployments, you can drop-ship devices directly to new hires, wherever they’re working. Those devices can be preconfigured to enroll in your Apple device management solution the first time they start up; your desired apps and settings can then be deployed to them remotely. Because those settings can put those devices in your preferred security posture, zero-touch can bolster your organization’s safety as well as streamline deployments.

In this guide, we’ll explain how zero-touch works and how to implement it. Note that, for the purposes of this post, we’ll focus on zero-touch for Mac computers. But remember that it’s also available for iOS and iPadOS devices.

What Is Zero-Touch Deployment?

Let’s start by defining what we mean by zero-touch deployment. The phrase means exactly what it sounds like: Your IT department has to touch your new devices zero times when deploying them to employees. Or, in Apple’s own words, this deployment method lets you “automatically enroll devices in your mobile device management (MDM) solution without having to physically touch or prep the devices before users get them.” Zero-touch means nobody in IT touches the computer; only end users do.

Apple Business Manager is the key to zero-touch. (If you're managing devices in the education world, the same applies to Apple School Manager; for simplicity's sake, we'll refer to Apple Business Manager in this guide.)

Devices you’ve bought from Apple itself or from an authorized reseller or carrier automatically appear in Apple Business Manager. After you’ve configured that service correctly, when one of those devices is turned on for the first time and connects to the internet, it will check with an Apple service to see if it’s been assigned to your device management solution. 

If it has been, the device then contacts that solution and downloads an enrollment profile. That profile can include information about your device management solution, certificates, and instructions on which Setup Assistant steps to show or skip in the initial setup process. The profile can also prevent users from removing the device from management. 

Now that it’s enrolled, the device can download other profiles from your management solution, and those profiles can install apps and configure settings. 

This initial process—better known as Automated Device Enrollment, or ADE—is not exactly the same as zero-touch deployment. The main difference is that zero-touch means no IT person has physically touched the device before the user. ADE means only that the device is enrolled automatically, regardless of whether or not an IT person physically touched it. Zero-touch relies on ADE.

ADE Kandji_shadowThere are, of course, other ways to deploy devices. You can, for example, use the Apple Configurator app on an iPhone to deploy Mac computers. But that’s hard to scale, and it's anything but zero-touch for IT. You can also have users navigate to a web portal and enroll there, but that puts an extra onus on users. With macOS Big Sur and later, they must log in with administrator status and affirmatively accept enrollment; they can't just click a button and, boom, be enrolled. 

Compared to these other deployment methods, zero-touch is clearly the easiest for IT. But there are cases where it isn’t appropriate—specifically when the device isn’t owned by the organization, when it’s already in use, or when it's shared among multiple users, none of whom are ultimately responsible for it. In those cases, zero-touch isn’t the answer. But for new employees, especially those working remotely, it’s ideal.

The Advantages of Zero-Touch Deployment

There are three good reasons to consider zero-touch deployments for your organization: Time savings, money savings, and improved security.

Faster Deployments

The old in-person deployment process took a lot of steps: Unboxing the device, creating a user account to enroll it, configuring it, and installing apps that the user will need. If your business is growing and you’re deploying many devices at once, this will take a lot of time. 

With zero-touch, you spend some upfront time configuring Apple Business Manager and your device management solution. It then takes some more time to order your drop shipments correctly. But once that’s done, your initial deployments run automatically. With the time saved, your IT team can get on with more important projects.

Automating deployments can save users time, too: They don’t need to enroll through a web portal manually. They take the computer out of the box, turn it on, connect to the internet, and complete Setup Assistant; then they’re ready to go. 

Money Savings

In addition to saving your team time, zero-touch can also save your company money. Think about the shipping involved in other, less automated workflows: The vendor ships the computer to you, as Apple admin, you do your configuring, and then you ship it to the user. That’s two shipping hops you’re paying for instead of one. And because management is implemented as soon as the computer is first turned on, you can deal with many problems remotely rather than having the user ship it back to you for repair.

Enhanced Security

Zero-touch deployments can make your organization more secure in two ways: First, it pretty much guarantees that new devices are enrolled and managed from the first startup; there isn’t a gap between first use and enrollment. Second, because devices are managed from the get-go, you can immediately download all the security settings and apps you want users to have. Third, depending on how you configure that initial ADE payload, you can make its management profile unremovable, so users can’t manually opt out of having their computers under your management.

One note on that second point: At WWDC 2023, Apple announced some improvements to Automated Device Enrollment that will make it even more secure: When macOS Sonoma ships this fall, it will be possible for admins to enable FileVault and escrow a key right from Setup Assistant, ensuring that every Mac is encrypted from the get-go. Also, Apple will allow admins to set a required OS version; users will be guided through the update process before connecting the device to MDM if that version isn't installed yet.

Having users set up their own Mac computers also avoids another problem: If someone in IT sets up a device for a user, that usually means they need to know the user’s password—even though users are never supposed to divulge their password to anyone.

How to Implement Zero-Touch Deployment

The exact steps to implementing zero-touch deployments will vary depending on your device management solution, but here’s how the process works in general.

First, you need to set up Apple Business Manager. That means integrating your device management solution with it; here’s how to do that. You also need to enter your Apple customer ID and/or the reseller number of your Mac computer vendor. That latter step ensures that every device you buy is assigned to your device management solution, so when it first boots up, it knows where to look for enrollment information. Apple explains to do that how here.

Second, you need to configure Automated Device Enrollment in your device management solution. Here, for example, is how to do it in Kandji. Later, to be sure it’s working, you can navigate to Devices in the Kandji web app, then look at the Automated Device Enrollment section.

Remote management screen_shadowOnce you’ve got the pieces in place, you can start ordering devices from your vendor of choice and have them shipped directly to employees. When they turn on their devices and connect them to the internet, a screen labeled Remote Management will appear during Setup Assistant to initiate enrollment—all without you ever opening a box, typing on a keyboard, or tapping on glass.

About Kandji

Kandji is the Apple device management and security platform that empowers secure and productive global work. With Kandji, Apple devices transform themselves into enterprise-ready endpoints with all the right apps, settings, and security systems in place. Through advanced automation and thoughtful experiences, we’re bringing much-needed harmony to how IT, InfoSec, and Apple device users work today and tomorrow.

Editor's note: This story was substantially revised July 27, 2023.