© Drew Smith 2020
D. Smith, Apple macOS and iOS System Administration, https://doi.org/10.1007/978-1-4842-5820-0_8

8. Mobile Device Management

Drew Smith, Cincinnati, OH, USA

The concept of Mobile Device Management (MDM) has been around for nearly two decades, but it has become increasingly popular in recent years due to the “bring your own device” model and the ability to manage traditional desktop computers like Macs or Windows PCs. MDM solutions work through the Application Programming Interfaces (APIs) that the operating system vendor makes available as a means to configure, control, secure, and manage a device over the air. In this chapter, we are going to explore the various services and APIs that Apple makes available to MDM vendors that form the foundation for managing modern iOS and macOS endpoints.

An Apple MDM Primer

There are typically a handful of things that all Mobile Device Management solutions provide. Inventory management and reporting is one; remote (over-the-air) security, configuration, and management is another; and remote software deployment is the third. There are three main components that provide these capabilities on Apple products. Inventory management is handled through the Device Enrollment Program (DEP), security and configuration is handled through Configuration Profile payloads, and software deployment is enabled through the Volume Purchase Program (VPP). We will cover each of these areas throughout this chapter.

There are many third-party MDM solutions on the market today. All of the big players integrate with VPP and DEP and provide remote management using Configuration Profiles. You may have heard of JAMF, Cisco Meraki, or Addigy. These are some of the most popular MDM solutions, and each of them has unique features that differentiate them from the competition. Through macOS Server, Apple also offers a first-party MDM solution with Profile Manager. Since all of these various management solutions use the same APIs, we will use Profile Manager in this book to demonstrate the concepts of MDM, DEP, and VPP which will translate to any MDM solution you may choose to use in your organization.

Pro Tip

Since we will be discussing a number of Apple-hosted services throughout this chapter, this is a good time to introduce you to Apple’s System Status page. You can browse to this page at www.apple.com/support/systemstatus. Here you will see all of the various Apple-hosted services and if they are available or if they are having issues. Sometimes an issue with activation, DEP, VPP, or other services can be the result of a service outage on Apple’s side. This is a good page to consult when troubleshooting various issues.

Device Enrollment Program (DEP)

Apple’s Device Enrollment Program (DEP) is a service that they provide when you purchase devices directly or through participating Apple Authorized Resellers. The way that this works is when your organization purchases an Apple device, a record is created in a database that is hosted by Apple. The record includes the model information, serial number, and membership (if any) into a specific MDM server for each device. Customers interact with DEP through one of two customer portals—Apple School Manager or Apple Business Manager. These online portals allow you to look up new devices and assign them to specific MDM servers. As new devices are purchased and shipped, Apple populates the database with new device records.

Pro Tip

If you have an existing device that you want to add to your organization’s DEP database, you can do so manually in Apple Configurator. This is also useful if you purchased a device from a reseller that does not participate in DEP. You will have 30 days to remove the device from DEP before it is locked in as a device owned by your organization. While it may be tempting, it is not recommended that you add any BYOD or end-user-owned devices into your organization’s DEP database.

Device Enrollment Program has two very specific features. First, it provides a proof of purchase history for all of your Apple devices. You can look up any device by serial number and see when it was added to DEP (approximate purchase date), the make/model of the device, and the purchase order and/or account number that was used to make the purchase. This is particularly useful information for when you need to contact AppleCare and they are looking for proof of purchase validation. The second feature is the ability to assign devices to an MDM server so that you can apply Configuration Profiles during the Setup Assistant process.

As Figure 8-1 illustrates, this process is transparent to the end user. You can use DEP to assign a device to an MDM server and configure the device’s restrictions, configuration settings, and Apps through that MDM, and when the user steps through the Welcome screens and does the device activation through Apple, it contacts your MDM server and applies the required configuration settings before the user even gets to the Home Screen or the Desktop—thereby effectively managing the device without the IT staff ever having to touch it.

Figure 8-1. A diagram of how DEP and MDM work together to configure new devices over the air

Volume Purchase Program (VPP)

Let’s say that you are in a situation where you need to install the Microsoft Office suite on every iPad and Mac in your organization. You want to be able to do this automatically and without end-user interaction by pushing these down from the App Store and Mac App Store, respectively. You also want to make sure that users can update the Apps when prompted using their Apple ID and not a single shared institutional Apple ID. Apple provides a solution for this scenario called Volume Purchase Program (VPP).

Apple’s VPP allows a system administrator to purchase any number of free or paid Apps from the App Store and assign a license for that App to a specific Apple ID. At any time, the license to that App can be removed from a specific user and then assigned to another user. This allows an organization to purchase a pool of licenses for any participating App and assign them to users when they need them and remove the licenses when they no longer do. When a license is removed, it is placed back into the pool where it can be assigned to another user.

Pro Tip

You can use Managed Apple IDs or personal Apple IDs with VPP. When you remove a license to the App, the user will receive a notice that the App license has been removed, and they will have up to 30 days to export the data from the App’s container or purchase a license on their own to continue using the App. After the 30-day grace period, the App will disappear from the device.

Developers must opt in to have their App available for purchase through VPP. There are sometimes VPP discounts if Apps are purchased in bulk quantities, or if you are part of an academic organization, education discounts could also apply. This is entirely up to the discretion of the App developer or publisher (iBooks).

Pro Tip

In the case of iBooks, licenses to textbooks or other books can be purchased in bulk, but unlike Apps, they cannot be assigned and then removed and reassigned to another Apple ID. Once a book is assigned to a user, it is theirs to keep and cannot be returned to the pool.

Supervision and User Approved MDM

As we already discussed, Mobile Device Management is an over-the-air solution for configuring, securing, and deploying devices to end users as well as managing the devices without IT needing to physically touch those devices. In general, this idea of unified device management is very appealing in that I can manage my macOS clients the same way that I manage my iOS devices, but it is important to note a few differences between platforms.

Device Supervision

In Chapter 5 we discussed supervision as it relates to iOS devices and Apple Configurator. Because iOS was conceived as a single-user operating system, there are no separate Standard and Administrator accounts with which to lock down specific parts of the OS for security and support reasons. Supervision is a way to manage organization-owned devices as a system administrator might do with an administrator account on a desktop computer. Just like we did in Apple Configurator, you can supervise an iOS device through an MDM solution and gain access to the full catalog of payloads for restricting and securing devices.

User Approved MDM

In macOS, there is no Supervision mode because it is built as a multi-user operating system. You can apply Configuration Profile payloads to a Mac client, and as long as the user is not a local Administrator, they cannot remove it. It is important to note that any user with local Administrator privileges on the Mac can remove any Configuration Profile using the Profiles System Preference. If you are using MDM to secure your Macs, be sure that your user accounts are Standard or Managed.

Pro Tip

The Profiles System Preference will only be visible once a Configuration Profile is installed.

Most of the Configuration Profiles that you will install on a macOS client will take effect as soon as they are assigned. There is one subset of Configuration Profile payloads that are special and require the end user to approve them before they will take effect. These payloads are tied to Apple’s Transparency, Consent, and Control (TCC) initiative. Specifically, these are the Privacy Preferences Policy Control payload and the Kernel Extension (kext) Policy payload.

There are two ways to install Configuration Profiles with these kinds of payloads. One is interactively on the device by double-clicking the *.mobileconfig profile and stepping through the installation and approval dialog boxes. The other is by pushing the Configuration Profile out via an MDM solution where the device was enrolled via DEP.

Pro Tip

Apple is very adamant that TCC-related payloads require the end user to approve them physically on the device. To this end, they have even disabled the ability to interact with the Profiles System Preference to approve the Profiles remotely using Apple Remote Desktop or Screen Sharing.

Here are a few payload examples that require User Approved MDM to manage:
  • Photos

  • Camera

  • Microphone

  • Reminders

  • Address Book (Contacts)

  • Accessibility

Pro Tip

Camera and Microphone access can only be disabled (denied) using the payload; it cannot be pre-approved. The user must approve access to these devices the first time they are used by a specific application.

In Chapter 3 we covered the topic of third-party kernel extensions (kexts) and the need for end users to use the Security & Privacy System Preference to approve these kexts the first time they run. If our devices are User Approved, we can define and automatically whitelist these kexts to run without prompting the end user to approve them. Another way to think of User Approved MDM is that the system administrator is electing to approve these kinds of things on behalf of the end user. User Approved MDM is a topic we will continue to demonstrate in Chapter 9 as we enroll and manage devices with Profile Manager.

Pro Tip

There are no special management capabilities that you gain by supervising a macOS device. The Administrator account still supersedes Configuration Profiles on macOS as of this writing. Likewise, there is no iOS equivalent of User Approved MDM as this is a Mac-only concept.
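Whether a profile will need User Approved MDM can be checked before it is pushed. The script below is an added example, not code from the book: it parses a .mobileconfig with the standard plistlib module, lists the payload types the chapter ties to TCC (Privacy Preferences Policy Control and Kernel Extension Policy), reports whether PayloadRemovalDisallowed is set, and flags a Camera or Microphone rule that tries to pre-approve access, which the payload cannot do. The sample profile, its identifiers, Team ID and bundle IDs are constructed placeholders.

```python
"""Audit a .mobileconfig for payloads that require User Approved MDM.
Added example, not the book's code; the sample profile and its identifiers,
Team ID and bundle IDs are constructed placeholders."""
import json
import plistlib
import sys

PPPC = "com.apple.TCC.configuration-profile-policy"   # Privacy Preferences Policy Control
KEXT = "com.apple.syspolicy.kernel-extension-policy"  # Kernel Extension Policy
# TCC services a PPPC payload may only deny; the user must still grant them.
DENY_ONLY_SERVICES = {"Camera", "Microphone"}


def audit_profile(profile_bytes: bytes) -> dict:
    """Report which payloads need User Approved MDM, whether removal is locked,
    and any PPPC rule that tries to pre-approve a deny-only service."""
    top = plistlib.loads(profile_bytes)
    report = {
        "identifier": top.get("PayloadIdentifier"),
        "removal_disallowed": bool(top.get("PayloadRemovalDisallowed", False)),
        "needs_uamdm": [],
        "invalid_rules": [],
        "allowed_kexts": [],
    }
    for payload in top.get("PayloadContent", []):
        ptype = payload.get("PayloadType")
        if ptype in (PPPC, KEXT):
            report["needs_uamdm"].append(ptype)
        if ptype == PPPC:
            for service, rules in payload.get("Services", {}).items():
                for rule in rules:
                    if service in DENY_ONLY_SERVICES and rule.get("Allowed"):
                        report["invalid_rules"].append(
                            f"{service}:{rule.get('Identifier')}")
        elif ptype == KEXT:
            for team, bundles in payload.get("AllowedKernelExtensions", {}).items():
                report["allowed_kexts"].extend(f"{team}/{b}" for b in bundles)
    return report


def _pppc_rule(bundle_id: str, allowed: bool) -> dict:
    """One PPPC service rule for a bundle identifier (constructed sample)."""
    return {
        "Identifier": bundle_id,
        "IdentifierType": "bundleID",
        "CodeRequirement": f'identifier "{bundle_id}"',  # placeholder requirement
        "Allowed": allowed,
    }


# Constructed sample .mobileconfig, serialized as a profile file would be.
SAMPLE_PROFILE = plistlib.dumps({
    "PayloadType": "Configuration",
    "PayloadVersion": 1,
    "PayloadIdentifier": "com.example.uamdm-demo",
    "PayloadUUID": "00000000-0000-4000-8000-000000000001",
    "PayloadRemovalDisallowed": True,  # blocks removal from the Profiles pane
    "PayloadContent": [
        {
            "PayloadType": PPPC,
            "PayloadVersion": 1,
            "PayloadIdentifier": "com.example.uamdm-demo.pppc",
            "PayloadUUID": "00000000-0000-4000-8000-000000000002",
            "Services": {
                # Camera cannot be pre-approved; the audit flags this rule.
                "Camera": [_pppc_rule("com.example.meetingapp", True)],
                "Accessibility": [_pppc_rule("com.example.helper", True)],
            },
        },
        {
            "PayloadType": KEXT,
            "PayloadVersion": 1,
            "PayloadIdentifier": "com.example.uamdm-demo.kext",
            "PayloadUUID": "00000000-0000-4000-8000-000000000003",
            "AllowedTeamIdentifiers": ["ABCDE12345"],
            "AllowedKernelExtensions": {"ABCDE12345": ["com.example.driver"]},
        },
    ],
})

if __name__ == "__main__":
    # Usage: python audit_profile.py [profile.mobileconfig]; defaults to the sample.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else SAMPLE_PROFILE
    print(json.dumps(audit_profile(data), indent=2))
```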

Apple School Manager/Apple Business Manager

As mentioned earlier in this chapter, Apple School Manager and Apple Business Manager are very similar administration portals that Apple provides to organizations for the purpose of managing MDM/DEP and VPP. Apple School Manager has a few additional academic-only features like Classroom or Shared iPad options that we will not be covering in this book. I will be using Apple School Manager to demonstrate the common features of these two portals and how to use them in conjunction with your MDM solution.

Configuring Apple’s Management Portal

The first step in getting started with Apple School Manager or Apple Business Manager is creating an institutional Apple ID that Apple will use to create an institutional Administrator account. This Apple ID must be protected via multi-factor authentication and should not be tied to a single employee’s account. Once Apple grants you access to either the Apple School Manager or Apple Business Manager portal, you can use this account to sign in and begin setting things up. Figure 8-2 shows the login windows for http://school.apple.com and http://business.apple.com depending on the type of organization you belong to.

Figure 8-2. The login portals for Apple School Manager and Apple Business Manager

Once you are signed into the portal, you will see something similar to Figure 8-3. Here you can manage your organization’s locations, users, devices, and content. You can create additional user accounts and give them various roles such as Content Administrator or Account Administrator privileges to assist with managing your Apple devices and user accounts.

Figure 8-3. The main Apple School Manager home page

Feel free to explore and familiarize yourself with the options available under each of these headings:
  • Activity: A history of recent activity in the management portal.

  • Locations: If you are a company or school with multiple locations, you can add locations for each of your buildings and define a unique password policy by location. In an academic environment, you may want password restrictions that are different for K-6 vs. high school, for example.

  • Accounts: This is where you manage user accounts.

  • Roles: This is where you manage the permissions for various roles like site manager or staff.

  • Device Assignments: This is the area where you interact with the Device Enrollment Program database and assign devices to specific MDMs.

  • Assignment History: This is the history of MDM device assignments.

  • Apps and Books: This is where you interact with Volume Purchase Program and make bulk purchases of content to distribute through your MDM solution.

Click the Settings button in the lower-left corner of the window, and you will see the options as shown in Figure 8-4. Here you can define some of the settings for VPP, MDM, and Customer Information. The Device Management Settings button will display your active Customer Number(s) for purchases directly from Apple or your Reseller IDs if purchasing through a participating third party.

Figure 8-4. Customer and institutional information

MDM Server Integration

The very first thing we are going to do is to create an MDM server record to link our server to our instance of Apple School Manager. This will allow us to assign specific devices to our macOS Server running Profile Manager and manage them.

Configuring Profile Manager and DEP

  1. The first step is to browse to Settings in the Apple School Manager/Apple Business Manager management portal. Click Device Management Settings and then click the Add MDM Server button as shown in Figure 8-5.

     Figure 8-5. Click Add MDM Server in Device Management Settings

  2. To configure the MDM server info, you need to provide a few items including a name and a public key to create a secure connection between DEP and your MDM server. Name this MDM server something descriptive. I’m going to call mine “My Company’s MDM Server.” I am going to leave the Allow this MDM Server to release devices box checked. Your screen should look similar to Figure 8-6.

     Figure 8-6. Name your server and upload a public key

     Pro Tip

     When your organization purchases devices, they are automatically placed in the DEP database. If your organization wants to sell or dispose of a device, Apple requires you to remove the device from the DEP database as part of the Apple School Manager/Apple Business Manager terms of service. Releasing the device is the term Apple uses for removing the device from your organization’s DEP database.

  3. Next we need to get that public key from our Profile Manager instance running on our Mac server. Switch over to the Server application and click the Profile Manager service. Under the Deployment Programs section, there are a number of options as shown in Figure 8-7. Depending on the program your organization belongs to, you will want to choose either Apple School Manager or Apple Business Manager and click the Configure… button under one of those options.

     Figure 8-7. Click the Configure… button under the Deployment Program that aligns to your organization

     Pro Tip

     Now is a good time to check the Date & Time System Preference on your Mac server. You will need to make sure that the time zone, date, and time are all accurate before continuing, or you may run into errors configuring the secure connection to the cloud-hosted service.

  4. I will be using Apple School Manager, so I’m clicking the Configure… button under that heading. The very first thing the Configuration Assistant will do is remind you that you need to have access to the online management portal at business.apple.com or school.apple.com before you proceed. Click Next to continue.

  5. On the next dialog box, you will be presented with a public key that can be used on the Apple School Manager site. This is the key we need to continue configuring our MDM connection. Click the Export… button as shown in Figure 8-8. Save it to the Desktop.

     Figure 8-8. Export your server’s public key

  6. Next, go back to Apple School Manager and click the Choose File button under the MDM Server Settings ➤ Upload Public Key option as shown in Figure 8-9. Select the *.pem file you downloaded to your Desktop from the Profile Manager Configuration Assistant. Click the Save button after adding the public key.

     Figure 8-9. Upload the public key from your server to this section of the management portal

  7. Once you click the Save button, the page will refresh, and you will have an option to download a token as shown in Figure 8-10. Click the Download Token button and save the file to your Desktop. It will warn you that downloading the token will reset any existing ones in use. Since we don’t have any existing ones, we can ignore this warning and click the Download Token button to continue.

     Figure 8-10. Click the Download Token button and save the token to your Desktop

  8. Next, we need to switch back to our Mac server and finish the Configuration Assistant using the *.p7m token we just downloaded. Click Next to proceed to the dialog box where we will upload the token. Click the Choose… button to select the Token File as shown in Figure 8-11. Then click the Continue button.

     Figure 8-11. Choose the Token File you downloaded to the Desktop from the management portal

  9. Once that has completed successfully, click the Done button to finish the configuration. You should now have a green dot next to the selected Deployment Program as I do in Figure 8-12.

     Figure 8-12. Apple School Manager has a green dot on my server indicating that it is running

Pro Tip

You should definitely make a note of when your tokens are set to expire (every 365 days) so you can renew them without causing a service outage. You should also pay attention to the updates that Apple makes to its terms and conditions for your Apple School Manager or Apple Business Manager account. These usually update when there are major new features or new operating system releases. You will need to periodically go into the management portal and agree to these new terms, or the DEP/VPP services may fail to work properly until you do.

Managing DEP Clients

Now that we have our MDM server configured, we need to add a couple of clients from the DEP database to our specific server. Because I can have multiple MDM servers in my organization, I need to manually move devices into the server I want to use. If you have one MDM server and you want to manage all of your devices with that single server, you can move all of the devices into that single server and set it up as the Default Device Assignment so any newly purchased devices automatically get assigned to this MDM server.

To do this, browse to Settings ➤ Device Management Settings ➤ Default Device Assignment in Apple School Manager/Apple Business Manager, click the Edit button, select the specific MDM server for each device group, and then click Apply to save the changes as shown in Figure 8-13.

Figure 8-13. Configuring the Default Device Assignment by product

Next let’s assign a test iPad and a test MacBook Pro to our newly created MDM server. To get started, click the Device Assignments link under the Devices heading in Apple School Manager. You should see something similar to Figure 8-14.

Figure 8-14. The Manage Devices page in Apple School Manager

From this screen, you can either select devices individually by searching for them or entering their serial number, or you can upload a *.csv file to assign them in bulk. Since we only have two devices to assign, we are going to click the Search Devices link in the top-left corner of the screen and manually search for our devices by serial number. I entered my serial number for an iPad Air that I have, and it found the device in the DEP database as shown in Figure 8-15.

Figure 8-15. The search device page allows me to assign a device to my specific MDM server

From this screen, I can view the order number (for proof of purchase) as well as assign it to a specific MDM server. In my case I am going to select “My Company’s MDM Server” from the pop-up menu. I can also release this device by clicking the Release Device button. I’m going to assign this to my MDM server and then click the Done button.

Apple School Manager will update the device assignment, and I can click the Done button again to exit. To confirm that my device was assigned, I can browse to Settings ➤ My Company’s MDM Server and ensure that it lists 1 iPad under the Devices section as shown in Figure 8-16. Repeat this process for additional iOS devices and at least one test Mac.

Figure 8-16. Confirmation that our test device got assigned to the new MDM server

Now that we have at least one Mac and one iOS device connected to our MDM, we are all set to begin managing these devices in Profile Manager. We will explore Profile Manager in detail in Chapter 9.

Managed Apple IDs

I have touched on Managed Apple IDs a few times throughout the various chapters in this book. Managed Apple IDs are those that are created by and tied to your organization through Apple School Manager and Apple Business Manager. This allows your organization to provide each student or employee with a noncommercial Apple ID that can be used for things like iTunes U or iCloud. They cannot be used to purchase Apps or Books on the various App Stores, but you can assign Apps and Books to Managed Apple IDs using MDM as well as perform password resets for those IDs without Apple’s involvement.

The typical format of a Managed Apple ID is username@appleid.company.com or username@appleid.institution.edu. You can create these manually for each user in your organization, or you can have them automatically provisioned through an Active Directory connector. Apple provides for federated authentication using Microsoft’s Azure Active Directory. Instead of creating Managed Apple IDs for every user in your organization, you can use Security Assertion Markup Language (SAML) to connect your Azure AD to Apple School Manager or Apple Business Manager. The first time a user logs in with their AD credentials, a Managed Apple ID is created for them.

You can configure these settings in Apple School Manager or Apple Business Manager by browsing to Settings ➤ Accounts and adjusting the settings as shown in Figure 8-17.

Figure 8-17. Account settings for Managed Apple IDs and Azure AD

Redeeming Apps and Books with VPP

Finally, the last thing we need to configure for use with Profile Manager is Volume Purchase Program (VPP) so we can redeem and assign Apps and Books to our devices. This is similar to the process we followed to create our MDM connection to Profile Manager.

Configure VPP for Profile Manager

  1. The first step is to sign into our Mac server, open the Server application, and click the Profile Manager service. Under the Deployment Programs section, find Volume Purchase for Apps and Books and click the Configure… button as shown in Figure 8-18.

     Figure 8-18. Click the Configure… button under the VPP section

  2. You will be prompted to choose a VPP token. Open Apple School Manager or Apple Business Manager and browse to Settings ➤ Apps and Books. Scroll down to the bottom section under the My Server Tokens heading and click the Download button next to your organization’s Location name as shown in Figure 8-19 to save the file to your Desktop.

     Figure 8-19. Click the Download button on the Apps and Books pane

  3. Once it downloads the *.vpptoken file to your computer, click the Choose… button in the Volume Purchase Configuration Assistant, select the VPP token file as shown in Figure 8-20, and click Continue.

     Figure 8-20. Upload the VPP token file into Profile Manager

  4. Once that is completed, Volume Purchase for Apps and Books will be enabled, and we can use our MDM to deploy Apps and Books to users and devices using Profile Manager. Click Done to exit.

Summary

In this chapter, you gained a solid foundation of the concepts around Mobile Device Management, Volume Purchase Program, and Apple School Manager/Apple Business Manager. Now that we have configured a connection to our Profile Manager server and added a couple of test devices, we are ready to move forward with the over-the-air management of these test endpoints.

In Chapter 9, we will use the concepts we have learned to remotely configure our iOS and macOS devices using Profile Manager as our MDM.