Supporting remote users with Apple technology has become top of mind as organizations adapt to new challenges to continue their missions in business, education, and caregiving. But what if your organization can’t immediately purchase and deploy new hardware to allow your users to create, collaborate, and communicate like before? We are here for you.
Jamf recently announced that customers can enroll an unlimited number of personally owned devices into remote management through September 2020. This gives organizations a way to offer users some continuity, with access to the software and tools they need to be successful. If an organization has never supported “bring your own device” (BYOD) users of Apple technology, this may also present a new set of challenges: balancing organizational needs while respecting a user’s privacy and the technology they own.
Jamf wants to help you build BYOD programs that can balance organizational needs and user privacy. While this best practice focuses on macOS management with Jamf Pro, these considerations can also apply to managing other Apple platforms and other Jamf products.
Apple’s native approach to privacy and BYOD management
Before we dive into things here, let’s give credit where it’s due for Apple’s introduction of User Enrollment in iOS 13 and macOS 10.15 Catalina. User Enrollment is a native mobile device management (MDM) enrollment type that protects personal privacy on iOS and Mac devices, keeping an organization’s managed apps and data completely separated from a user’s personal data. This enrollment type also limits MDM capabilities so an IT admin can only erase and remove things they installed, eliminating the option of a worst-case scenario where a user’s data is accidentally erased.
Jamf customers can take advantage of User Enrollment for iOS 13 devices in both our Jamf Pro and Jamf School products. User Enrollment for macOS 10.15 Catalina is supported in Jamf School, because it leverages an “agent-less” management model adhering to Apple’s MDM specifications. For more information on User Enrollment with Jamf, please see the following documentation for Jamf Pro and Jamf School.
On macOS, Jamf Pro has a powerful agent with near limitless possibility, which can automate a myriad of workflows on your organization’s Macs. This power fuels the need to plan your macOS BYOD program deliberately and thoughtfully when using Jamf Pro. This brings up a few interesting questions:
- How do you allow users to enroll their Mac to Jamf Pro as a personal device?
- How can you target BYOD settings and content separately from your organization’s Macs?
- And how do you know a BYOD Mac program is right for your organization and the people you support?
There are a handful of options for consideration.
8 Options for BYO Mac
Let’s take a look at eight ways you can ensure a great work-from-home experience and respect privacy on personally owned Macs, while still protecting company data:
1. Don’t go it alone!
Gather stakeholders in your org to make sure a BYOD program is viable in your environment. Representatives from IT, HR, Legal, and Information Security (InfoSec) should all decide and document the scope and boundaries of how a managed personal device should be configured, taking a keen interest in user privacy and regulation requirements of handling any personally sensitive data.
Agree on a clear definition of how enrolling personal devices helps fulfill an organization’s mission, protect user privacy, and satisfy your risk and compliance requirements. Users will want reassurance before they hand over management of their personal devices to others.
2. Decide what truly needs to be managed, and define those needs
What are you looking to provide for your users? Equitable access to software and learning tools, a few productivity apps in Self Service, or access to your private network over a VPN connection? Perhaps, many of your tools are web-based and you want to simply ensure that macOS and web browsers are up-to-date and secure?
Personally-owned devices likely won’t (and shouldn’t!) go through the same enrollment and provisioning flows as organizationally-owned devices, so management goals should be clearly defined before enrollment. Note: it is quite likely that if VPN access is given, additional security settings will need to be put in place to protect access on the device.
We suggest checking with your application vendors as well, to confirm which applications can be deployed to personal devices under your existing license agreements.
3. Incentivize self-enrollment with a messaging campaign
The method you use to advertise a BYOD program is going to vary depending on your organization’s culture and communication tools. Consider using as many mediums as you have available to maximize awareness within your org. Be transparent with users and give them a clear incentive to want to enroll their device.
Do you have a BYOD stipend to reward participation? Can you easily solve most user needs by equipping them with a curated Self Service portal?
Consider outlining and communicating the expected behavior of User-Initiated Enrollment. Video walkthroughs can be effective, or you can simply share a link to our user experience documentation. This way you can get ahead of any help desk requests during enrollment.
4. Customize the enrollment experience
Many admins love the custom branding options available via Automated Enrollment with Apple deployment programs, and you’ll be pleased to know that similar customization is also available with User-Initiated Enrollment!
Some customization best practice suggestions:
- Require LDAP or SSO authentication for User-Initiated Enrollment. This allows you to gate access and choose which group(s) of users can enroll this way.
- Create a site for “BYOD” devices, and another for “Institutional,” so users clearly see which type of enrollment path they are on. The Site they select will also be important for targeting content and grouping BYOD inventory.
- If users sign in with their organizational credentials, Jamf Pro supports displaying an End User License Agreement (EULA) for users to agree to before they can enroll. Read about User-Initiated Enrollment settings for more information.
- Once you’ve found where to edit the EULA messaging, you can use Markdown to display images and format text so it’s visually compelling and easy to follow!
5. Build “guard rails” to best protect employee privacy
The first step is to create a Smart Group that can be used to target or exclude BYOD devices from policies as needed. Since users enrolled by selecting the “BYOD” Site, devices that are members of that Site should all be personally owned. Create this Smart Group by giving it a name, selecting the “BYOD” Site from the dropdown menu, and leaving the rest of the criteria blank. This group will then include all managed devices in that Site as members.
Another often-overlooked security practice is to use Jamf Pro administrator or group accounts that carry only the minimum privileges required for that user’s role in your organization.
Your organization’s BYOD policy may also state something like, “IT won’t erase your device,” so create boundaries so that an administrator with access to the BYOD Site has only the privileges they need. You can create a “BYOD Administrators” group in Jamf Pro to define the permissions you want to grant or disallow, then assign this group to the IT staff who need access.
6. Revisit existing Policies and Configuration Profiles
Check the Scope settings for your policies and profiles. If BYOD devices don’t need any of these items, consider using the Smart Group you created as a scoping Exclusion.
7. Look at security settings through the lens of user experience
Some security settings are straightforward and turned on by default, so managing them may go unnoticed. Requiring a passcode to log in, setting time intervals before screen lock or screen savers, and requiring a passcode to unlock are all commonly managed settings that protect access to a Mac.
Are you enabling FileVault if it’s not enabled? You’ll likely want to escrow and store the recovery key in Jamf Pro in case a user forgets their own password.
How do you want to handle app patching and OS updates? The latest OS and app versions tend to be the most secure, so this is an important part of maintaining a security posture. Consider having your users agree to allow you to manage their updates.
Major OS upgrades come with other considerations. If you want the latest version of macOS Catalina, you should take into account the apps that your users own and use on their Macs. For example, older 32-bit applications aren’t compatible with Catalina. Advise your users how they can check for apps of this type before they upgrade.
8. Build trust and transparency with Self Service
Above all else, a successful BYOD program needs users to trust that management serves a common interest. Use notifications and alerts often, and try to include the reasons why an action is requested.
Put as many, if not all, policies in Self Service so users can take action when it’s convenient for them.
Remember, personal devices may have simultaneous use for remote work, as well as remote learning in someone’s household, so minimizing disruption is recommended.
You should also form a plan for unenrolling devices, making it as easy as possible for users. Again, Self Service can be used for a single policy that should accomplish all of your needs. Will you need to uninstall licensed applications? Remove the management framework and configuration profiles using a Jamf command? Think of the camping philosophy of “leave no trace,” and plan for a smooth exit when a user stops graciously sharing their device to help your organization.
Stay tuned for future blog content with other actionable BYOD workflows or check out our E-book on empowering a remote workforce. Managing a BYOD program may be a temporary need in your organization, or you may possibly be running one already with Jamf Pro, but we want you to know we are here for you.
What approaches to BYOD management have been successful for your organization? Share your tips or learn best practices from others on Jamf Nation.