Part 3: Embrace native Apple technology
In our ongoing blog series, we examine how forward-thinking IT teams are giving users the tools they want and need to be their most productive and successful at work. After reading the first two chapters of our series, you should understand why offering a technology choice is beneficial to an organization and the practical steps for deploying Mac and iOS devices to employees. Next, we will look at security and how IT can leverage native Apple technologies to keep devices secure, without sacrificing the user experience.
Apple has spent considerable time and effort making the user experience of Mac, iPad and iPhone a pleasant one, and organizations looking to deploy these technologies as part of a choice program should strongly consider keeping that experience intact, especially since the user experience is the main reason why many people choose Apple products in the first place.
Let’s explore some key security configurations IT can implement to ensure their deployed iOS (operating system for iPad and iPhone) and macOS (operating system for Mac) devices remain protected, without needing to bolt on additional software and interfere with the native Apple experience users expect.
Encryption for iOS and macOS
Apple has native encryption tools built into the operating system that can be managed remotely. For iOS, this is as simple as requiring a passcode. Once a passcode is set, iOS automatically turns on its AES 256-bit encryption. The method for applying a passcode policy is via Apple’s mobile device management (MDM) framework, which we discussed in part 2 of our blog series. IT can simply deploy a profile which requires their users to turn on a passcode.
For macOS, Apple builds FileVault into the operating system. This is similar to BitLocker on the Windows side, except it’s included with the standard installation of macOS. IT administrators can require their users to turn on FileVault at any time. IT can even escrow the encryption keys in a single location, allowing access to keys only as needed. These simple measures ensure security standards without requiring additional software.
macOS faces far fewer virus threats than Windows thanks to its UNIX underpinnings. Apple maintains a virus definition list and automatically updates all Macs. This is known as XProtect, and just like FileVault, it is built into the operating system and doesn’t get in the way of users. IT can enforce this setting via an MDM profile.
Since iOS relies on the App Store — which in turn relies on Apple vetting and approving apps — there have been no widespread viruses for the mobile operating system. As such, there is no need to add any anti-virus software to iOS.
Part of securing devices also means applying restrictions. Thanks to the MDM framework, Apple provides IT administrators with a clean way to turn certain features on and off depending on the use case. For example, an IT admin could disable the camera on an iPhone being used in a secure area. Or some of the consumer features, like iCloud, can easily be disabled on both Mac and iOS. These restrictions are all baked into the MDM framework, which IT can build and deploy to their users' devices.
Specifically for Mac, IT needs to consider how they want to handle user accounts. When a Mac is set up for the first time, an account is created for the local user, often with full admin privileges. This is not always desired, since a full admin can install any software they want, modify system settings, and even un-enroll a Mac from management. Because of this, IT can opt to restrict their users to a standard account as opposed to an admin. This setting can be enforced during the initial setup of the Mac, as long as it’s tied to the Device Enrollment Program (DEP).
Finally, IT admins will want to update settings and software once devices are in the hands of users. This is where a management tool that leverages MDM can help. Keep your software up to date by tracking and deploying patches to applications and even the operating system. Run advanced reports to ensure security compliance and automate actions to be taken on devices out of compliance. Using a remote management tool, like Jamf, IT can even ensure the security of devices that are lost or stolen by placing them into Lost Mode or remotely erasing the device.
By avoiding bolt-on, clunky, third-party security software, organizations allow users to get the most out of the Apple experience.
Next in the series: Resources at the ready for employees
As we continue our journey to implement user choice programs, I will take a look at new and unique ways to deliver services for users, including maintaining an on-demand app catalog and taking a tier-zero approach to support.