Apple’s latest MacBook Pro hardware ships with the new T2 chip. The T2, developed by Apple, first appeared in Apple hardware with the release of the iMac Pro at the end of last year. It brings some truly valuable security features for new and long-time enterprise users of Apple hardware. Among these is a secure boot sequence, whose default setting is “full security mode”. The big thing to note is that, in full security mode, the Mac will only boot an operating system that Apple has signed and currently trusts, and when macOS is installed or reinstalled the Mac needs an internet connection so that the installation can be verified with Apple.
That last point should set alarm bells ringing for organizations deploying Apple at scale with traditional provisioning methods, such as booting from an external drive or from the network to lay down a monolithic “cloned” disk image. By their very nature, neither method verifies the integrity of the OS with Apple, which the T2 chip’s secure boot sequence requires (and a T2 Mac in its default configuration will not boot from external media at all). So where does this leave organizations looking to manage Apple devices in a modern and efficient way?
The path to modern Apple device management
The good news is that this should not come as a total surprise, since the writing has been on the wall for some time. Apple has published several KB articles over the past couple of years stating that it does not recommend monolithic imaging. Instead, Apple offers a best-in-class deployment program, formerly known as the Device Enrollment Program (DEP) and now part of Apple Business Manager, that allows organizations to configure devices straight out of the box as soon as they make their first successful internet connection.
Aside from automated device enrollment, Apple Business Manager — when paired with a management solution — makes it easy to enforce security features, keep devices up to date and ensure company policies are adhered to.
So how can organizations that aren't currently using these programs, but have new hardware, get by? Put simply, they should enroll in the program now and speak to their Apple supplier about retrospectively adding devices they have already purchased. It’s all about establishing a chain of trust for purchasing, so that at activation a device can be verified as having actually been purchased by the organization configuring it. The last thing organizations should do is try to reverse engineer the process and keep old imaging techniques limping along. At the very least, if an organization cannot for whatever reason enroll in Apple’s deployment programs, it should look at an MDM platform for basic management tasks such as remote wipe, remote lock and disk encryption configuration.
With traditional imaging methods being phased out, organizations will face several challenges as they move to more modern workflows. Active Directory is a good example. Many organizations rely heavily on a directory service to deliver authentication and authorization. With more employees working remotely, does relying on a central directory password for access to company assets hurt the user experience? In short, yes: a Mac that is away from the corporate network cannot reach the directory to change or verify that password.
Using MDM, it is straightforward to manage local user account password settings without relying on a connection back to HQ to change a password. A clean approach is to manage local accounts on the device and protect company data accessed via the cloud with an identity provider, such as Okta, that delivers two-factor authentication.
Power of identity providers and MDM
Let’s take one of the biggest identity providers out there, Azure Active Directory (AAD) from Microsoft. Microsoft’s cloud directory is not natively based on traditional LDAP attributes at all, and it offers a range of security features that organizations are crying out for. One such feature is conditional access for the Microsoft Office 365 applications (as well as others).
The idea is simple: configure compliance rules that a device must meet before its user is granted access to an application. For example, a policy could grant access to Outlook only if the device is running the latest version of the OS. If a device does not meet the policy, access is not granted.
In a world where more information lives beyond the safety net of the internal network and is accessed via the cloud, this feature from Microsoft gives administrators a way to allow access only to trusted users on trusted devices. Exclusively for customers using both Microsoft and Jamf, these same compliance policies can be applied to their estate of macOS devices as well. With this integration, devices are managed by Jamf, compliance is checked by Microsoft, and a user-friendly remediation process is delivered via Jamf Self Service to bring non-compliant devices back into compliance.
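The compliance decision described above, as an added example that is not Jamf’s or Microsoft’s code: a small evaluator that takes a device inventory record and a policy and returns the reasons access would be refused. The policy keys, inventory field names (including a `secure_boot` field assumed to carry the T2 setting) and the sample devices are all constructed here for illustration. Two details matter in practice and are shown: OS versions must be compared numerically, not as strings, and a device whose inventory is stale should fail closed rather than be treated as compliant.

```python
# Added example (not Jamf's or Microsoft's code): a device-compliance
# evaluator of the kind that sits behind a conditional-access decision.
# Policy keys, inventory field names and the sample devices are all
# constructed here for illustration.
from datetime import datetime, timedelta
from typing import Dict, List, Tuple


def parse_version(version: str) -> Tuple[int, ...]:
    """'10.14.1' -> (10, 14, 1). Comparing as integers matters: a plain
    string comparison ranks '10.14.10' below '10.14.2'."""
    return tuple(int(part) for part in version.strip().split("."))


def version_at_least(actual: str, minimum: str) -> bool:
    """True if actual >= minimum, treating '10.14' as '10.14.0'."""
    a, m = parse_version(actual), parse_version(minimum)
    width = max(len(a), len(m))
    a += (0,) * (width - len(a))
    m += (0,) * (width - len(m))
    return a >= m


# Constructed policy: what a Mac must report before Outlook is granted.
POLICY = {
    "min_os_version": "10.14.1",
    "require_filevault": True,
    "require_secure_boot": "full",      # assumption: inventory reports the T2 setting
    "max_inventory_age": timedelta(hours=24),
}


def evaluate(device: Dict, policy: Dict = POLICY, now: datetime = None) -> List[str]:
    """Return the failed checks (empty list means compliant).
    A device whose inventory is stale fails closed: we cannot vouch for
    a state we have not seen recently."""
    now = now or datetime.now()
    failures = []
    age = now - datetime.fromisoformat(device["last_inventory"])
    if age > policy["max_inventory_age"]:
        failures.append(f"inventory is {age} old (limit {policy['max_inventory_age']})")
        return failures  # stale data: do not evaluate the rest
    if not version_at_least(device["os_version"], policy["min_os_version"]):
        failures.append(f"os_version {device['os_version']} < {policy['min_os_version']}")
    if policy["require_filevault"] and not device.get("filevault_enabled", False):
        failures.append("FileVault is not enabled")
    if device.get("secure_boot") != policy["require_secure_boot"]:
        failures.append(f"secure boot is {device.get('secure_boot')!r}, "
                        f"need {policy['require_secure_boot']!r}")
    return failures


def access_decision(device: Dict, policy: Dict = POLICY,
                    now: datetime = None) -> Tuple[bool, List[str]]:
    """(granted, reasons). The reasons are what Self Service would show the user."""
    failures = evaluate(device, policy, now)
    return (not failures, failures)


# Constructed inventory records, shaped like what an MDM might report.
NOW = datetime(2018, 11, 6, 9, 0, 0)
DEVICES = {
    "compliant": {"os_version": "10.14.1", "filevault_enabled": True,
                  "secure_boot": "full", "last_inventory": "2018-11-06T07:30:00"},
    "old_os":    {"os_version": "10.13.6", "filevault_enabled": True,
                  "secure_boot": "full", "last_inventory": "2018-11-06T07:30:00"},
    "no_fv":     {"os_version": "10.14.1", "filevault_enabled": False,
                  "secure_boot": "full", "last_inventory": "2018-11-06T07:30:00"},
    "stale":     {"os_version": "10.14.1", "filevault_enabled": True,
                  "secure_boot": "full", "last_inventory": "2018-11-03T07:30:00"},
}

if __name__ == "__main__":
    for name, device in DEVICES.items():
        granted, reasons = access_decision(device, now=NOW)
        print(f"{name:10s} granted={granted} {reasons}")
```

The stale-inventory branch returns early on purpose: a device that has not reported in should not be judged on data that may no longer be true, and the message it produces is the prompt for the user to check in or open Self Service.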
Benefits of macOS Mojave
With macOS Mojave, the installer’s startosinstall command supports the “--eraseinstall” option. It lets administrators build scripts that erase the boot volume and reinstall macOS in one step at the click of a button; the target volume must be APFS. Using something like Self Service from Jamf Pro, administrators can let end users perform the upgrade themselves while still controlling the exact process in the background.
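A wrapper of the kind a Self Service policy would run, as an added example that is not Jamf’s or Apple’s code: it preflights the Mac (root, installer present, APFS boot volume, on AC power) and then runs startosinstall unattended. The installer location, volume name and the enrollment package path are assumptions; the startosinstall flags themselves are real options. The `diskutil` and `pmset` sample outputs are constructed so the parsing can be exercised off a Mac.

```python
# Added example (not Jamf's or Apple's code): build and preflight the
# startosinstall --eraseinstall invocation a Self Service script would run.
# Installer path, volume name and package paths are assumptions; the
# flags are real startosinstall options.
import os
import subprocess
import sys
from typing import List, Sequence

INSTALLER_APP = "/Applications/Install macOS Mojave.app"   # assumed location


def startosinstall_path(installer_app: str) -> str:
    """startosinstall ships inside the installer app bundle."""
    return os.path.join(installer_app, "Contents", "Resources", "startosinstall")


def build_command(installer_app: str, volume_name: str = "Macintosh HD",
                  packages: Sequence[str] = ()) -> List[str]:
    """Argument vector for an unattended erase-and-reinstall.
    Passing a list (never a shell string) means a volume name like
    'Macintosh HD; rm -rf /' stays a name instead of becoming shell."""
    cmd = [
        startosinstall_path(installer_app),
        "--eraseinstall",                    # wipe the boot volume, then install
        "--newvolumename", volume_name,      # name for the recreated APFS volume
        "--agreetolicense",                  # nobody is there to click "Agree"
        "--nointeraction",                   # no prompts, no confirmation
    ]
    for pkg in packages:
        # Distribution-style .pkg files installed after the wipe, e.g. an
        # MDM enrollment package so the Mac comes back under management.
        cmd += ["--installpackage", pkg]
    return cmd


def is_apfs(diskutil_info_output: str) -> bool:
    """--eraseinstall only works on APFS; parse `diskutil info /` output."""
    for line in diskutil_info_output.splitlines():
        key, _, value = line.partition(":")
        if key.strip() == "File System Personality":
            return value.strip() == "APFS"
    return False


def on_ac_power(pmset_output: str) -> bool:
    """Do not start a reinstall on battery; parse `pmset -g ps` output."""
    return "AC Power" in pmset_output


# Constructed outputs, in the format the macOS tools print them.
SAMPLE_DISKUTIL_APFS = """   Device Identifier:         disk1s1
   File System Personality:   APFS
   Type (Bundle):             apfs
   Mount Point:               /
"""
SAMPLE_DISKUTIL_HFS = """   Device Identifier:         disk0s2
   File System Personality:   Journaled HFS+
   Type (Bundle):             hfs
   Mount Point:               /
"""
SAMPLE_PMSET_AC = "Now drawing from 'AC Power'\n"


def preflight(installer_app: str) -> List[str]:
    """Run the real checks on a Mac; returns the problems found (empty = go)."""
    problems = []
    if not os.path.exists(startosinstall_path(installer_app)):
        problems.append(f"no startosinstall under {installer_app}")
    if os.geteuid() != 0:
        problems.append("must run as root")
    diskutil = subprocess.run(["/usr/sbin/diskutil", "info", "/"],
                              capture_output=True, text=True).stdout
    if not is_apfs(diskutil):
        problems.append("boot volume is not APFS; --eraseinstall requires APFS")
    pmset = subprocess.run(["/usr/bin/pmset", "-g", "ps"],
                           capture_output=True, text=True).stdout
    if not on_ac_power(pmset):
        problems.append("Mac is on battery; connect power first")
    return problems


if __name__ == "__main__":
    problems = preflight(INSTALLER_APP)
    if problems:
        sys.exit("preflight failed: " + "; ".join(problems))
    cmd = build_command(INSTALLER_APP)
    print("running:", " ".join(cmd))
    subprocess.run(cmd, check=True)   # startosinstall reboots the Mac itself
```

Run it as root from a policy; the `__main__` block never reaches startosinstall if any preflight check fails, which is the behaviour you want from something that wipes a disk.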
It is an exciting time in Apple technology. With the changes being made, many administrators are having to step into a brave new world and implement a vastly different method of machine deployment. Having said that, if you look over the fence at what Microsoft is doing with Windows 10 and Autopilot, you can see that this change is not specific to Apple and is in fact a wide-scale transformation across the industry.
Having questions about your deployment workflows? Let’s talk.
Not already a customer and want to see some of these workflows in action? Request a free trial.