SAP and Jamf Enterprise Mobility Case Study

Changing the narrative at SAP to increase productivity.

SAP is the market leader in enterprise application software, with 77% of the world’s transaction revenue touching an SAP system.
SAP uses Jamf Pro to manage more than 24,000 Macs, 16,000 iPads, 67,000 iPhones and 230 Apple TVs.
SAP uses Jamf Protect to mitigate macOS-specific threats and provide their InfoSec team with the ability to receive reporting on macOS built-in security tools.
Utilizes the Jamf Certificates SDK for all their in-house apps.
Connects users to the Mac@SAP community through Jamf Self Service.
Migrated 84,000 iOS devices from a previous MDM to Jamf Pro.

Challenging the norm to enhance employee experience

In 1972, five friends in Germany took a leap of faith. Their goal — create real-time, standardized software to redesign how companies operate. They shared office space and computer power with their customers in an effort to understand their roadblocks. It was this initial step that laid the groundwork for the company’s success.

First operational on the green and white screens of the past, SAP is now the market leader in enterprise application software, with 77% of the world’s transaction revenue touching an SAP system. They have more than 90,000 employees in 140+ countries around the globe. While SAP continues to innovate for their customers, they more recently began applying the foresight of their founders to shift their own internal narrative around employee productivity.

Recognising the need for change

SAP employees use a variety of devices, but until 2016, there wasn’t a specific focus on the company’s Mac deployment. Each Mac required a lot of manual configurations from its user. That’s when then-CIO, Thomas Saueressig, made a goal to truly offer employees device choice while ensuring their setup experience, as well as overall functionality, would be equivalent to what colleagues who utilized a Windows computer experienced.

At the time, just over 10,000 SAP employees had a Mac, but a lack of automation didn’t allow for a streamlined user experience. To fix this disparity among users, SAP IT invested in a dedicated Mac team. Their job - create feature parity with the existing Windows environment without sacrificing the typical Mac experience. Another change came when Martin Lang, vice president, IT Services Enterprise Mobility, SAP, began overseeing the mobile device management (MDM) team, in addition to his own app development team.

“We were a pure app development team before, but we were supporting Apple, Android and Blackberry — not just from an app perspective, but through a more holistic approach,” Lang explained. “I believed that if the same team that created the internal apps was also responsible for device management, it would result in a much better experience for our end users.”

There was one problem. SAP only had one internal-only Jamf Pro server. This prohibited Lang’s team from managing Mac laptops that weren’t on their internal network or connected via VPN. With the number of people using Mac devices at SAP growing, the expectations for the Mac@SAP experience also grew significantly. So they adjusted.

Part of the solution was SAP Jam, a secure communication platform that had an active Mac-user community of 2,000 members within SAP. It was the perfect forum to join their general Mac community with SAP IT technicians. They subsequently made their Jamf Pro server accessible outside the corporate network and added a Jamf Cloud distribution point, which is hosted in Amazon Web Services (AWS). These changes gave them what they needed to relaunch Mac@SAP.

Evaluating the total cost of ownership

Following IBM’s compelling total cost of ownership (TCO) report at the 2016 Jamf Nation User Conference, SAP began evaluating their own TCO metrics. Lang said while SAP employees expect a choice when it comes to the technology they’ll use in the workplace, they needed to factor in the overall total cost of ownership of the devices to ensure choice was a viable option. Their analysis showed it is.

SAP recognizes that Apple devices have a higher residual value after four years than comparable Windows devices after just three years of use. They also cited the free operating system updates. Apple provides, in addition to a fixed price for unlimited support calls with AppleCare, as substantial cost savings. Lang said they look forward to using the additional results from their analysis to additionally help guide future decisions around the technology used at SAP. In the meantime, they continue to plan for substantial growth of their Apple platform.

Experiencing growth through device choice

Currently, 24,000+ SAP employees use a Mac. Lang believes this is a result of SAP’s history of primarily offering Windows devices. But he expects to see this change as time dictates the device most employees want.

“We want to be at 30,000 Macs by the end of 2020,” Lang said, explaining that much of this growth funnels from the company’s employee-choice program. After seeing a 31% increase in the number of Mac computers at SAP in 2018 alone, there’s no sign the number of SAP Mac users will plateau any time soon. While he’s happy to see more employees choose Mac, Lang said it isn’t his job to sell Apple.

Rather, “My focus is to promote productivity and remove obstacles for users where I can. That’s why we’ll happily demo work productivity on any device and let the user choose what works best for them,” he said.

SAP uses Ariba to offer a vast internal catalog of devices. Through a series of tabs, employees can browse all available hardware (Apple and Windows), software, office supplies, memberships, SAP merchandise and even company cars. “On the Apple side, you find every device that Apple offers, from entry-level devices up to high-end devices,” Lang said.

And when employees find their device of choice, they simply click a button. After manager approvals process, phones and laptops arrive at the requestor’s office within days. SAP uses the Device Enrollment Program (DEP) from Apple — now part of Apple Business Manager — which allows users to enroll themselves within minutes; a process that gets employees up and running with their new devices easily and efficiently.

Migrating all iOS to Jamf Pro

Dissimilar to the number of Mac laptops used at SAP is the percentage of employees who utilize iOS. Today, 100% of the tablets used are iPad devices, and 90% of managed mobile phones are iPhones. And in the spring of 2019, an MDM transition, along with a renewed focus, meant exciting changes for the company’s iOS users.

On the main stage at Jamf’s 2018 Jamf Nation User Conference (JNUC), Lang made a special announcement, saying, “The only way to increase productivity at SAP is to increase the productivity of the people. With a growing number of SAP employees choosing Apple devices, SAP decided to reorganize its IT teams to create an Apple Center of Excellence team and chose Jamf because of its focus on the user experience. Jamf Pro combined with the Apple@SAP service ensures a consistent experience for Apple users.” The announcement kicked off the migration of SAP’s 84,000 iPhone and iPad devices from their previous MDM to Jamf Pro.

In April of 2019, employees received an email that explained the migration process. An accompanying video explained that while the steps they needed to take would remove all SAP apps from their device, once complete, all essential SAP apps would reinstall within Jamf Self Service, Jamf’s native app store for all SAP apps. If users opted to restore their apps at a later date, they could visit the Apple@SAP app anytime in the future.

While a significant portion of users migrated within days of the initial request, a follow-up communicaton from the Mac team reiterated the reasons behind shifting management for iOS devices to Jamf Pro. It highlighted a handful of Jamf’s benefits, including:

More secure

and more user-friendly experience

Faster login

thanks to simplified Single Sign-On

Faster native app store

for SAP apps called Self Service

The separation of business and private use

— no Apple ID required

Automatic configuration of apps

for corporate use, such as SuccessFactors, Slack, F5 VPN, and more

Automatic Wi-Fi access

and eliminates password change issues

Approximately 1,000 employees completed the migration each day. The entire deployment of 84,000 devices migrated within seven months. As for challenges that arose...“There were probably about 10 issues every day, which sounds like a lot,” Lang said. “But in the scheme of migrating 1,000 devices every day, it’s really minimal. Overall, it went very smoothly.”

And when it comes to employee reactions, Lang said, “I think people really appreciate the consistency of how everything works.” He also credits the simplistic setup process and ease of use to the impressive adoption rate of Apple devices at SAP.

Ensuring employee productivity

SAP IT continues to focus on enabling all employees to be productive anywhere by delivering innovative cloud and mobile technology. This starts the moment they enroll their iPhone. At that time, users automatically receive a handful of notable apps, including Apple@SAP. As the single sign-on solution for employees, Apple@SAP allows Jamf Pro to deliver certificates to SAP’s in-house apps, with the added security of certificates.

Upon initial setup of the devices, users can also immediately access Jamf Self Service, which provides every user with access to in-house and third-party apps and resources, on demand. “I think this is a really unique feature of Jamf — to have a native app store that is so super fast,” Lang said, adding, “I think the biggest benefit of Self Service is app discovery. This allows people to find the apps they need faster, which helps with our main goal to increase people’s productivity, no matter where they work.”

Jamf Self Service is also where users access Mac@ SAP, an app that provides employees with an extensive collection of resources that relate to the Apple ecosystem, including a vast assortment of knowledge-based articles, a list of hardware options to order and more. The community currently has 10,000+ members.

Securing Mac with a purpose-built solution

As SAP’s Mac count continued to grow, their IT and Information Security (InfoSec) teams realized that the security tool they had in place was lacking the ability to scale and could not deliver the endpoint protection their organization required for the Mac. Thankfully, Jamf offers an endpoint protection solution built exclusively for Mac so the SAP team did not need to go far to procure the right solution.

SAP expanded their Apple Enterprise Management offering with the Jamf portfolio and will begin deploying Jamf Protect to their Mac fleet this year. And Lang stresses that the decision to stick with Jamf for their Mac security was an easy one.

“Jamf Protect will protect our Macs more holistically, and at the same time, give more information to our security teams,” Lang says. “And just as important, Jamf Protect will give a better experience to our users and require less resources on our Macs than the current security solution we have in place.”

Harald Monihart, director of mobile platform engineering at SAP, echoes Lang’s sentiments and adds, “Jamf Protect not only mitigates macOS specific threats, but it also finally provides our InfoSec team with the ability to receive reporting on macOS built-in security tools.”

Prepping for a bright future

Innovation that breaks down barriers and facilitates productivity remains at the heart of SAP. One of the company’s newest apps, iOS Assist, is the epitome of this work. Designed for IT support teams, the app pulls a dashboard of important stats (devices by iOS version, supervised device model, devices with exchange, etc.) onto an iOS device.

“This uses the Jamf Pro API very heavily to bring in detailed device information from Jamf Pro,” Lang said. Once the information is accessed, IT admins can drill into each stat for more detailed information. Through Face or Touch ID, they can also access Jamf Pro and access the management commands. This makes it easy to complete a number of tasks like clearing passcodes, locking devices, etc. “I think it will change the way the support teams will interact with employees who have problems with their devices,” Lang said. “This can make these conversations friendlier.”

Whether it’s the new iOS Assist app, or one of the many additional ways SAP continues to innovate, the way they connect Jamf, Apple and their employees into a streamlined experience is a method that will surely prove its value now and well into the future.

See how you too can achieve Apple success by taking Jamf for a free test drive. Request a Trial.