Creating A Mobile Device Management Strategy For MacOS And iOS

How to create and implement a robust MDM strategy for MacOS and iOS device fleet.

Last updated on May 6, 2026 | 7 Minutes To Read
Written by Caitlin Harris
Technical Review by Laura Iannini

Apple devices have been growing steadily in popularity in recent years. macOS commands around 20% of the global desktop PC market share; iOS holds around 27% of the market share for mobile operating systems globally, and the largest shares in the US and UK. One of the reasons for this increase is the adoption of Apple products amongst businesses; Macs are highly durable and typically less impacted by viruses and malware than their biggest competitor.

However, while macOS and iOS devices do offer built-in security features (such as XProtect and Gatekeeper) to protect against cyber threats, those features are meant for use on an individual basis; they don’t provide a way for IT teams to manage a whole Apple fleet. For any organization with more than a handful of Apple devices or remote workers, this makes managing an Apple fleet manually very tricky.

Because of this, we recommend implementing a strong Mobile Device Management (MDM) strategy to help you remotely and centrally identify, secure, and manage the macOS and iOS devices connected to your company’s network.

Here’s how to do it.

Assess Your Current Posture

The first stage of creating an MDM strategy is to identify all the macOS and iOS devices currently in your fleet, including unmanaged and shadow devices, and to assess their current security posture against the risks that are most relevant to your organization.

Doing this manually can be challenging, particularly if you have a BYOD policy or lots of remote or hybrid workers, so you may want to look into a third-party tool that can create a topology map of all your devices for you. Top tip: some MDM solutions offer this feature!

Define Your Goals

Once you know what you’re dealing with, you can establish some clear goals for your new MDM strategy. These goals might be to improve security, streamline the end-user experience, or enable your IT admins to manage devices remotely.

To prevent any disruptions to business operations, it’s important that these goals align with your overall IT management strategy, and that your MDM strategy will work alongside your existing systems and infrastructure.

Create A Clear MDM Policy 

Before you invest in a solution or start making changes to any settings, you need to define a clear policy for how macOS and iOS devices should be used at your company. It should cover both company-issued and personal devices, and each part of the policy should be written to help you achieve the goals you set out in the previous step.

While writing this policy, you should think about:

  1. Acceptable use: Which users need to use which devices, and what activities are allowed or not allowed on devices being used for work?
  2. Security baseline: What baseline level of security, controllable through the devices’ built-in settings, do you want to enforce across all devices? Think about the use of passwords/passkeys, encryption, and screen lock timings.
  3. Lost/stolen devices: Will you enable the device’s location tracking settings? What should users do and who should they contact if their device is lost or stolen? 
  4. Data access: Which resources can your users access remotely? Can all users access all resources, or will you enforce role-based access controls or least-privilege access?
  5. Containerization: If your users are using their personal devices, how will you segment workplace usage and private usage on those devices? Will you set up work profiles or containers, or use some other method of app isolation?

Choose An MDM Solution

Once you’ve written your MDM strategy, it’s time to choose a solution to help you enforce it in a centralized, scalable, and consistent way.

Take a look at our shortlist of The Top 10 MDM Solutions For MacOS

To achieve this, third-party MDM tools for macOS and iOS typically work using the Apple Push Notification Service (APNS). From an administrative perspective, your team just needs to sign into a single MDM management console, from which they can enforce device configurations and security policies, manage updates, deploy applications, monitor compliance, and deprovision the device if the user leaves the company. Meanwhile, the MDM tool uses APNS to notify the devices in your fleet, which then securely check in with the MDM server to receive and apply those actions.

While most MDM tools for Apple devices work in this way, it’s important to note that not all MDM tools are built the same. So, before you start comparing tools, you should think about whether you need one that supports BYOD devices, and the level of control you need in order to comply with internal and external regulations or standards. You should also consider the level of expertise your IT team has, how much time they can dedicate to learning the tool, and which features will be most useful to them.

That said, there are some features that any team should look for in an Apple MDM tool. Let’s take a look at them.

What Features To Look For In An MDM Solution 

  1. Enrollment and deployment: The solution should support Apple’s Device Enrollment Program (DEP) and Volume Purchase Program (VPP) to automatically enroll all devices in the MDM system and make sure they’re set up with the correct configurations and apps.
  2. Security enforcement: The solution should support FileVault (for Mac devices) and native iOS encryption, as well as enable you to enforce password/passkey policies. Some solutions also enable you to configure web content filtering rules or data loss prevention policies, or set up Multi-Factor Authentication (MFA) via integrations with popular third-party MFA providers.
  3. User profiles: You should be able to set up profiles for different user groups, based on their roles within the company. You can then use these profiles to roll out certain policies, configurations, or access controls.
  4. Remote lock/wipe: To ensure the integrity of sensitive company data, you should be able to remotely lock or wipe devices in the event they’re lost or stolen.
  5. Containerization: If you have a BYOD policy, you should be able to separate users’ personal and work apps on their devices. Typically, this involves creating a “work profile” or “container” on the device, in which all their work apps and company data are isolated and stored. The MDM tool then manages this container without being granted access to the rest of the apps or data on the user’s device, ensuring security whilst protecting their privacy.
  6. Application controls: You should be able to set up allow/deny lists that define which apps users can or cannot install on their devices. Some solutions even enable you to create your own “marketplace” of approved applications. 
  7. Updates: The solution should automatically carry out any macOS or iOS updates, as well as updates to installed software. Depending on your requirements, you may want to look for a tool that’ll allow you to schedule updates out of office hours, or prevent users from accessing company resources if their devices aren’t updated.
  8. Version control: The solution should prevent users from installing untested or unsupported versions of macOS and iOS.
  9. Reporting and analytics: The solution should offer a range of reporting and analytics tools that enable you to track each device’s usage, health, and compliance with your MDM policy.

Best Practices For Implementing Your MDM Strategy

If you’ve made it to this stage of the checklist—congrats! You’ve just designed a strong MDM strategy for your macOS and iOS device fleet! Now all that’s left to do is implement it—and, of course, we have some recommendations to help you do that as smoothly as possible.

First, to ensure smooth adoption of your MDM policies and solution, make sure you communicate clearly with your end users about your plans. Make sure they understand the need for mobile device security and how your MDM strategy will help protect both them and the company. And finally, make sure you listen to and address their concerns around privacy—this is particularly important for users on BYOD devices, for whom you’ll be setting up containers or work profiles.

Second, make sure you understand the scope and limitations of your MDM strategy. The most common limitations of MDM include:

  • A focus only on mobile devices, not desktops 
  • A focus on device security rather than application or data security
  • The need for a stable internet connection
  • Potential disruption to user productivity caused by abrasive policies or intrusive updates

For your MDM implementation to be effective, you need to recognize it as one part of a wider security strategy. So, you need to be aware of these limitations, and make sure you have other security processes in place that will address any gaps your MDM strategy and solution don’t cover—e.g., a device management and security strategy for on-premises workstations.

Finally, you should regularly review your MDM strategy and policy, and make any necessary adjustments to improve the level of visibility and security they’re providing. Cyber risks are always evolving, so our defense strategies must evolve, too.

Written By
Caitlin Harris, Deputy Head Of Content

Caitlin Harris is the Deputy Head of Content at Expert Insights. As an experienced content writer and editor, Caitlin helps cybersecurity leaders to cut through the noise in the cybersecurity space with expert analysis and insightful recommendations.

Prior to Expert Insights, Caitlin worked at QA Ltd, where she produced award-winning technical training materials, and she has also produced journalistic content over the course of her career.

Caitlin has 8 years of experience in the cybersecurity and technology space, helping technical teams, CISOs, and security professionals find clarity on complex, mission critical topics like security awareness training, backup and recovery, and endpoint protection.

Caitlin also hosts the Expert Insights Podcast and co-writes the weekly newsletter, Decrypted.

Technical Review
Laura Iannini, Cybersecurity Analyst

Laura Iannini is a Cybersecurity Analyst at Expert Insights. With deep cybersecurity knowledge and strong research skills, she leads Expert Insights’ product testing team, conducting thorough tests of product features and in-depth industry analysis to ensure that Expert Insights’ product reviews are definitive and insightful.

Laura also carries out wider analysis of vendor landscapes and industry trends to inform Expert Insights’ enterprise cybersecurity buyers’ guides, covering topics such as security awareness training, cloud backup and recovery, email security, and network monitoring. Prior to working at Expert Insights, Laura worked as a Senior Information Security Engineer at Constant Edge, where she tested cybersecurity solutions, carried out product demos, and provided high-quality ongoing technical support.

Laura holds a Bachelor’s degree in Cybersecurity from the University of West Florida.