Apple Managed Device


Thora Buckner

Jul 26, 2024, 3:23:12 AM
to tmate.io

Unless enrollment is automated, users decide whether to enroll in MDM, and they can disassociate their devices from MDM at any time. Therefore, you want to consider incentives for users to remain managed. For example, you can require MDM enrollment for Wi-Fi network access by using MDM to automatically provide the wireless credentials. When a user leaves MDM, their device attempts to notify the MDM solution that it can no longer be managed.

For devices your organization owns, you can use Apple School Manager, Apple Business Manager, or Apple Business Essentials to automatically enroll them in MDM and supervise them wirelessly during initial setup; this enrollment process is known as Automated Device Enrollment.

When a user removes an enrollment profile, all configuration profiles, their settings, and Managed Apps based on that enrollment profile are removed with it. There can be only one enrollment profile on a device at a time.

A configuration profile is an XML file (ending in .mobileconfig) consisting of payloads that load settings and authorization information onto Apple devices. Configuration profiles automate the configuration of settings, accounts, restrictions, and credentials. These files can be created by an MDM solution or Apple Configurator for Mac, or they can be created manually. For more information on using Apple Configurator for Mac to create and install configuration profiles on iPhone, iPad, and Apple TV devices, see Create and edit configuration profiles in the Apple Configurator for Mac User Guide.

iPhone, iPad, Apple TV, Apple Watch, and Apple Vision Pro have no way to recognize more than one user, so configuration profiles created for iOS, iPadOS, tvOS, watchOS 10 or later, and visionOS 1.1 or later are always device profiles. Although iPadOS profiles are device profiles, iPad devices configured for Shared iPad can support profiles based on the device or the user.

2. If the device was enrolled in MDM using Apple School Manager, Apple Business Manager, or Apple Business Essentials, the administrator can choose whether the enrollment profile can be removed by the user or whether it can be removed only by the MDM server itself.

5. If the profile is installed on a supervised device manually or using Apple Configurator and the profile has a removal password payload, the user must enter the removal password to remove the profile.

An account installed by a configuration profile can be removed by removing the profile. A Microsoft Exchange ActiveSync account, including one installed using a configuration profile, can be removed by Microsoft Exchange Server by issuing the account-only remote wipe command.

Apple fits easily into your existing infrastructure, no matter how many devices you run. Zero-touch deployment allows IT to configure and manage remotely, and IT can tailor the setup process to any team. So every Mac, iPad, iPhone, and Apple TV is ready to go from the start.

Wi-Fi and Networking. Apple devices have secure wireless network connectivity built in. iOS, iPadOS, and macOS all provide the built-in security to access those wireless networks, including industry-standard WPA3-Enterprise and 802.1X. When an Apple device is used on a Cisco network, Fast Lane prioritizes the most critical business apps so that employees have uninterrupted access. And enhanced roaming capabilities ensure that iPhone and iPad remain connected as they travel across access points.

VPN. Easily configure Apple devices for secure access to your corporate network through built-in support for VPN. Out of the box, iOS, iPadOS, and macOS support the industry-standard networks IKEv2, Cisco IPsec, and L2TP over IPsec. Apple devices also support VPN On Demand, Always On VPN, and Per App VPN for facilitating connections on a much more granular basis for managed apps or specific domains. Whatever method your business chooses, data in transit is protected.

Identity Providers. The latest versions of iOS, iPadOS, and macOS support a new single sign-on (SSO) extension framework, allowing users to sign in to a corporate application once without being asked again for other apps or websites. This feature enables advanced multifactor authentication, supported by participating identity providers, whenever users sign in to a corporate resource. IT teams can also now configure authentication from cloud identity providers during initial enrollment and device setup.

Apple makes it easy to choose the right deployment option to meet the needs of your organization. Protect company information while maintaining privacy for employees who bring their own devices to work with User Enrollment. Or maintain a higher level of control on organization-owned devices with supervision and Device Enrollment.

Shared iPad allows multiple users to share devices without sharing information. When employees sign in with a company-provided Managed Apple ID, iPad loads their data, apps, and settings. So employees can pick up any device and get started.

Temporary Session enables any user to access iPad and automatically removes all data when the user signs out. The SSO extension can be used with Temporary Session to provide easy access to apps and websites. And IT can set a logout time to ensure data is removed.

Apple devices have a built-in, secure management framework enabling IT to configure settings, manage devices, and set up security features remotely over the air. IT can easily create profiles to ensure that employees have everything they need to be secure and productive. Apple devices enable IT to manage with a light touch, without having to lock down features or disable functionality, and still keep company data protected.

Whether your business uses a cloud-based or on-premise server, MDM solutions are available from a wide range of vendors with a variety of features and pricing for ultimate flexibility. And each solution utilizes the Apple management framework in iOS, iPadOS, macOS, and tvOS to manage features and settings for each platform.

MDM supports configuration for apps, accounts, and data on each device. This includes integrated features such as password and policy enforcement. Controls remain transparent to employees while ensuring that their personal information stays private. And IT maintains necessary oversight without disrupting the productivity employees need to succeed.

Every Apple product is designed with privacy in mind. On-device processing is used whenever possible, the collection and use of data is limited, and everything is designed to provide users with transparency and controls for their data.

The MDM protocol allows IT to interact with an Apple device but limits the exposure of certain information and settings. Regardless of deployment model, the MDM framework can never access personal information including email, messages, browser history, and device location.

Once devices are set up, IT can manage and protect corporate data thanks to built-in security features and additional controls made available through MDM. Common frameworks across apps enable configuration and ongoing management of settings.

IT can enforce and monitor security policies through MDM. For example, requiring a passcode via MDM on iOS and iPadOS devices automatically enables Data Protection, providing file encryption for the device. An MDM policy can also enable FileVault encryption on a Mac to secure all data at rest. And MDM can be used to configure Wi-Fi and VPN and deploy certificates for added security.

MDM solutions allow device management at a granular level without the need for containers, keeping corporate data safe. With Managed Open In, IT can set restrictions to keep attachments, documents, or pasteboard from being opened or pasted into unmanaged destinations. And on macOS, built-in security features let IT encrypt data, protect devices from malware, and enforce security settings without the need for third-party tools.

Thanks to a common framework and controlled ecosystem, apps on Apple platforms are secure by design. Our developer programs verify the identity of every developer, and apps are verified by the system before they are launched on the App Store. Apple provides developers with frameworks for features including signing, app extensions, entitlements, and sandboxing to provide even greater levels of security.

Managed Apple IDs are created, owned, and managed by the organization and are designed for BYOD and organization-owned devices. Organizations can use Apple Business Manager to automatically create Managed Apple IDs for employees. This enables employees to collaborate with Apple apps and services as well as access corporate data in managed apps that use iCloud Drive. Managed Apple IDs can also be used alongside a personal Apple ID on employee-owned devices when organizations leverage User Enrollment.

iOS, iPadOS, and macOS have a systemwide extension framework for single sign-on to make it easy for employees to sign in to corporate apps and websites. The extension framework requires support from cloud identity providers and is configurable through MDM. And for organizations using Kerberos, a first-party extension provides password management and local password sync for internal applications.

With federated authentication, IT teams can connect Apple Business Manager to Microsoft Azure Active Directory and Google Workspace (available in spring 2022), enabling employees to use their existing user names and passwords as Managed Apple IDs. Employees can access Apple services including iCloud Drive, Notes, and Reminders to collaborate using their existing credentials. And Managed Apple IDs are automatically created when users first sign in to an Apple device with their federated user name and password.

Buying apps in volume for iOS, iPadOS, and macOS is even easier with Apple Business Manager. When app licenses are no longer needed, they can be reassigned to another device or employee. You can also manage custom app licenses made specifically for your business internally or by third-party developers. And by purchasing Volume Credit, you can use purchase orders to buy content through your reseller.
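The post describes a configuration profile as an XML .mobileconfig made of payloads, mentions Wi-Fi credentials pushed by MDM, a removal password payload, and passcode enforcement turning on Data Protection. The following is an added example (not Apple's code and not from the post) that builds such a profile with Python's plistlib and then parses it back to report those security-relevant settings; the PayloadType strings and keys are the ones Apple documents for these payloads as far as I know, while every identifier, UUID, SSID and password is a constructed placeholder.

```python
import plistlib


def build_profile_plist() -> bytes:
    """Serialise a constructed example profile as the XML plist a .mobileconfig holds."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.corp.profile",  # placeholder identifier
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",  # placeholder UUID
        "PayloadDisplayName": "Example Corp settings",
        "PayloadRemovalDisallowed": False,  # user may remove it unless a removal password is set
        "PayloadContent": [
            {"PayloadType": "com.apple.wifi.managed", "PayloadVersion": 1,
             "PayloadIdentifier": "com.example.corp.wifi",
             "PayloadUUID": "00000000-0000-0000-0000-000000000002",
             "SSID_STR": "CorpNet", "EncryptionType": "WPA2",
             "Password": "placeholder-psk"},  # Wi-Fi credentials supplied by MDM
            {"PayloadType": "com.apple.mobiledevice.passwordpolicy", "PayloadVersion": 1,
             "PayloadIdentifier": "com.example.corp.passcode",
             "PayloadUUID": "00000000-0000-0000-0000-000000000003",
             "forcePIN": True, "minLength": 6},
            {"PayloadType": "com.apple.profileRemovalPassword", "PayloadVersion": 1,
             "PayloadIdentifier": "com.example.corp.removal",
             "PayloadUUID": "00000000-0000-0000-0000-000000000004",
             "RemovalPassword": "placeholder-removal-password"},
        ],
    }
    return plistlib.dumps(profile)  # XML plist, i.e. the on-disk .mobileconfig format


def audit_profile(data: bytes) -> dict:
    """Parse a .mobileconfig and summarise the settings that matter for device security."""
    top = plistlib.loads(data)
    # Index payloads by type; a real profile may carry several of one type, so the
    # last one wins here and a fuller audit would keep a list per type instead.
    by_type = {p.get("PayloadType"): p for p in top.get("PayloadContent", [])}
    wifi = by_type.get("com.apple.wifi.managed", {})
    passcode = by_type.get("com.apple.mobiledevice.passwordpolicy", {})
    return {
        "payload_types": sorted(by_type),
        "removal_disallowed": bool(top.get("PayloadRemovalDisallowed", False)),
        "has_removal_password": "com.apple.profileRemovalPassword" in by_type,
        # A PSK stored in the profile is readable by anyone who obtains the file,
        # so such profiles should only ever be delivered through MDM.
        "wifi_psk_embedded": "Password" in wifi,
        # On iOS and iPadOS, requiring a passcode is what turns on Data Protection.
        "passcode_required": bool(passcode.get("forcePIN", False)),
    }
```

Running `audit_profile(build_profile_plist())` on the constructed profile reports all three payload types, that the user may remove the profile only with the removal password, that the Wi-Fi PSK is embedded, and that a passcode is enforced.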
