Get to know Jamf Pro
Jamf Pro is a complete device management solution for IT professionals to simplify the deployment, inventory and security of Macs, iPads, iPhones and Apple TVs. Designed to automate device management while increasing end-user productivity, Jamf Pro is an enterprise mobility management tool that delights IT professionals and the users they support, delivering on the promise of unified endpoint management for Apple devices.
From touchless device deployment to application management and enterprise mobility management, the Jamf platform gives you the tools you need to maximize and customize every Apple device for every user.
Who uses Jamf Pro?
Jamf is committed to enabling IT to empower end users and bring the legendary Apple experience to businesses, educational institutions and government organizations through Jamf Pro software.
Where can Jamf Pro be deployed?
Jamf Pro is offered as a cloud-hosted (SaaS) service or as an on-premises installation. Administration is through a web-based console usable from Mac or Windows desktops, with companion apps for iPhone and iPad. Enrollment can be zero-touch (the device enrolls itself during Setup Assistant) or hands-on; either way, enrollment and deployment are straightforward.
Mobile Device Management (MDM)
The use of Apple devices in the business environment has increased considerably. As the use of Apple devices increases in businesses and education around the world, it is very important that investments in technology are maximized so that organizations can leverage Mac, iPad, iPhone and Apple TV to their full potential.
But with this growth, the IT team tends to manage a very large flow of new devices. As remote work and distance learning become the new normal, managing devices from the starting point to ongoing support is critical.
Although some of you are already very familiar with Apple, many of you are diving into Apple device management for the first time and so in this article we will help you build and master your Apple management skills.
Better understand mobile device management (MDM)
MDM lets you configure devices securely over the air, whether they are owned by the user or the organization. It covers pushing software updates and device settings, monitoring compliance with organizational policies, and remotely locking or wiping devices. Users can enroll their own devices in MDM, and organization-owned devices can be enrolled automatically through Apple School Manager or Apple Business Manager.
Most Apple devices are able to understand and enforce settings such as remote wipe or password restrictions thanks to a built-in mobile device management (MDM) framework.
The two main components of the MDM framework are configuration profiles and management commands. Your MDM server reaches devices through the Apple Push Notification service (APNs), using a push certificate that Apple issues to your organization. The push itself carries no management data; it only tells the device to check in. Apple's servers maintain the persistent connection to every device so you don't have to. The device then connects back to your MDM server over HTTPS, where it receives the commands, configurations and applications you have defined.
Configuration profiles
Configuration profiles define settings for your Apple devices and tell each device how to behave. They can enforce passcode policies and deliver Wi-Fi and VPN settings (including credentials), and they can restrict device features such as the App Store, web browsers, or the ability to rename a device. Profiles are authored and deployed from Jamf Pro.
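A configuration profile is a property list: a top-level `Configuration` dictionary carrying an array of payload dictionaries. As an added example (not Jamf's or Apple's code), the script below assembles a passcode-policy profile the way an MDM would and lints it before deployment, checking the structural rules a device enforces and that the policy is not weaker than the baseline. The payload keys are Apple's documented Passcode payload keys; the `com.example` identifiers and the baseline numbers are placeholders.

```python
"""Build and sanity-check a passcode-policy configuration profile (.mobileconfig)."""
import plistlib
import uuid

REQUIRED_KEYS = {"PayloadType", "PayloadVersion", "PayloadIdentifier", "PayloadUUID"}


def passcode_payload(min_length=8, max_failed=10, alphanumeric=True):
    """One payload of type com.apple.mobiledevice.passwordpolicy (Apple's Passcode payload)."""
    return {
        "PayloadType": "com.apple.mobiledevice.passwordpolicy",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm.passcode",  # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Passcode policy",
        "forcePIN": True,                    # a passcode is mandatory
        "minLength": min_length,
        "requireAlphanumeric": alphanumeric,
        "maxFailedAttempts": max_failed,     # wipe after this many bad attempts
        "maxInactivity": 5,                  # minutes before auto-lock
        "maxPINAgeInDays": 90,
    }


def build_profile(payloads, display_name="Example security baseline"):
    """Wrap payloads in the top-level profile dictionary and serialise to an XML plist."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": "com.example.mdm.baseline",  # placeholder identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadScope": "System",
        "PayloadRemovalDisallowed": True,    # the user cannot remove it from Settings
        "PayloadContent": payloads,
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def lint_profile(data):
    """Parse profile bytes and return a list of problems; an empty list means it passed.

    Checks: required keys on every payload, unique PayloadUUIDs, and that a
    passcode payload does not weaken the policy below the baseline used here.
    """
    problems = []
    profile = plistlib.loads(data)
    if profile.get("PayloadType") != "Configuration":
        problems.append("top-level PayloadType must be 'Configuration'")
    seen = set()
    for i, payload in enumerate(profile.get("PayloadContent", [])):
        missing = REQUIRED_KEYS - set(payload)
        if missing:
            problems.append(f"payload {i} missing {sorted(missing)}")
        if payload.get("PayloadUUID") in seen:
            problems.append(f"payload {i} reuses PayloadUUID {payload['PayloadUUID']}")
        seen.add(payload.get("PayloadUUID"))
        if payload.get("PayloadType") == "com.apple.mobiledevice.passwordpolicy":
            if payload.get("minLength", 0) < 6:
                problems.append(f"payload {i}: minLength {payload.get('minLength')} is below 6")
            if not payload.get("forcePIN"):
                problems.append(f"payload {i}: forcePIN is not set")
    return problems


if __name__ == "__main__":
    profile_bytes = build_profile([passcode_payload()])
    print(profile_bytes.decode())
    print("lint:", lint_profile(profile_bytes) or "ok")
```

In production the profile would also be signed (and the `PayloadUUID` kept stable across revisions so a re-push replaces rather than duplicates the profile); both are outside this example.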
Management commands
Management commands are instructions you send to managed devices to take specific actions. A device has gone missing? Put it in Lost Mode or send a remote wipe command. Need to update the OS? Send the command to download and install updates. These are just a few of the actions available on a fully managed Apple device.
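Every MDM command is a small property list (a `CommandUUID` plus a `Command` dictionary whose `RequestType` names the action), and every device reply carries a `Status` the server must act on. As an added example that is not Jamf's code, the script below builds the two commands mentioned above, validates the macOS wipe PIN, and maps the device's reply to the action a server should take. The command and response shapes are Apple's MDM protocol; the UDIDs, UUIDs and error values are constructed for the example.

```python
"""MDM command round trip: build a command plist, then interpret the device's reply."""
import plistlib
import uuid


def build_command(request_type, **params):
    """The envelope every MDM command uses: CommandUUID plus a Command dict with RequestType."""
    command = {"RequestType": request_type}
    command.update(params)
    return {"CommandUUID": str(uuid.uuid4()).upper(), "Command": command}


def device_lock(message="This device is managed", phone="+1 555 0100"):
    """Lock the device; supervised iOS devices show the message and number on the lock screen."""
    return build_command("DeviceLock", Message=message, PhoneNumber=phone)


def erase_device(pin=None):
    """Remote wipe. On macOS the six-digit PIN becomes the recovery passcode; iOS ignores it."""
    if pin is not None and not (len(pin) == 6 and pin.isdigit()):
        raise ValueError("EraseDevice PIN must be exactly six digits")
    params = {"PIN": pin} if pin is not None else {}
    return build_command("EraseDevice", **params)


def to_plist(command):
    """Serialise a command as the server would send it to the device."""
    return plistlib.dumps(command)


def make_response(udid, command_uuid, status, error_chain=None):
    """Constructed device reply, shaped like what a device POSTs to the server's command URL."""
    response = {"UDID": udid, "CommandUUID": command_uuid, "Status": status}
    if error_chain:
        response["ErrorChain"] = error_chain
    return plistlib.dumps(response)


def interpret_response(data):
    """Return (status, action) for a device response.

    Acknowledged: done. NotNow: the device is busy or locked, re-queue the command.
    Error: inspect ErrorChain. CommandFormatError: the command itself is malformed.
    Idle: the device has nothing to report.
    """
    response = plistlib.loads(data)
    status = response.get("Status")
    if status == "Acknowledged":
        return status, "done"
    if status == "NotNow":
        return status, "requeue"
    if status == "Error":
        chain = response.get("ErrorChain", [])
        detail = "; ".join(f"{e.get('ErrorDomain')}:{e.get('ErrorCode')}" for e in chain)
        return status, f"failed ({detail or 'no ErrorChain'})"
    if status == "CommandFormatError":
        return status, "fix command"
    return status, "ignore"


if __name__ == "__main__":
    wipe = erase_device("123456")
    print(to_plist(wipe).decode())
    # Constructed reply: the device acknowledges the wipe.
    reply = make_response("00008103-000A1B2C3D4E5F60", wipe["CommandUUID"], "Acknowledged")
    print(interpret_response(reply))
```

A server that ignores `NotNow` and drops the command, or that treats `Error` as success, is a common source of "the wipe never happened" incidents; the status handling above is the part worth copying.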
What does Apple offer?
Thanks to compatibility with Microsoft Azure Active Directory, it's much easier for your students and staff to access Apple's teaching and learning technologies. On iPad, everyone can find apps and services they use every day, like Google Drive and Microsoft Office. And its numerous tools for creativity allow students to express new knowledge in any way they want.
Automated device enrollment
Automated Device Enrollment lets you set up any Mac, iPad, iPhone or Apple TV purchased from Apple or an authorized Apple reseller and customize each device for its user without ever touching it. Purchases are linked to your Apple Customer Number or the reseller's Reseller ID, so the devices appear in Apple School Manager or Apple Business Manager and can be assigned to your MDM server, where they enroll automatically during setup. The result is a zero-touch experience for end users: they open the box, turn the device on and get to work, whether they are on site or remote.
Volume purchasing of apps and books
You can buy and license Apple apps and books in bulk and distribute them to individuals via Apple ID or directly to devices without an Apple ID. Licenses can be reassigned later as deployment needs change. You link a token (issued by Apple) to your MDM solution for assignment and distribution. Volume purchasing is built into Apple School Manager for educational institutions and into Apple Business Manager for companies.
Device supervision
Supervision is a management mode for iOS, iPadOS and tvOS that grants IT greater control over organization-owned devices. On those platforms it is set at enrollment time through Automated Device Enrollment or Apple Configurator; on macOS 11 and later, devices enrolled through Automated Device Enrollment or a user-approved MDM enrollment are treated as supervised. Many management features, including Managed Lost Mode, app restrictions and silent app installation, require supervision. Corporate-owned and school-owned devices should be supervised.
Apple IDs
An Apple ID is the account a user signs in with to reach Apple services such as the App Store, iTunes Store, iCloud and iMessage. Depending on your organization's needs, users may sign in with personal Apple IDs or with Managed Apple IDs that the organization creates and controls.
Apple School Manager
Introduced in 2016, Apple School Manager is a web-based portal where IT administrators oversee people, devices and content in one place. Exclusively for education, it combines Automated Device Enrollment, volume purchasing of apps and books, and classroom tools such as the Classroom app in a single portal. Apple School Manager also enables Managed Apple IDs and Shared iPad, and it can be integrated with your school's Student Information System (SIS).
Apple Business Manager
Apple Business Manager is the equivalent platform for companies. IT pairs it with an MDM solution to automate device purchasing and deployment, and like Apple School Manager it combines Automated Device Enrollment and volume purchasing in one central location.
Shared iPad
By providing students with a personalized learning experience, the shared iPad extends the value of an iPad device. Multiple students, each with their own unique ID, can log in and out while their apps, content, and work remain intact. Shared iPad is only available to educational institutions and requires Apple School Manager.
Managed Apple IDs for Educational Institutions
Managed Apple IDs are a special type of Apple ID owned by the institution rather than the user, issued to students and staff. IT creates and updates them in the Apple School Manager portal, in bulk if needed, without the user having to do anything, and they can be kept in sync with Classroom rosters and your school's SIS.
Lifecycle management stages
The Apple Device Management (MDM) framework includes six key elements throughout the lifecycle of your Apple devices and will help you with the following functions:
- Deployment and Provisioning: Putting devices in the hands of end users.
- Configuration Management: Applying the correct settings to devices.
- Application Management: Ensuring the right software and applications are on each device.
- Inventory: Reporting the status of each device.
- Security: Bringing devices into line with organizational standards and keeping them there.
- User empowerment: Allow users to help themselves when they need resources and services.
From initial deployment to end-user experience, it's critical to understand, manage, and support the entire lifecycle of devices in your environment. This ensures both security and the maximized potential of your Apple devices.
Considerations for Selecting an MDM Solution
There are several MDM solutions available from various manufacturers. The most important aspects of MDM for the organization should be evaluated (including hosting options and pricing) before choosing a solution.
Tip: It is of paramount importance to select the appropriate MDM solution before deployment begins. Changing solutions mid-deployment may require wiping and re-enrolling every device.
- On-premises or cloud hosting: An MDM solution can be hosted on a local server or in the cloud. MDM is an HTTPS-based protocol that can manage devices anywhere in the world with little traffic overhead, which makes it well suited to cloud hosting. If the organization chooses a cloud-hosted solution, many of the network configuration steps described below can be reduced considerably or eliminated altogether.
- Device compatibility: Some MDM solutions specialize in particular Apple devices (Mac only, or iPhone only, for example), while others are cross-platform. You can mix MDM vendors so that each device type is handled by a specialized solution; Apple School Manager's automatic assignment by device type makes this simple. You can also choose a single vendor that supports every type of Apple device used in your organization.
- Education-centric functionality: Some MDM vendors provide features designed specifically for educational environments. Make sure the vendor supports Apple School Manager, the Classroom and Schoolwork apps, Shared iPad, and the education features of the latest Apple operating systems on the day they are released.
- Query and reporting capabilities: An MDM solution can query a wide range of information from Apple devices, including the hardware serial number, device UDID, Wi-Fi MAC (Media Access Control) address, and FileVault encryption state (on Mac computers). It can also query software information such as the OS version and active restrictions, and list the apps installed on the device. This information can be used to verify that required apps are present and unapproved ones are not. iOS and iPadOS additionally allow queries about the last iCloud backup time and the signed-in user's app-assignment account hash. On tvOS, MDM can query enrolled Apple TV devices for information such as language, region and organization.
- Vendor support access and policies: MDM is a critical service. Evaluate the support channels, service levels and training the MDM vendor provides.
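The inventory data described in the query-and-reporting item above arrives as responses to the `DeviceInformation` and `SecurityInfo` MDM commands, and its value is in what you do with it: deciding whether a device meets your standard. As an added example (not Jamf's code), the script below parses constructed responses for one Mac and produces compliance findings; a missing finding list means the device passes. The query names and response keys are Apple's MDM protocol; the serial number, UDID and other values are made up.

```python
"""Turn MDM inventory responses into a compliance verdict."""
import plistlib

# Attribute names an MDM requests with DeviceInformation (Apple's query names).
INVENTORY_QUERIES = ["UDID", "SerialNumber", "DeviceName", "ProductName",
                     "OSVersion", "WiFiMAC", "IsSupervised"]


def device_information_command():
    """The inventory query an MDM server sends (CommandUUID constructed for the example)."""
    return {"CommandUUID": "8D0C3A2E-INVENTORY-EXAMPLE",
            "Command": {"RequestType": "DeviceInformation", "Queries": INVENTORY_QUERIES}}


def parse_device_information(data):
    """DeviceInformation reply: the answers live under QueryResponses."""
    return dict(plistlib.loads(data).get("QueryResponses", {}))


def parse_security_info(data):
    """SecurityInfo reply: FileVault, firewall and SIP state (macOS) live under SecurityInfo."""
    return dict(plistlib.loads(data).get("SecurityInfo", {}))


def os_tuple(version):
    """'13.4.1' -> (13, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split(".") if part.isdigit())


def evaluate(inventory, security, min_os="13.0"):
    """Return a list of findings against a simple baseline; an empty list means compliant."""
    findings = []
    if os_tuple(inventory.get("OSVersion", "0")) < os_tuple(min_os):
        findings.append(f"OS {inventory.get('OSVersion')} below minimum {min_os}")
    if not inventory.get("IsSupervised", False):
        findings.append("device is not supervised")
    if "FDE_Enabled" in security:  # key is only present for Macs
        if not security["FDE_Enabled"]:
            findings.append("FileVault is off")
        elif not (security.get("FDE_HasPersonalRecoveryKey")
                  or security.get("FDE_HasInstitutionalRecoveryKey")):
            findings.append("FileVault is on but no recovery key is escrowed")
        if not security.get("FirewallSettings", {}).get("FirewallEnabled", False):
            findings.append("application firewall disabled")
        if security.get("SystemIntegrityProtectionEnabled") is False:
            findings.append("System Integrity Protection disabled")
    return findings


def sample_responses():
    """Constructed replies for one Mac; every value here is invented for the example."""
    udid = "00008103-000A1B2C3D4E5F60"
    device_info = plistlib.dumps({
        "UDID": udid, "CommandUUID": "8D0C3A2E-INVENTORY-EXAMPLE", "Status": "Acknowledged",
        "QueryResponses": {
            "UDID": udid, "SerialNumber": "C02EXAMPLE01", "DeviceName": "lab-mac-07",
            "ProductName": "MacBookPro18,3", "OSVersion": "13.4",
            "WiFiMAC": "a4:83:e7:11:22:33", "IsSupervised": True,
        },
    })
    security = plistlib.dumps({
        "UDID": udid, "CommandUUID": "5F1E9B77-SECINFO-EXAMPLE", "Status": "Acknowledged",
        "SecurityInfo": {
            "FDE_Enabled": False, "FDE_HasPersonalRecoveryKey": False,
            "SystemIntegrityProtectionEnabled": True,
            "FirewallSettings": {"FirewallEnabled": True, "BlockAllIncoming": False, "StealthMode": False},
        },
    })
    return device_info, security


if __name__ == "__main__":
    info_bytes, sec_bytes = sample_responses()
    inventory = parse_device_information(info_bytes)
    print(inventory["SerialNumber"], evaluate(inventory, parse_security_info(sec_bytes)))
```

The "FileVault on but no recovery key escrowed" finding is the one most often missed: encryption without an escrowed key protects the data from thieves and from you alike.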
Based on these criteria, shortlist MDM solutions and evaluate them with a few test devices before deciding. Apple School Manager lets you connect more than one MDM solution and assign devices to different servers as needed. For more information, see the video Choosing an MDM Solution.
MDM solution network requirements
When installing a locally hosted MDM solution, you need to configure all of the following. Configure and test each one early in the process to ensure a smooth implementation. If your MDM solution is hosted off site or in the cloud, your MDM vendor takes care of many of these items for you:
- DNS: An MDM solution needs a fully qualified domain name that resolves both inside and outside the organization's network, so the server can manage devices on the local network or remotely. The name must never change once devices are enrolled: it is written into each device's enrollment profile, and a renamed server loses contact with its fleet.
- IP address: Most MDM solutions require a static IP address. If the server's address does change, keep the existing DNS name and update it to point at the new address.
- TLS for MDM: All communication between Apple devices and the MDM solution is encrypted with HTTPS, so a TLS (formerly SSL) certificate is required. Use a certificate issued by a certificate authority (CA) the devices trust; do not enroll devices against a server whose certificate does not come from a recognized CA. Track the certificate's expiration date and renew it before it expires, because an expired certificate breaks the management channel.
- Firewall ports: To allow internal and external access to the MDM solution, certain firewall ports must be open. Most MDM solutions accept incoming connections over HTTPS on port 443. Both the MDM solution and the devices need to reach Apple's Push Notification service: devices use port 5223 (falling back to 443 on Wi-Fi when 5223 is blocked); MDM servers used ports 2195 and 2196 before November 2020 and now use the HTTP/2 APNs API on port 2197 (also offered on 443).
Tip: Your MDM solution may hold escrowed FileVault recovery keys, Activation Lock bypass codes, macOS bootstrap tokens and other secrets that are your only path back into a device. Keep a robust disaster recovery plan for an on-premises MDM installation, test backup and restore regularly, and protect the backups as carefully as the live database, since those secrets grant access to the devices themselves.
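The DNS, TLS and firewall requirements above can be checked before the first device is enrolled. As an added example that is not Jamf's code, the script below does that preflight for an on-premises MDM host: it resolves the FQDN, performs a TLS handshake with the same chain and hostname verification a device applies (so a self-signed or private-CA certificate fails right here, which is the condition the text warns against), reports days until the certificate expires, confirms the certificate's subjectAltName covers the MDM's name, and probes the APNs ports. The port numbers come from the text; the APNs hostnames are Apple's documented endpoints and an assumption on this page; `mdm.example.com` is a placeholder. The certificate and date arithmetic is pure and runs offline; the network probes run only when the script is executed directly.

```python
"""Preflight checks for an on-premises MDM host: DNS, TLS certificate, required ports."""
import socket
import ssl
from datetime import datetime, timedelta, timezone

RENEW_WINDOW_DAYS = 30  # renew when this close to expiry (baseline chosen for the example)

# Ports from the text; hostnames are Apple's documented APNs endpoints (assumed here).
REQUIRED_ENDPOINTS = {
    "apns-provider": ("api.push.apple.com", 2197),      # MDM server -> APNs (HTTP/2 API)
    "apns-device": ("courier.push.apple.com", 5223),    # devices -> APNs
}


def _as_utc(value):
    """Accept an aware datetime or a string in getpeercert()'s 'Jun  1 12:00:00 2030 GMT' form."""
    if isinstance(value, datetime):
        return value
    return datetime.fromtimestamp(ssl.cert_time_to_seconds(value), tz=timezone.utc)


def cert_expiry(cert):
    """notAfter from ssl.SSLSocket.getpeercert() as an aware UTC datetime."""
    return _as_utc(cert["notAfter"])


def days_until_expiry(cert, now=None):
    """Fractional days remaining; negative once expired."""
    now = _as_utc(now) if now is not None else datetime.now(timezone.utc)
    return (cert_expiry(cert) - now) / timedelta(days=1)


def classify_cert(cert, now=None):
    """'expired', 'renew' (inside the renewal window) or 'ok'."""
    remaining = days_until_expiry(cert, now)
    if remaining <= 0:
        return "expired"
    if remaining <= RENEW_WINDOW_DAYS:
        return "renew"
    return "ok"


def san_matches(cert, hostname):
    """Does a DNS subjectAltName cover the MDM FQDN (exact, or a one-label wildcard)?"""
    host = hostname.lower()
    host_labels = host.split(".")
    for kind, name in cert.get("subjectAltName", ()):
        if kind != "DNS":
            continue
        name = name.lower()
        if name == host:
            return True
        if name.startswith("*.") and name[2:].split(".") == host_labels[1:]:
            return True
    return False


def fetch_server_cert(host, port=443, timeout=5):
    """TLS handshake with chain and hostname verification, as an enrolled device would do.

    A self-signed or untrusted certificate raises ssl.SSLCertVerificationError here.
    """
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()


def tcp_reachable(host, port, timeout=3):
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def preflight(mdm_fqdn):
    """Network-dependent report: DNS answers, TLS verdict, and APNs port reachability."""
    report = {}
    try:
        report["dns"] = sorted({info[4][0] for info in socket.getaddrinfo(mdm_fqdn, 443)})
    except socket.gaierror as exc:
        report["dns"] = f"unresolvable: {exc}"
    try:
        cert = fetch_server_cert(mdm_fqdn)
        report["tls"] = (classify_cert(cert), round(days_until_expiry(cert)), san_matches(cert, mdm_fqdn))
    except (OSError, ssl.SSLError) as exc:  # SSLCertVerificationError is an SSLError
        report["tls"] = f"handshake failed: {exc}"
    for name, (host, port) in REQUIRED_ENDPOINTS.items():
        report[name] = tcp_reachable(host, port)
    return report


if __name__ == "__main__":
    import sys
    print(preflight(sys.argv[1] if len(sys.argv) > 1 else "mdm.example.com"))  # placeholder FQDN
```

Run it from both the internal network and an outside host, since the DNS requirement is that the same name resolves in both places; a handshake that succeeds internally against a private-CA certificate but fails here is exactly the deployment the text says not to do.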
About Mobile device management (MDM)
MDM is typically a deployment of a combination of on-device applications and settings, corporate policies and certificates, and back-end infrastructure, with the goal of simplifying and improving IT management of end-user devices. In modern corporate IT environments, the sheer number and diversity of managed devices (and user behavior) has driven MDM solutions that enable consistent and scalable device and user management. The overall function of MDM is to increase the supportability, security, and corporate functionality of the device while maintaining some user flexibility.
Many organizations administer devices and applications using MDM products/services. MDM mainly deals with corporate data segregation, email protection, protection of corporate documents on devices, enforcement of corporate policies, and integration and management of mobile devices including laptops and handheld devices of various categories. MDM implementations can be on-premises or cloud-based.
Some of the main functions of MDM include:
- Ensuring that multiple user devices are configured for a consistent set of standard/supported corporate applications, roles or policies
- Updating devices, applications, functions or policies in a scalable way
- Ensuring users run applications in a consistent, supported way
- Ensuring devices behave consistently
- Monitoring and tracking equipment (e.g. location, status, ownership, activity)
- Diagnosing and troubleshooting devices remotely and efficiently
MDM functionality can include over-the-air distribution of applications, data and configuration settings to all kinds of mobile devices: mobile phones, smartphones, tablets, rugged mobile computers, mobile printers, mobile point-of-sale (POS) devices and so on. More recently, laptops and desktops have joined the list of supported systems as mobile device management has become more about general device management and less about the mobile platform itself. MDM tools are used for both company-owned and employee-owned (BYOD) devices. Consumer demand for BYOD is driving a greater push for MDM and for stronger security on the devices and the business systems they connect to, especially as employers and employees have different expectations about the restrictions that should apply to a personal device.
By controlling and protecting the data and configuration settings of all mobile devices on a network, MDM can reduce support costs and business risk. The intent of MDM is to optimize the functionality and security of a mobile communications network while minimizing cost and downtime. With mobile devices becoming ubiquitous and apps flooding the market, mobile monitoring is growing in importance. The use of mobile device management continues to grow at a steady pace and is projected to register a compound annual growth rate (CAGR) of nearly 23% through 2028, with the US remaining the largest market globally. Several vendors help mobile device manufacturers, content portals and developers test and monitor the delivery of their mobile content, applications and services. This testing is done in real time, simulating the actions of thousands of users to detect and correct application bugs.