Meet Jamf Pro
Jamf Pro is a complete device management solution for IT professionals to simplify the deployment, inventory, and security of Macs, iPads, iPhones, and Apple TVs. Designed to automate device management while increasing end-user productivity, Jamf Pro is an enterprise mobility management tool that delights IT professionals and the users they support by delivering on the promise of unified endpoint management for Apple devices.
From zero-touch device deployment to application management and enterprise mobility management, the Jamf platform provides the tools you need to maximize and personalize every Apple device for every user.
Who uses Jamf Pro?
Jamf is committed to enabling IT to empower end users and bring the legendary Apple experience to enterprises, educational institutions, and government organizations through Jamf Pro software.
Where can Jamf Pro be deployed?
Cloud, SaaS, web-based, Mac (desktop), Windows (desktop), iPhone (mobile), iPad (tablet). You can choose between a zero-touch, hands-free experience or a more hands-on approach; either way, enrollment and deployment are designed to be straightforward.
Mobile Device Management (MDM)
The use of Apple devices in the enterprise environment is growing significantly. As the use of Apple devices in businesses and education around the world increases, it is increasingly important that technology investments are maximized so that organizations can leverage their Mac, iPad, iPhone and Apple TV to their full potential.
But with this growth, IT teams are likely to be managing a large influx of new devices. As remote work and distance learning become the new normal, managing devices from the baseline to ongoing support is critical.
While some of you may already be very familiar with Apple, many of you are diving into managing Apple devices for the first time, so in this article we’ll help you build and master your Apple management skills.
Understand Mobile Device Management (MDM) better
MDM enables secure wireless configuration of devices, whether they are user-owned or organization-owned. MDM includes updating device software and settings, monitoring compliance with organizational policies, and remotely wiping or locking devices. Users can enroll their own devices in MDM, and organization-owned devices can be enrolled automatically through Apple School Manager or Apple Business Manager.
Apple devices can understand and apply settings such as remote wipe or passcode restrictions because the operating system includes a built-in mobile device management (MDM) framework.
Two key components of the MDM framework are configuration profiles and management commands. Your management server does not hold an open connection to every device. Instead, it authenticates to the Apple Push Notification service (APNs) with an MDM push certificate obtained from Apple, and APNs, which keeps a persistent connection to each enrolled device, delivers a lightweight notification telling the device to check in. The device then connects to your management server over HTTPS and retrieves the commands, settings, configuration profiles, or apps you have defined. The push notification itself carries no management data; everything of substance travels over the device's TLS connection to your server.
Configuration profiles
Configuration profiles define settings for your Apple devices and tell the device how to behave. A profile is an XML property list (.mobileconfig) made up of one or more payloads, and it can be signed so the device can verify where it came from. Profiles can automate passcode policies, Wi-Fi credentials, and VPN settings, and they can restrict features such as the App Store, web browsers, or the ability to rename a device. Profiles are specified and deployed through Jamf Pro.
Management commands
These are singular commands you can send to your managed devices to take specific actions. A device is missing? Put it in Lost Mode or send a remote wipe command. Need to update the OS? Send the command to download and install updates. These are just a few examples of the different actions you can take on a fully managed Apple device.
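Because a configuration profile is a property list, it can be generated and audited with ordinary tooling. The following Python script is an added example, not code from Jamf or Apple: it builds a profile with a passcode-policy payload and a restrictions payload using Apple's documented payload types and keys, then audits a profile against a small baseline. The org.example.mdm identifiers, the organization name, and the baseline values are assumptions.

```python
"""Build and audit an Apple configuration profile (.mobileconfig).

Added example, not Jamf's or Apple's code. Payload types and keys are Apple's
documented ones; the identifiers, organization, and baseline are assumptions.
"""
import plistlib
import uuid

ORG_PREFIX = "org.example.mdm"  # assumed reverse-DNS prefix for this example


def passcode_payload(min_length=8, max_failed=10, max_age_days=90):
    """Passcode policy payload (PayloadType com.apple.mobiledevice.passwordpolicy)."""
    return {
        "PayloadType": "com.apple.mobiledevice.passwordpolicy",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ORG_PREFIX}.passcode",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Passcode policy",
        "forcePIN": True,                  # a passcode is required
        "allowSimple": False,              # no 1234 or repeating digits
        "requireAlphanumeric": True,
        "minLength": min_length,
        "maxFailedAttempts": max_failed,   # device wipes after this many failures
        "maxPINAgeInDays": max_age_days,
    }


def restrictions_payload():
    """Restrictions payload (PayloadType com.apple.applicationaccess)."""
    return {
        "PayloadType": "com.apple.applicationaccess",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ORG_PREFIX}.restrictions",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Restrictions",
        "allowAppInstallation": False,     # hides the App Store
        "allowSafari": False,
        "allowCloudBackup": False,
        "allowUntrustedTLSPrompt": False,  # user cannot accept a bad certificate
    }


def build_profile(payloads, display_name="Baseline", removable=False):
    """Wrap payloads in the top-level Configuration profile and return XML plist bytes."""
    top = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ORG_PREFIX}.baseline",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadOrganization": "Example Org",      # assumed
        "PayloadRemovalDisallowed": not removable,  # honoured on supervised devices
        "PayloadContent": list(payloads),
    }
    return plistlib.dumps(top)


# Baseline a reviewer expects every deployed profile to meet (assumed values).
BASELINE = {
    "com.apple.mobiledevice.passwordpolicy": {"forcePIN": True, "allowSimple": False},
    "com.apple.applicationaccess": {"allowUntrustedTLSPrompt": False},
}
MIN_PASSCODE_LENGTH = 6


def audit_profile(data):
    """Return a list of findings for an unsigned .mobileconfig; empty list means compliant."""
    profile = plistlib.loads(data)
    if profile.get("PayloadType") != "Configuration":
        return ["not a configuration profile"]
    findings = []
    if not profile.get("PayloadRemovalDisallowed", False):
        findings.append("profile is user-removable")
    seen = set()
    for payload in profile.get("PayloadContent", []):
        ptype = payload.get("PayloadType")
        seen.add(ptype)
        for key, want in BASELINE.get(ptype, {}).items():
            if payload.get(key) != want:
                findings.append(f"{ptype}: {key} should be {want}")
        if ptype == "com.apple.mobiledevice.passwordpolicy":
            if payload.get("minLength", 0) < MIN_PASSCODE_LENGTH:
                findings.append(f"{ptype}: minLength below {MIN_PASSCODE_LENGTH}")
    for required in BASELINE:
        if required not in seen:
            findings.append(f"missing payload {required}")
    return findings


if __name__ == "__main__":
    good = build_profile([passcode_payload(), restrictions_payload()])
    print(audit_profile(good))
    weak = build_profile([passcode_payload(min_length=4)], removable=True)
    print(audit_profile(weak))
```

Jamf Pro signs the profiles it deploys; a signed .mobileconfig is a CMS (PKCS#7) envelope around this XML, so to audit one pulled from a device, first unwrap it (for example with `openssl smime -verify -noverify -inform DER -in signed.mobileconfig`) and feed the resulting XML to audit_profile. The audit treats a user-removable profile as a finding because a restriction the user can delete is not a control.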
What does Apple offer?
With support for Microsoft Azure Active Directory (federated authentication for Managed Apple IDs), it is easier than ever to give students and staff access to Apple's teaching and learning technologies. iPad provides the apps and services they use every day, such as Google Drive and Microsoft Office, and its creative tools let students express what they have learned in any way they want.
Automated device enrollment
This automated enrollment process lets you set up any Mac, iPad, iPhone, or Apple TV purchased from Apple or an Apple Authorized Reseller and personalize each device for your users without ever touching it. Purchases are associated with your Apple Customer Number or Reseller ID, and the devices are enrolled automatically into your MDM solution when they are first set up. Automated Device Enrollment delivers a seamless, zero-touch experience for end users: they open the box, turn on the device, and get to work, whether they are on site or remote.
Volume Purchasing of Apps and Books
You can purchase and license apps and books in bulk from Apple and distribute them to users via their Apple ID or directly to devices with no Apple ID required. Licenses can later be revoked and reassigned as deployment needs change. A content token downloaded from Apple links your purchases to your MDM solution for assignment and distribution. For educational institutions, Apps and Books lives inside Apple School Manager; businesses use Apple Business Manager.
Device supervision
Supervision is a management mode that gives IT greater control over devices the organization owns. On iOS, iPadOS, and tvOS a device becomes supervised when it is enrolled through Automated Device Enrollment or set up with Apple Configurator; on macOS 11 and later, Macs enrolled through Automated Device Enrollment or a user-approved MDM enrollment are treated as supervised. A number of management features, including Managed Lost Mode, app locking (Single App Mode), and silent app installation, require supervision. Corporate-owned and school-owned devices should be supervised.
Apple IDs
Apple IDs are the personal account credentials users use to access Apple services such as the App Store, iTunes Store, iCloud, iMessage, and more. Depending on the needs of your organization.
Apple School Manager
Launched in 2016, Apple School Manager is a web-based portal for IT administrators to oversee people, devices, and content from one place. Exclusively for education, Apple School Manager combines Automated Device Enrollment and volume purchasing of apps and books with other classroom management tools, such as the Classroom app, in one portal. Apple School Manager enables Managed Apple IDs and Shared iPad, and can be integrated with your school's student information system (SIS).
Apple Business Manager
It is the platform for IT teams and enterprises to pair with an MDM solution to automate device deployment and procurement. Similar to Apple School Manager, it combines the power of Automated Device Enrollment and Volume Purchasing in one central location.
Shared iPad
By providing students with a personalized learning experience, Shared iPad extends the value of an iPad device. Multiple students, each with their own unique ID, can sign in and out while their apps, content, and work remain intact. Shared iPad is only available to educational institutions and requires Apple School Manager.
Managed Apple IDs for educational institutions
Managed Apple IDs are a special type of Apple ID that is owned and controlled by the institution rather than the individual. They are created in Apple School Manager, where IT administrators can create and update accounts in bulk and sync them with Classroom data and the school's SIS. Because the institution owns the account, consumer features such as purchasing from the App Store are disabled.
Lifecycle Management Stages
Apple's device management (MDM) framework includes six key elements across the lifecycle of your Apple devices and will help you with the following functions:
- Deployment and Provisioning: Getting devices into the hands of end users.
- Configuration Management: Applying the correct settings to devices.
- Application Management: Ensuring the right software and applications are on every device.
- Inventory: Reporting the status of each device.
- Security: Securing devices to organizational standards.
- User empowerment: Allowing users to help themselves when they need resources and services.
From initial deployment to end-user experience, it’s critical to understand, manage, and support the entire lifecycle of devices in your environment. This ensures both the security and maximized potential of your Apple devices.
Considerations for selecting an MDM solution
There are a variety of MDM solutions available from a variety of vendors. The most important aspects of MDM for your organization should be evaluated (including hosting options and pricing) before choosing a solution.
Tip: It is of paramount importance to select the appropriate MDM solution before the deployment process begins. Changing it during deployment may require erasing and re-enrolling each device.
- On-premises or cloud hosting: An MDM solution can be hosted on an on-premises server or in the cloud. MDM is an HTTPS-based protocol that can manage devices anywhere in the world with little network overhead, which makes it well suited to cloud hosting. If an organization chooses a cloud- or web-hosted solution, many of the MDM configuration steps described in this reference can be significantly reduced or eliminated altogether.
- Device compatibility: Some MDM solutions have in-depth support for specific types of Apple devices, such as only Mac computers or only iPhone devices, while others are cross-platform. You can choose a mix of MDM vendors so that each device type is served by a specialized solution; the default MDM server assignment by device type in Apple School Manager makes this easy. You can also choose a single MDM vendor that supports all the Apple device types used in your organization.
- Education-centric functionality: Some MDM vendors provide functionality specifically designed for education environments. Make sure your MDM vendor supports solutions like Apple School Manager, Classroom, Schoolwork, Shared iPad, and all educational features that are included in the latest versions of Apple operating systems on the day they are released.
- Query and reporting capabilities: An MDM solution can query a variety of information from Apple devices, including the hardware serial number, device UDID, Wi-Fi MAC address, and FileVault encryption state (on Mac computers). It can also query software information, such as the OS version and active restrictions, and list the apps installed on the device. This information can be used to verify that devices carry the approved apps and configuration. iOS and iPadOS also report when the device was last backed up to iCloud and a hash of the App Store account signed in for app assignment. On tvOS, MDM can query enrolled Apple TV devices for information such as language, region, and organization.
- Vendor support policies and access: MDM is a critical service, so evaluate the support, professional services, and training the MDM vendor provides.
Based on your criteria, you can draw up a shortlist of MDM solutions and evaluate each with a few test devices to determine which one best meets your needs before making a decision. Apple School Manager lets you connect more than one MDM solution and assign devices to different servers as needed.
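The inventory queries listed above map onto two MDM protocol commands, DeviceInformation and SecurityInfo. The Python below is an added example rather than Jamf's or Apple's code: it builds those command plists the way a server sends them, parses the plist responses a device returns, and assesses each device against a small compliance policy. The device responses are constructed here (fake serial numbers and UDIDs), and the policy thresholds are assumptions.

```python
"""Inventory over the MDM protocol: commands a server sends, responses a device returns.

Added example, not Jamf's code. Command and response keys follow Apple's MDM
protocol; the device responses below are constructed, not captured from hardware.
"""
import plistlib
import uuid


def device_information_command(queries):
    """DeviceInformation: ask the device to report the listed attributes."""
    return plistlib.dumps({
        "CommandUUID": str(uuid.uuid4()).upper(),
        "Command": {"RequestType": "DeviceInformation", "Queries": list(queries)},
    })


def security_info_command():
    """SecurityInfo: report passcode, FileVault, firewall and SIP state."""
    return plistlib.dumps({
        "CommandUUID": str(uuid.uuid4()).upper(),
        "Command": {"RequestType": "SecurityInfo"},
    })


# Minimum policy applied to each inventory record (assumed baseline).
POLICY = {"min_os": (13, 0), "require_supervised": True,
          "require_fde": True, "require_sip": True}


class Retry(Exception):
    """Device answered NotNow: it cannot process the command yet; re-queue it."""


def parse_response(data):
    """Accept only Acknowledged responses; anything else is unknown, not compliant."""
    resp = plistlib.loads(data)
    status = resp.get("Status")
    if status == "NotNow":
        raise Retry(resp.get("UDID"))
    if status != "Acknowledged":
        raise ValueError(f"{resp.get('UDID')}: {status}: {resp.get('ErrorChain')}")
    return resp


def os_tuple(version):
    """'14.4.1' -> (14, 4, 1) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def assess(device_info, security_info, policy=POLICY):
    """Return (serial, findings) for one device; an empty findings list means compliant."""
    info = parse_response(device_info)["QueryResponses"]
    sec = parse_response(security_info)["SecurityInfo"]
    findings = []
    if os_tuple(info["OSVersion"]) < policy["min_os"]:
        findings.append(f"OS {info['OSVersion']} below minimum")
    if policy["require_supervised"] and not info.get("IsSupervised", False):
        findings.append("not supervised")
    if policy["require_fde"] and not sec.get("FDE_Enabled", False):
        findings.append("FileVault off")
    if policy["require_sip"] and not sec.get("SystemIntegrityProtectionEnabled", False):
        findings.append("SIP disabled")
    return info["SerialNumber"], findings


# --- constructed device responses (fake UDIDs and serials) ---
def _info_response(udid, serial, os_version, supervised):
    return plistlib.dumps({
        "CommandUUID": "1", "Status": "Acknowledged", "UDID": udid,
        "QueryResponses": {"UDID": udid, "SerialNumber": serial, "DeviceName": "lab-mac",
                           "OSVersion": os_version, "ModelName": "MacBook Pro",
                           "IsSupervised": supervised, "WiFiMAC": "aa:bb:cc:dd:ee:ff"},
    })


def _security_response(udid, fde, sip, status="Acknowledged"):
    return plistlib.dumps({
        "CommandUUID": "2", "Status": status, "UDID": udid,
        "SecurityInfo": {"FDE_Enabled": fde, "FDE_HasPersonalRecoveryKey": fde,
                         "SystemIntegrityProtectionEnabled": sip,
                         "FirewallSettings": {"FirewallEnabled": True}},
    })


GOOD = (_info_response("U-1", "C02FAKE0001", "14.4.1", True), _security_response("U-1", True, True))
BAD = (_info_response("U-2", "C02FAKE0002", "12.7.4", False), _security_response("U-2", False, False))
BUSY = (_info_response("U-3", "C02FAKE0003", "14.4.1", True),
        _security_response("U-3", True, True, status="NotNow"))

if __name__ == "__main__":
    print(device_information_command(["UDID", "SerialNumber", "OSVersion", "IsSupervised"]).decode())
    for pair in (GOOD, BAD, BUSY):
        try:
            print(assess(*pair))
        except Retry as udid:
            print(f"{udid}: NotNow, re-queue the command")
```

A device answers NotNow when it cannot process a command (for example while locked); the assessor raises Retry instead of recording a result, because the safe default for a missing answer is "unknown", not "passed". Any Status other than Acknowledged is likewise an error rather than a pass, which is what keeps a device that fails to report from showing up as compliant.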
MDM Solution Network Requirements
When installing an on-premises MDM solution, you need to configure all of the following items. Configure and test each of these items early in the process to ensure a smooth implementation. If your MDM solution is managed externally or hosted in the cloud, your MDM vendor may take care of several of these items for you:
- DNS: The MDM solution must use a fully qualified domain name that resolves both on the internal network and from the Internet, so the server can manage devices on site and off site. Devices are enrolled against this host name, so it must not change; moving to a new name means re-enrolling every device.
- IP address: Most MDM solutions require a static IP address. If the server's IP address does change, update DNS so the existing host name still resolves to it.
- MDM configuration with TLS: All communication between Apple devices and the MDM solution is encrypted with HTTPS, so the MDM server needs a TLS (formerly SSL) certificate. Use a certificate issued by a certificate authority (CA) the devices already trust; a self-signed or private-CA certificate works only if its trust anchor is installed on every device before enrollment, and devices that do not trust the certificate will refuse to check in. Record the certificate's expiration date and renew it before it expires, since an expired server certificate silently strands every enrolled device.
- Firewall ports: To enable internal and external access to your MDM solution, certain firewall ports must be open. Most MDM solutions accept inbound connections over HTTPS on TCP port 443. Both the MDM solution and the devices must reach Apple's Push Notification service. Before November 2020, MDM solutions used TCP ports 2195 and 2196 to reach APNs; since then they use the HTTP/2 provider API on port 2197 (or 443). Devices connect to APNs on TCP port 5223 and fall back to 443 when 5223 is blocked on Wi-Fi.
Tip: Your MDM solution may hold escrowed FileVault recovery keys, Activation Lock bypass codes, macOS bootstrap tokens, and other data that is required for continued access to your devices; losing them can mean losing the ability to unlock, reactivate, or re-enroll a device. Make sure you have a robust disaster recovery strategy for an on-premises MDM installation, and test the backup and restore regularly.
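The prerequisites in this list can be checked before any device is enrolled. The Python script below is an added example, not Jamf's tooling: it resolves the server's FQDN, tests inbound TCP 443, tests outbound reachability of the APNs endpoints, and validates the server certificate chain against the system trust store while computing days to expiry. mdm.example.org, the expected IP address, and the 30-day renewal window are assumptions; the APNs host names and ports are the ones Apple publishes.

```python
"""Pre-flight checks for an on-premises MDM server's network prerequisites.

Added example, not Jamf's tooling. mdm.example.org and the expected IP are
placeholders; the APNs hosts and ports are the ones Apple publishes.
"""
import socket
import ssl
import time

# Outbound from the MDM server: APNs HTTP/2 provider API on 443 or 2197.
SERVER_APNS = [("api.push.apple.com", 443), ("api.push.apple.com", 2197)]
# Outbound from devices: a *-courier.push.apple.com host on 5223, 443 as fallback.
DEVICE_APNS = [("1-courier.push.apple.com", 5223), ("1-courier.push.apple.com", 443)]
EXPIRY_WARN_DAYS = 30  # assumed renewal window


def resolve(fqdn):
    """Addresses the local resolver returns for the FQDN (empty set if unresolvable)."""
    try:
        return {entry[4][0] for entry in socket.getaddrinfo(fqdn, None)}
    except socket.gaierror:
        return set()


def port_open(host, port, timeout=3.0):
    """True if a TCP connection to host:port completes within the timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def days_until_expiry(not_after, now=None):
    """not_after is the notAfter string from ssl.getpeercert(), e.g. 'Jan  5 09:34:43 2018 GMT'."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400


def classify_certificate(not_after, now=None, warn_days=EXPIRY_WARN_DAYS):
    """'expired', 'renew soon' (inside the warning window) or 'ok'."""
    days = days_until_expiry(not_after, now)
    if days <= 0:
        return "expired"
    if days <= warn_days:
        return "renew soon"
    return "ok"


def server_not_after(host, port=443):
    """Fetch the leaf certificate and return its notAfter. The chain is validated against
    the system trust store, so a self-signed or private-CA certificate raises
    SSLCertVerificationError, the same failure a device without that trust anchor sees."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def preflight(fqdn, expected_ip=None):
    """Run every check and return a dict of results; a failure is reported, never skipped."""
    report = {}
    addrs = resolve(fqdn)
    report["dns"] = bool(addrs) and (expected_ip is None or expected_ip in addrs)
    report["inbound_443"] = port_open(fqdn, 443)
    report["server_to_apns"] = any(port_open(h, p) for h, p in SERVER_APNS)
    report["device_to_apns"] = any(port_open(h, p) for h, p in DEVICE_APNS)
    try:
        report["certificate"] = classify_certificate(server_not_after(fqdn))
    except ssl.SSLCertVerificationError as err:
        report["certificate"] = f"untrusted: {err.verify_message}"
    except OSError as err:
        report["certificate"] = f"unreachable: {err}"
    return report


if __name__ == "__main__":
    for check, result in preflight("mdm.example.org", expected_ip="203.0.113.10").items():
        print(f"{check:16} {result}")
```

Run it once from inside the network and once from outside, because the DNS requirement is that both views resolve the same host name; a split-horizon setup that returns a private address internally still passes as long as each vantage point reaches the server. The device_to_apns check is only meaningful when the server sits on the same egress path as the devices.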
About Mobile device management (MDM)
MDM is typically a deployment of a combination of on-device applications and settings, corporate policies and certificates, and back-end infrastructure, with the goal of simplifying and improving IT management of end-user devices. In modern enterprise IT environments, the sheer number and diversity of managed devices (and user behavior) has driven MDM solutions that enable consistent and scalable device and user management. The overall function of MDM is to increase device supportability, security, and enterprise functionality while maintaining some user flexibility.
Many organizations manage devices and applications using MDM products/services. MDM primarily deals with segregation of corporate data, email protection, securing corporate documents on devices, enforcing corporate policies, and integrating and managing mobile devices, including laptops and handheld devices of various categories. MDM implementations can be on-premises or cloud-based.
Some of the key functions of MDM include:
- Ensure that diverse user devices are configured for a consistent set of standard/supported corporate applications, functions, or policies
- Scalable update of equipment, applications, functions or policies
- Ensure users use applications in a consistent and supported manner
- Ensure equipment operates consistently
- Monitoring and tracking equipment (e.g. location, status, ownership, activity)
- Be able to efficiently diagnose and troubleshoot equipment issues remotely
MDM functionality may include over-the-air distribution of applications, data, and configuration settings for all types of mobile devices, including cell phones, smartphones, tablets, rugged mobile computers, mobile printers, mobile point-of-sale (POS) devices, and so on. More recently, laptops and desktops have been added to the list of supported systems as mobile device management has become more about basic device management and less about the mobile platform itself. MDM tools are used for both company-owned and employee-owned (BYOD) devices. Consumer demand for BYOD now requires a greater effort in MDM and stronger security for both the devices and the enterprise they connect to, especially because employers and employees have different expectations about the restrictions that should apply to mobile devices.
By controlling and protecting the data and configuration settings of all mobile devices on a network, MDM can reduce support costs and business risk. The intent of MDM is to optimize the functionality and security of a mobile communications network while minimizing costs and downtime. With mobile devices becoming ubiquitous and applications flooding the market, mobile monitoring is growing in importance. The use of mobile device management continues to grow at a steady pace and is likely to register a compound annual growth rate (CAGR) of nearly 23% through 2028, with the US remaining the largest market for mobile device management globally. Several vendors help mobile device manufacturers, content portals, and developers test and monitor the delivery of their mobile content, applications, and services. This content testing is done in real time, simulating the actions of thousands of customers and detecting and fixing bugs in the applications.