Apple MDM servers give you the tools to manage your employees’ Apple devices, providing remote monitoring and administration capabilities. This benefits your business by keeping data secure, allowing your IT department to operate efficiently, and making employees more productive by ensuring devices are operating correctly.
This guide offers a comprehensive overview of Apple MDM servers. It explains their purpose and functionality, how they benefit your organization by facilitating the deployment, management, and maintenance of Apple devices, and how they ensure the security and compliance of your Apple IT infrastructure.
What is an Apple MDM server?
Mobile device management (MDM) is the software tools and practices IT departments use to manage their fleets of mobile devices, including phones, tablets, and laptops (and, with remote work, these tools are often extended for use on desktop machines). MDM offers several advantages to enterprise mobility management, including remotely monitoring devices to ensure security and compliance, deploying software, updating policies, and managing users.
An Apple MDM server is the third-party MDM software you use to manage Apple iOS, iPadOS, and macOS devices. While the Apple MDM process provides the same advantages as other MDM solutions, not all MDM platforms are compatible with Apple’s implementation, which relies on Apple Business Manager to manage and enroll devices.
Apple Business Manager and MDM
Mobile device management can be added to your organization’s iPads, iPhones, Macs, and Apple TV devices using Apple Business Manager (ABM) or Apple School Manager (ASM). This is the preferred method, as it ensures the devices are properly enrolled by users, versus IT departments emailing enrollment profiles for users to install themselves.
Apple Business Manager allows you to enroll and manage devices, deploy apps and books, manage employee Apple IDs, and add MDM servers for specific device types. Without ABM, you cannot automatically deploy MDM to your Apple devices. Apple School Manager performs the same role for educational institutions, with added functionality for managing teachers, classes, and other education-specific roles.
Key features of Apple MDM servers
MDM servers provide several key functionalities to businesses and organizations that streamline the deployment and management of Apple devices. These features include:
- Automatic Device Enrollment (ADE): In conjunction with Apple Business Manager, you can ensure that devices are automatically enrolled in ABM and MDM as soon as they are unboxed and connected by the user. This removes the need to manually unbox each device, plug it in, and update or configure it; instead, you simply record your purchase details in ABM and ship devices directly to your employees.
- Configuration management: Ongoing device management after initial setup without MDM involves recalling devices so that they can be updated or reconfigured. Over-the-Air (OTA) updates allow you to remotely keep device configurations up-to-date and consistent without having to physically interact with them.
- App management: Similarly, apps and content can be remotely managed via an Apple MDM server so that you can provide employees with access to the apps and materials they require to perform their work duties. App licenses can also be remotely managed using ABM, and the Apple Volume Purchase Program (VPP) can be utilized for the bulk purchase of apps and books.
- Security policies and compliance: Security is an ongoing concern and must be prioritized by organizations in any category and of any size. MDM solutions allow you to centrally monitor and manage all of your mobile devices to ensure that they have security policies to meet emerging threats. This is important if your business handles sensitive data or personally identifiable information (PII) for your customers, which is increasingly regulated.
- Remote wipe and lock capabilities: The monetary value of a lost or stolen device isn’t the biggest concern for most businesses; the potential for others to gain access to valuable company data or interfere with business operations is a far bigger threat. MDM that has been configured using ABM cannot be removed from a device by end users, ensuring that security policies and authentication measures remain in place and that the device can be remotely locked or wiped.
Is Apple Business Essentials an MDM replacement?
Apple Business Essentials can be added as an MDM server in ABM for Apple device management. Apple Business Essentials can fulfill many MDM roles, including device management, and comes with support for businesses that rely solely on Apple devices but do not have their own IT technician or department.
When you sign up for Apple Business Essentials, it will be available as an MDM server in your Apple Business Manager account. You can use both Apple Business Essentials and a third-party MDM solution in the same account (but can only use a single MDM server per device).
How to set up an Apple MDM server
Apple MDM server functionality is usually provided by your third-party MDM solution; it is not a physical server or software that you need to purchase, install, and configure yourself.
Once you have adopted an MDM platform that supports Apple Business Manager, you can add it to your ABM account and then assign it as the MDM server for your devices based on their type.
How to add iOS, iPadOS, and macOS devices to Apple MDM
The suggested method for enrolling an Apple device in MDM is to add it to ABM. This is the only way to automatically add MDM to mobile Apple devices, and this process locks the device to your MDM platform so that if it is stolen, protections cannot be disabled or removed.
Alternatively, you can manually add the devices using Apple Configurator if you have physical access to them or email the MDM enrollment profile to your users to install themselves.
Once the MDM enrollment profile has been installed on a device, the MDM server will queue up commands to be sent to the device when it is online, using the Apple Push Notification service (APNs) to wake the device so that it connects and fetches them.
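The following Python simulation is an added illustration of the check-in and command-queue exchange described above; it is not code from the original article and not NinjaOne's product. Both sides run in one process: the device enrolls with `Authenticate` and `TokenUpdate` check-in messages, the server queues a `DeviceInformation` command and sends a (simulated) APNs push carrying only the `PushMagic` value, and the device then connects, reports `Idle`, receives the command, and answers `Acknowledged`, or `NotNow` if it is busy, in which case the server keeps the command queued. The message types, key names, and status values are those of Apple's MDM protocol; the UDID, push topic, APNs token, and device details are constructed placeholders, and there is no TLS, certificate authentication, or real APNs connection.

```python
import plistlib
import uuid
from collections import deque

# Constructed values for this example only. A real server gets the UDID from the
# device and the push topic from the APNs certificate issued for the MDM server.
DEVICE_UDID = "CONSTRUCTED-UDID-0001"
PUSH_TOPIC = "com.apple.mgmt.External.constructed-example"


class MDMServer:
    """Server side: check-in endpoint, per-device command queue, simulated APNs pushes."""

    def __init__(self):
        self.push_info = {}    # UDID -> (APNs token, PushMagic) learned at TokenUpdate
        self.queues = {}       # UDID -> deque of command plists, oldest first
        self.pushes_sent = []  # what would be handed to APNs: token + {"mdm": PushMagic}
        self.results = {}      # CommandUUID -> the device's final response plist

    def checkin(self, body: bytes) -> bytes:
        """CheckInURL handler. Authenticate announces the device; TokenUpdate delivers
        the push token and PushMagic that let the server wake the device later."""
        msg = plistlib.loads(body)
        udid = msg["UDID"]
        if msg["MessageType"] == "Authenticate":
            self.queues.setdefault(udid, deque())
        elif msg["MessageType"] == "TokenUpdate":
            self.push_info[udid] = (msg["Token"], msg["PushMagic"])
        return b""  # HTTP 200 with an empty body

    def enqueue(self, udid: str, request_type: str, **params) -> str:
        """Queue a command and send the push. The push carries only PushMagic; the
        command itself is fetched by the device over the authenticated ServerURL channel."""
        cmd = {"CommandUUID": str(uuid.uuid4()).upper(),
               "Command": {"RequestType": request_type, **params}}
        self.queues[udid].append(cmd)
        token, magic = self.push_info[udid]
        self.pushes_sent.append({"token": token, "payload": {"mdm": magic}})
        return cmd["CommandUUID"]

    def connect(self, body: bytes) -> bytes:
        """ServerURL handler. The device reports Idle, Acknowledged, Error or NotNow and
        the server answers with the next queued command, or nothing if none is pending."""
        rsp = plistlib.loads(body)
        queue = self.queues[rsp["UDID"]]
        status = rsp["Status"]
        if status == "NotNow":
            return b""  # device cannot act now; keep the command queued for the next connect
        if status in ("Acknowledged", "Error", "CommandFormatError"):
            self.results[rsp["CommandUUID"]] = rsp
            if queue and queue[0]["CommandUUID"] == rsp["CommandUUID"]:
                queue.popleft()  # drop a command only once the device has answered it
        return plistlib.dumps(queue[0]) if queue else b""


class Device:
    """Device side: enrollment check-in and the connect/respond loop after a push."""

    def __init__(self, udid: str, server: MDMServer):
        self.udid, self.server = udid, server
        self.busy = False  # True makes the device answer NotNow instead of executing
        self.apns_token = b"constructed-apns-token"
        self.push_magic = str(uuid.uuid4()).upper()
        self.info = {"DeviceName": "Constructed iPhone", "OSVersion": "17.4"}  # constructed

    def enroll(self):
        base = {"UDID": self.udid, "Topic": PUSH_TOPIC}
        self.server.checkin(plistlib.dumps({"MessageType": "Authenticate", **base}))
        self.server.checkin(plistlib.dumps({"MessageType": "TokenUpdate", **base,
                                            "Token": self.apns_token,
                                            "PushMagic": self.push_magic}))

    def wake(self):
        """Run when a push arrives: connect with Idle, then execute commands until the
        server has nothing more to send (or the device had to answer NotNow)."""
        rsp = {"Status": "Idle", "UDID": self.udid}
        while True:
            body = self.server.connect(plistlib.dumps(rsp))
            if not body:
                return
            cmd = plistlib.loads(body)
            if self.busy:
                rsp = {"Status": "NotNow", "UDID": self.udid, "CommandUUID": cmd["CommandUUID"]}
            else:
                rsp = self.execute(cmd)

    def execute(self, cmd: dict) -> dict:
        reply = {"UDID": self.udid, "CommandUUID": cmd["CommandUUID"]}
        if cmd["Command"]["RequestType"] == "DeviceInformation":
            queries = cmd["Command"].get("Queries", [])
            reply["Status"] = "Acknowledged"
            reply["QueryResponses"] = {q: self.info[q] for q in queries if q in self.info}
        else:
            reply["Status"] = "Error"  # this toy device only understands DeviceInformation
        return reply


def run_demo() -> dict:
    """Enroll, queue one command, show NotNow keeping it queued, then the acknowledgement."""
    server = MDMServer()
    device = Device(DEVICE_UDID, server)
    device.enroll()
    cid = server.enqueue(DEVICE_UDID, "DeviceInformation", Queries=["DeviceName", "OSVersion"])
    device.busy = True
    device.wake()  # device answers NotNow; command stays at the head of the queue
    pending_after_notnow = len(server.queues[DEVICE_UDID])
    device.busy = False
    device.wake()  # device reconnects, executes the command and acknowledges it
    return {"pending_after_notnow": pending_after_notnow,
            "pending_after_ack": len(server.queues[DEVICE_UDID]),
            "pushes_sent": len(server.pushes_sent),
            "result": server.results[cid]}


if __name__ == "__main__":
    print(run_demo())
```

The point to take from the simulation is the division of trust: the push is only a wake-up signal and carries no command content, the device always initiates the connection to the server, and the server removes a command from its queue only after the device has answered it, so a busy or offline device never loses a queued lock or wipe.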
Best practices for managing Apple devices with MDM
There are a few Apple-specific best practices you should follow when implementing mobile device management via an MDM server in ABM or ASM:
- A device can only be assigned a single MDM server.
- You cannot change your ABM enrollment once a device has completed the Setup Assistant process.
- You can add multiple MDM servers to ABM and assign different devices to different servers. This is useful if you want to manage your desktop and laptop devices running macOS differently from your mobile devices, or if you have departments with different MDM requirements that call for different solutions.
- Consider a separate MDM configuration for BYOD users: Employees may be uncomfortable with their employer having strict control over their personal devices and only wish for control to extend to their managed work Apple ID account or certain apps, not their whole device.
- Enact user training and support, and make sure users are aware of why they are restricted and know who to contact if there is an issue they cannot resolve themselves due to these restrictions.
- Ensure your iOS devices are configured to automatically receive and install updates; end users can be reluctant to install updates themselves or may delay them.
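As an added example serving both the compliance monitoring feature described earlier and the update and supervision practices listed above (this is not code from the original article or from NinjaOne), the following Python evaluates a small constructed device inventory against a baseline. The record keys are those an MDM server receives in `DeviceInformation` and `SecurityInfo` responses (`ProductName`, `OSVersion`, `IsSupervised`, `PasscodePresent`, `PasscodeCompliant`, `FDE_Enabled`); the UDIDs, the device values, and the minimum OS versions are constructed placeholders, and the finding names are this example's own. It also shows why OS versions must be compared numerically rather than as strings.

```python
# Constructed baseline for this example; set your own minimum supported versions.
MIN_OS_VERSION = {"iOS": "17.4", "macOS": "14.4"}


def parse_version(text: str) -> tuple:
    """Turn '17.10.1' into (17, 10, 1), padded to three parts so '17.4' == '17.4.0'.
    Comparing the raw strings would wrongly rank '17.10' below '17.4'."""
    parts = [int(p) for p in text.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def platform_of(product_name: str) -> str:
    """Derive the OS family from the ProductName value (e.g. 'iPhone14,2', 'MacBookPro18,3');
    iPhone and iPad identifiers are treated together as iOS/iPadOS."""
    return "macOS" if product_name.startswith("Mac") else "iOS"


def evaluate(device: dict) -> list:
    """Return the list of findings for one device record; an empty list means compliant."""
    findings = []
    plat = platform_of(device["ProductName"])
    if parse_version(device["OSVersion"]) < parse_version(MIN_OS_VERSION[plat]):
        findings.append("os_below_baseline")
    if plat == "iOS":
        # Only supervised (ABM-enrolled) devices keep MDM non-removable by the user,
        # so an unsupervised device cannot be relied on for enforced updates or remote wipe.
        if not device.get("IsSupervised", False):
            findings.append("unsupervised")
        if not device.get("PasscodePresent", False):
            findings.append("no_passcode")
        elif not device.get("PasscodeCompliant", True):
            findings.append("passcode_noncompliant")
    if plat == "macOS" and not device.get("FDE_Enabled", False):
        findings.append("filevault_off")  # lost Mac without FileVault exposes its data
    return findings


def evaluate_fleet(devices: list) -> dict:
    """Map each UDID to its findings so the result can feed a report or an alert."""
    return {d["UDID"]: evaluate(d) for d in devices}


# Constructed inventory: three records shaped like MDM query responses.
INVENTORY = [
    {"UDID": "CONSTRUCTED-UDID-1", "ProductName": "iPhone14,2", "OSVersion": "17.10",
     "IsSupervised": True, "PasscodePresent": True, "PasscodeCompliant": True},
    {"UDID": "CONSTRUCTED-UDID-2", "ProductName": "iPad13,1", "OSVersion": "17.2",
     "IsSupervised": False, "PasscodePresent": True, "PasscodeCompliant": False},
    {"UDID": "CONSTRUCTED-UDID-3", "ProductName": "MacBookPro18,3", "OSVersion": "14.5",
     "FDE_Enabled": False},
]


if __name__ == "__main__":
    for udid, findings in evaluate_fleet(INVENTORY).items():
        print(udid, "OK" if not findings else ", ".join(findings))
```

Running it flags the unsupervised, outdated iPad with a weak passcode and the Mac without FileVault, while the iPhone on 17.10 passes the 17.4 baseline that a naive string comparison would have failed.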
MDM is a long-term investment, so it’s important to choose the right tools
Investment in IT infrastructure management and enterprise mobility management is wasted if the selected tools do not meet your current or future requirements. Once devices have been enrolled in Apple Business Manager and with an MDM server, it becomes difficult and disruptive to change to a different platform. Rectifying technical debt spurred by choosing the wrong tools stalls progress on other IT projects and prevents your IT technicians from addressing new issues in a timely manner.
If you deploy devices from manufacturers other than Apple that run other operating systems, it’s wise to choose a single MDM platform that supports all of your devices.
NinjaOne provides an Apple MDM solution as part of our endpoint protection platform that fulfills the vital monitoring, management, security, and compliance roles that businesses require to operate fleets of Apple devices (and our platform also supports Windows, Android, and Linux devices). It does this from a unified web interface and has full integration with ABM for automatic device enrollment, so that when your employees receive their devices, all they need to do is power them on and sign in.