According to one recent estimate, nearly a quarter of the computers now used in U.S. enterprises (with more than 1,000 employees) are made by Apple. While that’s great news for those employees (who, when given the choice, tend to choose Mac), it could be a concern for IT admins who have previously worked exclusively with Windows PCs.
If you’re one of those admins and are being asked to manage Apple devices for the first time, we’re here to tell you: Don’t fret. If you’ve dealt with Windows you can figure out Mac. Here are four essential ideas to get you started.
- You Don’t Need to Bind
- Users Come First
- It Matters Where You Buy
- Join the Community
1. You Don’t Need to Bind
When it comes to managing Windows PCs, IT has traditionally depended on binding them to a directory service such as Active Directory, which can then be used to manage those computers, authenticate users, and more. That isn’t necessary with Mac computers.
While you can bind a Mac to Active Directory, Mac devices can’t take advantage of many of the management capabilities that Active Directory offers Windows devices. For instance, Group Policy Objects (GPOs) require devices that run on Windows and are bound to an Active Directory domain. Even if you connect Mac computers to Active Directory, you won’t get the same level of control over your users and devices.
But Apple has its own take on Mac management. Admins can let users create local accounts and then use single sign-on (SSO) through the Kerberos Single Sign-on extension, which is delivered as a configuration profile. The extension signs the user in to Active Directory (or any other Kerberos realm) and can keep the local account password in sync with the directory password, all without binding the Mac to the domain. IT can also use a mobile device management (MDM) solution that’s built for Mac (such as Kandji), which uses Apple’s MDM protocol to provide flexible and robust management of the company’s devices.
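To make the unbound setup concrete, here is an added example (not Kandji's code and not from the original post) that builds the configuration profile an MDM would push to enable the Kerberos SSO extension with local-password sync. The realm `AD.EXAMPLE.COM`, the host pattern `.ad.example.com`, the organization name and the `com.example` identifier prefix are placeholders; the payload type and the extension identifier are Apple's.

```python
"""Kerberos SSO extension profile for an unbound Mac (added example, not Kandji's code).

Placeholders: the realm AD.EXAMPLE.COM, the host pattern .ad.example.com and the
identifier prefix com.example are assumptions; substitute your own.
"""
import plistlib
import uuid

KERBEROS_EXTENSION = "com.apple.AppSSOKerberos.KerberosExtension"


def kerberos_sso_payload(realm, hosts, sync_local_password=True):
    """Extensible SSO payload that hands Kerberos for `realm` to Apple's extension.

    The Mac is never bound to the domain: the extension obtains the user's
    ticket-granting ticket itself and, with syncLocalPassword, keeps the local
    account password equal to the Active Directory password.
    """
    return {
        "PayloadType": "com.apple.extensiblesso",
        "PayloadIdentifier": f"com.example.sso.kerberos.{uuid.uuid4()}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Kerberos SSO extension",
        "ExtensionIdentifier": KERBEROS_EXTENSION,
        "TeamIdentifier": "apple",
        "Type": "Credential",
        # Kerberos realms are case-sensitive; Active Directory realms are upper case.
        "Realm": realm.upper(),
        # Hosts that trigger the extension; a leading "." matches every subdomain.
        "Hosts": list(hosts),
        "ExtensionData": {
            "syncLocalPassword": sync_local_password,
            "isDefaultRealm": True,
            "useSiteAutoDiscovery": True,
            "requireUserPresence": False,
        },
    }


def mobileconfig(payloads, organization="Example Corp", name="Kerberos SSO"):
    """Wrap payloads in a system-scoped configuration profile."""
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadScope": "System",
        "PayloadOrganization": organization,
        "PayloadDisplayName": name,
        "PayloadIdentifier": "com.example.profile.kerberos-sso",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadContent": list(payloads),
    }


def build(realm, hosts, sync_local_password=True):
    """Return the .mobileconfig as XML bytes, ready to upload to an MDM."""
    payload = kerberos_sso_payload(realm, hosts, sync_local_password)
    return plistlib.dumps(mobileconfig([payload]), fmt=plistlib.FMT_XML)


def sso_payload_of(mobileconfig_bytes):
    """Parse a profile back and return its single Extensible SSO payload."""
    doc = plistlib.loads(mobileconfig_bytes)
    sso = [p for p in doc["PayloadContent"] if p["PayloadType"] == "com.apple.extensiblesso"]
    if len(sso) != 1:
        raise ValueError(f"expected one com.apple.extensiblesso payload, found {len(sso)}")
    return sso[0]


def lint(mobileconfig_bytes):
    """Checks worth running before upload; returns a name -> bool map."""
    p = sso_payload_of(mobileconfig_bytes)
    data = p.get("ExtensionData", {})
    return {
        "kerberos_extension": p.get("ExtensionIdentifier") == KERBEROS_EXTENSION
        and p.get("TeamIdentifier") == "apple",
        "credential_type": p.get("Type") == "Credential",
        "realm_upper_case": bool(p.get("Realm")) and p["Realm"] == p["Realm"].upper(),
        "hosts_present": bool(p.get("Hosts")),
        "password_sync_on": data.get("syncLocalPassword") is True,
    }


if __name__ == "__main__":
    profile = build("ad.example.com", [".ad.example.com"])
    with open("kerberos-sso.mobileconfig", "wb") as fh:
        fh.write(profile)
    print(lint(profile))
```

Upload the resulting file to your MDM as a device-scoped profile; the same payload installed by hand would also need the user to approve it. `lint` is the kind of round-trip check worth keeping in a pre-deployment script, since a lower-case realm or an empty `Hosts` list produces a profile that installs cleanly and silently does nothing.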
2. Users Come First
Microsoft and Apple have very different design priorities when it comes to the Windows and Mac platforms. One of the biggest differences: Who are they really designing those devices for?
Microsoft and vendors of Windows computers tend to put IT first every step of the way. If their devices are easy to manage and integrate in enterprise settings, the logic goes, they’ll be popular with business buyers. This gives IT a lot of leverage over users when it comes to deploying and managing Windows devices.
When you begin managing Apple devices, you’ll see that the focus is always on the user, sometimes to the inconvenience of IT. Apple wants users to always know what’s happening to their devices. For instance, in BYOD cases, users need to approve device management (what Apple calls User Approved MDM) with administrator privileges before IT can manage those devices or change security settings. On both corporate-owned and user-owned devices, users must explicitly give apps permission to access sensitive features such as the camera, the microphone, and screen sharing (including screen recording). MDM can deny those permissions ahead of time, but it cannot grant them on the user’s behalf.
This might frustrate some seasoned Windows IT admins, but it’s part of what makes Apple products popular with users. If you’re new to managing Mac computers, remember that you’ll have to communicate clearly with users about the types of prompts they’ll receive and how you hope they’ll respond.
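The following added example (not Kandji's code and not from the original post) shows where the line sits between what a Privacy Preferences Policy Control (PPPC) profile can pre-approve and what still lands on the user as a prompt. It builds the PPPC payload for a hypothetical app `com.example.meetingapp` (its bundle ID and code requirement are placeholders) and refuses any service/authorization pair macOS would not honor. PPPC payloads are only applied when they arrive through user-approved MDM or Automated Device Enrollment.

```python
"""Which privacy (TCC) permissions MDM can pre-approve, and which stay with the user.

Added example, not Kandji's code. The bundle ID com.example.meetingapp and
EXAMPLE_REQUIREMENT are placeholders; get the real requirement from
`codesign -dr - /Applications/App.app`.
"""
import uuid

# Authorization values a PPPC payload may carry per TCC service on macOS 11+.
# Camera and Microphone can only be denied, and ScreenCapture/ListenEvent can at
# most let a standard user grant them: the "allow" decision stays with the user.
PPPC_AUTHORIZATIONS = {
    "SystemPolicyAllFiles": {"Allow", "Deny"},  # Full Disk Access
    "Accessibility": {"Allow", "Deny"},
    "Camera": {"Deny"},
    "Microphone": {"Deny"},
    "ScreenCapture": {"Deny", "AllowStandardUserToSetSystemService"},
    "ListenEvent": {"Deny", "AllowStandardUserToSetSystemService"},
}

# Placeholder designated requirement for the hypothetical app.
EXAMPLE_REQUIREMENT = (
    'identifier "com.example.meetingapp" and anchor apple generic and '
    'certificate leaf[subject.OU] = "EXAMPLETEAM"'
)


class PPPCError(ValueError):
    """Raised for a service/authorization pair macOS would not honor."""


def can_preapprove(service, authorization="Allow"):
    """True if a PPPC profile may set `authorization` for `service`."""
    return authorization in PPPC_AUTHORIZATIONS.get(service, set())


def pppc_entry(service, bundle_id, code_requirement, authorization):
    """One Services[service] entry, validated against Apple's allowed values."""
    if service not in PPPC_AUTHORIZATIONS:
        raise PPPCError(f"unknown or unsupported TCC service {service!r}")
    if not can_preapprove(service, authorization):
        allowed = sorted(PPPC_AUTHORIZATIONS[service])
        raise PPPCError(f"{service}: MDM may not set {authorization!r}, only {allowed}")
    return {
        "Identifier": bundle_id,
        "IdentifierType": "bundleID",
        "CodeRequirement": code_requirement,
        "StaticCode": False,
        # macOS 11+ key; 10.14/10.15 used a boolean "Allowed" instead.
        "Authorization": authorization,
        "Comment": f"{service} for {bundle_id}",
    }


def pppc_payload(entries):
    """entries: iterable of (service, entry) pairs -> one PPPC payload dict."""
    services = {}
    for service, entry in entries:
        services.setdefault(service, []).append(entry)
    return {
        "PayloadType": "com.apple.TCC.configuration-profile-policy",
        "PayloadIdentifier": f"com.example.pppc.{uuid.uuid4()}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Privacy Preferences Policy Control",
        "Services": services,
    }


def plan(bundle_id, code_requirement, wanted):
    """Split the services an app needs into (PPPC payload, prompts the user will still see)."""
    entries, prompts = [], []
    for service in wanted:
        if can_preapprove(service, "Allow"):
            entries.append((service, pppc_entry(service, bundle_id, code_requirement, "Allow")))
        elif service in PPPC_AUTHORIZATIONS:
            prompts.append(service)
        else:
            raise PPPCError(f"unknown TCC service {service!r}")
    return pppc_payload(entries), prompts


if __name__ == "__main__":
    wanted = ["SystemPolicyAllFiles", "Camera", "Microphone", "ScreenCapture"]
    payload, prompts = plan("com.example.meetingapp", EXAMPLE_REQUIREMENT, wanted)
    print("pre-approved by profile:", sorted(payload["Services"]))
    print("user will still be prompted for:", prompts)
```

The `prompts` list is the part to hand to whoever writes the rollout notice: for a meeting app that wants Full Disk Access, camera, microphone and screen recording, the profile settles only the first, and users will see the other three prompts no matter what IT pushes.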
3. It Matters Where You Buy
For business use, it’s best to buy Mac computers directly from Apple or an authorized reseller (including authorized carriers), so those devices can be automatically added to Apple Business Manager (ABM) at the time of purchase. Using ABM and Automated Device Enrollment, devices can be automatically enrolled in your MDM solution.
One caveat about purchasing directly from Apple: Your CEO can’t just casually walk into an Apple Store, pick up a Mac, and expect it to be automatically enrolled in your management solution through ABM. Your CEO would need to work with that Apple Store’s local business team, which can tie the purchase to your company’s customer number, to ensure that it's added to your ABM account. Local business teams can add previously purchased devices retroactively, but it is easier to do so at the time of the initial transaction.
You can also add iPhone, iPad, and Apple TV to ABM using Apple Configurator 2. But that requires you to have possession of the device. And if there is any data on the device already, it will need to be erased and restored to factory settings.
This is, of course, different from how it works on the Windows side. You can purchase Windows PCs from any vendor and register them with Windows Autopilot (the vendor can do this at purchase, or IT can upload the hardware hash later) to set up and pre-configure those PCs with Windows 10.
4. Join the Community
Mac admins never have to look far to find solutions for their device management questions:
- Robust user communities form around different MDM solutions.
- The support pages of whichever MDM solution you use will be full of useful tips about device management.
- You can find plenty of great information on the Apple Developer site, including Worldwide Developers Conference (WWDC) videos and documentation on just about everything you need to know about managing Mac computers.
- The MacAdmins Slack workspace is highly active and extremely useful. It’s the go-to place for technical advice and camaraderie. You can sign up for free on the MacAdmins website.
As more and more companies adopt Apple devices, many Windows IT admins are playing catch-up to fit these new devices into their existing workflows. Kandji makes managing Mac a breeze. With innovation and iteration at the core of everything we do, Kandji is constantly building solutions to give you more of what you need and improve upon features you already love. With Kandji, you can be confident that your Apple fleet is in safe and secure hands from deployment to retirement.
2021.07.21: This article was updated to clarify some details in the section regarding the purchasing process.