Apple Device Management

Apple devices—Mac computers, iPhones, iPad tablets, and even Apple TVs—have a built-in framework that supports Mobile Device Management(MDM). MDM lets you securely and remotely configure devices by sending profiles and commands to the device. MDM capabilities include updating software and device settings, monitoring compliance with organizational policies, and remotely wiping or locking devices.

Apple Device Management (ADM) is the N-central MDM solution. It enables you to use MDM with your monitored macOS (10.13.2+) devices so you can configure your devices by sending configuration profiles to them directly from the N-central Dashboard. Note that this is separate from the old MDM for iPad/iPhone, which still exists in parallel.

ADM also supports Apple's enhanced macOS security framework to ensure our applications continue functioning with minimal user intervention.

Apple Device Management requires Mac Monitoring Agent 1.2.0 or higher.

Enrollment of Virtual Machines (VMs) in ADM is not tested or supported.

Before you can send profiles to devices, you must:

  1. Add a new Apple Push Certificate (or renew)
  2. Enroll devices in Apple Device Management manually
  3. Create and upload configuration profiles

After you have devices enrolled in ADM and profiles uploaded to N-central, you can Deploy and manage profiles on devices.

Permissions

Before using ADM, we recommend you review your Roles and Permissions to ensure the Dashboard users have the required access level for their role.

macOS security framework

macOS 10.13.2 or later, includes user data protections, which are managed by Apple's expanded security framework, Transparency Consent and Control (TCC), that prevent third-party applications from unauthorized interaction with the computer. Organizations can use mobile device management (MDM) to remotely manage these security preferences with Apple's Privacy Preferences Policy Control (PPPC) payload.

These enhanced Apple security changes have the following implications for our applications:

  • The security and privacy control settings defaulted to blocked. This forced end users to grant the required permissions for our applications to access the computer.
  • These privacy and security settings are not always remotely configurable through a remote assistance tool so end users must approve each request. The number of request notifications and configuration requirements can be daunting to end users. For example, the numerous requests from new software installations or requests for re-authorization on previously permitted applications after an Operating System update can be overwhelming to end users.
  • If end users do not grant the required permissions, Apple Device Management may not run or they may run but with restricted functions.

To reduce the impact of these implications on our applications, we use our Apple Device Management MDM solution, to reduce the volume of end user notifications from our software and ensure all our installed applications have the required permissions.