macOS Catalina Policies

By Cassa Niedringhaus Posted November 19, 2019

Macs® have been making huge inroads into enterprise organizations, so it’s critical for IT admins to be able to manage them.

The rise in Mac use for business is due to multiple factors, including improved hardware, SaaS-based software, and the tight integration between iPhones®, iPads®, and Mac systems. In fact, AppleInsider reported that 100% of Fortune 500 companies are now using Apple® products to some degree. Beyond that, 78% of respondents to a Jamf survey agreed they would not be as effective in their jobs without Macs. 

Mac management is no longer a hypothetical: It’s an imperative. With the release of new macOS versions — most recently Catalina — IT admins want to ensure they can continue to manage their Mac fleets, including through the use of group policies. 

Challenges in Mac Management

Historically, IT admins used Windows-based IT management tools such as Microsoft® Active Directory® (AD) and System Center Configuration Manager (SCCM), but such tools did not provide the same capabilities in managing Mac systems as they did with Windows® systems.

Although it’s now a fairly straightforward process to bind Mac machines to AD through each machine’s system preferences, the same cannot be said for managing machines or enforcing Microsoft’s Group Policy Objects (GPOs) on them. (Note that the user management process — provisioning, deprovisioning, Secure Token management, etc. — is not so easy.) IT organizations previously avoided or prohibited Macs, rather than trying to manage them through AD.

IT admins have come up with AD workarounds — like installing macOS® server on a spare Mac — and a new generation of Mac management tools and mobile device management (MDM) companies have sprung up to fill the AD void. Apple offers its own MDM protocol to allow “administrators to securely and remotely configure enrolled devices,” but it doesn’t provide the policy suite IT admins need to ensure proper security settings across their fleets.

Not all of these solutions necessarily provide the equivalent, comprehensive management that AD provides for Windows systems. Manual distribution is not efficient at scale. Instead, MDM or Mac system management tools are the route to take for larger organizations with more Mac systems in place.

macOS Catalina Management Solutions

The best macOS system management solutions have a number of critical characteristics, such as the capability to control user management, the ability to deploy GPO-like policies, and the enablement of automation — as well as password management and multi-factor authentication.

Policies that are critical for IT admins include:

  • Ensuring patches are deployed
  • Enabling full-disk encryption (FileVault 2®)
  • Ensuring screens are locked after a defined period of time
  • Disabling USB ports
  • Prohibiting System Preferences changes
  • Setting password requirements

System management solutions ideally provide both preconfigured policies and the ability to create customizable policies. The right macOS Catalina policy solution can easily manage and deploy these security and configuration policies and more.

IT admins should not only ensure the system is configured but also make sure only the right users are properly provisioned, including that the Secure Token has been handled appropriately. 

Secure Token is an Apple attribute that enables trusted users to interact with FileVault. Its release with macOS High Sierra changed IT admin workflows because it introduced a “chain of trust” on machines in which the original trusted user needed to create subsequent trusted users (and users needed to be trusted to use FileVault), but subsequent solutions have eased and automated the process of managing Secure Tokens. Whatever approach IT admins take in managing their Macs, it will need to work with Secure Tokens.

Learn More

JumpCloud has the ability to deploy Policies not only to macOS Catalina systems but also Windows and Linux® systems at scale. Its cloud-based directory service provides centralized management, and you can try it out for free or schedule a free personalized demo.

Cassa Niedringhaus

Cassa is a content writer at JumpCloud with a degree in Magazine Writing from the University of Missouri. When she’s not at work, she likes to hike, ski and read.
