Technical Guide: How to Manage macOS Systems Remotely with JumpCloud MDM
MDM in a Cloud Directory
Consolidate device security: Register JumpCloud as your MDM of choice
What is MDM?
MDM — short for mobile device management — is a service that lets IT administrators remotely manage enrolled devices. After a device is enrolled, MDM payloads are sent over the network to configure settings and perform other tasks on the device without user interaction.
IT teams use MDM to secure and manage end user devices, including laptops, smartphones, and tablets. Myriad vendors offer MDM solutions that provide remote control over end user devices, but MDM isn’t one size fits all. Giants Microsoft and Apple both allow MDM providers to exist and enable device management in their ecosystems. Some MDMs are for Android devices, others are for iOS devices, and some are a capability within more holistic IdP, IAM, or UEM platforms.
JumpCloud is in Apple’s certified MDM vendor ecosystem, offering Apple MDM via Apple’s MDM protocol and supporting deployment through Apple’s Device Enrollment Program (DEP) for macOS workstations. This lets admins streamline and customize device setup for employees on enrolled devices and send commands to managed computers.
In JumpCloud’s Directory-as-a-Service platform, Apple MDM is part of the platform’s deep system deployment and management capabilities. JumpCloud MDM simplifies work for administrators managing Macs from the ease of an all-in-one directory service that also enables them to manage and secure Windows and Linux devices, in addition to virtually every IT resource in their environment.
What are the Benefits of MDM?
IT and system administrators use MDM to ensure end user devices adhere to their organization’s security specifications, while providing remote security to devices in cases when they’re misplaced or stolen with commands like lock and wipe.
Not only does an MDM make securing devices more efficient for IT teams, it also makes onboarding easier by letting admins drop-ship pre-configured devices to end users, who just need to unbox them and log in to begin being productive. This is called zero-touch enrollment.
When an admin is onboarding a new employee or providing a user with a new work laptop, zero-touch enrollment lets the admin send a device that will configure itself during activation with the identity provisioned by a directory service such as JumpCloud, the appropriate security policies applied, and the appropriate apps installed for the employee without any admin interaction. The recipient of the device uses their corporate credentials to log in and then has immediate access to the resources they need. On the other end, the IT admin manages the devices and ensures they stay secure via things like conditional access policies and rich insights to troubleshoot and remediate issues.
How Does MDM Increase Security?
Security perimeters have been redefined; they are no longer limited to an on-premises network. MDM software offers companies a way to enforce security in distributed and remote workplaces that may still have on-prem domains, operate entirely in the cloud, or are a hybrid of both.
MDMs are more critical to security practices with the rise of domainless enterprises, which consist of a decentralized IT infrastructure that enables users to securely access their IT resources wherever they may be from a trusted device. This type of organization relies on finding a way to leverage an MDM or other solution for remote device security and management. MDMs that are built into identity and access management platforms, or unified endpoint management platforms, are what IT teams at domainless enterprises prefer because they make it easier to govern user devices in a multitude of ways and can simplify daily workflows for admin and user.
But not every MDM offers security for heterogeneous OS environments that include macOS, Windows, and Linux. Not too long ago, to support both Windows and Macs, IT admins’ only choice was to pair a directory like Active Directory® (AD) with an additional MDM tool for macOS management, because AD only supported Windows devices. Today, admins can implement a cloud directory service that consolidates core functionality into one platform. This is what JumpCloud does: JumpCloud’s protocol-driven approach to delivering directory services is OS-agnostic, and from its cloud platform admins federate identities across Mac, Windows, and Linux in addition to every other IT resource via SAML, SCIM, RADIUS, LDAP, and other protocols.
JumpCloud’s Apple MDM feature equips IT admins with point-and-click remote security commands: restart, wipe, lock, and shut down. Once a JumpCloud-managed system is enrolled in Apple’s MDM, these commands equip JumpCloud admins with the ability to secure a user’s Mac in the event it’s lost or stolen, anywhere it may be.
How do I Enable JumpCloud MDM?
Get started with MDM in JumpCloud in a few steps, beginning by establishing a secure certificate-based authentication to connect Apple and JumpCloud; this lets your organization use JumpCloud as your MDM server for JumpCloud-managed Macs. Upload your JumpCloud certificate signing request to Apple followed by the resulting Apple MDM push certificate to JumpCloud. Then, you’re ready to enroll systems in JumpCloud MDM.
An optional but recommended step is to register JumpCloud as an MDM server with Apple Business Manager or Apple School Manager. This will allow you to establish a zero-touch enrollment workflow, which automatically enrolls new macOS devices in MDM and installs JumpCloud’s System Agent on the user’s device so you can immediately begin to manage it from your JumpCloud Admin Portal. Registering JumpCloud as your MDM server also prevents end users from removing their MDM enrollment profile for systems enrolled via automated device enrollment.
There are a few ways to enroll systems in JumpCloud’s Apple MDM.
The recommended enrollment method is using JumpCloud’s macOS MDM Enrollment Policy, which uses the JumpCloud System Agent to deploy your organization’s MDM enrollment profile. You can use this Policy to bulk migrate and enroll existing macOS devices to JumpCloud MDM.
Another JumpCloud Policy, the Custom Configuration Profile Policy, lets administrators upload and distribute MDM configuration profiles to JumpCloud MDM-enrolled macOS devices. Use this policy to deploy certificates, WiFi settings, kernel extensions, and much more to enrolled Macs.
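A custom configuration profile is just an Apple property list with a top-level `Configuration` payload wrapping one or more typed payloads. The following script is an added example (not JumpCloud’s code, and not the format of any policy JumpCloud ships) that builds a minimal Wi-Fi profile with Python’s standard `plistlib`, sets `PayloadRemovalDisallowed` so the user cannot strip it once an MDM has installed it, and runs a few sanity checks before the file is uploaded to a policy. The `com.example.mdm` identifier prefix, the organization name, the SSID and the passphrase are constructed placeholders.

```python
"""Build and validate a minimal macOS configuration profile (.mobileconfig).

Added example; uses only Apple's documented profile keys and the standard
library. Identifiers, SSID and passphrase below are constructed placeholders.
"""
import plistlib
import uuid
from typing import Any, Dict, Iterable, List

ORG_PREFIX = "com.example.mdm"      # hypothetical reverse-DNS prefix (constructed)
ORG_NAME = "Example Corp"           # constructed organization name

REQUIRED_KEYS = ("PayloadType", "PayloadVersion", "PayloadIdentifier", "PayloadUUID")


def wifi_payload(ssid: str, passphrase: str, hidden: bool = False) -> Dict[str, Any]:
    """Wi-Fi payload (PayloadType com.apple.wifi.managed) for a WPA2-PSK network."""
    return {
        "PayloadType": "com.apple.wifi.managed",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ORG_PREFIX}.wifi.{ssid.lower()}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": f"Wi-Fi: {ssid}",
        "SSID_STR": ssid,
        "HIDDEN_NETWORK": hidden,
        "AutoJoin": True,
        "EncryptionType": "WPA2",
        "Password": passphrase,     # stored in clear text inside the profile
    }


def build_profile(display_name: str, payloads: Iterable[Dict[str, Any]],
                  removal_disallowed: bool = True) -> bytes:
    """Wrap payloads in a top-level Configuration payload and serialize to XML plist."""
    slug = display_name.lower().replace(" ", "-")
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{ORG_PREFIX}.{slug}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": display_name,
        "PayloadOrganization": ORG_NAME,
        "PayloadScope": "System",                        # device-level, not per-user
        "PayloadRemovalDisallowed": removal_disallowed,  # MDM-installed profile can't be removed by the user
        "PayloadContent": list(payloads),
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def load_profile(data: bytes) -> Dict[str, Any]:
    """Parse a .mobileconfig back into a dict (convenience for checks and tests)."""
    return plistlib.loads(data)


def validate_profile(data: bytes) -> List[str]:
    """Return a list of problems found; an empty list means the profile passed."""
    problems: List[str] = []
    profile = load_profile(data)
    if profile.get("PayloadType") != "Configuration":
        problems.append("top-level PayloadType must be 'Configuration'")
    seen_uuids = set()
    for payload in [profile] + list(profile.get("PayloadContent", [])):
        name = payload.get("PayloadDisplayName", "?")
        for key in REQUIRED_KEYS:
            if key not in payload:
                problems.append(f"{name}: missing {key}")
        pid = payload.get("PayloadUUID")
        if pid in seen_uuids:
            problems.append(f"{name}: duplicate PayloadUUID {pid}")
        seen_uuids.add(pid)
    if not profile.get("PayloadRemovalDisallowed"):
        problems.append("profile is user-removable (PayloadRemovalDisallowed not set)")
    return problems


if __name__ == "__main__":
    # Constructed sample: one hidden WPA2 network with a placeholder passphrase.
    blob = build_profile("Corp Wi-Fi", [wifi_payload("CorpNet", "placeholder-passphrase", hidden=True)])
    issues = validate_profile(blob)
    print("OK" if not issues else "\n".join(issues))
    with open("corp-wifi.mobileconfig", "wb") as fh:
        fh.write(blob)
```

Two points worth keeping in mind when using something like this: the pre-shared key sits in clear text inside the plist, so the file should travel only through the MDM channel rather than by email or a shared drive, and `PayloadRemovalDisallowed` is honored only for profiles installed by an MDM, which is exactly why the enrollment method matters for everything layered on top of it.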
Automated Device Enrollment (DEP) can be used for devices purchased and registered via Apple Business Manager. This method silently enrolls macOS devices in MDM during activation. DEP does not allow end users to remove the MDM enrollment profile from their device.
Device Enrollment involves the IT admin downloading or distributing an enrollment profile. Admins should be aware that end users can remove the MDM with this method.
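Because a manually installed enrollment profile can be removed by the user while an Automated Device Enrollment profile cannot, a fleet audit should record not just whether each Mac is enrolled but how. macOS reports this through `profiles status -type enrollment`. The script below is an added example (not JumpCloud’s code) that parses that command’s output and flags enrollments a user could walk away from; the three sample outputs are constructed, and the `mdm.example.invalid` server URL is a placeholder.

```python
"""Classify a Mac's MDM enrollment from `profiles status -type enrollment` output.

Added example. Parses the three lines macOS prints for that command and
reports whether the enrollment could be removed by the end user.
"""
import subprocess
from dataclasses import dataclass
from typing import Dict, Optional

# Constructed sample outputs in the shape `profiles status -type enrollment` prints.
DEP_SAMPLE = """Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)
MDM server: https://mdm.example.invalid/mdm/enroll
"""
MANUAL_SAMPLE = """Enrolled via DEP: No
MDM enrollment: Yes (User Approved)
MDM server: https://mdm.example.invalid/mdm/enroll
"""
NONE_SAMPLE = """Enrolled via DEP: No
MDM enrollment: No
"""


@dataclass
class EnrollmentStatus:
    enrolled: bool
    user_approved: bool
    via_dep: bool
    server: Optional[str]

    @property
    def user_removable(self) -> bool:
        # Only automated (DEP) enrollment prevents the user from removing the profile.
        return self.enrolled and not self.via_dep


def _fields(text: str) -> Dict[str, str]:
    """Split 'Key: value' lines on the first colon only (URLs contain colons too)."""
    out: Dict[str, str] = {}
    for line in text.splitlines():
        if ":" in line:
            key, _, value = line.partition(":")
            out[key.strip()] = value.strip()
    return out


def parse_enrollment_status(text: str) -> EnrollmentStatus:
    f = _fields(text)
    mdm = f.get("MDM enrollment", "No")
    return EnrollmentStatus(
        enrolled=mdm.startswith("Yes"),
        user_approved="User Approved" in mdm,
        via_dep=f.get("Enrolled via DEP", "No").startswith("Yes"),
        server=f.get("MDM server") or None,
    )


def describe(status: EnrollmentStatus) -> str:
    """One-line finding suitable for an inventory or compliance report."""
    if not status.enrolled:
        return "NOT ENROLLED: device is unmanaged"
    how = "automated (DEP)" if status.via_dep else "manual profile"
    approval = "user approved" if status.user_approved else "not user approved"
    risk = "user can remove enrollment" if status.user_removable else "enrollment locked"
    return f"enrolled via {how}, {approval}, {risk}; server={status.server}"


def read_local_status() -> EnrollmentStatus:
    """Run the real command on a Mac (requires root on recent macOS versions)."""
    result = subprocess.run(
        ["profiles", "status", "-type", "enrollment"],
        capture_output=True, text=True, check=True,
    )
    return parse_enrollment_status(result.stdout)


if __name__ == "__main__":
    for label, sample in (("dep", DEP_SAMPLE), ("manual", MANUAL_SAMPLE), ("none", NONE_SAMPLE)):
        print(f"{label:7s} {describe(parse_enrollment_status(sample))}")
```

Run on an actual Mac, `read_local_status()` replaces the samples; the parsing is the same. A device that reports `Enrolled via DEP: No` with `MDM enrollment: Yes` is managed today but not guaranteed to stay that way, which is the case to surface in an inventory before relying on MDM for lock or wipe.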
Tell Me More About Apple and MDM
Mergers and acquisitions in the technology industry are common, especially for industry giants like Apple, which has acquired numerous companies over the past few decades. Apple’s 2020 acquisition of Fleetsmith, a startup that helps IT admins manage solely Apple devices, created several possible scenarios for MDM for macOS and iOS devices. This acquisition gives Apple the opportunity to extend its enterprise API base to support and expand Fleetsmith, which is good news for Fleetsmith customers (despite the not-so-good news that Apple’s acquisition of Fleetsmith disbanded Fleetsmith’s third party app catalog).
One announcement by Apple at its 2020 Worldwide Developers Conference (WWDC) defined the future of Apple MDM for all vendors that offer Mac management: the upcoming release of macOS Big Sur. With Big Sur, businesses will need an Apple MDM vendor to manage macOS devices via Apple’s official MDM protocols and APIs. For JumpCloud, this means migrating macOS policies to MDM and preparing customers to enroll their macOS systems in JumpCloud’s MDM.
What’s next for JumpCloud MDM?
JumpCloud is in lockstep with Apple and laser focused on outcomes from Apple WWDC 2020 to prepare to support Big Sur’s release. JumpCloud’s MDM for macOS management will become an even deeper offering in the platform when DEP comes out of beta. JumpCloud is also developing its Apple MDM feature to enable the industry’s most streamlined solution for zero-touch DEP enrollment, and to provide automated enrollment for employees on Macs so IT can automatically enroll devices in MDM and install the JumpCloud Agent during setup.
While JumpCloud actively develops its MDM feature — which is only one slice of the platform’s device management capabilities, and an even smaller slice of JumpCloud’s directory services — the platform also continually converges identity and access management solutions. These solutions have historically been developed and operated independently of one another; JumpCloud offers another way to work: IT admins in JumpCloud centralize control of their environments and manage users, devices, and access permissions from one console.
How Does JumpCloud MDM Compare to Other MDMs?
Apple MDM is one part of JumpCloud’s cloud directory service. Other vendors provide just Apple MDM, some provide Apple MDM plus a system agent, and others offer those as part of a more holistic IdP/IAM/UEM platform. More companies today seek consolidation when signing a contract to make solution integration as comprehensive and seamless as possible, and to keep their tech stack simpler. Why don’t all businesses choose to consolidate Apple MDM in a UEM? The answer is cost: these solutions are often price-prohibitive for small and medium enterprises.
While point solutions help address a specific need, like Mac security, a unified platform enables IT administrators to streamline operations in remote and on-site work environments. These platforms can provide management for more than just one OS. And, the spend on this type of platform doesn’t have to be exorbitant.
Apple MDM is a part of JumpCloud’s system management, which can be purchased for $5/user on annual licenses with JumpCloud’s Build Your Own Directory™ subscription. JumpCloud-managed users get up to four unique devices that IT can govern with MDM (JumpCloud MDM is not a per-device charge).
Try JumpCloud’s MDM for Free
JumpCloud’s directory service sits at the intersection of identity, device, and access to enable IT admins to securely manage and connect users to their systems, applications, files, and networks from a central console. The platform is vendor-agnostic so administrators can control resource access across macOS, Windows, and Linux.
As an Apple MDM server, JumpCloud’s macOS security is set up to be seamless and prepared for long-term Mac management. MDM is just one part of JumpCloud’s device management suite, which helps companies meet compliance requirements and provide the right user access, while ensuring admins and employees experience minimum friction in their workflows.
JumpCloud’s system management capabilities are offered at no extra charge for companies on JumpCloud’s Free and Pro plan options. If you’re not a JumpCloud customer yet but would like to try JumpCloud MDM for macOS, you can set up a JumpCloud Free account for up to 10 users and 10 systems, with in-app chat Premium Support for your first 10 days in action.