Apple macOS High Sierra (10.13) is coming in just a few weeks, and there has been a flurry of activity on the vendor side. With all the EUC advancements of the last few years, it’s a good time to consider the current state of Mac management in the enterprise.
The current landscape
There are plenty of organizations in Mac-heavy fields that have been doing full macOS management for years, and in the San Francisco Bay area, where I live, there are plenty of born-in-the-cloud companies that have been Mac-centric from the beginning. But what’s perhaps most challenging is the broad swath of typical Windows-centric businesses where Macs represent maybe 5 or 10 percent of desktops, but continue to spread.
When the consumerization of IT hit, we lumped Macs in with smartphones and tablets. Large numbers of mobile devices warranted a quick response with EMM, but Mac growth has been slower. In many companies today Macs are still either a pain or just ignored. (Or we assume that Mac users can take care of their devices on their own, which I’ve seen to not be true for about half of the typical users out there.)
We’ve lived with this state for a while, so what’s changing now? EMM is mature, conditional access concepts are spreading, and Windows 10 is making us rethink desktop management. All of these concepts can help with Macs, so now is a good time to bring them into the fold, too.
macOS management changes
Some of the changes in macOS resemble what we’re seeing in Windows. Traditional management (including imaging) has been the standard approach for a long time; then the Apple App Store came to Macs in 2010, followed by mobile device management in 2012. Now Apple’s Device Enrollment Program can take care of many Mac lifecycle tasks, too.
But again, like with Windows, there’s a divide between old and new. MDM is good for device compliance, baseline security and configuration, and managing App Store apps and their in-house equivalent. However, important desktop apps like Office and Adobe aren’t in the App Store, so many companies still need a more conventional agent-based approach to fully manage their Macs.
High Sierra is adding pressure to change, too. The 19-year-old HFS+ is being superseded by Apple File System, which has many modern features, including built-in snapshots. It will be the default on Macs with SSDs. However, it effectively cuts off traditional monolithic system imaging, as Apple doesn’t recommend or support it. (High Sierra also has the usual range of macOS MDM updates.)
We’re now at a point where companies will want to—or have to—use MDM and Device Enrollment Program-based Mac provisioning, in addition to other modern EUC techniques like conditional access. For folks who have managed Macs the traditional way, this certainly represents a big change. For folks that have never managed Macs before, this is a good time to get started, and they can approach them much like iOS and Android.
New Mac management support announcements
Jamf, representing a large body of long-time Mac management shops, will have a certain population of customers affected by the APFS imaging changes. (Update, September 7: Here's their white paper on APFS.) Last year at their user conference, they announced huge growth and shared a very interesting case study about how IBM deployed 90,000 Macs. I’ll be interested to see how things have followed up this year—Jamf’s next user conference is in late October.
MobileIron has supported MDM for macOS for a while, but today they’re augmenting it by announcing several new features. MobileIron Access now supports macOS, to prevent unauthorized devices from accessing cloud resources; they’re supporting the Apple Device Enrollment Program for macOS; and MobileIron Tunnel will support per-app VPNs on macOS. In an upcoming release, they’ll also support traditional software distribution on macOS. I think the Tunnel support is interesting, because it addresses work and personal separation; it will work with App Store apps, traditional apps, and can be configured on a per-domain basis in Safari.
Last week at VMworld, VMware announced a new native Workspace One client for macOS, and Mac management was featured prominently as part of their unified endpoint management messaging in their EUC super session. AirWatch has supported macOS management for a while, but I learned at the show that they also bundle Munki (open source software distribution tools) into their macOS agent.
A few weeks ago, Microsoft announced that Azure AD will now support Conditional Access for macOS devices, so that only compliant, Intune-enrolled Macs can access Azure AD-protected resources.
Just a few more notes on vendor activity: Macs have always gone hand in hand with all types of desktop virtualization, and Gabe just covered the latest in client hypervisors for Macs from VMware and Parallels. (I like the sound of Parallels Single App Mode.) Another newer Mac management player is Fleetsmith—for now, they focus on companies that use G Suite, but I’ll be watching to see where else they go.
In a few months, I suspect we’ll be hearing case studies about long-term Mac organizations that moved off of monolithic imaging.
But for the rest of us, all signs are pointing to this being a good time to get started with Mac management. (Plus, there are multiple case studies that argue that even though Macs are more expensive, the TCO can be lower, since they’re more reliable and the management stack can be less expensive than what you need for traditional Windows management.)
So, do you have any plans to get started?