Autumn means Apple releases, and we looked at iOS 13 and User Enrollment back in September. macOS Catalina came out in early October, so now it’s time to focus on the state of Macs and Mac management in the enterprise.
If you’re already managing Macs, you’re probably up to speed on everything I’m going to write about. But if you’re not—and that’s probably most of us—well, there’s a lot going on. There’s been steady growth in all aspects of Mac management over the last few years, and now some newer trends are going to push things even further.
macOS Catalina management updates
The first trend to look at is the transformation of macOS itself.
The operating system is in the midst of going from an older style where everything was open and a management agent could just get in there and do anything it wanted, to a much more locked-down and secured-by-default style, similar to a mobile OS, using MDM for management.
Some of the changes that come with this can indeed be painful. When Apple closes the door on a management technique, it doesn’t get opened back up. And Apple is good at making people keep macOS up to date.
On the other hand, Apple’s pace and strategy are quite predictable. The big updates have been coming exactly once a year for as long as I can remember, and Apple telegraphs their intentions at least a year or two in advance, both directly and indirectly. The changes usually come in chunks that can be dealt with in a year, but every now and then, they’ll push a deadline back.
The effects of this old-to-modern management shift are too numerous to count; suffice it to say that arguments about them come up quite a bit. The Mac Admins Podcast is one place that does a really good job of having these conversations in a nuanced way.
This year, some of the highlights for macOS 10.15 Catalina include:
Gatekeeper now scans the contents of all apps to check for malware; all apps must be notarized; more OS resources are protected by permission controls; Activation Lock is coming to Macs with the T2 security chip; the OS is being moved to a read-only volume; and kernel extensions are being deprecated, replaced by user space alternatives like the Endpoint Security framework.
macOS now also includes new single sign-on and Kerberos integration features, and during the Automated Device Enrollment (i.e., DEP) process, the Setup Assistant can be customized, with support for modern web-based authentication.
Customers that are part of Apple’s deployment programs can see a lot more of the details in the AppleSeed for IT bulletins; Apple also publishes deployment guides, which we have linked on our EMM resources page.
Mac management vendor activity
Aside from the OS, there has been plenty of vendor activity.
First there’s Jamf, the name that’s synonymous with Mac management. In their last press release, they said that they were at 35,000 customers, with 15 million Apple devices under management. They were at 18,000 customers last year, and just under 6,000 in 2015. Impressive. I’m looking forward to returning to the Jamf Nation User Conference after attending for the first time last year, so watch out for coverage during the week of November 11.
Besides Jamf, we’ve been covering several other dedicated Mac management vendors for the last few years, and all seem to be progressing quite well. Check out our coverage of Fleetsmith, Addigy, SimpleMDM, and Mosyle.
Mac management is also a big focus for UEM players like VMware Workspace ONE and MobileIron. Microsoft is going the partner route, joining with Jamf; Citrix offers MDM for macOS, but partners with Addigy for deeper agent-based management.
Speaking of Microsoft, the Office suite apps can now be deployed from the Mac App Store, another step towards making Mac management more accessible.
What is the enterprise doing?
All the Apple and vendor updates are great, but what are the customers up to?
Back in the early days of BYOD mania, Macs were part of the conversation when iPhones, Android, and iPads came up. Enterprises had to deal with modern smartphones because the change was so rapid and everybody was transitioning. However, dealing with Macs was often a lower priority for the first half of this decade.
Plenty of shops are still ignoring Macs, but looking at Jamf’s numbers, as well as the progress of all the other vendors, it’s clear that the adoption curve is steeper now.
What’s different today? It seems that the push towards providing a better employee experience is a real effect, and providing macOS devices as an alternative to Windows is one of the ways that this has manifested.
Usually this is in the form of “choose your own device” programs, where the company decides to officially support several models of PCs and Macs, and employees can just choose to be issued a Mac. (As I noted a few weeks ago, folks bringing their own laptop into the office just never really became a thing.)
For companies that have always had a handful of unmanaged Macs around (and I think that’s most organizations), there’s something to be said for just having the mobile device administrator enroll those Macs in MDM and enforce a few basic policies.
However, full Mac management still requires an agent, knowledge of packaging apps, a strategy for security, and so on, so there’s still a decent amount of work to do to get to this level. Mac management, like desktop virtualization, is still one of those things that’s a bit niche. Just think about it—if you’re doing this, you’re the one in your IT department that’s going off to do something completely different from everybody else. As a result, the Mac admin community is really strong, and there are a lot of grassroots conferences out there. A lot of the vendors (especially the smaller ones) have really good blogs, too, because again, there’s a lot of education to do.
Finally, there are a few more effects I’ll note. While the pure-play Mac platforms are very popular, the UEM platforms have the advantage of being more integrated. You can apply policies and get the same visibility with your Mac population, and someone choosing a Mac doesn’t mean you have to go get another user license. I’ll also mention that cheaper and easier remote Windows apps could help more organizations finally officially support Macs. We’ve been talking about both of these concepts for years, but it’s worth the reminder here.
At the beginning of the year, I wrote in my 2019 predictions that device choice, including Macs, is completely possible in 2019. I think we’re going to continue covering Mac management as a major topic—it’s still transforming, and there’s still a huge addressable market.