Most Apple Mac-based businesses I have seen tend not to centrally manage their Macs the way companies have long managed Microsoft Windows PCs with Active Directory, Group Policy and PowerShell. Today, when companies need to pass security audits, the lack of comprehensive Mac management can result in a significant amount of IT remediation effort.
This article will describe how to:
- Procure Apple products with the Apple eCommerce website.
- Deploy apps and configure the devices with Apple Business Manager (ABM).
- Use Jamf Now for mobile device management (MDM).
- Use JumpCloud Directory as a Service (DaaS) to handle the ongoing management, auditing and security of the devices.
Jamf Now is a cloud-based MDM tool from the people who also built Jamf Pro (formerly Casper Suite). Jamf Pro is an enterprise solution that is much more expensive and complicated to implement than Jamf Now.
The Apple eCommerce site is found at https://ecommerce.apple.com. This site is a private version of the Apple store. Templates for system configurations can be created to make reordering easier. The website provides features to compose orders as proposals, send the proposals to authorized purchasers and place the orders for delivery to the end user. The eCommerce website allows IT to configure and purchase new Macs online without phone calls or visits to the Apple store or the consumer Apple online store.
The eCommerce website is a little clunky, but it works well enough to order products. The session timeouts are aggressive, and logins require two-factor authentication. Another awkward UX quirk occurs when composing a proposal to be ordered: it is not possible to fill in the shipping address on the proposal so that purchasing only needs to approve it. On this site you will create Apple IDs for users who are authorized as either purchasers or composers.
In 2018, Apple merged the Device Enrollment Program (DEP) and Volume Purchase Program (VPP) into a new product called Apple Business Manager (ABM). Software licenses from the Apple App Store can be managed with the volume purchasing features of ABM. The benefit of the VPP system is that software licenses are managed centrally from the VPP portal, so licenses are not lost when equipment is lost, stolen or given away without reformatting.
Note: Many online tutorials still refer to the old DEP and VPP tools; do not confuse these with the newer ABM tool that replaces DEP and VPP.
After a new Mac is ordered, purchased and delivered using the eCommerce site, the Mac will automatically be part of the ABM system and will be managed by the ABM configuration tools. When a Mac is part of the ABM system it ‘belongs’ to the enterprise, and many more security management settings are available compared to a consumer Mac. Remote users can have their Mac drop-shipped directly to them, with no need to bring the Mac into the IT department to configure and re-ship. Shipping through IT can add an extra $100 to $150 to the order as well as delays.
Note: One shipping option is to let the user pick up the Mac at a nearby FedEx location instead of shipping to their home, where the delivery may be stolen if the user is not home.
To apply security controls we will use the Jamf Now tools and JumpCloud to deploy apps, manage security settings and manage users. We also like to use Sophos Endpoint Protection on all computers; this protects the Macs even when they are roaming on networks outside of the corporate firewall.
Getting Started – The first step is to enroll in the eCommerce and ABM systems. You will need your DUNS number from Dun & Bradstreet, and you should copy and paste the company information exactly as it appears on the D&B lookup website. Apple uses this information to verify the company; if any fields mismatch, the approval process takes longer. It is also helpful to work with a business sales rep from your local Apple store to get the approvals completed, as they can intervene on your behalf to clear up any verification issues.
Note: Each Apple store has a Business Department that can help your company get set up in the eCommerce and ABM tools.
When approved, Apple will send you an email with your Apple Customer Number that looks like the picture above.
The Apple Business Manager (ABM) is a completely different website from the eCommerce site with a separate login. The ABM website will allow you to push apps from the App Store to specific devices.
The ABM website also allows you to define “Managed Apple IDs” so that purchases are completed with a company-managed Apple ID and not a personal Apple ID. These managed Apple IDs have a format of firstname.lastname@example.org, so they will not conflict with actual email addresses.
After creating the ABM account, there are several steps to complete.
- Define business locations.
- Define accounts, users and roles.
- Add the Jamf Now MDM server to the account.
- Add software licenses to the account.
- Add devices to the account.
When you create users you will specify mobile phone numbers so they can use two-factor authentication. As you purchase Macs on the eCommerce site, the devices will appear in the list of devices, ready for you to assign to users.
The next step is to link the ABM site to the Jamf Now MDM servers. This is a process of generating keys on each site and uploading them to the other so that trust is established. Once the MDM link is set up, new devices will be automatically managed by the Jamf Now MDM servers. The MDM trust setup needs to be renewed annually. Devices managed by ABM have more controls than non-managed devices; security features like remote wiping and lost/stolen tracking are available through Jamf Now.
Sign up for Jamf Now – You can get started with a free Jamf Now account. It is free for up to three devices and $2/month per device beyond that. There is a new Plus version for $4/month that allows you to push repackaged apps that are not available on the Apple App Store. Here is the link to sign up for Jamf Now: https://signup.jamfcloud.com
Jamf Now manages security through an extensive list of options that are collected into groups called Blueprints. It will take careful planning to implement Blueprints so that people can still work despite the restrictions. If users have been local admins on their Macs it can be quite frustrating, as security restrictions can remove features that have been part of their daily work. There are also advanced features that allow users to act as local, non-enterprise users for some applications, with the data segregated.
Setup ABM Connection – After you sign up for Jamf Now the next step is to link your Jamf Now account with the ABM system. Click on Volume Purchase then follow the instructions that are quite clear. This process is exchanging keys between the Apple Business Manager and Jamf Now to establish trust.
Setup the Apple Push Notifications (APN) – The next step in the setup is enabling Apple to push notifications to Jamf Now. Again, this is a clearly documented step that establishes trust between Apple and Jamf Now.
Setup the Auto-Enrollment Connection – The next step is to establish the trust relationship between Apple ABM and Jamf Now with the Auto Enrollment configuration.
Create a Default Blueprint – The Blueprints section contains a lot of options for managing many settings and security features. If you have a corporate WiFi you can push the WiFi settings to each device automatically. You can enable FileVault 2 full disk encryption, and Jamf Now will store the recovery key for the full disk encryption. You can also do things like disable the ability to take screenshots for HIPAA compliance. A great deal of device control is possible here. After you get comfortable with the options you can create additional Blueprints to fine-tune security settings for different types of users. The Apps section of Blueprints allows you to specify which apps from the Apple App Store should be installed. Skitch and Amphetamine are shown here as apps to be automatically installed on every computer.
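As an added example (not code from the article, Jamf or JumpCloud), here is a small audit script that verifies on the Mac itself that the controls a Blueprint is expected to enforce actually landed: ABM/MDM enrollment, FileVault on, and the screenshot restriction. The parsers take command output as text so they can be exercised with the constructed samples on any platform; `audit_mac` runs the live macOS commands and is an assumed helper name.

```shell
#!/bin/sh
# Added example, not code from the article, Jamf or JumpCloud: a local audit
# of three controls a Jamf Now Blueprint is expected to enforce. Parsers take
# command output as text so they can be tested offline; audit_mac runs live.

# Returns 0 when `profiles status -type enrollment` shows the Mac was enrolled
# through ABM (reported as DEP) and is under MDM, i.e. it 'belongs' to the company.
mdm_enrolled() {
    printf '%s\n' "$1" | grep -q '^Enrolled via DEP: Yes' &&
    printf '%s\n' "$1" | grep -q '^MDM enrollment: Yes'
}

# Returns 0 when `fdesetup status` reports FileVault turned on.
filevault_on() {
    printf '%s\n' "$1" | grep -q '^FileVault is On'
}

# Returns 0 when the managed allowScreenShot value (read from the
# com.apple.applicationaccess domain under /Library/Managed Preferences) is 0.
screenshots_blocked() {
    [ "$(printf '%s' "$1" | tr -d '[:space:]')" = "0" ]
}

# Constructed sample outputs for offline testing (not captured from a real Mac).
SAMPLE_ENROLLED='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)'
SAMPLE_UNENROLLED='Enrolled via DEP: No
MDM enrollment: No'
SAMPLE_FV_ON='FileVault is On.'
SAMPLE_FV_OFF='FileVault is Off.'

# Prints PASS/FAIL per check and sets rc=1 on any failure.
report() { if "$1" "$2"; then echo "PASS $3"; else echo "FAIL $3"; rc=1; fi; }

# Live audit; run with sudo on macOS. Returns 1 if any control is missing.
audit_mac() {
    [ "$(uname)" = "Darwin" ] || { echo "SKIP: not macOS"; return 2; }
    rc=0
    report mdm_enrolled "$(profiles status -type enrollment 2>/dev/null)" "ABM/MDM enrollment"
    report filevault_on "$(fdesetup status 2>/dev/null)" "FileVault full disk encryption"
    report screenshots_blocked \
        "$(defaults read '/Library/Managed Preferences/com.apple.applicationaccess' allowScreenShot 2>/dev/null)" \
        "screenshots disabled by profile"
    return $rc
}

case "$1" in --run) audit_mac ;; esac
```

Invoke it as `sudo sh audit.sh --run` on an enrolled Mac; a FAIL line means the Blueprint has not been applied to that device and it should be treated as unmanaged.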
However, there is some feature overlap between Jamf Now and JumpCloud. JumpCloud also lets an admin manage WiFi SSIDs and passwords in a more elegant way by implementing RADIUS as a Service. If the WiFi access points support RADIUS servers, then JumpCloud’s RaaS is a more elegant solution than pushing SSIDs and passwords with Jamf Now. JumpCloud also supports managing FileVault 2 and stores the encryption keys.
Setting Up JumpCloud Directory as a Service
JumpCloud DaaS provides many features that support effective security policies without the complexity of an Active Directory server or other LDAP server. JumpCloud runs in the cloud and provides the ability to manage users in Google G Suite and Microsoft Office 365, as well as the ability to sync with Active Directory. Creating a user in JumpCloud will push that user into these other directory systems automatically. There is a convenient Mac utility that allows the user to change the password on the local Mac account and the JumpCloud account at the same time.
JumpCloud provides SAML SSO authentication to manage access to other SaaS systems. JumpCloud also provides management and policy capabilities for Windows, Mac and Linux systems. System management provides Group Policy-like abilities to remotely make changes to all three operating systems.
One of my favorite features is the SSH key management. Upload a user’s public SSH key to the JumpCloud user record and it will be automatically pushed to all systems that are assigned to the user. For managing SSH keys on AWS EC2 or other Linux server instances this feature is especially helpful.
JumpCloud is free for up to ten users. After that the Pro version is $12/user/month billed monthly or $9/user/month billed annually. Here is a link to the pricing page.
The JumpCloud DaaS works well with local SANs like QNAP and Synology for authentication. These low-cost SANs can be configured as local file servers and as Time Machine backups for mission-critical workstations and applications.
Configuring JumpCloud SAML/SSO to authenticate users on all your other SaaS applications simplifies application logins for users. Users have a simple application portal via JumpCloud, so logging into another SaaS application is a single click on the application icon. JumpCloud supports SAML/SSO for many SaaS apps; I have configured it for Atlassian, AWS, G Suite, InVision, Jamf Now, New Relic, Slack, SumoLogic and WordPress (miniOrange plugin). Managing users is greatly simplified: granting a user access to an app is just a click on a check box, adding multi-factor authentication is a single check box for all SAML/SSO logins, and removing access to an application is also a single check box. The only downside to SAML/SSO provisioning is that many SaaS vendors require the more expensive ‘enterprise’ version of their product. Hopefully, in light of security concerns, vendors will move away from this requirement.
There are three types of SAML/SSO user provisioning:
- Synced Users – e.g. G Suite: users managed in JumpCloud sync to G Suite automatically via the G Suite API.
- Manual Provisioning – e.g. Atlassian: the admin needs to log in to Atlassian to create the user and assign roles initially; ongoing authentication is handled by SAML/SSO.
- Just-In-Time Provisioning – e.g. AWS: no need to manually provision users in AWS; they are provisioned as needed with their own named user and roles.
With these four tools, a small to midsize business can implement an elegant system to procure, deploy, manage and patch Apple devices; manage users and groups; sync with Office 365 and G Suite; manage SSH keys; and manage WiFi access. The cost is minimal, and many hours of IT support are eliminated by putting standardized, managed equipment in the hands of your users to maximize their productivity.
- Getting Started with Jamf Now (37 minutes) – https://www.youtube.com/watch?v=wL3kxFq7ItE
- Jamf Now: Setting Up Automated MDM Enrollment via Apple Business Manager – https://www.youtube.com/watch?v=5p68y9n5ES4
- Jamf Now: Setting Up Volume Purchasing via Apple Business Manager – https://www.youtube.com/watch?v=US2b30ZrNCI
- Getting Started with JumpCloud – https://www.youtube.com/watch?v=2JKKaa8NXG0
- JumpCloud SSH Key Manager – https://www.youtube.com/watch?v=kvxaYUTQsms