In many industries, Mac and Windows computers are your team's primary business tools. Over the years, however, the portability and flexibility of mobile devices like iPads and iPhones have become more and more integral to our daily work. Your team must carefully consider how to manage these devices that keep your business running and the potentially sensitive business and client information they access. It all begins with getting your devices enrolled in our Mobile Device Management (MDM) solution, Addigy.
Here are some common questions we encounter while helping organizations make decisions about supporting their Apple mobile devices.
What are the prerequisites for managing my iPhones and iPads?
Any level of Apple device management (including Macs) begins by creating a chain of trust between your organization and Apple. You'll work with our team to ensure you have the following in place:
- A verified Apple Business Manager or Apple School Manager account
- A custom Apple eCommerce storefront where you can purchase new devices
These two free accounts let Apple know that your organization exists as a purchasing/owning entity and allow devices to be purchased and treated as institutionally owned. By trusting these devices as truly belonging to your organization, Apple allows the devices to be supervised, enabling the most robust device management tools available. Reach out to your Account Manager if you'd like to set up these accounts.
What can I do with my managed iPhones and iPads?
Broadly speaking, iOS management provides a few services:
- INVENTORY TRACKING
When your devices are managed, you'll be able to keep track of them using Vision-Bot, our powerful device dashboard. You can review your managed iOS devices, take notes, and generate device reports as needed.
- MDM COMMANDS
Depending on how your mobile devices are enrolled, different commands can be pushed to them. Commands range from helping users clear a passcode they've forgotten to remote locks and wipes.
- APP DEPLOYMENT
Once your devices are enrolled, applications from the App Store can be deployed to them. One important benefit of app deployment is that the applications will be assigned to your device rather than to an Apple ID. This means that your users won't need to create a personal Apple ID and license applications themselves to use them - you can decide what applications should be present on your managed devices and we can ensure they get delivered.
- MANAGED SETTINGS
One of the most valuable things MDM platforms provide is the ability to deploy managed settings to your devices. These settings can include WiFi and VPN settings, passcode policies, auto-lock settings and more. Apple also allows supervised devices to utilize powerful Restrictions payloads that can help keep your devices secure.
There are three different levels of device management available for Apple mobile devices:
- Supervised (most powerful)
- Unsupervised
- BYOD (least powerful)
To learn about the functional differences between these three enrollment types, click here.
How do I go about enrolling my devices?
The preferred way to enroll your devices is through Apple's Automated Device Enrollment process. In this workflow, you purchase new devices through your custom eCommerce storefront, the devices automatically register with your Apple Business Manager account, and your iPhones and iPads automatically enroll in management when they're set up for the first time. This seamless workflow makes the enrollment process effortless and secure.
If you have mobile devices already in use and already registered with your Apple Business Manager, we can collaborate with you to ensure those devices are assigned to the correct MDM (Mobile Device Management) server in Apple Business Manager. Once assigned correctly, the mobile devices must be erased - during setup, they'll then go through the same Automated Device Enrollment workflow outlined above. If the devices are not in Apple Business Manager yet, we can help you use Apple's Configurator app to erase and add them.
If you're unable to erase your mobile devices during the enrollment project, it's possible to temporarily enroll your devices as "unsupervised" - this means the devices will not be subject to all the same powerful management capabilities as supervised devices but can serve as a temporary step until the device can be properly supervised. A guide on enrolling devices as unsupervised can be found here.
What about employee-owned (BYOD) devices?
Many organizations opt to enroll BYOD devices as unsupervised - it affords a good deal of management capabilities on the devices while not stepping over that line of marking them as "organizationally owned". That said, for an even lighter touch, Apple offers an enrollment type called "User Enrollment", colloquially called "BYOD Enrollment". This enrollment type was designed to preserve user agency and privacy as much as possible - it severely restricts the actions that can be taken on a device and the amount of information that can be requested about that device. It also requires each device to be registered with your Apple Business Manager via a Managed Apple ID.
This enrollment type is not seen very often due to the significantly truncated management capabilities it offers. If you have questions about exploring this option, please reach out to your Account Manager.
We have an existing MDM for our mobile devices, like Mosyle or Intune. What should we do?
Our team can help you migrate your devices from an existing MDM to Addigy. Migrations can take many forms, depending on whether your devices are currently supervised or not. To add your devices to Addigy in a supervised state, it will be necessary to erase them. Different organizations navigate this in different ways. Sometimes, having the organization replace existing devices with new, supervised ones can present a low-friction migration pathway. Other organizations will erase and supervise devices as they change hands between employees. Or it could make sense to configure Automated Device Enrollment so that new devices are supervised, but enroll your existing devices in production as unsupervised for limited management capabilities until devices can be conveniently erased. We can collaborate to find a migration path that will work for you.
When should we hold off on managing our devices?
At present, there are a few instances in which we may recommend holding off on enrolling and managing your devices:
- INTUNE CONDITIONAL ACCESS
At present, Addigy (Ntiva's Apple MDM) does not have a way to integrate with Microsoft regarding compliance-based conditional access controls. If your organization has complex Conditional Access requirements regarding device compliance states controlling access to your organization's Microsoft/Azure resources, we may recommend keeping those devices enrolled with Intune. Addigy's development team has indicated that support for this is coming soon, but we don't have a set date for when it will be available.
- CO-MANAGED IT
Ntiva is unable to grant you or your users access to Addigy itself. While your iPhones and iPads are managed by Ntiva, you'll reach out to our support desk when management changes need to occur, like deploying new applications or configuring managed settings. If your workflow absolutely requires a member of your team to sign into Addigy and make the change themselves, you may benefit from managing your devices in-house.