On April 21, 2022, Apple made an announcement that screwed many of its business customers:
The company was shutting down Fleetsmith, its in-house Mobile Device Management (MDM) solution for Macs.
MDMs are essential IT tools for businesses. They help admins automate device setup, updates, patching, security, and other management tasks for company-owned devices.
With Fleetsmith shutting down, I have been on a hunt. A hunt for the perfect Mobile Device Management (MDM) solution for Macs.
Spoiler alert: there isn’t one. There aren’t even any good ones.
Let me warn you: a few paragraphs may read as a rant about Apple and MDMs. Bear with me; this is an intricate problem with no good solution, and I have been at it for months now.
Why is an Apple MDM important for cybersecurity?
MDM solutions help IT admins automate device setup, updates, patching, security, and other management tasks for company-owned devices. Even small businesses can have dozens or hundreds of devices to keep track of.
With an MDM you can:
- Simplify bulk enrollment out of the box
- Apply policies
- Publish content and presentations on devices
- Allowlist and blocklist applications
- Publish enterprise applications
- Push network configurations and security settings
- Schedule recurring tasks such as reboot, lock/unlock and dynamic policy application
- Schedule alerts for battery compliance and data usage compliance
- Manage BYO devices without compromising on user privacy
- Gain intelligent and full fleet visibility across your environment
In short, the 3 main reasons you need an MDM are:
- Enhanced security
- Reduced costs
- Gained efficiency
The benefits of a solid MDM go beyond staying compliant with frameworks and regulations.
MDMs will keep your business data protected and ensure that your company retains control over its confidential information. You can remotely lock and wipe all data in case the mobile device is stolen or lost.
It helps you automate security measures and reduce reliance on your employees. You can push updates and settings automatically and uniformly. By automating these tasks, it eradicates the risk of human error in manual tasks.
Automated inventory management: an MDM will ensure that all devices follow a baseline standard.
You can have centralized control over policies, applications and additional functions. You can ensure disk encryption is on, AV is on, capacity of the devices is being monitored and most importantly, the end user cannot turn these things off.
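The baseline controls just listed (disk encryption on, a protection agent running, disk capacity monitored) are the kind of thing an MDM enforces by pushing a script to every Mac and reporting the result centrally. As an added example, not code from the original post or from any MDM vendor, here is a bash compliance check that parses the text output of the standard macOS tools `fdesetup`, `socketfilterfw`, `launchctl` and `df`. The sample outputs embedded in it are constructed, and the launchd label `com.example.av-agent` is a hypothetical placeholder for whatever endpoint-protection agent you deploy.

```shell
#!/bin/bash
# Added example, not code from the original post or from any MDM vendor: a baseline
# compliance check of the kind an MDM pushes to every Mac. Each check parses the text
# output of a standard macOS tool, so the functions can be exercised off-box with the
# constructed sample output below and run against the live tools on a Mac.

# FileVault: input is the output of `fdesetup status` ("FileVault is On." / "FileVault is Off.").
filevault_on() {
    printf '%s\n' "$1" | grep -q '^FileVault is On\.'
}

# Application firewall: input is the output of
# `/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate`.
firewall_on() {
    printf '%s\n' "$1" | grep -q '^Firewall is enabled'
}

# Endpoint-protection agent: input is the output of `launchctl list` (PID, Status, Label)
# and the launchd label to look for. Exit 0 if a row carries that label.
agent_loaded() {
    printf '%s\n' "$1" | awk -v label="$2" '$3 == label { found = 1 } END { exit !found }'
}

# Disk capacity: input is the output of `df -P /`; prints the used percentage without the %.
disk_used_percent() {
    printf '%s\n' "$1" | awk 'NR == 2 { sub("%", "", $5); print $5 }'
}

# Runs every check, prints one PASS/FAIL line per control and returns the number of
# failed controls (0 means the device meets the baseline).
evaluate_baseline() {
    fv_out=$1; fw_out=$2; lc_out=$3; av_label=$4; df_out=$5; max_pct=$6
    failures=0

    if filevault_on "$fv_out"; then echo "PASS FileVault enabled"
    else echo "FAIL FileVault disabled"; failures=$((failures + 1)); fi

    if firewall_on "$fw_out"; then echo "PASS application firewall enabled"
    else echo "FAIL application firewall disabled"; failures=$((failures + 1)); fi

    if agent_loaded "$lc_out" "$av_label"; then echo "PASS $av_label loaded"
    else echo "FAIL $av_label not loaded"; failures=$((failures + 1)); fi

    used=$(disk_used_percent "$df_out")
    if [ -n "$used" ] && [ "$used" -le "$max_pct" ]; then echo "PASS disk ${used}% used"
    else echo "FAIL disk ${used:-?}% used (limit ${max_pct}%)"; failures=$((failures + 1)); fi

    return "$failures"
}

# Constructed sample outputs, in the formats the macOS tools produce.
SAMPLE_FDESETUP_ON='FileVault is On.'
SAMPLE_FDESETUP_OFF='FileVault is Off.'
SAMPLE_FIREWALL_ON='Firewall is enabled. (State = 1)'
SAMPLE_LAUNCHCTL=$(printf 'PID\tStatus\tLabel\n412\t0\tcom.apple.Finder\n517\t0\tcom.example.av-agent\n')
SAMPLE_DF=$(printf 'Filesystem 512-blocks Used Available Capacity Mounted on\n/dev/disk3s1s1 971350180 806220649 165129531 83%% /\n')
AV_LABEL='com.example.av-agent'   # hypothetical placeholder; use your AV product's launchd label

# Stand-alone run: live tool output on a Mac, otherwise the constructed samples.
if command -v fdesetup >/dev/null 2>&1; then
    fv=$(fdesetup status)
    fw=$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate)
    lc=$(launchctl list)
    df_out=$(df -P /)
else
    fv=$SAMPLE_FDESETUP_ON; fw=$SAMPLE_FIREWALL_ON; lc=$SAMPLE_LAUNCHCTL; df_out=$SAMPLE_DF
fi
evaluate_baseline "$fv" "$fw" "$lc" "$AV_LABEL" "$df_out" 90
rc=$?
if [ "$rc" -eq 0 ]; then echo "device meets the baseline"
else echo "device is out of baseline ($rc control(s) failed)"; fi
```

The failure count is what an MDM's reporting would surface for each device; enforcement, meaning the configuration profile that stops the user from flipping FileVault or the firewall back off, is a separate payload the MDM pushes alongside a check like this.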
Apple MDM: Why so difficult?
Let’s be honest, Apple’s conspicuous lack of attention to MDM capabilities on their devices is appalling. Does Apple not understand the business use of their products? Or do they not care about their business customers? They seem to have made it as difficult as possible to achieve good security and efficient management.
The techie-security person in me appreciates how tightly Apple locks things down but as the IT manager of such devices, it makes me want to pull my hair out in frustration.
Comparing the configurable options between Windows (Intune or Group Policy) and Macs (any MDM) is just sad. Mac businesses have so much less control over the devices that they own.
It’s not the MDM companies’ fault. They can only turn on and off the API switches that Apple graciously decides to make available. Apple is the one limiting their capabilities.
I have some specific bones to pick:
Find My Mac
Apple doesn’t give users/admins the power to turn “Find My Mac” on through an MDM. So there is no way for an IT team to track the laptop if it is lost.
IT Apple ID
Creating an Apple ID for IT use has been an issue.
When you create an Apple ID, Apple requires your date-of-birth and a phone number.
The DOB could be the founding date for your company, so it’s not a big deal. (Though it begs the question, will they give out an Apple ID to a human 2 or 5 year old too?)
The phone number is the real issue. You don’t want your company’s Apple ID – the primary ID used on each laptop to centralize management – to be associated with one (1) employee’s phone number. This creates a single point of failure.
Managed Apple IDs
Managed Apple IDs could help solve many problems, but they are very limited in their functionality. Many features such as App Store, Find My Mac, iCloud Mail, Keychain, iMessage, and FaceTime are disabled for managed accounts.
While most of these features are less important for business purposes, the disabling of the App Store and Find My Mac is not ideal. The end user cannot download anything from the App Store, forcing them to download software from elsewhere on the Internet. And nobody can figure out where the device is, in case it is lost.
Permitting end users to set up and use their own Apple IDs is not ideal either. It makes it much more difficult to wipe and redeploy the Macs used by former employees. This specific issue caused me personally a big headache. Setting up the App Store and Find My Mac using the employee’s corporate email basically locked the device to that Apple ID and their phone number.
A proper MDM with good business device management capabilities would solve a lot of these issues. Microsoft/Windows shops don’t have this problem; they can close their eyes and pick Intune. Mac businesses, however, don’t have that good fortune.
Fleetsmith: the sad Apple MDM story
Fleetsmith was Apple’s solution to my rant above – or at least it tried to be.
Fleetsmith started as an independent Mac MDM and was relatively well-liked by its users. Apple acquired the company in June 2020. It was a piece of the jigsaw that fit and made us think it was part of Apple’s continued expansion in the enterprise space. It made us dream that the situation was only going to get better.
Then, less than two years later, they abandoned it and announced that Fleetsmith was closing shop.
It left a lot of organizations scrambling for a replacement, Fractional CISO included.
Even if you are not looking for a replacement, the best time to look for an MDM solution is now.
There are plenty of Mac-compatible MDM solutions out there. Sadly, the choice isn’t “which is the best Mac MDM” – it’s “which is the least bad Mac MDM?”
Apple MDM Security
MDMs are installed on every user endpoint in an organization, potentially giving them access to tons of sensitive data. Their security is critically important to consider.
The level of access MDM solutions have to your devices and data is very high:
- Wiping lost or stolen mobile devices
- Detecting unusual data usage patterns
- Installing and uninstalling apps
- Managing app versions
- Updating apps
- Monitoring app behavior
- Limiting users to downloading authorized apps only
- Locking down devices
- Remotely debugging and wiping devices
You need to be able to trust that your MDM will deliver secure updates and timely alerts, and it is of utmost importance that the solution you pick meets your security needs and standards.
Apple MDM Solutions Evaluated
For months now I have been testing and evaluating solutions in the Apple MDM market. There were five MDM solutions that I gave in-depth evaluations to: Addigy, Kandji, Mosyle, Jamf (JamfPro and JamfConnect), and Apple Business Essentials.
Most of these solutions offer similar features. The key differences are in their management dashboards, the catalogs of applications they offer for easy deployment on devices, and their cybersecurity posture.
Common Apple MDM Features:
- They link with Apple Business Manager and Apple Store (ecommerce.apple.com)
- They provide Zero touch deployment
- They provide the ability to remotely lock and wipe devices
- They let IT teams grant access permissions to specific users and receive automated alerts.
- They allow organizations to enroll new devices on the platform and configure policies in compliance with industry regulations.
- They let IT Admins filter devices by policies or asset information, export data and view installed applications on a centralized platform.
Addigy
Addigy is an MDM designed to help organizations manage the deployment, configuration and performance of all Apple devices across the organization. Their off-the-shelf options are good for basic setups.
When it comes to their own security, Addigy’s Internet-facing infrastructure did not look as tightly-managed as we would like.
Additionally, when we were evaluating them, they did not support MFA. As MFA was one of our requirements, we decided against using them. We would have given them further evaluation if they had MFA at the time.
In my limited experience, customer support seemed good enough.
They are scalable: Addigy is a multi-tenant Apple device management solution, so if you need multi-tenant functions, go for this one.
“No more than $6 per month per device,” as advertised by Addigy. The fine print, however, says “(Minimums apply),” which would indicate that it could be MORE than $6 per month per device if you don’t have the minimum number of devices.
Kandji
Kandji is a well-designed Apple device management platform that can efficiently manage your devices’ lifecycle. It seems easy to set up, they have a responsive support team and good documentation. They have sensible features (I really like the FileVault key rotation) and a custom migration agent for your environment.
My final thoughts are: I’m not entirely convinced with their cybersecurity program, but they are a relatively young company and may seek to improve it further. Hopefully they will.
$399 a month is the minimum spend.
Up to 100 devices – $399/mo, up to 200 devices – $799/mo.
Mosyle
Mosyle calls itself an “Apple Unified Platform for Business and Education.” (It’s another way of saying MDM.) They do appear to be more focused on the education market.
It brings together Internet Privacy & Security, Identity Management, Application Management and Endpoint Security.
Mosyle’s biggest appeal is their pricing. At $0 for the basic plan and $5.50/device/year with no monthly minimum, they are the most budget friendly option. However, they lack good documentation and customer support.
Their Basic Plan is free
JamfPro and JamfConnect
Jamf is a comprehensive solution and could be a great enterprise product. Apple itself uses JamfPro to manage its employees’ devices.
They have another product called JamfConnect that attempts to simplify the process of account creation and streamline authentication and identity management. While Connect would make enrollment easy, in its attempt to go passwordless it forces a slightly controversial password practice: syncing your laptop password with your Google Workspace/Microsoft password.
Password reuse is a practice best left avoided. We were not impressed with this connection.
If you have a small fleet, Jamf’s pricing model is likely overkill.
JamfPro: $86/yr for Mac and $40/yr for iOS devices for a minimum number of users. JamfConnect: $24/yr for a minimum number of users.
Apple Business Essentials
Apple Business Essentials is a new solution that Apple has made available to small businesses (only in the US for now) to help them manage their Apple devices.
Sadly, it is a newer and more naive solution compared to others and doesn’t support a lot of features that others do. It will give you basic MDM functionality and makes it easy to deploy App Store apps, but it cannot deploy scripts. Custom apps – those not found in the App Store – have extra hoops to jump through for deployment, including an app review by Apple.
Apple Business Essentials Pricing:
$2.99/user/mo for one device per user.
$6.99/user/mo for up to three devices per user.
Other Apple MDMs of Note
There are many other MDM solutions for Mac businesses out there. The five listed above are the ones I explored in-depth. The following three are ones that I looked at but did not evaluate in-depth:
Hexnode is a hybrid MDM solution with multi-OS support. If you have a mixed fleet, this may be a good solution for you.
JumpCloud was originally an Open Directory Platform. They have since ventured into the MDM space. If you are already using JumpCloud in some capacity, this platform may be a sensible choice for you.
Meraki Systems Manager is Cisco’s MDM solution. I would have liked to evaluate them further but frankly, I had trouble getting in touch with them to demo their product.
There is no Good Apple MDM Choice
A common refrain of our internal MDM discussion has been this: Most industries have one or two reliable leading products, like Coke or Pepsi. Then, there are many more niche products like Dr. Pepper, Shasta, or RC Cola.
Take the e-commerce market. Amazon is the obvious “Coke.” EBay and Walmart could make competing claims for “Pepsi,” while Wayfair, Overstock, and Etsy round out the market with their unique flavors.
Meanwhile, the Apple MDM market is so underdeveloped that it doesn’t even have a product that we consider to be its RC Cola.
Apple’s business customers are dramatically underserved in this area, and IT managers for Mac businesses will have a lot of work on their hands until it gets better.