Listen to PodcastPt 1 Pt 2
Like podcasts? Find our full archive here or anywhere you listen to podcasts: search Community IT Innovators Nonprofit Technology Topics on Apple, Spotify, Google, Stitcher, Pandora, and more. Or ask your smart speaker.
Need enterprise-level support for an Apple environment?
Need to support some Apple devices in a Windows environment?
Learn answers to your questions on Mac support for nonprofits!
Community IT CTO Matt Eshleman and Galen Wenger, Director of Technology Solutions, address your options when supporting Apple products at your nonprofit. Community IT has a lot of experience supporting Macs, both all-Mac managed support and supporting those staff members who can’t do without their Mac for work, even in an office full of Windows users.
But supporting these scenarios can be complicated! And it can be hard to find an MSP who can manage your Macs. Learn from your peers as this recorded webinar takes a trip out of Microsoft and Windows and into the world of Apples.
Community IT supports over 600 Macs among our clients; about 10% of our clients have some Mac support or all-Mac support. We’ve gained a lot of experience over the years in the slightly different approach necessary with Mac environments at the enterprise or individual level.
As with all our presentations, this webinar on Mac support for nonprofits is appropriate for an audience of varied IT experience.
Community IT is proudly vendor-agnostic and our webinars cover a range of topics and discussions. Webinars are never a sales pitch, always a way to share our knowledge with our community.
As the Chief Technology Officer at Community IT and our resident cybersecurity expert, Matthew Eshleman is responsible for shaping Community IT’s strategy around the technology platforms used by organizations to be secure and productive. With a deep background in network infrastructure, he fundamentally understands how technology works and interoperates both in the office and in the cloud.
Matt holds dual degrees in Computer Science and Computer Information Systems at Eastern Mennonite University, and an MBA from the Carey School of Business at Johns Hopkins University.
Matt is a frequent speaker at NTEN events and has presented at the Inside NGO conference, Non-Profit Risk Management Summit and Credit Builders Alliance Symposium. He is also the session designer and trainer for TechSoup’s Digital Security course. He had fun interviewing Galen in this webinar about Mac support for nonprofits and discussing the many options and scenarios with you.
Galen Wenger is the Director of Technology Solutions at Community IT specializing in Windows Server administration, workstation lifecycle management, and Google Apps. He joined Community IT in April 2009 after two years of providing technical support in a university setting. Galen has a B.A. in Philosophy and Theology from Eastern Mennonite University. He is a Microsoft Certified IT Professional: Enterprise Administrator and Google Apps Certified Deployment Specialist. Galen lives in Lancaster, PA, where he co-leads an organization encouraging community engagement and spends his free time writing.
Johan: Good afternoon and welcome to the November, 2021 Community IT innovators webinar. Thank you for joining us for today’s webinar on supporting Macs at your nonprofit. Apple’s Mac computers, and especially MacBooks and iMacs, are popular among nonprofit organizations. However, managing Macs effectively in a business environment presents a number of challenges.
Today we’re going to share our insights and lessons learned from our experience of supporting over 600 Mac computers at our nonprofit clients.
My name is Johan Hammerstrom. I’m the CEO of Community IT and the moderator for this webinar series. The slides and recording for today’s webinar will be available on our website and YouTube channel later this week. If you happen to be watching this recording right now on Youtube, please consider subscribing to our channel to receive automatic updates when we post new webinar recordings. Throughout the webinar, we invite you to use the Q&A panel or chat window to ask questions and we’ll do our best to respond.
Now, before we begin, we’d like to tell you a little bit more about our company. Community IT is a 100% employee-owned company. Our team of 40 staff is dedicated to helping nonprofit organizations advance their missions through the effective use of technology. We’re technology experts and we’ve been consistently named a top 501 managed services provider by Channel Futures and it’s an honor that we received again in 2021.
Now, it’s my pleasure to welcome our chief technology officer, Matthew Eshleman and our director of technology solutions, Galen Wenger and I invite them to introduce themselves. Good afternoon.
Matthew Eshleman: Hey, good afternoon, Johan. It’s great to be back here again with another one of our technical topics for our webinar. Really looking forward to the conversation that we’re going to have today to talk about how best to support the Mac OS at your nonprofit organization. If you notice, the very front first picture in the webinar is a picture of our team and clients. There are Macs in the foreground and so that’s not just window dressing or props. We actually do support a large number of Mac devices and look forward to sharing what we’ve learned and also looking forward to getting some input from you.
As Johan mentioned, please feel free to chat in any questions that you may have and for those of you that submitted questions in advance, we’ll get to most of that during today. So I’m really happy to be joined by my colleague Galen Wenger who really helps to drive a lot of this platform management here at Community IT. Galen?
Galen Wenger: Thank you, Matt. It’s a pleasure to be here today. As Director of Technology Solutions here at Community IT, I have been involved in Mac administration since 2007 and have been with Community IT for about 13 years now. I have been involved in a push over the past few years to really make us a top tier Mac management service and I’m happy to be here to share what we’ve learned.
Matthew Eshleman: Great. Well, in terms of what we’re going to talk about today, we’ve already given away a little bit. At Community IT, we do support largely a PC environment, but have a significant Mac support presence.
We’ll talk about some of the
- best practices that we’ve found and developed in terms of how to best manage Mac devices,
- what policies to include, and then
- how to approach that and then finally,
- we’ll talk a little bit about tools and administration, and have a discussion about some of the options that are available there.
So before we launch into it, love to just get a sense for where the audience is at today. So Johan, if you want to launch our first poll in terms of how familiar you are with Mac OS use and support. So go ahead and chat that in. We’ll leave this open for a moment or two and then share the results with all the participants.
Matthew Eshleman: So are you not at all familiar, coming to this new? Maybe you’re like Galen, you’re an expert. Maybe you have something to share or maybe you’re kind of in the middle. I’d probably put myself in the middle. I’ve got a cursory knowledge and understanding but would be in the middle somewhere. All right. Great.
Well, looks like of the folks attending today, most of you are quite familiar. So there’ll be some takeaways, some lessons learned for you. If you’re somewhat familiar, I think we’ll be able to get you up a notch or two. So thanks for responding to that.
So let’s first talk a little bit about some of the terminology. So I don’t know, Galen. Maybe I can take the first one, but then you can take the rest.
It’s helpful to understand: Apple is the company. They make the Mac. The Mac runs Mac OS. That’s the operating system of Apple computers. It would be separate from the operating system that runs on the iPad and iPhones, which would be iOS.
Galen: That’s right and so moving along, the M1 is one of the bigger developments in the past few years for Macs.So over the past couple decades, Macs were running on power PC processors, and they switched to Intel which is the same processor that most Windows computers run and over the past couple years now, they’ve been switching, and really the past year they’ve been switching to their own internally designed processor.
You may have heard M1 is the name of the processor. Apple Silicon is the term that gets bandied about a lot and it’s a great processor, great hardware. We’ve been very impressed here at Community IT. It does really well with power management. So for your laptops, that’s how you get that really long battery life. It does have some architectural technology changes in the backend that affect how you manage devices as well. So it’s definitely in play.
Moving along, Apple Business Manager is a service that Apple has for organizations where you can manage purchasing, enroll your devices through Apple.
So the device is associated with your organization and not just whichever user has the device.
You can do management of organizational identities that manage Apple IDs.
You can also do a managed purchasing of app store apps and content. That could be acquiring free apps or paid apps.
You can then distribute to devices probably through your MDM. Mobile device management is a linchpin for a lot of what we’re talking about today. It’s service that you can use to push down configuration settings and content to devices that allow you to manage them, support the users on those devices. It is really a kind of essential element of Mac management at this point.
Over the years, Apple has had a couple different methods for managing Macs. But within the past couple years, it’s really become necessary to use an MDM and that MDM is tightly integrated with the operating system which enables it to manage the device.
Endpoint Security Framework
The last item here, endpoint security framework. This is kind of an internal term. What we’ve seen in Mac OS for the past few years and from Apple in general, is a strong focus on privacy and security on the privacy side of things. That means that there are now identified privacy permissions within Mac OS to control things. Like: Can this application access my microphone? Can this application look at my camera? Can this application read files in my downloads folders? These are all various settings that are usually controlled by the user.
In an organizational context, we may want to manage those settings for our users, so that if we deploy a backup application, that backup application is then actually able to access the data.
So that’s one aspect of it where your MDM can control those privacy preferences and then another piece of that would be kernel and system extensions. That’s another key necessary feature where if you’re deploying security software or maybe file sharing software, that’s going to interact with the operating system on a low level.
Apple has a process that you have to go through to be able to allow that application to run. That process can be somewhat onerous, particularly for the end users and so that’s something that we want to be able to control. In our experience, working with various organizations, a big part of Mac management is leveraging control of those endpoint security features.
Matthew Eshleman: Galen you have touched on some of the things that are necessary to support Macs, it is a bit of a different support model. As a managed services provider Community IT supports 140 different organizations. We’re supporting well over 6,000 nodes, at this point and in general, for the Windows world we have a very device centric view, so we can push down things to devices.
But in the Mac world, it doesn’t work quite that way; it’s very much a user-centric model.
I was wondering if you’d talk a little bit about that user-centric model a little bit more and some of the other things that are unique to supporting Macs, particularly from a centralized perspective.
Galen: Absolutely. So, on that user centric model, thinking about us as just individual people, maybe using an iPhone and a Mac. We’re signed in with our Apple ID, both places, we get our iMessage both places. That user account centric access to the data and some of the features is something that Apple does very well.
As we translate that into an organizational context, we see that the end user maintains a higher level of control and account access. On the Mac side, it’s not necessarily what we may be familiar with if we come up through Windows device management. It’s not enough just to make sure the device has the applications installed on it and is ready to go. The user is still going to be a part of this.
Another aspect would be providing any level of screen sharing remote support. Apple actually does not allow an organization to pre-approve entirely a remote support application that can access the screen. At the end state the user is still going to have to approve that within the operating system before we can connect. That’s great for privacy, but I know for our help desk at Community IT, it can be challenging, especially if the person who needs assistance isn’t very familiar with Mac OS. We have to guide them through that approval process before we can even share the screen and really get to the matter at hand.
Another key aspect that also comes from Macs’ presence in the consumer world is that Mac isn’t really great for enterprise change management, or maybe the small midsize business change management, in terms of letting folks know some of the new features that are coming in advance, as well as some of the changes in the operating system that may affect how software works.
Apple is well known, perhaps notorious for doing these big landmark releases and dropping the changes right on release day of the information that’s available, as opposed to providing better insight months in advance on what those changes are going to be. That can affect things like your endpoint security software. We’ve definitely had challenges where there will be a late breaking change in the operating system that requires our endpoint security vendor to make a quick software change that we then need to quickly deploy. If we don’t, there are various negative impacts from performance impacts, maybe the endpoint security agent stops working. We’ve had to sometimes change remote support vendors, for example, because they couldn’t keep up with the changes within the operating system and it’s a constant drumbeat of changes. Every six months to a year, it seems like we’re adapting to the platform.
And so some of these changes, they’re great. But still, we’re constantly learning, constantly adapting on the different tool sets.
Similarly, it’s the rare tool that can do both Windows and Mac administration very well, and we’ve definitely had better success by having a separate tool set. On our Windows side we have various device management and enterprise security tools that work really well there. And then we have an entirely separate tool set for Mac and that Mac tool set is actually probably changing more quickly over time as the Mac platform changes. We pick the best of breed tools at that moment.
Then the last piece, our experience is if we really want to have a high end end user experience that’s helping guide users through things like enrollment of their brand new device, operating system upgrades, maybe some refinement or fine-tuned application deployment. We often find ourselves using the Mac OS scripting languages. Those of you who are familiar with this often bash a little Python thrown in there. These are different languages than what we use for device management on the Windows side. It can be a little bit of a barrier in that even with the best MDM solutions out there, we still find ourselves dropping into doing some light coding to really make everything work together.
Matthew Eshleman: The other thing it’s helpful to realize or understand, combined with some of that change management, Apple’s less than proactive communication around changes in the operating system is that the current Mac OS is basically N+2 or N-2, depending on how you look at it: Apple’s going to support the most current operating system and then the previous two versions.
I’m always reminding myself that it’s 10.15 – Catalina, and then there’s 11 – Big Sur and then just released is Monterey, which has the OS designation of 12. It’s interesting to see the different naming conventions on the OS version side, and also to see how Apple is supporting and providing updates to those systems.
It’s important for folks who are managing the devices to keep up to date with those version changes. In a way, people tend to have a view that I’ve got this eight year old MacBook and it’s great, and it still works. But if it’s not running one of these versions of software, it’s likely not getting the most current security updates. It’s possible that, unless you’re on the most current version, Apple isn’t even providing complete security updates for some of the older versions. So there’s an article I’ll chat out that came out here in the last week or so that involves some security research about the timing and release of some of those security patches in the Mac or in the Mac OS. PSA: Apple isn’t actually patching all the security holes in older versions of macOS.
Galen: Yeah, that’s a great point and I’ll add to that, one of the challenges on the management side is that Catalina and Big Sur in particular were rather disruptive upgrades for us to push out. There were a lot of changes around those privacy preference controls and around those kernel and system extensions. So those security features at least initially broke a lot of software and we had to, in some cases, wait for our endpoint security software. One of our clients had to wait on the upgrade until it was supported, and so it’s definitely a balancing act, and Apple doesn’t help out there by the selective patching of the prior release.
What to Manage
Matthew Eshleman: So now moving into talking specifically about what to manage and what we have found to be the most helpful. I’d also love to pause here and get a sense from the attendees of how many Macs are in your organization. So if we can get the poll up, we’ll get a sense of: less than 10%, maybe a quarter to a half, more than half or, all Mac. I’ll be curious to see where the data comes in. Don’t let me skew your results, but we generally see organizations that are predominantly Mac and then organizations that have one or two that they need to support. That’s generally been what we’ve observed. I am curious to see if that is shifting.
We’re maybe seeing a little bit of a shift with more organizations adopting Macs, in part due to the M1 chip. The prices are coming down. Computer shipping logistics is a nightmare right now and Apple has seemed to avoid most of that, so we are seeing pretty quick turnarounds in ship dates. The cost is pretty good.
For the MacBook Air the pricing is not bad compared to comparably equipped Windows computers. So I’m curious what the audience has got here. So we’ve got that bifurcation there, use all Mac, or you’re supporting one or two and trying to figure out what to do and some folks in the middle.
So that’s interesting to see the relationship. At Community IT generally speaking, the devices that we are supporting are largely Windows. Almost 90% with about 11% in the Mac OS realm. There has been a growing number of Mac computers that we’re supporting over time. That’s led us to provide the best support and automation for Mac devices, leading us to choose a dedicated Mac MDM tool.
Some traditional tools are used by organizations like us to support Windows computers. It’s another world to support Macs. Special attention goes into the support tools as well.
On those special controls, Galen, if you could talk a little bit about what we like to see deployed or managed or configured as part of that Mac support? Maybe talk about how that’s different from what we see and do in the Windows world.
Galen: Yeah, absolutely and to put a finer point on what you’re mentioning there, on the Windows side of things for device management, we’re still very much in a world where we install a management agent.
Just a piece of software, it’s installed by an administrator or process and then it’s able to take on all the various actions on the operating system. For our tools that had been the model for Mac as well and with the changes in the security framework on Mac OS, it’s just not a viable option. We can put an agent on there, but it won’t be able to do anything unless it’s an MDM behind it. So that mobile device management, where you are in the operating system, actually assigning your device to this management server is just absolutely necessary. It makes all the rest of this possible.
So let’s talk about the controls that we have. First, one could have a healthy debate, local admin users, our experience has generally been that Mac OS users are generally a little more self-sufficient than the general population on Windows. There’s probably a lower risk of unintended actions. Be it drive-by malware or installing something you didn’t mean to install, on Mac than Windows. That’s not to say that Mac doesn’t have malware. It does, and it’s worth having a great endpoint security agent on them as well. But also, in a Mac OS environment, you’re much less likely to be joined to a directory. So be that your traditional on-premise active directory is something like Azure AD. There are a couple third party solutions they can use to try to tie in your Mac local device with a cloud directory.
But in general, you’re using local accounts. Our experience has been, it mostly makes sense to use local administrator users. We will use standard user accounts. So the difference there, standard users don’t necessarily have the ability to install apps while administrators do.
We’ll generally have administer-users unless there’s an overriding concern that really requires a standard user. Last item on that, having a local admin end user helps make the updates and upgrades process go a little bit smoother as well.
Moving long, FileVault Recovery Key. First of all, implicit in that is you’re encrypting your devices with filevault. That’s supplying device level hard drive encryption so that if the device is taken, those bits are encrypted and can’t be accessed easily. So it’s important to have a filevault recovery key set and escrowed into your mobile device management solution.
One thing that we’ve seen is: Mac has previously supported both a shared recovery key, they called it institutional; as well as a personal recovery key, which is one that is individual to the device. Now they’re just saying, just one key per device and you need to escrow it into your MDM. So that’s another important thing.
It’s important to have OS level updates and third party updates to make sure that your apps and your operating system stay up to date. One thing that’s been really hard on Macs recently is managing those updates. With some of the changes that Apple has made in their platform, the traditional methods that we had to deploy those updates are no longer working. We’re hopeful that Mac OS, Monterey, that’s already been released, will be deployed to our clients in the next few months.
We’ll be able to have more fine grade control about controlling when exactly updates happen. But for right now, we’re having to leverage our end users to get folks on board to install those updates.
Then those last two pieces, it’s really important that we’re able to control the privacy preferences to make sure the apps work for our users, as well as make sure that the various security solutions that we’re installing have the approval within the kernel and system extensions that they need to run.
Matthew Eshleman: Yeah. So then in making all that happen, we’ve talked a lot about MDM and MDM and MDM, and that’s the key element of that. So MDM is this element that’s built into the Mac OS operating system, and then is able to be leveraged by these tools that can register as a mobile device management platform. That is different from the agent based support platform that many organizations have traditionally used. There’s a lot of different tools out there to do this.
If you Google “Mac MDM support,” or “Mac management,” you’re going to get a lot of different options for that and some of them are really good. Again, if you are managing just the computers in your organization and need lightweight inventory and configuration, then solutions like the Kandji and those are geared towards those type environments.
The big player is there in the middle: Jamf as having a lot of sophistication and capability and API integration with other tools. Okta comes to mind as being able to integrate some workflow so that your device registration can be passed from Jamf into Okta. But those are really all Mac management tools.
We’ve also got Workspace ONE here. That’s a VMware product that combines Mac and Windows management into a single MDM platform. In the same way, Microsoft Intune or endpoint manager also combines the ability to manage both Mac and Windows devices from a single platform, with the caveat that the Mac management isn’t as robust as it is in some other platforms.
And then we have the solution up top which is Addigy, which is built for managed service providers like us that need to have what’s called multi-tenancy. The ability to securely manage discreet clients so we can leverage some economies of scale and not have to rewrite things for each individual organization. There are a lot of different options for Mac management and there may even be more coming. Galen, you were talking about some changes that Apple is making potentially to provide some of these services, as well.
Galen: That’s right. So while Apple has supported MDM within iOS and Mac OS for a while, they haven’t had their own. They bought one last year Fleet Smith, and it just came out, in the past week, that they’re doing a beta now of an Apple mobile device management solution targeted at small and midsize businesses. That is basically a rebranded Fleet Smith, along with some iCloud storage and a couple other add-ons there. We’ll see how great it is, but in general, it shows some intentionality from Apple in supporting Macs and the enterprise and organizations, and that’s really valuable.
There have been times in the past where it felt like Macs were more focused on the consumer market, not as focused on the business and organizational market and we definitely see now that Apple is continuing to focus on this environment.
One other thing I’ll mention here, looking at these different options, there are some great solutions out there that come in at different price points and at different feature sets. The big one that comes up in conversations with some of our clients is Intune. “Can we just do Intune for everything?” Intune’s fantastic on the Windows side and Intune does have the necessary bits to be the device management provider for Mac, but it’s not going to provide you with the kind of turnkey Mac management that you see in some of these other solutions. You’re far more likely to have to rely on other, third party and open source tools to build your configurations and make it all work and it’s going to be feature deficient compared to many of the other tools here.
Some people do use it and use it to great effect. But one of the other challenges that we see when we come in and see a client has their own Mac MDM, some are really being used well. But often, they have the capabilities there and the technology, but it’s a lot of work and configuration expertise it can take to really make it sing. So it can be a challenge and in those cases, maybe a better option is to work with a service provider, or get in one of these MDMs. It’s a little lower on the sophistication and a little more turnkey.
Matthew Eshleman: Yeah. So with that in mind, what went into our decision to pick Addigy when we were looking for these kinds of solutions.
Galen: Yeah, a big one was the multi-tenancy. Most of those solutions that we displayed before are targeting single, individual organizations and if you are working with Macs in an individual organization, check out one of those other tools, they’re fantastic.
What Addigy provides us is the ability to have multiple clients in a single management environment where we can build configuration packages, applications, and then deploy them out across multiple organizations at the same time. That’s really how we’re able to deliver efficient service and make sure that we’re delivering the best possible experience to all the organizations that work with us.
I would say, one of the questions that we get from folks who have done a lot of Mac support in the past is, “Why aren’t you using Jamf?” Jamf is the legacy big player and can do it all. If Jamf had an MSP multitenant option, maybe we would be.
Addigy is a newer solution. It’s one that’s really had some great active development and we found it to be a very reliable solution and one that – short of some special Jamf specific integrations like, Okta – Addigy can do everything that the Jamf can do. So, we’ve been happy to partner with them and look forward to continuing with them.
Matthew Eshleman: Yeah, if you just want to chat in, if you are in that category of being a hundred percent Mac shop, chat in the tool that you’re currently using and what you like about it, or maybe what you don’t like about it. I’d really be curious to hear about it.
I would tag onto the benefits of Addigy some of the other additional integrations that it provides some remote support tools: interactive remote support so you can get access to an end user’s desktop; help them install some software; figure out why their printer isn’t working; or whatever that happens to be.
That capability is not available out of the box with the Mac OS. You need a third party tool. That’s something that we’re able to get through Addigy: a way to provide remote support to those managed devices. It goes beyond just being able to inventory the device, make sure that we get all the attributes about the hardware, the warranty information, if we can, and the filevault escrow. Also being able to provide remote support, push down configurations, deploy software, do all of those additional tasks that need to be done in order to have a well-supported and well-managed environment.
Specifically about that, this is our best practices, or our roadmap for how we support Mac devices at our clients. This is the same if you have one computer, or if you have 50. The process is the same.
Things are changing a little bit, particularly related to that first line where we have “Purchase computers through ABM.” That stands for Apple Business Manager. Galen talked about that at the beginning. If you’re in the Windows world, this could be considered analogous to Autopilot. It’s a way to automatically associate a device with an organization and then push a configuration.
You can purchase computers from Apple, or from different vendors and as long as they can register your purchase with your Apple Business Manager account, and you have an MDM solution set up, that purchase will automatically be associated with your organization and get your MDM profile pushed to those devices.
So that’s fantastic and it’s great if you can do that right off the bat. You can apply for an Apple Business Manager account. There’s no additional cost associated with that, but it’s something you do need to do in advance.
There is one change. It used to be that the only way you could do this was at the beginning or at the purchase through an approved vendor. If you bought a device through some other channel, or if the purchase didn’t get registered through the device enrollment program, you were kind of outta luck and you weren’t able to do that automated enrollment. It does look like that is changing.
Apple is now providing a way to do manual enrollment of devices in your MDM platform after they’ve been purchased. That’s a really good change that Apple has made in order to support some of that. I’ll go ahead and chat that link out, if you’re curious to read a little bit more. But, do you want to talk a little bit more about that enrollment process and what happens onboarding new devices?
Galen: Yeah, absolutely. It’s fantastic that Apple’s moving to support post-purchase enrollments. It does look like you would need an IT administrator who would need physical presence with the device. So you aren’t going to be able to enroll that device if you’re shipping it directly to a remote user. I would still encourage you, if you’re able to, have your purchase device registered with Apple Business Manager through Apple or through an Apple authorized reseller. From there, if your device is enrolled in Apple Business Manager, then it gets automatically assigned to your mobile device manager. When whoever’s doing that initial setup at the computer, one of those screens along with picking your time zone and whatnot is going to say, “You’re being assigned to your organization’s device management solution.” From there, you can pick what you want to do additionally, to enroll that device.
And so in an ideal scenario, your device management solution is pushing down the applications that they need, the configurations that they need, and so, within an hour of getting that device turned on, it has everything that the end user needs to do their job.
As we mentioned before, we do side with creating a local admin user account, both for the end user and for creating an IT administrative account. It’s going to be useful if there’s a user departure, or if you just need access to that device. Particularly if you have filevault on there, it’s going to be useful to have an IT administrative account.
Along with deploying software, deploying management configurations is going to be big. The configurations that you need to deploy are often going to be defined by the applications, particularly the management security applications that you’re using.
So if you’re using an antivirus or EDR tool, or if you’re using some file collaboration tools that maybe help you view your cloud files locally, or maybe you’re using an endpoint backup tool, those tools more likely than not will require you to define permissions. You want to push those down in advance of installing that software so that software is going to work well. We have a workflow, in some cases we’re able to actually display a splash screen to the user who’s receiving that device, so they know each step of the process what’s going through.
So let’s say, you’ve got the device enrolled. You’ve got it configured through your MDM. It has the software they need. Maintaining it from there, you’re going to need to update regularly for security updates. Quite frankly, for the past year, we’ve really been leveraging reporting and then some end user notification to encourage the end users to install those updates.
We’ve seen a lot of security update and vulnerability concerns on both the Windows and Mac and iOS side this year and it really drives home that being able to turn around those security updates on a timely basis is really important. That’s something where you want to be keeping an eye on your device. We looked at the major versions of 1015, 11, 12. It’s not just that, you look at that next number to see are they actually running a version that has the most recent security updates?
And then from there, our general practice at this point is to defer those major OS upgrades. So going from 1015 to 11, or 11 to 12, for three to six months, and we feel that this is a good enterprise best practice.
That’s not to say that we don’t already have some Monterey devices in the mix. Depending on your organization, what your Mac purchasing is like, you know as soon as that new operating system comes out, it’s what the new devices shift with and you can’t downgrade it. To some degree, there’s always going to be some of the latest operating system version in the mix.
Why do we want to wait? A big reason is again, application compatibility and particularly for your business enterprise applications. That’s where you’re going to see some of the biggest challenges: your endpoint security agent, your file collaboration tools, your backup tools. They often need at least a couple months to really make sure not only that they support the operating system, but that they support it well.
I mentioned previously the Catalina and Big Sur upgrades, last year’s upgrade and the one before that, were really disruptive for some of our users and for our folks who did upgrade early, there was some early adopter pain there. Maybe that’s all right for your organization, but if your focus is on stability, defer those upgrades for a few months until you’re able to test and validate it, and then you can roll it out.
Matthew Eshleman: That’s a good distinction to make between those major OS version updates, which are coming out about once a year, and the security updates, which are coming out about every other month.
You may not need to necessarily go to the most current version, but you do need to make sure that those security updates are coming out. As Galen said, we are seeing security vulnerabilities being exploited in the Mac OS world. We are seeing the need for endpoint security tools to be deployed in a way that maybe we didn’t five years ago where we thought, it’s secure. It’s not a big threat profile. That has certainly shifted over the last several years.
As we look to talk about the lessons learned that we have, we’ll chat out a link. We have a case study on our website of how we approached Mac support for a mid-sized organization.
To highlight here at the very beginning, you do need an official MDM tool to manage Macs, not an RMM, not just a support agent, but a full-featured MDM. I saw there was one attendee that was using Meraki’s system manager, which is another MDM that has the benefit of being free for up to a hundred users with community-based support. So yeah, we’ve seen that in the mix as well, but you need a tool like that if you’re going to manage your Macs.
Galen has talked about it a bit already that change management is tricky. Microsoft, which really plays in the enterprise space, has insider programs, has a long lead time, publishes roadmaps of what’s going to be changed and then communicates that well in advance. The Mac changes aren’t often as clearly published to the vendors and they’re kind of dropped on the users in a pretty short timeframe. That can have a bit of an impact on you and on the supportability.
The other thing that Apple gets dinged for a little bit is there’s not an officially published formal support schedule. Whereas, Windows will say, “We’re going to support Windows 10 through 2025,” or whatever, that’s well-published in advance. There’s a little bit of mystery to what’s being patched, when it’s going to be patched and that information is not always readily available. It’s important to go into that and keep up to date with things.
Life cycle replacement is still appropriate. At Community IT, a three to four year replacement cycle is appropriate for all end user computing devices. It doesn’t matter if they’re Mac or a PC. If you’ve got that eight year old Macbook that’s still running, hey, that’s great. But let’s make sure that as a standard practice, you’re in the habit of replacing devices and keeping them updated.
Everything in your environment should be on one of those most recent three operating system versions. Especially with the shift into the Apple Silicon, it’s unclear just how far back Apple’s going to go in keeping older operating systems up to date.
The final lesson learned is it’s very much more of a user centric approach. As Galen mentioned, we are reliant a lot on the end user to initiate changes, whether to process an update or the security update, but it’s a lot more end-user driven than in the Windows world where we can do a lot of automated management in the backend.
Galen: Yeah. Matt, if I could just say one thing on change management, if you’re thinking, we’ve presented the problem that change management is rougher than on the Windows side, but what do I do about that? I would say, focus on your key software vendors on the Mac side and make sure that you are in the loop. Read the release notes or their email notifications. The Apple release notes on Mac OS are not going to necessarily identify the user impacting changes that may show up in a security update. But your device management solution, your anti-virus EDR, not Microsoft office, but some of the other more specialized software, that’s the stuff where you’ll find out about a late-breaking change that I’m going to have to adjust my management profile or prepare my users for an alert they may receive when this update happens.
Q and A
Matthew Eshleman: Yeah, that’s great. Well, we have a little bit of time for questions and I see one that came in. I’ll read that and if there’s others we can certainly take them as well.
There was a question about advice for people on using personal Apple IDs for corporate owned Macs, versus corporate Apple IDs. Does it make a difference? Galen, what would you say about how to handle that Apple ID management?
Galen: Yeah, that’s a great question. In the small to midsize business space, you’re probably still seeing a lot of folks using personal Apple IDs, just because there wasn’t really a great option otherwise. Apple has been doing a better job within the past year or two rolling out a managed Apple ID solution through the Apple Business Manager.
It allows you to basically register, reserve your domain name with an Apple Business Manager and then handout IDs to users that are tied to the organization. So, that really helps with software purchasing, if we’re doing app store purchases, as well as making sure that the organizational data stays with the organization. That Apple ID can tie into Azure ID for single sign on, I believe maybe Okta as well. I’m not positive on that one.
I will say we found, the transition can be challenging. If you have been using Macs in your organization for a while, there are probably some personal IDs with your organizational domain name out there that as part of that migration process, they’re going to have to be moved to a new personal email address. There is a process for that, but it can be a little disruptive for users and so it’s something to plan ahead on and consider it through. If you’re able to have the bandwidth for that change, it’s one that pays dividends in the long run, having those managed Apple IDs.
Johan: We do have a few questions. Let’s see, another question just got submitted. We definitely encourage you to ask questions and I do have some questions that were submitted before the webinar that I’ll ask you in just a second. But one was just asked: for the Microsoft Office suite particularly, applications like Outlook and Excel, what sorts of differences do you see functionality-wise between the Microsoft Windows version and the Mac OS version?
Galen: Well, take a brief historical view. It’s much better feature parity than it was five and definitely 10 years ago. In my experience, and other folks in the panel, feel free to weigh in, there’s definitely some UI (user interface) changes and it’s probably more on the subtle level at this point, but some of the configuration options and buttons are in different locations.
We’ve seen more recently that as Microsoft has shifted the UI in Office apps over time, those changes landed on Mac first. If you’re in a support role for your organization, you may find that how I do things on the Mac side is changing more quickly than on the Windows side. In actual features, some of the real fine grained controls on Outlook can sometimes be more challenging or not quite possible on the Mac side. But those issues are far fewer than they were before. I don’t personally know of any Excel or other application limitations at this point. Again, I’m sure there’s some subtle stuff in macros and so on, I would think maybe that would be an area that you’d run into.
Matt, do you have any additional thoughts?
Matthew Eshleman: I’m not a Mac user, so I don’t have a lot of insight there. I do know our COO primarily uses a Mac and has done lots of really impressive stuff with power BI, which is all out of the Mac world. So the feature parity is much improved and I don’t have a lot of specifics about differences between those two platforms.
Johan: I can weigh in. I have a Windows machine at work, but a Mac at home and I use it for some volunteer work that I do and use Excel in particular in Windows and in the Mac. I much prefer Excel in Windows and it’s simply my personal preference.
I do a lot with pivot tables and it’s set up differently in the Mac OS version. It’s not any less feature rich. You can do everything. It just has a different feel to it and so that’s something to keep in mind. But our CFO, for many years, did all kinds of advanced Excel work on a Mac. That really blew my mind that you could do that much. So it works. It’s just a question of what you’re used to.
One of the questions that’s come up several times has to do with iOS devices. A lot of organizations that have macroS devices, also have iOS devices. How much of what you’ve talked about today in managing Mac OS devices through MDM can be applied to iOS devices, both in terms of concepts, as well as specific solutions?
Galen: Yeah, that’s a great question. On the MDM side, most or all of the MDMs that can do Macs can also do iOS devices and so you are able to register your Macs, your iOS devices in the same device management solution. What we’ve said about doing a managed purchasing for Macs and tying that into Apple Business Manager also applies to iOS. If you’re looking at a holistic strategy that’s including mobile devices, looking at a solution that includes both is great. The actual process or what you go through in terms of the management can be a little more varied depending on your use case.
We see that in a lot of organizations in the small and mid-size range, on the iOS side, they’re probably pushing out to some key security settings. I want to make sure we have Passcode on here and the device encrypted, and maybe I’m pushing my VPN profile on there, that sort of thing.
Not as many are doing application assignments. So you can push down appstore apps through your Mac MDM and through Apple Business Manager. When I think about the device management tool set and our solution, Addigy, there’s a lot of reactive remote support tooling to the Mac OS environment that doesn’t really apply to iOS. iOS is more just, hey, I’m pushing down the app’s configurations and getting back some basic inventory and configuration information. But yeah, definitely recommend it.
Some of what we’ve also said around security updates applies to iOS, as well. At least having visibility, that base level inventory, even if you aren’t really pushing down some update management settings, I’ve encouraged that. Know whether your users are several versions behind on their iOS updates. That’s important.
Matthew Eshleman: I would just echo that. For me, the big driver between corporate and personal devices is what you’re going to be able to deploy to them. On corporate owned devices, that full MDM enrollment, where you have the management profile installed, and you can push down things to the device makes a lot of sense in the corporate world.
For personal owned devices you need to be really clear and I’ll make a pitch for our cybersecurity roadmap of starting with policy and making those decisions at an organization level of what you’re going to do from the policy side. Download the Cybersecurity Readiness for Nonprofits: Community IT Innovators Playbook for free to learn about our framework, or take the 10 minute Cybersecurity Assessment Self-Quiz to learn where your organization stands in terms of cybersecurity risks and ROI.
I do think it’s important that organizations are clear about which devices are accessing their data and what happens to it. That can be addressed through MDM profiles.
If you’re in the Office 365 world, there’s also a mobile application manager where you can actually manage the applications that people are accessing, not the device themselves. There’s a distinction there in how much can be done on device management. But again, I would certainly echo the fact that security updates are key and it’s really important to keep things up to date. We’ve seen a lot of things in the press about zero day vulnerabilities exploiting various weaknesses in the iOS environment to allow adversaries to take over a device or get access to contacts, messages and that kind of thing. Making sure that your device is not jailbroken and you’re updating it on a regular basis is a really important security practice.
Johan: Great. Yeah that’s very good advice. So for organizations that are Google centric, maybe they use Google Workspaces for their identity management and productivity suite, then they have a lot of Chrome books that they manage in their environment. Do any of these recommendations change for more Google centric organizations? Can they manage Macs in the Google administrator utility? Do you have any specific advice for people who are in Google?
Galen: Yeah, great question. I, unfortunately, can’t speak directly to the capabilities of managing Macs in the Google Workspace environment. To a more general take, having a dedicated Mac MDM as a general rule really provides a much greater level of control and manageability. I know there are some capabilities there for iOS but, especially if you want to be able to deploy apps and that sort of thing, I would probably look at having a third-party tool. Beyond that, we do see Mac only organizations probably erring a little more towards the Google Workspace world instead of the Microsoft world on some of the collaboration tools and they work very well together. It’s a good pairing. Matt, do you have anything to add?
Matthew Eshleman: Yeah, there is some built-in capability to do Mac OS management in the Google console. I’m not sure how far down that extends. For a lot of these tools, like Kandji and Mosyle, you can do a base level amount of stuff with a lot of different platforms. The question really goes whenever you’re developing your requirements. If you need a little bit more sophisticated control, if you need more support capabilities, then you’re probably going to be pushed into some of those third party tools like Jamf or Addigy, that have that capability to do more than just a base level of control and configuration management.
Johan: Great. Well, we’re basically at time. Before we go, we want to just let you know that this is our last webinar for 2021.
Our next webinar will be in January, and it’s one of our most popular: our annual nonprofit tech trends. We get our technology experts for a roundtable discussion of what we see coming up in technology and particularly in nonprofit technology for the coming year. So keep an eye out. The reminder for that or the registration link is going to go out in about a month and we would love to have you join us on Wednesday, January 19th at three o’clock for that discussion. Thank you for joining us today. We appreciate your time and your attention and wish you a happy Thanksgiving and a great rest of November. Take care.