Welcome to part-2 of the AIO guide for managing the Apple platform with Microsoft Intune.
MDM lets you manage devices securely and wirelessly, even if you don't own them. This means you can set up profiles and commands for the device so that you or your organization can get the most out of it. Mobile Device Management (MDM) is a system that helps you manage your mobile devices. iOS, iPadOS, macOS, and tvOS have built-in MDM support. This MDM framework and protocols allow you to control software updates and device settings, monitor compliance, and even remotely wipe or lock down the devices to ensure that devices are following your organisation's policies. Devices can be enrolled in Intune automatically, or users can enrol themselves.
How is a device enrolled?
To use the device with an MDM solution, the mobile device management solution first needs to enrol/register the device with it. This sets up a profile that links the device to the MDM solution. User enrollment allows users to enrol their own devices (personal devices), whereas Apple's automated device enrollment allows the corporate-owned devices can be enrolled automatically enrolled in MDM.
During this process, the profile is downloaded and installed on the device. In the case of ADE, it is automatically installed, and for BYOD, the user downloads the profile to install it.
The MDM solution uses the Apple Push Notification service (APN) to communicate with the device. These APNs maintain persistent communication with devices across both public and private networks.
The device checks in with the MDM server to see if any new commands or updates are waiting for it. Suppose there are; the device downloads and processes the commands. The MDM solution can then send push notifications to the device to install new apps. Declarative device management (DDM) is a new way of managing devices using the MDM protocol. Declarations are payloads representing policies the MDM server defines and sends to devices. There are four types of declarations: configurations, assets, activations, and management.
Declarative device management automatically updates the server with new data from the device.
Device enrolment types
MDM solutions allow companies to enroll devices into their systems in three ways:
User Enrollment is intended for BYOD, in which the user owns the device rather than the organization. The four steps in enrolling these devices are:
- Service discovery: The device identifies itself to the MDM solution and provides the necessary information to allow the MDM solution to manage the device. In addition, the MDM solution can use the device's information to manage the device's security, user data, and settings.
- User enrolment: An identity provider receives the user's credentials and authorizes enrollment permission in the MDM system. The MDM system can then use the credentials to access the user's device and manage the user's settings.
- Session token: A session token is given to the device to continue to be authenticated. This token keeps track of the device's authenticated state so that subsequent requests can be handled correctly.
- MDM enrolment: The MDM administrator sends payloads to the device that will be used to enrol the device. These payloads will help the device to register with the MDM server properly, and will provide the necessary information for the MDM server to manage the device.
Managed Apple IDs are required for user enrollment. Employees can access specific Apple services through their employer's owned and operated Apple services. When a user removes an enrolment profile, all of the user's configuration profiles and associated settings are deleted. All managed apps that were based on that enrollment profile are also deleted.
To enrol a personal device in User Enrolment, users can create an account or use an enrolment profile.
Organizations can use device enrollment to allow users to enrol devices into Microsoft Intune manually. From there, they can manage several features of the device. When a user removes an enrolment profile, all configuration profiles, their settings and Managed Apps based on that enrolment profile are removed with it.
Automated Device Enrolment (ADE)
ADE is designed for devices that are owned & managed by the organisation. This system makes it easy for devices to be registered and tracked so that they can be used by the organisation effectively. With Automated Device Enrolment, organisations can configure and manage devices from the moment they are taken out of the box. This saves time and hassle, making it easier to get devices up and running.
The user can remove the MDM enrollment profile, but this can be restricted so that the device remains as supervised. With Auto Advance enabled in MDM, organisations can automatically order new Mac computers and deliver them to their office with just a quick plug-in to an Ethernet port and some power. To use auto-advance enrollment, make sure that you meet all the below requirements:
- The MacBook's serial number is in ABM.
- It must have Automated Device Enrolment settings configured in Intune.
- It should be plugged into a power source.
- Active Ethernet connection.
- The device should be able to access Intune services internally or over the internet.
We've covered a lot of information today, so let's take a moment to recap. I hope you've found this information helpful. In the next section, we'll move on to more complex topics. First, we discussed how the devices are enrolled. Then, we looked at MDM communication with devices with a quick view of DDM. Finally, we discussed different types of enrollment, and you can take advantage of them. Now that we've covered all the basics, let's move on to more complex topics. In the next section, we'll discuss Apple Business Manager, Apple School Manager & Apple Business Essentials.