Deploy Apple devices using zero-touch
Discover how Apple's system administrators remotely deploy Apple devices to their teams, ensuring a zero-touch deployment. Learn how to configure the setup experience, control and manage devices effectively, and discover practices around security and management.
WWDC20
My name is Jason Cary and today we'll be talking about deploying Apple devices using Zero-touch. Within this session we'll review remote deployment and management practices by looking at Apple's internal Zero-touch deployments. We'll start with setup and infrastructure components, review how we deploy devices to our users, confirm how we identify and secure our users, and share how we distribute content to ensure users are able to perform their duties as efficiently as possible.

Before we dive into the technical details, let's take a second to reminisce. IT admins of the past were involved in every aspect of the hardware provisioning process. Fortunately, the days of device imaging and sitting with users for hours on end are long gone. Our Zero-touch enrollment solutions allow efficient provisioning of devices for thousands of employees worldwide. New devices are drop-shipped from our supply chain directly to our users without IT needing to touch each device. Our goal is to have our users online and productive within minutes, not hours, of unboxing their new device, and to provide our users with a positive device setup experience.

Let's look at the macOS Catalina setup process for the Macs we're deploying today, which will be updated to Big Sur after it ships later this year. As a user boots their new device for the first time, Setup Assistant activates and begins the device enrollment process. Within our Zero-touch model, we have customized the Setup Assistant process to be more efficient. We've removed several Setup Assistant screens and options to provide an optimal experience to our users. Devices are automatically enrolled in our device management solution during the first boot, which allows us to push critical applications and security settings to the device during the initial setup process. One of the most important setup steps is to have the user create a local user account and a secure password. This is where a specific account name and password restrictions can be enforced. I'll talk about several of these settings later on. Users self-configure various settings to their preference, including Light and Dark Mode within macOS. At the conclusion of the device enrollment process, Setup Assistant completes the remaining device setup tasks and brings the user to their desktop screen. When the user arrives at their desktop screen, applications required to complete their duties as well as critical security settings are already installed and enabled on the device.

Through the use of Apple Business Manager and our device management solution, our team has achieved an astounding ratio of 20,000 managed devices per MDM admin. Recently, in response to the ongoing health pandemic, Apple sent many of our employees home from their normal brick-and-mortar locations to perform their job functions remotely. As a result of this quick decision and the prompt actions that were taken, many of our employees were unable to take their primary workstations with them. Apple drop-shipped each of these particular employees a new Mac device to their home in a very short time frame. Our users were able to power on their new devices and quickly become productive thanks to Zero-touch device management. Without these capabilities, the quick pivot would not have been possible, and affected employees would have been idle for an extended amount of time, impacting their work and Apple's ability to continue to support our customers.

Let's dive into our Zero-touch environment setup and infrastructure components. So how does this technology work? A remote management solution is made possible by Apple Business Manager, the Device Management framework with a third-party device management solution, and core technologies in iOS, iPadOS, macOS, and tvOS that enable management of certain features.
Starting with the purchase, the device details are sent to Apple Business Manager through Apple's Reseller API. Each Apple Business Manager account is configured with a default MDM target which allows the device to be assigned to an organization's preferred MDM server. Devices are purchased through the reseller channel. Each reseller partners with Apple to obtain access to our Reseller API. Upon a device being purchased, the Reseller API performs data validation to ensure sales notification data is accurate and unique. Multiple device details are included in the Reseller API transaction including serial number, purchase order details, date of purchase, and more. Checks can also be performed to validate the device is not currently enrolled with another Apple Business Manager account.
Once verified, the device purchase record is transferred into Apple Business Manager.
Pending receipt of the sales transaction into Apple Business Manager, the device is added to a specific Apple Business Manager account based on the Reseller ID provided. A device is associated with its intended MDM server based upon the previously mentioned Apple Business Manager assignment.
Multiple MDM targets can be configured for a single organization. Communication between the MDM server and the device is established during the device setup process using APNs, including the device receiving its initial configuration instructions; the MDM is then able to apply pre-stage profiles to the device. Devices may be manually assigned to an MDM service which is not the default MDM target for your organization. Such assignments should be completed prior to the user receiving their device. As of macOS 10.15.4 and iOS 13.4, APNs also now supports proxy configurations.
Apple is making it easier for organizations to communicate with the Apple Push Notification service on proxy networks. APNs allows communication from MDM to your devices. Organizations need to allow communication from their network to APNs. Apple Push Notification service traffic will now use a web proxy when it is specified in a proxy auto-configuration (PAC) file.
This new feature will provide improved support for default-deny networks, typical in regulated industries, as all Internet-bound traffic must traverse a proxy that is configured by a PAC file. APNs traffic is encrypted and cannot be inspected. APNs proxy support will provide full MDM functionality on proxy-enabled networks. Work with your network teams on how your devices discover the PAC URL, automatically or via a configuration profile.
Data traffic traversing APNs cannot be inspected, so the communications remain secure without the threat of being intercepted.

Let's look at an example of an MDM profile in macOS Catalina. Apple's management approach has always been to make it really simple for businesses to centrally manage their Apple devices with MDM. The process is fully secure, streamlined, and easy for the user. And it is transparent, so that users know everything that happens to their device, including how it is set up and what has been deployed to it. In this way users are a part of the process and have a role to play whether each device is enrolled in Apple Business Manager or not.

So what can MDM do? Here are just a few examples. Through the use of configuration profiles you can enforce passcodes, restrict various settings, or organize apps in the Dock. You can also configure macOS devices to automatically connect to an enterprise Wi-Fi network, set up email accounts, install applications, and enforce encryption with FileVault.

The last step in deploying macOS in a Zero-touch solution is getting your infrastructure ready. macOS supports a wide range of standard technologies for everything from networking to accounts and identities. Most of these are the same standards that companies already support for iOS devices. As a result, IT teams only need to configure a few additional things to do basic integration and support key infrastructure.
There will be additional considerations as you build your own remote management environment. Infrastructure components may vary based upon your organization's needs.
The first significant decision that needs to be made is whether the environment will be on-premises or cloud-based. Utilizing multiple MDM environments allows MDM administrators to push and test new settings without the risk of impact to production users and devices. A good multiple-environment setup includes production, disaster recovery in a geographically separate location from your production environment, test, and development. For on-premises environments, containers or virtual machines can be used for low processing needs such as web servers and application servers. High computing needs such as database transactions should be properly sized to ensure efficient processing of such requests. The use of bare-metal servers may be beneficial for resource-intensive functions. You should install and enable firewalls and access control lists at each layer of your solution. Load balancers may be beneficial for larger organizations to balance management traffic from your users; however, they may not be necessary for smaller implementations and organizations.
Let's talk now about deployment.
Our Zero-touch solution allows devices to be drop-shipped from the supply chain directly to our users. Remember, your organization might choose to skip certain aspects of the normal Setup Assistant process to streamline the device setup process. Each device is automatically enrolled into MDM upon Setup Assistant running during the first boot. Users receive a custom MDM enrollment notification screen during Setup Assistant which confirms their enrollment. In our case a self-service application is automatically installed on the device. Commonly used applications, including a Single Sign-On (SSO) authentication client, are automatically pushed to each device upon MDM enrollment. Additional applications such as corporate and contact center tools are also made available to the user via a self-service portal to install at their convenience. You should intentionally decide which apps are automatically pushed and which you allow the user to install for themselves. Some apps may be best pushed automatically, but not all. Local admin rights are provisioned for our users. User experience is greatly enhanced and fewer issues occur when users are provided local admin rights to their device.
Measures should be taken to ensure devices are properly secured based on your organization's needs. There are many different types of payloads that can be built and deployed to manage devices using an MDM solution. All these different payloads allow different settings in macOS to be set by administrators and are fully customizable to your organization's business and security needs. Apple pushes a number of payloads to our users' devices via our internal MDM solution. Corporate and business-critical applications are automatically installed upon MDM enrollment. Mail and Calendar settings are also auto-configured upon the user logging in to our Single Sign-On application.
Additionally, VPN and our internal wireless network are also configured automatically for our users, allowing them to go online and become productive immediately after MDM enrollment. Identifying all users connecting to Apple's network and using Apple tools is extremely important. Numerous security measures and settings are used to identify users and secure their devices from compromises. User information is pulled by our MDM solution through the SSO authentication client. Functionality will depend on the identity provider being used, but most LDAP integrations will support these identification functions.
We have the ability to scope MDM profiles, policies, applications, and settings based on LDAP groups and user roles. You may use one of a number of identity providers, and your full identity solution can take advantage of many of the built-in user identification functions depending on availability within your MDM. Where such functionality does not exist within your MDM, custom scripts can be used to perform additional identification functions. For more on enterprise identity and authentication, please see this year's identity session.
We've implemented numerous industry best-practice security settings as well as settings specific to our own needs and internal security requirements. These settings ensure our users, their devices, and the data they access remain safe and secure. Settings in gray are common baseline security settings. Some or all of the listed settings may be beneficial to organizations setting up their own Zero-touch solution. Settings listed in white are specific settings put in place by Apple to further protect our users, their devices, and the data being accessed. As we utilize very sensitive customer data to support our customers, additional settings are needed to ensure the data remains safe.

If a device is found to be out of policy, lost or stolen, or if an employee leaves the company, an MDM server can take action to protect corporate information in a number of ways. A device must have a network connection to receive these commands. An IT administrator can end the MDM relationship with a device by removing the configuration profile that contains MDM server information, including the accounts and settings the MDM was responsible for installing. IT can also keep the MDM configuration profile in place and use MDM to remove only the specific configuration profiles and provisioning profiles they want to delete. This approach keeps the device managed by MDM and eliminates the need to re-enroll once it is back within policy. Both methods give IT the ability to ensure that information is only available to compliant users and devices and that corporate data is removed without interfering with the user's personal data such as music, photos, or personal apps. To permanently delete all media and data on a device, MDM can remotely wipe a Mac. If a user has lost their device, IT can also choose to send a remote lock command to the device. This process locks the device and requires a password created by the administrator to unlock and resume use of the device.
Providing our users with the necessary applications to perform their duties is essential to the success of our business operations. Device-based app management allows us to distribute apps directly to our users' devices with Apple Business Manager and MDM. And the process to get devices up and running is easy, whether they're assigned to a specific user or not. We use VPP and MDM to assign and distribute apps directly to a device instead of requiring the user's Apple ID. This includes installing apps on macOS devices without first configuring an Apple ID or sending an invitation to a user. If your organization has a large number of devices, you may benefit from enabling macOS content caching, which locally caches apps, operating system updates, and other content from Apple.
Several new features are forthcoming in macOS Big Sur which will further enhance app distribution. One of the key new features is managed apps. Managed apps will empower users to install their previously used apps via their Apple ID. Managed apps will also provide IT admins with the ability to lock important applications to prevent those apps from being removed or used maliciously. For additional details on new features within macOS Big Sur, please see these related sessions and the previously mentioned identity session.

Let's review. Zero-touch enrollment is a real thing and will make your life much easier. User experiences are significantly improved through user-friendly approaches to common problems. Hardware deployment can be a hands-off, efficient process for users and admins alike. The sky is the limit with security settings. They can be customized based on business needs, user roles, DS groups, and other criteria. There is no one-size-fits-all approach to device management; use what works best for your organization and your goals. Start small and expand your device management solutions and complexity over time. Zero-touch enrollment allows efficient provisioning of devices to users without the need for IT to touch or configure each device. And finally, the ability to unbox and go provides a great user experience.
Thank you very much for attending this session. I hope you enjoy the rest of your WWDC 2020 experience.
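As an added example (not Apple's code and not part of the session), the following Python script builds a macOS configuration profile carrying two of the payloads the session describes, a passcode policy and FileVault enforcement, and then lints the result the way an MDM admin might before pushing it to a test environment. The payload type identifiers and keys follow Apple's Configuration Profile Reference as I understand it and should be verified against the current documentation; the `com.example.mdm` identifier prefix, the display names and the baseline thresholds in the linter are constructed placeholders.

```python
# Added example: build and lint a .mobileconfig profile with a passcode policy
# and FileVault enforcement. Standard library only. Identifier prefix, display
# names and baseline thresholds are assumptions made for this example.
import plistlib
import uuid

ORG_PREFIX = "com.example.mdm"  # assumption: placeholder reverse-DNS prefix


def _payload(payload_type, name, content):
    """Wrap payload-specific keys with the common keys every payload needs."""
    payload = {
        "PayloadType": payload_type,
        "PayloadIdentifier": f"{ORG_PREFIX}.{payload_type}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": name,
    }
    payload.update(content)
    return payload


def passcode_payload(min_length=12, max_failed=10, max_age_days=90, max_inactivity=5):
    """Passcode policy payload (com.apple.mobiledevice.passwordpolicy)."""
    return _payload("com.apple.mobiledevice.passwordpolicy", "Passcode Policy", {
        "forcePIN": True,                # a passcode is mandatory
        "allowSimple": False,            # no repeating/ascending sequences
        "requireAlphanumeric": True,
        "minLength": min_length,
        "maxFailedAttempts": max_failed,
        "maxPINAgeInDays": max_age_days,
        "maxInactivity": max_inactivity, # minutes before the screen locks
    })


def filevault_payload(defer=True, max_bypass=0):
    """FileVault enforcement payload (com.apple.MCX.FileVault2)."""
    return _payload("com.apple.MCX.FileVault2", "FileVault", {
        "Enable": "On",
        "Defer": defer,                  # prompt at login instead of immediately
        "DeferForceAtUserLoginMaxBypassAttempts": max_bypass,  # 0 = no skipping
        "UseRecoveryKey": True,
        "ShowRecoveryKey": False,        # keep the key out of the user's view
    })


def build_profile(payloads, display_name="Baseline Security"):
    """Top-level profile that installs device-wide and resists user removal."""
    return {
        "PayloadType": "Configuration",
        "PayloadScope": "System",
        "PayloadIdentifier": f"{ORG_PREFIX}.baseline",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": display_name,
        "PayloadRemovalDisallowed": True,
        "PayloadContent": list(payloads),
    }


def render_profile(profile):
    """Serialize the profile as XML plist bytes (the .mobileconfig format)."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def load_profile(profile_bytes):
    """Parse .mobileconfig bytes back into a dict."""
    return plistlib.loads(profile_bytes)


REQUIRED_KEYS = ("PayloadType", "PayloadIdentifier", "PayloadUUID", "PayloadVersion")


def lint_profile(profile_bytes):
    """Return a list of findings (empty means clean): structural rules that
    commonly make an MDM reject a profile, plus a weak-baseline check."""
    findings = []
    profile = load_profile(profile_bytes)
    if profile.get("PayloadType") != "Configuration":
        findings.append("top-level PayloadType must be 'Configuration'")
    for key in REQUIRED_KEYS:
        if key not in profile:
            findings.append(f"top-level missing {key}")
    seen_uuids = {profile.get("PayloadUUID")}
    for i, payload in enumerate(profile.get("PayloadContent", [])):
        for key in REQUIRED_KEYS:
            if key not in payload:
                findings.append(f"payload {i} missing {key}")
        puuid = payload.get("PayloadUUID")
        if puuid is not None:
            if puuid in seen_uuids:
                findings.append(f"payload {i} reuses a PayloadUUID")
            seen_uuids.add(puuid)
        ptype = payload.get("PayloadType")
        if ptype == "com.apple.mobiledevice.passwordpolicy":
            if payload.get("minLength", 0) < 8 or payload.get("allowSimple", True):
                findings.append(f"payload {i}: passcode policy weaker than baseline")
        if ptype == "com.apple.MCX.FileVault2" and payload.get("Enable") != "On":
            findings.append(f"payload {i}: FileVault not enabled")
    return findings


if __name__ == "__main__":
    data = render_profile(build_profile([passcode_payload(), filevault_payload()]))
    print(data.decode())
    print("findings:", lint_profile(data))
```

Running the script prints the XML you would upload to the MDM and an empty findings list; weakening `passcode_payload(min_length=4)` or reusing a `PayloadUUID` produces findings instead. As the session suggests, push the profile to a test environment before production, since `PayloadScope` "System" and `PayloadRemovalDisallowed` make it device-wide and non-removable by the user.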