Apple mobile device management guide

Apple builds mobile device management capabilities into its devices and offers tools such as Profile Manager and Configurator to give IT even more control.

For Apple, the name of the mobile device management game is simplicity. The capabilities in iOS let IT administrators control users' devices, defend against threats and lower operating costs with as few hoops to jump through as possible.

To deliver on this promise of simplicity, Apple lets IT admins manage and secure both corporate and user-owned tablets and smartphones through the cloud or with on-premises deployments. And starting with iOS 7, Apple gives admins the power to enroll user devices in mobile device management (MDM), instead of relying on users to do it themselves.

Take a look at Apple mobile device management tools, including Profile Manager and Apple Configurator, to see how well the company delivers on its promise of simplicity.

What is Profile Manager?

Profile Manager, an OS X server-based application, allows IT admins to configure and enforce policies on Macs and iOS devices through user profiles. Admins can use Profile Manager to track how much data and bandwidth each device uses and to keep an eye on application licensing and VPN connections. IT can also enable user self-service for tasks such as password management. Admins can also prevent users from working with certain iOS features, such as iCloud and AirDrop, and remotely lock or wipe devices.

On the negative side, Profile Manager does not offer support for non-iOS mobile devices.

How do users get configuration profiles and what can the profiles do?

Apple's configuration profiles are XML files, so users can easily install them on their devices through USB, an email attachment or a website link. Alternatively, IT admins can install the profiles themselves on a user's device by connecting the device to a remote server with the iOS MDM protocol.

Once a device is enrolled, IT admins can lock or wipe data, reset passcodes, install apps and more. They can also divide profiles into smaller sections so they can deliver a specific group of existing settings to another user or device. The profiles also separate work and personal data with app-level capabilities that allow IT to decide who can share corporate data and with what apps. They can also push apps, content and accounts to devices. If a device is no longer enrolled with MDM, all of the enterprise information is automatically erased. Users don't have to worry, though, because the wipe does not touch their personal data.

What is Apple Configurator?

Apple Configurator is free to download from the Mac App Store, and admins can configure up to 30 different devices at once with it. Apple Configurator has three options. First is Prepare, which is where admins actually create the configurations for each device and apply them to devices.

The next option is Supervise. When Supervise is on, IT has complete control over the device, which is ideal when devices are shared among multiple users. Last but not least, Assign allows admins to, as the name suggests, assign supervised devices to users. They can also back up user profile data so users can access their data the next time they use a shared device.

What MDM features are built into Apple devices?

Apple's built-in MDM frameworks allow admins to manage user accounts and gather device usage information.

The Device Enrollment Program (DEP), which applies to devices qualified organizations purchase directly from Apple, adds to the existing Apple mobile device management foundation without requiring any third-party products. Whether they choose to use a third-party MDM product or rely on Apple's built-in MDM frameworks, admins can use DEP to automatically enroll user devices. IT admins simply create a DEP account and preconfigure the device settings so that when users activate their devices for the first time, certain applications are restricted and others are installed. The DEP also automatically sends any existing profile information to the user's device.

How can admins take control of the data itself?

With a good MDM product, IT admins can deliver data access to specific users and apps while limiting access for other users and apps, and encrypt data at rest on a device and in motion between devices. Managed Open In helps admins take things a step further by ensuring corporate data stays safely within IT-approved apps. To get the most out of MDM and Open In, admins can pair them to whitelist certain apps for use and blacklist any apps they consider to be dangerous.
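Because configuration profiles are XML property lists, the restrictions discussed above (iCloud, AirDrop and Managed Open In) can be checked before a profile is deployed. The following is an added example, not code from Apple or from this guide: it audits a constructed, unsigned sample profile, and the policy baseline in `EXPECTED_FALSE` and the function name `audit_profile` are assumptions made for illustration.

```python
import plistlib

# Constructed sample profile (not from a real deployment); unsigned XML plist.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>allowOpenFromManagedToUnmanaged</key><false/>
      <key>allowAirDrop</key><false/>
      <key>allowCloudBackup</key><true/>
    </dict>
  </array>
</dict>
</plist>"""

# Assumed baseline: restriction keys that must be false in a locked-down profile.
# A missing key is a finding because iOS allows these features by default.
EXPECTED_FALSE = ("allowOpenFromManagedToUnmanaged", "allowOpenFromUnmanagedToManaged",
                  "allowAirDrop", "allowCloudBackup")

def audit_profile(data: bytes) -> dict:
    """Return {key: reason} for each data-sharing restriction not enforced."""
    profile = plistlib.loads(data)
    merged = {}
    # Restrictions live in payloads of type com.apple.applicationaccess.
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") == "com.apple.applicationaccess":
            merged.update(payload)
    if not merged:
        return {k: "no restrictions payload" for k in EXPECTED_FALSE}
    findings = {}
    for key in EXPECTED_FALSE:
        if key not in merged:
            findings[key] = "not set (defaults to allowed)"
        elif merged[key] is not False:
            findings[key] = "explicitly allowed"
    return findings

if __name__ == "__main__":
    for key, reason in audit_profile(SAMPLE_PROFILE).items():
        print(f"{key}: {reason}")
```

A signed profile is wrapped in a CMS envelope and must be unwrapped and verified before this parser can read it.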
