Apple device monitoring—9 things you need to know

Mac monitoring is still seen as something of a weird science by many MSPs, but it is going to be a growing issue if you continue to ignore these devices. We’re increasingly seeing unmonitored Apple devices on our networks, and the harsh reality is that if you’re not monitoring these devices on your customers’ networks, you’re not only creating risk, you’re also missing out on a potential revenue stream.
Here are nine things you need to know to get started managing the Apple devices on your customers’ networks:
1. Why bother adding Apple support?
It’s a revenue boost for you. In the second quarter of 2022, Apple shipped 15.3% of all PC units in the U.S. according to Statista, and that percentage is likely to continue to grow, with some expecting that figure to get as high as 25% in the next three to five years. Are you really going to turn that down, and give that money to somebody else?
The consumerization of IT over the past decade has meant that employees are choosing Apple products as their personal devices and your customers are recognizing that employee efficiency is improved when they get to use the devices that they prefer. As an MSP, you need to be able to handle that and assist your customers by supporting those devices.
2. What happens if I don’t want to support Apple devices?
The most obvious answer here is customer loss. And I can say this as an MSP that has taken business away from other MSPs because I supported Apple devices.
On multiple occasions I’ve had customers come to me and say: “We like our MSP, but they’re really bad at the Apple support and our Apple users are unhappy. We really want somebody to help them, but we really just want one vendor that can do everything. Can you do both?” And we win the business. So that absolutely is going to happen.
Beyond that, you’re leaving your customer open to risk. If you’ve got a bunch of Apple devices sitting there completely unpatched, then you’re creating a vulnerability. Even if you say it’s the customer’s responsibility to ensure those devices are protected, you’re the one that is going to be dealing with the aftermath if they have a breach due to one of those devices.
3. So where do you begin with monitoring Macs?
You need to be monitoring the same things for Apple devices as you are for Windows devices. So, you need to be monitoring alerts; you need automations to fix some of those alerts for you; you need remote access; you need backup; and you need security—so things like EDR and DNS filtering.
Everything you deploy for Windows, you need to deploy for the Apple devices you need to manage.
4. What do I need to know about Macs?
OK, so some parts of managing Apple products are going to be a little different to what you’re used to with Windows. At its core this boils down to a consumer vs business approach. Every Apple product is a consumer-first device right out of the box. In other words, it doesn’t belong to a company, it belongs to the user of that device, so you have to re-provision it somehow to work in a business setting.
Probably the biggest mistake we see our partners make is that they put Apple devices on business networks when they are still consumer owned. So, you really have to take time to provision them properly for business from the beginning.
This either means that you need to wipe the device and set it up as a business device, or you need to order your Apple devices through an Apple Business Manager (ABM) account (we’ll talk more about that shortly). Once this is done you can then enrol them in device management.
5. What does Apple device management let me do?
When your Apple device is business owned, you can use device management to push down configurations that the user can’t override. For example, Macs have a built-in firewall that is turned off by default. As an MSP you can turn it on, but if the user has some problem and you’re delivering poor support, they can just simply switch it off. Will they turn it back on when they’re done? Probably not. And this is going to leave you with an exploitable vulnerability. However, if it’s enrolled in device management and it’s a business-class machine, you can push down a configuration that says the firewall should stay on, and the end user then can’t turn it off.
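As an added illustration (not from the original article or from N‑able), the following Python script audits a configuration profile before it is pushed through device management, confirming that it carries Apple's `com.apple.security.firewall` payload with `EnableFirewall` set to true. The profile identifier, UUID and sample payloads are constructed for the example.

```python
import plistlib

FIREWALL_TYPE = "com.apple.security.firewall"  # Apple's firewall payload type


def make_profile(payloads):
    """Build a constructed, unsigned .mobileconfig (XML plist) for the demo."""
    return plistlib.dumps({
        "PayloadType": "Configuration",
        "PayloadIdentifier": "com.example.msp.baseline",        # hypothetical
        "PayloadUUID": "00000000-0000-0000-0000-000000000001",  # constructed
        "PayloadVersion": 1,
        "PayloadContent": payloads,
    })


def audit_firewall(profile_bytes):
    """Return a list of findings; an empty list means the firewall is enforced."""
    try:
        profile = plistlib.loads(profile_bytes)
    except Exception:
        # Signed profiles are CMS-wrapped and must be unwrapped first.
        return ["profile is not a readable plist"]
    if not isinstance(profile, dict):
        return ["profile root is not a dictionary"]

    payloads = profile.get("PayloadContent") or []
    firewall = [p for p in payloads
                if isinstance(p, dict) and p.get("PayloadType") == FIREWALL_TYPE]
    if not firewall:
        return ["no firewall payload: the setting stays under the user's control"]

    findings = []
    for index, payload in enumerate(firewall):
        # A missing key is treated the same as an explicit false.
        if payload.get("EnableFirewall") is not True:
            findings.append(f"firewall payload {index}: EnableFirewall is not true")
    return findings


if __name__ == "__main__":
    samples = {
        "wifi only": make_profile([{"PayloadType": "com.apple.wifi.managed"}]),
        "firewall off": make_profile([{"PayloadType": FIREWALL_TYPE,
                                       "EnableFirewall": False}]),
        "firewall on": make_profile([{"PayloadType": FIREWALL_TYPE,
                                      "EnableFirewall": True}]),
    }
    for name, data in samples.items():
        print(name, "->", audit_firewall(data) or "OK")
```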
On top of this, if someone uses their Apple ID and creates an activation lock on their device, and then they quit and you don’t know their Apple ID and password, all of a sudden you’ve got a brick. You’ve got to go to an Apple Store and spend a considerable amount of time proving you own the device in order to get them to reset the activation lock. However, if it’s enrolled in device management, it’s already known as a business owned device and you can override that activation lock immediately.
Also, unless you’re planning to have users patch their own machines (which we wouldn’t advise), Apple patch management is done through device management. So device management is going to be central to an MSP’s life when it comes to managing Apple devices.
6. But Macs don’t need virus protection, do they?
They certainly do. The old “security by obscurity” is very outmoded thinking. And if you don’t believe it, why do you think Apple has a new anti-malware solution built into the operating system with XProtect? Also, the iPhone is getting a Lockdown Mode, which lowers its attack surface so there are fewer vectors through which an attacker can get into an iOS device.
There’s also an argument to be made that Microsoft is more secure than Apple, because they’ve been dealing with security threats forever, so they’re more practiced in it. Apple, on the other hand, is a little late to the game, and even they admit they’re not happy with the security of macOS compared to iOS.
So, you definitely still need the protections.
7. Do I need a separate Apple-only toolset?
Sometimes, maybe. But in reality, it’s going to add more cost when it should basically be doing the same thing that your Windows RMM platform is already doing.
Apple-only tools tend to be more expensive. Their total addressable market is around 13.5% of all PCs (as of Q3 2022), so they have to increase their price—it’s supply and demand. For example, Jamf Business Class is currently $13/device (30th Sept. 2022). On top of the direct cost, there’s also the soft cost of having to train techs on two systems.
Having one RMM platform that can manage both Windows and Mac devices is likely to always be more cost effective.
8. So, what is Apple Business Manager?
If you buy your Apple devices through an Apple Business Manager (ABM) account, they automatically come provisioned as a business-class machine. The issue here for MSPs is that they cannot open an ABM account on behalf of the customer, the customer needs to get their own. But when it’s done this way, devices can be instantly enrolled in device management and the agent can be pushed straight down to them.
Another thing that ABM does is manage App Store purchases. So instead of having each user log into the App Store and buy their own copies of the apps they need for work, the company can buy them inside ABM and then the MSP can use device management to push the apps down to the individual device.
9. What about Apple Business Essentials?
Apple recently brought out Business Essentials, which takes ABM and adds built-in device management, alongside some other stuff like free Apple Care Plus for hardware repairs and priority support. While it includes some good stuff, it’s still an early venture into the device management market, and it lacks some of the more advanced management capabilities of other solutions, as well as facing questions around its scalability and the efficacy of iCloud compared to more established solutions.
These nine things will help you start to demystify Apple device management. N‑able™ RMM platforms allow MSPs to monitor, manage, and help protect Mac devices on their customers’ networks, all within a single dashboard.
Brian Best is Senior Product Manager at N‑able