macos Sierra Technical Training


macos Sierra Technical Training, August 2017

Contents

Introduction 4
Prepare 6
  Consider an Apple Readiness Review 7
  Consider training and certification 7
  Establish your deployment strategy 7
  Establish corporate policies for Mac computers 8
  Define the Mac lifecycle 10
  Define your software update strategy 15
  Decide on your app distribution 17
  Assess your environment for deployment 19
  Consider a pilot 23
  Obtain an MDM solution 24
  Consider joining MDM to Active Directory 25
  Prepare to join Mac computers to Active Directory 25
  Enroll in Apple Deployment Programs 26
Set Up 30
  Enroll devices in MDM 30
  Assign Mac computers to an MDM server 31
  Configure a Mac 33
  Set up a user self-support site 39
  Execute a test plan 39
Deploy and Manage 40
  Deploy devices 40
  Manage security 41
  Manage devices 45
  Manage the self-support site 48
Exercises 49
Appendix A: macos Security 102
  Introduction 102
  App security 103
  Sandboxing 103
  Mandatory access controls 103
  Enhanced quarantining 104
  Memory and runtime protection 104
  Gatekeeper 105
  Authorization and authentication 105
  AuthPlugins 105
  Access permissions 106
Appendix B: Join Open Directory and LDAP 107
  Open Directory 107
  LDAP 110
Appendix C: System Imaging 112
  Disk images 112
  Installer packages 112
  Installer 113
  Create installation packages 113
  Create system images 117
Appendix D: Wireless Specifications 121
Appendix E: Resources and Support 125
  Training 125
  Apple programs 125
  Lease and trade-in 126
  Support 126
  Documentation 126
  Third-party MDM solutions 127

Introduction

This guide shows you how to integrate Mac computers into your company's existing network. By following the prepare, set up, deploy, and manage phases, you'll quickly get employees up and running on a Mac. Each phase is covered in a section in this guide. Links to more resources are located in the Resources and Support appendix.

[Figure: the four phases and the steps in each]
Prepare: Consider Apple Readiness Review; consider training and certification; establish deployment strategy; define corporate policies for Mac; define Mac life cycle; define software update strategy; establish app distribution strategy; assess environment for deployment; consider pilot; obtain MDM solution.
Set Up: Enroll devices in MDM; assign Mac to an MDM server; configure devices; set up user self-support site; execute test plan.
Deploy: Deploy devices.
Manage: Manage security; manage devices.

The Prepare section teaches you how to establish your deployment strategy, assess your environment, and join Apple Deployment Programs. The Set Up section covers setting up your services to handle the deployment phase. The Deploy and Manage section covers how to give Mac computers to users and how to provide ongoing maintenance and management.

To complete this training, first read the Prepare, Set Up, Deploy, and Manage sections to learn the technology. Then complete the exercises in the Exercises section.

Note: The scenario for this training is a minimal-touch deployment of 500 or more Mac computers. System imaging was widely used for deployment before the Device Enrollment Program (DEP) and mobile device management (MDM) existed. Today, DEP and MDM enable minimal-touch deployments, which are the easiest way to deploy large numbers of Mac computers.

The exercises use the Profile Manager service of macos Server 5.3 or later. If you have a different MDM solution, you can use that instead. To complete the exercises, you need the equipment and information listed below. If you don't have these things, you can follow along with the exercises to learn how to proceed after you do have what you need.

For the Caching and Profile Manager services:
- A Mac running macos Sierra
- The Mac local administrator account name and password
- macos Server 5.3 or later
- A minimum of 25 GB available disk space
- Wired Ethernet connection
- Broadband connection (for the Caching service)
- An additional Mac running macos Sierra, to confirm a user's experience

Many organizations use Active Directory services to centralize user identification, authentication, and authorization. You can easily integrate Mac computers into Active Directory. The optional exercises for Active Directory require the following services and equipment:
- Access to a running Active Directory server
- Windows Server 2008 R2 SP1 or later
- Active Directory Domain Services
- Active Directory user name and password
- An Active Directory Administrator account with join (bind) privileges

Prepare

The first step in any deployment is to consider your existing environment. You must prepare your network and set up any necessary systems. After you complete this section, you'll be able to:
- Describe Apple Readiness Review
- Describe Apple training and certification offerings
- Choose a deployment strategy
- Define corporate policies for Mac computers
- Define the Mac lifecycle
- Define your software update strategy
- Establish your app distribution strategy
- Assess your environment for deployment readiness
- Create a Mac deployment pilot
- Obtain an MDM solution
- Enroll in Apple programs

Consider an Apple Readiness Review

Note: An Apple Readiness Review may not be available in your region. Please contact for pricing and more information.

An Apple Readiness Review is an onsite technical evaluation of your IT infrastructure conducted by senior-level Apple engineers. They will show you how Mac computers can integrate into your existing environment and policies. During this review, an Apple Professional Services engineer provides these onsite and remote services:
- IT infrastructure assessment
- Hands-on mentoring
- 4 hours of remote consulting
- Immediate feedback
- A formal readiness report
- Followup for knowledge transfer
- Next steps plan

Consider training and certification

If you have never used Mac computers before, you should explore the following technical training and certification programs provided by Apple.
- Apple Training: Learn everything you need to know to master macos and related technologies. Our expert Apple Certified Trainers teach the Apple-approved curriculum and complement it with their industry knowledge and experience.
- Apple Certification: Demonstrate your knowledge of Apple technology, and make macos certification part of your career path.
- Get to Know Your New Mac: This training helps you set up your Mac and learn about some of its great features.
- Mac Integration Basics 10.12: If you want to integrate Mac computers into an existing Windows or other standards-based network, you can take this training. It guides you through setting up your Mac to take full advantage of network services such as directory services, file sharing, printing, email, and more.
- macos Support Essentials 10.12: A 3-day course that describes the best ways to support macos Sierra users. The course includes lectures and hands-on exercises that provide real-world experience.

Establish your deployment strategy

Evaluate deployment strategies and choose one or more that are best for your organization. Corporate ownership of Mac computers is the most common approach for deployment. Some organizations may also want to deploy employee-owned Mac computers. For the exercises in this training, we're assuming corporate-owned devices. Here are some more deployment strategy examples:
- Mac computers are issued as the standard personal computer to all employees or to an entire group or division.
- Mac computers are deployed as part of a choice program for all employees or subsets of employees.
- A large enterprise deploys Mac computers to corporate headquarters first, and later deploys them to its regional and international locations.
- A medium-sized organization owns a substantial number of Mac computers. IT decides to manage those computers.
- A large company with several hundred Mac users on its executive, marketing, and engineering teams decides to offer Mac computers as a choice to all employees.
- A government agency has many Mac computers. It decides to refresh them and deploy them as a choice for remote employees.
- A medium-sized company offers Mac computers as a standard to all employees.

Establish corporate policies for Mac computers

Start your corporate policy development by establishing general policies that cover the majority of Mac users at your company. Then, if necessary, develop more policies for subsets of users, with more fine-grained settings.
- Design configurations.
- Set user-specific customizations, such as mail accounts.
- Establish group policies, such as deploying software that's specific to a particular business unit.
- Update existing corporate policies to incorporate the use of Mac computers.

Some core policies remain the same across all platforms, such as password complexity and rotation requirements, screensaver timeouts, and acceptable use. Some policies use different terms for similar functionality. Resist the temptation to port your policies directly from Windows to macos. Consider the need the policy addresses, then decide whether that policy should be enforced on Mac computers. If so, understand how it would be implemented.

If your corporate policy mandates a technology that's specific to one platform, reframe the policy to address the underlying issue. For example, every business needs to protect corporate data if a Mac is stolen. Rather than mandate that each computer use BitLocker to encrypt an entire disk, mandate that corporate data be encrypted at rest. This requirement can be easily accomplished using FileVault. FileVault full-disk encryption uses XTS-AES-128 encryption with a 256-bit key to help prevent unauthorized access to the information on your startup disk and other volumes.

If your corporate policy mandates the use of antivirus software, you can update it to take advantage of the macos Gatekeeper feature. With the most secure Gatekeeper setting, users can install only signed and sandboxed apps from the App Store. A second setting enables users to install apps from the App Store and apps that have a Developer ID. Developers can get a unique Developer ID from Apple and use it and Xcode to digitally sign their apps. You can enforce Gatekeeper use with your MDM solution to prevent user override.

Define the Mac lifecycle

Establish your purchasing strategy

Do you want to buy or finance your Mac computers? When you finance, you get Apple products and business upgrades with minimal up-front investment. Financing can cover Mac computers, services, accessories, AppleCare, and third-party products. Read more about financing your purchases on the Apple business financing website.

If you buy Mac computers through an Apple Authorized Reseller or carrier, contact them to make sure that they participate in the Device Enrollment Program (DEP) and that your purchases are linked to that reseller's DEP Reseller ID. If you buy Mac computers directly from Apple, make sure each purchase is linked to your Apple Customer Number. Ask your Apple representative to verify your customer number for use with DEP or to set up purchasing options and establish a customer number. Visit the Apple Direct Customer Agreement webpage for more information.

Establish your self-support strategy

Many organizations find that Mac users require minimal support from IT. To encourage self-support and increase its quality, you can develop self-support tools. Examples include developing a robust Mac support webpage, offering self-help forums, and providing onsite tech help bars. MDM can provide support information and enable users to perform support tasks like these from a self-service portal:
- Installing software
- Offering self-help and training videos
- Obtaining organizational templates, documents, and software updates
- Adding printers
- Adding virtual private network (VPN) and 802.1X (port-based Network Access Control) configurations
- Performing simple IT tasks, such as checking disk integrity

Decide whether or not to use a managed service provider

Some organizations contract with a managed service provider (MSP) to provide technology support and maintenance for a fixed cost per computer or user. For example, support could include networking equipment, security, servers, help desk, email, and software installation and updates. If you currently have a service-level agreement (SLA) with an MSP, does it cover Mac computers? After the terms of the contract have ended, what are the processes for you to receive access to manage your own infrastructure again?

Identify IT resources that are available to support Mac computers

Many companies discover that supporting Mac computers is so easy that they can support a large number of them per help desk technician. Can you train existing IT resources to support Mac computers? You might not need to create more positions devoted to supporting them.

Integrate Mac computers into your ticketing or IT service management system

Establish a ticketing system for service requests. If you don't already have a formal ticketing system for service requests, evaluate and establish one now. Ensure that Mac support personnel have access to the system.

Establish your support strategy
- Business Support: All the topics, resources, and contact options you need for business.
- AppleCare OS Support: Three tiers of support for Apple OS integration, migration, and advanced server operation.
- AppleCare Protection Plan: Most Apple hardware comes with a 1-year limited warranty and up to 90 days of complimentary telephone technical support. To extend your coverage, buy the AppleCare Protection Plan.
- AppleCare for Enterprise: From 24/7 phone support to priority onsite repairs, you'll get personalized help from experts who can keep your IT operations running smoothly.
- Apple Self-Servicing Account (SSA) program: For organizations that would like the convenience of repairing their own products. Program participants are authorized to repair only the products they own or lease. A minimum combined installed base of 1000 Apple products is required. Program participants have access to Global Service Exchange (GSX). Some MDM solutions integrate with GSX to import information such as purchase date, warranty expiration date, and AppleCare ID warranty reference number.

Define your Mac lifecycle policies

When your company decides to sell, recycle, or donate a Mac to other users, you should define and communicate the steps that users and the IT team should take. For example, who will back up the Mac? Who should disable certain features on it? Who will erase the hard drive? When a Mac in your business reaches the end of its use, will you give it to another user or recycle it?

Define the user login experience

When users in your company log in to their Mac computers, what experience will they have? Will they share a Mac? Must they log in to network-provided services? What kinds of accounts do they need? After you define the user login experience, you can manage it with MDM.

By default, Mac provides several local account types that a user can configure from the Users & Groups pane of System Preferences:
- Administrator
- Standard
- Managed with Parental Controls
- Sharing Only
- Group

If you create a managed administrator account, you can hide it in the Users & Groups pane of System Preferences so that Mac users don't interfere with it. You can remotely change passwords for managed administrator accounts by using MDM.

Related: To add your MDM server to your DEP account

With MDM, you can set up mail and other user accounts automatically. Depending on the MDM solution you use and its integration with your internal systems, you can prepopulate account payloads with a user's name, email address, and certificate identities for authentication and signing.

A federated identity links a user's electronic identity and attributes that are stored across multiple distinct identity-management systems. A user's federated identity is linked to their single sign-on (SSO), in which a user's single authentication ticket, or token, is trusted across multiple IT systems or organizations. SSO is a subset of federated identity management, because it relates only to authentication and is understood on the level of technical interoperability. With SSO, a user provides authentication information once and receives a ticket to access resources for as long as the ticket is valid. SSO enables users to maintain secure access to resources without being asked for credentials every time they request access. SSO also increases daily app-use security by ensuring that passwords are never transmitted over a network.

In computer security, Kerberos is an industry-standard protocol created by the Massachusetts Institute of Technology to provide authentication over a network. Kerberos is the strongest password-based authentication scheme available to clients. macos supports Kerberos, and if you have Active Directory, Kerberos is probably already being used.

Related: To join macos Server to Active Directory using Directory Utility; To join Active Directory using Terminal; To verify connectivity to Active Directory

When you integrate a Mac into an Active Directory environment, it prioritizes Kerberos for authentication activities. You can prohibit the use of other authentication protocols such as Microsoft's NT LAN Manager, Digest, and Basic without affecting Mac computers or services provided by your MDM solution. When a user logs in to a Mac using an Active Directory account, the Active Directory domain controller automatically issues a Kerberos Ticket Granting Ticket (TGT). When the user attempts to use a service in the domain that supports Kerberos authentication, the TGT is used to obtain a ticket for that service without requiring the user to authenticate again. If a policy is set to require a password to dismiss the screensaver, macos attempts to renew the TGT after successful authentication.

To properly support Kerberos, both forward and reverse Domain Name System (DNS) records must be accurate for Kerberized servers. System clock time is also important, because clock skew must be less than 5 minutes between any servers and clients. The best practice is to set the date and time automatically in macos using a Network Time Protocol (NTP) service, such as time.apple.com.

Related: To verify your email address and enable two-step verification

Any app that supports Kerberos authentication works with SSO. This includes many of the apps built into macos, such as Safari, Mail, Calendar, and Messages, as well as services like file sharing, screen sharing, and secure shell (SSH). Many third-party apps, such as Microsoft Outlook and Skype for Business, support Kerberos too.
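The two Kerberos prerequisites named above, forward and reverse DNS that agree and clock skew under 5 minutes, can be checked from the Mac before it is bound to the domain. The script below is an added example written for this page, not part of Apple's training material. The decision logic lives in dns_consistent and skew_ok, which take plain values so they can be exercised with constructed inputs; check_host and check_skew perform the live lookups with dig and curl against a host you pass in. The host name kdc.example.com, the address 10.0.0.5 and the epoch values used in the comments are constructed placeholders, and check_skew assumes the BSD date(1) syntax found on macos.

```shell
#!/bin/sh
# Added example, not from the Apple training guide: check the two Kerberos
# prerequisites the guide names for a Kerberized server -- forward and
# reverse DNS agree, and clock skew is under 5 minutes. The decision logic
# (dns_consistent, skew_ok) takes plain values so it can be tested offline;
# check_host and check_skew do the live lookups for a host you pass in.

MAX_SKEW_SECONDS=300   # the 5-minute Kerberos tolerance from the guide

# dns_consistent FQDN FORWARD_IP REVERSE_NAME
# The PTR name found for the A record's address must be the same host name,
# ignoring case and the trailing dot that dig prints on PTR answers.
# Example (constructed): dns_consistent kdc.example.com 10.0.0.5 kdc.example.com.
dns_consistent() {
    fqdn=$(printf '%s' "$1" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    rev=$(printf '%s' "$3" | tr 'A-Z' 'a-z' | sed 's/\.$//')
    [ -n "$2" ] && [ -n "$rev" ] && [ "$fqdn" = "$rev" ]
}

# skew_ok LOCAL_EPOCH REFERENCE_EPOCH: true when the clocks differ by less
# than MAX_SKEW_SECONDS in either direction.
skew_ok() {
    diff=$(( $1 - $2 ))
    if [ "$diff" -lt 0 ]; then diff=$(( 0 - diff )); fi
    [ "$diff" -lt "$MAX_SKEW_SECONDS" ]
}

# check_host FQDN: resolve the A record, then the PTR for that address.
check_host() {
    ip=$(dig +short A "$1" | head -n 1)
    ptr=""
    if [ -n "$ip" ]; then ptr=$(dig +short -x "$ip" | head -n 1); fi
    if dns_consistent "$1" "$ip" "$ptr"; then
        echo "DNS ok: $1 -> $ip -> $ptr"
    else
        echo "DNS mismatch: $1 -> ${ip:-<no A record>} -> ${ptr:-<no PTR>}"
        return 1
    fi
}

# check_skew URL: compare the local clock with the Date header of an HTTPS
# reply from the server. Assumes the BSD date(1) found on macos for parsing.
check_skew() {
    hdr=$(curl -sI "$1" | awk 'tolower($1) == "date:" { sub(/^[^ ]+ /, ""); sub(/\r$/, ""); print; exit }')
    if [ -z "$hdr" ]; then echo "no Date header from $1"; return 1; fi
    ref=$(date -j -f '%a, %d %b %Y %H:%M:%S %Z' "$hdr" +%s)
    if [ -z "$ref" ]; then echo "cannot parse Date header: $hdr"; return 1; fi
    now=$(date +%s)
    if skew_ok "$now" "$ref"; then
        echo "clock ok: skew $((now - ref))s"
    else
        echo "clock skew $((now - ref))s exceeds ${MAX_SKEW_SECONDS}s; enable NTP (for example time.apple.com)"
        return 1
    fi
}

# Usage: sh check_kerberos_prereqs.sh kdc.example.com   (constructed host name)
if [ -n "${1:-}" ]; then
    check_host "$1"
    check_skew "https://$1/"
fi
```

Run it against each Kerberized server (domain controllers first) from a Mac on the network it will be bound from; a DNS mismatch or a skew failure here predicts the bind or ticket errors the text warns about.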
With an MDM solution, you can configure the following types of accounts:
- Calendar
- Contacts
- Exchange Web Services (EWS)
- Google
- Jabber
- LDAP
- Mail
- Subscribed calendars
- VPN
- 802.1X

Related: To create or edit configuration profiles

Apple devices support digital certificates and identities, which gives your organization streamlined access to corporate services. You can use certificates in many ways. For example, Safari can check the validity of an X.509 digital certificate and establish a secure session with up to 256-bit AES encryption. This validity check involves verifying that the site's identity is legitimate and that communication with the website is protected to help prevent interception of personal or confidential data. You can also use certificates to guarantee the identity of the author or signer and to encrypt mail, configuration profiles, and network communications.

Apple devices include a number of preinstalled root certificates from Certification Authorities (CAs), and macos validates the trust for these root certificates. You can use these digital certificates to securely identify a client or server, and to encrypt the communication between them using the public and private key pair. A certificate contains a public key and information about the client (or server), and it is signed (verified) by a CA.

Related: To install certificates

If macos can't validate the trust chain of the signing CA, the service encounters an error. A self-signed certificate can't be verified in macos without user interaction. To view the current list of trusted root certificates in macos, go to the Apple Support webpage.

A certificate and its associated private key are known as an identity. Certificates can be freely distributed, but identities must be kept secure. The freely distributed certificate, and especially its public key, are used for encryption that can be decrypted only by the matching private key. The private key part of an identity is stored in a PKCS #12 identity (.p12) file and encrypted with another key that's protected by a passphrase. An identity can be used for authentication, such as 802.1X EAP-Transport Layer Security (TLS), signing, or encryption (such as S/MIME).

macos uses two certificate and identity formats:
- Certificate: .cer, .crt, .der (X.509 certificates with RSA keys)
- Identity: .pfx, .p12

You can manually distribute certificates to Mac computers. When users receive a certificate, they double-click it to open Keychain Access and review the contents. If the certificate matches expectations, users select the desired keychain and click the Add button. Most user certificates are installed in the Login Keychain. When an identity certificate is installed, users are asked for the password that protects it.

If a certificate's authenticity can't be verified, it's shown as untrusted, and the user can decide whether to add it to the Mac. If a certificate was issued from a CA whose root isn't in the trusted root certificates list, macos won't trust the certificate. This is often the case with enterprise-issuing CAs. You may need to establish trust with the root certificate and intermediates in the chain for multitiered public key infrastructures. You can configure enterprise trust in a single configuration profile. You can update the profile as needed without affecting other Mac services.

macos supports three ways to deploy certificate identities with configuration profiles:
- PKCS #12 identity certificate
- Simple Certificate Enrollment Protocol (SCEP)
- Active Directory certificate

If an identity is provisioned on behalf of a user or a Mac, it can be packed into a PKCS #12 file (.p12 or .pfx) and protected with a password. If the payload contains the password, the identity can be installed without prompting the user for it.

Using SCEP, macos submits the certificate signing request (CSR) directly to an enrollment server. With this technique, the private key remains only on the Mac.

By configuring the AD Certificate payload, macos places a CSR directly with an Active Directory Certificate Services issuing CA through Remote Procedure Call (RPC). You can enroll machine identities using the credentials of the Mac computer's object in Active Directory. Users can supply their credentials as part of the enrollment process to provision individual identities. Using the ADCertificate payload, administrators have more control of private key usage and the certificate template for enrollment. As with SCEP, the private key remains on the Mac.

To associate services with a particular identity, configure an ADCertificate, SCEP, or certificate payload, then configure the desired service in the same configuration profile. For example, you can configure an ADCertificate payload to provision an identity for the Mac, and in the same configuration profile, you can configure a Wi-Fi payload for WPA2 Enterprise EAP-TLS that uses the device certificate resulting from the ADCertificate enrollment for authentication.

When you configure a Mac with MDM, it can use your existing certificate systems. A Mac can obtain certificates through SCEP or an Active Directory Certificate Authority for a computer or user identity. A Mac supports the Online Certificate Status Protocol (OCSP) and Certificate Revocation List (CRL) protocol to check certificate status. You can send a certificate as an attachment in an email or host it on a secure website. Users can download the certificate from the secure website.
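To make the trust-chain and identity rules above concrete, here is an added example that is not from the guide and not Apple's tooling: it uses openssl to build a throwaway two-tier PKI with an Example Root CA, an Example Issuing CA and a leaf certificate for mdm.example.com (all constructed names), in the way an enterprise-issuing CA would. verify_leaf shows that the leaf verifies only when the root is trusted and the intermediate is available, and that a self-signed certificate is rejected outright; p12_subject shows that a PKCS #12 identity yields its certificate only with the correct passphrase (constructed-secret, a constructed value). openssl stands in for the verification that macos performs against its trusted root list.

```shell
#!/bin/sh
# Added example, not from the Apple training guide: build a throwaway
# two-tier PKI with openssl and show (1) a leaf from an enterprise CA verifies
# only when the root is trusted AND the intermediate is available, (2) a
# self-signed certificate is rejected, (3) a .p12 identity gives up its
# certificate only with the right passphrase. All names and the passphrase
# are constructed.

P12_PASS=constructed-secret

# make_test_pki DIR: root CA -> issuing CA -> leaf for mdm.example.com,
# plus a self-signed leaf and a PKCS #12 identity (leaf cert + private key).
make_test_pki() {
    d="$1"; mkdir -p "$d"
    # CA extensions: an intermediate must carry CA:TRUE or verification fails
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > "$d/ca.ext"
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Root CA' \
        -keyout "$d/root.key" -out "$d/root.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/root.csr" -signkey "$d/root.key" \
        -extfile "$d/ca.ext" -out "$d/root.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=Example Issuing CA' \
        -keyout "$d/issuing.key" -out "$d/issuing.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/issuing.csr" -CA "$d/root.crt" -CAkey "$d/root.key" \
        -CAcreateserial -extfile "$d/ca.ext" -out "$d/issuing.crt" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj '/CN=mdm.example.com' \
        -keyout "$d/leaf.key" -out "$d/leaf.csr" 2>/dev/null
    openssl x509 -req -days 1 -in "$d/leaf.csr" -CA "$d/issuing.crt" -CAkey "$d/issuing.key" \
        -CAcreateserial -out "$d/leaf.crt" 2>/dev/null
    # same key and name, but self-signed: no CA vouches for it
    openssl x509 -req -days 1 -in "$d/leaf.csr" -signkey "$d/leaf.key" -out "$d/selfsigned.crt" 2>/dev/null
    # identity = certificate + private key, protected by a passphrase
    openssl pkcs12 -export -in "$d/leaf.crt" -inkey "$d/leaf.key" -certfile "$d/issuing.crt" \
        -passout "pass:$P12_PASS" -out "$d/leaf.p12" 2>/dev/null
}

# verify_leaf TRUSTED_ROOT INTERMEDIATE_OR_EMPTY LEAF: prints OK or UNTRUSTED.
# The root plays the role of the trusted root list; the intermediate is the
# "chain" the text says you may also have to distribute.
verify_leaf() {
    if [ -n "$2" ]; then set -- -CAfile "$1" -untrusted "$2" "$3"; else set -- -CAfile "$1" "$3"; fi
    if openssl verify "$@" >/dev/null 2>&1; then echo OK; else echo UNTRUSTED; fi
}

# p12_subject P12_FILE PASSPHRASE: prints the identity's certificate subject,
# or nothing when the passphrase is wrong (the private key stays sealed).
p12_subject() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null |
        openssl x509 -noout -subject 2>/dev/null | sed 's/^subject= *//'
}

# Usage: sh enterprise_trust_demo.sh --demo
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_test_pki "$d"
    echo "root + intermediate:      $(verify_leaf "$d/root.crt" "$d/issuing.crt" "$d/leaf.crt")"
    echo "root only (no chain):     $(verify_leaf "$d/root.crt" "" "$d/leaf.crt")"
    echo "self-signed certificate:  $(verify_leaf "$d/root.crt" "" "$d/selfsigned.crt")"
    echo "p12 with passphrase:      $(p12_subject "$d/leaf.p12" "$P12_PASS")"
    echo "p12 wrong passphrase:     '$(p12_subject "$d/leaf.p12" wrong)'"
    rm -rf "$d"
fi
```

The "root only" case is the one that bites with multitiered enterprise PKIs: the root is trusted, but without the intermediate the client cannot build the chain, which is why the text recommends carrying the root and the intermediates in a single configuration profile.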
You can use MDM to view and remove certificates that a Mac installed. If you remove a certificate that's required for accessing an account or network, a Mac can't connect to those services.

To remove an installed certificate:
1. Open Keychain Access.
2. Search for the certificate.
3. Select the certificate.
4. Delete the certificate from the keychain.

Define your software update strategy

To protect your users and their data, take a comprehensive approach to keeping Mac computers up to date. Update quickly, and upgrade as soon as you've determined that your workflow is compatible with a major new version of macos. Some MDM solutions enable employees to manage certain functions themselves. For example, they can run routine maintenance tasks on their Mac or install software that you make available to them in a self-service app.

Evaluate macos prerelease versions

You can test a prerelease version of macos. Prerelease testing allows you to identify app compatibility issues and notify Apple developers about them so they can be addressed before the final release. Install beta macos software only on Mac computers that you use for development and testing or on computers that you can erase if necessary. As a member of the Apple Developer Program, your company can use beta software to start integrating the latest Apple technologies into your apps so they'll be up to date when macos becomes available to the public. Individual users can join the Apple Beta Software Program.

Install software updates as soon as they are available

macos updates often contain security updates. They are usually released in response to a specific, known security problem. Applying these updates is essential. By default, macos periodically checks for updates, downloads newly available updates in the background, and notifies users when the updates are ready to be installed. macos also automatically installs system data files and security updates as soon as they're available and enabled. If a Mac is enrolled in DEP, you can use MDM to force a software update.

Install app updates as soon as they are available

Updating apps from the App Store is secure. Apps from the App Store are reviewed by Apple and signed to ensure that they haven't been tampered with or altered. By default, a macos user doesn't need to have an administrator password to install or update apps from the Mac App Store. You can use MDM to force Mac computers to update managed apps.

Upgrade macos when a new major release is available

You can give users the choice to upgrade to the latest version of macos when it's available. macos upgrades are distributed through the App Store and performed by the macos installer app, which uses code signatures to ensure the integrity and authenticity of the installer and its packages before installation.
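The policy points from the corporate policies section (corporate data encrypted at rest with FileVault, Gatekeeper enforced) and the update settings described just above can be verified on an enrolled Mac from the shell. The script below is an added example, not part of Apple's guide or its tooling. The three parsing functions take the output of fdesetup status, spctl --status and defaults read /Library/Preferences/com.apple.SoftwareUpdate as an argument, so the pass/fail logic can be exercised with the constructed sample output included in the block; collect_report runs the real tools only where they exist. The reading of ConfigDataInstall and CriticalUpdateInstall as the "system data files" and "security updates" switches is the standard macos preference naming and is an assumption not stated on the page.

```shell
#!/bin/sh
# Added example, not from the Apple training guide: check a Mac against the
# policies the guide says can be enforced through MDM -- FileVault on,
# Gatekeeper on, automatic security updates on. The *_on functions parse the
# tool output passed as $1 so they can be tested with constructed strings;
# collect_report runs the real macos tools only when they are present.

# filevault_on "OUTPUT": `fdesetup status` prints "FileVault is On." when the
# startup disk is encrypted; anything else (e.g. "FileVault is Off.") fails.
filevault_on() {
    case "$1" in
        *"FileVault is On."*) return 0 ;;
    esac
    return 1
}

# gatekeeper_on "OUTPUT": `spctl --status` prints "assessments enabled" when
# Gatekeeper is enforcing and "assessments disabled" when it was turned off.
gatekeeper_on() {
    case "$1" in
        *"assessments enabled"*) return 0 ;;
    esac
    return 1
}

# auto_updates_on "OUTPUT": `defaults read /Library/Preferences/com.apple.SoftwareUpdate`
# prints one "Key = value;" line per preference. All four keys must be 1:
# check for updates, download in the background, install system data files
# (ConfigDataInstall, assumed mapping) and install security updates
# (CriticalUpdateInstall, assumed mapping). A missing key counts as off.
auto_updates_on() {
    for key in AutomaticCheckEnabled AutomaticDownload ConfigDataInstall CriticalUpdateInstall; do
        printf '%s\n' "$1" | grep -Eq "^[[:space:]]*${key}[[:space:]]*=[[:space:]]*1;" || return 1
    done
    return 0
}

# collect_report: run each check whose tool exists, print PASS/FAIL lines,
# and return the number of failed checks (0 means compliant).
collect_report() {
    failures=0
    if command -v fdesetup >/dev/null 2>&1; then
        out=$(fdesetup status 2>/dev/null)
        if filevault_on "$out"; then echo "PASS FileVault"; else echo "FAIL FileVault: $out"; failures=$((failures + 1)); fi
    fi
    if command -v spctl >/dev/null 2>&1; then
        out=$(spctl --status 2>/dev/null)
        if gatekeeper_on "$out"; then echo "PASS Gatekeeper"; else echo "FAIL Gatekeeper: $out"; failures=$((failures + 1)); fi
    fi
    if command -v defaults >/dev/null 2>&1; then
        out=$(defaults read /Library/Preferences/com.apple.SoftwareUpdate 2>/dev/null)
        if auto_updates_on "$out"; then echo "PASS Automatic updates"; else echo "FAIL Automatic updates"; failures=$((failures + 1)); fi
    fi
    return "$failures"
}

# Constructed sample output, in the shape the tools print on a compliant Mac.
SAMPLE_FDESETUP='FileVault is On.'
SAMPLE_SPCTL='assessments enabled'
SAMPLE_SWUPDATE='{
    AutomaticCheckEnabled = 1;
    AutomaticDownload = 1;
    ConfigDataInstall = 1;
    CriticalUpdateInstall = 1;
}'

# Usage: sh mac_policy_check.sh --report   (exit status = number of failures)
if [ "${1:-}" = "--report" ]; then
    collect_report
fi
```

The point of parsing tool output rather than trusting a profile's presence is that a profile can be installed while the setting it manages was never applied; checking the effective state is what an auditor wants. Run it from the MDM's script facility or a self-service task and alert on a non-zero exit status.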
Consider the Caching service

Consider enabling the macos Server Caching service to supplement your MDM solution. This service can speed up Apple software downloads that are distributed over the Internet by storing local copies of the software on your server. icloud caching stores the files users have in their icloud accounts, such as Pages or Numbers documents. icloud cached data is encrypted so users' data is secure. macos Server includes built-in support for caching the following software:

itunes
- itunes and later (macos and Windows versions)

macos
- macos updates
- Mac App Store apps and updates
- Other software updates distributed by Apple (including updates to itunes for macos and printer drivers)
- GarageBand downloadable content
- icloud data caching (photos and documents)

Related: To start the macos Server Caching service; To select a volume for caching; To set the cache size or delete all cached content; To set the cache for clients connecting from all networks or local subnet; To set the cache for clients connecting from certain networks

Note: In a production environment, use separate servers for MDM and caching.

Decide on your app distribution

Digital transformation happens with apps, from Mac App Store apps that solve everyday challenges to custom apps that deliver unique functionality and redefine workflows. The best place to begin is the Mac App Store, and you can take a shortcut to success by encouraging users to find solutions to everyday challenges. Then use your internal app catalog to promote those apps to others so they can benefit too.

Related: To enroll in VPP; To install a VPP service token in your MDM server

Identify the apps that are helpful for your users and decide how to distribute them. MDM and the Volume Purchase Program (VPP) give you lots of power and options for automatically installing apps. Many MDM solutions enable you to create an internal app catalog to promote apps that users can install on their own when needed.

Create custom apps

Creating your own in-house apps that solve specific business challenges is a powerful and flexible way to deliver lasting business value, and it may be faster than you think.

Select apps from Apple and third-party providers

Every Mac comes with a set of apps, including Pages, Numbers, and Keynote. Your users probably need more apps, too. Apple may distribute more apps through the App Store, or they may be available directly from third-party providers.

Apps from the App Store are sandboxed to restrict access to data stored by other apps. System files, resources, and the kernel are shielded from the user's app space. If an app needs to access data from another app, it can do so only by using the application programming interfaces (APIs) and services provided by ios and macos. Apps from the App Store must be signed by Apple to ensure that they haven't been tampered with or altered.

Apps from outside the App Store, such as Microsoft Word, are normally signed with an Apple-issued developer identity. A digital signature lets you validate that the app is genuine and hasn't been tampered with. Gatekeeper, found in System Preferences, prevents users from downloading and installing apps that aren't signed with an Apple-issued developer identity. You can use MDM to prevent a user from overriding default Gatekeeper settings.

Assign apps

You can assign apps, including app updates, even if the App Store is disabled. You can assign the apps you buy through VPP to devices or users in any country where the app is available from that country's App Store. Before you deploy your Mac computers, decide what apps you want to install on them and whether you want to assign apps to users or devices. You might need to distribute more apps to users. At the same time, you should control how apps connect to internal resources and how data security is handled when a user transitions out of the organization. Decide whether you will deploy more apps to users or enable them to request apps through a self-service portal. If necessary, you can disable the App Store for users, but you can still use MDM to assign App Store apps and allow updates to them.

Distribute VPP apps to devices

Mac computers must be enrolled in your MDM solution to participate in managed distribution through VPP. MDM pushes a command to the Mac, instructing it to pull an app from the Mac App Store. The MDM server doesn't store apps. Anyone who uses that Mac has access to that app. You can reassign an app to a different Mac. VPP apps that you assign to a Mac may be automatically removed when a user unenrolls their Mac from MDM. Apps don't automatically reinstall after a user restores their Mac from an itunes or icloud backup.

Assess your environment for deployment

Ensure that your physical network is ready

- What is your current Internet bandwidth?
- Is your Wi-Fi infrastructure running the latest firmware?
- For Mac computers that will use Ethernet, do you have enough active Ethernet ports available?
- What is the status of your current network security?

See also: To acquire an APN certificate

Ensure communication with Apple services

A Mac needs access to your network and Internet services for setup and configuration. To use DEP, it must also reach Apple's activation servers. For ongoing management, MDM relies on the Apple Push Notification service (APNs), the service Apple uses to deliver remote notifications; your MDM server uses it to tell a Mac to check in. APNs servers are load balanced, so a Mac doesn't always connect to the same public IP address for notifications. Configure firewalls and proxies to allow Mac computers unfiltered access to the ports listed below across the entire 17.0.0.0/8 address block, which is assigned to Apple. The Mac needs a direct, unproxied connection to the APNs servers on these ports:

- TCP port 5223 to communicate with APNs
- TCP port 443 for Mac activation, and afterward as a fallback (Wi-Fi only) if the Mac can't reach APNs on port 5223

For more information, see the Apple Support article on TCP and UDP ports used by Apple software products. If a Mac still can't reach the Apple activation servers or APNs, see the article on what to do if you aren't getting Apple push notifications.

Do you plan to host your MDM solution on your corporate site behind a firewall? Client Mac computers must be able to reach your MDM server even when they are remote and don't have an established VPN connection. If your network uses 802.1X port-based network access control, can your Mac computers use Wi-Fi before you bind them to Active Directory and obtain an appropriate certificate? Consider creating a provisioning network that allows access only to your MDM solution and Apple's servers.

Ensure that your Wi-Fi network is ready

macOS supports multiple Wi-Fi standards, including 802.11ac. Confirm that the Wi-Fi networks at all your sites support Mac computers. Think about access-point placement and power so that you can achieve effective coverage, roaming, and capacity. You can configure settings for wireless networks, security, proxies, and authentication with configuration profiles pushed to Mac computers through MDM.

Apple devices support Wi-Fi Protected Access 2 (WPA2) Enterprise to provide authenticated access to your enterprise wireless network. WPA2 Enterprise uses 128-bit Advanced Encryption Standard (AES) encryption, so user data is protected over the Wi-Fi connection. You can also use WPA and WPA2 Enterprise authentication at the macOS login window, so a user authenticates to the network as they log in. You can integrate Apple devices into many RADIUS authentication environments, and Mac computers support a wide range of 802.1X wireless authentication protocols. The macOS Setup Assistant supports 802.1X authentication with user name and password credentials using TTLS or PEAP. For more information on wireless specifications, see Appendix D, "Wireless Specifications."

Evaluate your VPN infrastructure to ensure that users can securely and remotely access corporate resources. Consider VPN On Demand so that a VPN connection is initiated only when needed.

Ensure that your network infrastructure works correctly with Bonjour. Bonjour is Apple's standards-based, zero-configuration network protocol. It enables devices to find services on a network automatically, and it enables features like AirPrint, AirPlay, and AirDrop. Some apps also use Bonjour to discover other devices for collaboration and sharing.
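The firewall requirement for APNs is easy to get subtly wrong: an allow rule copied from a packet capture covers the one Apple address or subnet you happened to see, and APNs later lands on another address in 17.0.0.0/8. The following Python, added here as an illustration and not part of Apple's training material, parses a constructed egress allow list and reports every way it falls short of the APNs requirements stated above. The rule syntax and both sample policies are invented for the example.

```python
import ipaddress

# Apple's APNs servers are load balanced across the whole 17.0.0.0/8 block,
# so an allow rule for a single observed address or /16 is not enough.
APPLE_BLOCK = ipaddress.ip_network("17.0.0.0/8")
REQUIRED_TCP_PORTS = {5223: "APNs", 443: "activation and APNs fallback"}


def parse_rules(text):
    """Parse a constructed egress allow list: one 'allow|deny <cidr> <proto> <port>' per line."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        action, cidr, proto, port = line.split()
        rules.append((action.lower(), ipaddress.ip_network(cidr, strict=False),
                      proto.lower(), int(port)))
    return rules


def apns_gaps(rules, proxied_ports=()):
    """Return human-readable problems that would stop a Mac reaching APNs.

    rules: output of parse_rules(). proxied_ports: TCP ports your proxy intercepts;
    APNs needs a direct, unproxied connection, so 5223 and 443 must not be in it.
    """
    problems = []
    for port, purpose in REQUIRED_TCP_PORTS.items():
        allowed = [net for action, net, proto, p in rules
                   if action == "allow" and proto == "tcp" and p == port and net.version == 4]
        # A rule covers APNs only if the whole Apple block lies inside it.
        covering = [net for net in allowed if APPLE_BLOCK.subnet_of(net)]
        if not covering:
            partial = [str(net) for net in allowed if net.subnet_of(APPLE_BLOCK)]
            if partial:
                problems.append(f"port {port} ({purpose}): only {', '.join(partial)} allowed, "
                                f"but APNs uses any address in {APPLE_BLOCK}")
            else:
                problems.append(f"port {port} ({purpose}): no allow rule covers {APPLE_BLOCK}")
        if port in proxied_ports:
            problems.append(f"port {port} ({purpose}): must bypass the proxy")
    return problems


# Constructed sample policies (not taken from any real firewall).
TOO_NARROW = """
# allows one Apple /16 seen in a packet capture; breaks as soon as APNs rebalances
allow 17.172.0.0/16 tcp 5223
allow 0.0.0.0/0 tcp 443
"""

CORRECT = """
allow 17.0.0.0/8 tcp 5223
allow 17.0.0.0/8 tcp 443
"""

if __name__ == "__main__":
    for name, policy in (("too narrow", TOO_NARROW), ("correct", CORRECT)):
        print(name, apns_gaps(parse_rules(policy)) or "ok")
```

Run as written, the too-narrow policy reports port 5223 as only partially allowed while the /8 policy passes. To check your own rules, feed them in the same form and list any port your proxy intercepts in proxied_ports; a transparent proxy on 443 breaks the APNs fallback even when the firewall rule itself is correct.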

Use the Programs and Resources Review Checklist to evaluate your environment and learn about available resources.

Ensure that Exchange is configured correctly

Configure Microsoft Exchange so that it works correctly with Microsoft Outlook or Mail. Mail communicates directly with your Exchange server using Exchange Web Services (EWS), which gives access to mail, calendars, contacts, notes, and tasks at the same time. Mail supports basic and certificate-based authentication for EWS. If your organization already enables EWS, you have the services needed to support Mac computers with no additional configuration. If your Exchange server doesn't use EWS, see whether an IMAP connection to the server is available instead. If you don't use Exchange, Mail also works with standards-based servers, including IMAP, POP, SMTP, CalDAV, CardDAV, and LDAP.

Using EWS, Mail supports the following Exchange features:

- Wirelessly creating and accepting calendar invitations
- Viewing an invitee's free and busy calendar information
- Creating private calendar events
- Configuring custom repeating events
- Showing week numbers (which week of the 52 in a year)
- Receiving calendar updates
- Keeping tasks in the Reminders app up to date
- Viewing and editing delegated calendars
- Calendar attachments and structured location support

Mail can search an Exchange account with specific predicates (dates, sender, subject). Exchange draft folders can sync, and Mail filters can search through smart mailboxes and flagged content. Push is also supported: whenever a Wi-Fi or other data connection is available, Exchange automatically delivers email, tasks, contacts, and calendar events to Mac computers. Mac users can set automatic reply messages for when they're unavailable and select an end date for the replies. macOS retrieves contact information from your Exchange Global Address List (GAL) when you search Contacts and when you begin to enter addresses.
Mail and Calendar support the following Microsoft Exchange versions:

- Office 365
- Exchange Server 2016
- Exchange Server 2013
- Exchange Server 2010
- Exchange Server 2007 SP1 Update Rollup 4

Mac computers also retrieve contact information from the GAL when you search for contacts or begin to enter an address in Microsoft Outlook.

macOS supports the Autodiscover service of Exchange Server 2007 or later. When a user manually configures an account, Autodiscover uses the user's email address and password to look up the correct Exchange server settings. Automatic setup requires that the Autodiscover service be enabled on Microsoft Exchange Server. If Autodiscover isn't enabled, users are asked to enter the internal and external server addresses manually to set up their accounts; if they don't know the server addresses, they should contact the Exchange administrator. For more information, read about the Autodiscover service on the Microsoft website.

If you use Microsoft Exchange, verify that everything is up to date and configured to support all users on the network. If you use the cloud-based Office 365, be sure that you have enough licenses for the Mac computers you'll connect.

See also: To configure your network for MDM

Configure your network for MDM

When you install an MDM solution, you must configure your network. If your MDM solution is externally managed or hosted in the cloud, your MDM vendor may help configure your network.

An MDM server must use a single fully qualified domain name (FQDN) that resolves from both inside and outside your network. A stable FQDN lets the server manage devices whether they're connected locally or remotely. To maintain connectivity with clients, don't change this domain name. Most MDM servers require a static IP address; if the server's IP address does change, the existing DNS name must continue to resolve to it.

To enable both internal and external access to the MDM server, certain firewall ports must be open. Most MDM servers accept inbound connections using HTTPS on port 443. Both the MDM server and the Mac must communicate with APNs. The MDM server uses TCP ports 2195 and 2196 to reach APNs.
Clients use TCP port 5223. For more information about services and ports, see these Apple Support webpages:

- TCP and UDP ports used by Apple software products
- If you aren't getting Apple push notifications

Communications between macOS clients and the MDM server are encrypted with HTTPS, so you need a TLS (formerly SSL) certificate to secure them. Don't deploy devices without a certificate from a well-known certificate authority (CA): clients validate the server certificate against their trust store, and an untrusted certificate breaks enrollment and check-ins. Note the expiration date and renew the certificate before it expires, because an expired certificate also stops managed Mac computers from checking in.
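As an added example (not code from this guide, from Apple, or from Microsoft), the following Python shows the Autodiscover exchange described above from the client's side: the HTTPS endpoints it derives from the user's address, the request body it POSTs, and how a response is turned into an EWS URL. The sample responses are constructed, example.com is a placeholder, and the unauthenticated HTTP redirect probe and SRV lookup that the full algorithm performs are omitted because they need network access. The security point is the https check: an Autodiscover response can redirect the client elsewhere, and a client that follows a plaintext redirect hands the user's credentials to whoever answers.

```python
import xml.etree.ElementTree as ET

REQUEST_NS = "http://schemas.microsoft.com/exchange/autodiscover/outlook/requestschema/2006"
RESPONSE_NS = "http://schemas.microsoft.com/exchange/autodiscover/outlook/responseschema/2006a"
NS = {"a": RESPONSE_NS}


def candidate_urls(email):
    """HTTPS endpoints a client POSTs to, in order, derived from the SMTP domain."""
    domain = email.rsplit("@", 1)[1].lower()
    return [f"https://{domain}/autodiscover/autodiscover.xml",
            f"https://autodiscover.{domain}/autodiscover/autodiscover.xml"]


def build_request(email):
    """The POST body: the user's address plus the response schema we accept."""
    root = ET.Element("Autodiscover", xmlns=REQUEST_NS)
    req = ET.SubElement(root, "Request")
    ET.SubElement(req, "EMailAddress").text = email
    ET.SubElement(req, "AcceptableResponseSchema").text = RESPONSE_NS
    return ET.tostring(root, encoding="unicode")


def parse_response(xml_text):
    """Return ('ews', url), ('redirect', url) or ('error', why).

    Only HTTPS targets are accepted: a plaintext EwsUrl or RedirectUrl would let
    an on-path attacker steer the client (and its credentials) to a server of
    their choosing, so the client must refuse it rather than follow it.
    """
    root = ET.fromstring(xml_text)
    account = root.find(".//a:Account", NS)
    if account is None:
        return ("error", "no Account element in response")
    action = account.findtext("a:Action", namespaces=NS)
    if action == "redirectUrl":
        url = account.findtext("a:RedirectUrl", default="", namespaces=NS)
        if not url.startswith("https://"):
            return ("error", f"insecure redirect refused: {url}")
        return ("redirect", url)
    if action == "settings":
        for proto in account.findall("a:Protocol", NS):
            if proto.findtext("a:Type", namespaces=NS) in ("EXCH", "EXPR"):
                url = proto.findtext("a:EwsUrl", default="", namespaces=NS)
                if url.startswith("https://"):
                    return ("ews", url)
        return ("error", "no HTTPS EwsUrl in any Protocol element")
    return ("error", f"unexpected Action {action!r}")


# Constructed sample responses (not captured from a real server).
SETTINGS_RESPONSE = f"""<?xml version="1.0"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="{RESPONSE_NS}">
    <User><DisplayName>Ann Example</DisplayName></User>
    <Account>
      <AccountType>email</AccountType>
      <Action>settings</Action>
      <Protocol>
        <Type>EXCH</Type>
        <Server>mail.example.com</Server>
        <EwsUrl>https://mail.example.com/EWS/Exchange.asmx</EwsUrl>
      </Protocol>
    </Account>
  </Response>
</Autodiscover>"""

HTTP_REDIRECT_RESPONSE = f"""<?xml version="1.0"?>
<Autodiscover xmlns="http://schemas.microsoft.com/exchange/autodiscover/responseschema/2006">
  <Response xmlns="{RESPONSE_NS}">
    <Account>
      <AccountType>email</AccountType>
      <Action>redirectUrl</Action>
      <RedirectUrl>http://autodiscover.example.net/autodiscover/autodiscover.xml</RedirectUrl>
    </Account>
  </Response>
</Autodiscover>"""

if __name__ == "__main__":
    print(candidate_urls("ann@example.com"))
    print(build_request("ann@example.com"))
    print(parse_response(SETTINGS_RESPONSE))
    print(parse_response(HTTP_REDIRECT_RESPONSE))
```

When you troubleshoot a Mac that can't auto-configure, the two candidate URLs are what to test first with the user's credentials; if the server answers with a redirect, make sure the target is an HTTPS host whose certificate your Mac computers trust.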

Consider a pilot

A well-executed pilot is a good place to start any successful Mac deployment. Your internal IT team, an Apple Authorized Reseller, an Apple Consultant, or your Apple account team can help you plan and implement a successful Mac evaluation. This is also a good time to identify user demand, define your use case, and write a business plan.

Conduct a pilot

1. Develop your Mac pilot charter. Include these items:
   - Success factors
   - Milestones
   - Implementation team roles and responsibilities
2. Select a team to evaluate the pilot and eventually deploy the Mac computers. The evaluation may include these metrics:
   - User satisfaction
   - Support costs
   - Productivity benefits
   - App compatibility
   - Security needs
   - Other technical impacts
3. Assess your environment. An assessment helps determine which employee roles are best suited for Mac computers and your eventual deployment strategy.
   - Conduct an employee workflow analysis.
   - Conduct an app compatibility evaluation.
4. Choose pilot participants. Consider employees who meet these criteria:
   - They request a Mac and seem like a good fit, based on your app compatibility evaluation and employee workflow analysis.
   - They may use macOS full time.
5. Develop a Mac lifecycle management strategy.
6. Develop a user support strategy.

7. Obtain Mac computers for the pilot.
8. Test your Mac integration, security, and deployment methods.
9. Implement the pilot.
10. Track the pilot.
11. Analyze the pilot.
12. Make the decision to move forward with a deployment.

Obtain an MDM solution

MDM (mobile device management) is the industry term for administering mobile devices, usually with a third-party solution that provides the management features. With MDM, you can deploy and manage large numbers of Mac computers and automatically set up and configure many devices without handling each Mac individually. You can also push apps directly to Mac computers, and employees can still personalize company-owned Apple devices by adding their own apps.

MDM enables you to securely enroll devices in the corporate environment, wirelessly configure and update settings, monitor policy compliance, deploy apps, and remotely wipe or lock managed devices. If you currently manage iOS devices, you can manage Mac computers in much the same way. macOS provides built-in management features that you enable and control with a third-party MDM solution.

Many third-party MDM solutions are available, supporting different platforms such as macOS, iOS, Windows, and Android. Each offers different management consoles, features, and options for training, certification, support, and pricing. Before you choose a solution, decide which management features are appropriate for your environment. Your Apple Authorized Reseller can help you decide which solution is best for your organization.

You can host your MDM solution on a server at your site or in the cloud. MDM is a lightweight, HTTPS-based protocol that enables you to manage devices anywhere in the world with low data-traffic impact, which makes it well suited to cloud hosting. Configuring a cloud- or Internet-hosted MDM solution may require fewer, or simpler, steps than those described in this training.
Some MDM vendors offer enhanced support for Mac enrollment and managed distribution. For example, some vendors let you import multiple Apple Deployment Programs tokens. Multiple VPP tokens are helpful if several administrator accounts buy apps, and multiple DEP tokens let you use separate enrollment settings for different sets of devices. Some MDM vendors also offer tools for auditing and for integrating with Active Directory and LDAP directories.

These are some of the third-party MDM solutions:

- Jamf Pro from Jamf
- VMware AirWatch
- Systems Manager from Cisco Meraki
- FileWave

Consider joining MDM to Active Directory

If you use Active Directory, consider joining your MDM solution to it. Doing so has two main benefits:

- You can restrict enrollment to authorized Active Directory users.
- You can associate a Mac with an Active Directory user, and then apply management to Mac computers that are associated with an Active Directory user or group.

If you don't join your MDM solution to Active Directory, you can still manage devices and device groups and still join users' Mac computers to Active Directory.

Prepare to join Mac computers to Active Directory

Mac computers offer native Active Directory integration, so users can log in to their Mac computers with the same Active Directory credentials they use with other computers and services. When a Mac is fully integrated with Active Directory, you and your users benefit from the following:

- Users authenticate to secured resources with the same credentials.
- Users must follow your organization's domain password policies.
- Users get single sign-on (SSO) access to Active Directory resources through Kerberos.
- Users can request and be issued user and machine certificate identities from an Active Directory Certificate Services server. This is especially useful if your network requires 802.1X authenticated network access.
- Users can automatically navigate a Distributed File System (DFS) namespace and mount the appropriate underlying Server Message Block (SMB) server.

Consider Enterprise Connect

If you use Active Directory, consider buying the Enterprise Connect app. It provides Microsoft Active Directory integration for Mac computers that aren't domain bound.
It also enhances Active Directory integration for Mac computers that are domain bound and whose users log in with Active Directory accounts. You can use MDM to install and configure Enterprise Connect on a Mac.

Enterprise Connect is driven by network state changes. When a state change occurs, Enterprise Connect checks whether your corporate network is reachable. If it is, Enterprise Connect obtains a Kerberos ticket-granting ticket (TGT), checks the password expiration, and remounts disconnected shares if needed. Enterprise Connect is also triggered by wakes from sleep and similar events. It provides the following features:

- A built-in Kerberos client that ensures that your users have a Kerberos TGT.
- Account management that notifies users, through Notification Center, when their Active Directory passwords are about to expire. Users can change their Active Directory password in Enterprise Connect.
- The ability to mount network shares, including your Active Directory network home and SMB or AFP shares.
- Configuration profile support, so you can distribute a configuration profile from your MDM solution to configure Enterprise Connect.
- The ability to run optional scripts when your corporate network is detected, after Enterprise Connect completes its connection process, and after a successful password change. Enterprise Connect runs these scripts as the currently logged-in user, not as root.

After you buy Enterprise Connect, an Apple Professional Services engineer visits your company for two days to configure, test, and validate it for your environment. Email consultingservices@apple.com for pricing and information.

Enroll in Apple Deployment Programs

If this is your first time enrolling in an Apple Deployment Program, you can enroll your organization through the Deployment Programs online form and get help streamlining your deployment. While you prepare, learn what each program offers and enroll in the programs that make sense for your organization. For more information, visit these webpages:

- Apple Deployment Programs Help
- Apple Deployment Programs: Upgrade account to access all programs

Apple Deployment Programs have two main types of accounts: program agent and administrator.

Program agent account

You can create only one program agent account, and you use it to set up all other accounts.
You'll be asked to create a dedicated Apple ID for administering the program and to provide basic information about your business. The Apple ID associated with this account can't already exist or have been used in the App Store. Create a group email address for the Apple ID so that the ID isn't tied to a single person.

See also: To enroll in DEP
See also: To create a DEP administrator account

If you've already enrolled your business in VPP for Business, you can use that same Apple ID to enroll in DEP. The person who holds the program agent account must have signing authority to enroll on behalf of your business or institution. If you don't have that authority, walk a person who does through the process of creating the agent account, then creating an administrator account for you to use. The person with the agent account is responsible for agreeing to the terms and conditions for each program you access within the Apple Deployment Programs. The agent account can also set up more administrators for your organization. After you submit your enrollment application, Apple reviews it. You'll be notified when verification is complete, or contacted by Apple if more information is needed.

Administrator accounts

You should have at least one administrator account. How many you create depends on how many programs you'll use and how your deployments are structured.

See also: To define Enrollment Settings and Setup Assistant Options

You can add more administrators to help with tasks such as assigning devices to MDM servers, and you can permit administrators to create and manage other administrators. You can give administrator accounts the following permissions:

- Use DEP to manage the association of devices with MDM solutions
- Use VPP to buy apps in volume and distribute them to devices and users
- Add and edit other administrators

Device Enrollment Program

The Device Enrollment Program (DEP) provides a fast, streamlined way to deploy organization-owned Mac computers that you buy directly from Apple or from participating Apple Authorized Resellers. DEP lets you skip steps in Setup Assistant, the utility that asks for setup details such as an Apple ID. Using DEP and MDM together, you can automatically configure each Mac as needed for your employees. DEP is available to qualifying businesses that buy Apple devices directly from Apple or from participating Apple Authorized Resellers.

Volume Purchase Program

With the Volume Purchase Program (VPP), you can buy any app from the App Store in volume and distribute it from the App Store to employees in your company. When employees leave, you can reassign their apps to new users. You can assign apps, including app updates, to devices and users even if the App Store is disabled.

MDM solutions integrate with VPP, and you can use them to distribute apps to Mac computers and to users in any country where the apps are available. For devices to participate in managed distribution through VPP, they must be enrolled in your MDM solution. After you assign an app to a Mac, the app is pushed to that Mac through MDM, and anyone who uses that Mac has access to the app. You can reassign an app to a different Mac when necessary. Apps don't automatically reinstall after a Mac is restored from an iTunes or iCloud backup. You can specify that the VPP apps assigned to a Mac are automatically removed when a user unenrolls the Mac from MDM.

Here's how VPP works:

1. Enroll in VPP using your Apple Deployment Programs agent account. The steps vary depending on whether you're already enrolled in an Apple Deployment Program. See Apple Deployment Programs Help for instructions.
2. Set up program administrators who assign Mac computers to MDM and buy and distribute apps. A program-specific Apple ID is created for these administrators. A VPP token can be used by only one MDM server at a time; if you install your VPP token on a second MDM server, the licenses may be revoked on the original server. If you're testing multiple MDM solutions, create a VPP account for each and make separate purchases for each.
3. Buy Mac computers directly from Apple or from an Apple Authorized Reseller. Confirm that the purchase is processed so that your Mac computers are eligible for DEP. To buy apps through VPP:
   a. Log in to the VPP store.
   b. Search for the apps you want to buy.
   c. Enter the quantity you want.
   d. Complete the transaction with a corporate credit card or with VPP Credit that you bought from an Apple Authorized Reseller using a purchase order.
4. Distribute apps through your MDM solution. Apps distributed to a user this way aren't shared with family members, even if the user has a Family Sharing account with iCloud.
If you install in-house apps, they must be self-contained in the Applications folder and installed through an Installer flat package signed with a valid distribution certificate. If you previously assigned VPP apps to users, some MDM solutions silently migrate per-user VPP assignments to per-Mac assignments. If your employees use apps that include in-app purchases, assign those apps to users, not devices. Refer to your MDM solution's documentation for more information.

Set Up

During the setup phase, you enroll your devices in your MDM solution, configure them, set up a self-support site, and write and execute a test plan.

Enroll devices in MDM

You can use MDM to securely enroll and manage multiple corporate-owned Mac computers and ensure that employees have access to corporate resources. Before you enroll corporate-owned Mac computers in MDM, they should be added to DEP by Apple or by your Apple Authorized Reseller when you buy them. You can then assign DEP-enrolled Mac computers to your MDM server: choose one MDM server that new Mac computers are assigned to automatically, or assign Mac computers to an MDM server manually. Those Mac computers then enroll in MDM automatically during user setup. You can enroll Mac computers running OS X 10.9 or later.

After the operating system version is verified, at least one of the following conditions must be met to enroll devices in DEP:

- The devices were ordered after March 1, 2011, and were bought directly from Apple using your enrolled and verified Apple customer number.
- The devices were bought directly from a participating Apple Authorized Reseller and linked to that reseller's DEP Reseller ID. The date of eligibility is determined by your participating Apple Authorized Reseller, but it can't be before March 1, 2011.

If an employee opts out of MDM, or if the Mac falls out of compliance, corporate configurations, settings, and access to resources are removed. After you enroll a Mac in MDM, you can initiate an MDM policy, query, or command. The Mac is notified through APNs that an administrative action is waiting, then contacts the MDM server to receive and process the policy, query, or command.

User accounts

When you associate a Mac with a user, you increase the level of management and capabilities for that Mac and user. The association stays in place no matter which user logs in to that Mac.
If multiple people log in to the same Mac, don't associate a user with it. To associate a Mac with a user, your MDM must be able to access the directory service that your organization uses. A directory service provides a central repository for information about Mac users and organizational resources. User accounts that are available to your MDM server give users access to services provided by the server. A user account contains the information needed to prove the user's identity to services that require authentication. This is typically a username and password, but some services also accept a Kerberos service ticket or a user's public key infrastructure (PKI) certificate. A user account also provides a central place to store a user's contact information and other data. You can store user accounts in various directory nodes, such as Active Directory (local network users).

Assign Mac computers to an MDM server

Before your users can enroll Mac computers through DEP, you must assign the computers to your MDM server in the DEP portal. When a user then receives a Mac, they use Setup Assistant to enroll the Mac in MDM through DEP and associate it with their corporate network user account.

See also: To assign devices to your MDM server in DEP

After an order ships, you can search for the order number in the DEP portal and use it to assign devices to an authorized MDM server. For example, when you place an order for 5,000 Mac computers, you can use the order number to assign all of them, or a specific number of them, to an existing authorized MDM server.

You can assign devices in three ways:

- By serial number
- By order number
- Using a comma-separated values (CSV) file

Select Serial Number to assign Mac computers to your MDM server by serial number in the DEP portal. This makes sense if you have only a few Mac computers physically with you and they are easy to erase. You can search for serial numbers using the search field at the top of the website window.

Select Order Number to assign Mac computers by their order number. Do this if you use a single MDM server for an entire Mac deployment or a single order, and the Mac computers are still in their original packaging and are going directly to users. Order numbers show the vendor: orders bought from Apple appear as "Order number Apple Inc. (Direct)", and orders from a participating Apple Authorized Reseller or carrier appear as "Order number Name of reseller". After an order ships, search for the order number and use it to assign all of the devices, or a specific number of them, to an authorized MDM server.

Upload a CSV file to the DEP portal that contains only the serial numbers you want. Do this when you need a specific group of users' devices to be managed by a specific MDM server. You can also download a CSV file for a specific order number, split it into smaller files, upload those files, and assign them to specific MDM servers.
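The CSV path above deserves a little tooling, because one malformed or duplicated serial number can make a whole upload fail. The following Python, added here as an example and not part of the DEP portal or this guide, cleans an order export and splits it into per-server files. It assumes a one-serial-per-row export with an optional header and 10-12 character alphanumeric serials (neither is stated on the page, so adjust the pattern to what your export actually contains); the sample export is constructed.

```python
import csv
import io
import re

# Assumptions (not stated on the page): the DEP order export is one serial
# number per row with an optional header, and serials are 10-12 upper-case
# alphanumerics. Adjust SERIAL_RE if your export looks different.
SERIAL_RE = re.compile(r"^[A-Z0-9]{10,12}$")
HEADERS = {"SERIAL", "SERIAL NUMBER", "SERIALNUMBER"}


def read_serials(csv_text):
    """Return (serials, rejected): cleaned unique serials and the rows dropped.

    Rejecting bad rows here means a typo or a duplicate fails loudly in your
    tooling instead of failing the whole upload in the DEP portal.
    """
    serials, rejected, seen = [], [], set()
    for row in csv.reader(io.StringIO(csv_text)):
        if not row or not row[0].strip():
            continue
        raw = row[0].strip()
        serial = raw.upper()
        if serial in HEADERS:
            continue
        if not SERIAL_RE.match(serial):
            rejected.append((raw, "malformed"))
        elif serial in seen:
            rejected.append((raw, "duplicate"))
        else:
            seen.add(serial)
            serials.append(serial)
    return serials, rejected


def split_for_servers(serials, plan):
    """Divide serials among MDM servers.

    plan: ordered list of (server_name, count). Returns {server_name: serials};
    anything left over goes under 'unassigned' so nothing silently disappears.
    """
    out, pos = {}, 0
    for name, count in plan:
        chunk = serials[pos:pos + count]
        if len(chunk) < count:
            raise ValueError(f"{name}: wanted {count} devices, only {len(chunk)} left")
        out[name] = chunk
        pos += count
    out["unassigned"] = serials[pos:]
    return out


def to_csv(serials):
    """Serialise one group back to the one-serial-per-line form the portal accepts."""
    buf = io.StringIO()
    writer = csv.writer(buf, lineterminator="\n")
    for serial in serials:
        writer.writerow([serial])
    return buf.getvalue()


# Constructed order export: a header, one duplicate and one malformed row.
ORDER_EXPORT = """Serial Number
C02ABC123XYZ
C02ABC123XYA
c02abc123xyz
C02ABC123XYB
NOT-A-SERIAL
C02ABC123XYC
C02ABC123XYD
"""

if __name__ == "__main__":
    good, bad = read_serials(ORDER_EXPORT)
    groups = split_for_servers(good, [("mdm-hq", 2), ("mdm-lab", 2)])
    for name, group in groups.items():
        print(f"--- {name} ---\n{to_csv(group)}", end="")
    print("rejected:", bad)
```

Keep the rejected list: a duplicate usually means a device appears in two orders, and a malformed row usually means a reseller export with extra columns, both of which are worth resolving before you assign anything.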

Configure a Mac

After a Mac is enrolled in MDM, you can initiate a policy, query, or command to it. macOS receives notification of your action through APNs and then communicates directly with its MDM server over a secure connection. With a network connection, Mac computers can receive APNs notifications anywhere in the world. The notification itself carries no confidential or proprietary information; it only tells the Mac to check in with its MDM server, which delivers the actual command over HTTPS.

Prepare configuration profiles

An MDM solution applies policies and settings using configuration profiles, XML files created by your MDM solution that distribute configuration information to Mac computers. Profiles automate the configuration of settings, accounts, policies, restrictions, and credentials. They can be signed and encrypted to protect their integrity and confidentiality.

A configuration profile contains one or more payloads. A payload is a collection of settings to be delivered to a Mac. For example, a configuration profile can contain a Login Items payload with settings for the apps, files, and folders that open at login and for the network volumes that are mounted at login. The name of a payload may differ depending on your MDM solution.

The image below shows some sample configuration payloads.

See also: To create Device Groups

You can create configuration profiles for users, devices, groups of users, or groups of devices. Your MDM solution tailors the payloads depending on which user, device, user group, or device group you choose.

You can install two basic categories of profile on Apple devices: user profiles and device profiles.

User profiles contain individual user or user-group settings, such as account names and passwords. A user configuration is for one person; users identify themselves with a short name or user ID when they log in. A user profile applies to every user who logs in to a Mac that's associated with that user, so don't associate a user with a Mac that will be shared.

Device profiles contain individual Mac or device-group settings, such as directory bindings, Energy Saver, and restrictions. A device configuration profile is for an individual Apple device. A Mac is identified by its MAC address (Ethernet ID), serial number, or unique device identifier (UDID).

You can assign most payloads to both user and device configuration profiles. Some payloads, such as Energy Saver settings, are available only to device profiles. Others apply only at the user level: you can't assign Login Items settings to a device configuration profile on a Mac, and Web Clip settings assigned to a device profile are ignored. A profile that you create for a user or user group is applied at the user level; one that you create for a device or device group is applied at the system level.

Although you can create a single configuration profile that contains all payloads for the organization, consider creating separate profiles so that you can:

- Enforce policies when you grant access
- Update settings that change frequently without touching the rest

Users generally can't change configuration profile settings, except for their passwords. If you configure a user account using a configuration profile, you can remove the account only by deleting the profile.

Profile and payload planning reduces complexity. Keep these facts in mind:

- A configuration profile can have more than one payload.
- A device can have more than one configuration profile.
- In macOS, you can combine user profiles with device profiles.
- If multiple profiles contain similar payloads with different settings, the resulting behavior may be undefined, so avoid overlapping payloads.
- Some payloads can contain more than one item. For example, a Certificates payload often carries more than one certificate, and a VPN payload may define more than one VPN configuration.

If you want to manage only macOS devices or users of macOS devices, focus on macOS payloads, then decide whether your management should be at the device or user level.

After you prepare your infrastructure, your users can configure their Mac computers. Employees can take a Mac out of the box and use Setup Assistant to activate it and configure basic settings.

When employees use Setup Assistant, they're asked about an Apple ID. Every employee needs an Apple ID to use Apple services such as FaceTime, iMessage, the iTunes Store, the App Store, the iBooks Store, and iCloud. Employees who don't already have an Apple ID can create one in Setup Assistant. You can skip the Apple ID screen by configuring the Setup Assistant options in your MDM's DEP enrollment settings, and remember that VPP apps assigned to a Mac (rather than to a user) don't require an Apple ID.

When employees use Setup Assistant, they're also asked about enabling iCloud. They can use iCloud Desktop & Documents to share content easily among their Apple devices. If your security policies don't allow data to be stored in iCloud, use a Restrictions payload to disable services such as iCloud Drive and iCloud Keychain. Read Apple's iCloud security and privacy overview to learn more about the security mechanisms iCloud uses.

After a user completes Setup Assistant, the Mac automatically installs the configuration profiles and apps you've specified.

Provide security

macOS has layers of security technologies that help protect your systems, apps, and data. You can use MDM to enforce the following practices on your Mac computers:

- Turn on the firewall to prevent other machines from reaching local services.
- Lock the screen after a period of inactivity.

- Require a password a specified amount of time after sleep or the screen saver begins.
- Restrict which apps are allowed to open.
- Disallow AirDrop.
- Restrict the services allowed in the Share menu.
- Enforce a password policy for local accounts, with options such as a minimum password length and a minimum number of complex characters.

You can encourage users to:

- Delete outdated files. (The Secure Empty Trash command found in older guidance is no longer available; it was removed in OS X El Capitan.)
- Use Password Assistant to create strong passwords for local accounts in Users & Groups.
- Use the Sharing pane of System Preferences to turn on file sharing only when it's needed, and turn it off as soon as possible.
- Keep the Guest account disabled, and don't allow the Guest account to connect to shared folders.

macOS supports IPv6, proxy servers, and split tunneling. macOS works with many authentication methods, including passwords, two-factor tokens, digital certificates, and Kerberos.
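As an added example (not code from this guide or from Apple), the following Python builds a device-level configuration profile that enforces the MDM practices listed above, plus the Gatekeeper settings discussed under Prepare, and lints it for the mistakes that make a profile silently ineffective: a missing required key, duplicated PayloadUUIDs, or a user-only payload placed in a System-scoped profile. The organization identifier is a placeholder, and the payload type strings and keys are taken from Apple's configuration profile reference for this era (the Web Clip type string in USER_ONLY_TYPES is an assumption); verify them against your MDM's payload documentation, since macOS ignores an unknown key rather than rejecting it.

```python
import plistlib
import uuid

# Assumptions: the organization identifier is a placeholder, and the payload
# type and key names follow Apple's profile reference for macOS Sierra; check
# your MDM's payload documentation before relying on any single key.
ORG_ID = "com.example.mdm"

# Payload types that apply only at the user level (the Web Clip type string is
# an assumption); putting them in a System-scoped profile silently does nothing.
USER_ONLY_TYPES = {"com.apple.webClip.managed"}
REQUIRED_KEYS = ("PayloadType", "PayloadIdentifier", "PayloadUUID", "PayloadVersion")


def payload(ptype, name, **settings):
    """Wrap settings in the bookkeeping keys every payload must carry."""
    p = {"PayloadType": ptype,
         "PayloadIdentifier": f"{ORG_ID}.{name}",
         "PayloadUUID": str(uuid.uuid4()).upper(),
         "PayloadVersion": 1,
         "PayloadDisplayName": name}
    p.update(settings)
    return p


def baseline_security_profile():
    """A device-level (System scope) profile covering the MDM checklist above."""
    content = [
        payload("com.apple.security.firewall", "firewall",
                EnableFirewall=True, BlockAllIncoming=False, EnableStealthMode=True),
        payload("com.apple.screensaver", "screen-lock",
                idleTime=600, askForPassword=True, askForPasswordDelay=0),
        payload("com.apple.applicationaccess", "restrictions",
                allowAirDrop=False, allowCloudDocumentSync=False, allowCloudKeychainSync=False),
        payload("com.apple.mobiledevice.passwordpolicy", "local-password-policy",
                minLength=12, minComplexChars=1, maxPINAgeInDays=90),
        payload("com.apple.systempolicy.control", "gatekeeper",
                EnableAssessment=True, AllowIdentifiedDevelopers=True),
        payload("com.apple.systempolicy.managed", "gatekeeper-no-override",
                DisableOverride=True),
    ]
    return {"PayloadType": "Configuration",
            "PayloadScope": "System",
            "PayloadIdentifier": f"{ORG_ID}.baseline-security",
            "PayloadUUID": str(uuid.uuid4()).upper(),
            "PayloadVersion": 1,
            "PayloadDisplayName": "Baseline security",
            "PayloadRemovalDisallowed": True,  # users can't remove it in Profiles prefs
            "PayloadContent": content}


def to_mobileconfig(profile):
    """Serialise to the XML plist that macOS installs (before your MDM signs it)."""
    return plistlib.dumps(profile)


def summarize(mobileconfig_bytes):
    """Return (scope, payload types) so a reviewer can see what the Mac will get."""
    profile = plistlib.loads(mobileconfig_bytes)
    return profile.get("PayloadScope", "User"), [p["PayloadType"] for p in profile["PayloadContent"]]


def lint_profile(mobileconfig_bytes):
    """Return a list of problems; an empty list means the profile is well formed."""
    profile = plistlib.loads(mobileconfig_bytes)
    problems = []
    if profile.get("PayloadType") != "Configuration":
        problems.append("top-level PayloadType must be Configuration")
    scope = profile.get("PayloadScope", "User")
    uuids = [profile.get("PayloadUUID")]
    for p in profile.get("PayloadContent", []):
        missing = [k for k in REQUIRED_KEYS if k not in p]
        if missing:
            problems.append(f"{p.get('PayloadDisplayName', '?')}: missing {', '.join(missing)}")
        uuids.append(p.get("PayloadUUID"))
        if scope == "System" and p.get("PayloadType") in USER_ONLY_TYPES:
            problems.append(f"{p['PayloadType']} is user-level only; ignored in a System profile")
    if len(set(uuids)) != len(uuids):
        problems.append("PayloadUUID values must be unique")
    return problems


if __name__ == "__main__":
    data = to_mobileconfig(baseline_security_profile())
    print(data.decode())
    print("lint:", lint_profile(data) or "ok")
```

Your MDM normally generates and signs profiles for you; the value of building one by hand is seeing exactly what the Mac receives, and running the lint before a profile reaches 500 machines catches the overlapping or misplaced payloads that the earlier planning advice warns about.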

Secure access to private corporate networks is available in macOS using established industry-standard VPN protocols. If your organization supports one of these protocols, you don't need additional network configuration or third-party apps to connect Mac computers to your VPN:

- IKEv2
- Cisco IPSec
- L2TP over IPSec

macOS also supports SSL VPN from popular VPN providers through their client apps. You can configure VPN manually or with configuration profiles. For more control over VPN, consider these functions:

- Per-App VPN
- Device-wide VPN
- VPN On Demand

Per-App VPN lets each app that's managed by MDM communicate with the private network through a secure tunnel and excludes unmanaged apps from using the private network. You can configure managed apps with different VPN connections to further safeguard data; for example, a sales quote app and an accounts payable app could use different data centers. To use Per-App VPN, an app must be managed by MDM and use standard networking APIs. After you enable Per-App VPN for a VPN connection, associate that connection with the apps that should use it to secure their network traffic. IKEv2 is supported by the built-in IPSec client; for Per-App VPN support with SSL VPN products, contact the third-party VPN vendor.

Per-App VPN provides secure networking for internal-use apps while preserving the privacy of personal Mac activity. With device-wide VPN, any client process can send traffic across the routes that the tunnel provides. When you segregate traffic at the app level, you separate personal data from organizational data: corporate data always flows over the VPN connection, and other traffic, such as employees' personal apps from the App Store, doesn't.

To streamline the connection in environments where certificate-based authentication is used, macOS features VPN On Demand. It lets Mac computers automatically establish a connection as needed to reach specified domains. It requires certificate-based authentication and works regardless of the protocol used. Configure VPN On Demand through MDM in a configuration profile. VPN On Demand rules allow you to:

- Recognize when a Mac is connected to an internal network and VPN isn't necessary.
- Recognize when an unknown Wi-Fi network is being used and require VPN for all network activity.
- Require VPN when a DNS request for a specified domain name fails.

Join services

If you're providing services such as VPN, Mail, Calendar, Contacts, and Messages, you can use the Profile Manager service to create a default configuration profile that sets up devices to use those services. Using this configuration profile ensures that every user who receives the profile has all the settings necessary for each configured service, which saves you time and effort when you troubleshoot.

Set up a user self-support site

If your deployment plan involves users providing some of their own support, set up a self-support site that includes these elements:

- Mac setup instructions
- Software update instructions
- Organizational policies
- Security best practices
- Help desk instructions

Execute a test plan

When you have set up everything you need for your users, write and execute a test plan to make sure everything works before you deploy Mac computers to users. Test these items:

- Device configuration
- App and content distribution
- Joining (binding to) Active Directory
- Share connectivity
- Printer connectivity

Deploy and Manage

After you decide how you'll deploy your Mac computers and they're in the users' hands, you must maintain Mac computer security, manage content, and maintain your self-support portal.

Deploy devices

Ship devices directly to users

You can order the devices from Apple, configure the management settings, and have the devices shipped directly to a user's office address. After the Mac is unboxed and activated, it enrolls in your MDM, and the management settings and apps are ready for the user. The process is simple: you enroll in DEP, log in to the deploy.apple.com website, link one or more MDM servers to the DEP account, and then associate specific devices with one of the MDM servers. You can then preconfigure the devices and assign them to users through MDM. After a Mac is activated, any MDM-specified configurations, restrictions, or controls are installed automatically. If you ship devices directly to users, make sure you also distribute device instructions and help desk policies.

Ship devices to a warehouse for kitting and barcoding

If you must attach items to, or include them in, Mac kits before users receive them, ship the Mac computers to a warehouse or staging area. There you can attach items like an inventory or barcode label, user instructions, or a protective

case. You can also include instructions and help desk policies in the kits. After you complete kitting and barcoding, you can distribute the devices to users.

Encourage users to use Setup Assistant

After users connect to the Internet, Setup Assistant guides them through the basics of setting up, including setting their language and region preferences. During this process, Mac computers that are enrolled in DEP can be automatically enrolled in MDM. You can configure DEP-enrolled Mac computers to skip certain Setup Assistant screens, such as the Terms and Conditions, Apple ID sign-in, and Location Services windows. You can manage many settings upon initial configuration through MDM, and you can decide whether or not users will have full administrative privileges over their Mac computers.

Allow users to personalize their Mac computers

Enabling your users to personalize their Mac computers with an Apple ID can increase productivity because users choose the apps and content that will be the most helpful in accomplishing their tasks and goals. An Apple ID is an identity that people use to log in to various Apple services such as FaceTime, iMessage, the iTunes Store, the App Store, the iBooks Store, and iCloud. These services give users access to a wide range of content for streamlining business tasks, increasing productivity, and supporting collaboration. iCloud enables users to automatically sync documents and personal content such as contacts, calendars, documents, and photos and keep them up to date across multiple devices. Users can also use Find My Mac to locate a lost or stolen Mac. You can disable services (such as Photo Stream, iCloud Keychain, iCloud Drive, and backup) through restrictions that you enter manually on the Mac or set through your MDM.

Manage security

Secure hardware

Even when Mac data is secured, you should encourage users to follow these guidelines:

- Do not leave a Mac in plain sight.
  For example, don't leave a Mac in a bag on the front seat of a locked car. If you work at a coffee shop, don't leave your Mac on the table when you get up to use the restroom. Take your Mac with you when you leave a customer's conference room for lunch.

Manage firmware passwords

All computers have firmware to control low-level hardware. You can add a firmware password to the startup process so that the Mac restricts access to the data stored on it. Firmware passwords don't provide encryption for the startup volume.

The Extensible Firmware Interface (EFI) is the hardware base layer for Intel-based Mac computers. It contains the link between the low-level hardware and macOS. The EFI determines which partition or disk to load macOS from and whether a user can enter single-user mode. If you're a software developer or IT professional, you can use this mode to help you isolate startup issues, because it shows you the details of the startup. But instead of finishing the startup and bringing you to the default macOS login screen, it gives you a text terminal that you can use for troubleshooting. You can create an EFI password to prevent users from accessing single-user mode, loading unapproved partitions or disks, or enabling target disk mode at startup.

Using target disk mode, you can share files between two Mac computers that are connected through their FireWire, Thunderbolt 2, USB-C, or Thunderbolt 3 (USB-C) ports. With target disk mode, one Mac appears as an external disk on the other Mac, which lets you browse and copy files. You can use target disk mode when you need high transfer speeds or if the display on one of your Mac computers isn't working and you must get files from it. The macOS Recovery partition includes the Firmware Password Utility, which you can use to enable an EFI password.

Secure guest accounts

If your corporate policy permits users to turn on Find My Mac, set a Security & Privacy payload in your MDM solution so that FileVault is automatically turned on for managed devices. FileVault encrypts the data on the startup disk so that unauthorized users, apps, or utilities can't access your information. When users turn on Find My Mac, a guest account is enabled on the Mac. Guest access works with the Find My Mac feature of iCloud to help users find their Mac computers if they lose them. They can locate their Mac if someone finds it, logs in as a guest, and then uses Safari to access the Internet.
If FileVault is turned on, guests can only use Safari and can't access the encrypted disk or create files. So your users can let other people use their Mac computers temporarily as guest users without giving them access to your corporate data.

Manage certificates

To push MDM configuration profiles to devices, configure your MDM server to use APNs. You can use your MDM solution to get the APNs certificate. Make sure your firewall allows APNs traffic. It uses TCP ports 443, 2195, 2196, and one further port. The entire /8 address block is assigned to Apple, so it's best to allow this range in your firewall settings.

Before you add an MDM server to your DEP account, get the public key certificate file (ending in .pem or .der) from your MDM vendor for each server you want to add. See your MDM vendor documentation for information about getting the server's public key certificate. Server tokens expire after 1 year and must be replaced. Depending on the MDM vendor, you may or may not get an expiration warning. When a token is due to expire, sign in to Apple Deployment Programs, regenerate and download a new token for the MDM server, and transfer that token to the MDM server for

immediate installation. See your MDM vendor documentation for information about how to do that.

Secure Bonjour

Bonjour is a protocol for discovering file, print, chat, music sharing, and other services on IP networks. Bonjour responds to service inquiries from other computers and gives information about available services. Users and apps on your local network can use Bonjour to quickly determine which services are available on your Mac, and you can use it to determine which are available on theirs. Some apps can share data such as contact information, photos, and music. When these apps share data, they use Bonjour to let other network users know what you're sharing. This easy exchange of information makes service discovery convenient but possibly risky. Aside from the information exchanged by Bonjour, network services pose a security risk because of the potential for implementation errors that could allow remote attackers to access your system. Bonjour mitigates these risks by sandboxing. If you can't trust all the services on your local network, don't use Bonjour. When you use Bonjour, follow these guidelines:

- Connect only to secure, trusted local networks.
- Verify that Network preferences enables only the required networking connections. This restriction reduces the chance that you'll connect to a nonsecure network.
- Verify that a service is legitimate and not spoofed. IP spoofing is the deceitful practice of sending Internet Protocol (IP) packets with a false source address that hides the sender's identity. If you connect to a spoofed service, you might download malicious files.

Maintain firewalls

Use configuration profiles to configure Mac firewalls so they comply with your corporate security policies. You can configure the following settings:

- Enable the firewall.
- Allow or deny incoming connections for individual apps.
- Block all incoming connections except those required for basic Internet services, such as DHCP, Bonjour, and IPSec.
- Enable stealth mode: don't respond to or acknowledge attempts to access the Mac from the network by test apps like ping that use Internet Control Message Protocol (ICMP).
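As an added example (not code from the guide), the following shell script builds a firewall configuration profile that carries the four settings listed above and audits a Mac's live firewall state against that policy. The payload type and keys are the documented com.apple.security.firewall ones; the identifier prefix, UUIDs, bundle ID and the socketfilterfw sample lines used for testing are placeholders that I constructed.

```shell
#!/bin/sh
# Added example, not from the training guide: generate the firewall
# configuration profile that carries the four settings listed above, and
# audit a Mac's live firewall state against that policy.
# Assumptions: the com.apple.security.firewall payload keys EnableFirewall,
# BlockAllIncoming, EnableStealthMode and Applications (BundleID/Allowed);
# the identifiers, UUIDs and bundle ID below are placeholders.

# Print a .mobileconfig that turns the firewall and stealth mode on, keeps
# "block all incoming" off (it would also cut services beyond DHCP, Bonjour
# and IPSec that users rely on) and allows incoming connections for one app.
# $1 = reverse-DNS identifier prefix, $2 = bundle ID to allow.
firewall_profile() {
  prefix=$1 bundle=$2
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.security.firewall</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>PayloadIdentifier</key><string>${prefix}.firewall</string>
      <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000001</string>
      <key>PayloadDisplayName</key><string>Corporate firewall policy</string>
      <key>EnableFirewall</key><true/>
      <key>BlockAllIncoming</key><false/>
      <key>EnableStealthMode</key><true/>
      <key>Applications</key>
      <array>
        <dict>
          <key>BundleID</key><string>${bundle}</string>
          <key>Allowed</key><true/>
        </dict>
      </array>
    </dict>
  </array>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadIdentifier</key><string>${prefix}</string>
  <key>PayloadUUID</key><string>00000000-0000-0000-0000-000000000000</string>
  <key>PayloadDisplayName</key><string>Corporate firewall policy</string>
  <key>PayloadScope</key><string>System</string>
</dict>
</plist>
EOF
}

# Read the current state from the built-in firewall tool (run on a Mac).
FW=/usr/libexec/ApplicationFirewall/socketfilterfw
collect_firewall_state() {
  "$FW" --getglobalstate
  "$FW" --getstealthmode
  "$FW" --getblockall
}

lower() { printf '%s' "$1" | tr 'A-Z' 'a-z'; }

# Audit three lines (global state, stealth mode, block-all) read from stdin.
# Returns 0 only when the firewall and stealth mode are on; the block-all
# line is reported but not enforced, matching the profile above.
# Usage on a Mac: collect_firewall_state | audit_firewall_state
audit_firewall_state() {
  read -r global; read -r stealth; read -r blockall
  rc=0
  case $(lower "$global") in *enabled*) ;; *) echo "firewall is off"; rc=1 ;; esac
  case $(lower "$stealth") in *enabled*) ;; *) echo "stealth mode is off"; rc=1 ;; esac
  case $(lower "$blockall") in *enabled*) echo "note: block-all is on" ;; esac
  return $rc
}
```

Generate the profile with `firewall_profile com.example.mdm com.example.helpdesk > firewall.mobileconfig` and upload it to your MDM; the audit function is meant for a compliance script that runs on the managed Mac.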

Ensure that users follow best practices for security

Your users can do a lot to protect their equipment. As part of your plan to secure managed Mac computers, encourage your users to follow these best practices. You can also post these best practices on your self-support site.

- Encourage users to set up Find My Mac. If their Mac ever goes missing, they can use Find My Mac to help get it back. Tell your users they can sign in to iCloud.com or the Find My iPhone app to see their missing device on a map, play a sound to help them find it, use Lost Mode to lock and track it, or remotely erase their personal information. Before they can use Find My Mac, they must enable it in iCloud System Preferences on the Mac. Direct your users to "Set up Find My iPhone on all your devices" for instructions.
- Ensure that users are using Password Assistant. They should occasionally change their passwords to protect their privacy. Password Assistant suggests a secure password that varies in length and characters.
- If your company policy mandates that users use a firmware password, enforce that policy. It prevents a Mac from starting up from any device other than the startup disk. If users forget their firmware passwords, they must bring the Mac to an Apple Retail Store or Apple Authorized Service Provider to be unlocked.

- Ensure that users run only necessary sharing services. Users must follow corporate policies when they share information and files or when they share remote access to their Mac computers. macOS provides several features for sharing services. You can use the MDM Restrictions payload to restrict the services that are available in the Share menu for apps.
- Ensure that users have FileVault enabled on their Mac computers. FileVault encrypts the data on the startup disk so that unauthorized users, apps, or utilities can't access the information. You can turn on FileVault by default for users through MDM. If you don't, you should ensure that users turn on FileVault themselves; they need a local administrator account to do so.

Manage devices

A managed Mac can be administered by the MDM server through a set of specific tasks. These include querying devices for information and initiating security commands that let you manage devices that are out of policy, lost, or stolen. When you manage a Mac with an MDM server, you can change configuration settings automatically without user interaction, lock or wipe a Mac remotely, or clear the passcode lock so users can reset forgotten passwords. With MDM you can also perform these tasks:

- Lock a Mac with a password.
- Rename a Mac.
- Request AirPlay mirroring.
- Remove a Mac from MDM.
- Install a macOS update if a Mac is DEP enabled.

Some MDM solutions enable employees to manage certain functions themselves, including running routine maintenance tasks or installing software.

Query devices

An MDM server can ask Mac computers for information. For example, an MDM server can ask a Mac for its serial number, MAC address, macOS version, or installed apps. This information helps ensure that users maintain the appropriate set of apps and settings.

Remove a Mac from MDM

Only you can remove a DEP-enrolled Mac from MDM; a user can't.

To remove a DEP-enrolled Mac:

1. Go to the Profile Manager management portal.
2. Select Devices.
3. Select the Mac.
4. Click Remove (-).
5. Confirm the removal.

The management profile and the configuration profiles that were installed by MDM are removed from the Mac.

Manage inventory

You can view information about users and devices using an administration portal. For example, you can select a device in the Device list and click a tab in the Device pane to view these types of information:

- About
- Settings
- Activity

About displays information about a user, device, or group, such as software version, security settings, restrictions, installed apps and their version numbers, device group assignment (if any), and certificates that are installed on a Mac. This information is updated each time a user or Mac contacts your MDM solution. Settings shows the settings installed on a Mac. Activity shows recent activity between a Mac and your MDM solution. Use this information to confirm that a Mac has the latest settings or has responded to your task requests. You can also use DEP to download a CSV-formatted text file of your device inventory. The CSV file lists the serial numbers of the devices that are assigned to your DEP account.

Manage devices remotely

Your company's existing remote management solution might work with the Mac. Some MDM solutions offer screen-sharing features for enrolled Mac computers. Another option is Apple Remote Desktop, available from the Mac App Store or VPP. Use Apple Remote Desktop to remotely control Mac computers, offer real-time online help to users, and automate your IT workflows.

Rename devices

After devices are assigned to your DEP account and MDM server, they are listed as placeholder devices. In the MDM administration portal, the name of the placeholder device is included in the Device list. The name of the device shows the model type, and the user name is populated with the device serial number. You can rename the device using the Rename task in the Device pane in your MDM solution.

Reassign devices

You can reassign a Mac to a new user when an employee leaves the company. If a Mac is already assigned and enrolled in DEP, you can erase it and restore macOS. The Mac automatically re-enrolls in MDM when the new user starts it. The MDM configuration profiles configure settings for the new user, apply corporate policies, and deploy the appropriate software.
You can also remove the old user account from the Mac and create a new user on it. When you reassign the Mac to a new user this way, you retain the installed apps and configuration profiles.

Lock or wipe devices

Lost Mode locks a Mac with a passcode so that others can't access that user's personal information. You can use MDM to send a Lock command to a Mac. Do this when you believe a Mac is lost or stolen.

When a Mac receives a Lock command, it installs an EFI passcode and then restarts immediately. Only a user with the passcode can bypass the startup screen and continue starting macOS. Lock Mode works best when you implement it with FileVault. Users who turn on Find My Mac in iCloud preferences can lock and track their Mac computers. See "iCloud: Lock and track your device using Lost Mode" for more information. You can remotely wipe a managed Mac using your MDM solution. Do this when you believe you will not retrieve the Mac.

Manage the self-support site

If you have an optional self-support site, keep it up to date:

- If you offer Mac setup instructions, update the instructions when a new version of macOS is available.
- If the site enables users to install apps, update the apps when new versions become available.
- When organizational policies change, make the new policies available.
- Update help desk instructions with graphics, figures, and steps that reflect the current look of macOS and apps.

Exercises

Use these exercises to practice what you learned in the Prepare, Set Up, and Deploy and Manage sections of this guide.

Configure your network for MDM

1. Verify DNS connectivity.
   a. Open Network Utility.
   b. Select the Ping tab.
   c. Enter the DNS server IP address.
   d. Select Send an unlimited number of pings, or enter the number of pings.
   e. Click Ping.
2. Verify the MDM server static IP address.
   a. Open Network Utility.
   b. Select the Ping tab.
   c. Enter the MDM server static IP address.
   d. Select Send an unlimited number of pings, or enter the number of pings.
   e. Click Ping.
3. Verify that the firewall ports required by MDM are open.
   a. Open Network Utility.
   b. Click the Port Scan tab.
   c. Enter the MDM server IP address.
   d. Click Scan to scan all ports on the MDM server, or enter a range of ports to scan.
   e. In the returned port list, verify that the required ports are open.
4. Check with your MDM server administrator to verify that your server is configured with TLS.

Now that you have verified that your network is ready for an MDM server, you can set up your server connection to your central directory service (Active Directory).

Join macOS Server to Active Directory by using Directory Utility

1. Obtain the following equipment, software, connections, user names, and passwords:
   - A Mac running macOS Sierra
   - Local administrator account name and password
   - macOS Server 5.3 or later
   - Wired Ethernet connection
   - Active Directory domain name
   - The user name and password of a user who has permission to join (bind to) Active Directory
2. Open macOS Server.
3. Choose Tools > Directory Utility.
4. Click the lock icon in the lower-left corner of the pane.
5. Enter your administrator account user name and password to unlock the lock icon.
6. Click Services.
7. Select Active Directory.
8. Click the pencil in the lower-left corner of the pane, or double-click Active Directory to edit the Active Directory settings.

9. Enter the Active Directory domain name. This is the DNS hostname of the Active Directory domain.
10. If necessary, change the computer ID. The client computer ID is the name of the computer object in Active Directory. By default, it is populated with the local hostname of the Mac.

11. To specify advanced settings:
    a. Click the disclosure triangle.
    b. Set options in the User Experience, Mappings, and Administrative panes.
12. Click Bind.
13. Enter the user name and password of a user who has permission to bind Mac computers to Active Directory. The user doesn't need to be an administrator; you can assign domain-joining privileges to any user. If the Mac is creating the object in Active Directory, the user needs to have Read and Create All Child Objects permissions on the specified container. By default, macOS Sierra is set to create the object in the Computers container, but you can use any container or organizational unit. If the object already exists, the user must be a

    member of the group that can join the account, as specified in Active Directory Users and Computers.
14. Click OK. In the Users & Groups pane, a green light appears next to the domain if the network accounts are accessible.

Your MDM server is now joined to your Active Directory domain. You can also perform this task from Terminal.

Join Active Directory using Terminal

1. Open Terminal.
2. Enter:

   dsconfigad -preferred ads01.pretendco.com -a computername -domain pretendco.com -u administrator -p "password"

   The example specifies a preferred server (ads01.pretendco.com) for directory lookups and authentication. If that server isn't available, the Mac fails over to other servers. Define these variables:
   - computername is the name of the Mac that you want to join to Active Directory.
   - domain is the domain you want to join.
   - administrator is the domain administrator who has joining and unjoining rights. You must enter the password for this user.

You can also use the dsconfigad command to set more administrative options. For example, in Terminal, enter this command:

   dsconfigad -alldomains enable -groups "domain admins@pretendco.com,enterprise admins@pretendco.com"

When you use the dsconfigad command in a script, you must include the clear-text password used to join the domain. Typically, an Active Directory user with no other administrator privileges is responsible for joining clients to the domain. This user name and password pair is stored in the script. The script usually securely deletes itself after joining so that this information no longer resides on the disk. There is little advantage to using command-line scripts to join Active Directory instead of configuration profiles.

After you join your MDM solution to Active Directory, test the connection to make sure it works.

Verify connectivity to Active Directory

1. Ensure that you have the following equipment, software, connections, user names, and passwords:

   - A Mac running macOS Sierra
   - The Mac local administrator account name and password
   - An active VPN connection, so you can access secure networks. Active Directory is usually accessible only on secure networks.
   - Properly working DNS
   - Access to the Active Directory server. Check with your Active Directory administrator or ping the Active Directory IP address.
   - Server hardware running Windows Server 2008 R2 SP1 or later
   - Active Directory Domain Services
   - Active Directory user name and password
   - Authority to join Mac computers to Active Directory and the organizational unit
2. Open Terminal.
3. Enter:

   dig -t SRV _service._protocol.domain

   The domain information groper (dig) command tests that the Mac can read the proper DNS records.
4. Ensure that the macOS network settings are correct and that the DNS server you specified returns service record information for your Active Directory forest.

After you verify your connectivity to Active Directory, set up the Caching service.

Start the macOS Server Caching service

1. Obtain the following equipment, software, connections, user names, and passwords:
   - A Mac running macOS Sierra
   - The Mac local administrator account name and password
   - macOS Server 5.3 or later
   - A minimum of 25 GB of available disk space
   - Wired Ethernet connection
   - A broadband connection (for updates)
2. Open macOS Server.
3. Select Caching in the sidebar.

4. In the Caching pane, turn on the Caching service.
5. To take advantage of the Caching service immediately, restart your devices. Devices learn of the Caching Server over time; when you restart devices, they can use the server immediately.

After you start the Caching service, select a volume for caching.

Select a volume for caching

1. In the macOS Server Caching pane, click Change Location.
2. Select a storage volume.
3. Click Choose. The Caching service stops temporarily while it copies the existing cache to the new location.
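Returning to the two Terminal exercises above (binding with dsconfigad and checking SRV records with dig), the following script is an added example, not the guide's own, showing how the join can be scripted without storing the join password in the script, as the guide warns is usually done. It assumes the standard AD SRV record names under _msdcs, the documented dsconfigad options -add, -computer, -username, -password, -ou, -preferred, -force, -alldomains, -groups, -packetsign, -packetencrypt and -show, and the pretendco.com names, which are placeholders from the guide; the dsconfigad -show sample used for testing is constructed.

```shell
#!/bin/sh
# Added example, not from the training guide: an Active Directory join
# script built around the dsconfigad and dig commands from the exercises.
# Assumptions: the standard AD SRV record names under _msdcs; the
# dsconfigad options used below; pretendco.com names are placeholders.

# SRV records a Mac must resolve before binding (domain controllers for
# LDAP and Kerberos). $1 = AD domain.
ad_srv_records() {
  printf '_ldap._tcp.dc._msdcs.%s\n_kerberos._tcp.dc._msdcs.%s\n' "$1" "$1"
}

# The dig check from "Verify connectivity to Active Directory", run for
# every record; fails if any query comes back empty.
check_ad_dns() {
  for rec in $(ad_srv_records "$1"); do
    if [ -z "$(dig -t SRV +short "$rec")" ]; then
      echo "no SRV answer for $rec: fix DNS before binding" >&2
      return 1
    fi
  done
}

# Bind the Mac. $1 domain, $2 computer ID, $3 join user, $4 preferred DC,
# $5 OU distinguished name. The password is never written into this file:
# if AD_JOIN_PASSWORD is set it is passed at execution time (visible in the
# process list for the duration of the join), otherwise dsconfigad prompts
# for it interactively. DRY_RUN=1 prints the invocation for review instead.
join_ad() {
  domain=$1 computer=$2 user=$3 dc=$4 ou=$5
  set -- dsconfigad -add "$domain" -computer "$computer" -username "$user" \
         -preferred "$dc" -ou "$ou" -force
  if [ "${DRY_RUN:-0}" = 1 ]; then
    printf '%s\n' "$* -password [prompted or from AD_JOIN_PASSWORD]"
    return 0
  fi
  check_ad_dns "$domain" || return 1
  if [ -n "${AD_JOIN_PASSWORD:-}" ]; then
    "$@" -password "$AD_JOIN_PASSWORD"
  else
    "$@"
  fi
}

# After the bind: the -alldomains and -groups options shown in the
# exercise, plus signed and encrypted LDAP traffic (requiring both is this
# example's hardening choice, not the guide's). $1 = AD domain.
harden_ad_options() {
  dsconfigad -alldomains enable \
    -groups "domain admins@$1,enterprise admins@$1" \
    -packetsign require -packetencrypt require
}

# Parse `dsconfigad -show` (read from stdin) and print the bound domain,
# or nothing when the Mac is not bound.
bound_domain() {
  sed -n 's/^[[:space:]]*Active Directory Domain[[:space:]]*=[[:space:]]*//p'
}

# Usage: sh ad-join.sh join <domain> <computer> <user> <dc> <ou-dn>
#        sh ad-join.sh harden <domain>
#        sh ad-join.sh status
case ${1:-} in
  join)   shift; join_ad "$@" ;;
  harden) harden_ad_options "$2" ;;
  status) dsconfigad -show | bound_domain ;;
esac
```

Run it once with DRY_RUN=1 to review the exact dsconfigad invocation before binding a real Mac; the script itself contains no credentials, so it does not need to delete itself after the join.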

Now set the cache size and try deleting content.

Set the cache size or delete all cached content

1. In the macOS Server Caching pane, use the Cache Size slider to adjust the caching size limit.
2. Click Reset to delete cached content.
3. If you're sure you want to proceed, click Reset again.

Now set the cache for Mac clients that connect from all networks or the local subnet.

Set the cache for clients that connect from all networks or the local subnet

1. In the macOS Server Caching pane, click Edit Permissions.
2. Click the "Cache content for clients connecting from" pop-up menu.

3. Choose one of the following options:
   - All networks: The Caching Server registers with Apple to serve clients from any network.
   - Only local subnets: The Caching Server determines the IP range of its local network and registers to serve only clients from that range. This automatically includes the Private Networks group.
4. When you finish the configuration, click OK.

Now try setting the cache for Mac clients that connect only from certain networks. On larger networks, ensure that the Caching Server receives requests only from clients that are nearby. You can specify ranges of client addresses that your server is best positioned to serve and optionally make your server exclusive to those clients.

Set the cache for clients that connect from certain networks

1. In the Server app Caching pane, click Edit Permissions.
2. Click the "Cache content for clients connecting from" pop-up menu.
3. Choose "Only some networks".
4. Click Add (+) to add the IP addresses for the network.
5. Choose Create a new network.

6. Enter the IP address group name, a starting IP address, and an ending IP address. Classless Inter-Domain Routing (CIDR) is a method of allocating IP addresses and routing IP traffic. You can enter an address range in CIDR notation (for example, /16) in the Start IP Address field; the ending address is entered automatically.
7. Click Create.
8. Click OK.

9. Confirm the updated Caching service settings.

After you configure the Caching service for advanced networks, configure permissions for peering (the exchange of data directly between caching servers).

Share data with other caching servers

1. In the Server app Caching pane, click Edit Peering Permissions.
2. Click the "Share content with other caching servers connecting from:" pop-up menu.
3. Choose one of the following:
   - All networks: The Caching server shares data with other caching servers from any network.
   - Only local subnets: The Caching server shares data with caching servers within the IP range of its local network. This automatically includes the Private Networks group.
   - Only some networks: The Caching server shares data with the specified networks.
4. Click OK.

Before you enable Profile Manager, configure network and certificate settings for macOS Server. To set up Profile Manager as an MDM service, set up these tools first:

- Open Directory
- APNs
- Device management

Start the Profile Manager service

1. Be sure the macOS server has the following:
   - A static IP address
   - A fully qualified domain name
   - A location that is not on an isolated network
2. Open macOS Server.
3. Log in if required.
4. Click Profile Manager in the sidebar.
5. In the Profile Manager pane, turn on the Profile Manager service.
6. Click the Configure button next to Device Management (if it is not already enabled).
7. If you're prompted to enable Open Directory, complete the setup assistant.
8. If you're prompted, select the SSL certificate to use to encrypt data between Profile Manager and users' devices. You can use the existing self-signed certificate. If you already configured your server with another certificate, you can select it now.

9. Click Done.

After the Profile Manager service completes startup, you can perform these tasks:

- Set up APNs.
- Enroll your company in DEP.
- Access the Profile Manager Administration Portal at mydevices.

Acquire an APN certificate

1. Open macOS Server.
2. Select your MDM server in the server sidebar.
3. Click the Settings tab.
4. Select Apple Push Notifications (APN).

5. In the Apple Push Notifications dialog, provide an organizational Apple ID and the password for that ID. Don't use a personal Apple ID or one that you use to buy apps. You need this Apple ID to renew your certificate every year.
6. Click Get Certificate.
7. Click OK.
8. Set a reminder for the APN certificate expiration date.

Now you're ready to enroll in DEP.

Enroll in DEP

1. Ensure that you're using a supported browser:
   - Safari or later on macOS
   - Internet Explorer or later on Windows
   - Google Chrome or later
2. Go to Apple Deployment Programs.

3. Choose your country or region in the lower-right corner of the window. Not all programs are available in all countries and regions.
4. Click Enroll Now.
5. Click Enroll to the right of Device Enrollment Program.
6. Enter and review your information.
   a. In the Your Work Email field, enter an email address for the agent account. You can't use an email address that's associated with an existing Apple ID or one you used for the Mac App Store, iTunes Store, or iCloud.
   b. In the Verification Contact Work Email field, enter a valid email address for someone at your company who can verify the account with Apple.

7. Click Next.
8. Check your email for a message with the subject line "Enroll your Organization in Apple Deployment Programs".
9. Note your temporary password. The program agent account will receive notifications about the progress of your business's acceptance in DEP.
10. Ensure that mail filters allow mail from all apple.com domains.

Now verify your email address and enable two-step verification.

Verify your email address and enable two-step verification

1. Click the Sign In link in the mail message. This opens Apple ID.
2. Enter the email address and temporary password.
3. Change your password.
4. Answer the three security questions.
5. Check your email for a message with the subject line "Verify your email address".
6. Click the Verify link to verify your email address.
7. Go to Apple ID.
8. Click Manage Your Apple ID.
9. If you need to, sign in with your new password.
10. Click Get Started under two-step verification in the Security section. Two-step verification may require up to 3 days to appear. Use a recovery key if you forget your password or lose access to your trusted devices. If

    you forget your password and don't know your recovery key, you can't use your account.
11. Follow the instructions to enable and verify two-step verification.
12. Click Enable Two-Step Verification.
13. Click Done.
14. Sign out from Apple ID.

You'll receive an email when two-step verification is enabled. Use the DEP administrator account to assign devices and create pointers to MDM servers. You can also let administrators create and manage other administrators. For security, use a new, unused Apple ID for administrator accounts.

Create a DEP administrator account

1. Use the DEP agent account to create an administrator account.
2. Go to Deployment Programs.
3. Sign in using your Apple ID.
4. Select Admins in the sidebar.
5. Click Add Admin Account.
6. Enter a name and work email address.
7. Select Device Enrollment Program.
8. If this administrator manages the VPP account, select Volume Purchase Program. If this administrator manages other administrators, select Create & Edit Admins.
9. Click Add.

The first time an administrator signs in, the administrator must perform these tasks:

- Verify their email address
- Enable two-step verification on the Apple ID website

66 Exercises Agree to the terms and conditions in the Administrator Terms and Conditions agreement Now that you have created your DEP agent and administrator, add your MDM server to the DEP portal so that you can assign devices to your MDM server. Add your MDM server to your DEP account 1. In macos Server, select Profile Manager in the Services list. 2. Select Device Enrollment Program. 3. Click Next, then Export. The default name of the file is DeviceEnrollmentPublicKey.pem. Use the exported file to upload to your DEP account. 4. Go to Deployment Programs. 5. Log in to your DEP account with an agent account or administrator account. 6. In the sidebar, select Device Enrollment Program. 7. Select Manage Servers. 8. Click Add MDM Server. 9. Enter your MDM Server Name. 66

67 Exercises The server name doesn t need to match the MDM service hostname, but the names should relate. 10. Select Automatically Assign New Devices if you want devices you buy in the future to automatically be assigned to this MDM server. You can t automatically assign devices you bought before you add this server to your DEP account. 11. Click Next. 12. Click Choose file. 13. Locate and select the public key file to upload your MDM server Public Key. 14. Click Next. 15. Click Your Server Token. You can now download and install your server token in Profile Manager. 16. Click Done. 17. In macos Server, click Choose. 18. Choose the Server Token downloaded from the Deployment Programs website. The server token name starts with the name of your server followed by "_Token_" and information such as the date. It s in the default Downloads folder. For example: pretendco.com_token_ t z_smime.p7m 19. Click Continue. The Profile Manager server is now associated with the DEP account and configured with your MDM server token. The token expires in 1 year and must be replaced annually by repeating this process. You need a server token replacement if the Apple ID password that you used to set up the DEP server changes. 67

68 Exercises 20. In your browser, refresh your DEP account server list to view available MDM servers. When you assign devices to the MDM server in DEP, your MDM automatically creates placeholders for the devices until they are enrolled. This way, you can populate Mac records and groups with profile settings before you distribute them. When you enroll the matching Mac, it assumes the identity of the placeholder record. If you remove the Mac from management or delete the record from the MDM, a placeholder created by DEP remains. Assign devices to your MDM server in DEP 1. From a browser window, log in to your DEP account. 2. In the sidebar, select Device Enrollment Program. 3. Select Manage Devices. 4. Select an option under Choose Devices By: Serial Number: Manually enter serial numbers. Order Number: Look up the order number. 68

69 Exercises Upload CSV File: Upload a CSV file containing serial numbers. You can manage only serial numbers that were verified by previous orders in DEP. When you look up order numbers, your DEP account order numbers are displayed. To assign all past orders, select All available. 5. In the Choose Action area of the pane, select Assign to Server. This is the default. 6. Select a server from the Choose MDM Server menu. The MDM servers that you added to your DEP account are listed. 7. Click OK. The devices are assigned to the selected MDM server. Immediately after you assign devices to your MDM server, they are available for management. Now you can configure device enrollment settings in your MDM service. In the Program Manager administration portal device list, you can display the list of Mac computers that you assigned to the MDM server. The computers show as placeholder devices because they aren t configured and enrolled in the MDM service. When a device or user no longer needs an app, you can use MDM to revoke and reassign it to a different device or user. Enroll in VPP After you enroll your business in DEP, you can use that same program agent account to enroll in VPP. 1. Go to Deployment Programs. 2. Sign in using your existing DEP agent account. 3. Click Enroll next to Volume Purchase Program. 4. Enter and review your information. 69

70 Exercises 5. Click Next. 6. Check your for a message with the subject line Your Enrollment is in Review. 7. Continue to check your for more messages requesting more information or informing you that your business is approved. When your business is approved, you ll receive an from Apple Deployment Programs with the subject line You re Approved. Then you can do the following: Manage administrators (requires two-step verification). Buy apps using your account. Download a managed distribution token so you can assign apps using an MDM solution. Before you complete the enrollment process, agree to the following: Apple Device Enrollment Program Agreement macos Software License Agreement 8. Go to Deployment Programs. 9. Sign in using your existing Device Enrollment Program agent account. 10. Follow the two-step verification process. 11. Review the agreements carefully and accept the terms and conditions. You must agree to all agreements before you can use DEP. 12. Click Get Started to start using VPP. You can review, download, or print any of the agreements by selecting Terms and Conditions in the sidebar. After you enroll in VPP, you must install a VPP service token on your MDM server to distribute apps to your enrolled MDM devices. 70

Install a VPP service token in your MDM server

1. Go to Deployment Programs.
2. Click Get Started next to VPP.
3. Sign in using your program agent account.
4. Click to go to the Business Store.
5. Enter the Apple ID used for the DEP agent account or the administrator account.
6. Click Sign In.
7. Choose Account Summary from the menu.
8. Click Download Token. The token is downloaded and saved to the default Downloads folder.
9. Open macOS Server.
10. Select Profile Manager in the sidebar Services list.
11. Select Volume Purchase Program.
12. Click Choose.
13. Choose the VPP token downloaded from the VPP Account Summary website. The server token file name is the Apple ID followed by .vpptoken. Here's an example: stoken for By default, the .vpptoken file is in the Downloads folder.
14. Click Continue.
15. Click Continue.
16. Click Done.

Use the Profile Manager administration portal to configure and distribute settings and assign them to enrolled devices.

Access the Profile Manager administration portal

1. Open macOS Server.
2. Log in to the server, if required.
3. Click Profile Manager in the Services sidebar list.
4. At the bottom of the Profile Manager pane, to the right of Profile Manager, click Open in Safari.
5. When Profile Manager opens in your web browser, log in with your administrator account.

The Profile Manager administration portal is a website where you manage app assignments, configure settings for devices, manage enrolled devices and device groups, manage users and user groups, and execute or monitor tasks on enrolled devices.

Device groups enable you to assign profile settings to specific sets of devices. For example, use device groups when you separate Mac computers into iMac, MacBook Pro, and MacBook Air groups, or when you separate Mac computers into business units.

Create device groups

1. Log in to the Profile Manager administrator portal.
2. Select Device Groups from the Library.
3. Click Add Device Group or click Add (+) at the bottom of the Device Groups pane.
4. Enter a device group name.
5. Click Add (+) at the bottom of the Device Group pane.
6. Select Add Devices.
7. In the Add Devices window, click Add All.
8. Use the search Filter to locate devices that you want to add to this device group.
9. Click Add Results.
10. If you are adding only a few devices, choose the devices and click Add next to the device name and description.
11. Click Done.
12. Click Save to apply the group membership changes.

After you create a device group and add members to it, define enrollment settings and Setup Assistant options for the device group. These settings are applied to the device group members when each Mac connects to the MDM server for the first time.

Define enrollment settings and Setup Assistant options

1. Log in to the Profile Manager administrator portal.
2. Select Device Groups from the Library.
3. Select the Device Group name in the devices list.
4. Click the Settings tab.
5. Select the following enrollment settings:
- Prompt User to Enroll Device: During the Setup Assistant process, prompt the user to enroll the Mac in the MDM service.
- Do not allow user to skip enrollment step: Forces the user to complete the enrollment to continue using Setup Assistant. This setting is for iOS devices.
- Prevent unenrollment: Prevents users from removing the MDM service on iOS devices. If a user has a local admin account in macOS, they can override this setting.
- Require credentials for enrollment: Automatically associates a user with the managed device. This setting allows Profile Manager to automatically apply user and user group settings along with device and device group settings. This setting prevents unauthorized access to devices during the Setup Assistant process and makes a wiped device useless to unauthorized users. When a user is required to provide credentials for enrollment, the user must enter credentials for a directory user. During the Setup Assistant process, your MDM service must verify the user credentials with a directory service such as Profile Manager or Active Directory. In the next step, you can provide the user with the option to set up a local Mac account.
6. Select the options that you want to appear in Setup Assistant. For this exercise, choose the following options:
- Location services
- Apple ID
- Terms and Conditions
- FileVault
- Registration
- macOS Account Setup Assistant Options:
  - Create an administrator account: The user creates an administrator account on the Mac.
  - Create a standard account: The user creates a standard account on the Mac. You must also create a managed administrator account.
  - No option to create an account: The user logs in on the Mac using their directory user name and password. You must also create a managed administrator account.
  - Managed macOS Administrator Account: If you create a managed administrator account, choose to show or hide that account in the Users & Groups pane of System Preferences. Unlike a regular administrator account, you can change a managed administrator account's password remotely.
7. Click Save.

Use the Profile Manager administration portal to manage configuration profiles and create device groups for controlling profile distribution. Users and groups from enterprise directory services, such as Active Directory, appear in Profile Manager if the MDM server is properly joined.

Create or edit configuration profiles

1. Log in to the Profile Manager administrator portal.
2. Select Device Groups from the Library.
3. Select the Device Group.
4. Click the Settings tab.
5. Click Edit.
8. Select a payload in the list.
9. Click Configure.
10. Edit the settings for the payload.
11. Click OK. You can configure multiple payloads for a single configuration profile.
12. Click Save to update the profile settings.
13. Click Save again to commit the changes to the database. If you save settings for an automatic push profile, an APNs push notification is sent to the devices.

Mac users configure most settings in System Preferences. By limiting access to System Preferences, you can restrict users from changing Mac behavior and reduce the number of potential help tickets you receive.

Limit access to System Preferences

1. Log in to the Profile Manager administrator portal.
2. Select Device Groups from the Library.
3. Select the device group from the Device Group list.
4. Click the Settings tab.
5. Click Edit.
6. Select Restrictions in the macOS payload list.
7. Click Configure.
8. In the Preferences tab, select Restrict Items in System Preferences.
9. Select specific System Preferences items to enable or disable them. You can choose Select All or Select None to enable or disable all items. If you disable items, users can still access third-party System Preferences panes.
10. Click OK.
11. Click Save.

Now use the Profile Manager administration portal to disallow access to macOS apps.

Restrict users to open only specified apps

1. Log in to the Profile Manager administrator portal.
2. Select Device Groups from the Library.
3. Select the device group from the Device Group list.
4. Click the Settings tab.
5. Click Edit.
6. Select Restrictions in the macOS payload list.
7. Click the Apps tab.
8. Select Restrict to restrict which apps may open.
9. Click Add (+) in the Allow Folders section.
10. Enter /Applications in the Directory Path field.
11. Click OK.
12. Click Save.

When you create configuration profiles, you can decide whether a user can remove them. In Profile Manager, the default removal setting allows a user to delete their user profile and allows any administrator to remove any device profile. The Authorization setting secures profile removal because it forces users to enter a profile password before they can edit a profile. The Never setting means that the profile can't be removed; you must wipe the Mac to remove the profile.

Change profile removal rules

1. Log in to the Profile Manager administrator portal.
2. Select Device Groups from the Library.
3. Select the device group from the Device Group list.
4. Click the Settings tab.
5. Click Edit.
6. Select General in the macOS, iOS, and tvOS payload list.
7. Select Never from the Security settings menu, so that the profile can never be removed from devices in this group.
8. Click OK.
9. Click Save.

Use the VPN payload to configure how a Mac connects to your corporate network through VPN, including the necessary authentication information. Configure this payload to push out automatically so that users receive a configured Mac.

Define VPN settings

1. Log in to the Profile Manager administrator portal.
2. Select Device Groups from the Library.
3. Select the device group from the Device Group list.
4. Click the Settings tab.
5. Click Edit.
6. Select VPN in the macOS and iOS payload list.
7. Click Configure.
8. Provide a name in the Connection Name field.
9. Get the connection settings from the vendor, if you don't already have them.
10. Select a connection type from the Connection Type menu.
11. Enter the settings required to connect to the VPN.
12. Click OK.
13. Click Save.

Use the Passcode payload to specify whether a passcode is required to use a Mac, the passcode characteristics, and how often the passcode must be changed.

Define passcode policies

1. Log in to the Profile Manager administrator portal.
2. Select Device Groups from the Library.
3. Select the device group from the Device Group list.
4. Click the Settings tab.
5. Click Edit.
6. Select Passcode in the macOS and iOS payload list.
7. Click Configure.
8. Specify the passcode length or the number of days after which the passcode must be changed.
9. Click OK.
10. Click Save.

You can join a Mac to Active Directory with a configuration profile.

Join Active Directory

1. Log in to the Profile Manager administrator portal.
2. Select Device Groups from the Library.
3. Select the device group from the Device Group list.
4. Click the Settings tab.
5. Click Edit.
6. Select Directory in the macOS payload list.
7. Click the Configure button.

8. Configure the following settings:
- Directory Type: Choose Active Directory.
- Server Hostname: Enter the hostname of the directory server that the client devices will join when the profile is installed.
- User Name: Enter the directory server user name.
- Password: Enter the directory server administrator password.
- Client ID: (optional) Enter the directory server client ID. If no client ID is provided, the computer name is used as the client ID.
- Organizational Unit: (optional) Enter the directory server organizational unit.
9. Specify advanced settings in the User Experience, Mappings, and Administrative panes, if necessary.
10. Click OK, then click Save.

Now edit configuration profile settings to preconfigure an Exchange account.

Configure EWS

1. Log in to the Profile Manager administrator portal.
2. Select Users from the Library.
3. Select a user from the Users list.
4. Click the Settings tab.
5. Click Edit.
6. Select Exchange in the macOS and iOS payload list.
7. Click Configure.
8. Provide the user's Exchange account information:
- Account Name: EWS account name.
- Connection Type: Select Exchange Web Services.
- User: User with optional domain (for example, user or domain\user).
- Password: (optional) Account password.
- Internal Exchange Host: Microsoft Exchange Server name.
- Internal Server Path: (optional) Internal Exchange host server path.
- External Exchange Host: (optional) Microsoft Exchange Server name.
- External Server Path: (optional) External Exchange host server path.
- Allow Mail Drop: Select this option if Mail Drop is allowed for this account.
9. Select Use SSL for the Internal Exchange Host and the External Exchange Host.
10. Click OK, then click Save.

At times, you won't have a payload or checkbox to configure or manage a setting or service. When this occurs, define custom settings to deploy a profile that manages the settings you need.

Use custom settings to disable AirDrop

1. Log in to the Profile Manager administrator portal.
2. Select Device Groups from the Library.
3. Select the device group from the Device Group list.
4. Click Edit.
5. Select Custom Settings in the macOS payload list.
6. Click Configure.
7. Enter the Preference Domain name. Use the format com.company.application. For example: com.apple.networkbrowser.
8. Click Add Item to add a key-value pair to the Property List Values.
9. Rename the initial key DisableAirDrop.
10. Choose Boolean from the Type menu.
11. Select Value.
12. Click OK.
13. Click Save.

EAP-TLS authenticates clients to a network using a user name, password, and certificate. macOS supports 802.1X EAP-TLS connectivity. Configurations are imported using a configuration profile (.mobileconfig file) that you create in your MDM solution.

Create a configuration profile for 802.1X

1. Log in to the Profile Manager administrator portal.
2. Select Device Groups from the Library.
3. Select the device group from the Device Group list.
4. Click Edit.
5. Select Network in the macOS, iOS, and tvOS payload list.
6. Click Configure.
7. Choose Wi-Fi or Ethernet from the Network Interface menu.
8. For Wi-Fi connections, enter the Service Set Identifier (SSID) and select Dynamic WEP in the Security Type menu.
9. In the Network Security Settings section, click the Protocols tab.
10. Select PEAP in the Accepted EAP Types.
11. Select Use Directory Authentication.
12. Click OK, then click Save.

Use the Certificates payload to add certificates and identities. You can specify the PKCS1 and PKCS12 certificates you want to install. Add corporate and other needed certificates to authenticate Mac access to your network.

Install certificates

1. Log in to the Profile Manager administrator portal.
2. Select Device Groups from the Library.
3. Select the device group from the Device Group list.
4. Click Edit.
5. Select Certificates in the macOS, iOS, and tvOS payload list.
6. Click Configure.
7. Enter a Certificate Name.
8. Click Add Certificate.
9. Locate the certificate and click Choose.
10. Enter a passphrase to secure the credentials.
11. Click OK, then click Save. This sets the trust anchor for the certificate being deployed.

Use the Active Directory Certificate payload to set authentication information for Active Directory Certificate servers. Active Directory Certificate servers bind a Mac to a private key that is stored in a directory server. This payload lets the Mac use the stored key for service encryption and authentication.

Configure an Active Directory certificate

1. Log in to the Profile Manager administrator portal.
2. Select Device Groups from the Library.
3. Select the device group from the Device Group list.
4. Click Edit.
5. Select AD Certificate in the macOS payload list.
6. Click Configure.
7. Provide the required Active Directory certificate information:
- Description: Certificate-request description, as shown in the certificate selector of other payloads such as VPN and Network.
- Certificate Server: Certificate server network address.
- Certificate Authority: CA name.
- Certificate Template: Certificate template name, usually Machine or User.
- Certificate Expiration Notification Threshold: Number of days before the certificate expires at which expiration notifications start.
- RSA Key Size: CSR RSA key size.
- Additional Information: Settings that prompt users for credentials or user names and passwords. If you leave these settings blank, users are prompted for their Active Directory user name and password.
8. Click OK, then click Save.

Use the Printing payload to specify which printers users can print from and whether to apply footers to printed pages.

Manage printing

1. Log in to the Profile Manager administrator portal.
2. Select Device Groups from the Library.
3. Select the device group from the Device Group list.
4. Click Edit.
5. Select Printing in the macOS payload list.
6. Click Configure.
7. Click Add (+) in the Printers List section. The printers installed on the Profile Manager server are listed in the Add Printers window. If the printer you need isn't listed, install it on the Profile Manager server. You can do this in System Preferences > Printers & Scanners.
8. In the Add Printers window, click Add All.
9. Use the search Filter to locate printers that you want to add to the printers list.
10. Click Add Results. You can also select printers and click Add next to the printer name and description.
11. Click Done.
12. Select more options, if necessary. You can select options to allow users to modify the printer list or to allow printers to connect directly to a user's Mac.
13. Click OK.
14. Click Save.

Use System Preferences to repurpose or reassign a Mac.

Reassign a device to a new user

1. Log in to the Mac as an administrator.
2. Open System Preferences > Users & Groups.
3. Unlock the account, if necessary.
4. Select the user in the User list.
5. Click Remove (-).
6. Select an option for the user account home folder:
- Save the home folder in a disk image: The disk image is saved in the Deleted Users folder (in the Users folder).
- Don't change the home folder: The home folder remains in the Users folder.
- Delete the home folder: The user's home folder is deleted. If the Mac was backed up to a network server, a copy of the user's home folder is there.
7. Click Delete User. Depending on the home folder size, it may take a few minutes to delete the user's account.
8. Create a new user account on the Mac.
9. In the Profile Manager administration portal, verify that the Mac is assigned to the new user.

Alternatively, you can use Disk Utility to erase the disk and reinstall macOS. Then, after a new user starts up the Mac, the user can use Setup Assistant and the Mac will re-enroll in MDM.

You can use the Profile Manager administration portal to wipe a Mac.

Wipe a Mac

1. Log in to the Profile Manager administrator portal.
2. Select Devices from the Library.
3. Select the Mac to wipe from the Devices list.
4. In the Device pane, click the cog wheel icon to open the action pop-up menu.
5. Choose Wipe.
6. Enter a lock passcode. The passcode is used when the Mac is wiped and restarted.
7. Click Wipe. The Mac is wiped and all data is lost. When you wipe a Mac, it immediately restarts to a PIN pad. Only the passcode entered in Profile Manager can unlock the Mac.
8. Confirm that the wipe is completed in the Completed Tasks section of Profile Manager.

After setting up payloads for your Mac computers, verify that the configuration profile is installed and that you can manage your devices remotely.

Verify DEP and MDM functionality

1. Start up a Mac that is assigned to your MDM server in your DEP account.
2. Select a language, region, or country code.
3. Connect the Mac to an Ethernet or Wi-Fi network. If the Mac can connect to your DEP account, it is redirected to your MDM service. You'll see a notification stating, "Your organization will automatically configure your device."
4. Authenticate using the user name and password set up for the Mac. After successful authentication, the Mac is enrolled in MDM. Setup Assistant proceeds as you defined.
5. After Setup Assistant finishes, verify the management settings.
6. Open System Preferences.
7. Click Profiles.
8. View the profiles that you applied to the Mac.
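What the "Use custom settings to disable AirDrop" exercise and the Never removal rule from "Change profile removal rules" produce on the wire is a .mobileconfig property list. The example below builds that profile and inspects it the way you would check an exported profile before assigning it; it is an added example, not code from this training or from Profile Manager. The organization name and payload identifiers are constructed, and the domain is written as com.apple.NetworkBrowser, the capitalization used with the defaults command, where the exercise writes it in lowercase.

```python
"""Build and inspect a macOS configuration profile (.mobileconfig) that carries
a Custom Settings payload disabling AirDrop. Added example, not Apple's or
Profile Manager's code. Organization, identifiers and UUIDs are constructed."""
import plistlib
import uuid

# Preference domain and key from the exercise (domain capitalized as with
# `defaults write com.apple.NetworkBrowser DisableAirDrop -bool YES`).
PREFERENCE_DOMAIN = "com.apple.NetworkBrowser"
PREFERENCE_KEY = "DisableAirDrop"
CUSTOM_SETTINGS_TYPE = "com.apple.ManagedClient.preferences"


def build_custom_settings_profile(org: str, identifier: str, *,
                                  removal_allowed: bool = False) -> dict:
    """Return the profile as a dict with the .mobileconfig structure.

    The inner payload is the managed-preferences form Profile Manager's Custom
    Settings payload emits: domain -> "Forced" -> [mcx_preference_settings].
    """
    custom_payload = {
        "PayloadType": CUSTOM_SETTINGS_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{identifier}.customsettings",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Custom Settings",
        "PayloadContent": {
            PREFERENCE_DOMAIN: {
                "Forced": [{"mcx_preference_settings": {PREFERENCE_KEY: True}}]
            }
        },
    }
    return {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        "PayloadIdentifier": identifier,
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Disable AirDrop",
        "PayloadOrganization": org,
        "PayloadScope": "System",  # device-level profile, as for a device group
        # The Never removal rule: the profile can only be removed by wiping
        # the Mac, expressed as PayloadRemovalDisallowed = true.
        "PayloadRemovalDisallowed": not removal_allowed,
        "PayloadContent": [custom_payload],
    }


def to_mobileconfig(profile: dict) -> bytes:
    """Serialize the profile as the XML plist that MDM delivers."""
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def forced_settings(mobileconfig: bytes, domain: str) -> dict:
    """Collect the forced managed preferences one profile sets for a domain.

    Walks every Custom Settings payload in the profile and merges the
    mcx_preference_settings dictionaries recorded under the domain's
    "Forced" list; an empty dict means the profile does not touch the domain.
    """
    profile = plistlib.loads(mobileconfig)
    merged: dict = {}
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != CUSTOM_SETTINGS_TYPE:
            continue
        domain_content = payload.get("PayloadContent", {}).get(domain, {})
        for entry in domain_content.get("Forced", []):
            merged.update(entry.get("mcx_preference_settings", {}))
    return merged


def removal_is_disallowed(mobileconfig: bytes) -> bool:
    """True when the profile carries the Never removal rule."""
    profile = plistlib.loads(mobileconfig)
    return bool(profile.get("PayloadRemovalDisallowed", False))


if __name__ == "__main__":
    # Constructed organization (pretendco is the placeholder used in the exercises).
    data = to_mobileconfig(
        build_custom_settings_profile("Pretendco", "com.pretendco.disableairdrop"))
    with open("DisableAirDrop.mobileconfig", "wb") as fh:
        fh.write(data)
    print(forced_settings(data, PREFERENCE_DOMAIN), removal_is_disallowed(data))
```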

Appendix A: macOS Security

Introduction

macOS is built with multiple security layers so that your Mac can securely access network services and protect important data. macOS also provides security through passcode and password policies that you can establish and enforce with MDM. If a Mac falls into the wrong hands, you, or a user, can use a remote command to erase all information.

Providing a secure computing platform for Mac involves the following:
- Methods that prevent unauthorized Mac use
- Protecting data at rest, even when a Mac is lost or stolen
- Networking protocols and the encryption of data in transmission
- Enabling apps to run securely without compromising platform integrity

These capabilities work together to provide a secure computing platform. A Mac has safety built right in. At Apple, security and privacy are fundamental to the design of all our hardware, software, and services. We protect our customers' privacy with strong encryption and strict policies that govern how all data is handled. For more information, visit Apple's Privacy page.

Many security features and technologies built into macOS work in the background and don't require user management. macOS security services are built on two open-source standards:
- Berkeley Software Distribution (BSD): A form of UNIX that provides fundamental services, including the macOS file system and file access permissions
- Common Data Security Architecture (CDSA): Provides many security services, including more specific access permissions, user identity authentication, encryption, and secure data storage

The macOS kernel is built from BSD and Mach. Mach is a kernel developed at Carnegie Mellon University to support research into distributed and parallel computing operating systems. Mach is one of the earliest examples of a microkernel, but not all versions of Mach are microkernels. Mach derivatives are the basis of the macOS operating system kernel.

BSD provides a user and group identification scheme and enforces access restrictions on files and system resources based on user and group IDs. Mach provides access control by controlling which tasks can send a message to a Mach port. BSD security policies and Mach access permissions are an essential part of security in macOS and are crucial to enforcing local security.

App security

Apple apps shipped with a Mac are signed by Apple. This signature means that macOS can verify an app's integrity and the app developer's identity. Third-party software developers can also sign their apps for macOS. After a developer signs their app, they submit it to Apple. Apple reviews the app before it is made available on the App Store.

macOS uses checksums, which are part of the signing process, to determine if an app was modified. Signing dramatically reduces the number of Keychain dialogs presented to users because macOS can validate the integrity of apps that use Keychain. For managed preferences, macOS uses signatures to verify that an app runs unmodified. The app firewall uses signatures to identify and verify the integrity of apps that are granted network access.

Sandboxing

Sandboxing helps ensure that apps do only what they're intended to do. It does this by restricting which files and networks are accessible to apps and whether the apps can open other apps. Here are examples of apps and programs that are sandboxed:
- All apps in the App Store
- macOS apps that communicate with the network: mDNSResponder (Bonjour's underlying software) and the Kerberos Key Distribution Center (KDC)
- macOS built-in apps: App Store, Messages, Calendar, Contacts, Dictionary, Font Book, Photo Booth, Quick Look previews, Notes, Reminders, Game Center, Mail, and FaceTime
- Programs that routinely take untrusted input, such as arbitrary files or network connections: the Quick Look and Spotlight background daemons
- Safari's built-in PDF viewer and plug-ins: Adobe Flash Player, Silverlight, QuickTime, and Oracle Java

Mandatory access controls

macOS uses mandatory access control (MAC) policies to prevent unauthorized apps from opening. In computer security, MACs limit access to or operations on an object or target. MACs aren't visible to the user and can't be overridden.

MACs restrict access to macOS resources as determined by a special sandboxing profile provided for each sandboxed app. This means that even processes running as root can have extremely limited access to macOS resources.

MACs help to enable Managed Preferences in macOS Server. MACs also allow files within Time Machine backups to be deleted only by programs related to Time Machine. For example, no one can delete files that were backed up by Time Machine from Terminal.

Enhanced quarantining

Apps that download files from the Internet or receive files (such as mail attachments) from external sources use enhanced quarantining to provide protection against malicious software, such as Trojan horses. When an app receives an unknown file, it adds metadata (quarantine attributes) to the file using Launch Services functions. Files downloaded using Safari, Mail, and Messages are tagged with metadata indicating that they're downloaded files. The metadata also includes the URL, date, and time of the download. This metadata is propagated to downloaded archive files (such as ZIP or DMG files) so that all files extracted from the archive are tagged with the same information.

Download Inspector uses this metadata to prevent dangerous file types from being opened unexpectedly. The first time a user tries to open an app that has been downloaded, Download Inspector inspects the file, displays a warning asking whether to run the app, and displays the date, time, and location of the download. Users can continue to open the app or, if they don't recognize or trust the app, cancel the attempt.

The file and its contents are also inspected for malicious software (malware). If malware is detected, a dialog appears with the name of the malware threat contained in the file. The dialog warns the user to move the file to the Trash or eject the image and delete the source file to prevent damage to the Mac. Malware patterns are continually updated through software updates.
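The quarantine metadata described above lives in two places on a Mac: the com.apple.quarantine extended attribute on the file (flags, download time, downloading app, and an event UUID) and the LaunchServices quarantine events database, where that UUID is joined to the download URL and its origin. The example below decodes both; it is an added example and not Apple's code. The attribute value, event row, and URLs are constructed samples, while the table and column names are those of the QuarantineEventsV2 SQLite database under ~/Library/Preferences.

```python
"""Decode the quarantine metadata macOS attaches to downloaded files.
Added example, not Apple's code. The xattr value and the event row are
constructed samples; on a Mac the attribute comes from `xattr -p` and the
events from ~/Library/Preferences/com.apple.LaunchServices.QuarantineEventsV2."""
import sqlite3
import subprocess
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

QUARANTINE_XATTR = "com.apple.quarantine"
# LaunchServices stores event times as seconds since 2001-01-01 UTC.
CORE_DATA_EPOCH = datetime(2001, 1, 1, tzinfo=timezone.utc)

# Constructed sample: a file Safari downloaded on 2017-08-15 12:00:00 UTC
# (0x5992e240 seconds since the Unix epoch), tagged with a constructed UUID.
SAMPLE_TIME = datetime(2017, 8, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_EVENT_ID = "1D9F3C7A-2B4E-4F6A-8C1D-0E2F3A4B5C6D"
SAMPLE_XATTR = f"0083;5992e240;Safari;{SAMPLE_EVENT_ID}"


@dataclass
class QuarantineTag:
    flags: int               # hex bit field written by the downloading app
    downloaded_at: datetime  # when the file was received
    agent: str               # app that downloaded it (Safari, Mail, Messages)
    event_id: str            # UUID joining the file to the LaunchServices log


def parse_quarantine_xattr(value: str) -> QuarantineTag:
    """Parse the 'flags;unixtime_hex;agent;uuid' value of com.apple.quarantine."""
    parts = value.strip().split(";")
    if len(parts) != 4:
        raise ValueError(f"unexpected quarantine attribute: {value!r}")
    flags_hex, ts_hex, agent, event_id = parts
    return QuarantineTag(
        flags=int(flags_hex, 16),
        downloaded_at=datetime.fromtimestamp(int(ts_hex, 16), tz=timezone.utc),
        agent=agent,
        event_id=event_id.upper(),
    )


def read_quarantine_xattr(path: str) -> Optional[str]:
    """Read the attribute from a file with the macOS xattr tool (macOS only).
    Returns None when the file carries no quarantine attribute."""
    result = subprocess.run(["xattr", "-p", QUARANTINE_XATTR, path],
                            capture_output=True, text=True)
    return result.stdout.strip() if result.returncode == 0 else None


def quarantine_event(db: sqlite3.Connection, event_id: str) -> Optional[dict]:
    """Resolve a tag's event UUID to the URL, origin page, agent and time
    recorded in the LSQuarantineEvent table."""
    row = db.execute(
        "SELECT LSQuarantineAgentName, LSQuarantineDataURLString, "
        "LSQuarantineOriginURLString, LSQuarantineTimeStamp "
        "FROM LSQuarantineEvent WHERE LSQuarantineEventIdentifier = ?",
        (event_id,),
    ).fetchone()
    if row is None:
        return None
    agent, data_url, origin_url, seconds = row
    return {
        "agent": agent,
        "data_url": data_url,      # what was downloaded
        "origin_url": origin_url,  # page the download was started from
        "timestamp": CORE_DATA_EPOCH + timedelta(seconds=seconds),
    }


def constructed_events_db() -> sqlite3.Connection:
    """In-memory stand-in for QuarantineEventsV2 holding the sample event."""
    db = sqlite3.connect(":memory:")
    db.execute(
        "CREATE TABLE LSQuarantineEvent ("
        "LSQuarantineEventIdentifier TEXT PRIMARY KEY, "
        "LSQuarantineTimeStamp REAL, LSQuarantineAgentName TEXT, "
        "LSQuarantineDataURLString TEXT, LSQuarantineOriginURLString TEXT)"
    )
    db.execute(
        "INSERT INTO LSQuarantineEvent VALUES (?, ?, ?, ?, ?)",
        (SAMPLE_EVENT_ID, (SAMPLE_TIME - CORE_DATA_EPOCH).total_seconds(),
         "Safari", "https://downloads.example.test/Installer.dmg",
         "https://www.example.test/downloads"),
    )
    db.commit()
    return db


if __name__ == "__main__":
    tag = parse_quarantine_xattr(SAMPLE_XATTR)
    print(tag)
    print(quarantine_event(constructed_events_db(), tag.event_id))
```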
Memory and runtime protection

macOS memory and runtime protection prevents specific software types from exploiting memory allocation or execution methods that can force a processor to execute arbitrary code from another process's memory area. macOS has the following 64-bit protection features:
- No-execute stack: Certain stack memory areas are marked as non-executable.
- No-execute data: Certain data words in memory can't be executed.
- No-execute heap: Certain heap memory areas are marked as non-executable.

In macOS, the no-execute stack is available for 32- and 64-bit apps. For 64-bit processes, macOS provides protection from code execution in both heap and stack-data areas.

macOS also uses library randomization, which uses shifting memory locations for macOS processes each time a Mac starts up. Potential attackers can't depend on key system processes running in known memory locations, so it's difficult for them to compromise macOS.

Gatekeeper

Gatekeeper works with the macOS quarantining system and app signatures to prevent apps from an unknown source from opening. By default, Gatekeeper allows apps from the App Store and identified developers to open without warning. Any unsigned app from an unknown developer won't be allowed to open unless the user intervenes. This additional notification layer prevents the casual use of untrusted apps. You can modify Gatekeeper settings in your MDM solution. You can manage the security assessment policy subsystem in Terminal with the spctl command.

Authorization and authentication

Authorization Services defines a programming interface that facilitates fine-grained control of privileged operations, such as accessing restricted areas of macOS and self-restricted parts of an app. Authorization determines permissions and verifies an identity. For example, macOS authenticates a user who enters a unique password. Authentication is often a step in the authorization process. Some apps and macOS components perform their own authentication, and authentication uses authorization services when necessary.

AuthPlugins

AuthPlugins control access to a service or app. Preinstalled macOS AuthPlugins are in /System/Library/CoreServices/SecurityAgentPlugins. AuthPlugins, their associated rules, and authorization rights for users are defined in the /etc/authorization rights database and are queried by the Security Server. The Security Server is a daemon running in macOS that implements several security protocols, such as encryption, decryption, and authorization computation.
When an app requests authorization rights from the security server, the security server checks the /etc/authorization rights database to determine how to authenticate. The security server requests user interaction through the security agent, if necessary. The security agent then prompts the user to authenticate with a password, smart card, or biometric reader. Then the security agent sends the authentication information back to the security server, which passes it back to the app.
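A right in the authorization database decides how the security server authenticates, and that is what an administrator reviews before trusting an AuthPlugin. The following is an added example, not code from the Apple guide: it parses rights in the XML plist form that `security authorizationdb read <right>` prints and reports how each is granted. The right names, the ExampleCorp plugin and its mechanism are constructed for the example; the plist keys (class, group, shared, timeout, rule, mechanisms) are the ones the database uses.

```python
"""Review macOS authorization rights. Added example; not code from the Apple guide.

A right's class decides how it is granted: "allow" needs no authentication,
"user" requires a member of a group to authenticate, "rule" delegates to named
rules, and "evaluate-mechanisms" runs a chain of "Plugin:mechanism[,privileged]"
entries, where any plugin other than builtin is an AuthPlugin bundle loaded
from SecurityAgentPlugins. The right names and the ExampleCorp plugin are
constructed for this example.
"""
import plistlib

PLIST_HEAD = b'<?xml version="1.0" encoding="UTF-8"?>\n<plist version="1.0">'
PLIST_TAIL = b"</plist>"

# Constructed rights in the shape that `security authorizationdb read` prints.
SAMPLE_RIGHTS = {
    "com.example.prefs.modify": PLIST_HEAD + b"""<dict>
  <key>class</key><string>user</string>
  <key>group</key><string>admin</string>
  <key>shared</key><true/>
  <key>timeout</key><integer>300</integer>
</dict>""" + PLIST_TAIL,
    "com.example.login": PLIST_HEAD + b"""<dict>
  <key>class</key><string>evaluate-mechanisms</string>
  <key>mechanisms</key><array>
    <string>builtin:policy-banner</string>
    <string>ExampleCorp:smartcard-check,privileged</string>
    <string>builtin:authenticate,privileged</string>
  </array>
</dict>""" + PLIST_TAIL,
    "com.example.open-access": PLIST_HEAD + b"""<dict>
  <key>class</key><string>allow</string>
</dict>""" + PLIST_TAIL,
}


def parse_mechanism(spec):
    """Split 'Plugin:mechanism[,privileged]' into its parts."""
    privileged = spec.endswith(",privileged")
    if privileged:
        spec = spec[: -len(",privileged")]
    plugin, _, mechanism = spec.partition(":")
    return {"plugin": plugin, "mechanism": mechanism, "privileged": privileged}


def describe_right(plist_bytes):
    """Normalize one right's plist into a dict the review can reason about."""
    right = plistlib.loads(plist_bytes)
    rules = right.get("rule", [])
    return {
        "class": right.get("class"),
        "group": right.get("group"),
        "shared": bool(right.get("shared", False)),
        "timeout": right.get("timeout"),
        "rules": [rules] if isinstance(rules, str) else list(rules),
        "mechanisms": [parse_mechanism(m) for m in right.get("mechanisms", [])],
    }


def review_right(info):
    """Return the findings a reviewer would want to see for one right."""
    findings = []
    if info["class"] == "allow":
        findings.append("class allow: granted without any authentication")
    if info["class"] == "user" and info["group"]:
        findings.append("requires a member of group '%s' to authenticate" % info["group"])
    if info["shared"]:
        findings.append("shared credential: reused by other shared rights for %s s"
                        % info["timeout"])
    for mech in info["mechanisms"]:
        if mech["plugin"] != "builtin":
            findings.append("non-builtin mechanism %s:%s%s (an AuthPlugin bundle)" % (
                mech["plugin"], mech["mechanism"],
                " running privileged" if mech["privileged"] else ""))
    return findings


def review_all(rights):
    """Map each right name to its findings."""
    return {name: review_right(describe_right(data)) for name, data in rights.items()}


if __name__ == "__main__":
    for name, findings in sorted(review_all(SAMPLE_RIGHTS).items()):
        print(name)
        for finding in findings:
            print("  -", finding)
```

On a Mac, `security authorizationdb read system.login.console` prints a real right whose bytes can be passed straight to describe_right().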

Access permissions

An important aspect of computer security is the granting or denying of access permissions. A permission is the ability to perform a specific operation, such as gaining access to data or executing code. Permissions are granted at the level of folders, subfolders, files, and apps, and for specific data in files, for app capabilities, and for administrative functions. macOS controls permissions at many levels, including the Mach and BSD components of the kernel. To control permissions for networked apps, macOS uses networking protocols.

macOS also uses an access control mechanism known as mandatory access controls. Mandatory access controls are policies that set security restrictions created by the developer, and they can't be overridden. This approach is different from discretionary access controls, which permit users to override security policies according to their preferences. Mandatory access controls aren't visible to users, but they're the underlying technology that helps enable several important features, including sandboxing, managed preferences, and extensions.

Appendix B: Join Open Directory and LDAP

Open Directory

A directory service provides a central repository for information about computer users and resources in an organization. Open Directory makes it possible to consolidate and maintain network information easily in a directory domain, but this information has value only if app and system software processes running on network computers access the information. Open Directory can access information in one or several directory domains. A directory domain stores information in a specialized database that's optimized to handle many requests for information and to find and retrieve information quickly. Open Directory can access directory domains for the following kinds of directory services:

Lightweight Directory Access Protocol (LDAP), an open standard common in mixed environments of Mac, UNIX, and Windows computers. LDAP is the native directory service for shared directories in macOS Server.
Local directory domain, the local directory service for macOS and OS X Server 10.6 or later.
Active Directory, the directory service of Microsoft Windows 2000 and 2003 servers and later.
Network Information System (NIS), the directory service of many UNIX servers.
BSD flat files, the legacy directory service of UNIX systems.

Apple Open Directory enables users to access multiple services and servers with one user name and password. Open Directory is the directory services implementation built into macOS Server. It includes a shared LDAPv3-based directory domain along with a number of schema extensions that use registered Object Identifier (OID) space through the Internet Assigned Numbers Authority (IANA). It also includes the Apple Password Server and Kerberos 5. Each component is integrated using the modular Directory Services subsystem. The Kerberos service running in Open Directory allows users to authenticate with their Open Directory credentials to any service running on any server.
The services must be kerberized and the server that the services are running on must be bound to Open Directory. You must join (bind) a Mac to an Open Directory master or replica before it can access information in Open Directory. Binding configures the LDAPv3 plug-in and allows the Directory Service daemon to access user, group, computer, and authentication information in Open Directory. You can join Open Directory using any of these tools:

Network Utility
System Preferences
Directory Utility (for custom binding)
The macOS Server app

Before you configure Profile Manager, you should configure the Open Directory server.

Set up Open Directory from the macOS Server app

1. Get the organization name and Admin email address. The organization name helps users recognize your Open Directory server.
2. Create a password for the Directory Administrator.
3. Select Open Directory in the Server app sidebar.
4. Turn on Open Directory.
5. Select "Create a new Open Directory domain." Depending on your network requirements, you can instead select "Join an existing Open Directory domain as a replica" or "Restore Open Directory domain from an archive."
6. Click Next.

7. Enter a password and verify it. By default, Directory Administrator is listed as the Name and diradmin is listed as the Account Name.
8. Click Next.
9. Enter your organization name and the Admin email address.
10. Click Next.

11. Confirm the directory server settings.
12. Click Set Up.

Open Directory is now available and you can use it to store user and Mac records.

LDAP

LDAP is an open, vendor-neutral, industry-standard app protocol for accessing and maintaining distributed directory information services over an IP network. Directory services enable user, system, network, service, and app information sharing. LDAP supplies that information, which is stored in a database, to clients and servers. LDAP also defines how clients create, query, and update information in directory services. LDAP is used in most directory services systems, including Microsoft Active Directory. Using the LDAPv3 Directory Service plug-in, macOS supports joining any directory service that supports LDAP. In macOS, you can configure LDAP using any of these tools:

System Preferences
Directory Utility
Terminal
macOS Server

In LDAP, a schema is a set of rules about how data is stored in a directory service. Depending on the schema, you may have to provide custom mappings of directory service data in macOS with data in your directory service. Directory Utility provides templates. It also enables you to complete the following tasks:

Create new templates for easy migration between hosts
Map to commonly used schemas
Map attributes through a special record stored in the directory service
Join macOS to your directory service

When you join macOS to your directory service, you can select from three binding types based on your security needs and LDAP server configuration settings. You can use SSL to encrypt communication for all three binding types:

Simple binding
Trusted binding
Kerberos binding

When you configure simple binding, you configure macOS to look up directory service information with minimum configuration and security. Using a simple bind between a Mac and an LDAP server tells the macOS directory service framework to use an LDAP server as a potential location to find information for simple directory lookups or for account information supplied at the login window. A simple bind tells directory services that a directory domain exists and that it should pull user and computer information from this directory service if the search policy is configured.

If you configure macOS with trusted binding, a server must authenticate itself. This is a more secure binding option.

If you configure macOS with Kerberos binding, you provide digital signing and encryption of all packets. This is the most secure binding option.

Appendix C: System Imaging

System imaging enables you to start up a client Mac computer long enough to install software from a system image or to restore the system state of a running Mac. Imaging often includes packaging software for distribution. macOS has several tools for creating and distributing installation packages. To create a system image, you should know about disk images, installer packages, and the tools for creating and distributing them.

Disk images

A disk image is usually made by creating a sector-by-sector copy of the source medium, thereby replicating the structure and contents of a storage device independent of the file system. Depending on the disk image format, a disk image may span one or more files. There are several types of disk images. To create a system image for a Mac, you must know about these types of disk images:

System image
Network boot image

A system image is a file with a .dmg extension that contains the contents and structure of a disk volume or of a hard disk drive. A system image acts like a mountable disk or volume. You copy a system image onto a drive to restore a system state.

A network boot image is also called a network disk image or an installation image. It starts up the client Mac long enough to install software from the system image. The client Mac computer can then start up from its own hard disk. A network boot image is a folder with a .nbi extension and is a bootable network volume that contains a .dmg disk image file.

Installer packages

In macOS, you can deliver new software, updates, and collections of documents with installer packages. For example, app developers use packages to build installers for their software. Apple uses packages to provide macOS or app upgrades through Software Update. Administrators use packages to deploy small changes, such as binding to a directory service, to client Mac computers. An advantage of creating installer packages is that you can create customized system images.
You can create an image with preinstalled software by combining a system image with installer packages. An installer package has a .pkg file extension and contains everything you need to customize an installation:

Payload: The files that are installed.
Scripts: Perform specified actions that can run before or after the payload is installed.
Information for macOS: Information about how macOS should interpret an installer.
Licensing documents: For the software.
Other information: For example, README files.

A meta installer package is a set of installer packages that's distributed in one file with a .mpkg extension. The meta package typically provides a list of checkboxes you can use to choose which packages or components of a larger installation framework are installed.

Installer

Installer is an app included in macOS that extracts files from installer packages and installs them on macOS. Installer handles authentication, checks that packages are valid, and allows the developer to run custom scripts at several points during the installation. Installer opens when you open an installer package or installer meta package file. You can configure Installer to display a custom welcome message, software licenses, or a readme file.

Many app installers come bundled as standard Apple packages. If an app installer is already a package, you may not need to build your own installer packages. Vendors who distribute packages often have a process for preparing a package for deployment (such as instructions on embedding license keys). You may want to contact the vendor to save time, minimize the amount of user input required to install a package, and avoid unintended consequences.

Create installation packages

Become an identified developer

With Gatekeeper, users can choose to install software from the App Store or from identified developers. If your installation package isn't signed with a Developer ID certificate issued by Apple, it won't open on a Mac.

Only Apple Developer Program members are eligible to request Developer ID certificates from Apple and use them to sign apps or installation packages. You can enroll in the Apple Developer Program as an individual or as an organization. If you're enrolling your organization, you'll need an Apple ID as well as the following to get started:

A D-U-N-S number
Legal entity status
Legal binding authority

Your organization must have a D-U-N-S Number so that Apple can verify your organization's identity and legal entity status. These unique nine-digit numbers are assigned by Dun & Bradstreet and are widely used as standard business identifiers.

Your organization must be a legal entity so that it can enter into contracts with Apple.

As the person enrolling your organization in the Apple Developer Program, you must have the legal authority to bind your organization to legal agreements. You must be the organization's owner, founder, executive team member, senior project lead, or have legal authority granted to you by a senior employee. When you enroll in the Mac Developer Program, you become the primary contact for Apple and can sign legal agreements.

Whether you enroll as an individual or as a company, you're the team agent and responsible for creating Developer ID certificates. If you enroll as a company, you can add individuals to your team, but only the team agent has permission to create Developer ID certificates. These certificates are owned by the team and not by an individual.

You also need Xcode to sign your packages. It includes everything you need to create great apps. It provides you with a unified workflow for user interface design, coding, testing, and debugging.

Ensure that your installation package can be installed

1. Enroll in the Apple Developer Program.
2. Obtain a Developer ID certificate.
3. Before you distribute an installation package, sign it using a Developer ID certificate.
4. Thoroughly test the end-user experience on a Mac.

Choose a way to develop your installation package

You can create packages in several ways:

Create installation packages using a macOS snapshot: Snapshot-based installer packages are great if you're new to building installation packages. But you can inadvertently capture extraneous data if the software changes between your snapshots. To avoid this, always review the files and folders you want to install when you create a snapshot and remove those that aren't required.

Create installation packages using Terminal: Use the pkgbuild command to build a macOS installation component package from on-disk files. You can install an installation package on its own, but the best practice is to use the productbuild command to put the installation package into a product archive. If you have an existing installer package, use the productsign command to sign the package.

Create installation packages using Xcode: You can edit your Xcode project settings anytime, but some settings are necessary during development. Others are recommended when you distribute your app for beta testing and required when you submit your app to the App Store. Read Configuring Your Xcode Project for Distribution for more information.
- During development, your app must be provisioned and code signed to use certain app services and to run on a Mac. If you assign a bundle ID and team to your project, Xcode creates the necessary certificates, identifiers, and profiles for you in your developer account. You can enter this information using the project editor, or as needed, when you add app services and open your app.
- Before you distribute your app for testing or to the App Store, provide the required information about your app; for example, set app icons to pass iTunes Connect validation tests.
- Before you upload your app to iTunes Connect, verify your build settings and set the copyright key for Mac apps.

Create installation packages with third-party products: Some third-party products have compelling features for creating installation packages.
- With Jamf Pro, you can inspect a Mac and create an installer package for each app that's installed on it. Creating installer packages this way enables you to install specific apps instead of a monolithic image.
- AirWatch is the enterprise mobility platform that keeps your users productive and simplifies management and security for IT.
- Systems Manager from Cisco Meraki unifies management and control of thousands of mobile and desktop devices in the secure, browser-based Meraki dashboard. Support your organization's mobility initiatives by seamlessly onboarding new devices and automating application of security policies.
- FileWave's products and features provide a comprehensive solution throughout the life cycle of imaging, deployment, management, and maintenance.

Install installation packages

To install an installation package, double-click its icon in the Finder. The Installer app opens and guides you through the installation steps. You can also install packages with Terminal, Apple Remote Desktop, or third-party patch-management software.

Track installed installer packages

During installation, Installer creates a receipt that contains the installation package resources and a list of the files, the permissions of each file, each file's size, and a checksum. The receipt doesn't contain the files that are installed, so receipt files are small. Use the pkgutil --pkgs command to list the receipts for installed packages in the receipts database. The pkgutil command can also list the files installed by a package. (An app is a bundle of files, so the file list can be lengthy.) The tail end of the command's output shows that pkgutil --pkgs lists the installation package ID and not the installation package filename.

Create system images

To create a system image, complete these tasks:

1. Locate or create a system image source.
2. Log in and start up the Mac from an appropriate location.
3. Choose the tool you want to use to create the system image.
4. Create the system image.

Locate or create a system image source

You can locate or create system images from three primary sources:

The App Store
A preconfigured Mac
An existing system image

You can download and install macOS from the App Store. If you download and install macOS from the App Store, a valid macOS image source appears in the source pop-up menu.

You can duplicate a preconfigured Mac. The Mac you use as the source for the system image should contain the files you want to deploy but no system history or Mac-specific data. To build a system image like this, remove machine-specific data and user account information that was used during setup. Ensure that these tasks occur during the installation or after the deployment:

Rebuild the Local Key Distribution Center (LKDC).
Bind to a directory service.
Rename the Mac.

You can build a system image by combining an existing system image with one or more installation packages.

Log in and start up the Mac from an appropriate location

To create a system image, you must meet these requirements:

You must have a valid macOS image source or volume.
You must be logged in as an admin user.
You can't create a system image of the startup disk you're running on. You must start up from a volume other than the one you're using as the system image source. For example, you could start up from an external hard disk or a second partition on a client Mac hard disk.
You can't create a system image on a volume over a network.

Choose the tool you want to use to create the system image

You can use three tools to create system images:

System Image Utility
Disk Utility
Terminal

System Image Utility prepares and creates a system image simultaneously. It also automatically creates a macOS Restore partition. You can find it in /System/Library/CoreServices/Applications. With System Image Utility, you can create and customize three network disk image types:

NetBoot
NetInstall
NetRestore

NetBoot starts up a client Mac to a version of macOS that is located on a server. This is done in a completely diskless boot environment or by using a disk in the client Mac to cache macOS.

NetInstall takes the logic and options built into Installer and moves them into a startup system image that you can use for networked Mac computers. NetInstall images are good for installing a clean version of macOS over a network, even when the disk drive was completely erased. You can customize the installation process with easy-to-use Automator actions that perform tasks before or after macOS installation. If you use Automator actions, NetInstall users see the same user interface they would see if they were using the macOS Installer on their local Mac drive. Here are some Automator actions you can use:

Repartition hard drives.
Edit macOS installation choices.
Bind Mac computers to directory services.
Rename Mac client computers.
Install more software packages.

NetRestore images Mac computers using a prebuilt system image (also called a prepared disk) with block-copy Apple Software Restore (ASR). When you create NetRestore software package sets, you have options. For example:

Create a system image from an existing Mac.
Create a system image programmatically with a custom software package set.
Choose a system image that is located on a web server or Apple file server.
Use multicast ASR to enable arbitrary sourcing of ASR images.

Disk Utility verifies your Mac computer's startup disk (volume) without starting up from another volume. If Disk Utility discovers issues that require a repair, start up from your macOS installation DVD and use Disk Utility on that disk to make repairs. (You can't repair your startup volume while your Mac is started from it.) Disk Utility is in /Applications/Utilities. By default, when you use Disk Utility, you can create a system image of up to 256 GB on a volume. To create a larger system image on a volume, set defaults with the defaults command before you create a system image. With that command, you can create an image on a volume of up to 512 GB. The following example shows the creation of a larger system image on a volume:

    defaults write com.apple.frameworks.diskimages \
        hfsplus-stretch-parameters -dict \
        hfsplus-stretch-threshold \
        hfsplus-stretch-allocation-block-size 4096 \
        hfsplus-stretch-allocation-file-size

Terminal enables you to use the ASR utility and the hdiutil command to manipulate system images. Use ASR to apply a disk image to a selected partition or mount point on a file system. You can use ASR to create system images from a disk. ASR can read an image locally or from a server through HTTP or its own multicast uniform resource identifier (asr:// URI). By default, when you use the hdiutil command, you can create a system image of up to 256 GB on a volume. Using ASR, you can restore an image on a volume in two ways:

Copy content file by file
Block copy content

Copy content file by file to create a system image if you want to control exactly what goes into it. A block-copied system image doesn't go through the macOS filesystem, so it's faster to deploy. Typically, a block-copied system image is limited only by the drive or network-connection speeds. You must calculate the checksum of the system image and reorder files within the system image before you deploy it.

Create and scan a system image

1. Mount a drive called macOS on your Mac. The drive should include a system image of a clean macOS Sierra installation.
2. Create a system image of the macOS drive.
3. Name the system image SierraImage.dmg.
4. Put it in the Desktop folder:

    hdiutil create -srcfolder /Volumes/macOS ~/Desktop/SierraImage.dmg

5. Use ASR to scan the system image. In the following example, the asr utility is used with the imagescan verb to calculate the checksums of the system image contents and store them in the system image. The checksums ensure that the restore processes occur properly. The imagescan verb also reorders files so that you can multicast-deploy the system image.

    asr imagescan --source ~/Desktop/SierraImage.dmg

Use --filechecksum with the imagescan verb to calculate checksums on each file. Use --nostream with the imagescan verb to calculate checksums on each file and bypass file reordering.

Appendix D: Wireless Specifications

IEEE 802.11 is a set of media access control and physical-layer specifications for implementing wireless local area network (WLAN) computer communication. It operates in a broad range of frequency bands, including 900 MHz and 2.4, 3.6, 5, and 60 GHz. The specifications were created by and are maintained by the Institute of Electrical and Electronics Engineers (IEEE). The purpose of the specifications is to increase data throughput. For more information on 802.11 standards, visit IEEE Wireless Local Area Networks.

The 802.11a specification mandates that a wireless network supports a maximum theoretical bandwidth of 54 Mbps and uses the 5 GHz frequency band. The 5 GHz frequency band is much less crowded than the 2.4 GHz frequency band. 5 GHz channels don't overlap.

The 2.4 GHz frequency band was introduced in the 802.11b specification. The 2.4 GHz band is split into 11 to 14 (depending on the country) overlapping, 20 MHz channels and operates at a maximum throughput of 11 Mbps. Overlapping channels can cause interference when more devices join a network. In the 2.4 GHz band, there are only three nonoverlapping channels (1, 6, and 11). It's best to use nonoverlapping channels when you configure wireless routers.

The 802.11g specification upgraded throughput to 54 Mbps. With faster Internet connections and more devices using wireless technology, 802.11n was created to increase data throughput to speeds up to 600 Mbps. The 802.11n specification supports 2.4 GHz and 5 GHz with the same channels as in the 802.11a, 802.11b, and 802.11g specifications. It also includes these advantages:

Multiple input, multiple output (MIMO), which increases radio link capacity by exploiting multipath propagation
Channel bonding (wide channels), where two or more network interfaces are combined for increased throughput

The MIMO radio system reduces the impact of interference from objects in the surrounding environment, which can interfere with and reflect radio waves that are transmitted from the access point to the client and vice versa. MIMO specifies multiple antennas and advanced algorithms to capture data arriving at different times and potentially out of order.

Channel bonding is a computer networking arrangement in which two or more network interfaces are combined for redundancy or increased throughput. In the 802.11n specification, channel bonding combines two adjacent channels in the 5 GHz spectrum to form 40 MHz channels. This doubles throughput.

802.11ac technology includes the beamforming antenna array. Beamforming, or spatial filtering, is a signal-processing technique used in sensor arrays for directional signal transmission or reception. Most base station antennas emit an equal and constant Wi-Fi signal in all directions, but the beamforming antenna array is smarter: It knows where an 802.11ac device is on the network. A base station using 802.11ac targets its signal to that device, so the Wi-Fi signal is stronger, clearer, and faster.

With support for 802.1X, you can integrate Mac into a broad range of RADIUS authentication environments. macOS supports 802.1X wireless authentication protocols, including these:

IKEv2
EAP-TLS
EAP-TTLS (MSCHAPv2)
EAP-FAST
EAP-AKA
PEAPv0: EAP-MSCHAPv2, the most common form of PEAP
PEAPv1: EAP-GTC, less common and created by Cisco
LEAP

Appendix E: Resources and Support

Training

Get to know your new Mac: For new Mac users. This training helps you set up your Mac and learn about some of its great features.

Mac Integration Basics 10.12: If you want to integrate a Mac into an existing Windows or other standards-based network, this training is for you. It guides you through setting up your system to take full advantage of network services such as directory services, file sharing, printing, and more.

macOS Support Essentials 10.12: macOS Support Essentials is a 3-day course that describes the best ways to support macOS Sierra users. The course includes lectures and hands-on exercises that provide real-world experience.

Apple Training: Unleash the technical guru in you. Learn everything you must master about macOS and related technologies. Our expert Apple Certified Trainers teach the Apple-approved curriculum and complement it with their industry knowledge and real-world experience.

Apple Certification: Differentiate yourself and your business. Demonstrate your depth of knowledge of Apple technology, and make macOS certification part of your career path.

Apple programs

Device Enrollment Program: This program provides a fast, streamlined way to deploy your corporate-owned Mac or iOS devices, whether you bought them directly from Apple or through participating Apple Authorized Resellers. For more information, read the Apple Deployment Programs Device Enrollment Program Guide.

Volume Purchase Program: This program lets you buy world-class apps that are great for business. Buy content in volume from the VPP store and equip your entire workforce with innovation. For more information, read the Volume Purchase Program Guide.

Developer Enterprise Program: Get tools and resources to transform your mobile workforce with enterprise-class iOS and Mac apps, distributed seamlessly and securely within your organization. Join the program and get everything you need to start distributing proprietary in-house apps to your employees.

Lease and trade-in

Lease: For qualifying businesses, leasing equipment often means paying less over time than you would for an initial cash purchase.

Trade-in: The Apple Renew program lets you recycle any Apple device at any Apple Store or online. Your device will be recycled responsibly or used again.

Support

Business support: All the topics, resources, and contact options you need for business.

AppleCare OS Support: Three tiers of support for Apple OS integration, migration, and advanced server operation.

AppleCare Protection Plan: Most Apple hardware comes with a 1-year limited warranty and up to 90 days of complimentary telephone technical support. To extend your coverage, buy the AppleCare Protection Plan or AppleCare+.

AppleCare for Enterprise: From 24/7 phone support to priority onsite repairs, you'll get personalized help from experts who can keep your IT operations running smoothly.

Self-Servicing Account Program: The Apple SSA program is for institutions and businesses that would like the convenience of repairing their own products. Program participants (Self-Servicers or SSAs) are authorized to repair only the products they own or lease.

Documentation

Programs and Resources Review Checklist: A checklist to help you prepare your organization to scale and support Mac. With valuable programs, Apple has helped many organizations deploy, manage, and support Apple technology with ease within their existing infrastructure. Use this checklist to evaluate your environment and learn about available resources.

macOS Deployment Reference: Available from the iBooks Store at no cost. Read about new ways to deploy your Apple devices. Using Apple Deployment Programs (for business) with an MDM solution gives you greater flexibility and control over your deployments.

127 Resources and Support macos Server Help: With macos Server, small organizations and workgroups without an IT department can take full advantage of the benefits of a server. A nontechnical user can easily set up and manage macos Server for a group. Other users in the group can automatically configure computers using macos and ios devices such as iphone, ipad, and ipod touch to get services from macos Server. macos Server Tutorials: Learn about sharing files, managing devices, hosting websites, and more. Mac OS X manual pages: Manual (man) pages come with macos. They are a form of software documentation. You can open a man page in Terminal with the man command. Profile Manager Help: Use Profile Manager to configure and distribute settings to Apple devices. You can use Profile Manager to quickly configure large numbers of devices with the settings and apps that your organization requires. macos Support Essentials 10.12: This is the official curriculum of the macos Support Essentials course and preparation for Apple Certified Support Professional certification. This book is for support technicians, help-desk specialists, and ardent Mac users. It takes you deep inside macos Sierra. You ll find in-depth, step-by-step instruction on everything from installing and configuring macos Sierra to managing networks and system administration. Third-party MDM solutions Third-party MDM solutions are available to support different management consoles, features, and pricing. Before you choose a solution, decide which management features are best for you. Your Apple Authorized Reseller can help you decide which solution is best for your organization. These are some of the third-party MDM solutions: Jamf Pro from Jamf VMware AirWatch Systems Manager from Cisco Meraki FileWave 2017 Apple Inc. All rights reserved. Apple and the Apple logo are trademarks of Apple Inc., registered in the U.S. and other countries. 127


VMware AirWatch Content Gateway Guide for Linux For Linux

VMware AirWatch Content Gateway Guide for Linux For Linux VMware AirWatch Content Gateway Guide for Linux For Linux Workspace ONE UEM v9.7 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com.

More information

VMware Workspace ONE UEM VMware AirWatch Cloud Connector

VMware Workspace ONE UEM VMware AirWatch Cloud Connector VMware AirWatch Cloud Connector VMware Workspace ONE UEM 1811 You can find the most up-to-date technical documentation on the VMware website at: https://docs.vmware.com/ If you have comments about this

More information

VMware AirWatch Cloud Connector Guide ACC Installation and Integration

VMware AirWatch Cloud Connector Guide ACC Installation and Integration VMware AirWatch Cloud Connector Guide ACC Installation and Integration Workspace ONE UEM v1810 Have documentation feedback? Submit a Documentation Feedback support ticket using the Support Wizard on support.air-watch.com.

More information

VMware AirWatch: Directory and Certificate Authority

VMware AirWatch: Directory and Certificate Authority Table of Contents Lab Overview - HOL-1857-06-UEM - VMware AirWatch: Directory and Certificate Authority Integration... 2 Lab Guidance... 3 Module 1 - Advanced AirWatch Configuration, AD Integration/Certificates

More information

Administering Jive Mobile Apps for ios and Android

Administering Jive Mobile Apps for ios and Android Administering Jive Mobile Apps for ios and Android TOC 2 Contents Administering Jive Mobile Apps...3 Configuring Jive for Android and ios...3 Custom App Wrapping for ios...3 Authentication with Mobile

More information

Sophos Mobile in Central

Sophos Mobile in Central startup guide product version: 8.6 Contents About this guide... 1 What are the key steps?... 2 Activate Mobile Advanced licenses... 3 Configure settings... 4 Configure personal settings...4 Configure IT

More information

Sophos Mobile. startup guide. Product Version: 8.1

Sophos Mobile. startup guide. Product Version: 8.1 Sophos Mobile startup guide Product Version: 8.1 Contents About this guide... 1 Sophos Mobile licenses... 2 Trial licenses...2 Upgrade trial licenses to full licenses... 2 Update licenses... 2 What are

More information

SECURE, CENTRALIZED, SIMPLE

SECURE, CENTRALIZED, SIMPLE 1 SECURE, CENTRALIZED, SIMPLE Multi-platform Enterprise Mobility Management Whitepaper 2 Controlling it all from one place BlackBerry Enterprise Service 10 (BES10) is an end-to-end, multi-platform, device,

More information

Cisco Desktop Collaboration Experience DX650 Security Overview

Cisco Desktop Collaboration Experience DX650 Security Overview White Paper Cisco Desktop Collaboration Experience DX650 Security Overview Cisco Desktop Collaboration Experience DX650 Security Overview The Cisco Desktop Collaboration Experience DX650 (Cisco DX650)

More information