Hello, and thank you for joining us today! My name is James Bainter and I am a Solution Architect here at CompuCom.
We are going to go over some options on how to manage Macs in your environment.
But before we dive in, I know many have questions about the new operating systems that were announced at the Worldwide Developers Conference. iOS 9 and OS X El Capitan should drop this fall, and every time a new OS comes out, most IT departments scurry around to see if anything will break. This is especially true for those who have custom-built in-house apps.
The best way to stay up on all of the new features and changes is to enroll in the Apple Developer Enterprise Program.
This is tailored for entities who distribute in house apps to their employees, versus the one geared towards app developers who distribute to consumers.
For $299 a year, it gives you a heads up on upcoming features and the ability to test your apps with the latest SDKs and tools.
Like most Apple Enterprise programs, make sure you have the legal authority to bind your organization to legal agreements, and have your organization's D-U-N-S® number.
https://developer.apple.com/programs/enterprise/enroll/
If you do not need to test in house apps, but would like to test out other features ahead of time, join the new Apple Beta Software Program. Keep in mind that whatever devices you use for this, you may have to erase, reinstall or restore from time to time. It will be a test unit, so you may want a 2nd device for this purpose.
Many of you already utilize CompuCom in some capacity. But you may not know the big picture, of all the things we can do.
For example, we can augment your company’s IT staff, fill in any gaps to ensure coverage for the entire lifecycle of your devices.
From cradle to grave, we can help with procurement, deployment, maintenance and even disposition at the end of the lifecycle.
We can do it all turn key, or pick and choose a la carte from a cafeteria style menu.
But today, we are going to focus on the management of your devices. And specifically, your Macs.
You may have a few floating around your organization and just want to get a handle on them before they grow.
You may also be looking at adding Apple devices as a company standard, which has been a growing trend.
But Macs are different than your PC desktops and laptops.
It is possible to use the same tools to manage all devices, but that is usually in situations where the management is very light.
For robust features and functionality, you will probably have to utilize more than 1 tool to really manage them.
Apple helped enterprise customers by introducing the Device Enrollment Program, or DEP.
You can still take advantage of purchasing through a reseller like CompuCom and therefore enjoy the convenience of using POs instead of a credit card while utilizing DEP, as long as your reseller has gone through the process and obtained a DEP ID, which CompuCom has.
Your company just needs to enroll in DEP as well, then add CompuCom to your DEP portal. If you already have an MDM, you can put that information in and are ready to start ordering DEP enabled devices. Once taken out of the box and turned on, they will check in and see that they belong to your company and start the enrollment process. Your MDM can then start pushing configuration profiles, apps, policies, etc.
We have helped our customers through this entire process, so we can easily help you as well.
We have been doing all of the things that Apple’s Device Enrollment Program addresses for years. It was a manual process for us, but we did that for our customers, saving them a lot of time and frustration, and money.
Now with DEP, we can still asset tag, custom kit, stage and deploy across the country, now with less overhead. This saves our customers money.
Plus, we can still augment your staff and help with configuration profiles, manage devices, handle compliance policies and remediate issues for the end user. That frees up your IT staff to focus on propelling the business forward; we can handle the day to day management.
So what tools can be used by your staff, or that CompuCom can handle as a managed service?
For some situations, we have seen Centrify as a perfect fit for our customers.
Their strength is when you have issues binding Macs to Active Directory. Out of the box, Macs do fine with AD.
So, though you may not want to admit it, the problem may be in the infrastructure. Often DNS is the culprit or some other growing pain from mergers and acquisitions that have occurred over time.
Centrify acts as a translator fluent in AD and Mac. You make policy in AD as usual, Centrify translates and speaks Apple to the Macs to carry out what your intention was.
Your Macs and iOS devices can just be objects in AD that you can enforce policy on.
Another big task that Centrify tackles is identity management.
We have moved beyond dealing with on premise device management and extended out to cloud services and mobile devices.
Active Directory is not able to accommodate all of these new changes by itself.
Centrify extends your AD to handle cloud and mobile challenges, all without exposing your directory.
Your AD remains back on premise behind your firewall.
We can have a more detailed conversation and presentation on Centrify if you request one.
Another option: Many MDM, or Mobile Device Management solutions have evolved and now refer to themselves as Enterprise Mobility Management, or EMM. These tools extend beyond phones and tablets and take advantage of Apple’s Configuration Profile feature to tackle OS X. If you are already used to doing this with iOS, it really is not a stretch to start managing OS X laptops and desktops this way.
It can accommodate basic configuration and policy enforcement, and may be more than adequate for your Mac management needs.
The top EMMs include things like Content Management and Application Management in addition to management of the actual devices.
This was a great add on to what Apple enabled via its MDM features.
You can take content that you want to share and push it out with these tools. It allows for permissions and policies to be enforced on the content.
You can restrict what app or apps can open a document or document type.
Of course you can pull the content back as well.
Similar features are available to app management too.
Now if you want full management of Mac computers….
… if you want the king of Mac management, you have to look at JAMF software’s Casper Suite.
It can handle all of the things you are used to doing to your PCs.
Things like Imaging, configuration, inventory, remote access and remediation using scripts and much more.
You can do all of the things the EMM or MDM guys can do to a Mac, but a heck of a lot more.
We have found open source tools like DeployStudio promising, but only if you have dedicated resources to implement and maintain them. The cost in human resources might outweigh the cost of a robust professional suite like Casper.
I think one of the most important differences between an MDM and the Casper Suite is the ability to image Macs and deploy those images.
None of the EMM or MDM solutions do that, so you really need to assess whether that is necessary or not.
Just because you used to image machines in the past with your PCs does not mean you have to with your Macs.
But if your use case has you imaging your PCs, slip streaming updates to the image etc… and you need to do that with your Macs, then JAMF is definitely the one to pilot.
Over the years, people have gone from the monolithic image, where you set up a device the way you want it, copy the entire hard drive image and use that to image other machines.
That is a cumbersome and resource-intensive method of imaging.
Thin Imaging is in.
It’s faster and less resource intensive.
The ultimate goal with image creation is getting each device to a known/good state. The process needs to be repeatable, automated, quick and efficient. We can break an image down into three parts: the base OS, the software, and the settings.
If we look at a deployment of new machines, we already have an OS on the device. So what we do in thin imaging is just lay down the apps and the settings.
If we buy another batch 6 months later, it may have a different OS version or because the hardware changed, a monolithic image with a previous OS probably won’t work on the newer machine.
But with thin imaging, we don’t care. We still have to keep up with changes that may occur as the OS version changes and be sure to test them. You don’t want any apps to break or settings to be incompatible.
We recommend that you layer technologies that work together to give you the best workflow and the most robust set of tools.
We often utilize Apple DEP, VPP and JAMF’s Casper Suite to simplify device enrollment, content distribution and ongoing management.
By doing so, it allows you to preconfigure the device enrollment process, customize the user setup experience, and distribute content to devices without even taking the devices out of the box.
Using these tools, you decide what steps users will take when they set up their devices. You can also assign content to users so that the content becomes available as soon as the user registers.
Additionally, when you assign apps to users, your organization retains ownership of the apps so that you can revoke and reassign them to new users at any time.
You can integrate Apple DEP and VPP into the Casper Suite so that they all work seamlessly together.
With JAMF’s Self Service option, IT can offload some of its tasks to end users. We have seen where some companies just have the devices enroll via DEP when the end user gets their new device and powers up. The unit checks into the customer’s JAMF server, configuration profiles get pushed down and that’s it! They then allow the end user to utilize the self service portal to install any other software.
If you have any Bring Your Own situations, you can bypass the DEP step but still invite users to enroll. They get self service and can install software etc. If they leave, it all gets pulled back.
Best practice dictates that you should not have your end users using an admin account. By default, the first time you set up a Mac, that is the account type. Many organizations have the admin account, but then set up the end user’s account for their daily use. But what if an update comes up, or they need to install a printer or other software? You need admin rights to do those things.
That is towards the top of the list of most frequent help desk tickets.
But, you CAN make it so users do not need admin rights to install from Self Service.
For example, say a user accidentally deletes a printer. They do not need to bug the help desk since they do not have admin rights.
With self service, they don’t need those credentials to install the printer in their self service portal.
And IT dictates what printers are available to which users.
So you can stay compliant with security policies, but free up help desk or significantly reduce the number of desk side visits by utilizing this powerful feature in the Casper Suite.
From the beginning, JAMF focused on Mac management from the ground up. That is all they do. They have day one compatibility when new OS versions come out. They work closely with Apple to stay up on any changes and participate in giving feedback, bugs etc.
You can see all of the in depth robust capabilities of the Casper Suite.
To accomplish all of that, here are the components in Casper Suite that illustrate the architecture.
The Recon Suite is a web-based, cross-platform inventory solution for those who need to know what’s on their network.
Composer is the package-building utility that makes simple snapshot and drag-and-drop package creation quick and easy.
The Imaging Suite takes the pain out of the management and deployment of images.
Casper Admin is the management interface that your staff or CompuCom does all of the daily chores from.
At the heart is the JSS, or JAMF Software Server. This is another area CompuCom can help with, whether you want an on premise instance or a cloud based SaaS type model, we can help.
We can install your JSS in a virtual machine delivered within a preconfigured hardware server that you just plug in and power on. You can give us the IP address etc., so it is all ready to go.
I call it JAMF in a Box, but can’t get permission to actually advertise that one… Too corny?
If you want help comparing and finding the right fit for you, don’t hesitate to contact us. We have gone as far as in depth onsite assessments with detailed reporting for our customers. We have implemented pilot programs and followed through to implementation of full mobility strategies.
We can answer help desk calls, help assess and design a game plan for a project, or repair a broken Mac; we have the credentials. Our staff holds various Apple certifications as well as certifications for the 3rd party tools we have covered. Most of our 10,000+ employees are on the service side of our business. We do not farm everything out to others, like our competitors do.
This gives you better pricing, but more importantly a trusted chain of command and efficiency you cannot have when dealing with multiple entities.
Depending on the scope of help you want, we can provide a Program Manager who will oversee your account.
We have many clients where a PM “lives” onsite and is your interface to the rest of the CompuCom team.
This allows us to really keep in tune with what is going on and help with response times.
Of course on the proactive side, we look at the tools in place to nip issues in the bud, before they become problematic.
Our team can consult, help integrate, provide on-going management, deal with break/fix repairs or hot swap programs and then at the end of the lifecycle, we can help dispose or reclaim devices.
We can do this as part of a refresh program that is strategic and keeps downtime to a minimum.
With that, I thank you so much for taking the time to attend today.
If you ever have any Apple questions, just remember Apple@CompuCom.com
That will distribute to our entire Apple team, including myself.
Thanks again!