Choose a mobile device management solution
What is mobile device management (MDM)?
iOS, iPadOS, macOS and tvOS have a built-in framework that supports mobile device management (MDM). MDM lets you securely and wirelessly configure devices by sending profiles and commands to the device, whether they’re owned by the user or your organisation. MDM capabilities include updating software and device settings, monitoring compliance with organisational policies, and remotely wiping or locking devices. Users can enrol their own devices in MDM and organisation-owned devices can be enrolled in MDM automatically using Apple School Manager.
How does MDM work?
After the enrolment profile is approved, either by the device or the user, configuration profiles containing payloads are delivered to the device. You can then wirelessly distribute, manage and configure apps and books purchased through Apple School Manager. Users can install apps themselves, or apps can be installed automatically, depending on the type of app, how it’s assigned and whether the device is supervised.
What is supervision?
Supervision generally denotes that the device is owned by the organisation, which provides additional control over its configuration and restrictions.
For more information, see About Apple device supervision in Apple Platform Deployment.
Considerations when selecting an MDM solution
There are many MDM solutions available from a variety of third parties. You should evaluate which aspects of MDM are most important to your organisation — including hosting options and pricing — before you choose a solution. The tips below can help with your decision.
Tip: It’s vitally important to select the appropriate MDM solution before your deployment. Changing mid-deployment may require you to erase each device and re-enrol it.
Locally hosted or cloud-hosted: An MDM solution can be hosted on a local server or in the cloud. MDM is a lightweight HTTPS-based protocol that can manage devices anywhere in the world with low data-traffic impact, making it well suited for cloud hosting. If your organisation chooses a cloud-hosted or internet-hosted solution, many of the MDM configuration steps described in this reference can be considerably reduced or eliminated entirely.
Device support: Some MDM solutions are built with in-depth support for specific Apple device types — for example, just Mac computers or iPhone devices — while others offer cross-platform support. You can choose a mix of MDM vendors so each device type is supported with a specialised solution. Automatic assignment by device type in Apple School Manager makes this simple. Or choose an MDM vendor that supports all Apple device types used across your organisation.
Education-centric functionality: Some MDM vendors offer functionality designed specifically for education environments. Make sure your MDM vendor supports solutions such as Apple School Manager, Classroom, Schoolwork, Shared iPad, and all the education features introduced with the latest versions of Apple operating systems on the day of the launch.
Query and reporting services: An MDM solution can query Apple devices for a variety of information, including hardware serial number, device UDID, Wi-Fi Media Access Control (MAC) address and FileVault encryption status (for Mac computers). It can also query for software information, such as device version and restrictions, and list the apps installed on the device. This information can be used to ensure that users maintain the appropriate apps. iOS and iPadOS allow queries about the last time a device was backed up to iCloud, and about the app assignment account hash of the logged-in user. In tvOS, MDM can query enrolled Apple TV devices for asset information such as language, locale and organisation.
Vendor support access and policies: MDM is a mission-critical service. You need to evaluate the support, services and training your MDM vendor provides.
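The query and reporting point above is easiest to see with the responses an MDM server actually receives. The following is an added example, not code from this guide or from any MDM vendor: it parses a constructed DeviceInformation response and a constructed InstalledApplicationList response (both in the plist form the MDM protocol uses; the serial number, UDID, MAC address, version and app identifiers are invented) and evaluates a simple compliance rule, a minimum OS version plus a set of required apps. The `QueryResponses`, `SerialNumber`, `OSVersion`, `WiFiMAC`, `IsSupervised` and `InstalledApplicationList` keys are the protocol's; the compliance policy and the `com.example.*` bundle identifiers are assumptions for the example.

```python
import plistlib
from typing import Dict, List, Tuple

# Constructed sample responses (values invented for this example).
DEVICE_INFO_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CommandUUID</key><string>example-uuid-0001</string>
  <key>Status</key><string>Acknowledged</string>
  <key>UDID</key><string>00008030-00000000000000AA</string>
  <key>QueryResponses</key>
  <dict>
    <key>SerialNumber</key><string>EXAMPLE123</string>
    <key>OSVersion</key><string>17.2</string>
    <key>WiFiMAC</key><string>02:00:00:00:00:01</string>
    <key>IsSupervised</key><true/>
  </dict>
</dict>
</plist>
"""

APP_LIST_PLIST = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
  <key>CommandUUID</key><string>example-uuid-0002</string>
  <key>Status</key><string>Acknowledged</string>
  <key>UDID</key><string>00008030-00000000000000AA</string>
  <key>InstalledApplicationList</key>
  <array>
    <dict>
      <key>Identifier</key><string>com.example.school.reader</string>
      <key>Name</key><string>Reader</string>
      <key>Version</key><string>3.1</string>
    </dict>
    <dict>
      <key>Identifier</key><string>com.example.school.notes</string>
      <key>Name</key><string>Notes</string>
      <key>Version</key><string>1.0</string>
    </dict>
  </array>
</dict>
</plist>
"""


def version_tuple(version: str) -> Tuple[int, ...]:
    """Compare versions numerically: "17.10" is newer than "17.9" (string comparison gets this wrong)."""
    return tuple(int(part) if part.isdigit() else 0 for part in version.split("."))


def evaluate_device(device_info: bytes, app_list: bytes,
                    minimum_os: str, required_apps: List[str]) -> Dict[str, object]:
    """Combine two MDM query responses into one compliance verdict for the device."""
    info = plistlib.loads(device_info)
    apps = plistlib.loads(app_list)
    queries = info.get("QueryResponses", {})
    installed = {a["Identifier"]: a.get("Version", "")
                 for a in apps.get("InstalledApplicationList", [])}
    missing = [bundle_id for bundle_id in required_apps if bundle_id not in installed]
    os_ok = version_tuple(queries.get("OSVersion", "0")) >= version_tuple(minimum_os)
    return {
        "udid": info.get("UDID"),
        "serial": queries.get("SerialNumber"),
        "supervised": bool(queries.get("IsSupervised", False)),
        "os_version": queries.get("OSVersion"),
        "os_compliant": os_ok,
        "missing_apps": missing,
        "compliant": os_ok and not missing,
    }


if __name__ == "__main__":
    # Hypothetical policy: iOS/iPadOS 17.0 or later, two required apps.
    verdict = evaluate_device(DEVICE_INFO_PLIST, APP_LIST_PLIST, "17.0",
                              ["com.example.school.reader", "com.example.school.quiz"])
    print(verdict)
```

An MDM server would feed the real responses from its device records into `evaluate_device` and act on `missing_apps` (for example, by re-issuing the app installation) rather than on the raw plist.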
Based on your criteria, you can create a shortlist of MDM solutions and set them up on a trial basis with just a few test devices to evaluate which solution best meets your needs before making a final decision. Apple School Manager allows you to connect with more than one MDM solution and assign devices to different servers as needed. For more information, see the video Choosing an MDM Solution.
Network requirements for your MDM solution
When installing and configuring your MDM solution, consider how you’ll configure the network, Transport Layer Security (TLS), infrastructure services, Apple services and backup.
When you install a locally hosted MDM solution, you need to configure all the following items. Configure and test each one early in the process to ensure a smooth deployment. If your MDM solution is externally managed or hosted in the cloud, your MDM vendor may handle many of these items on your behalf:
DNS: An MDM solution must use a fully qualified domain name that can be resolved from both inside and outside the organisation’s network. This lets the server manage devices whether they’re connected locally or remotely. In order to maintain connectivity with clients, this domain name can’t change.
IP address: Most MDM solutions require a static IP address. The existing DNS name must persist if the server’s IP address is changed.
Configure MDM with TLS: All communications between Apple devices and the MDM solution are encrypted with HTTPS. A TLS (formerly SSL) certificate is required to secure these communications. Don’t deploy devices without a certificate from a well-known certificate authority (CA). Note the expiration date and make sure to renew the certificate before it expires.
Firewall ports: To enable both internal and external access to the MDM solution, certain firewall ports must be open. Most MDM solutions accept inbound connections using HTTPS on port 443. Both the MDM solution and the devices must communicate with the Apple Push Notification service (APNs). Devices use port 5223. Before November 2020, MDM solutions used ports 2195 and 2196 with APNs; since November 2020, MDM solutions use port 2197.
Tip: Your MDM solution may host Activation Lock escrow keys and bypass codes, macOS bootstrap tokens, and other unique pieces of data important to continuity of device access. For this reason, make sure you have a robust disaster recovery strategy for your on-premises MDM installation. It’s recommended that backups and restores be tested regularly.
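The DNS, TLS and firewall items above are the kind of thing worth checking in a script before the first device is enrolled. The following readiness check is an added example, not code from this guide or from any MDM product: it resolves the MDM server's fully qualified domain name, reports how many days remain on the server's TLS certificate (using the `notAfter` field that Python's `ssl` module returns for a verified peer certificate), and tests TCP reachability of the ports named on this page (443 inbound to the MDM server, 2197 from the server to APNs, 5223 from devices to APNs). The APNs hostnames, the `mdm.example.org` name and the 30-day renewal threshold are assumptions for the example, and the resolver and connector are injectable so the logic can be exercised offline.

```python
import socket
import ssl
import time
from typing import Callable, Dict, List, Optional, Tuple

# Ports from this page. The APNs hostnames are assumptions for this example.
APNS_PROVIDER_HOST = "api.push.apple.com"      # MDM server -> APNs, port 2197
APNS_DEVICE_HOST = "courier.push.apple.com"    # device -> APNs, port 5223


def default_connect(host: str, port: int, timeout: float) -> None:
    """Open and immediately close a TCP connection; raises OSError if unreachable."""
    socket.create_connection((host, port), timeout=timeout).close()


def check_dns(fqdn: str, resolver: Callable[[str], str] = socket.gethostbyname) -> Dict[str, object]:
    """The FQDN must resolve; run this from inside and outside the organisation's network."""
    try:
        return {"ok": True, "address": resolver(fqdn)}
    except OSError as exc:
        return {"ok": False, "error": str(exc)}


def check_ports(targets: List[Tuple[str, int]],
                connector: Callable[[str, int, float], None] = default_connect,
                timeout: float = 3.0) -> List[Tuple[str, int]]:
    """Return the (host, port) pairs that could not be reached."""
    unreachable = []
    for host, port in targets:
        try:
            connector(host, port, timeout)
        except OSError:
            unreachable.append((host, port))
    return unreachable


def fetch_peer_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Fetch the server certificate; the default context verifies the chain against the system trust store."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()


def cert_days_remaining(cert: dict, now_epoch: Optional[float] = None) -> int:
    """Whole days until notAfter; negative means the certificate has already expired."""
    if now_epoch is None:
        now_epoch = time.time()
    expires = ssl.cert_time_to_seconds(cert["notAfter"])
    return int((expires - now_epoch) // 86400)


def readiness_report(fqdn: str, cert: dict, now_epoch: Optional[float] = None,
                     resolver: Callable[[str], str] = socket.gethostbyname,
                     connector: Callable[[str, int, float], None] = default_connect,
                     renew_within_days: int = 30) -> Dict[str, object]:
    """Combine the DNS, certificate and port checks into one verdict."""
    targets = [(fqdn, 443), (APNS_PROVIDER_HOST, 2197), (APNS_DEVICE_HOST, 5223)]
    dns = check_dns(fqdn, resolver)
    days = cert_days_remaining(cert, now_epoch)
    unreachable = check_ports(targets, connector)
    return {
        "dns": dns,
        "unreachable": unreachable,
        "cert_days_remaining": days,
        "cert_renewal_due": days <= renew_within_days,
        "ready": bool(dns["ok"]) and not unreachable and days > 0,
    }


if __name__ == "__main__":
    import sys
    host = sys.argv[1] if len(sys.argv) > 1 else "mdm.example.org"  # hypothetical name
    print(readiness_report(host, fetch_peer_cert(host)))
```

Run it from a workstation on the internal network and again from outside (or from a device on mobile data) so that the DNS and port checks cover both paths the guide describes; `cert_renewal_due` is the value to wire into whatever alerting you already have so the renewal is not missed.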