Choose a mobile device management solution
What is mobile device management (MDM)?
MDM lets you securely and wirelessly configure devices, whether they’re owned by the user or your organization. MDM includes updating software and device settings, monitoring compliance with organizational policies, and remotely wiping or locking devices. Users can enroll their own devices in MDM, and organization-owned devices can be enrolled in MDM automatically using Apple School Manager.
How does MDM work?
After the enrollment profile is approved, either by the device or the user, configuration profiles containing payloads are delivered to the device. You can then wirelessly distribute, manage, and configure apps and books purchased through Apple School Manager. Users can install apps themselves, or apps can be installed automatically, depending on the type of app, how it’s assigned, and whether the device is supervised.
What is supervision?
iPhone, iPad, iPod touch, Mac, and Apple TV devices can be supervised. Supervision generally denotes that the device is owned by the organization, which provides additional control over its configuration and restrictions. Supervision is recommended for organization-owned devices.
iPhone, iPad, iPod touch, and Apple TV devices become supervised by:
  Using Apple Configurator 2
    During this process, the device is erased and all data is lost.
  Enrolling the device in an MDM solution and selecting supervision as part of the enrollment process
Mac computers can be supervised if they:
  Are running macOS 10.15 or later and:
    Appear in Apple School Manager
    Are enrolled in an MDM solution linked to Apple School Manager.
  Are running macOS 11 and the enrollment in MDM is user-approved.
  Are upgraded to macOS 11 and the enrollment in MDM was user-approved.
The following devices can be supervised:
  iPhone, iPad, and iPod touch with iOS 5 or later
  Apple TV with tvOS 10.2 or later
The following devices are supervised automatically when enrolled in Apple School Manager:
  iPhone and iPod touch with iOS 13 or later
  iPad with iPadOS 13.1 or later
  Apple TV with tvOS 13 or later
  Mac computers with macOS 10.15 or later
Important: On iPhone and iPad devices that aren’t supervised, a user who knows the passcode can remove configuration profiles, even if the profile-removal option is set to Never in the General settings. Configuration profiles on Mac computers can be removed with the profiles command-line tool or in System Preferences by a user who knows an administrator’s user name and password, unless the devices appear in Apple School Manager.
Considerations when selecting an MDM solution
There are many MDM solutions available from a variety of third parties. You should evaluate which aspects of MDM are most important to your organization—including server platform support and pricing—before you choose a solution. The tips below can help with your decision.
Important: Select the appropriate MDM solution before your deployment begins. Changing solutions mid-deployment may require you to erase each iPad and reenroll it.
Locally hosted or cloud-hosted: An MDM solution can be hosted on a local server or in the cloud. MDM is a lightweight HTTPS-based protocol that can manage devices anywhere in the world with low data-traffic impact, making it well suited for cloud hosting. If your organization chooses a cloud-hosted or internet-hosted solution, many of the MDM configuration steps described in this guide can be considerably reduced or eliminated entirely.
Device support: Some MDM solutions are built with in-depth support for specific Apple device types, for example just Mac computers or iPad devices, while others offer cross-platform support. You can choose a mix of MDM vendors so each device type is supported with a specialized solution, or choose an MDM vendor that supports all Apple device types used across your organization.
Education-centric functionality: Some MDM vendors offer functionality designed specifically for education environments. Make sure your MDM vendor supports Apple School Manager, Classroom, Schoolwork, and the education features introduced with the latest versions of Apple operating systems on the day they launch.
Query and reporting services: An MDM solution can query Apple devices for a variety of information, including hardware serial number, device UDID, Wi-Fi Media Access Control (MAC) address, and FileVault encryption status (for Mac computers). It can also query for software information and restrictions, and list the apps installed on the device.
Vendor support access and policies: MDM is a mission-critical service. You need to evaluate the support, services, and training your MDM vendor provides.
Based on your criteria, you can create a shortlist of MDM solutions and set them up on a trial basis with just a few test devices to evaluate which solution best meets your needs before making a final decision. Apple School Manager allows you to connect with more than one MDM solution, and assign devices to different servers as needed. For more information, see the video Choosing an MDM Solution.
Network requirements for your MDM solution
When installing and configuring your MDM solution, there are important considerations for configuring the network, Transport Layer Security (TLS), infrastructure services, Apple services, and backup. If you’re using a cloud-based MDM solution, most of these considerations are automatically handled by your MDM vendor.
When you install a locally hosted MDM solution, you need to configure all of the following items. Configure and test each one early in the process to ensure a smooth deployment. If your MDM solution is externally managed or hosted in the cloud, your MDM vendor may handle many of these items on your behalf:
DNS: An MDM solution must use a fully qualified domain name that can be resolved from both inside and outside the organization’s network. This lets the server manage devices whether they’re connected locally or remotely. In order to maintain connectivity with clients, this domain name can’t change.
IP address: Most MDM solutions require a static IP address. The existing DNS name must persist if the server’s IP address is changed.
Configure MDM with TLS: All communications between Apple devices and the MDM solution are encrypted with HTTPS. A TLS (formerly SSL) certificate is required to secure these communications. Don’t deploy devices without a certificate from a well-known certificate authority (CA). Note the expiration date and make sure to renew the certificate before it expires.
Firewall ports: To enable both internal and external access to the MDM solution, certain firewall ports must be open. Most MDM solutions accept inbound connections using HTTPS on port 443. Both the MDM solution and the devices must communicate with the Apple Push Notification service (APNs). Prior to November 2020, MDM solutions used ports 2195 and 2196 to reach APNs; since November 2020, they use port 2197. Devices reach APNs on port 5223 and fall back to port 443 over Wi-Fi when port 5223 is blocked.
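A pre-deployment check for these network requirements, written here as an added example (not Apple’s or any MDM vendor’s code): it confirms the FQDN resolves, performs a TLS handshake that fails unless the server certificate chains to a well-known CA and matches the hostname, reports the days until the certificate expires, and lists the APNs ports named above. The hostname mdm.example.edu and the 30-day renewal threshold are assumptions.

```python
# Readiness checks for a locally hosted MDM server (added example, not Apple's code).
import socket
import ssl
import time

MDM_HOST = "mdm.example.edu"  # hypothetical FQDN; replace with your server's name
RENEWAL_WARNING_DAYS = 30     # assumption: flag certificates expiring within a month

def cert_days_remaining(not_after: str, now=None) -> int:
    """Whole days until the 'notAfter' value that SSLSocket.getpeercert() reports,
    e.g. 'Jun 30 12:00:00 2026 GMT'; negative once the certificate has expired."""
    expires = ssl.cert_time_to_seconds(not_after)
    now = time.time() if now is None else now
    return int((expires - now) // 86400)

def apns_ports(before_nov_2020: bool = False) -> dict:
    """Outbound TCP ports for APNs as the guide lists them: the MDM server used
    2195/2196 before November 2020 and 2197 after it; devices use 5223."""
    server = {2195, 2196} if before_nov_2020 else {2197}
    return {"mdm_server_to_apns": server, "devices_to_apns": {5223}}

def dns_resolves(host: str) -> bool:
    """Run once inside and once outside the organization's network; both must pass."""
    try:
        socket.getaddrinfo(host, 443, type=socket.SOCK_STREAM)
        return True
    except socket.gaierror:
        return False

def check_server_cert(host: str, port: int = 443, timeout: float = 5.0) -> dict:
    """Handshake with the default context, which rejects a certificate that does
    not chain to a trusted CA or does not match the hostname."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            cert = tls.getpeercert()
    issuer = dict(rdn[0] for rdn in cert["issuer"]).get("organizationName", "?")
    days = cert_days_remaining(cert["notAfter"])
    return {"issuer": issuer, "days_remaining": days,
            "renew_soon": days < RENEWAL_WARNING_DAYS}

if __name__ == "__main__":
    print("DNS resolves:", dns_resolves(MDM_HOST))
    try:
        print("Certificate:", check_server_cert(MDM_HOST))
    except ssl.SSLCertVerificationError as exc:
        print("Certificate not trusted; do not deploy devices yet:", exc.verify_message)
    except OSError as exc:
        print("Could not connect:", exc)
    print("APNs ports to open:", apns_ports())
```

Run it from a host inside the network and again from one outside it, since the DNS requirement is that the name resolves from both.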
Note: You must add at least one MDM server to Apple School Manager before you can begin assigning devices.