
Intro to device management services in Apple Business
Overview
iOS, iPadOS, macOS, tvOS, visionOS, and watchOS have a built-in framework that supports device management. A device management service lets an organization securely and remotely configure devices by sending configurations, profiles, and commands to the device, whether the user or your organization owns it. It also allows the device to asynchronously apply settings and report status back to the device management service without constant polling. This is ideal for performance and scalability. Declarative device management gives organizations more confidence that devices are in the desired state and that essential data is kept secure, even without internet connectivity. And from a user perspective, it provides a much more responsive experience. Capabilities include updating software and device settings, monitoring compliance with organizational policies, and remotely wiping or locking devices.
You can assign devices to a device management service to designate which services should be used for Device Enrollment and Automated Device Enrollment. Assigning a device management service doesn’t affect a current enrollment of a device. The difference between the two enrollment methods is as follows:
Device Enrollment: Devices are enrolled by the user after they complete Setup Assistant.
Automated Device Enrollment: Devices appear at Setup Assistant.
You can also assign devices to a service automatically by platform, per device on the device page, as a bulk action, and with Apple Configurator for iPhone.
Based on your criteria, you can create a short list of device management services and set them up on a trial basis with just a few test devices to evaluate which solution best meets your needs before making a final decision. Apple Business allows you to connect with more than one device management service, and assign devices to different services as needed.
Before you begin
Before you link to an external device management service, review the information below:
Security: Every external device management service you create needs to be known to Apple and requires secure authorization using a two-step verification process. The verification process involves creating and installing a device management service token on your device management service. The certificate encrypts the token. For information about how to transfer the token, see your device management service’s documentation.
Certificates: Before you add an external device management service, get the public key certificate file (ending in .pem or .der) from your device management service developer for each service you want to add. See your device management service’s documentation for information about getting the service’s public key certificate.
Note: You can’t upload more than 250 public key certificate files.
Names: When you name each external device management service, you don’t need to use the fully qualified domain name. For example, you can choose a name based on a specific building, location, room, or job function (but you can’t use the same name for multiple services). You also can’t name your services Unassigned or Reassigned.
Device support: Some device management services are built with in-depth support for specific Apple device types, for example—just Mac computers or iPhone and iPad devices—while others offer cross-platform support. You can choose a mix of developers so each device type is supported with a specialized solution. Automatic assignment by device type makes this simple. Or choose a developer that supports all Apple device types used across your organization.
Query and reporting services: A device management service can query Apple devices for a variety of information, including hardware serial number, device UDID, Wi-Fi Media Access Control (MAC) address, and FileVault encryption status (for Mac computers). It can also query for software information, such as device version and restrictions, and list the apps installed on the device. This information can be used to ensure that users maintain the appropriate apps. iOS and iPadOS allow queries about the last time a device was backed up to iCloud, and about the app assignment account hash of the logged-in user. In tvOS, a device management service can query enrolled Apple TV devices for asset information such as language, locale, and organization.
Vendor support access and policies: A device management service is a mission-critical service. You need to evaluate the support, services, and any training your device management service developer provides.
Network requirements for your device management service
When installing and configuring your device management service, consider how you’ll configure the network, Transport Layer Security (TLS), infrastructure services, Apple services, and backup.
When you install a locally hosted device management service, you need to configure all of the following items. Configure and test each one early in the process to ensure a smooth deployment. If your device management service is externally managed or hosted in the cloud, the developer may handle many of these items on your behalf:
DNS: A device management service needs to use a fully qualified domain name that can be resolved from both inside and outside the organization’s network. This lets the service manage devices whether they’re connected locally or remotely. In order to maintain connectivity with clients, this domain name can’t change.
IP address: Most device management services require a static IP address. The existing DNS name needs to persist if the server’s IP address is changed.
Configure with TLS: All communications between Apple devices and the device management service are encrypted with HTTPS. A TLS (formerly SSL) certificate is required to secure these communications. Don’t deploy devices without a certificate from a well-known certificate authority (CA). Note the expiration date and make sure to renew the certificate before it expires.
Firewall ports: To allow both internal and external access to the device management service, certain firewall ports need to be open. Most device management services accept inbound connections using HTTPS on port 443. Apple devices need to be able to connect to specific ports on specific hosts:
TCP port 443 during device activation, and afterward for fallback if devices can’t reach APNs on port 5223
TCP port 5223 to communicate with APNs
TCP port 443 or 2197 to send notifications from the device management service to APNs
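As an added example (not part of the Apple documentation), the script below turns the port and certificate requirements above into a pre-deployment check for a locally hosted service: it probes the required TCP ports, treating port 443 as an acceptable fallback for APNs on 5223, and computes how many days remain before the TLS certificate expires. The host names are assumed placeholders; replace them with your own service’s FQDN and the APNs hosts named in your service’s documentation.

```python
"""Pre-deployment checks for a locally hosted device management service:
required TCP ports and TLS certificate expiry. Constructed example."""
import socket
import ssl
import time

MDM_HOST = "mdm.example.com"                 # assumed FQDN of your own service
APNS_DEVICE_HOST = "courier.push.apple.com"  # assumed device-side APNs host
APNS_PROVIDER_HOST = "api.push.apple.com"    # assumed service-side APNs host
# (name, host, ports, need): "all" listed ports must be open, or "any" one of them.
CHECKS = [
    ("mdm-inbound-https", MDM_HOST, [443], "all"),
    ("device-to-apns", APNS_DEVICE_HOST, [5223, 443], "any"),  # 443 is the fallback
    ("mdm-to-apns", APNS_PROVIDER_HOST, [443, 2197], "any"),
]

def tcp_reachable(host, port, timeout=3.0):
    """True if a TCP handshake to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def check_ports(checks=CHECKS, probe=tcp_reachable):
    """Return {name: (ok, open_ports)} for every entry in checks. The probe is
    injectable so the pass/fail logic can be exercised without network access."""
    report = {}
    for name, host, ports, need in checks:
        open_ports = [p for p in ports if probe(host, p)]
        ok = bool(open_ports) if need == "any" else open_ports == ports
        report[name] = (ok, open_ports)
    return report

def days_until_expiry(not_after, now=None):
    """not_after is the 'notAfter' string from ssl.getpeercert(), e.g.
    'Jan  5 09:59:03 2012 GMT'. Whole days left; negative means already expired."""
    now = time.time() if now is None else now
    return int((ssl.cert_time_to_seconds(not_after) - now) // 86400)

def fetch_not_after(host, port=443, timeout=3.0):
    """Read the server certificate's notAfter over a verified TLS session;
    the handshake raises if the certificate does not chain to a trusted CA."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]
```

Run `check_ports()` from both inside and outside the organization’s network, since the FQDN must work from both, and schedule `days_until_expiry(fetch_not_after(MDM_HOST))` so renewal happens before the certificate lapses.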
Note: Your device management service may host Activation Lock escrow keys and bypass codes, macOS bootstrap tokens, and other unique pieces of data important to continuity of device access. For this reason, make sure you have a robust disaster recovery strategy for your on-premises device management service. It’s recommended that backups and restores be tested regularly.
Additional management of devices
Supervision generally denotes that the device is owned by the organization, which provides additional control over its configuration and restrictions. There are various ways that organizations can supervise devices; some types vary by platform. See About Apple device supervision in Apple Platform Deployment.