
Intro to device management services in Apple Business
Overview
iOS, iPadOS, macOS, tvOS, visionOS and watchOS have a built-in framework that supports device management. A device management service lets an organisation securely and remotely configure devices by sending configurations, profiles and commands to the device, whether the user or your organisation owns it. It also allows the device to asynchronously apply settings and report status back to the device management service without constant polling. This is ideal for performance and scalability. Declarative device management gives organisations more confidence that devices are in the desired state and that essential data is kept secure, even without internet connectivity. And from a user perspective, it provides a much more responsive experience. Capabilities include updating software and device settings, monitoring compliance with organisational policies and remotely wiping or locking devices.
You can assign devices to a device management service to designate which services should be used for Device Enrolment and Automated Device Enrolment. Assigning a device management service doesn’t affect a current enrolment of a device. The difference between the two enrolment methods is as follows:
Device Enrolment: Devices are enrolled by the user after they complete Setup Assistant.
Automated Device Enrolment: Devices appear at Setup Assistant.
You can also assign devices to a service automatically by platform, individually on the device page, as a bulk action, or with Apple Configurator for iPhone.
Based on your criteria, you can create a short list of device management services and set them up on a trial basis with just a few test devices to evaluate which solution best meets your needs before making a final decision. Apple Business allows you to connect with more than one device management service and assign devices to different services as needed.
Before you begin
Before you link to an external device management service, review the information below:
Security: Every external device management service that you create needs to be known to Apple and requires secure authorisation using a two-step verification process. The verification process involves creating and installing a device management service token on your device management service. The certificate encrypts the token. For information about how to transfer the token, see your device management service’s documentation.
Certificates: Before you add an external device management service, get the public key certificate file (ending in .pem or .der) from your device management service developer for each service you want to add. See your device management service’s documentation for information about getting the service’s public key certificate.
Note: You can’t upload more than 250 public key certificate files.
Names: When you name each external device management service, you do not need to use the fully qualified domain name. For example, you can choose a name based on a specific building, location, room or job function (but you can’t use the same name for multiple services). You also can’t name your services Unassigned or Reassigned.
Device support: Some device management services are built with in-depth support for specific Apple device types, for example – just Mac computers or iPhone and iPad devices – while others offer cross-platform support. You can choose a mix of developers so each device type is supported with a specialised solution. Automatic assignment by device type makes this simple. Or choose a developer that supports all Apple device types used across your organisation.
Query and reporting services: A device management service can query Apple devices for a variety of information, including hardware serial number, device UDID, Wi-Fi Media Access Control (MAC) address and FileVault encryption status (for Mac computers). It can also query for software information, such as device version and restrictions, and it can list the apps installed on the device. This information can be used to ensure that users maintain the appropriate apps. iOS and iPadOS allow queries about the last time a device was backed up to iCloud and about the app assignment account hash of the logged-in user. In tvOS, a device management service can query enrolled Apple TV devices for asset information such as language, locale and organisation.
Vendor support access and policies: A device management service is a mission-critical service. You need to evaluate the support, services and any training your device management service developer provides.
Network requirements for your device management service
When installing and configuring your device management service, consider how you’ll configure the network, Transport Layer Security (TLS), infrastructure services, Apple services and backup.
When you install a locally hosted device management service, you need to configure all of the following items. Configure and test each one early in the process to ensure a smooth deployment. If your device management service is externally managed or hosted in the cloud, the developer may handle many of these items on your behalf:
DNS: A device management service needs to use a fully qualified domain name that can be resolved from both inside and outside the organisation’s network. This lets the service manage devices whether they’re connected locally or remotely. In order to maintain connectivity with clients, this domain name can’t change.
IP address: Most device management services require a static IP address. The existing DNS name needs to persist if the server’s IP address is changed.
Configure with TLS: All communications between Apple devices and the device management service are encrypted with HTTPS. A TLS (formerly SSL) certificate is required to secure these communications. Don’t deploy devices without a certificate from a well-known certificate authority (CA). Note the expiry date and make sure to renew the certificate before it expires.
Firewall ports: To allow both internal and external access to the device management service, certain firewall ports need to be open. Most device management services accept inbound connections using HTTPS on port 443. Apple devices need to be able to connect to specific ports on specific hosts:
TCP port 443 during device activation and afterward for fallback if devices can’t reach APNs on port 5223
TCP port 5223 to communicate with APNs
TCP port 443 or 2197 to send notifications from the device management service to APNs
Note: Your device management service may host Activation Lock escrow keys and bypass codes, macOS bootstrap tokens and other unique pieces of data important to continuity of device access. For this reason, make sure you have a robust disaster recovery strategy for your on-premises device management service. It’s recommended that backups and restores be tested regularly.
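The checklist above (a fully qualified domain name that resolves from inside and outside the network, a TLS certificate renewed before its expiry date, and the APNs and service ports reachable) turned into a runnable preflight script. This is an added example, not code from the Apple guide or from any device management service developer. The host names are placeholders and the "inside"/"outside" resolvers are assumptions; the DNS and TCP calls are injectable so the demonstration at the bottom runs offline on constructed data, and in a real deployment you would pass the default system_resolve and tcp_connect and run the script from both a local and an external vantage point.

```python
"""Preflight checks for an on-premises device management service.

Added example, not Apple's or any vendor's code. It encodes the guide's
checklist (resolvable FQDN, TLS certificate expiry, reachable ports) as
functions whose network calls are injectable, so the same checks run
offline against constructed inputs. Host names are placeholders.
"""
import socket
import ssl
import time
from dataclasses import dataclass

# Placeholder host names (assumptions; replace with your own).
MDM_FQDN = "mdm.example.com"
APNS_HOST = "apns-host.placeholder"

# Network paths the guide describes. For each path at least one listed port
# must be reachable: devices talk to APNs on 5223 with 443 as fallback, the
# service pushes to APNs on 443 or 2197, devices reach the service on 443.
REQUIRED_PATHS = [
    ("device->apns", APNS_HOST, (5223, 443)),
    ("service->apns", APNS_HOST, (443, 2197)),
    ("device->service", MDM_FQDN, (443,)),
]


@dataclass
class Finding:
    check: str
    ok: bool
    detail: str


def system_resolve(fqdn):
    """Default resolver: the addresses the local stack returns for fqdn."""
    return {info[4][0] for info in socket.getaddrinfo(fqdn, 443)}


def tcp_connect(host, port, timeout=3.0):
    """Default connector: True if a TCP handshake to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_dns(fqdn, resolvers):
    """The FQDN must resolve from every vantage point (inside and outside).

    resolvers maps a vantage-point label to a callable fqdn -> set of addresses.
    """
    findings = []
    for vantage, resolve in resolvers.items():
        try:
            addrs = resolve(fqdn)
            ok = bool(addrs)
            detail = f"{vantage}: {fqdn} -> {sorted(addrs) if ok else 'no address'}"
        except OSError as exc:  # socket.gaierror is an OSError
            ok, detail = False, f"{vantage}: {exc}"
        findings.append(Finding("dns", ok, detail))
    return findings


def days_until_expiry(not_after, now=None):
    """not_after is the notAfter string from getpeercert(), e.g. 'Jun  1 12:00:00 2030 GMT'."""
    now = time.time() if now is None else now
    return (ssl.cert_time_to_seconds(not_after) - now) / 86400


def check_cert_expiry(not_after, warn_days=30, now=None):
    """Flag a certificate that expires within warn_days so it is renewed in time."""
    days = days_until_expiry(not_after, now)
    return Finding("tls-expiry", days > warn_days, f"certificate expires in {days:.0f} days")


def check_ports(paths, connect):
    """At least one of the listed ports must be reachable on each path."""
    findings = []
    for label, host, ports in paths:
        reachable = [p for p in ports if connect(host, p)]
        findings.append(Finding(f"port:{label}", bool(reachable),
                                f"{host} reachable on {reachable} of {list(ports)}"))
    return findings


def run_preflight(fqdn, resolvers, not_after, paths=REQUIRED_PATHS, connect=tcp_connect, now=None):
    """Run every check; returns (all_ok, findings)."""
    findings = (check_dns(fqdn, resolvers)
                + [check_cert_expiry(not_after, now=now)]
                + check_ports(paths, connect))
    return all(f.ok for f in findings), findings


if __name__ == "__main__":
    # Offline demonstration with constructed data: the external resolver cannot
    # see the name and the service cannot reach APNs, so the preflight fails.
    fake_resolvers = {"inside": lambda name: {"10.0.0.5"}, "outside": lambda name: set()}
    open_ports = {(APNS_HOST, 5223), (MDM_FQDN, 443)}
    ok, findings = run_preflight(MDM_FQDN, fake_resolvers, "Jun  1 12:00:00 2030 GMT",
                                 connect=lambda h, p: (h, p) in open_ports,
                                 now=ssl.cert_time_to_seconds("Apr  2 12:00:00 2030 GMT"))
    for f in findings:
        print("PASS" if f.ok else "FAIL", f.check, f.detail)
    print("overall:", "PASS" if ok else "FAIL")
```

The certificate input is the notAfter string that Python's ssl getpeercert() returns for the service's live certificate, so the expiry check can be fed straight from a TLS connection to the service; the port check only confirms a TCP handshake, which is enough to catch a closed firewall port but not a misconfigured TLS listener, so run it alongside an actual HTTPS request to the service.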
Additional management of devices
Supervision generally denotes that the device is owned by the organisation, which provides additional control over its configuration and restrictions. There are various ways that organisations can supervise devices; some types vary by platform. See About Apple device supervision in Apple Platform Deployment.