Open in app

Sign in

Write

Sign in

How to choose the right Apple MDM (+bonus questions for vendors)

Jon Xavier
Fleetsmith
Published in
9 min readJan 31, 2019

By Jon Xavier

Choosing a device management provider can be tough. It’s a big purchase that has a huge impact on how the IT team will operate going forward, but vendors don’t always make it easy to try it before you buy it. No matter what you choose, long contracts and substantial upfront setup mean you’ll need to stick with what you choose for some time, even if it turns out it isn’t perfect for your needs. With so much on the line, you want to be confident you’ve got a good decision-making criteria based on the things that actually matter.

We get it, and we want to make this as easy as possible, no matter who you end up going with. What follows is some advice on choosing a device manager, based on the experiences of our team both in shopping for a device manager as IT professionals and building one at Fleetsmith.

Although there are a lot of factors to base this choice on, we’ve tried to boil this down to 5 main areas which we’ve found most meaningful with regard to customer satisfaction, and where there’s the most variance between products on the market.

We’ve also included some example questions to ask each vendor that tease out some of these differences. You may not agree with everything we say here, but hopefully this perspective will be useful to you as you work toward a decision.

Total Cost of Ownership

Device management is central to the operations of the IT team, as well as the safety and security of the organization as a whole. So it makes sense to not skimp on it. But let’s be real here — cost still matters.

That being said, it’s not always as simple as making a direct comparison on sticker price. It’s true many providers have moved to per-device pricing, typically in the $7-$9 per device range. But some of them also offer per-employee pricing, which might represent a cost break for companies that need to manage a large pool of devices that aren’t assigned to an employee, like conference room units. Even if a vendor looks cheaper on a per-device basis, you should also be aware that some require you to purchase a minimum number of devices. For a small company that doesn’t have expectations of rapid growth, this is often a big unnecessary expense.

Different device types are often charged differently as well — mobile devices might be a reduced cost, or else thrown in as a part of the normal device license. Depending on the makeup of your device fleet, it will make sense to think long and hard about how these permutations will affect the cost you pay.

Cost isn’t simply limited to the fees you pay to your vendor, either. Depending on the vendor and the implementation, there can be various external costs related to set-up and maintenance. Some solutions have an onerous initial deployment that will require either budgeting a significant amount of your IT department’s time or hiring an outside consultant to pull it off successfully. Others are complex enough that your staff will need special training and certifications to effectively manage them, which also implies an ongoing training cost as the team grows and changes. If you opt for an on-premise solution, you will also need to consider server infrastructure and maintenance in your cost analysis.

There’s also one other thing you should consider: startup fees. Many vendors charge a “jumpstart” fee at signup, and these can be substantial. Especially for a smaller installation, it can easily equal the cost of licenses for your first year. So it is important to factor this into your cost analysis.

Getting started

Once you’ve chosen a device manager, your first task is going to be enrolling your fleet. There are various factors here that affect how this goes, but probably it will be trickier than you expect.

During your initial deployment, you will most likely need to gather a list of all of your outstanding devices, map them to the employees that control them, and then get those employees to install the device manager. Depending on how this is set up, it can be more or less work. If the device management product has an integration with Apple’s Device Enrollment Program (DEP), getting existing devices enrolled is a one-time project after which new devices will come with everything set up for you right out of the box.

Either way, this process will entail a certain amount of manual work, because Apple doesn’t allow MDM profiles to be installed without having an end user click through a prompt to accept. This is very strictly enforced — Apple even put processes in place to detect and reject automated clicks generated through scripts. A modern, well-designed device management product will anticipate this workflow and give you an easy way to track which devices have been managed and which are outstanding.

One final question about deployment is whether the device management solution requires that an agent be installed locally on the machine, or if it can manage the device solely through an MDM profile. Having a local agent gives a much deeper level of control than an MDM profile alone, but the local installation might not be right for some use cases, particularly in Bring Your Own Device situations where the company wants to regulate employee devices that it does not own.

Features and Integration

It’s impossible to go into every possible feature you might want in a device manager here. Which features are important is going to depend on the makeup of your fleet, which software your employees use, your security threat model, and the other elements of your IT toolkit. There are a few core functions every company needs a product to do well — setting up new devices, pushing out software updates, enforcing security and compliance items, fleet visibility and inventory — but beyond that it quickly becomes hard to generalize.

The most thing important when assessing vendors on features and integrations is to first have a clear picture of how you want to use device management. It’s very easy to get distracted by the sheer amount of features available to you. Like many things, however, IT software functionality tends to follow the 80/20 rule — the bulk of the value you get from a solution is going to come from a small subset of features. That does not mean that the other features are irrelevant. It’s nice to have options, after all. But it does mean that getting this core feature set right is going to be far more meaningful in the long run than having a product that checks every conceivable box.

So ask yourself: What are the main problems you are trying to solve? What are the most common tasks that will cause your team to interact with the device manager? What can’t you live without? Answering these questions gets at the core feature set you should be using as a basis for comparing vendors.

Automation

Patching and enforcement are a core use case for device management software, so many solutions have this functionality. That doesn’t mean they’re all the same, however.

Most device management companies provide the functionality to deploy and patch software across the entire device fleet. This is extremely useful, because keeping software up to date is one of the most important things you need to do for security and compliance. Even with such a tool, however, packaging is a significant amount of ongoing maintenance work, since you have to monitor for updates, test them when they’re released to ensure compatibility, package them for distribution to your devices, and then message the update to employees if it is the sort that will disrupt productivity. There are aftermarket ways to automate this workload, such as by integrating your device manager with the popular open source software installation manager Munki. Yet this itself requires some extra work to set up and maintain, and might not be an option depending on your team’s technical skill and capacity.

An advanced device management solution like Fleetsmith gives you this kind of automation for free right out of the box. Software can be deployed from a pre-configured and packaged catalog from within the manager itself, and from that point on it will patch and update itself automatically. This saves hundreds of hours of work each year over manual patching. Even if you have the ability to set up outside automation through something like Munki, putting everything together in one system is more efficient and creates fewer points of failure. So the level of automation each solution provides natively should be something you take into account.

Security

Obviously, security is something that needs to be top of mind for most IT purchases, but for device management it’s especially important. With few exceptions, your device management system is going to have the highest level of privileges on your devices. You cannot afford for something so fundamental to be the weak link in your security.

You might assume that the gravity of what device managers are charged with would result in a high level of security being standard across the entire industry. You’d be wrong.

While it’s true that most solutions can be implemented securely, many are not secure by default, and the amount of work it takes to get them there varies. The most secure device managers will be built in such a way that its difficult or impossible to set them up in an insecure way — at Fleetsmith, we call this “secure by design.”

You should ask potential vendors about common security gotchas like the encryption, data storage policies, certificate management, password policies, logging, and whether they have performed penetration testing. Ask whether they are secure by default, or if additional steps are necessary to secure their product beyond the default installation. If so, ask if they can provide a guide to securing the product so you can compare potential solutions with a clear idea of how much work is involved.

Questions to ask potential vendors

Security

  • When was the last time you had a security audit? Did you pass?
  • What’s your web security score on ____?
  • Do you have an agent? How do you secure communications between it and the server?
  • What are your policies around storage and management of customer data?
  • Does your staff receive training in common operational security practices as a part of their employment (anti-phishing, data handling, password security, etc.)
  • Do you have clients in industries with high compliance requirements like banking, healthcare, insurance, or computer security? Can you provide a testimonial from them?
  • Is your product secure in its default configuration, or are additional steps required to secure it? Do you have a security guide/whitepaper that you can provide?

Deployment

  • How long, from start to finish, will it take to deploy your product out to my entire fleet?
  • How many staff do you suggest that I devote to the deployment project?
  • Do you support the Apple Device Enrollment Program through Apple Business Manager or Apple School Manager integration?
  • What does the process of enrolling existing devices look like?
  • Does your product help me reach my employees guide them through the enrollment process for their devices?
  • Do you integrate with any Identity Providers(IdPs)?
  • Do you provide views which show me how many of my devices have been enrolled and which devices have not?
  • What does the process for reprovisioning a device look like?
  • Can I automatically set up user accounts, change OS settings, deploy and configure apps, and encrypt devices as a part of deployment?

Management

  • Can I install apps and packages through your product?
  • Can I configure apps within your product, or just deploy them as-is to devices?
  • When a new version of an app I have installed comes out, do you surface this proactively or do I have to do my own monitoring?
  • Can you whitelist kernel extensions and TCC permissions so that end users don’t need to click through this prompt?
  • When a software vendor releases an update, do you automatically package, test, and deploy that to my fleet for me?
  • How many clicks do I need to upgrade my entire fleet to macOS Mojave?
  • Are there any deployments that would require me to write a script?

Insights & Intelligence

  • Is it free?
  • Does it proactively alert me to issues, or will I have to manually set up my own alerts?
  • What kinds of things can I monitor through your product?
  • Do you support logging?

Pricing

  • Can I choose whether to do monthly or annual billing?
  • Is there a minimum number of devices I need to buy?
  • Is there a “jumpstart” fee and if so, how much is it?
  • Do you offer/require a certification to use this product and if so, how much does it cost? How many certified people should I have on staff?
  • How many free devices do I get for my pilot?
  • Is there a time-restriction on my pilot?

Originally published at blog.fleetsmith.com on January 31, 2019.

Security
Knowledge Base
Apple
Mac
It

--

--

Fleetsmith
Fleetsmith

Published in Fleetsmith

17 Followers
Last published Apr 22, 2019

News, insights and information from Fleetsmith, the modern approach to Apple device management for forward-looking IT teams

Jon Xavier
Jon Xavier

Written by Jon Xavier

353 Followers
1.1K Following

Former tech journalist, now tech company marketer. Keeping it tight in a world full of looseness. Member DSA SF.

Help

Status

About

Careers

Press

Blog

Privacy

Terms

Text to speech

Teams