Apple device management considerations for MSPs

Dave Sobel is host of the podcast The Business of Tech and co-host of the podcast Killing IT. In addition, he wrote Virtualization: Defined. Sobel is regarded as a leading expert in the delivery of technology services, with broad experience in both technology and business.

In this video, Sobel discusses remote monitoring and management (RMM) software with Jason Dettbarn, founder and CEO of Addigy Technology, a provider of an Apple device management platform for MSPs. They explore the differences between Apple OS and Windows management approaches.

Transcript follows below. Minor edits have been made for brevity and readability.

Dave Sobel: Obviously, talking to anyone who’s in the RMM [software] space is interesting for me right now. But I want to take a quick second [for you to] tell me a little bit about the Apple view of the market, the Apple space. Oftentimes, when we think about RMM products, we always talk about ones that have been on the Windows side for a long time, but there’s other ecosystems. Tell me about what’s going on in the Apple side of things.

Jason Dettbarn: Yeah. The Apple device management business has been in BYOD [bring your own device]. I think [BYOD] has been the way most people have absorbed it for the past few years. But in the last two or three years, it’s blown up. Every organization, from every enterprise to SMB, has a good number of Macs. Typically, for our MSP partners, they’re often check writers. They’re the ones in the boardroom. And we need to make sure that [the Apple technology is] being managed as best as possible. There’s a lot of growth within the Apple space, especially with the latest Apple M1 systems that are out there.

Apple OS vs. Windows management approaches

Sobel: We’re both engineers by background, so we can take a little bit of that [perspective into this discussion]. My understanding is the Apple approach is very different from the Windows approach in the way devices are managed. Apple is far more focused on what I’d term ‘configuration and policy management enforcement’ than what Windows does, which is more like automation management and execution. Is my perception right?

Dettbarn: You are spot on. This is the first interview where anybody’s asked me that particular question. When we go back in time to when Addigy started, the only way you could manage a Mac was you had to have an agent on the device and you had to manage it through that mechanism, which gave you a pretty open palette for how you [could] do things. For us, it was about configuring the device and delivering a service.

But two years ago, Apple said, ‘If you’re going to have full control of this device, you’re going to have to have it enrolled in an MDM, mobile device management.’ Well, every MDM that was built at the time was designed for a phone, not for a computer, the workhorse of an organization.

So, it’s that culmination where every MDM you’re going to look at is about configuring the device, and that’s one leg of that stool. But it’s [also] about delivering the best experience for the end user, the best security, and making sure the system is always in compliance. [Those areas are] what we really focused on.

Sobel: Okay. It’s that architectural difference, which is more of a choice, right? Because particularly if I’m thinking about this from an Apple perspective — and by the way, I’m a Mac user myself — the Apple, the Mac OS, was managed via an agent-style approach. Apple, being Apple, put [the] sledgehammer down and said, ‘No, you’re going to change this way and move to a configuration approach.’ But those are all engineering decisions that theoretically would also be paralleled over on the Windows side, if so chosen, correct?

Dettbarn: Correct. We’re not focusing on Windows at all, but that’s something that you’re seeing with Windows Autopilot, with [Microsoft] Intune, and being able to provide that automated out-of-the-box provisioning, which is very similar to Apple’s MDM fashion. So, it’s the same sort of piece that’s being brought over to the Windows side.

The thing that’s been lacking on the Apple side is identity. Remember, they still have that consumerized view, where the end user logs in with their own credentials and they approve software to run or not run. That’s where you really need the MDM. If you want security software to run, then you need an MDM to not only deploy it but bless it to do its job on the device. Otherwise, the user has full control over whether that software is going to be [allowed to] do its job or not.

Sobel: Okay. Now, you brought it up, and I want to ask [about] Intune. I’m super intrigued with that approach. How do you think about Intune? Competitor? Complementary? Coopetition? How does Intune fit into your ecosystem?

Dettbarn: Absolutely complementary. We work a lot with Intune. It’s about finding ways, from a partnership perspective, that we can fully align there. We’re not fully there yet from a technical perspective, but [Intune’s] Apple MDM has a handful of operations it can perform. It can’t do patching. It can’t deploy software directly onto the machine. There’s a lot of gaps there, and [Intune] is going to be very, very focused on the Windows stack itself. We think it’s extremely, extremely complementary.

RMM security risks

Sobel: Okay, that makes sense. Everyone knows I’ve been very critical of this technology space recently because of the fact that I think it’s become a vector of attack more than a management tool.

Now, some of my thinking would be that switching to a configuration approach actually minimizes that [attack vector] because, rather than running code, you’re enforcing configuration, which are different risk levels.

Tell me your take on the risk of [RMM software] being an attack vector. You can think about your own [software] in this context. What’s your take on being an attack vector now?

Dettbarn: I think there’s a lot of approaches to that overall. You’re exactly right. Forrester’s paper just came out a couple of weeks ago, and they really [focused] on the security of a Mac. I think a lot of that’s branding, where there has just not been a tremendous number of devices out there. Apple does a very, very good job of trying to stay on top of security with the Mac itself, but they obviously are distracted from the end user and that identity and access management of devices.

My point is that it really comes down to being able to move as a cloud vendor. If we have a problem at a security level, we can address that very quickly from a cloud perspective. We maintain the identity access manager for the end user, and you build those layers of controls at a multitenant level. I completely hear what you’re saying, and it’s only going to get more difficult on the Apple side. But from an engineering perspective with MDM, there is absolutely no way to provide any security and control without doing MDM itself. And then you really have to go above and beyond that, because you have to make sure that the system is always in compliance and stays in compliance.

Configuration-based management

Sobel: So, my working theory is that a configuration-based approach to management — meaning enforcing a set of policies at a minimum versus trying to protect every endpoint — is the strategy we need to be moving to as management companies. It’s the only way to get to zero trust, where we’re not an attack factor. Am I right, or am I wrong?

Dettbarn: You’re absolutely right. So, on the internal IT side of the house on Windows, it’s about the user itself. When [users] sit down in front of any computer, only once they’ve logged in do they get what they need on that machine. Period. That’s been great.

On the MSP side of Windows, we actually just focused on the device itself. It was all about the device, device, device.

And that’s actually where Apple is at, in a way, which is a problem, which is, ‘I can configure the device [but] I don’t know who’s on it.’ For example, if you take the serial number off of a computer, you can put that into a VM and provision that configuration management without anything as far as security for the system itself. It’s serial-number spoofing. It’s not very good.

We need to make sure that [when] you put a computer out of the shrink wrap in front of an end user, yes, every MDM can do zero-touch [provisioning], but can it make sure that when that user logs in, they’ll get just what they need to be doing because they’re in an engineering department or finance department? If they change roles, if they move out of the organization, it’s about focusing on the user and how that ties to the device itself for what they need.

How cloud services fit in

Sobel: Okay, I love that. So, you said this: The approach had been endpoint management without representing the user. I think one of the things I’ve advocated for is that we need to have the concept of a user within these management platforms.

Let’s extend that one step further then. How do cloud services fit into your vision of management? Because again, we’re still talking at a device level here, but now we know that there is this other component that we have to manage. It used to be that an email server was a device [and] now it’s not. Now it’s a set of [cloud] services. How do services fit into your vision of management?

Dettbarn: It’s collective. So, we’re a Google organization. [Google is] our IdP [identity provider]. Anything we buy and use has to tie into Google with MFA [multifactor authentication]. That is the baseline. We must have that. If not, it doesn’t fit into our IT organization. I think that’s how most large internal IT organizations roll.

Back in the early days — I came from CA Technologies — those tools became more commoditized and able to deliver that power without the complexity. I think we’ll see this on the SMB side. We need to provide SMBs that capability so all their cloud utilities have that IdP, and then the vendors that they choose also have to tie in properly to those organizations.

Let’s use your zero-trust scenario. IT has owned the credential side of the house. One thing I’ve always looked at in the future is that it’s really HR. HR is all that matters. We can see in the future, whether it’s BambooHR — that’s a customer of ours — or Workday or others: You sit in front of a computer; you don’t have a password yet; [and] we identify and validate that you are who you say you are with something better than a password and MFA. That sees your entire organization, your access to all your tools. And your status at an HR level is what dictates everything. But IT has owned that [function] because HR didn’t have the infrastructure. But it takes a lot of time for those changes to move through organizations, in my opinion.

Sobel: Yeah, but I think what we’re seeing is that that move is happening really fast because of the push to the cloud. I know, on the show, I harp constantly about, ‘Oh, be in the business value. Be in the business value.’ Your statement of, ‘Well, that moved from IT to HR’ is that it’s moved from a technical component to a business function. For those listeners, that’s what I mean. You need to be over on the business side of this because that’s an HR function.

Dettbarn: Exactly. I was on the on-premises side of the house, at CA, Kaseya, etc. You’re managing 10 different versions of software out there over years, and you can’t be as quick to deploy security-based enhancements. I look back, and you have to be able to take a cloud perspective. Even as a founder, I understand how my customers are using my product, how we can make it better, where there are problems. It’s extremely important to have that and be able to tie into the right tools within your organization.

Why SMBs lag in migrating management systems to cloud

Sobel: I’m going to give you one last scenario, and we’ll poke at it, because I want to know your thinking on this.

I’m working on a lot of thinking around what the SMB of the future looks like, and even the SMB of the present. One of my most popular pieces on my YouTube channel is a piece called, “If I was starting an MSP today.” The obvious [parallel] that I’m thinking about is, ‘If I’m starting an SMB today.’ If we’re starting an SMB today — I’ve started one recently — you check the checkboxes for cloud service after cloud service after cloud service, right? My accounting is in the cloud, my commerce system is in the cloud, my line of business is in the cloud — everything. Check, check, check, check, check. That seems like a very modern approach.

And then we have this whole space of digital transformation, which is trying to get people who have been around a while to look like that.

But my take here is that the management of those systems focused on the SMB has taken a long time to even get traction. What’s your take on that statement? Am I right, and why is it being held up? Why have we not moved toward that at the speed I think we’d want?

Dettbarn: I mean, [my take is] not very provocative. It’s people, in general. I think you’ve probably predicted — everybody has predicted — that the iPad was going to take out the Mac, or [similarly the] Surfaces and everything else. There’s an inevitability to those things, at least as being a central hub for your computing experience. But we’re slow to change as end users and especially as operations teams.

At the end of the day, HR is never going to fully own the keys to the castle. They’re going to have the systems in place and manage it, but IT will still own it.

The main difference is people are a disruptive factor, where changes are hard.

Where Apple management tools should go next

Sobel: Last question then. So, you’re in this space that’s getting newfound attention, the community at large being both customers and IT providers. I always keep this magic wand on my desk, and if I hand you the magic wand and say, ‘You can wave it on those who are using your technology and you [can have them] do one thing differently,’ what would it be?

Dettbarn: That’s an interesting one. I think it starts with a couple of Apple tools, in general, and then I’m going to talk about one thing that I think we may not see eye to eye on. But I’m going to touch on it anyway.

So, the first part is using Apple Business Manager and identity tools. Apple Business Manager gives you that ability to provision that device out of the box. It provides the highest level of security, and more so, if you have a problem with the device, you can literally hit a button, wipe it and rebuild it. Most of our customers use it, but they have to get their own end users on board with it and enroll. That’s key No. 1. It’s not a huge aspect of it.

The next piece is automation. This is that topic that I know may be a little bit interesting. But the way I look at it [goes] back to the early days of Addigy itself. We took a DevOps approach of doing things. Administrators themselves, they want to get things fixed and get them done. We take that engineering approach that a lot of organizations do with DevOps. With Netflix, they have a [chaos engineering] utility called Chaos Monkey that they run randomly to take down infrastructure. They have to go set that infrastructure back up turnkey. We want to be able to make sure that there is that level of automation that ensures that things get provisioned the right way, but also [addresses] the repetitive remedial tasks that people are doing on a constant basis.

I think it’s really important to look at automation not as a flip of a switch, because that’s impossible, but as a culture of trying to drive more speed with how you do things. And it doesn’t have to actually be completely fixing a problem. We’re the only monitoring, remediation-based tool within the Apple space. If we have a problem on a machine, maybe we can’t fully fix it. But if I take a snapshot of the disk and look at the processes running, and that’s logged in a ticket that I look at a day later, I’ve got all this relevant information I can use. And maybe I can evolve my automation, and we can get certain aspects better for the end-user experience and for the scalability of the MSP.

Sobel: I don’t disagree with it, but I’ll tell you that that will be a really hard wish to give to the genie.

Dettbarn: It’s a culture. Little by little. I know it’s a hard thing, but when you have a culture in a team where they can chip away at that over time, it really changes the way you deliver IT.

About the author

Dave Sobel is host of the podcast The Business of Tech, co-host of the podcast Killing IT and authored the book Virtualization: Defined. Sobel is regarded as a leading expert in the delivery of technology services, with broad experience in both technology and business. He owned and operated an IT solution provider and MSP for more than a decade, and has worked for vendors such as Level Platforms, GFI, LogicNow and SolarWinds, leading community, event, marketing and product strategies, as well as M&A activities. Sobel has received multiple industry recognitions, including CRN Channel Chief, CRN UK A-List, Channel Futures Circle of Excellence winner, Channel Pro’s 20/20 Visionaries and MSPmentor 250.
