Apple's enterprise IT pitch: Management, security, identity

Apple took a rare public slot at Jamf's JNUC event to summarize its approach to meeting the needs of enterprise IT while still delivering the consumer-simple user experience that every employee-choice program tells us people want.

Management, security, and identity - Apple's approach to enterprise IT

Jeremy Butcher, head of Apple education and enterprise product marketing, spoke to the Jamf JNUC crowd, sharing improvements introduced at WWDC this year that he sees as a good representation of Apple's work.

For years, Apple's mission has been to deliver the best possible user experience with as little friction as possible. Ultimately, an employee should be able to open the box, log in, be enrolled in enterprise systems automatically, and start using the device.

For the most part, Apple and MDM providers such as Jamf have already achieved this. The tools available to IT support increasingly complex setups, including the automation of time-consuming tasks such as monitoring and approving third-party software updates.

Securing the user experience

But securing that process isn't a one-shot job; it is a succession of evolutions over time, reacting to (and at times anticipating) security events.

Industry professionals recognize that one consequence of the pandemic has been an acknowledgment that traditional perimeter protections simply aren't robust enough for endpoints in complex, distributed deployments. In response, security intelligence is increasingly moving onto the device itself and, given the vagaries of bandwidth, will likely become device- rather than cloud-dependent. We saw evidence of that move in Jamf's acquisition of ZecOps.

When it comes to its platforms, Apple is assembling building blocks to support both the toughest available security and best possible user experience.

Interestingly, Butcher conceded that in some places Apple has "room to improve," though it is making "great progress" in others. He discussed four key enhancements from WWDC as evidence of that effort.

What Apple introduced at WWDC

At WWDC 2022, for example, Apple introduced:

Declarative Device Management: Now available across all of Apple's platforms. Rather than waiting for the MDM server to poll it and push commands, a device managed this way receives declarations of the desired state, applies them itself, and reports status back to the MDM server when something changes at the endpoint, which lets it react more quickly to changes deployed by IT. The idea is that admins have a much better picture of what is going on with a device and can apply any required policy quickly. It also hints at an approach to security that makes the Mac, iPhone, or iPad more self-aware. Apple calls this technology "the future of MDM."
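To make the declarative model concrete, here is an added example (not Apple's or Jamf's code) of the two halves described above: the server publishes declarations whose ServerToken changes whenever their content changes, and the device reconciles that list against what it has already applied and pushes only the status items that have changed. The Type, Identifier, ServerToken and Payload field names follow Apple's declaration format and com.apple.configuration.passcode.settings is a real declaration type, but the payload keys, the status item names, and the choice of a content hash as the token are assumptions made for this example.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"fmt"
	"sort"
)

// Declaration follows the shape of a declarative management declaration:
// a Type, an Identifier, an opaque ServerToken that changes whenever the
// declaration changes, and the Payload. The field names are Apple's; the
// payload values below are constructed for this example.
type Declaration struct {
	Type        string                 `json:"Type"`
	Identifier  string                 `json:"Identifier"`
	ServerToken string                 `json:"ServerToken"`
	Payload     map[string]interface{} `json:"Payload"`
}

// NewDeclaration derives ServerToken from the canonical JSON of the payload.
// Assumption: the server may pick any opaque token; a content hash means a
// changed payload always yields a changed token, and an unchanged one never does.
func NewDeclaration(typ, id string, payload map[string]interface{}) Declaration {
	b, _ := json.Marshal(payload) // map keys are emitted in sorted order, so this is canonical
	sum := sha256.Sum256(b)
	return Declaration{Type: typ, Identifier: id, ServerToken: hex.EncodeToString(sum[:8]), Payload: payload}
}

// DeviceState is what the endpoint tracks on its own: which declarations it
// has applied, and under which token.
type DeviceState struct {
	Applied map[string]string // Identifier -> ServerToken currently applied
}

// Sync is the device-side reconciliation. Given the server's current
// declaration list, it returns the identifiers the device must (re)apply
// because the token is new or changed, and those it must remove because the
// server no longer declares them. Unchanged declarations are not touched.
func Sync(ds *DeviceState, serverDecls []Declaration) (apply, remove []string) {
	seen := map[string]bool{}
	for _, d := range serverDecls {
		seen[d.Identifier] = true
		if ds.Applied[d.Identifier] != d.ServerToken {
			apply = append(apply, d.Identifier)
			ds.Applied[d.Identifier] = d.ServerToken
		}
	}
	for id := range ds.Applied {
		if !seen[id] {
			remove = append(remove, id)
			delete(ds.Applied, id)
		}
	}
	sort.Strings(apply)
	sort.Strings(remove)
	return apply, remove
}

// ChangedItems is the status channel in miniature: the device compares the
// status items it last reported with their current values and pushes only
// the ones that changed, instead of waiting for the server to poll. Values
// must be comparable types (bool, string, number). Item names are constructed.
func ChangedItems(lastReported, current map[string]interface{}) []string {
	var changed []string
	for k, v := range current {
		if lastReported[k] != v {
			changed = append(changed, k)
		}
	}
	sort.Strings(changed)
	return changed
}

func main() {
	ds := &DeviceState{Applied: map[string]string{}}
	passcode := NewDeclaration("com.apple.configuration.passcode.settings", "passcode",
		map[string]interface{}{"MinimumLength": 8})
	apply, remove := Sync(ds, []Declaration{passcode})
	fmt.Println("first sync: apply", apply, "remove", remove)

	// The server tightens the policy: only the token changes, and only this
	// declaration is reapplied.
	passcode = NewDeclaration("com.apple.configuration.passcode.settings", "passcode",
		map[string]interface{}{"MinimumLength": 12})
	apply, remove = Sync(ds, []Declaration{passcode})
	fmt.Println("after change: apply", apply, "remove", remove)

	// The device notices drift and reports it proactively.
	fmt.Println("status items to push:", ChangedItems(
		map[string]interface{}{"passcode.is-compliant": true},
		map[string]interface{}{"passcode.is-compliant": false}))
}
```

The point of the token is that neither side has to diff payloads: a token that matches means nothing to do, and the device can apply everything else without a round trip per setting. The status half is why admins get a quicker picture, since the device reports a compliance change when it happens rather than when the next inventory poll comes round.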

Managed Device Attestation: Announced at WWDC 2022, Managed Device Attestation uses the Secure Enclave inside Apple devices: when a device connects to MDM or other services, it must also prove cryptographically that the request comes from a legitimate, specific device, rather than relying on identifiers the device merely reports about itself. The idea is that the device itself becomes the proof point (or not). It also introduces the concept of continuous authentication, which will become a fundamental pillar of Apple's future approach to management and security.
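As an added example (not Apple's code and not its actual wire format), the following Go program shows the shape of the check an MDM server performs with an attestation: it issues a single-use nonce, the device comes back with a certificate from the attestation authority that binds that nonce to the device's identity, and the server verifies the chain against a pinned root, checks the nonce, and only then trusts the serial number in the certificate. The extension OIDs, the throwaway root that stands in for Apple's attestation service, and the serial number are all constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"fmt"
	"math/big"
	"time"
)

// Example-only extension OIDs; Apple's attestation leaf uses its own (see Apple's docs).
var (
	oidNonce  = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1}
	oidSerial = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 2}
)

// NonceStore is the MDM server's record of challenges it issued. A nonce is bound to one
// request, expires, and is consumed on first use, so a captured attestation cannot be replayed.
type NonceStore struct{ issued map[string]time.Time } // single-threaded for brevity

func (s *NonceStore) Issue() []byte {
	n := make([]byte, 32)
	_, _ = rand.Read(n)
	s.issued[string(n)] = time.Now().Add(2 * time.Minute) // short lifetime (assumed value)
	return n
}

// Consume succeeds exactly once per nonce, and only before it expires.
func (s *NonceStore) Consume(n []byte) bool {
	exp, ok := s.issued[string(n)]
	delete(s.issued, string(n))
	return ok && time.Now().Before(exp)
}

// ext returns the OCTET STRING payload of extension oid in c, or nil if absent.
func ext(c *x509.Certificate, oid asn1.ObjectIdentifier) (v []byte) {
	for _, e := range c.Extensions {
		if e.Id.Equal(oid) {
			_, _ = asn1.Unmarshal(e.Value, &v)
		}
	}
	return v
}

// VerifyAttestation is the server-side check: the leaf must chain to the pinned attestation
// root (not merely any trusted CA), must carry the nonce issued for this request, and the
// device serial is read from the authority's signed statement, not from what the device claims.
func VerifyAttestation(root *x509.Certificate, leaf *x509.Certificate, intermediates []*x509.Certificate, nonce []byte) (string, error) {
	roots, inter := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range intermediates {
		inter.AddCert(c)
	}
	opts := x509.VerifyOptions{Roots: roots, Intermediates: inter, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}}
	if _, err := leaf.Verify(opts); err != nil {
		return "", fmt.Errorf("chain does not lead to pinned root: %w", err)
	}
	if string(ext(leaf, oidNonce)) != string(nonce) {
		return "", fmt.Errorf("nonce mismatch: stale or replayed attestation")
	}
	serial := ext(leaf, oidSerial)
	if len(serial) == 0 {
		return "", fmt.Errorf("attestation carries no device serial")
	}
	return string(serial), nil
}

func octetString(b []byte) []byte { v, _ := asn1.Marshal(b); return v }

// issueChain stands in for the attestation authority (Apple's service, which signs only after
// the device proves possession of a Secure Enclave key); throwaway keys are generated so the
// example runs offline. Returns the root to pin and the leaf the device would hand back.
func issueChain(serial string, nonce []byte) (*x509.Certificate, *x509.Certificate) {
	now := time.Now()
	rootKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Constructed Attestation Root"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	rootDER, _ := x509.CreateCertificate(rand.Reader, rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	root, _ := x509.ParseCertificate(rootDER)
	devKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader) // stands in for the Secure Enclave key
	leafTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "device"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour),
		ExtraExtensions: []pkix.Extension{{Id: oidNonce, Value: octetString(nonce)}, {Id: oidSerial, Value: octetString([]byte(serial))}}}
	leafDER, _ := x509.CreateCertificate(rand.Reader, leafTmpl, root, &devKey.PublicKey, rootKey)
	leaf, _ := x509.ParseCertificate(leafDER)
	return root, leaf
}

func main() {
	store := &NonceStore{issued: map[string]time.Time{}}
	nonce := store.Issue()                            // 1. server challenges the device
	root, leaf := issueChain("C02CONSTRUCTED", nonce) // 2. device returns an attestation bound to the nonce
	serial, err := VerifyAttestation(root, leaf, nil, nonce)
	fmt.Println("serial:", serial, "err:", err, "accepted:", store.Consume(nonce), "replay:", store.Consume(nonce))
}
```

The nonce is what separates attestation from a static client certificate: without it, a captured attestation could be replayed from any machine. In production the pinned root is the attestation root Apple publishes, not one generated at run time, and a failed verification is a signal to quarantine the enrollment and alert, not something to retry quietly.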

SSO for Mac: At WWDC Apple introduced Platform Single Sign-On (SSO) at the macOS login window. This seemingly simple technology is perhaps also the most visible implementation of Apple's attempt to make setup as simple as possible: open your Mac, log in, and, because your local account password is backed by an identity provider, you get the best of both worlds: the additional protection the identity provider brings, alongside the full security architecture of the Mac, including data protection and biometric access such as Touch ID.

The company also extended single sign-on for User Enrollment at WWDC, enabling users to enroll in an MDM service (including on personal devices) by signing into both their Managed Apple ID and their identity provider's SSO app with a single login. Sign in once, and it's done. Apple also now supports OAuth 2.0 for authentication.

Where this is going

A host of additional platform improvements introduced at WWDC also reflect the core tenets of Apple's approach. Things like the additions to the Endpoint Security and Network Extension APIs, federated authentication for Google Workspace, and Rapid Security Response all reflect the company's focus on management, security, and identity.

At the same time, smart card support for iPhones and iPads, and the network connection now required when setting up a managed Mac (so that automated enrollment cannot be skipped by staying offline), show the company is actively identifying and closing commonly used attack vectors.

Beyond this, Apple's new IT Training and certifications program is designed to plug the knowledge gaps that open up as the number of enterprises deploying Macs, iPads, and iPhones grows. "We really want to make sure our products are the best, not only for users but also for IT," Butcher told the audience of Apple admins.
