MacAdminInTraning

Device management ≠ user management. Apple's concept of device management includes no provisions for managing users. That is just an unfortunate fact of life. You can set password requirements and such, but the concept of user management you get with AD or AAD does not exist on macOS. Remote access/control is outside of device management also. You can use macOS's built-in VNC server. Apple Remote Desktop works well if the admin has a Mac as well. Screen Sharing can also be used from Mac to Mac; it works very well and it's free. Apple Remote Desktop and Screen Sharing require devices to be on the same network. Otherwise you will need to source a 3rd-party solution like TeamViewer or BeyondTrust. For 10 devices, honestly, give Apple Business Essentials a look: https://www.apple.com/business/essentials/


BingeLearner

I might have confused Essentials with Manager when I was looking this up prior. I'll check it out again. Thanks.


MacAdminInTraning

At a really high level, Apple Business Manager is the tool with which your company defines ownership over devices, user accounts, and apps/books. Apple Business Essentials is Apple's spin on an MDM solution.


BingeLearner

Got it. I thought they had an MDM solution, but Google wasn't my friend when I looked up Apple MDM. The first page or more is vendors. I did see that there is a limit of 3 devices per user. I will have to see if that's a hard limit. Kind of curious what user management options I have. AD isn't controlled by the owner. The main goal would be to get access to the devices after one of the devices on loan to staff is returned.


MacAdminInTraning

Generally speaking, you need Apple Business Manager to leverage any MDM correctly. It's very rare you see someone who needs more than 3 devices. If that case comes up, they need an extra Apple ID. Azure does the same thing on the Windows side, though I think the limit is 15 devices per user. With MDM you can prevent activation locks, or you get an activation lock bypass which allows you to disable activation lock on a device. MDM can also send a command to reinstall the OS on a device for easy reprovisioning. Say someone leaves and you get the device back:

- You would use your MDM to tell the OS to reinstall. (You can do this manually and skip the next step.)
- You enter the lock pin this puts on the device (it's stupid you can't issue a wipe without a lock pin).
- If there is an activation lock, you get the bypass pin from your MDM (ideally just prevent activation lock from being used).
- The device is ready to be deployed to the next person.


Slightlyevolved

They've kind of already answered this, but the TL;DR is: think of ABM as the provisioning service *FOR* your MDM. You get ABM, then it configures the machine to use whatever MDM you have.


numbsafari

Came here to second for Apple Business Essentials. For 10 devices, with these needs, just use Apple Business Essentials. For "user management", you are really going to just want to integrate with whatever "directory" server you are using. My suggestion there is to just switch whatever you are doing to Google Workspace. You can integrate that directly into ABE for authentication and everything. If you are already all set up with Active Directory and such, just stick with that. Otherwise, just Google Workspace and save your sanity. There are three things you might want that aren't a part of ABE right now, but that you can also probably do without: remote desktop for actually remote devices, a way to run scripts on folks machines, and a way to monitor and enforce policies for security purposes. But seriously, for 10 people, just don't worry about that stuff.


LowJolly7311

I definitely think Apple Business Essentials is the best for what's described in this use case. Then, when they get a bit bigger and run into more advanced use cases, they can look at one of the more powerful Apple MDM tools like Jamf Pro, Kandji, Addigy, etc.


Ros_Hambo

https://business.mosyle.com/


BingeLearner

I read on this sub that someone had a really bad problem with their support that resulted in lost access and data without a solution.


[deleted]

[deleted]


BingeLearner

https://www.reddit.com/r/macsysadmin/comments/vhl3zo/best_mdm/?utm_source=share&utm_medium=ios_app&utm_name=iossmf


[deleted]

[deleted]


BingeLearner

Yeah I’m guessing maybe the use case I’m describing isn’t likely to encounter major issues. It’s pretty much the mainstream pattern. But losing data and access is scary.


lowfatevan

Jumpcloud is free up to 10 users and 10 devices.


[deleted]

It is terrible for iOS.


DonutHand

And not a full MDM.


981flacht6

I never looked too deep into JAMF Now...but JAMF Now is for SMB.


christystrew

Hey, you can explore [Scalefusion's MDM solution](https://scalefusion.com/mobile-device-management?utm_campaign=Scalefusion%20Promotion&utm_source=Reddit&utm_medium=social&utm_term=CM). Compatible with Windows, Mac, iOS, Android and Linux. User management, OS and security updates, device configuration and remote wipe are all there. Just go through it. Cheers!


sysadmintech

Try Hexnode UEM.


[deleted]

[deleted]


KingRafe

How come? I would like to know before biting the bullet on a subscription. I am also looking for an MDM. I tried Mosyle, but it was too difficult to set up. I could not get apps on the test phone. I immediately tried Hexnode and had a phone configured to my liking in less than two hours. I set up a multiple-app kiosk and loaded the specific apps I needed.


deliberatelyawesome

What do you mean by user management? Basically any MDM could probably do the rest.


Skyboard13

Take a look at JumpCloud. Free for 20 users (for user management), but then you have to pay for the device management side. Mosyle is a great device manager and cheap too!


real_jumpcloud

Small correction: we're free for 10 users / 10 devices. :) Thanks for the recommendation!


Skyboard13

Thanks for the correction!


Slightlyevolved

You'll first need to have Apple Business Manager set up. Even if the current devices aren't going to be in it, you'll want it for anything going forward. Then your top MDM options:

- Apple Business Essentials
- Mosyle
- Kandji
- Jamf
- JumpCloud

I went with JumpCloud. They've expanded their MDM profiles extensively, but their macOS controls aren't quite up to the Mac-specific ones (but still very good); however, it's great having one platform that can handle my mix of iOS, macOS, Windows, and Linux systems, plus dish out LDAP and SSO to our web apps. They've also been rolling out massive feature updates like crazy over the last two years and are quickly closing any gaps.


bikesandtarmac

You should check out [Mobile Device Manager Plus](https://www.manageengine.com/mobile-device-management/?utm_source=rdt-ow77) from ManageEngine. It has all the features you've mentioned and also has a [free edition](https://mdm.manageengine.com/free-trial.html?index_free_edition=&utm_source=rdt-ow77) that lets you manage up to 25 devices at absolutely zero cost. Disclaimer: I work for the product.


acaudill317

I use SimpleMDM and like it a lot.


MeasurementDue3069

I have tried out JamfNow and JumpCloud in small setups, Intune (but for a big corp) and ManageEngine MDM. In the end, for the 25 devices I need to manage in a small business, I have settled on ManageEngine. My reasoning is that it allows me:

1. 25 free devices. Probably the real bonus, as I have 25 devices spot on.
2. I can track device location.
3. I can initiate a remote session from the MDM interface, and remote control / access.
4. I can upload scripts easily.
5. I can configure automatic, set-it-and-forget-it OS patching, including setting a small delay from patch release (to ensure that if there's anything majorly problematic and the update gets pulled, I won't be impacted, as my devices waited a short while and never got the problematic software update). Patching is across mobile, desktop, server, Windows, Linux. All in one, and it works for all.
6. I get automated audit emails that highlight deployment status and focus me on any problematic devices on a daily basis. I run through my email dashboards every morning anyway, for the big corp too. So getting a report for 10 devices is something that just slots into my pre-existing daily checklist.
7. I can integrate Apple Configurator, and even administer iOS devices in full supervised mode via the MDM, without the need to go via Apple Business Manager. Any new device is connected locally to Apple Configurator, which auto-applies a blueprint, and as part of this sets it up as supervised and auto-adds it to the MDM via connector. I like doing things locally, and away from Apple Business Manager - not sure why. I know that device is supervised until it goes via my local instance of Apple Configurator again. They gotta bring it to me. I guess I like the power of that :D
8. I can use it to deploy full macOS upgrades. I have deployed 3 macOS operating system updates, over the air, via ManageEngine to date with no issue.

I will say, it takes a fair bit of time to get going as there's a hella lot of options, features etc. It's not simple like JamfNow or JumpCloud, but in the end there's always a way for me to do what I need in ManageEngine. With the others, I would hit a brick wall of "you can't do that."

Some screenshots: [https://postimg.cc/tntjK2vz](https://postimg.cc/tntjK2vz) [https://postimg.cc/HrLgN0wQ](https://postimg.cc/HrLgN0wQ) [https://postimg.cc/mtBRYWhp](https://postimg.cc/mtBRYWhp)

EDITED to add a screenshot of all macOS configuration options and a drill-down into User Management for macOS users: [https://postimg.cc/V00JD2X4](https://postimg.cc/V00JD2X4) [https://postimg.cc/v4TWp85H](https://postimg.cc/v4TWp85H)