Apple DEP + MDM are the future of Mac setup and security
In late 2017, Apple introduced the new T2 chip, which is a customized silicon chip built for Macs. Like the T1 used in the 2016 and 2017 MacBook Pro, the T2 performs specific security-related functions. On the MacBook Pro, the T1 provides a secure enclave for processing and encrypting fingerprints for Touch ID. It also prevents hackers from accessing the microphone and FaceTime HD camera. According to Apple, the new T2 chip enables a deeper level of security by including a secure enclave coprocessor that provides the foundation for new encrypted storage and secure boot capabilities.
These two features are particularly relevant to enterprise users. First, the new secure boot capabilities have eliminated the previous NetBoot framework for deploying Macs in the enterprise. In fact, Apple has announced that NetBoot will no longer be supported when using devices with T2 chips. (In a nutshell, NetBoot is a method that system admins use to boot Macs from a network volume into an IT-trusted macOS image. Now that MacBook Pros will be included in the T2 chip ecosystem, NetBoot is effectively dead.)
In its place, administrators will be able to use the Apple Device Enrollment Program (DEP) and a mobile device management (MDM) solution like MobileIron to set up and manage large groups of Macs. DEP enables admins to automate MDM enrollment and simplify initial device setup. With DEP and MDM, devices can be activated, supervised, and managed without any user intervention.
This is actually good news for both IT admins and mobile employees. The combination of DEP and MDM gives users a seamless, out-of-the-box experience from the moment they power on their new devices. IT admins can automatically configure every new Mac with all of the configurations, security policies, and apps on the fly, but without the need for custom images.
In addition to secure boot, the new T2 chip also provides a built-in hardware encryption engine that encrypts all of the data stored on the SSD with a unique security key on each Mac. This means that all of the data on a Mac can only be read by that Mac, even if the SSD is removed. This adds another layer of security for enterprise data.
Many enterprises have embraced DEP and MDM approach to managing iOS devices. Now they are extending it to their Mac deployments. Have you? If not, watch this video to understand how DEP and MobileIron enable a seamless, native device experience with simplified enrollment and single sign-on (SSO).