MobileIron UEM for macOS? You bet!

As we continue to build out our use cases for the macOS platform, we’re seeing more and more MobileIron customers interested in moving Macs off of their current management product.  Instead, they want to secure and manage them using the same MobileIron UEM platform that they count on to support Android, iOS, and Windows 10. For our customers, the ability to consolidate the number of tools they leverage on a daily basis, while at the same time drive down costs, is a win win! MobileIron UEM covers many use cases aimed at optimizing security, as well as improving usability for admins and users alike. Our extensive set of capabilities spans the complete macOS endpoint lifecycle - from provisioning… all the way through end-of-life. In this blog, I’ll highlight the value we bring to the table in each of these phases.


Ask any IT admin how much they enjoy provisioning devices for new users using outdated legacy models and they will likely respond  with the “eyeroll of disdain.”  And for Windows shops tasked with provisioning Macs for new hires, whether in support of a BYOD program or new CYOC program, the eyeroll likely be paired with a deep sigh. The good news is that MobleIron UEM makes this super easy! We support Apple Business Manager (formally referred to as DEP), which enables a hands-free over-the-air provisioning of macOS and iOS devices. This is a huge time saver for IT, and enables users to become productive in a flash. In addition to Apple Business Manager, MobileIron supports Apple’s Apps and Books (formerly referred to as the Volume Purchase Program or VPP), which makes license assignment and management a breeze. Both device enrollment and Apps and Books are now available via the Apple Business Manager portal. MobileIron UEM also supports provisioning alternatives for macOS endpoints including enrollment via a web browser (iREG), in-app enrollment through our Mobile@Work client, and enrollment using Apple Configurator 2. The common thread here? Streamlined, time-saving, and simplified enrollment with lots of flexible options for a busy admin to take advantage of.  End-users are sure to be pleased with how easy it is to on-board their Macs too!





MobileIron offers many flexible  options to help you create and push configurations to Macs. For example, you can leverage certificates with our on-board CA (Certificate Authority) to ensure that users’ Macs are configured with access to corporate Wi-Fi and VPN. Create labels and device groups, as well as set restrictions to more easily manage your user base. The same trusted policy engine we use to create and enforce policies on other OS’s also applies to macOS, so we can be certain that the device is operating according to the rules your IT department has specified.

MobileIron UEM can also be used to create Office 365 accounts for your Macs. Push OS updates, and if necessary, delay them by up to 90 days to better accommodate your users’ work schedules and ensure compatibility with the apps you have deployed.Also, it’s important to note that our on-device Mac Agent enables use of custom scripts that you can execute to push additional settings like adding printers and other configurations that may not be available in the modern MDM protocol stack.




Security & Control

Data loss prevention (DLP) for Macs requires admins to have control over numerous  critical settings. This enables more robust policy creation and monitoring, improved visibility into the Macs under management, and when necessary, the ability to take a very prescriptive set of corrective actions. MobileIron UEM provides the comprehensive set of controls and ability to set the restrictions necessary to give admins the upper hand in the fight against data loss.  Some examples of this include, setting and enforcing passcodes, ensuring that disk encryption is activated, preventing the burning of disks, restricting access to iTunes File Sharing, enabling app installation by admins-only, preventing users from self-installing apps outside the macOS app store, preventing user removal of Apple Systems Apps, and much more!

One VPN for every kind of device

MobileIron Tunnel protects network data with an innovative multi-OS per-app-vpn that not only supports Macs, but Android, iOS, and Windows 10 devices too. With Tunnel, IT admins can effortlessly configure devices with identity certificates and VPN configurations without the need to purchase another 3rd party VPN solution. The Tunnel client is deployed with MobileIron Sentry, our in-line gateway that manages, encrypts, and secures traffic between Macs and back-end enterprise systems. Last, but not least, using MobileIron Access, you can ensure that data from common cloud repositories such as O365, G Suite, Salesforce, or any service that supports SAML 2.0,  is only available to verified users on authorized Macs, and only when they are using a designated app.




Application Deployment

Our product development team has been working hard to enhance the Mac app experience for admins and users alike. For example, we’ve recently added the display of notifications while apps are being installed. Also, our robust support for Apple’s Apps and Books means that when an admin adds an app in Apple Business Manager, the app metadata will silently sync to MobileIron and the app can be deployed silently using Device based app assignment. Admins might also wish to provide a curated app catalog for their employees, which MobileIron can provide for macOS as well as all of the other operating systems we manage. Also worth mentioning is that upload and distribution of both in-house and public apps will be much faster and easier. In addition, admins will be able to set app dependencies (relationships) between multiple apps. For example, they will be able to dictate that before a particular app is installed, another app (or series of apps) must be installed first. This will help to ensure the best possible user experience, while also reducing the number of help desk calls.




Monitoring & Compliance

MobileIron UEM provides admins with the control and visibility necessary to manage Macs and ensure they remain compliant. Custom policies can be created based upon any number of device criteria, for instance, has Filevault2 encryption been applied, and a series of tiered compliance actions defined based upon the severity of the violation. Compliance actions may be as  simple as an alert being sent to the user, or if necessary a quarantine action or worst case, a device wipe. Compliance actions can be driven by apps as well. Another example of ensuring Mac compliance is to set and enforce a passcode policy. If a Mac is identified as having a non-compliant passcode, you can require that the user reset their passcode at the next login, or deny access to corporate resources. Granular compliance policies and flexible, tiered, compliance actions provide admins with the tools they need in the ongoing fight against potential data loss.




End of Life

What about a macOS device that needs to be decommissioned, be it an employee leaving the organization, or perhaps driven by a technology refresh? MobileIron UEM makes device retirement easy by enabling admins to seamlessly and remotely remove enrollment - with no touch required. The device becomes unmanaged and all UEM configurations are removed. In addition, it can be completely wiped (back to factory settings) or selectively wiped in cases where the employee owns the device and is leaving the organization. The Mac can then be easily re-enrolled and repurposed  for a new employee.




So, there you have it, a quick snapshot of some key use cases MobileIron UEM offers for Mac security and management today. I hope you found this brief overview helpful. Interested in learning more? Check out our whitepaper and gain a deeper understanding of how MobileIron enables you to secure cloud services, secure data at rest, secure data in transit and provide secure authentication. Or, if you’re ready to test drive MobileIron UEM for your macOS endpoints, request your free 30-day trial today!