iPhone and iPad Management for Beginners


A COMPREHENSIVE GUIDE

iPhone and iPad Management
FOR BEGINNERS

According to a recent survey, when given the choice, 3 out of 4 employees choose an iOS device over an Android device.

As Apple device numbers rise in business and education environments around the globe, it’s imperative that technology investments are maximized so that organizations can leverage Mac, iPad, iPhone and Apple TV to their full potential. This can put a heavy burden on IT teams that are now tasked with managing this influx of new devices.

While some are very familiar with Apple already, many of you are diving into iPhone and iPad hardware and iOS management for the first time. This guide is for the latter, and will help you build and master your iOS management skills by providing:

• Introduction to iPhone, iPad and iOS management
• Explanation of services and programs available for iOS devices
• Outline of lifecycle management stages
• Insight for infrastructure planning
• Overview of the industry-leading iOS management solution


Introduction to iPhone, iPad and iOS management

Both iPhones and iPads run on the iOS platform. You can manage both devices with mobile device management (MDM), which is Apple’s framework for managing iOS.

How MDM works

To effectively manage iOS devices and unleash their full potential, organizations require an equally powerful MDM solution. Most Apple devices are able to understand and apply settings such as remote wipe or passcode restrictions using the built-in framework. Two core components of the MDM framework are configuration profiles and commands.

Configuration profiles

Configuration profiles define various settings for your Apple devices and tell that device how to behave. They can be used to automate configuration of passcode settings, Wi-Fi passwords and VPN settings. They can also be used to restrict items, such as device features like the App Store, web browsers or the ability to rename a device. These profiles can all be specified and deployed leveraging an MDM solution such as Jamf Pro.

MDM commands

MDM commands are singular commands that you can send to your managed devices to take specific actions. Has a device gone missing? Put it into Lost Mode or send a remote wipe command. Need to upgrade to the latest OS? Send the command to download and install updates. These are just a few examples of the different actions you can take on a fully managed Apple device.

Apple services and programs

As Apple devices became more popular in schools and the enterprise, questions about how to best deploy devices at scale, how to address Apple IDs and the purchasing of apps arose. Apple, of course, looked to solve these issues and introduced various programs and services to take device management one step further, making it easier and more cost-effective to manage devices in bulk.

Not every Apple device management solution supports Apple’s programs and services. Check with your vendor to ensure they support these programs, as well as the incremental changes Apple makes throughout the year.

Zero-Touch Deployment

Apple’s automated MDM enrollment solution allows organizations of any size to pre-configure devices purchased from Apple or an authorized Apple reseller without ever having to touch the device. By leveraging the power of zero-touch deployments (formerly Apple’s Device Enrollment Program or DEP), you no longer need to be the only person receiving, unboxing and configuring new hardware. Instead, you can ship new devices directly to individual employees and let them unbox it. The first time the device is turned on, it will automatically reach out to Apple and your mobile device management solution to pull down relevant configurations, settings and management.

Apps and Books

With Apps and Books from Apple (formerly Volume Purchase Program or VPP) you can purchase and license apps and books in bulk from Apple and distribute them to individuals via Apple ID or directly to devices without an Apple ID. Apps can be reassigned as deployment needs change. You can link your Apps and Books service token (received from Apple) to your Apple management solution for assignment and distribution.

Apple Business Manager

Apple Business Manager is a web-based portal for IT administrators that combines Zero-Touch Deployments and Apps and Books so everything can be overseen from one central location. Apple Business Manager is available to all non-educational organizations. Organizations with existing DEP or VPP accounts can upgrade to Apple Business Manager within a few minutes, or organizations can sign up for the first time at business.apple.com

Apple School Manager

Apple School Manager is a web-based portal for IT administrators to oversee people, devices and content - all from one place. Exclusively for education, Apple School Manager combines Zero-Touch Deployments as well as Apps and Books and other classroom management tools such as the Classroom app in one portal. Apple School Manager enables Managed Apple IDs and Shared iPad and can be integrated with your school’s student information system (SIS).

Apple IDs

Apple IDs are the personal account credentials users use to access Apple services such as the App Store, iTunes Store, iCloud, iMessage and more. Depending on the needs of your organization, your end users can leverage their personal Apple ID on the job, or you can avoid using Apple IDs altogether thanks to the ability to deploy Apps and Books to devices directly without an Apple ID. If you’re an education institution, your students will receive a different type of Apple ID (see next page).

Managed Apple IDs

Apple School Manager for educational institutions enables Managed Apple IDs for students and can be integrated with your school’s student information system (SIS). Managed Apple IDs are a special type of Apple ID for students. They don’t require special permission, and they allow you, as an IT admin, to create and dynamically update user information. Additionally, managed Apple IDs are created in the Apple School Manager portal and can sync with Classroom data.

For businesses and government organizations, Managed Apple IDs are only used for administrative purposes within Apple Business Manager.

Classroom App

An instructional tool for iPad, Apple’s Classroom app empowers teachers to streamline classroom instruction, encourage interaction and collaboration, focus student iPad devices on a specific app or webpage, and view student devices to check for understanding.

Device Supervision

Supervision is a special mode iOS and tvOS devices are placed into when enrolled via Apple Business Manager, Apple School Manager or Apple Configurator. Supervision gives institutions greater control over the iOS devices they own. A larger number of management features including Managed Lost Mode, blocking apps and silently installing apps all require supervision. It is recommended that institutionally-owned devices be put into Supervision mode.

Lifecycle management stages

Apple’s device management framework, commonly referred to as the MDM framework, includes six key elements across the entire lifecycle of your Apple devices. MDM is Apple’s built-in management framework - available for macOS, iOS and tvOS - and aids with these functions:

1 iOS deployment and provisioning: Getting devices into the hands of end users.
2 Configuration management: Applying the correct settings to devices.
3 App management: Ensuring the correct software and apps are on each device.
4 iOS inventory: Reporting on the status of each device.
5 iOS security: Securing devices to organizational standards.
6 User empowerment: Allowing users to self-help when they require resources and services.

From initial deployment to the end-user experience, it’s critical to understand, manage and support the entire lifecycle of iOS devices in your environment. This ensures both the security and maximized potential of your devices.

1 iOS deployment and provisioning

Before configuring devices for end users, devices must be enrolled into an Apple management solution. There are several enrollment methods available, but the two highlighted below are recommended for enterprise and educational institutions looking for a streamlined and positive end-user experience.

Zero-Touch Deployment with Apple Business Manager and Apple School Manager
• Description: Automatic enrollment over the air
• User Experience: User receives shrink-wrapped box, and the device is automatically configured when turned on
• Supervision: Yes, wirelessly
• Best For: Providing users an out-of-box experience. With Zero-Touch Deployment you can ship devices to remote employees, speed up the onboarding process and support education institutions with iPad programs

Apple Configurator
• Description: Enrollment through a Mac app that connects to devices via USB (does not apply to Apple TV 4K)
• User Experience: IT manages the setup process and hands devices to users
• Supervision: Yes, wired
• Best For: Shared and cart-device models, labs; devices purchased through a retailer such as Best Buy

User-initiated enrollment via URL
• Description: Manual enrollment over the air
• User Experience: User visits a specific URL to configure their device
• Supervision: No
• Best For: Unmanaged devices currently in the field or devices that need to be reenrolled into a new MDM server

BEST PRACTICE Deploy Apps and Books with Apple Business Manager and Apple School Manager

1. Sign up for Apps and Books via Apple School Manager or Apple Business Manager and add your MDM server to your portal.
2. Find and purchase app licenses from the Apps and Books section of Apple Business Manager or Apple School Manager. You will also need to “purchase” free apps.
3. Add your app licenses to your MDM server, including free apps.

Decision: Choose to assign apps to either devices directly or to a user’s Apple ID.

If you assign apps to devices directly:
4. Apps are deployed directly to the device. No interaction or Apple ID required.

If you assign apps to a user’s Apple ID:
4. Invite users to participate in your Apps and Books deployment via email or push notification.
5. Apps are linked to a user’s Apple ID and are found in the Purchased tab of the App Store.

2 Configuration management

When it comes to configuring Apple devices, the world is your oyster. You can personalize and tailor individual devices or groups of devices based on the needs of your end users.

Configuration Profiles

Define settings within iOS by creating configuration profiles. These small XML files can be distributed to devices utilizing a managed solution. You can apply Wi-Fi, VPN, email settings and more so users can seamlessly connect to the resources they need.

Smart Targeting

Collect inventory details, including custom inventory attributes you define, for all of your managed devices to identify which ones require software updates, security hardening or other management actions. If your device management solution allows, you can build groups based on inventory criteria and then trigger device management tasks automatically to specific individuals or groups. You can also make items available on demand to users with an enterprise app catalog.

Don’t know where to start? Check out a list of MDM configuration profiles here, or join the conversation on Jamf Nation.

Not all Apple management solutions offer smart targeting. Check with your management vendor to ensure this functionality is available to you.

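
To make the configuration profile description above concrete, here is an added example (not part of the original guide and not Jamf's code) that builds such an XML file with a passcode policy and a restrictions payload, then audits the passcode payload before deployment. The com.example identifiers and the baseline thresholds are assumptions chosen for illustration.

```python
import plistlib
import uuid


def payload(ptype, name, **settings):
    """Return one payload dict with the bookkeeping keys every payload carries."""
    return {
        "PayloadType": ptype,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"com.example.mdm.{name}",  # constructed identifier
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": name,
        **settings,
    }


def build_profile(min_length=6, allow_simple=False):
    """Serialise a profile holding a passcode policy and a restrictions payload."""
    passcode = payload(
        "com.apple.mobiledevice.passwordpolicy", "passcode",
        forcePIN=True, allowSimple=allow_simple, minLength=min_length,
        maxFailedAttempts=10, maxInactivity=5,  # attempts before wipe, minutes to lock
    )
    restrictions = payload(
        "com.apple.applicationaccess", "restrictions",
        allowAppInstallation=False,         # hides the App Store
        allowDeviceNameModification=False,  # honoured on supervised devices only
    )
    profile = payload("Configuration", "baseline",
                      PayloadContent=[passcode, restrictions])
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


# Assumed baseline for this example: key -> (predicate, requirement text).
PASSCODE_BASELINE = {
    "forcePIN": (lambda v: v is True, "passcode must be required"),
    "allowSimple": (lambda v: v is False, "simple passcodes must be disallowed"),
    "minLength": (lambda v: isinstance(v, int) and v >= 6,
                  "minimum length must be 6 or more"),
}


def audit_profile(xml_bytes):
    """Parse a profile and list every baseline requirement it fails to meet."""
    profile = plistlib.loads(xml_bytes)
    policies = [p for p in profile.get("PayloadContent", [])
                if p.get("PayloadType") == "com.apple.mobiledevice.passwordpolicy"]
    if not policies:
        return ["no passcode policy payload present"]
    findings = []
    for policy in policies:
        for key, (ok, requirement) in PASSCODE_BASELINE.items():
            if not ok(policy.get(key)):
                findings.append(f"{key}={policy.get(key)!r}: {requirement}")
    return findings


if __name__ == "__main__":
    print(build_profile().decode())
    print(audit_profile(build_profile(min_length=4, allow_simple=True)))
```

Running the audit in review or CI catches a weakened passcode policy before the profile reaches any device.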
3 App management

App fundamentals

Today, we are all familiar with the App Store on our iPhone, iPad and Apple TV devices. It is the only way for consumers to get apps on their devices. Apple reviews the developer’s code to ensure security and performance. This is one of the reasons why Apple enjoys a strong security reputation.

Apple devices are wildly popular among consumers because of the native communication, learning and productivity tools available right out of the box, but the rich library of apps in the App Store is what sets the Apple ecosystem apart. With a device management solution in place to manage your app deployments, you ensure users have the apps they need - configured for their use case and secured for your environment.

Purchase your Apps and Books here:
• For the enterprise: Deploy Apps and Books with Apple Business Manager
• For educational institutions: Deploy Apps and Books with Apple School Manager

When deploying App Store apps via Apple School Manager or Apple Business Manager, you gain extra security and configurations for that app. Here’s what’s possible:

What is a Managed App?

Introduced in iOS 5, managed apps differ from a standard app because they are flagged as being owned by an organization. Specifically, managed apps are distributed via MDM and can be configured and reassigned by MDM.

Managed Open In

Managed Open In takes the concept of managed apps a step further by controlling the flow of data from one app to another. With MDM, organizations can restrict what apps are presented in the iOS share sheet for opening documents. This allows for truly native data management without the need for a container.

App Configurations

Sometimes, deploying an app isn’t enough and you’d like to pre-customize some of the settings. This is the premise for app configurations. App developers define what settings can be pre-configured by an MDM server for their app. For example, you could deploy the Box app with the server URL pre-populated, so users only need to enter their username and password to get the app up and running.

BEST PRACTICE Deploy Apps and Books with Apple School Manager and Apple Business Manager

1. Sign up for apps and books via Apple School Manager or Apple Business Manager and add your MDM server to your portal.
2. Find and purchase app licenses from the Apps and Books section of Apple Business Manager or Apple School Manager. You will also need to purchase “free” apps.
3. App licenses are automatically ready by your MDM server, including free apps.
4. Apps are deployed directly to the device. No interaction or Apple ID required.

4 iOS inventory

MDM solutions are capable of querying an Apple device to collect a large amount of inventory data, ensuring you always have up-to-date device information and can make informed management decisions. Inventory can be collected from a device at various intervals and includes serial number, OS version, apps installed and much more.

Examples of data collected with MDM

• Hardware Details: Device Type, Device Model, Device Name, Serial Number, UDID, Battery Level
• Software Details: iOS Version, List of Apps Installed, Storage Capacity, Available Space, iTunes Store Status
• Management Details: Managed Status, Supervised Status, IP Address, Enrollment Method, Security Status
• Additional Details: Profiles Installed, Certificates Installed, Activation Lock Status, Purchasing Information, Last Inventory Update

Why does inventory matter?

You can’t manage what you can’t measure. The inventory data your MDM solution collects can be used for a wide range of business needs and empower you to answer common questions like:

• Are all my devices secure?
• How many apps do we have deployed?
• What version of iOS are certain devices running?

By leveraging inventory data, smart targeting enables you to dynamically group devices and deploy configuration profiles and restrictions to those devices. At Jamf, this is referred to as Smart Groups.

Diagram, Static Groups: devices 1 to 6, manually selected; apply a configuration profile, management command or app.
Diagram, Smart Groups: find all iOS devices running 11.4.1; apply a configuration profile, management command or app.

Static Groups are a set of devices that are manually defined, like a classroom or a lab. You can apply configuration profiles and management commands to the entire group.

Smart Groups, on the other hand, are dynamic and always changing based on inventory data. This enables you to dynamically group devices and deploy configuration profiles and restrictions to those devices.

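
The difference between a manually defined group and an inventory-driven one, as an added example that is not from the guide and is not how Jamf implements Smart Groups: criteria are re-evaluated against current inventory on every call, and OS versions are compared numerically rather than as text. The inventory records, serial numbers and the criterion syntax are constructed for illustration.

```python
from datetime import datetime, timedelta

# Constructed inventory records using fields the guide lists as collected by MDM.
INVENTORY = [
    {"serial": "SAMPLE0001", "os_version": "11.4.1", "supervised": True,
     "last_inventory": datetime(2018, 9, 10)},
    {"serial": "SAMPLE0002", "os_version": "12.0", "supervised": True,
     "last_inventory": datetime(2018, 9, 18)},
    {"serial": "SAMPLE0003", "os_version": "9.3.5", "supervised": False,
     "last_inventory": datetime(2018, 9, 17)},
    {"serial": "SAMPLE0004", "os_version": "11.4", "supervised": True,
     "last_inventory": datetime(2018, 8, 1)},
]


def version_key(version):
    """'11.4' -> (11, 4, 0): compare numerically, since as text '9.3.5' > '11.4.1'."""
    parts = [int(p) for p in version.split(".")]
    return tuple(parts + [0] * (3 - len(parts)))


def matches(device, criterion, now):
    """Evaluate one (field, operator, value) criterion against a device record."""
    field, op, value = criterion
    actual = device[field]
    if op == "more than days ago":
        return now - actual > timedelta(days=value)
    if field == "os_version":
        actual, value = version_key(actual), version_key(value)
    if op == "is":
        return actual == value
    if op == "is not":
        return actual != value
    if op == "less than":
        return actual < value
    raise ValueError(f"unknown operator: {op}")


def smart_group(inventory, criteria, now):
    """Serials of devices meeting every criterion, recomputed on each call."""
    return sorted(d["serial"] for d in inventory
                  if all(matches(d, c, now) for c in criteria))


def static_group(inventory, serials):
    """A manually defined set: membership ignores inventory changes."""
    known = {d["serial"] for d in inventory}
    return sorted(set(serials) & known)


if __name__ == "__main__":
    now = datetime(2018, 9, 20)
    print(smart_group(INVENTORY, [("os_version", "is", "11.4.1")], now))
    print(smart_group(INVENTORY, [("os_version", "less than", "12.0"),
                                  ("supervised", "is", True)], now))
    print(smart_group(INVENTORY, [("last_inventory", "more than days ago", 14)], now))
```

A device with stale inventory, such as the last sample record, is worth its own group, because every other criterion is judged on data that may no longer be true.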
5 iOS security

The security and privacy of devices and access to corporate resources are a top priority for any organization. To address these worries, Apple has a number of security features built right into iOS. Coupled with an Apple management solution, you can ensure that your devices are not only secure, but your apps and network are as well.

The Center for Internet Security (CIS) benchmark for iOS is widely regarded as a comprehensive checklist for organizations to follow to secure iPad and iPhone devices. Check out our white paper to learn how to implement the independent organization’s recommendations.

iOS Security Features

• Software Updates
• Secure System
• App Store
• Touch ID
• Hardware Encryption
• App Sandboxing
• Privacy
• Supervision

iOS Security Checklist

Unix is the foundation for Apple’s operating systems, providing a strong kernel at the core. Apple’s OSs are built with security in mind and have unique security settings added. Those settings can be managed via an MDM solution.

Additionally, utilizing Apple’s deployment programs with an MDM solution allows for even more management of those settings within your environment.

Diagram, layers from top to bottom: Apple’s deployment programs; Management; Apple security features; Apple OSs; UNIX (foundation for Apple’s OSs).

MDM security commands for iOS

• Enable Lost Mode
• Lock and wipe a device
• Remote wipe
• Update iOS
• Clear restrictions and passcodes
• Remove MDM
• Restrict Autofill passwords
• Block passwords via proximity requests

MDM Lost Mode for iOS

By utilizing Apple’s Lost Mode with an MDM solution, you can lock, locate and recover lost or stolen iOS devices without compromising privacy through ongoing tracking. When Lost Mode is activated, iOS devices receive a customized lock screen message, are disabled from use and send the location to IT.

Software upgrades

By developing major versions of macOS, iOS and tvOS annually, Apple has set the pace of innovation. Each year, Apple unveils new and great consumer features, but also adds layers of security and fixes vulnerabilities. These updates can be critical for devices used by employees or students in order to protect their data. Your management solution not only needs to be able to deploy updates from Apple, but also needs to quickly support (ideally on day zero) all the new management features that come with them too.

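
The guide states that Managed Lost Mode requires supervision; the added example below (not from the guide or any vendor's product) shows how that requirement shapes the response to a missing device by building the command property lists an MDM server would queue. The device records, message text and the fallback to a plain device lock for unsupervised devices are assumptions of this example.

```python
import plistlib
import uuid

# Lost Mode family of commands; the guide lists Managed Lost Mode among the
# features that require supervision.
SUPERVISED_ONLY = {"EnableLostMode", "DisableLostMode", "DeviceLocation"}


def build_command(device, request_type, **params):
    """Return the XML plist for one MDM command, or raise if the device cannot take it."""
    if request_type in SUPERVISED_ONLY and not device["supervised"]:
        raise PermissionError(f"{request_type} requires a supervised device")
    if request_type == "EnableLostMode" and not (
            params.get("Message") or params.get("PhoneNumber")):
        raise ValueError("Lost Mode needs a lock screen Message or PhoneNumber")
    command = {
        "CommandUUID": str(uuid.uuid4()),  # lets the server match the device's reply
        "Command": {"RequestType": request_type, **params},
    }
    return plistlib.dumps(command, fmt=plistlib.FMT_XML)


def lost_device_commands(device, message, phone):
    """Pick the response for a missing device from its supervision status."""
    if device["supervised"]:
        # Lock with a custom message, then request the location once
        # rather than tracking the device continuously.
        return [
            build_command(device, "EnableLostMode", Message=message, PhoneNumber=phone),
            build_command(device, "DeviceLocation"),
        ]
    # Unsupervised (assumed fallback): a passcode lock only, no location.
    return [build_command(device, "DeviceLock", Message=message, PhoneNumber=phone)]


def request_types(commands):
    """Read back the RequestType of each serialised command."""
    return [plistlib.loads(c)["Command"]["RequestType"] for c in commands]


if __name__ == "__main__":
    # Constructed device records.
    owned = {"serial": "SAMPLE0001", "supervised": True}
    byod = {"serial": "SAMPLE0003", "supervised": False}
    print(request_types(lost_device_commands(owned, "Please return to IT", "555-0100")))
    print(request_types(lost_device_commands(byod, "Please return to IT", "555-0100")))
```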
6 User empowerment and adoption

With the rise in self-sufficiency tools like Lyft, Amazon Prime and WebMD, today’s workforce expects to get the tools they want, when they need them. Enterprise app catalogs meet the needs of users by empowering them with instant access to resources, content, tier-one help and trusted apps through a single click from their device - all without submitting a help desk ticket to IT.

With enterprise app catalogs, users have the ability to access:

• App Store, B2B, in-house apps
• Email, VPN and other configurations
• E-books, guides and videos
• Web clips
• Software and OS upgrades
• Localized language support for English, French, German, Japanese and Simplified Chinese

App catalog for Mobile

Example: Jamf Self Service for iOS offers an app catalog that can integrate seamlessly into any organization’s internal resources or corporate intranet.

Benefits of on-demand app and resource catalogs.

What’s in it for IT.

• Reduce help desk tickets and support costs while maintaining control of your environment
• Automatically install an app catalog like Jamf Self Service on any managed iPad or iPhone
• Integrate with directory services to personalize content based on department, user role, location and more
• Automate common IT tasks, such as password resets and system diagnostics for tier-zero support

What’s in it for users.

• Give end users instant access to a full-service destination of apps and resources
• Intuitive user interface personalized for local language and your environment
• Web clip common web services such as HR tools, communication platforms or internal resources for an easy entry point to valuable company information
• Install organization-approved apps without IT help
• Receive real-time notifications for available apps

Bonus: Third-party integrations

Apple device management is just one piece of your technology portfolio, but it’s a critical and instrumental piece. Regardless of whether you use a help desk ticketing system like ServiceNow or an SSO authentication tool like Okta, your Apple device management solution must integrate seamlessly with your existing IT tools.

Extend the power of your ecosystem by leveraging third-party integrations like those seen in the Jamf Marketplace. From cross-industry integrations to specific solutions, integrations like these bridge IT teams and services, creating an integrated, secure and seamless experience for end users.

Best-of-breed MDM solutions should offer the ability to brand your app catalog to match your existing corporate resources. This seamlessly integrates your app catalog among existing internal properties, increasing familiarity and ease of use.

Infrastructure planning

Where you host your management environment is just as important as the management solution you choose. Not only does cloud hosting make upgrades a breeze, it takes the added pressure of server management, disaster recovery and more off of your IT team.

More and more organizations are moving to the cloud. Below are just a few reasons why enterprise organizations like Eventbrite are going cloud:

Benefits of cloud hosting

• Server provisioning, ongoing security and update management
• Backup administration and testing
• Storage infrastructure for global availability
• Disaster recovery; offsite location
• Database administration, ongoing security and updates
• Server monitoring and response team

Industry-leading Apple management

Apple continues to build an interconnected ecosystem, with apps and services being cross compatible across devices. Growing enterprise partnerships (IBM, Cisco, SAP, etc.) and a boom in technology choice programs will only bring more Mac, iPad, iPhone and Apple TV devices to your doorstep.

As the gold standard in Apple management and with dedication to the Apple ecosystem since 2002, Jamf is the product most trusted by businesses and schools that want to offer Apple and provide a consistent management experience across the entire ecosystem.

To get the absolute most out of Apple and your technology investment, you require a management solution that matches Apple’s intuition and has proven from day one that helping people succeed with Apple is top priority. By integrating with all Apple services and providing immediate support for Apple operating systems and features, Jamf empowers you with the tools necessary to address all support needs, and gives you the freedom to focus on strategic tasks so you can save your organization time and money.

Put our word to the test by taking a free test drive and you’ll see why 96 percent of Jamf customers stick with us year over year.
