Apple in 2019: Expect more focus on enterprise identity, device ownership

Apple has done much in recent years to make it easier for IT admins to deploy, provision and manage all manner of Macs, iPhones and iPads. Here's how it did so, and what's likely to come next.

Agam Shah

If 2018 was the year Apple revamped its relationship with enterprise users, 2019 is likely to be the year the company keys in on device ownership and identity in the workplace. In fact, Apple has been signaling this kind of focus for a while with a series of moves that have shifted how it handles hardware management and laid the groundwork for the year ahead.

Those seemingly unrelated moves will allow the company to strengthen its role in handling enterprise identity regardless of device ownership, allowing it to offer IT admins more flexibility and management options down the road.

Here's what the company has done over the past couple of years:

  1. At its annual developers conference in 2017, Apple announced planned changes to several enterprise controls for its devices; instead of applying to all managed macOS and iOS systems, the controls would apply only to those in Supervised mode. (It's essentially a more stringent posture of device management intended only for company-owned hardware, not for personal phones and tablets brought to work.) At the time, Apple expected the changes to roll out in 2018 with the release of macOS Mojave and iOS 12. But implementation was pushed into 2019 at the request of developers, vendors and customers.
  2. Then, in early 2018, Apple said it was effectively shutting down its server platform - and it advised customers to transition to alternatives, including the open-source solutions some of macOS Server's features were built around. One of the most common functions has always been Open Directory, Apple's native directory service. Although the shift doesn't mean a shutdown of Open Directory or directory services on the Mac, which also supports Active Directory and other LDAP directory services, it is a curious move. Apple is essentially deprecating its server platform while still supporting its own directory service (and in some cases - as with the company's Xsan cluster management solution - requiring it). (It's important to remember: iOS doesn't have a true directory system at all. iPhones and iPads are designed as single-user devices, although iPads integrated with Apple School Manager and the Classroom app used in K-12 schools are an exception.)
  3. Apple is working to more tightly integrate its desktop and mobile offerings. 2018 included revelations about Marzipan, a project within Apple to make it easier for developers to port applications between the two platforms. Only a handful of iOS apps have made the jump to the Mac in Mojave, reviews haven't been exactly stellar, and it seems the project has a ways to go. Still, it shows that Apple is working to ease development - and likely management - across its ecosystems.

That would have big implications for identity on the Mac.

Apple and enterprise identity: How we got here

To understand where Apple is likely headed in terms of user and device management, it helps to understand how the company got to where it is now.

When early versions of Mac OS X shipped, user account, device identification, settings, configuration data and restrictions were all stored in directory systems (either local on the machine or on the network). This approach mirrored the approach of other major operating systems, including Unix and its variants as well as Windows. Apple built a managed preferences architecture similar to Microsoft's Active Directory's Group Policy model. By default, it stored preference, user identity and computer identities in an LDAP-based system called Open Directory.

Because both Open Directory and Active Directory were based on LDAP and Kerberos, it was (and still is) possible to integrate Macs using Active Directory. The typical approach was to join Macs and Mac servers to an Active Directory environment, allowing basic user administration and authentication to leverage Active Directory while Open Directory handled the management of Macs and the environments of users. All of the needed configuration profile data for Macs and users resided in one or more directory services.

When Apple shipped the iPhone in 2007, it didn't create multi-user functionality - and it has yet to create any such capability, with the exception of the Classroom environment enabled by Apple School Manager and the Classroom app. In fact, it's never expressed any intention to do so. Even when Apple shipped the first iteration of its MDM protocol for managing iOS devices in business, there was no multi-user support, though products that leveraged it could rely on information about a user (or their device) stored in a directory system (typically Active Directory) to apply management profiles with configuration data and access restrictions. The same remains true today.

In short: Most products query a directory service (usually Active Directory) for the necessary data, but store the actual management info for the device and users outside of that directory (usually in a directory or database of their own).

Apple's MDM answer stores data in the same functional way the company's directory-based approach did for Macs - as structured XML data. Because the data isn't stored in the directory itself, it offers a more lightweight and flexible approach - something that proved enticing to other enterprise software vendors as potential integrators and partners. With the release of Mac OS X Lion, Apple rolled out that approach on the Mac, replicating all the management features of the heavier directory system in just a few years. That yielded more flexibility: any vendor offering iOS management could also offer Mac management, and do so without needing cumbersome directory integrations. That was a win for Apple and enterprises.
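The structured XML data described above is the configuration profile format (a .mobileconfig property list with a PayloadContent array of per-payload dictionaries). The script below is an added example, not Apple's or any MDM vendor's code: it parses a constructed sample profile with the standard-library plistlib module and reports the checks an admin would want before pushing a profile to devices of mixed ownership, namely that every payload carries the keys Apple requires (PayloadType, PayloadIdentifier, PayloadUUID, PayloadVersion) and whether the profile is flagged non-removable (PayloadRemovalDisallowed). The sample profile, its identifiers and UUIDs are constructed for this demonstration.

```python
"""Audit an Apple configuration profile (.mobileconfig) before deployment.

Added example, not code from Apple or any MDM vendor. It relies only on the
public profile format: a top-level XML property list whose PayloadContent
array holds one dictionary per payload. The sample profile below, including
its identifiers and UUIDs, is constructed for this demonstration.
"""
import plistlib

# Keys Apple requires in every payload dictionary and in the outer profile.
REQUIRED_PAYLOAD_KEYS = ("PayloadType", "PayloadIdentifier",
                         "PayloadUUID", "PayloadVersion")
REQUIRED_PROFILE_KEYS = REQUIRED_PAYLOAD_KEYS + ("PayloadContent",)

# Constructed sample: a restrictions payload plus a Wi-Fi payload that is
# missing two required keys, in a profile marked non-removable.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadIdentifier</key><string>com.example.audit-demo</string>
  <key>PayloadUUID</key><string>11111111-2222-3333-4444-555555555555</string>
  <key>PayloadVersion</key><integer>1</integer>
  <key>PayloadDisplayName</key><string>Demo restrictions</string>
  <key>PayloadRemovalDisallowed</key><true/>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key><string>com.apple.applicationaccess</string>
      <key>PayloadIdentifier</key><string>com.example.audit-demo.restrictions</string>
      <key>PayloadUUID</key><string>aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee</string>
      <key>PayloadVersion</key><integer>1</integer>
      <key>allowCamera</key><false/>
    </dict>
    <dict>
      <key>PayloadType</key><string>com.apple.wifi.managed</string>
      <key>PayloadIdentifier</key><string>com.example.audit-demo.wifi</string>
      <key>SSID_STR</key><string>CorpNet</string>
    </dict>
  </array>
</dict>
</plist>
"""


def load_profile(data: bytes) -> dict:
    """Parse the XML plist; raise ValueError if it is not a configuration profile."""
    profile = plistlib.loads(data)
    if not isinstance(profile, dict) or profile.get("PayloadType") != "Configuration":
        raise ValueError("not an Apple configuration profile")
    return profile


def audit_profile(data: bytes) -> list:
    """Return human-readable findings for the profile in `data` (empty list = clean)."""
    profile = load_profile(data)
    findings = []
    # Outer profile must carry the same identity keys as each payload, plus content.
    for key in REQUIRED_PROFILE_KEYS:
        if key not in profile:
            findings.append(f"profile missing required key {key}")
    # A non-removable profile deserves a second look against the ownership model.
    if profile.get("PayloadRemovalDisallowed"):
        findings.append("profile sets PayloadRemovalDisallowed; review against the "
                        "device-ownership model before pushing it to user-owned devices")
    # Every payload dictionary must be fully identified or the device will reject it.
    for index, payload in enumerate(profile.get("PayloadContent", [])):
        label = payload.get("PayloadIdentifier", f"payload #{index}")
        for key in REQUIRED_PAYLOAD_KEYS:
            if key not in payload:
                findings.append(f"{label}: missing required key {key}")
    return findings


def payload_types(data: bytes) -> list:
    """List the PayloadType of each payload, in profile order."""
    return [p.get("PayloadType") for p in load_profile(data).get("PayloadContent", [])]


if __name__ == "__main__":
    for line in audit_profile(SAMPLE_PROFILE):
        print(line)
```

Run as-is the script reports three findings for the constructed sample: the non-removable flag and the two keys missing from the Wi-Fi payload. Pointing it at a real exported profile (plistlib.loads on the file's bytes) gives the same checks; signed profiles are CMS-wrapped and would need to be unwrapped first, which this example does not do.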

Apple basically reduced directory integration to its core principles: enterprise identity and authentication.

Device ownership in business has also followed an evolving road over the years. Apple's push into the enterprise, while it may have been planned, unfolded more organically.

The bring-your-own-device (BYOD) movement largely began with the iPhone in 2007. And with the release of the iPhone 3G, iOS 2 and the App Store a year later, many users began to see how their devices could handle professional work, particularly on-the-go productivity and collaboration tasks. So, naturally, they began bringing their phones into the office, sometimes choosing their own iPhones over corporate options or BlackBerrys. Apple's support for Exchange and a nascent configuration profile function in iOS 2 helped the process, but it wasn't the primary driver.

In 2010, Apple introduced the iPad - and support for over-the-air management of iOS devices using the company's MDM architecture. The iPad alone became one of the seminal BYOD devices, and the ability to configure and secure iPads via MDM made them more palatable to IT admins. (The trend also offered companies an advantage: they didn't have to pay for devices or, in many cases, service.)

Macs, on the other hand, tended to remain corporate devices, in part because of the costs involved and because it took Apple a while to integrate MDM capabilities. Managing Macs still required directory integration in a way that didn't feel entirely appropriate for a personal device. As a result, a split in ownership models (and corporate liability) developed. iMacs and Apple laptops were managed one way; iDevices were managed another.

MDM evolves with Supervision and DEP

At first, Apple offered the same MDM capabilities to both corporate- and employee-owned devices. Then, in 2012, came the concept of Supervision with the Apple Configurator utility. Supervision offered a superset of management capabilities for enterprise and education devices and wasn't intended for personal devices. In fact, it required devices be wiped before it could even be enabled, keeping IT departments from supervising devices without a user's knowledge. At first, the process required tethered supervision - the device had to be connected via USB to a Mac running Apple Configurator for the initial setup - something that didn't change until Apple introduced its Device Enrollment Program (DEP) in 2014.

Supervision and DEP, which provides over-the-air setup with the option of supervision for devices purchased by a company or school, both remain designed only for company-owned devices.

It's clear that Apple intends for all its products to be managed via MDM using an essentially vendor-agnostic approach. Since it's possible to remove directory services from Macs in an enterprise environment entirely, management and provisioning can be done by MDM with associations to the device and an MDM infrastructure with its own user management options. (A local user account can be used for access on the Mac itself.)

This has advantages, in that small organizations can proceed without needing a directory infrastructure. It also allows other solutions to be tapped for user account management rather than Open Directory, including Active Directory, Azure AD, or services like Okta.

Currently, only Active Directory enjoys native support on the Mac, but third-party options could well fill the gap. NoMAD, which was acquired by Mac enterprise vendor JAMF in 2018, allows the use of alternates including Okta. JAMF has announced Azure AD authentication, though it has yet to offer a timeline for release in its JAMF Connect product, which utilizes the NoMAD technology.

And then there's JumpCloud, which offers a cloud-based directory service that supports the LDAP capacity built into macOS. It delivers native Mac support without the need to manage Open Directory services running on-premise on macOS Server. (MacStadium also offers cloud-based macOS Server instances.) Think of these as "Open-Directory-as-a-Service" options.

Not surprisingly, the cloud presents a challenge for many organizations looking to manage identity as it spans multiple on-premise and cloud services, including fundamentals like directory services. But it's another option made possible by Apple's decision to disaggregate identity from Mac management (albeit tacitly). Apple is slowly opening doors for IT admins to search out and develop identity and device management structures that make the most sense for their organizations, users and device ownership models.

The identity/management conversation to come

Even as it's forcing a conversation about device ownership and identity in the corporate world, Apple is framing the question about how identity, access, management and ownership tie together. While device-level management came first for enterprise mobility management, capabilities like conditional access, app- and content-level management, and corporate licensing of mobile apps have since evolved. This means organizations now have more flexibility in designing security and access policies, deployment strategies, and mobility use cases. Simply locking down hardware - particularly devices an organization doesn't own - isn't the only option. Nor is it necessarily the best.

That's especially true when user-owned devices are being managed. As smartphones and tablets contain ever more personal data, including detailed health information, blunt-force management is bound to be less appealing. Given that Apple stakes so much of its reputation on privacy, it's natural that it wants those kinds of device management discussions to occur between IT admins, human resources departments and company executives.

Ultimately, one of the big stories about Apple in the workplace in 2019 is likely to be the management flexibility it's allowing, particularly as it continues to add partners that can extend its in-house operations for enterprise customers. It is also smart for Apple to introduce these options - and these conversations - at a time when these issues are becoming core competencies at the heart of so many digital transformation initiatives.

Copyright © 2018 IDG Communications, Inc.
