Apple’s App Store provides great benefits for IT teams. First and foremost, it provides a centralized location where users can find many apps available for Apple devices, making it easy for IT teams to find and deploy the apps they need.
The App Store also helps IT teams simplify the distribution of apps to specific users, especially when the IT teams leverage the powerful combination of an Apple-specific mobile device management (MDM) solution with the App Store’s Volume Purchase Program.
However, the App Store (particularly on the Mac) doesn’t solve all application and patch management needs for companies leveraging Apple devices.
From critical applications such as Google Chrome, Zoom, and others not being available on the Mac App Store, through the distribution of custom applications and other installers, to detailed and effective controls over updates, IT teams need a unified, definitive, and automated solution to manage apps for all Macs, iPhones, iPad devices, and Apple TVs used at work.
Let’s start with why
By not having a unified, definitive, and automated solution to manage apps for all Apple devices used at work, companies are creating problems of different natures, ranging from productivity to security.
1. Problems with onboarding
Rather than explaining this one, let’s explore 2 scenarios and you pick the one that seems to be best.
In scenario 1, it’s the onboarding day of a new employee. The energy and excitement levels are at an all-time high, and the employee can’t wait to dive right into the new role. The new hire receives a brand new M2 MacBook Air and expectations just increase, as working on a new M2 MacBook Air is unquestionably more exciting than working on a PC.
The Mac is turned on and after some configuration steps, it’s ready to use. However, the magic and hype end there. The employee has no idea what apps need to be installed, so after only a few minutes in their new role, the employee is already having their first call with IT.
After some time, the IT team sends a list of general apps the employee needs to download. But when the employee tries to install the apps, they realize that an Apple ID is required. The employee has no idea what Apple ID to use, so they decide to try their personal Apple ID. To their surprise, several apps on the general list IT provided simply don’t exist on the Mac App Store. But how? Another call to IT and the employee learns that some apps need to be downloaded directly from the provider’s website. The excitement starts to fade, and some signs of frustration begin to arise. The employee has never heard of some of the apps, so how should they know the right website to go to? Because they don’t understand the process, what if the new employee downloads the apps from a malicious website? More frustration builds up. The day is almost over and the quest to get the Mac up and running is still far from concluded.
In scenario 2, all is the same up to the moment the employee boots up the brand new M2 MacBook Air for the first time. The configuration time is quicker and, once the home screen opens, an elegant pop-up appears letting the employee know that all required apps are already installed and ready to use. No extra steps or Apple ID needed. In a few minutes the new employee is ready to go. Wow! The employee is also informed that a curated list of other approved but optional apps is available on the Mac. The apps are ready to install; all they need to do is click the install button. Less than 20 minutes into their new job, the new employee is already working.
I’m sure you would prefer scenario 2, right?
2. Problems with compliance
Companies normally handle important information and actions for their customers. These customers trust that all the recommended steps to protect that information and access are in place. Ruining this silent agreement by not having the right processes in place would not only ruin the customer’s trust but also expose the company to material liabilities in case a breach happens.
For this reason, it is imperative for companies to be compliant with privacy and security laws (such as FERPA or HIPAA), up-to-date certifications (such as SOC or ISO), and best practices. In all cases, rigid controls over which applications are used to process customer data, and how to keep everything patched, are always required.
But how can an enterprise ensure this if employees are responsible for installing and updating all (and any) applications whenever they want? This is literally an impossible task once a company expands beyond ten employees.
3. Problems with security
A strategy that relies on employees to manage their own apps on their Apple devices used for work creates material security exposures.
First, in order to install an app, employees need to be granted administrative privileges on their devices. This means that they have full control of their device. So, if they don’t follow security best practices and open a phishing email or click on the wrong website link, they will be in serious trouble. (If you want to learn more about the risks of letting employees use their devices as admins, check out this blog post.)
Unfortunately, it’s extremely common for applications to have security vulnerabilities, and at times (they aren’t as rare as we would like) the vulnerabilities are critical and must be patched immediately by updating the application. But if the application was installed manually by every employee, the company will never be able to get visibility into what devices need patching, or the access needed to enforce the patching with urgency and ensure that patching was performed on all company devices, resulting in major security consequences for the company.
Fortunately, a unified, definitive and automated strategy to manage and patch apps for all Apple devices used at work helps to ensure that the company will operate more efficiently, adhere to the highest security compliance standards, and run its business in a safer manner.
So how do you build a proper strategy to manage apps for all Apple devices in the workplace?
The perfect application and patch management strategy for Apple devices should cover all the different scenarios around installing and patching apps and the operating system. This can be achieved through a combination of tools that provide full support for Apple’s app purchasing program (Volume Purchase Program), Self-Service, temporary apps, a custom App Catalog, Automated Privacy Permissions, and PKGs with pre and post scripting. Yes, that’s a lot to think through, and that’s why you need a trusted vendor to help you manage every aspect of it. Let’s break it down a bit.
The Apple Volume Purchase Program (VPP) is a service provided by Apple that allows businesses and educational institutions to purchase and distribute apps and books in volume to their employees or students. With VPP, organizations can purchase apps and books in bulk and distribute them to their employees or students, who can then download and install the apps on their own devices.
These apps can be distributed to employees through an Apple-specific mobile device management (MDM) solution for a zero-touch installation.
A Self-Service Portal is a tool made available by high-quality Apple-specific mobile device management (MDM) systems that allows employees to manage their own apps without needing to ask IT to install them. IT loads selected apps into the Self-Service Portal, and then users can install each app as needed. Self-Service is normally very useful for pre-selected apps that are not required and may or may not be used by the employees.
Temporary or project-specific apps are another tool made available by very sophisticated Apple-specific MDM systems, with the goal of allowing temporary installation of apps for a specific project or for a limited time. These apps are typically not part of the standard set of apps that are deployed but are instead added on an as-needed basis to support the specific needs of a project. In many situations, these apps might be very expensive, so a company might only retain a limited number of licenses and distribute (and retrieve) them as needed.
Several highly used Mac apps are not available for installation from the Mac App Store. This list includes Zoom, Microsoft Teams, Dropbox, Google Chrome, Google Drive, most antivirus solutions and many more.
So, in order to install and update these apps the company will need to either rely on each employee updating them or have IT manually download, host and code installation scripts to be enforced by MDM solutions, repeating the process every time a new version of the app is released. Both options are far from efficient, automated, and safe.
Luckily, leading Apple-specific solutions will automate the whole process by offering a ready-to-use solution for all required apps not available on the App Store. This results in a truly automated process for installing and patching apps. Some providers even offer workflows that are far more efficient than what is currently available for apps on the App Store.
A few of these solutions will even automate the process of granting the necessary permissions for each app, such as granting Zoom access to the camera and microphone, so employees don’t need to do anything.
Unfortunately, if you try a DIY route or even if you try to stitch together several different solutions, reaching an ideal application management and patching strategy is very difficult.
What if all of that could be part of a unique Apple platform?
Software providers that focus on solutions for managing and protecting Apple devices used at work can use their deep knowledge of Apple’s operating systems and specialization to integrate all the features and solutions that the IT and the security teams will need to manage and patch applications on Apple devices used at work – all in one solution.
This approach is known as the Apple Unified Platform.
Mosyle, a leader in modern Apple endpoint solutions, is an industry reference for the Apple Unified Platform approach through its product called Mosyle Fuse.
Mosyle Fuse integrates a complete and automated Apple Device Management, a Mac-specific next-generation antivirus, Mac-specific hardening and compliance, Mac-specific privilege management, Mac identity management, Apple-specific application and patch management with a complete library of fully automated apps not available on the App Store, and an encrypted online privacy and security solution.
By unifying all these solutions on a single platform, Mosyle not only simplifies the management and protection of Apple devices used at work for IT and security professionals; Mosyle Fuse also reaches the next level of efficiency and integration that is impossible for any independent solution to achieve.
Finally, the cost benefits of an Apple Unified Platform such as Mosyle Fuse are also impactful. Considering the average cost of each individual solution that should be part of the IT software stack for Macs, it has been estimated that adopting an Apple Unified Platform such as Mosyle Fuse can generate savings of more than 70%, even for small fleets. That’s a relevant amount.
So, if you have Macs used by employees at work, you should try unified Apple solutions such as Mosyle Fuse, as they can bring amazing benefits to you and your company.
The post How businesses can (and should) manage apps on Apple devices first appeared on 9to5mac.com