27 Sep Seamless remote working with Apple in 2021 and beyond
To say the last couple of years have changed things is something of a gross understatement – from how we pay for products (when was the last time anyone used cash?!) to how we meet (who remembers having regular video calls before March 2020? Anyone? Exactly…) to how we interact personally and socialise (who knew what a “Zoom party” was in 2019?). While some of these may end up being limited phenomena, there is one thing that is here to stay…
Prior to the-thing-that-shall-not-be-named, remote working was something of a novelty; only adopted en masse by some of the more forward-thinking companies in the world, or for certain individuals in an organisation whose skillset wasn’t in geographical abundance and who didn’t live close to an organisation’s office.
However, the last 18 or so months have been akin to a mass experiment to see how working society can function when there is no other choice… and, overall, it was something of a success. Bar situations where remote work cannot happen (i.e. in more physically interactive roles), a huge proportion of society has managed to not only cope, but cope without serious detriment. From all this, one thing is for sure… remote working is here to stay. While “we got by” is the general consensus of most organisations when asked about coping with remote work, “we excelled” is far more seldom heard – wouldn’t it be great to excel?
Here’s how to do it…
When thinking about remote working (and, more specifically, IT to enable remote working) there are 4 main areas that need to be considered:
Provisioning is important because if you’re embracing remote workers, you need to be able to deploy kit to them… well… remotely. This needs to be a slick, smooth workflow as in this scenario, the remote worker isn’t going to have (and shouldn’t need) an IT person available to physically help them out.
Integration is key – as to enable that slick provisioning process, elements such as user accounts, permissions, group membership etc. all needs to be seamless to avoid multiple calls to the helpdesk to add a log in to this system, then grant access to that system.
Management is a bit of an obvious one, but effective management is constantly overlooked – devices need to be updated automatically (both applications and operating systems) as well as monitored, and fixed remotely if there’s an issue. Last but categorically and absolutely not least:
Security. Yes, everyone knows security is important in IT, however the landscape changes a little when users are working from home; you don’t control the network they’re connected to, you can’t choose their Internet Service Provider, and you don’t know who might have access to their machine during the day and outside working hours. These are all considerations that just taking a device straight out of the corporate network and sending it home with a user won’t actually account for.
Now we understand the reasons why these areas are important, let’s have a look in more detail at how to make them work as effectively as possible and excel in Remote working:
The slickest possible way to deploy devices effectively is by utilising Zero Touch Deployment. Jamf Pro works flawlessly with Apple’s Device Enrolment Programme, allowing you to have devices shipped directly to the end user, and then be auto-provisioned (without the user being able to opt out of this process). In this instance, the user will even have the “brand new device” experience, from unwrapping the shrink wrap to going through the first-boot setup. This is not only a completely hands-off experience for IT (which is also great for the user!), but also has been shown to increase user responsibility for the device, as the user feels more ownership of it due to the experience being similar to that of a personally purchased device.
Following initial onboarding, Jamf Pro can then take complete control of the device and deploy your organisation’s chosen apps, settings, scripts, a self-service app store and more.
Perhaps the largest impact of this is that not only does it allow you to enable your existing workforce to work seamlessly remotely, but it also enables you to hire anyone, working anywhere. As a result, this widens your available talent pool within your organisation as you’re not then restricted to who can feasibly travel a commutable distance to your office for their day-to-day work or when they need IT support.
So, you’ve got to the point where you can deploy a device’s apps and settings remotely and automatically… hurrah! However, the missing piece of the puzzle here is the user account – do you want the user to be able to choose their own username and password on their device? Sounds reasonable, but what happens if they forget their password? How do you enforce that they’re not using an easy to guess password? Would you rather be able to use Multifactor Authentication to properly secure the account? How can you ensure that all their apps and settings are contextual to the role they have and the team they’re in?
This is where Jamf Connect comes in. Jamf Connect can be deployed as part of a PreStage enrolment on macOS – meaning that before a device has finished its initial setup, a package can be deployed. In this case, the Jamf Connect package takes over the User Account process on macOS and allows you to replace the local username and password creation with a centralised user account, using services such as Azure Active Directory, Google Workspace, Okta, OneLogin and more. As a result, your user accounts are all centralised and can be controlled as such – the user even logs in to their device via the familiar login window they’re used to for services such as Office 365 and Google Workspace.
The cherry on top is that by using a combination of this and Active Directory integration in the Jamf Pro back-end, the apps and settings that a user receives can be dictated by their respective role or security group… no more ad-hoc app deployments for a new starter!
Now devices are being provisioned automatically, fully integrated with the infrastructure and users are happy, we need to keep it that way. Jamf Pro allows hugely granular control of your Apple estate. From app and OS updates being available via self-service (because nobody likes an unprompted passive-aggressive countdown timer popping up out of nowhere in the middle of a meeting!) to being able to change settings en masse, you have complete control of all of your devices wherever they may be.
In addition, the estate can be reported on in detail, so despite devices being spread across the country (or even the world!) you have a single pane of glass available to be able to see everything from device status, application usage, user assignment and more – and can even configure alerts if a device’s hard drive is about to fill up, for example. Couple this with the ability to restart individual services quickly and remotely, and you have a full suite of tools allowing management of devices as if they were in the same room… but from anywhere.
Finally, one of the biggest issues with remote work is dealing with devices when they are lost or stolen – this is made incredibly simple in Jamf Pro with the ability to remotely lock or wipe a device, as well as display messages on the screen requesting safe return. Using this feature, we’ve seen customers’ loss and theft percentages decrease dramatically within their estates – saving time, money, and frustration for both IT and the user. Imagine if you could do this from anywhere in the world…
“Just install Antivirus and you’re good, right?”
There are a few key things to consider when it comes to a good security posture… yes, Antivirus is one of them (and yes, macs do need Antivirus), but most AV only works on the basis of noticing when something bad has got in, quarantining it and removing it. Ideally, you want to be in a position where you stop the bad stuff getting in in the first place – this is where Jamf Protect comes in. With deep hooks into macOS, Jamf Protect can not only detect and isolate malicious applications when they’re running, but can prevent them running in the first place. This is a seemingly small but crucial step when it comes to security – it’s one thing calling the police to arrest a burglar when they’re in your house, but wouldn’t it be better to keep them locked out in the first place?
In addition, good security goes further than only preventing Malware and Ransomware from infecting your estate – it’s also about policies and settings being in such a configuration that attack vectors are limited as much as possible. As a result, Jamf Protect aligns with the CIS macOS benchmarks, giving you a “scorecard” to judge your estate by, and hooks into Jamf Pro to allow you to apply remedial settings with minimal fuss.
Going even further than this, Jamf Private Access gives you the ability to apply a true zero trust approach to your estate – ensuring that only devices in a specific state can access your sensitive services via secure tunnels that you define. Think of it as an intelligent on-demand per-application VPN (it’s just easier to say zero trust than all that!), giving you full peace of mind that even if an attacker were to gain usernames, passwords and even MFA devices for your services, they can only get in by using a fully authorised and provisioned device. There’s even more with Jamf Threat Defense and Jamf Data Policy (think Phishing prevention, Content Filtering etc) but at this point, that’s probably enough to mention!
So there you have it… going from “we got by” to “we excelled” in 4 steps, using 4 fully integrated systems, all from Jamf. If all that sounds daunting in any way, it’s not; it just takes some training and experience… and that’s where we come in. If you need some advice, consultancy or support, we have a fully trained, accredited and experienced team at your disposal and ready to go – feel free to give us a call to talk things through!
Get in touch today