Deploying Apple Macs correctly - choosing the right deployment strategy

Apple put an end to classic imaging two years ago by introducing the T2 security chip into its hardware (see hardware affected by this).

Thanks to Apple’s Device Enrollment Program (DEP), it is possible to hand over the hardware to users in new condition, still sealed in its original packaging. The hardware is purchased directly from the manufacturer or authorized resellers and therefore knows which Mobile Device Management (MDM) solution it should communicate with. This gives users the out-of-the-box experience and IT no longer has any logistical work to do, but can devote itself to its actual task: The targeted management and support of the device fleet.

After automated enrollment via Apple’s DEP, the Macs immediately receive the correct settings to ensure security and implement the company’s specifications. The Mac can now be managed via the MDM system, but has not yet received the company-specific software. There are different approaches to complete the initial deployment:

• If users are to be productive quickly and enjoy the greatest possible freedom of choice, only the most necessary applications (VPN, malware protection, possibly Microsoft Teams) should be installed. Additional software can then be downloaded as required via the company’s own self-service. This not only saves licenses, but also valuable time during deployment. Only the programs provided by IT are made available in the self-service, so compatibility and valid licenses are always guaranteed. This approach also means that no unnecessary software is installed, ensuring more free hard disk space and keeping the number of programs that need to be updated to a minimum.
• If the company prefers to install a defined selection of software during deployment, solutions such as DEPNotify can be used. This displays a loading screen during the deployment process, allowing users to track the progress of software installations. Depending on the software selection, this process can take more or less time. Based on our own experience, a complete enrollment including the installation of the entire Microsoft Office Suite, Microsoft Teams and Google Chrome takes 20 minutes.

We at SPIRIT/21 recommend the lean deployment approach in order to save bandwidth, time, licenses, hard disk space and - in the case of hardware replacement - also time. Added to this is the resulting modularity of the clients. As a user, you have the feeling of having more control over your Mac, as you can decide for yourself what is installed on it and what is not.