Interesting, I wonder if they’ll eventually expand this to their Apple School Manager service, no more Jamf as it’s all done via Apple…
 
Well well well

Took them long enough

This was the Apple gap in market

Apple were well known for using Jamf internally

Anyone know if this is based on a Jamf style architecture?

I would say they need it to be free and have excellent integration with Microsoft 365/Intune for it to be a success in business.

Platform SSO showed promise, but I haven't looked at it since 2024.
Maybe Apple won't follow Jamf's architecture, considering they acquired Fleetsmith 6 years ago. We'll see how it works.
 
The official press release says the service is going to be available in 200 countries, so hopefully they hold to their promise because I'd like to give it a shot, especially since it looks like they will offer a free tier, and I'm a single member LLC with very basic requirements, with potential to grow. And if it'll be possible to bring in my existing Entra ID for SSO, that's going to be one hell of a deal for small businesses like mine. Bring it on, Apple.
 
I'm curious—where does MDM software reside on the computer? Or is it even considered software (as opposed to, say, firmware)?

It's not like a normal application, because if you completely erase and reinstall, MDM remains (as it needs to, to prevent theft).

So I assume companies that produce MDM's need to work specifically with Apple so they can install it somewhere not accessible even to users with administrative permissions.
Some device management is part of the core operating system. Things like Configuration Profiles, Declarative Device Management (DDM), and Automated Device Enrollment are Apple-developed, and all MDM vendors leverage those features for management.

Nearly all MDM vendors also install a binary agent that gives the agent (and the backend MDM server) the ability to perform additional functions on the computer, things like installing software and running scripts. This binary runs at root level.

A vendor's MDM is not preloaded onto a device (Mac or iOS). When you first set up a device, it does a callback to Apple and transmits the serial number. Apple's servers have a list of serial numbers and whether they are enrolled in Apple Business Manager. If the computer is enrolled in ABM, Apple transmits the URL of the MDM server that the computer or iOS device needs to be enrolled into. The device then starts the enrollment process.
 
EU regulators have rushed to the mic to affirm “Oh you better BET we’re gonna fine that! Apple has monopoly control over things Apple makes and that can’t be allowed. It’s fine for Samsung and other companies to have monopoly control over their devices because they’re not named after fruit. Or something, we don’t care.”
 
I've used the current Apple business tools with clients, and there is a shocking amount of phone calls and emails required to get typical things pushed through to the platform, which shouldn't be necessary in 2025-2026.
You really could have BOLD, ITALIC'd, and UNDERLINED that "shocking amount"… because it is SPOT ON! Just absolutely mind-boggling how bad Apple's Business tools are, and so very poorly, incompletely documented.
 
Super interesting. Apple is still not seriously moving into corporate IT, but PC laptop makers should be scared ********.
 
Seems like a lot of changes. Good to know about the changes on this side of Apple's business as most of the time the news or information is about the consumer side of business.
 
It's part of the operating system. The OS provides programming interfaces and functions for any MDM to use. They're documented so Apple don't have to work with everyone.

The OS then enforces it and uses hardware like Secure Enclave to make sure you can't escape by just deleting software and reinstalling.

Other operating systems might be a bit less rigid and leave more control to the MDM provider.
It makes sense that an interface to install the MDM would be present within the OS.

However, the MDM can't itself be part of the OS, since if you delete and reinstall the OS, the MDM remains.

Further, the OS is on an unmodifiable (read-only) Signed System Volume (SSV) to which, by definition, nothing can be added (by a developer). Thus the MDM can't be part of the OS, since installing an MDM would require an addition to the OS. Hence the MDM must reside outside the OS.

 
That makes sense--MDM is something that can be installed only with permission from Apple, which in turn requires the devices and vendor be registered with Apple.

But my question was: Where is the software actually installed? While it makes sense that the OS provides interfaces for installing and using an MDM, the MDM cannot itself be installed as part of the OS since, as I mentioned in the post above, the OS is on an unmodifiable (read-only) Signed System Volume (SSV).
 
Once again, the MDM protocol is built into the O/S by Apple; there is nothing to install because it just sits there waiting to be activated by enrolling the computer. Apple builds and includes the framework in the O/S. The files that activate the MDM are downloaded and saved on your computer. They are installed in the Library folder (FYI, the "System" folder is actually a mix of the SSV and a writable partition).

For the binary agent, it also gets installed in the Library folder; where depends on the MDM company, but very likely /Library/Application Support/<<MDMName>>. But, they are installed only the root agent able to write or delete the file. When you enroll a computer with an MDM, the MDM is given essentially root-level access to the computer and can write to pretty much anywhere on the computer. Heck, as MDM admin for my company, I can send a command to write or delete just about anything as well.

Trust me when I say there is nothing mysterious about installing an MDM.
 
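A quick way to see the enrollment state the post above describes (ADE assignment, MDM enrollment, and which server the Mac talks to) is the built-in `profiles` tool. The following is an added example, not code from the thread or from any MDM vendor: it wraps `profiles status -type enrollment` and parses its `key: value` lines. The sample output embedded below is constructed in the shape that tool prints so the parser can be exercised off a Mac; the server URL in it is made up.

```python
"""Report a Mac's MDM enrollment state via the built-in `profiles` tool.

Added example (not from the thread or any MDM vendor). SAMPLE_STATUS is a
constructed sample in the shape `profiles status -type enrollment` prints;
the URL in it is invented.
"""
import subprocess

SAMPLE_STATUS = """\
Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)
MDM server: https://mdm.example.test/mdm
"""


def parse_enrollment_status(text):
    """Turn the key: value lines of `profiles status -type enrollment` into booleans.

    `ade` is True when the Mac was enrolled through Automated Device Enrollment
    (the serial number was assigned in Apple Business Manager); `user_approved`
    distinguishes a supervised/approved enrollment from a plain profile install.
    """
    fields = {}
    for line in text.splitlines():
        key, sep, value = line.partition(":")
        if sep:
            fields[key.strip()] = value.strip()
    mdm_line = fields.get("MDM enrollment", "")
    return {
        "ade": fields.get("Enrolled via DEP", "").startswith("Yes"),
        "mdm": mdm_line.startswith("Yes"),
        "user_approved": "User Approved" in mdm_line,
        "server": fields.get("MDM server") or None,
    }


def current_enrollment_status():
    """Run the real tool. Only works on macOS; `profiles` is in /usr/bin there."""
    out = subprocess.run(
        ["profiles", "status", "-type", "enrollment"],
        capture_output=True, text=True, check=True,
    ).stdout
    return parse_enrollment_status(out)


if __name__ == "__main__":
    try:
        print(current_enrollment_status())
    except (FileNotFoundError, subprocess.CalledProcessError):
        # Not on a Mac (or tool failed): show the parser on the constructed sample.
        print(parse_enrollment_status(SAMPLE_STATUS))
```

On a managed Mac, `sudo profiles show -type enrollment` prints the enrollment details Apple handed the device during setup, and `sudo profiles renew -type enrollment` forces the device to re-ask Apple whether it should be enrolled, which is the same check the thread says runs during Setup Assistant.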
This is cool, but what I want as an admin of a company fleet (enterprise and schools) is the ability to administer some of the PPPC settings.

While user security is important, if I am giving devices to users/children in our care, I should be able to push out a screen recording tool. Happy for it to show them it's recording the screen, but I should be able to control that.
 
But, they are installed only the root agent able to write or delete the file.
Something is wrong with this sentence and I couldn't follow it; could you please correct it?
Once again, the MDM protocol is built in to in O/S by Apple
Once again, not asking about the protocol, asking about whatever is installed as result of activating the MDM, and where that is stored such that it persists even after you do a wipe as an administrative user.
For the binary agent, it also gets installed in the Library folder, where depends on the MDM company, but very likely /Library/Application Support/<<MDMName>>.
Can't just be the Library, since that's deleted when you do a wipe.

Trust me when I say there is nothing mysterious about installing an MDM.
Nope, don't view it as mysterious. Just looking for a clear technical explanation that addresses my specific question.
 
I think you are trying to understand how the MDM configs get pushed to a device after a full wipe. Similar to how an Apple device checks for Activation lock, during the set up process, a check is made when the device connects to the internet. If the device is listed within the company's Apple Business Manager (proving company ownership), the device must be enrolled during the setup process to the managing MDM. This is done by just clicking "Enroll" when prompted after connecting to Wifi. There is no option to skip enrollment.

The MDM controls get pushed to the device during that enrollment. Hope that makes sense.
 
I think you are trying to understand how the MDM configs get pushed to a device after a full wipe.
Yes, exactly.
Similar to how an Apple device checks for Activation lock, during the set up process, a check is made when the device connects to the internet. If the device is listed within the company's Apple Business Manager (proving company ownership), the device must be enrolled during the setup process to the managing MDM.
So, essentially, the instructions to "install/verify MDM on this device" aren't stored on the device at all.

But that means every time an Apple device (that could potentially have MDM) connects to the internet, Apple must do this check. So even if there are, say, 100 M connections to Apple's servers/hour from such devices, and only 100 k of them are from devices registered with MDM, Apple must check all 100 M. Right?

[That seems expensive, which is why I'd imagined the MDM configs were instead installed in a special firmware section of the device that would persist through a full wipe; this would obviate the need to do an MDM test on every single connection to Apple's servers.]

And just to test my understanding (I don't have any interest in trying to bypass MDM, nor do I own older Macs that have it): It seems this also means that people with older Macs, that could boot from external drives, could bypass MDM by booting to that drive instead of directly to the Mac; or if they don't need to connect to the internet at all from such a device, they could restore that device entirely from a bootable clone, and then use it without the bootable external drive, if they never connect it to the internet.
 
Explain how it is "not even remotely like it". I said -ish implying it wasn't identical but it certainly does have some similar components. Are you saying it has ZERO things in common with google workspace?

Keep in mind, I subscribed to Google Workspace and have firsthand experience with it.

As I currently understand it, and this may be changing with this new system, the key difference is that this is not actually its own identity platform. It still requires something like Entra ID to provide the identity platform, which it then plugs into for MDM functions.

I don't use Google Workspace but I do use the Microsoft stack and this is largely the identity portion, whatever the GW equivalent of that is.

For example I think these managed Apple IDs need to be tied to a Microsoft Entra ID or some other external identity management system.
 
Yes, exactly.

So, essentially, the instructions to "install/verify MDM on this device" aren't stored on the device at all.
Yes, that is what we have been trying to tell you.
But that means every time an Apple device (that could potentially have MDM) connects to the internet, Apple must do this check. So even if there are, say, 100 M connnections to Apple's servers/hour from such devices, and only 100 k of them are from devices registered with MDM, Apple must check all 100 M. Right?

[That seems expensive, which is why I'd imagined the MDM configs were instead installed in a special firmware section of the device that would persist through a full wipe; this would obviate the need to do an MDM test on every single connection to Apple's servers.]
In most cases, the check only happens during setup. When you first connect to the internet during setup (either by connecting via Wi-Fi or connecting a USB Ethernet adaptor), the computer checks in with Apple's activation servers to determine if it needs to be registered with an MDM. And, yes, if you somehow bypass the MDM enrollment, the computer does check in on a regular basis to see if it SHOULD have been enrolled into MDM.

But, these checks are very small packages, probably measured in bytes, not kilobytes or higher.

I imagine Apple has orders of magnitude more traffic from the App Store, iCloud services, Apple Music, etc., than the simple MDM checking.

And, to blow your mind, Apple devices are constantly communicating with Apple servers. When an MDM needs to install a configuration profile or install an App Store app, there is a process that the MDM follows.

Apple Server -> Device: "I need you to check in with your MDM server"

Device -> MDM: "I was told that you have something for me to do"

MDM -> Device: "Yes, I need you to install this App/Profile/etc."

At that point, the next steps are dependent on what needs to be done. For example, a configuration profile gets pushed directly from the server. But an App Store app gets pulled directly from Apple.


And just to test my understanding (I don't have any interest in trying to bypass MDM, nor do I own older Macs that have it): It seems this also means that people with older Macs, that could boot from external drives, could bypass MDM by booting to that drive instead of directly to the Mac; or if they don't need to connect to the internet at all from such a device, they could restore that device entirely from a bootable clone, and then use it without the bootable external drive, if they never connect it to the internet.
Depends on how old the device is and the O/S it is running, but unless a user has a vintage Mac, your statement about booting from an external drive won't help. Again, the check happens during computer setup, so even if the O/S was booted from an external drive, the computer will still check in with Apple during setup and will see that it needs to be MDM enrolled. (Now, the result of a second enrollment will confuse the heck out of the MDM server; as far as it is concerned, they are the same computer. MDMs typically identify computers by their UUID, which is unique to each computer unless you replace the system board.)

Regarding not connecting to the internet, that would work in the short term. And some companies need this for security reasons, as they require air-gapped devices that NEVER touch the internet.

But, there are two issues with this. First, a non-internet-connected Mac is really limited, would be difficult to upgrade, and is really only for special use cases (and iPhones/iPads are essentially useless without a network connection). As soon as it comes online, it will ping the Apple server and politely inform the user that it needs to be enrolled in an MDM.

Second, a few O/S versions ago, Apple added a security feature. Once a computer has been enrolled into an MDM the first time, a special setting is saved in a non-volatile portion of the system board that survives O/S wipes. The next time the device is wiped and setup is run again, the O/S sees that the computer was previously enrolled in an MDM and REQUIRES an internet connection to complete setup. It is no longer an option to skip joining a network. This is to prevent wiping a stolen computer, going through setup without connecting to the internet, and then selling it to an unsuspecting user.
 
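The two flows the replies above describe (the serial-number lookup during Setup Assistant that hands the device its MDM server, and the push / check-in / command round trip once it is enrolled) fit in one short simulation. This is an added example, not Apple's or any MDM vendor's code: everything runs in-process with no APNs, no HTTPS and no SCEP, and only the message shapes follow the MDM protocol (a device PUTs a plist with `Status: Idle` or `Status: Acknowledged` plus its `UDID`; the server answers with a plist command carrying `CommandUUID` and `Command.RequestType`, or an empty body when nothing is queued; the push payload is just `{"mdm": PushMagic}`). The `ActivationServer`, `MDMServer` and `Device` classes, the serial numbers and the `mdm.example.test` URL are all invented for the illustration.

```python
"""Simulated Apple MDM flow: activation lookup, enrollment, push, check-in, command.

Added example; not Apple's or a vendor's code. In-process only: no APNs, HTTPS
or SCEP. Message shapes follow the MDM protocol; names and serials are made up.
"""
import plistlib
import uuid
from collections import defaultdict, deque


class ActivationServer:
    """Stands in for Apple's check during Setup Assistant: serials assigned in
    Apple Business Manager map to the MDM server URL the device must enroll with."""

    def __init__(self, abm_assignments):
        self._assignments = dict(abm_assignments)  # serial -> MDM server URL

    def lookup(self, serial):
        return self._assignments.get(serial)  # None: not managed, setup continues


class MDMServer:
    """Per-device command queue; answers check-ins with plist bodies."""

    def __init__(self, url):
        self.url = url
        self._queues = defaultdict(deque)
        self._push_magic = {}
        self.acknowledged = []

    def enroll(self, udid):
        # Real enrollment exchanges an identity cert and the MDM profile; here we
        # only mint the PushMagic the device must see in a push before it checks in.
        self._push_magic[udid] = uuid.uuid4().hex
        return self._push_magic[udid]

    def queue_install_profile(self, udid, profile_bytes):
        self._queues[udid].append({
            "CommandUUID": str(uuid.uuid4()),
            "Command": {"RequestType": "InstallProfile", "Payload": profile_bytes},
        })

    def apns_payload(self, udid):
        # What Apple's push service delivers: no command, just "check in".
        return {"mdm": self._push_magic[udid]}

    def handle_checkin(self, body):
        """Device PUTs a status plist; reply is the next command or an empty body."""
        msg = plistlib.loads(body)
        if msg["Status"] == "Acknowledged":
            self.acknowledged.append(msg["CommandUUID"])
        elif msg["Status"] not in ("Idle", "Error", "NotNow"):
            raise ValueError(f"unexpected status {msg['Status']}")
        queue = self._queues[msg["UDID"]]
        return plistlib.dumps(queue.popleft()) if queue else b""


class Device:
    def __init__(self, serial):
        self.serial = serial
        self.udid = str(uuid.uuid4())
        self.mdm = None
        self.push_magic = None
        self.installed_profiles = []

    def setup_assistant(self, activation, servers):
        """Ask Apple whether this serial is assigned; enroll if it is."""
        url = activation.lookup(self.serial)
        if url is None:
            return False
        self.mdm = servers[url]
        self.push_magic = self.mdm.enroll(self.udid)
        return True

    def on_push(self, payload):
        if payload.get("mdm") == self.push_magic:  # ignore pushes not meant for us
            self.checkin()

    def checkin(self):
        status = {"Status": "Idle", "UDID": self.udid}
        while True:
            reply = self.mdm.handle_checkin(plistlib.dumps(status))
            if not reply:
                return  # queue drained
            cmd = plistlib.loads(reply)
            self.execute(cmd["Command"])
            status = {"Status": "Acknowledged", "UDID": self.udid,
                      "CommandUUID": cmd["CommandUUID"]}

    def execute(self, command):
        if command["RequestType"] != "InstallProfile":
            raise NotImplementedError(command["RequestType"])
        self.installed_profiles.append(plistlib.loads(command["Payload"])["PayloadIdentifier"])


def run_scenario():
    """Assigned serial enrolls and receives a profile; unassigned serial does not."""
    mdm = MDMServer("https://mdm.example.test/mdm")
    activation = ActivationServer({"C02ASSIGNED01": mdm.url})
    managed, personal = Device("C02ASSIGNED01"), Device("C02PERSONAL02")
    enrolled = (managed.setup_assistant(activation, {mdm.url: mdm}),
                personal.setup_assistant(activation, {mdm.url: mdm}))
    profile = plistlib.dumps({"PayloadIdentifier": "com.example.wifi",
                              "PayloadType": "Configuration"})
    mdm.queue_install_profile(managed.udid, profile)
    managed.on_push(mdm.apns_payload(managed.udid))
    return {"enrolled": enrolled, "profiles": managed.installed_profiles,
            "acked": len(mdm.acknowledged)}


if __name__ == "__main__":
    print(run_scenario())
```

Note the asymmetry the thread points out: nothing about the assignment lives on the device before setup, so the unassigned serial simply gets `None` from the activation lookup and never touches an MDM server, while the assigned one has no opt-out. Note also that the push carries no command at all; the device only acts on what it pulls from its own MDM server after checking in.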
As I currently understand it, and this may be changing with this new system, the key difference is that this is not actually its own identity platform. It still requires something like Entra ID to provide the identity platform, which it then plugs in to for MDM functions.
I don't use Google Workspace but I do use the Microsoft stack and this is largely the identity portion, whatever the GW equivalent of that is.

For example I think these managed Apple IDs need to be tied to a Microsoft Entra ID or some other external identity management system.
You are essentially correct. In theory you could manage separate Managed Apple Accounts without an external source (like Microsoft EntraID), but every MAA would have to be created by hand. Apple does not (currently) provide any direct API method for managing MAAs.

Apple really does expect organizations to federate their existing Identity Provider to Apple Business (Manager). Once the IdP is federated, MAAs are automatically provisioned based on the IdP.
 
Something is wrong with this sentence and I couldn't follow it; could you please corrrect it?

What I am saying is that various files installed by an MDM are installed in a way that prevents any users, even an Admin from deleting them. Only an account with root permissions can delete them.
Once again, not asking about the protocol, asking about whatever is installed as result of activating the MDM, and where that is stored such that it persists even after you do a wipe as an administrative user.
And, I explained before, they do NOT persist between O/S installs. If you wipe the O/S, it is free from the MDM. Then, during setup, it checks in with Apple servers to determine if it needs to be enrolled in an MDM.

This is why it is important, when a company sells or gives away an older computer, that it is released from the company's Apple Business Manager. (And why you see constant reddit posts: "How do I remove the Remote Management?")

Can't just be the Library, since that's deleted when you do a wipe.
Sure, it is.
Nope, don't view it as mysterious. Just looking for a clear technical explanation that addresses my specific question.
I apologize if I am not being clear enough. But, if you want to investigate more, I would suggest searching (or using ChatGPT/Claude) for terms such as Apple MDM, Automated Device Enrollment, Apple Business Manager. These are very common terms that will come up in any MDM documentation.

Jamf (one of the leading MDMs), actually has a pretty good introductory course:


There are sections specifically devoted to the MDM infrastructure, and they are pretty MDM agnostic. There are also sections on Jamf basics.

if you really want more information, I would take a look at that course and read through some of the introductory chapters.
 
I’ve stayed with Apple Maps for privacy and no ads. Will stop using the day an ad invades my GPS. That would be a driving distraction and Apple will be liable for any accidents that occur as a result of those ads.
 
Now I know why Jamf rushed and finally rewrote their app so it appears to look more native. They are an absolute monopolist in this sector, and I never liked using it.
 
They need to come out with a consumer version of this. As the family IT manager of my household's devices, update day can take an hour going to each device.

Having a dashboard where I can tell my wife’s phone to update overnight without having to go into her phone would be nice.

I think I did the math and we have like 32 Apple devices that receive updates. Apple needs to address this. Include it as part of iCloud+ and allow anyone on your iCloud family to be managed.

Very cool idea! Are you listening, Apple?
I am also running the IT-department at our household, while only at around 20 devices, the need for something like this is real.
 