sixcolors.com
199.16.173.247

URL: https://sixcolors.com/post/2022/03/apple-in-the-enterprise-a-2022-report-card/
Submission: On August 22 via manual from IN — Scanned from DE

Text Content

by Jason Snell & Dan Moren


BY JASON SNELL

March 31, 2022 8:00 AM PT

■ APPLE REPORT CARD


APPLE IN THE ENTERPRISE: A 2022 REPORT CARD

Last year, device-management startup Kandji approached Six Colors to commission
a new entry in our Report Card series focusing on how Apple’s doing in large
organizations, including businesses, education, and government. We worked with
Kandji and the hosts of the Mac Admins Podcast, Tom Bridge and Charles Edge, to
formulate a set of survey questions that would address the big-picture issues
regarding Apple in the enterprise. Then we approached people we knew in the
community of Apple device administrators and asked them to participate in the
survey.

This year, we’re repeating the process. Over the last couple of months, we took
the temperature of 71 admins, roughly half of whom report that they manage more
than 1000 devices. (If you’re an admin who didn’t take the survey, feel free to
fill it out.) They rated Apple’s performance in the context of enterprise IT on
a scale from 1 to 5 in nine broad areas.

Below, you’ll see the survey results, plus choice comments from survey
participants. Not all participants are represented; we gave everyone the option
to remain anonymous and not be quoted. Though Kandji commissioned this
survey—and we thank everyone there for doing so—it had no oversight over the
survey results or the contents of this story, which was compiled by Jason Snell
and the Six Colors staff.


OVERALL SCORES

In general, scores were up a bit from last year’s survey. Apple’s strongest
results were the same as last year: its hardware and its commitment to security
and privacy. The company scored worst on macOS identity management.

Now that there have been two surveys, we can compare last year’s scores with
this year’s and see how sentiment has changed. Except for macOS identity
management, which took a drop, and security and privacy, which remained the
same, all scores were up. The biggest moves were in software reliability and
deployment, followed by the future of Apple in the enterprise.

Here’s what Tom Bridge of the Mac Admins community had to say when viewing the
final results:

“There’s no question that over the last year, the Mac’s position in the
Enterprise has improved, and that’s in no small part thanks to key changes made
to macOS Monterey. With increased reliability, the addition of new software
update commands for MDM, and the improvement of return to service workflows,
Apple is working to make Enterprise admins happy.

“It’s not all roses, and the identity management score should come as no
surprise to Cupertino. Though Apple announced recently that they intend at a
future date to work with Google Workspace to federate Managed Apple IDs, this
still leaves many customers having to provision users by hand — yes, in 2022 —
instead of through automated methods of some kind. An important note here: Apple
made their announcement concerning Google Workspace after the close of this
survey, and while it is welcome news, it is also not yet released. Perhaps there
will be some improvements in the score for next year.”

Though we asked participants for the number of devices they administer and
whether they work in business or education, the truth is that very few of the
scores varied between any group. If there’s a notable deviation between groups,
we’ll mention it in the section for that category.



This year we also asked three new questions focused on what’s happened in the
last year. The panel scored the Mac’s transition to Apple silicon as a 3.9, or a
solid B+.

We asked about the pace of their adoption of new Apple operating systems this
year, with 37% of responses indicating that it was faster than usual, 51% saying
it was about the same, and only 13% saying it was slower than usual.

Bridge’s analysis: “The score that showed adoption rates as ‘same’ or ‘faster’
being 85%+ is a good health indicator of the OS within Enterprise environments.
Security & Privacy and Hardware Quality are leading the way for Apple, and this
year’s entries into those areas are lovable products for the Enterprise
audience.”

We also asked about Apple’s new Apple Business Essentials service to see what
interest there was from our panel. 21% said they were not interested in trying
it, 19% said they might consider using it, 4% said they tried it and dropped it,
and 3% said they were currently using it. A whopping 48% said they had no
opinion or that the service wasn’t relevant to them.

Bridge: “This feels right to me, also. Most organizations have an MDM that they
use and love now, and the current release of ABE is not for them. That’s just
fine. Apple has a market to build, and wants MDM available everywhere for small
businesses of all sizes at reasonable prices.”

Read on for detailed results from each category, with commentary from panel
participants.


ENTERPRISE PROGRAMS

Grade: B- (average score: 3.4, last year: 3.3)

This category features a slightly lower than average score (3.2) from panelists
who support between 500 and 1000 devices. The most common recurring complaint is
that Azure Active Directory is still the only option for federated
authentication.

Luke Charters wrote: “It feels like there are incremental improvements slowly
trickling out. Handoff and Sidecar features for Managed Apple IDs are sorely
missed. It’s crazy that I can’t turn on Activation Lock via MDM on a Mac as I
can with iPhones and iPads. Azure being the only federation option in School and
Business Manager is also mind-boggling.”

James Smith wrote: “MDM continues to take small steps forward each year, but the
robustness around Software Update is not where it should be.”

Kevin Williams wrote: “Apple has made steady progress since we started with
various versions of the enterprise systems for schools. The difficulty has been
the number of pivots and whole-scale changes as they went from one solution to
the next. Since the deployment of Apple School Manager (which we joined at the
beta), it has steadily improved to the point where it is a reliable and
predictable tool to manage our users and devices, including third-party
integrations to automate from our school systems.”

John Welch wrote: “I think there are some areas they could do better in, in
particular (actual) high-security needs. The improved support for PIV/CAC cards
has been significant, but better support for integrating things like Touch ID
into sudo auth has been sketchy at best—the current methods don’t survive
updates well. Better auditing for the use of admin auth would also be greatly
appreciated by the high security/government/government-adjacent community. As
well, and this has been an issue with Apple for a long time, getting information
out of Apple if you don’t already know where to look is remarkably tedious.
Apple has a lot of useful information, but if you aren’t blessed with an
enterprise rep already, it’s not always easy to find.”

Mischa van der Bent wrote: “Would love to see implementations go a bit faster.
I’m working in the EMEIA region, and sometimes it takes a while for us to get
new features. For example, Apple Business Essentials is U.S.-only for now.”

Todd Ness wrote: “Overall, things are pretty much status quo. I was a little
disappointed in the short end to Intel Mac availability, though.”

Cameron Kay wrote: “There have definitely been improvements, but more work is
needed.”

Charles Edge wrote: “Overall we continue to see steady progress on the
enterprise programs provided. There are always going to be more things we want
to have, but we see progress. The APIs Apple provides for device management
continue to mature; for example, with the addition of declarative management, we
got new tools in our toolbox at the API level, even if not all of the vendors
support that feature yet. Apple also released unified documentation for its
enterprise programs this year. The most substantial place many of us would like
to see new options is in the ecosystem of tools or paradigms we have to work
with. That includes identity management. The Azure identity works well, but we’d
like to see other vendors supported. That said, identity is not easy, and the
standardized protocols and implementations of those are constantly maturing.
That makes it difficult to roll out changes.”

Joel Housman wrote: “Being able to purchase computers from Apple through their
enterprise portal and having them come pre-enrolled for zero-touch setup with
our MDM configured has been amazing. I can set up a computer for a user in less
than 30 minutes. By contrast, our Dell Latitudes take me several hours to image
and lots of manual work to get them in the proper state to send out to an
employee.”

Rick Heil wrote: “Apple’s cloud and enterprise services continue to be the 3.6
roentgens of the management world—not great, not terrible. Stability seems to be
improving over the last year, but features still don’t quite meet the grade for
enterprise flexibility and manageability, are limited in scope or integration,
and almost exclusive focus on ‘click ops’ instead of being API available or
driven.”

Armin Briegel wrote: “There were two big changes in this area in 2021:
declarative device management and Apple Business Manager. Both are in early
releases, with limited access. Apple Business Manager is in beta, limited to US
organizations, with a very limited feature set. Declarative device management is
limited to BYOD-style deployments and iOS only. It is intriguing and promising
that Apple is choosing to progress in both of these areas, and it is
understandable that they are moving carefully. Business Essentials teases
managed corporate iCloud storage and AppleCare for organizations. Hopefully,
they will be made available to organizations using other management systems as
well. However, organizations still cannot volume purchase in-app purchases or
subscriptions and still cannot federate to identity providers other than Azure
AD. The new unlisted applications feature in the App Store might provide some
workarounds here, but it still adds complexity. With Apple Business Manager,
Apple is now also a consumer of the MDM API. This gives me hope this will create
some pressure as Apple Business Manager customers and developers demand
features from the MDM team directly.”

Viktor Glemme wrote: “Still way too U.S. centered. A lot of programs are hard to
manage outside of California and especially if you have to support organizations
that span multiple countries.”

Stephen Short wrote: “Apple Business Manager is still frustratingly too simple.
My organization recently enabled SCIM provisioning using Azure (even though our
primary IdP is Okta). The entire experience of “taking over” personal Apple IDs
that use your organization’s domain is very clunky. Admins need to know the
specific accounts that will cause merge/takeover issues before the feature is
enabled. You get locked into a 60-day countdown before your organization can
fully control an account, and you don’t know the scope of which users are
affected unless they proactively contact IT to ask about a message from Apple.
Don’t get me started on the workaround/remediation for Developer IDs that use
your organization’s domain!”

Kale Kingdon wrote: “I feel Apple’s enterprise solutions have not drastically
improved from where they were last year, and while certain portions like
enrollment framework are rock solid, other systems like Managed Apple ID
Creation and Apple School Manager SFTP Uploads remain completely unchanged from
their initial, poor implementation.”

Robert Hammen wrote: “The good: we got some long-needed Mac functionality that’s
been available on iOS for years: Erase All Content and Settings, provisional DEP
enrollment of modern Macs. Also, update enforcement for macOS (which iOS does
NOT have). Also, after much complaining, Apple seemingly learned not to take
ABM/ASM down for maintenance/upgrades in the middle of the day during weekdays.
The bad: the MDM update enforcement is still super buggy. All deferrals at once,
or users get prompts/countdowns, but macOS doesn’t update. I really wish Apple
would put some more focus on making sure their features actually worked before
shipping an OS. Also, softwareupdated hanging (a problem that existed in Big Sur
and Monterey up to and possibly including 12.2) caused all manner of issues for
Mac admins, particularly those with Jamf whose recons would randomly hang
forever (or until a Mac was rebooted). BridgeOS bricking in 11.6/12.0.1 updates
for Intel Macs was also a problem that took way too long to recognize/act upon.”

Mike Stirrup wrote: “Mixed bag of bad and good ideas (Configurator 2 on iPhone
for device enrollment) and devices not appearing in ABM when they should when
bought from Apple. It’s as if they know it won’t or can’t work every time, so
here is a backup plan.”

Sam Schmitt wrote: “Apple seems to think that ABM/ASM are done and haven’t added
many new features. Most of the ones seem to be about deploying custom internal
apps, which isn’t used by most organizations. Meanwhile, support for other
Identity providers for Managed Apple IDs has been requested for more than two
years now and still nothing, which makes it a non-starter for many
organizations.”

Keion Dorsey wrote: “There have been drastic changes in the APIs and build. This
has allowed for more interaction. I would love to see a deeper enhancement with
devices and information. Make it easier to update devices in the enterprise,
such as lab settings. Let declarative management show update percentage and
progress. More direct integration with cloud vendors.”

Graham Pugh wrote: “Some processes have improved, but it remains far too
difficult to keep Mac computers up-to-date.”

Adrian Stancescu wrote: “My biggest gripe is that Apple silicon Macs have lost
the ability to restore the OS over the internet. It might not seem like a big
deal, but it affects the workflow in certain startup/SMB type of businesses.”

Stephen Robles wrote: “Apple Business Manager has been a solid experience this
year, and improved with additional tools like Apple Business Essentials. At
times, making purchases through the Business portal store can be cumbersome, but
it gets the job done for purchasing new equipment. Certificate renewals for Jamf
and the API integration have been great, and new devices purchased through the
Business Store always automatically enroll to Jamf reliably.”

Mike Caplinger wrote: “They pay just enough attention for it all to keep
working, mostly.”

Jason Broccardo wrote: “The overall scope and design of the various programs are
fine. It’s the details of the implementation that can break in odd and
frustrating ways.”

Brian LaShomb wrote: “Managed Apple IDs are still limited to Azure, which
excludes many organizations from using it. VPP is still a mixed bag for macOS,
with zero insight for the user on whether their app is, will be, or was
delivered. Any issue in this process requires an escalation to IT teams due to
the lack of visibility for the user.”

Kevin M. White wrote: “Managed Apple ID is a great idea that is significantly
limited by only allowing for Azure AD as a federated authentication source. The
fact that Apple still hasn’t integrated with any other identity provider
demonstrates a serious lack of effort on Apple’s part. Once again enforcing the
impression that Apple doesn’t care about enterprise needs.”

Allister Banks wrote: “The potential of Apple Business Essentials and
‘declarative management’ affecting MDM is promising, but that’s all they are at
this point—promises. The programs themselves are not improved and desperately
need it. No API to directly interact with the enrollment service (outside of
what vendors are allowed to do from a configured and registered MDM) is
laughable.”

Bart Reardon wrote: “There has been a clear push from Apple towards improving
enterprise services and relations overall, and I’d like to see this trend
continue.”

Jeremy Mentzell wrote: “Apple Business Manager continues to be a solid
management tool, but the larger “getting started” measures can be confusing.
Apple offering the Business Essentials product helps, but its limited
availability to only small businesses leaving out government, enterprise, and
education markets, seems odd. The larger disconnect between ABM, MDM, the
accounts, and various support subscriptions can still leave a sour taste.”

Jing Yao wrote: “Apple has made some nice quality-of-life changes like the
ability to manually add Macs to ABM, and the fruits of the Apple silicon labor
have reaped niceties like ‘Erase All Content and Settings’ for Mac in Monterey.”

Tomas Gal wrote: “Outside of the US and other very big regions, the program is
not fully-fledged—even in EU countries when there is an Apple presence in a
neighboring EU country, and there is no language barrier.”

Joel Anderson wrote: “Honestly, there haven’t been many changes to services in
the last year, which I think is a failure for a company the size of Apple, and
most of the changes made before that were negative—for example, new security
features were put in place with no way for organizations to easily manage them.”

Sam Rigby wrote: “ASM/ABM feels like a decent looking front end for a single Mac
Mini from 2013 on the back end. Managed Apple IDs are a pain to manage, with
limited integrations with Google Workspace (what much of the K-12 world uses for
directory and email). There’s a bit of clunkiness associated with approaching
MDM solely as an API provider and not building their own MDM. It’s also leaving
beloved services money on the table, but I digress. On the other hand, the MDM
APIs have gotten much, much better than they were, and we’ve had much more
success managing devices over the last few years than in the previous ten or
so.”


ENTERPRISE SERVICE AND SUPPORT

Grade: B- (average score: 3.4, last year: 3.2)

Panelists who work in education viewed this category much more favorably (3.8
average) than those who work in business (3.2 average).

Mischa van der Bent wrote: “I’m satisfied when working with enterprise services
and support! I have the feeling that Apple is changing in a positive way.”

Robert Hammen wrote: “Apple’s documentation is a bit all over the place and
lacking in useful detail/examples. Also, it can’t seem to post a changelog to
the “Use Apple Products on enterprise Networks” knowledge base entry, forcing
admins to make PDFs and diff the list of hosts to see what changed.”

Mike Stirrup wrote: “Limitation on device quantities (minimum of 800 active
devices) in ABM means we don’t qualify for the GSX to Jamf integration. Removing
this arbitrary figure would help with both support and device refreshes.”

Graham Pugh wrote: “Documentation has slowly improved, but rumors and insider
information are sadly often more insightful than official documentation.”

Jeremy Mentzell wrote: “Appleseed seems to be underutilized; massive potential
for sharing test cases and communicating feedback in a private community, but I
still never see much there or a drive to be there. Feedback mechanisms still
seem like there should be differences from Public/Private/AppleSeed beta testers
as well as independent vs. private Apple developers—everything externally
appears lumped together. Apple Configurator’s public release on iOS/iPadOS was
welcomed and helpful for bringing Macs into ABM, but why not iOS/iPadOS
devices?”

Fridolin Koch wrote: “Documentation has gotten better, AppleSeed too.”

Cameron Kay wrote: “They are slow to address the feedback and bug reports
submitted.”

Kevin Williams wrote: “Despite COVID, they have increased the number and types
of virtual events for school IT management. While many are rehashes of the
public events, they also have stepped up the number of tech-type events to help
schools better manage and deploy devices en masse.”

John Welch wrote: “If your needs happen to align with Apple’s almost perfectly,
then it’s amazing. But there are a lot of critical holes, especially regarding
macOS. Automation is particularly bad in that there is no one coherent
automation framework a la Windows and .NET/PowerShell, but rather a mélange of
things that communicate in the clumsiest of ways, leading to AppleScripts
calling shell scripts, shell scripts calling AppleScripts, having to bundle
entire scripting implementations in an application to call a python script, one
automation framework that only works in a user context, other automation
frameworks that clearly only exist as a way to run iOS shortcuts and which would
not be that useful for many enterprise needs. That’s not to say the iOS
integration and support is bad—but Apple clearly views user-created automation
as a toy best left to children. In comparison to what MS has done with
PowerShell at all levels of their platform, Apple fundamentally has no clue
about supporting user-created automation that doesn’t begin and end with Xcode
and Swift. Apple’s documentation for any of their automation efforts is at best
described as ‘bad,’ and the only reason the automation documentation is not
the worst part is that Apple’s support in their own products for automation is
so relentlessly abysmal. Apple has the resources to fix this—they currently
don’t care to.”

Marcus Rowell wrote: “The Appleseed beta program and documentation of enterprise
technologies are significantly improving. Feedback often feels like a black box
where you can only assume someone has read your feedback and very rarely receive
any indication that someone is acting on it. It does feel that with a
coordinated response from the community, Apple is listening now.”

Brad Chapman wrote: “Apple has gotten better at documenting changes in macOS
through AS4IT. Feedback Assistant is still a giant black hole. I have had many
FBs still open for over a year with no response. Only got traction on an issue
by filing an AppleCare for enterprise case plus a Feedback ticket and linking
both together by sending the FB number to ACE.”

Todd Ness wrote: “I feel like Apple has gotten better about the seed program
making full installers available more often. However, there are still releases
that are just dropped on us with no warning, which can make things difficult.
Also, notifications about releases are way behind the actual update showing up
in the catalog most of the time.”

Luke Charters wrote: “The Apple Platform Deployment and Apple Platform Security
documentation is a breath of fresh air coming from hunting through PDFs and
having to ask the enterprise support team for basic information. AppleSeed for
IT is great.”

Niko Torres wrote: “While this has been steadily improving, and the support
representatives are great when needed, there is still a lack of documentation
which leads to issues in self-resolution and Apple Support being able to
assist.”

Kale Kingdon wrote: “While overall Apple’s beta programs, documentation, and
Feedback Assistant are great, enabling solid feedback and testing workflows and
should be applauded in industry, Apple’s support process for organizations not
large enough to purchase their enterprise tiers is non-existent and downright
maddening. Core OS-level bugs can be raised with all diagnostic logs provided,
showing it’s a core OS issue, and Apple consultants will not even record the
issue without an enterprise support agreement being in place. While Feedback
Assistant is meant to be another avenue for reporting bugs, zero transparency is
provided, and with ongoing issues still prevalent after multiple point releases,
I can only assume this internal policy is ensuring issues are not reaching their
relevant departments.”

Stephen Robles wrote: “While I don’t have much experience on the developer side,
I often contact my local Apple Business rep at the nearest Apple Store. He is
always helpful and compiles quotes for new equipment quickly and accurately. He
makes purchasing new equipment a breeze.”

Adrian Stancescu wrote: “This needs to improve a lot. Too much secrecy in regard
to the future of macOS.”

Brian LaShomb wrote: “Apple does not allow video recordings of their conference
sessions, which often means that if you missed something, you need to do some
work to discover what you missed. I hope this changes.”

Kevin M. White wrote: “Apple’s enterprise-grade documentation improves each
year. For example, this year, Apple consolidated the previously separate macOS
and iOS deployment guides into the single Apple Platform Deployment guide. On
the other hand, does Apple even have an enterprise training program?”

Anthony Reimer wrote: “Apple clearly spent a lot of time on documentation this
year, particularly Apple Platform Deployment. This is much appreciated.”

James Smith wrote: “Feedback assistant is still not where it needs to be, and I
rarely get responses to issues raised there. I’m left to raising tickets through
the AppleCare for enterprise program if I actually want traction on an issue.”

Joel Anderson wrote: “If you pay for professional support, it is quite good. Any
education organization can join the beta program at the organizational level.”

Allister Banks wrote: “Ye olde ‘please attach sysdiagnose’ for things not
tangentially related to what sysdiagnose assists with, the ‘I’d like to close
this because I misinterpreted your problem’ nags that turn into a way to close
due to inaction, the flurry of mails right as Apple and the US will go on
holiday in hopes to close the feedback/radar due to inaction, all maintenance of
the broken status quo. Being able to share this crappy experience with my team
doesn’t improve the lack of positive results.”

Joel Housman wrote: “Only had to make use of them twice, but felt like we were
receiving top-tier, white-glove experience. Overnighted replacement units to us,
etc. No hassle in dealing with them to resolve issues.”

Rick Heil wrote: “The management of Appleseed Beta continues to be a stellar way
that Apple communicates with enterprise IT folks, and I am seriously
appreciative of it. However, Apple continues to struggle with basic
documentation practices that other vendors (Microsoft) excel at—including
changelogs for documentation, working examples for code and function docs, and
discussing roadmaps for deprecations.”

Jason Broccardo wrote: “Likely similar to answers from last year, Feedback
Assistant can be a bit of a disappointment. Submitted tickets can go without any
fruitful response or just slowly fade out. Apple can’t address all issues at
once, but better communication could help.”

Stephen Short wrote: “Apple has done a decent job at updating the AppleSeed
portal with release notes that cater to IT admins. The ‘What’s New’ PDFs that
arrive following WWDC are very helpful when planning for new macOS/iOS releases,
especially before you start installing a beta OS. Feedback Assistant is helpful
for reporting bugs on beta releases for organizations that are not paying for an
enterprise Support agreement, but it would be nice if there was a baseline free
(or lower cost) tier for IT to raise software issues with Apple post-beta
cycle.”

Armin Briegel wrote: “Feedback Assistant continues to feel like a black hole
which feeds on sysdiagnose logs. But AppleSeed for IT has brought some
improvements: most macOS Monterey beta releases now have a full installer and
IPSW download available, which enables testing beta deployment and update
workflows. The new guides for admins are frequently updated, which is wonderful.
However, there are still many woefully un- or under-documented topics for Apple
admins, such as installer package creation, custom configuration profiles, and
how management automation can best work with the privacy controls (TCC). Much of
this documentation is still reverse-engineered and provided by community
members.”

Tom Bridge wrote: “Apple’s Documentation teams continue to do incredible work,
and their efforts make up much of this score. The new unified Platform
Deployment Guide is a masterwork and required reading for all Apple admins.
Their new training for Apple Device Management is an excellent place to start
for new admins. In addition, AppleSeed betas represent a good program that needs
work. The beta notes are frequently very light on details of what’s happening
behind the scenes, and while major moves are telegraphed, sometimes minor
changes are not given their full attention in the documentation. In addition, a
few updates have shipped without any kind of testing.”

Sam Rigby wrote: “Enterprise training and support is lacking. I’m in Maine,
which had a robust 1:1 program even before the pandemic, and Apple pulled their
team from the state in 2018 or so. A conservative but well-informed estimate
(based on what I’ve purchased and what my friends have purchased) on the number
of Macs and iPads sold to Maine K-12 schools in the last two years would be 40k
(and could easily be as high as 70k), but we have a single sales engineer as a
point of contact. He’s very good, but he’s one guy, and so people don’t bother
asking him. Beyond the one guy, there are quarterly calls about the latest and
greatest, but little more than that. Our state’s school technology and tech
director listservs are much more accessible and, frankly, useful than proper
channels. On a positive note, Apple quietly announced a new AppleCare+ for Macs
that is only for schools that allows for two accidental screen breaks per year
per device, and is roughly the same cost as the old version of AppleCare for
schools. As someone putting a bunch of Macs in the hands of 12-18-year-olds,
that’s truly a wild warranty. I almost don’t want to say anything about it out
of fear that it might go away.”

Bart Reardon wrote: “As always, the more documentation we have access to, the
better. AppleSeed, Apple Business Manager, and AppleCare for enterprise could
all do with more integration—a unified portal perhaps by which all these
services could be accessed and interact with each other. It would also be useful
to have an API to these services that could be used for inventory gathering, and
programmatic modification of assets would be very useful (thinking MDM
re-assignment, de-allocation, or even device release). A number of these
processes still require someone to log in to a portal and do a thing and can’t
be automated.”


HARDWARE RELIABILITY AND INNOVATION

Grade: A (average score: 4.4, last year: 4.2)

John Welch wrote: “The M* chip and architecture rollout makes me deeply regret
my old 17-inch laptop couldn’t have waited a year or so to die that I might have
been able to replace it with an M1 Mac. The hardware convergence we see between
the various platforms has been a long time coming, and I think it will serve
Apple well.”

Kevin Williams wrote: “The jury is still out, as we were bitten by the previous
version of MacBook/Air issues—keyboards and screen issues. We are replacing
those with M1 Airs as fast as we can, and while we had a few early-adopter
issues (Wi-Fi dropping randomly on early Airs, for example), the new devices
look like they are going to stand up to the rigors of teacher life better than
the last generation of Macs did.”

Bart Reardon wrote: “Taken in isolation, there are obviously things that one
could complain about. But when held against other hardware vendors in the same
space, there’s almost no comparison. The 14″ and 16″ MacBook Pros took the crown
from the 2012-2015 MacBook Pros as the best hardware form and function. (RIP
Touch Bar and butterfly keyboard!) Still too early to get a good metric on the
instance of warranty claims versus non-Apple devices in our environment for the
new hardware.”

Joel Anderson wrote: “The M1 iMac is a great piece of hardware. I just wish it
was better priced.”

Mike Stirrup wrote: “Great hardware let down by poor Bluetooth and USB-C
connections that disable themselves for no apparent reason, then come back to
life after a reboot.”

Luke Charters wrote: “Apple silicon has been great! We just need the Air and 13
Pro to support more than one external display. The base iPad is feeling a bit
stagnant at this point.”

Mike Caplinger wrote: “MacBook Pros continue to last longer than most PC
laptops.”

Marcus Rowell wrote: “Apple silicon is simply spectacular. Apple’s mastery of
the supply chain has seen good availability of devices when most other vendors
are really struggling to ship in a timely manner.”

Joel Housman wrote: “Out of 35 M1 Air/Pro machines we bought during 2021, I did
have two that had hardware failures, which is a higher rate than I would have
liked to see—but again, with the above comment, support made it easy to deal
with.”

Armin Briegel wrote: “The new MacBooks Pro with the M1 Pro and Max chips
fulfilled and exceeded expectations. Apple is on track to finish the transition
in the promised two-year time frame. The expectations set for the remaining Mac
product lines are high – it will be interesting to see how Apple meets them.
iPads Pro using the same chip as Macs demonstrates that Apple expects these
devices can be used for the same tasks. Swift Playgrounds now brings the
capability to build apps on the iPad, but overall, it seems that the amazing
hardware is still limited by the software.”

Mischa van der Bent wrote: “My comment will be that comparing the cost of the
devices, the innovation is behind. Some products are overpriced and give me the
feeling that we pay for the Apple logo instead of innovation.”

Tom Bridge wrote: “The 2021 MacBook Pro 14″ and 16″ computers are spectacular
machines—I only wish I could get them more rapidly. The 24″ iMac with M1 is also
an excellent desktop. Apple’s iOS and iPadOS hardware also come in a solid
distribution of price points and device functions. While accessories remain too
expensive for their value, Apple is delivering solid core hardware for the
enterprise.”

James Smith wrote: “The new M1 Pro and Max MacBook Pros are absolutely amazing
devices, and Apple has knocked it out of the park with them.”

Adrian Stancescu wrote: “The new Macs are a game-changer. There is simply no
comparison to the Intel counterparts.”

Robert Hammen wrote: “The new Macs are pretty great. Been disappointed at the
number of issues we’ve experienced with 16″ Intel MBPs failing, though. Unsure
if users are powering off mid-upgrade, but we’ve had a plethora of ‘suddenly
dead, can’t revive’ Macs.”

Jing Yao wrote: “Getting rid of butterfly keyboards was a big plus for
purchasing. Apple silicon Macs also allowed us to get way more power for less
money in a pandemic-constrained fiscal.”

Anthony Reimer wrote: “We replaced about a third of our lab computers with M1
Mac minis, and they have seamlessly integrated into our labs. Apple is really
knocking this platform transition out of the park.”

Kale Kingdon wrote: “In comparison to previous years, I have had no major or
minor concerns when it comes to reliability of all hardware platforms.
Innovation-wise, I give high marks due to the ongoing strength of Rosetta 2 and
how it has been a non-issue during Mac deployment. Thinking back to the PowerPC
era, this would have been unthinkable.”

Brad Chapman wrote: “The 2021 MBPs are awesome. I bought one, and it’s a great
machine. So glad Apple made them thicker and brought the extra ports back. The
M1 Pro is a real screamer of a CPU. I don’t feel like I’m missing out on not
having an M1 Max.”

Jason Broccardo wrote: “The build quality and performance of the Apple silicon
MacBook Pros are wonderful, leaps and bounds over anything that’s shipped the
past five years with a Touch Bar. But it’s taking time to assemble enough stock
to start our rollout—thanks, supply chain issues.”

Craig Cohen wrote: “The new MacBook Pros are the best portables in years. Leap
Years.”

Sam Rigby wrote: “We’ve seen a weird defect of glass breaking near the hinges
below the panel of 2020 MacBook Airs, but it’s been at a relatively low
manageable rate, and it looks like there will be some sort of limited warranty
to cover it at some point soon. Other than that, everything has been rock-solid.
Apple silicon transition was a significant jump.”

Ben Burton wrote: “The M1 Pro devices have been a complete revelation for us.”

Tomas Gal wrote: “After some hardware changes, reliability is better than
non-Apple products that we use too.”

Kevin M. White wrote: “We are finally at a point where I literally can’t imagine
a better general-purpose enterprise computer than an Apple silicon MacBook Pro.
Most computers sold to enterprises are mid-to-high spec portables, and the
MacBook Pro is perfect for this.”

Allister Banks wrote: “Everyone can sing Apple’s praises for the M1-wonders
(minus the notch). The only functional misstep we’ve seen in limited testing of
the new iMacs is broken wired network connectivity during DEP bootstrap, but
it’s not worth our time to chase down with Apple. No news is good news—IT people
not complaining because end users aren’t complaining means steady as she goes.”

Viktor Glemme wrote: “The new hardware from Apple this last year has been
amazing. The biggest hurdle and something that is still hurting: It’s impossible
to get access to the hardware. Shipping delays of four months for M1 Max
computers are hurting our and clients’ experiences with the new hardware.”

Paul Chernoff wrote: “The new Macs have been great, and our staff is very happy
with them. We have been experiencing problems in the past year with Apple’s
fusion drives, but those iMacs are 3+ years old.”

Cameron Kay wrote: “2021 hardware is even better than the first batch on Apple
silicon Macs, but they need to complete the transition for all models and
support more than one external display on entry-level models.”

Stephen Robles wrote: “Many of the devices I manage remotely are iPads, which
remain solid in all areas. Changes made, either in Jamf or Apple Business
Essentials, are consistent and reliable. The latest hardware releases in the
iPad and MacBook Pro category are also easy purchase decisions when new devices
are needed.”

Niko Torres wrote: “Solid device releases. Happy with the new Airs and Pros
alike. Mobile devices have been great as well.”

Stephen Short wrote: “It’s been a great year for Apple hardware. My organization
is very happy with the new Apple silicon chips in the 14 and 16-inch MacBook
Pros. Our users are clamoring for the new models, and the additional ports and
keyboard improvements are welcome.”

Graham Pugh wrote: “The reliability of Apple silicon devices is remarkable. But
Apple is shipping the devices with months-old versions of macOS which can have
problems updating.”

Rick Heil wrote: “Our repair rate has gone significantly up over the last three
years. While it remains lower than the PC repair rate, it is concerning that the
overall quality of the Mac hardware is so much more questionable. I’m not enough
of an expert to know if this is a byproduct of extra complexity or something
else. Apple silicon is a neat invention and has performance gains but hasn’t
been the smoothest transition for us from a management perspective.”


SOFTWARE RELIABILITY AND INNOVATION

Grade: B- (average score: 3.4, last year: 2.9)

Business panelists scored this category slightly higher (3.4) than education
panelists (3.2).

Mischa van der Bent wrote: “Love the fact that the OS foundation is more in
line. This will make the innovation better between iOS/iPadOS and macOS. Think
of the possibilities of what we can do with the BYOD method of account-driven
user enrollment on iOS/iPadOS if it also comes to macOS. This will bring back
personal-owned workflows.”

Mike Stirrup wrote: “Big Sur from Monterey was an easy step. Going to Monterey
from an older version has shown issues with secure tokens and the device
requiring a firmware password to complete the update. Not ideal with a workforce
that continues to be mostly remote.”

Sam Schmitt wrote: “A lot of the more enterprisey apps in macOS also happen to
be the most neglected, which can lead to problems that end up with Radars being
filed into the void.”

Cameron Kay wrote: “It’s still buggy and rushed. They aren’t taking care and
attention, and they are slow at fixing bugs or design shortfalls, especially
when it comes to management capabilities.”

Bart Reardon wrote: “I’ve been happy with the recent releases of macOS and iOS.
But to be enterprise-friendly, they need to be more open with OS feature
roadmaps. It doesn’t cut it to say, ‘python will be removed one day’ and then
remove it mid-cycle with not much more warning than a single beta update, and
then claim ‘we did say we were going to remove it,’ a response that I think
belittles the role that an admin needs to play. What’s the issue with giving a
definite timeframe that a feature is being removed? This type of attitude is on
top of the things Apple doesn’t get about how the enterprise operates. I need to
work off more than assumptions and vague guesses. If they know a feature is
being removed with a certain release, then what is the hesitancy in giving us
that info so we can plan well ahead? Stop it with the mystery and intrigue and
asking us to read between the lines. Straight facts, please.”

Stephen Robles wrote: “One of the mission-critical use cases for Apple hardware
in my work is external display support. I have multiple Mac mini and iMac
devices connected to displays via USB-C to HDMI adapters, Blackmagic Thunderbolt
devices, and SDI video cards. I have been hesitant to update to the newest macOS
versions as they typically break compatibility with the software used to drive
displays (usually ProPresenter and ProVideoServer from Renewed Vision). Bugs are
typically resolved over time, but the niche use cases take a while. We also have
to wait for Blackmagic to update its software to support the latest operating
systems, which could take several months.”

Paul Chernoff wrote: “I’ve been quite happy with improvements made in Monterey.
The ability to erase a drive while retaining macOS is wonderful. We can
experiment with new configurations, erase, and quickly have a new configuration
set up without the bother of reinstalling macOS.”

Kevin M. White wrote: “macOS Monterey seems considerably more reliable than Big
Sur.”

Joel Housman wrote: “Since 12.1, things have been great. We had a rough period
with 12.0 and 12.0.1 in which the system wouldn’t recognize the admin password
set by the MDM. There was a bug with Apple’s profile/MDM system and Keychain. It
didn’t happen on most systems, just a few. It was a bear to fix.”

Robert Hammen wrote: “Bottom line: Apple’s software reliability sucks. Every
version, major or minor, of macOS is whack-a-mole. Fix these x bugs, introduce
these y bugs. Apple needs to do something to make their software much more
polished/reliable/tested.”

Brian LaShomb wrote: “Apple still does not support virtualization of macOS in
any meaningful way, which means to develop for iOS or macOS at scale, you must
set up Apple consumer hardware to support build operations. It would be nice to
have an Apple-supported OS that could run headless on common virtualization
infrastructure used inside many organizations without resorting to Mac Minis.
Apple also seems to be all but absent in the world of open-source software.”

Tom Bridge wrote: “macOS Monterey represents a solid step forward over Big Sur.
The OS has been substantially more stable, and each release has been a step
forward, not a step sideways or back.”

Tomas Gal wrote: “Not ideal when stability is preferred, but users demand new
features and want to upgrade immediately.”

Viktor Glemme wrote: “Managing software updates has been nothing but a bag of
hurt over the last 12 months. If it is major updates or just minor, it’s been
painful with stuck software update processes, no easy paths to upgrading with
clients ending up having to reboot their machines several times just to get
Software Update to work. Also, I had hopes that software updates would get
quicker over the years with a new OS being prepared on the side, so during the
next reboot there would be no wait. Comparing upgrading Windows to upgrading
macOS is tragic. A Windows 10 update is hardly noticeable during reboot whereas
a macOS update requires planning 45-75 minutes of downtime.”

Rick Heil wrote: “Monterey was a significant improvement for us over Big Sur,
which was troublesome and buggy from the start. Delayed features such as
Universal Control are also somewhat surprising for a company that is used to
delivering big once per year. Some false starts in the early release cycle are
expected, especially in these pandemic times, but the continued issues with
softwareupdate hangs hugely concern me. From a security point of view, this is
the biggest issue we’ve had in years, and Apple’s lack of attention to it has
been confusing at best.”

Todd Ness wrote: “I’ve seen a few problems here and there with released updates
and then a second update right behind it to fix, like the battery drain issue in
12.2 that 12.2.1 fixed. My iPhones have been pretty stable but again had some
pretty big drain issues on a recent release.”

John Welch wrote: “There is a disjunction between the OS platforms (which are
outstanding) and the applications (which are not). I deeply hope that iWork gets
spun off so that it might live up to its true potential. I would like to be able
to use Pages for text documents more than 60 pages long without it coughing up
its own liver and forcing me to use Word. Apple’s app teams deserve far more
resources than they get, and it would do them well to be in an environment where
they can thrive and actually engage with their customers.”

Kevin Williams wrote: “While I encourage OS improvements, sometimes the wild
swings in appearance or functionality are hard for my users to keep up with. They
become frustrated that the process they learned a few months ago is radically
changed between software revisions.”

Fridolin Koch wrote: “Reliability was up, but innovation was a bit lacking.”

Anthony Reimer wrote: “Big Sur was a buggy OS until near the end of its cycle.
Had we been able to jump from Catalina directly to Monterey, we would have. The
removal of Python 2.7 in macOS 12.3 was unexpected (most were projecting macOS
13 for removal); Apple should consider renumbering the mid-cycle update to x.5
to more clearly indicate that significant features could be added or deleted
then. On the plus side, Apple continues to update the pro apps (Logic Pro, Final
Cut Pro) for free, and they are best in class.”

Jing Yao wrote: “Monterey built on all the things Catalina and Big Sur broke, so
it felt like a glass of cold water after that hell.”

Craig Cohen wrote: “macOS 12 has been the most stable macOS since Snow Leopard.”

Brad Chapman wrote: “Monterey feels like a pretty good iterative refinement over
Big Sur. The transition period from on-screen warnings about Python 2.7
deprecation (macOS 12 betas) to total removal of /usr/bin/python and all
libraries in macOS 12.3 was far too short. Even 32-bit apps were generating
on-screen warnings for 18 months in High Sierra and Mojave. While it’s unclear
how many public apps use python, it has been in use by the Mac admin community
for years.”

Ben Burton wrote: “Other than some teething problems with things like PPPC, Big
Sur and Monterey have been mostly solid macOS releases.”

Luke Charters wrote: “I know for marketing and shareholders and keeping up with
competition Apple needs to release fancy new features every year, but at this
point, if executives got up at WWDC and said Apple was spending a year improving
performance and fixing bugs I would be over the moon.”

Mike Caplinger wrote: “Sometimes things just don’t work, which is frustrating.
We use Profile Manager via macOS Server and it works about 98% of the time.”

Kale Kingdon wrote: “There were minor bugs during the iOS 15 cycle that should
have been caught before launch, but it was by no means as bad as the iOS 13 and
14 launches. Apple changing to releasing developed features during point updates
is a good cultural change. Innovation is the primary detractor, as there are a
variety of core apps on both platforms that have not received any love during
their major releases and honestly feel like there is no custodian for them
internally, which is concerning. Similarly, it’s mind-boggling how some issues,
like the stability of network file shares and configuration of the Files app on
iOS, are still as half-baked as they were when originally released.”

Graham Pugh wrote: “Monterey has been reliable, except for several significant
problems with software updates.”

David Coom wrote: “Need more granular controls on update delays.”

Armin Briegel wrote: “Monterey was a welcome ‘tock’ update after a series of
consecutive ‘ticks’ with Mojave, Catalina, and Big Sur. In a change for the
better, Monterey had few major or upsetting changes and some improvements.
Universal Control looks exciting but was delayed until 12.3. However, Handoff,
Sidecar, AirPlay Receiver, and, presumably, Universal Control do not work with
Managed Apple IDs. Why Apple excludes school and business accounts from their
tentpole features is mystifying. Apple admins are used to major changes in the
spring update (usually the .3 or .4 release of macOS), but this year is
remarkable because Apple is removing the long-deprecated Python 2 and certain
file sync APIs. These changes have been communicated for some time and should
not come as a surprise. Yet, these removals are still troubling, as the spring
updates are not watched and tested as closely by third-party developers, and the
beta phase is much shorter, reducing the time for feedback.”

Allister Banks wrote: “Rosetta is conceptually dreamy, but Apple not allowing it
to stay installed during almost every patch upgrade on M1’s means it’s a
nightmare that sometimes silently remediates itself, but other times causes the
things that we transitionally need to rely on to fail. We had hundreds of
lockouts due to a FileVault2 enforcement tool relying on it. Just like python
being removed (Without a calendar date, how are software teams/decision-makers
supposed to plan and take the removal seriously?), it can take time, and no
amount of testing will cover all the corner cases at scale. On iOS/iPadOS/Macs,
the new Focus Modes are breaking notifications. It’s remarkable that Apple can
continue to make that situation inscrutable and worse in innovative ways. The
implementation of Erase All Content and Settings on Mac was great, though!”

Niko Torres wrote: “There’s room for improvement. Stability has been progressing
regularly. Apple no longer seems to rush gimmicky features while sacrificing
quality but also seems to never deliver on features as well. Overall, that’s
preferable as long as stability is intact.”


SECURITY AND PRIVACY

Grade: A- (average score: 4.1, last year: 4.1)

This was the second-highest score on the survey, maintaining its score from last
year.

Kevin Williams wrote: “While the insistence that managed Apple IDs for staff
have 2FA, it has been handled by our staff fairly well as we migrate or upgrade
them to new IDs.”

Armin Briegel wrote: “Apple continues to focus on Security and Privacy for
end-users. Sometimes Apple’s choices are at odds or at least not well aligned
with the requirements and practices of security in businesses. Apple has done
excellent work documenting the security features in their Platform Security
Guide, which has also received regular updates. After much community feedback,
Apple also added Recovery Lock to Macs with Apple silicon, which fills an
important requirement for organizations and was sorely lacking in early Big Sur.
On the other hand, there has been little improvement to provide built-in
management options for security features that are common in benchmarks such as
NIST or CIS.”

Graham Pugh wrote: “The key to security is an up-to-date OS, but the amount of
engineering required to attempt to get users to update their computers is
onerous, and updates remain far too big and slow to be installed. iOS is better
in terms of engineering, but updates are still quite large and slow to install,
often failing due to lack of space. This should never happen—OS installations
should use reserved space.”

Cameron Kay wrote: “Hardest bit about security on the Mac is getting end users
to patch their Macs. They just can’t be bothered. Apple needs to give us more
tools to ensure users patch.”

Kevin M. White wrote: “Even though Apple platforms are more popular than ever,
the number of significant security events (by this I mean security exploits that
result in wide-spread data leak/loss) remains low.”

Charles Edge wrote: “Apple continues to focus on and excel at privacy. Masking
addresses, reducing the telemetry vendors have into what we do and working out
just the right number of prompts to keep us secure without going insane from
click fatigue. When we did this survey last year, there were more security
issues to respond to; this year has been much better. There were sessions at
Defcon and Blackhat, but those were mostly about older issues with software
partners than exploits with Apple technology.”

John Welch wrote: “Apple’s record is not perfect, but ye gods, they are the only
desktop platform vendor even attempting to make it so that a non-technical user
can just use their systems without needing to become an amateur CISO. They’re
literally the only human spot in Infosec.”

Brian LaShomb wrote: “Apple does a good job with security, but there are still
very few options for adding organizational level trust. I would like to be able
to trust a source, like an enterprise domain or certificate chain for downloads.
Or allow essential communication tools to be trusted out of the box without user
intervention.”

Bart Reardon wrote: “I have gotten annoyed at times when functionality I once
relied upon is now locked away behind closed doors in the name of security or
privacy, but I understand and appreciate that the same functionality I once
relied upon as a management process is ripe for abuse elsewhere. There can be a
fine line between admin tool and malware.”

Anthony Reimer wrote: “Apple’s focus on security is top-notch. It would be nice
to be able to manage some of those controls more reasonably from an
administrator’s perspective. Nonetheless, Apple seems to be more responsive in
this regard lately.”

Joel Anderson wrote: “I like the added security features, but there also has to
be a way to manage them.”

Jeremy Mentzell wrote: “Despite Apple’s approach to bundling feature and
security updates into the same mechanism, I still hear gripes these should be
separate and faster with the threat landscape as it evolves. I don’t know the
right approach here.”

Allister Banks wrote: “Security goes hand in hand with people running updates,
and the situation was allowed to improve on iOS/iPadOS by providing patches for
previous versions, but repeatedly breaking MDM/supervised macOS devices from
applying updates is an obvious own-goal and one that continues with new wrinkles
to this day. Delta updates no longer being available exacerbates the corner we
get backed into with no release valve if Apple or its CDN screws up. Those
deltas weighing in at over 3GBs for remote workers make using Macs a punishment
and penalty for my coworkers if they slip on the treadmill that we need them to
keep pace on. Compelling and usable frameworks are the long game of platform
security, and Electron’s continued dominance, the slow uptake on file provider
system extensions, network system extensions breaking all connectivity during OS
upgrade, all these things hurt reliability that admins require and contradict
the obvious logic of getting patches out in a timely fashion and not holding
back upgrades. By forcing the move to system extensions, they traded kernel
panics with us getting kicked out of userland or, worse, silent failures where
security and connectivity are just broken. And getting vendors to even keep
pace, let alone adopt these frameworks, has reduced options available for many
shops, especially when we sacrifice sanity to the altar of compliance and
approved vendors.”

Kale Kingdon wrote: “Apple’s commitment to security and privacy is miles above
its competitors, and while small issues with implementation and MDM Frameworks
can mire the management experience, the security of the end-users is almost
never in question.”

Adrian Stancescu wrote: “Best in the industry.”

Brad Chapman wrote: “The pendulum is swinging too far toward absolute privacy
and starting to compromise the user experience for managed environments with
institutionally owned devices.”

Mischa van der Bent wrote: “Apple is getting to be more of a target in the
security world. And what Apple is doing to make the devices secure without
infecting the user experience is awesome. If you look at what Apple already
builds into the devices on a software and hardware level, it’s amazing. However,
for macOS, not all the security stack is controllable via a profile and still
requires a script. I hope Apple will change this soon.”

Mike Caplinger wrote: “Apple continues to do a good job here. We have had no
security incidents on any of our Macs this year.”

Stephen Robles wrote: “Always confident in security and privacy.”

Sam Rigby wrote: “There are some things that add extra clicks in our deployment
(not allowing standard users to grant access to certain things), but ultimately
it has been good.”

Luke Charters wrote: “Being strict on security is a place where they really
shine. The only point off here is because they need to start paying out properly
for bug bounties because a zero-day is going to come along and show them why
they needed to be doing it in the first place.”

Marcus Rowell wrote: “Dialog fatigue is a big problem with Security and Privacy.
Admins need more control to pre-approve dialogs. Inconsistency with privacy
‘features’ is also a problem. If a device is business-owned, I already have full
control of it, so I should be able to manage all privacy features without user
acceptance or intervention. In some scenarios, I want to be able to pre-approve
Screen Recording for specific apps to make the experience better for the users.”

Robert Hammen wrote: “I applaud Apple’s efforts to improve the security and
privacy of its platform. The way PPPC is implemented is quite convoluted and
painful to manage, particularly since things whitelisted by profile do not
appear in the GUI. Also, Apple not allowing admins to pre-allow screen recording
for conferencing-type apps (i.e., Teams, WebEx) on supervised,
institutionally-owned devices is still problematic. Having to have the users set
this up (and then leave and re-join the conference they’ve created) is a pretty
terrible user experience.”

Joel Housman wrote: “Security improvements in both Big Sur and Monterey give me
increased confidence and desire to switch all my staff to using Macs. To solve
my Windows ransomware worries, I just want to deprecate Windows.”


DEPLOYMENT

Grade: C+ (average score: 3.3, last year: 2.8)

Deployment scores improved quite a bit this year, though it was still the
second-lowest score in the survey. Education sites rated this slightly higher
(3.4) than business (3.2).

Paul Chernoff wrote: “In conjunction with an MDM, setup is much faster now than
in the past. I do not miss disk imaging since it took too much work to keep
images up to date. Apple needs to improve on allowing the order of installation
of profiles and apps and better ability to see what has been installed. Basing
management on UDP results in lower reliability.”

Marcus Rowell wrote: “Deployment is improving. Prompting users to install
upgrades with tiny notification dialogs that disappear if you tap them anywhere
but in the right place isn’t a working solution. iOS-sized dialogs on macOS need
to go.”

Brian LaShomb wrote: “This has gotten much better with the addition of Erase All
Content and Settings, which speeds up ‘resetting’ a device, should enrollment
attempts go sideways. Software Update is still fickle, though, and the number of
keys you need to configure to thread the needle for minor and major deferrals
seems like an arbitrarily complex path to take. Just allow us to use version
pinning.”

Graham Pugh wrote: “It remains possible to bypass Automated Device Enrollment
for a Mac that is enrolled into ASM/ABM—something that has not been a problem on
iOS for years. It’s past time for Apple to solve that. Software update
management is too difficult.”

Luke Charters wrote: “Sending out Software Update commands is improved but still
has a way to go. I feel like they say software updates are faster every year,
but it certainly doesn’t feel like it. It’s extremely hard to get users to
update when they take as long as they do. They need to fix app adoption on
managed devices.”

Kevin Williams wrote: “I think it is more down to better work with MDM partners
than anything directly customer-facing where the improvements have been
realized. Using our MDM designed specifically for schools, our deployment tasks
are significantly easier than even last year, and light-years better than over
the past eight years.”

John Welch wrote: “Is it perfect? Nothing is. Is it better than anything else
out there by far and improving all the time? Absolutely.”

Joel Housman wrote: “ABM and zero-touch enrollment have been a game-changer for
us. We have about 85 staff, and I’ve deployed 30+ M1 Macs since WWDC last year.
The system has been rock-solid in terms of reliability. The difficulties we ran
into during November and December with Monterey were unfortunate, but Apple did
resolve the issue with 12.1.”

Mike Stirrup wrote: “When a device gets up to Monterey, the Erase and reinstall
option is a fantastic time-saver for a technician, along with being able to DFU
and restore or update a device in 10-15 minutes. I still don’t trust the process
to work well enough to consider shipping a sealed machine to a new starter in
the business. A DEP-aware migration tool would be amazing.”

Anthony Reimer wrote: “Software Update has been very problematic in a shared
computer setting, where most updates happen with no user logged in. This is
particularly problematic when updating macOS on Apple silicon, which requires a
volume owner to authenticate. The MDM method to do macOS updates has been
unreliable and is not easily automated, so I have often resorted to installing
the entire OS instead. Even if I update via MDM or manually in the GUI, we are
still dealing with relatively large downloads and install times for security
patch updates compared to what we saw in Catalina and earlier. Monterey has made
improvements over Big Sur in all these areas, including Auto Advance, but
something that was easy in Catalina is still somewhat broken now.”

Jing Yao wrote: “There’s still a lot of work to be done to help enterprise with
built-in tools, so we don’t have to resort to scripting and packaging.”

Tom Bridge wrote: “Two major changes this year: Erase All Contents and Settings
for macOS and improvements to the Software Update MDM commands! The first is a
huge timesaver and has worked exactly as advertised. Everyone who worked on this
deserves a title bump, a raise, and a pony. The latter feature isn’t necessarily
working as hoped. There’s some good stuff going on here, but execution is highly
mixed. App Deployment via MDM is a rough go, and lifecycle management for that
software is just absent entirely. There’s hope, and things are getting better.”

Stephen Robles wrote: “Automated Device enrollment works very well, and
lifecycle management is excellent. We have a number of older iPads still in use
that we can still depend on.”

Ben Burton wrote: “Software updates, especially on M1 devices, are still
painful, and VPP remains weirdly unreliable.”

Steve Summers wrote: “I can have 10 laptops to deploy and on the 9th Mac, DEP
will fail for an unknown reason and the Mac will need to be erased and the OS
reloaded, then it will work and deploy correctly.”

Kale Kingdon wrote: “All facets of the deployment process have been satisfactory
with no glaring concerns, outside of the OS Update workflow which is still
plagued by inconsistency.”

Brad Chapman wrote: “The ability to add old Macs into ABM/ASM with the iPhone
and Apple Configurator is terrific. The new MDM controls for Big Sur 11.5 and
macOS 12.0 for software updates are a step in the right direction. However, a
couple of things happened this year that gave me pause. First, while the
software update improvements are good in theory, the actual experience for MDM
admins needs a lot of work. We still need to be able to delay the next major OS
release by 365 days. And the MDM commands don’t produce consistent responses
from devices. Second, there is a serious bug with the softwareupdate daemon
affecting Monterey, Big Sur and Catalina that causes the service to stall. End
users and the general public see ‘checking for updates’ forever in System
Preferences. For managed fleets, the inventory process never finishes… or the
MDM command to trigger software updates never finishes, and the service must be
killed, or the Mac must be rebooted. MDMs with agents, such as Jamf and Kandji,
never finish submitting inventory. We found Macs that have been stuck since
December 2021. By all anecdotal evidence, this has been going on for at least
six months. Many customers filed cases. Apple claims it is fixed in 12.3. No
promise yet for Big Sur or Catalina, where it really needs to work.”

Stephen Short wrote: “There’s still a lot of work to be done to reliably manage
software updates, which ostensibly help to address security vulnerabilities.
Deferred macOS update improvements are helpful in Monterey, but the API commands
are only marginally successful. My organization (and many others) must rely on
multiple tactics and procedures to ensure every Mac in their fleet is
successfully updated. This typically involves user communication or using device
trust products from other vendors to ensure a Mac complies with your
organization’s update policy. By far the best feature improvement in Monterey is
the ability to Erase All Content and Settings either from System Preferences or
using an API command. This can drastically reduce troubleshooting times with
users and allows Macs to be returned to service and re-issued without a
time-consuming erase and reinstall of macOS.”

Jeremy Mentzell wrote: “ADE is great. Update cadence and beta programs allow
those with availability and concern to evaluate as aggressively as they wish.
MDMs continue to be able to force or delay updates, and Apple continues to give
hardware long life with software updates. It will be interesting to see the
contrast between Intel Macs and Apple silicon Macs as time progresses.”

Adrian Stancescu wrote: “Pretty good, but please get rid of macOS Server once
and for all and find a proper replacement to Profile Manager. It’s shameful at
this point in time to still ship it.”

Cameron Kay wrote: “It’s still too easy for a user to bypass MDM enrollment and
have an unmanned Mac. Apple needs to make it impossible for a Mac to bypass
automated device enrollment.”

Robert Hammen wrote: “Will give them props for Erase All Content and Settings
and provisional Mac enrollment. VPP app deployment on macOS is still a complete
dumpster fire and the complete opposite experience of app deployment on iOS,
where it just works.”

Armin Briegel wrote: “With Erase All Content and Settings, Monterey has provided
a feature that Mac Admins have wanted for a long time. Apple also added the
necessary configuration profile and MDM commands to manage this feature. On the
flip side, while the softwareupdate process is now somewhat more reliable, the
management options are still deficient to the point that community solutions,
such as Erik Gomez’s wonderful Nudge, are being deployed in scale. In an attempt
to improve the management and security of Apple Remote Desktop and Screen
Sharing access, Apple rendered it un-usable at scale.”

Todd Ness wrote: “Love the new Erase All Content and Settings option for
resetting a computer. ADE seems to work pretty well from the initial boot, but
to make a running computer get into ADE after it has been set up has become
nearly impossible. ipsw deployment is also a nice addition from the Intel
hardware.”

Mike Caplinger wrote: “I miss NetBoot and NetInstall. We’re slowly adapting to
the ‘new way’ of doing things. We have a lot more capability now, but I’m old
school and miss the simplicity of just NetInstalling a new image every month.”

Sam Rigby wrote: “We tried automated device enrollment, but with kids as our
primary users, it just didn’t make sense. OS upgrades and software updates are a
bit of a mess, to be honest. We try to push updates, but if there’s a smarter
way to do it without pissing people off, we haven’t figured it out. This is
mainly due to the problems with doing any updates over the air. And with the
timing of the release cycle, we often stay behind until the summer and then
deploy using the previous year’s highest point release. (We’ll update everything
to Monterey this summer.) App deployment is rock solid, no complaints.”

Viktor Glemme wrote: “The fact that it is so unreliable is strange. It’s like
Apple doesn’t listen to any of their larger clients. If you have a 20-25%
failure rate of upgrades in a small organization, it is survivable. But when
that number suddenly encompasses several thousand devices that need handholding
to do the basic tasks, it is a struggle.”

Keion Dorsey wrote: “Software updates and OS updates and deployment could be
better.”

Jason Broccardo wrote: “Apple’s years-long struggle with properly automating and
administering software updates at scale continues unabated.”

Bart Reardon wrote: “macOS updates and upgrades probably need the most work.
When managing hundreds if not thousands of devices, and there is a requirement
to deploy a specific update, the commands to deploy, prompt, and install that
update need to be consistent and reliable for an enterprise environment. There
needs to be a clear understanding that updates need to be enforceable with a
specified schedule if the environment requirements demand it. Currently, there’s
too much wiggle room and too many gray areas. On macOS, VPP is borderline
useless. It’s less of a command to install an app and more of a suggestion to
the OS to maybe install an app if it can get around to it. It’s not consistently
reliable. That said, the features and reliability of device deployment and
lifecycle is well ahead of the capabilities on other OSes, which are still
playing catch up.”

Kevin M. White wrote: “While I appreciate the announcement that Apple is working
on declarative management (aka MDM 2.0), this still doesn’t solve the problems
we have today. It’s frustrating to see how hard Apple works to include robust
built-in security features but then provides extremely poor methods for managing
these features. Examples include a relatively robust software update mechanism
that suffers from limited management controls, a powerful system-level privacy
and security model that is somehow simultaneously too complex and not feature
complete, and an incredibly fast and secure web browser with near-zero
management features. Again, the impression here is that Apple creates features
that benefit the consumer without consideration for the enterprise.”

Rick Heil wrote: “No real changes have been made other than conditional DEP and
Erase All Content and Settings in my view. But Erase All Content and Settings is
worth a higher score alone. We’ve been asking for it for years, and it is
everything I dreamed about. While it is disappointing Apple decided to gate both
Erase All Content and Settings and conditional DEP for newer hardware, I’m
thrilled to have both nonetheless.”


MACOS IDENTITY MANAGEMENT

Grade: C- (average score: 2.9, last year: 3.3)

This was the lowest-scoring category in the survey and the biggest drop from
last year’s survey. Opinions on this category were dramatically different based
on the size of the organization, with those who support between 500 and 1000
being far more negative and those supporting less than 100 devices being far
more positive.

Fridolin Koch wrote: “Apple should be more proactive and work with Identity
Providers to make more Login Window replacements possible.”

Marcus Rowell wrote: “Apple’s identity story is not coherent. Everyone has a
personal Apple ID, yet there is confusion around the enterprise identity.
Managed Apple IDs are limited in scope and limited to Azure AD. Microsoft and
Google have a cloud OS where your identity, data, and applications live
primarily in the Cloud. Apple is many years behind and probably can’t catch up
at this stage, so they need to allow a user to sign into their Mac with either
their Microsoft or Google Identity.”

Viktor Glemme wrote: “I still rely on Jamf Connect for proper identity
management.”

Armin Briegel wrote: “There has been very little progress with regards to
identity management since last year. Third-party SSO extensions remain in
‘preview’ or ‘beta’ limbo or entirely non-existent. It is hard to judge if this
is Apple’s or the third-party developers’ fault. Apple is not pushing their
cloud solutions forward for organizations either, though managed iCloud storage
extension in Apple Business Manager shows some promise.”

Brian LaShomb wrote: “We still utilize Enterprise Connect as there are still
outstanding issues within the Kerberos Extension. I would like to see
first-party FIDO support for user authentication.”

Todd Ness wrote: “The SSO agent has way more problems than Enterprise Connect
ever had. If a user’s password expires, it is not pretty to get the SSO agent
working, and the password has to be changed externally instead of with the SSO
agent.”

Graham Pugh wrote: “My organization does not yet employ SSO, but I do find it a
shame that Microsoft has a monopoly on SSO integration with Apple. I’m surprised
Apple hasn’t been sued over this.”

Ben Burton wrote: “Are Apple even still doing any work on any of this? I haven’t
seen any improvement.”

Jeremy Mentzell wrote: “Growth and integration with Identity Management
Solutions continue positively. MAIDs offer businesses that support them good
flexibility. But Apple’s Managed/Business iCloud lacks FEDRAMP certification and
will hold people back.”

Robert Hammen wrote: “Strong demand for SCIM integration with services other
than Azure. Some folks are unhappy that the SSO extension lost functionality,
coming from Enterprise Connect.”

Stephen Short wrote: “Mac admins have been treading water for years regarding
enterprise identity management, and it’s still abysmal. Apple needs to take
ownership of federated identity and make it easy for IdP vendors like Okta,
Azure, and Google to easily integrate their directory offerings into the
standard authentication/setup experience in Setup Assistant. For all the money
and resources Apple has at its disposal, it’s a dereliction of duty for them to
outsource a key component of the enterprise user experience to third party
vendors.”

Bart Reardon wrote: “I deployed the Kerberos Single Sign-On extension after WWDC
2019 and macOS 10.15, replacing Active Directory binding, and it has only gotten
better over time.”

Kevin Williams wrote: “Again, I think it’s working with the MDM partners where
this becomes apparent to us. Using Mosyle extensions, our staff log in using
their Google account to their Mac, making it a one-stop account for everything
they need to remember.”

James Smith wrote: “Utilizing the Extensible Enterprise Single Sign-on framework
with Azure identities works wonders for those who work in a Microsoft-centric
environment.”

Adrian Stancescu wrote: “Why are there still mobile accounts in macOS? The
writing has been on the wall for a long time, and since macOS Server is all but
dead, why are mobile accounts still shipping?”

Craig Cohen wrote: “Too much reliability on third-party and not enough built
support for IDP in the cloud.”

Kevin M. White wrote: “Apple’s current offerings for identity management
integration aren’t even half-measures. User-initiated enrollment is a neat
feature that very few enterprise organizations will ever trust. (Apple doesn’t
understand that BYOD will never be a solution for most enterprises. You can’t
dictate what an employee brings to work, so how many of them are going to have
Apple devices on the latest software versions? Further, the value of keeping
corporate information as secure as possible vastly outweighs the burden of
purchasing in-house hardware.) Federation against Azure for managed Apple ID is
a good start, but Azure identity services is a small percentage of the overall
identity market. Finally, none of the current identity integrations matter until
Apple addresses one of the core things that makes macOS different from iOS: a
local user account. Apple needs to create a macOS identity framework that can
solve for the entirety of macOS user account services including FileVault, login
window, and Keychain.”

Sam Schmitt wrote: “I haven’t seen this catch on as much as I’d like it to.
Microsoft is doing a better job at incorporating cloud-native identity into its
platforms. This could be a great place for Apple to have differentiated
themselves.”

Brad Chapman wrote: “It doesn’t feel like Apple has made much improvement in
this area. The SSO / Kerberos extension has not achieved feature parity with
Enterprise Connect, particularly where branding and customization are concerned.
We’re seriously thinking about switching to NoMAD or Jamf Connect.”

Rick Heil wrote: “We do not use any of Apple’s federation or identity management
software because we don’t trust it to actually work.”

Tom Bridge wrote: “Adoption of the Kerberos SSO methodology by various
organizations has been really slow going. Apple does federate Apple IDs with
Azure Active Directory, and that’s good, but there are many, many more SSO
providers that are worthy of this privilege, and Apple should announce a program
to allow SSO Providers to participate in that process. In addition, it’s long
past time that the login window support signing in via single sign-on providers
natively, and create accounts based on that sign-on process, and keep the
passwords in sync via periodic reauthentications and token refresh.
Alternatively, an adaptation to a process like Windows Hello would be welcome.”

Joel Housman wrote: “We’ve adopted JumpCloud as our IAM. It’s been great, and
they’ve been rapidly iterating on their feature set during 2021. My assumption
is JumpCloud uses Apple’s IAM APIs to do what it does, and therefore I can say
we’ve been very happy with the implementation.”

John Welch wrote: “They could be doing better here, and I think a more direct
partnership with Microsoft on AD access and integration rather than almost
completely relying on third parties for the implementation of that would be a
massive help.”

Cameron Kay wrote: “Apple needs to provide Azure AD and other cloud IdPs built
into macOS so enterprise users can log in to their Macs via their enterprise
user IDs and have passwords and password policies synced.”


MDM PROTOCOL AND INFRASTRUCTURE

Grade: B- (average score: 3.5, last year: 3.2)

This category, up from last year, was especially lauded by education users
(3.8), not so much by business (3.2).

Adrian Stancescu wrote: “Very good, but just stop pretending that macOS Server
is a real product, or that Profile Manager is something a sane person should
use.”

Todd Ness wrote: “I love the thought of being able to manage updates via MDM,
but it is just not very useful. I’m not sure if that is all Apple’s fault or if
Jamf is to blame for some of it. I cannot target all 1100 updates at once—about
250 seems doable. There is no forced update after the deferrals end, either,
which makes it somewhat useless. The forced update has no interaction, which is
a bit of a problem as well.”

Sam Schmitt wrote: “I am excited about declarative management APIs and how they
can be used in the future.”

Ben Burton wrote: “VPP is really flaky. Software Updates via MDM command are
too.”

Stephen Short wrote: “It’s a mixed bag. The macOS software update deferral API
commands in Monterey are an improvement but are still not totally reliable. Even
if your MDM is escrowing a secure token, users on Apple silicon may still be
prompted to authenticate to authorize a macOS software update. If your
organization wants to force an update, it’s still too easy for a user to
indefinitely avoid updates (absent other forms of intervention and remediation
outside of Apple). The ability to Erase All Content and Settings using an API
command in Monterey is a very welcome feature. This can drastically reduce
troubleshooting times with users and allows Macs to be returned to service and
re-issued without a time-consuming erase and reinstall of macOS.”

Viktor Glemme wrote: “Much better than previous years. It’s still missing
features and functionality. As MDM becomes more and more important in an
agent-less world, we need to have more features in the MDM spec to help us
manage devices.”

Luke Charters wrote: “Some commands are instant; others just never get received.
The best is when they get received, and nothing happens, and there’s no error.
We’ve checked, and our network can communicate with Apple according to the
enterprise network support page.”

Jing Yao wrote: “Small quality of life improvements, but I’d still like to see
more meaty improvements, so we don’t have to resort to scripting and hacks.”

Anthony Reimer wrote: “MDM is not as reliable as I would like. The lack of
round-trip feedback continues to be an issue. I am looking forward to the work
Apple has begun on moving to state management—this could be a real boon for Mac
admins.”

Niko Torres wrote: “Overall integration is working well. Pain points may
resurface in the future as Apple continues to tighten security.”

Kevin Williams wrote: “I think it has been in this category where their work has
become apparent (and useful) to us, the end-user. So much more is available for
us to manage our Macs and iPads that we wish there was an MDM for Windows that
came close to the abilities we have on our Apple devices. That used to be
reversed for years.”

Cameron Kay wrote: “Apple’s infrastructure is still a bit flaky. Also, their
protocol is ‘best effort,’ which means things may never make the device. And if
something fails at device enrollment, the device goes unmanaged.”

Paul Chernoff wrote: “Improving but lots more work to do. Using UDP lowers the
reliability of MDMs. We need better control, especially the order in which
profiles are installed since some profiles depend on others being installed
first.”

Mischa van der Bent wrote: “Didn’t have any big issues this past year. The MDM
protocol is a strange beast, but I love it! I’d love to see the declarative MDM
come to the entire ecosystem, not only for ADUE.”

Graham Pugh wrote: “There have not been any significant changes in 2021.
Declarative MDM is not yet available in any meaningful way.”

John Welch wrote: “Everyone is still chasing Apple’s tail.”

Robert Hammen wrote: “Super interested to see where the new declarative device
management goes. The MDM functionality in macOS has not changed significantly
since its release in macOS 10.7 Lion. We desperately need the ability to set
settings once (Dock), but allow users to make changes. The ‘set settings or
don’t’ functionality isn’t good enough. I would also love the ability for MDM to
become more stateful. For example, if there’s a profile to enable the firewall,
if it’s somehow disabled, the device should automatically re-enable it.”

Allister Banks wrote: “MDM continues to be ‘management over UDP’, the most
popular vendor implements the spec in such a way that what payloads are
installed is not shared with admins, and the local frameworks are private, and
the ‘public APIs’ (system profiler and the profiles command) are inconsistent,
incomplete, and ungainly to wrap. Infrastructure-wise, underlining the lack of
API for the business/education enrollment portals, a certain gig economy company
found a way to overwhelm Apple’s servers due to the overall lack of rate
limiting when performing verification on enrolled status. We must continuously
poll or check side-effect artifacts that imply some sort of state because Apple
never built the actual hooks for gauging metrics or getting accurate telemetry
regarding enforcement or acceptable operating constraints. In a previous
lifetime, years ago with Managed Client for OS X we had ‘manage once’ friendly
defaults. Now vendors like Kolide measure ‘fence-jumpers’ when Apple only
provides restrictive walls.”

Rick Heil wrote: “MDM still feels like it is, at best, an afterthought. Lack of
documentation and definition around the existing application of profiles, plus a
lack of use case for declarative MDM announced at WWDC 2021 makes me concerned
about what will be coming for macOS at WWDC 2022. I think everyone involved
agrees that MDM for macOS needs a full overhaul—the million-dollar question is
if Apple will design their new system in a manner that is truly useful for
enterprises.”

Marcus Rowell wrote: “The old MDM protocols are limping along. Hopefully the new
declarative protocols live up to their promise and are implemented with feedback
from the community.”

Mike Caplinger wrote: “There is always slow but steady improvement.”

Mike Stirrup wrote: “Still feels like a set-it-and-hope-it-happens process.
Commands often fail if the device is not active when a policy is enabled.”

Bart Reardon wrote: “No major issues with MDM. I’m glad to see there are efforts
on improving the protocol by adding declarative device management, and Apple
isn’t resting on its laurels.”

Stephen Robles wrote: “The number of websites and portals required to manage an
MDM like Jamf can be ungainly. Some areas, like the certificate renewal website,
is hilariously old. But still performs the function just fine.”

Joel Housman wrote: “We have zero experience with MDM and iOS devices as we just
issue a stipend to staff to pay for services (phone/data) and don’t own any
devices ourselves. As for macOS, MDM has been great. We can either deploy all
our software through VPP over MDM from the Mac App Store or we can use MDM
payloads to load it from outside of VPP if the software isn’t available on the
Mac App Store.”

Jason Broccardo wrote: “I’m still testing MDM changes like the new software
update options available for use with macOS 12 Monterey. Not conclusive yet if
they are any improvement on what we’ve had before.”

Craig Cohen wrote: “Declarative management is a great line in the sand that I
can’t wait to cross.”

Fridolin Koch wrote: “Declarative Management looks promising but is not here
yet.”

Armin Briegel wrote: “Declarative device management shows a lot of promise but
is still too limited to give a fair judgment or be actually useful. At WWDC 2022
Apple will have to prove its commitment by pushing this new paradigm forward in
features and scope, while addressing the shortcomings of the current MDM
protocol, which remains as woeful as before.”

Kale Kingdon wrote: “While the reliability and stability of the MDM Protocols
remain solid and unchanged (outside of the OS Update Commands), there has been
no discernible innovation in the current ADE device framework. And with declared
management still only being supported on UIE devices, I feel I’m waiting for the
other shoe to drop when it comes to potential changes.”


THE FUTURE OF APPLE IN THE ENTERPRISE

Grade: B+ (average score: 3.8, last year: 3.4)

Robert Hammen wrote: “Still fairly bullish on Apple in the enterprise. I think
sometimes the developers and product marketing don’t have enterprise in mind
when introducing new functionality or features in the OSes, and then Apple has
to scramble afterward to address holes in enterprise workflows.”

Mike Caplinger wrote: “Our users are very happy with their MacBooks. I don’t
think that will change in the next few years.”

Rick Heil wrote: “From outside the MacAdmin sphere of influence, Apple devices
and products still have a certain cachet to most employees and are still our
dominant computing device. I don’t see that changing any time soon, even if the
platform becomes increasingly difficult to manage. End-users still prefer the
flexibility and experience they get with macOS versus other operating systems,
and love the sleek, well-designed hardware Apple produces.”

Anthony Reimer wrote: “My views since last year haven’t changed much. I really
like the people that Apple has hired from the Mac admins community to help them
up their game, and it is clearly paying off. Apple’s hardware is fantastic. I
support Apple’s aim to give users more control over their privacy, even on a
corporately owned device. But Apple makes it hard to administer computers where
there is more than one user. We want to make it easier for our users to avoid
common privacy and security pitfalls, but Apple’s systems/rules are often an
impediment. Apple is getting better, but they need to continue to get better.”

Stephen Short wrote: “I am generally positive on the prospects for slow,
continued improvement for enterprise management of Macs and iOS devices. There
are certainly areas like software update and identity management that need a lot
of work, but I feel like Apple has done a good job at informing admins of
upcoming changes via AppleSeed. Organizations that have a relationship with an
Apple rep for purchases may have a better experience at reaching the correct
team or person to assist them when support issues arise, especially if they are
not paying for an enterprise support agreement.”

Jason Broccardo wrote: “Don’t see Apple’s foothold going away any time soon.”

Niko Torres wrote: “Apple gives the impression that they are listening, which is
heartening. I still am prepared for the inevitability that they will spring
something on us due to past experience but am hopeful they are moving towards
more transparency in enterprise management.”

John Welch wrote: “I honestly can’t complain too much. Are there things I’d like
to see them do more of? Sure. Better PIV/CAC support is something the entire
civilian and military government sector would love to see, especially iOS users.
Buying a reader for non-Macs is non-cheap. I’d love to see support for FaceID in
at least MacBooks. Building out a proper Boot Camp integration for ARM versions
of Windows and Linux would be of use to the enterprise, and non-enterprise too,
for that matter. I think government/defense customer needs are always going to
be an issue for Apple because many of them simply don’t translate well to
general needs. Most people will never need a PIV/CAC card, but for
government/military/defense, they’re critical. Should Apple build card readers
into Macs? In my current gig, I would say absolutely. When I worked other
places, I would have said, ‘meh, maybe, no big deal.’ I think their opening of
repair options is a huge boon for people working remotely in areas where the
nearest Apple store might be hundreds of miles away, and I’d like to see them
consider adding built-in cell support to the MacBook line. For remote workers,
it’d be a big step in the right direction for a large swath of their users.”

Joel Anderson wrote: “Apple is still a popular choice, but Google is kicking
butt, especially in education.”

Bart Reardon wrote: “The impression I get from Apple as an organization and from
the Apple employees I deal with (account management, service reps, purchasing)
is that there is a concerted effort being made to not just implement some bare
minimum feature set or present their idea of what Apple in the enterprise should
look like, but to listen to the people that manage these devices and use that
feedback to inform how their products look and behave.”

Adrian Stancescu wrote: “100% confident that Apple will do amazingly well in the
enterprise. The Apple silicon Macs are unbeatable.”

Fridolin Koch wrote: “They have to keep the good vibes around the M1 going and
do more for enterprises regarding roadmaps and enterprise features like SSO.”

Luke Charters wrote: “I feel confident, but they need to make some fundamental
improvements to really make it great.”

Armin Briegel wrote: “Apple silicon-based hardware continues to impress and
excite. This puts Apple in a great place to gain mind and market share in the
enterprise. However, Apple needs to understand the workflows and requirements of
IT and security teams outside of Apple. Most of the issues that make managing
Apple devices so cumbersome seem to stem from workflows that fail to address
real-world requirements. These obstacles will impede the momentum that Apple is
building on the user side. I repeat my request from last year: When Apple
designed the new Mac Pro, they hired a team of Pro users to understand their
workflows and requirements. Apple needs a similar effort to understand the
workflows and requirements of businesses.”

Stephen Robles wrote: “I believe Apple is taking great strides to support small
businesses and creating useful tools like Apple Business Essentials. I look
forward to what they build in the next few years.”

Kevin Williams wrote: “I like to think that these improvements (like their
efforts with the Mac) are not just a few-year focus and that they will continue
to improve these services over time. They’ve finally got them in a good
place—now it just needs care and feeding constantly, and not a complete overhaul
like in the not-so-distant past.”

Brian LaShomb wrote: “Migration of corporate-owned devices to another MDM
provider is still a painful process and one that Apple will have to face
eventually with its own offerings now entering the MDM space. The lack of
ability to control the macOS version deployed remains a concern. With a maximum
90-day deferral for updates, some organizations will end up being forced into
situations that could cost their business time and resources without their
consent. All based upon what would seem to be an arbitrary constraint.”

Mike Stirrup wrote: “I hope Apple sees the enthusiasm the community has shown
for the new M1 devices and works on improving the tools for Apple admins to
manage them. They show glimmers of hope occasionally with promised improvements
but are often too slow at implementing them.”

Marcus Rowell wrote: “The cloud OS strategy of Microsoft and Google is seeing
them absolutely own the infrastructure that manages identity, security, and
hosts the business apps and data. Even Microsoft Word is now a heavily
cloud-OS-integrated app. While these two continue to include Apple devices as
first-class endpoints for the cloud OS, Apple’s user-focused hardware and
software will continue to win new enterprise customers. If the features and
functionality start to become much better on other platforms than Apple, what
then? That Apple dominates the phone market is probably the core reason that
Apple devices are first-class Cloud OS clients.”

Sam Rigby wrote: “It’s a mixed bag. Ultimately, this is an iPhone and services
company, and so it could very easily decide that the juice isn’t worth the
squeeze for enterprise/schools.”

Ben Burton wrote: “The hardware and OS remain the absolute best in the industry,
but a lot of Apple’s enterprise stuff feels completely ignored.”

Kale Kingdon wrote: “While I am happy with the core feature sets provided to the
enterprise community, the seemingly random half-baked solutions that fail to be
iterated upon year after year show that the teams initially assigned to these
projects, while extremely passionate, are thoroughly under-resourced and
potentially moved from project to project at whim. Most of us understand at a
core level that Apple’s focus is on the consumer, and the feature sets that we
live and breathe are second, third or fifth fiddle in priority. But it can be
disconcerting to see such a highly valued company not have the resources
dedicated to core features of its operating systems and frameworks.”

Viktor Glemme wrote: “Apple is better every year at its enterprise game. Still
feel it needs to listen to the larger organizations and help them manage devices
better.”

Joel Housman wrote: “It is clear to me that Apple is putting more wood behind
the arrow when it comes to enterprise support and their platforms. Each WWDC,
more features come built into iOS, macOS, the enterprise portal, or ABM that
support the needs of organizations. As long as they keep adding features and
capabilities at the rate they’ve done so over the last five years, I’m happy.”

Cameron Kay wrote: “They need to listen to IT admins’ needs more. The enterprise
team at Apple doesn’t seem to have much real-world experience and seems to see
things distorted to the rest of us.”

Jeremy Mentzell wrote: “This feels like it’s on the upswing with renewed support
in the government and education teams, but much more attention is needed.”

Graham Pugh wrote: “Fortunately for Apple, their hardware remains very
attractive, and Apple silicon devices have increased their popularity. Apple’s
enterprise developments are just about able to maintain this.”

Allister Banks wrote: “Hard to tell a trillion-dollar company you’re taking your
business elsewhere or really find any leverage with issues besides the normal
backchannel network of internal people who care or the press blowing it up.
Apple gives off the impression we only need to care about the software they
preinstall or offer bundled and can’t even let us patch it effectively. The same
people being allowed to iterate in the wrong direction for users’ security and
stability is not encouraging.”

Todd Ness wrote: “It seems like they are trying. Of course, it is never fast
enough for those of us waiting for better solutions.”

Jing Yao wrote: “With the Apple silicon transition and the new capabilities that
will come to the Mac from it, the future should bring some more improvements at
a faster pace than it has previously.”


PARTICIPANTS

Thanks to Kandji for commissioning the survey, and to Tom Bridge and Charles
Edge of the Mac Admins Podcast for their help in analyzing the results. Thanks
to Amanda McTaggart for doing a lot of heavy lifting in prepping the survey
results.

And finally, thanks to the participants. Participating in this survey were Joel
Anderson, Allister Banks, Jake Baranski, Tom Bridge, Armin Briegel, Jason
Broccardo, Ben Burton, James Capen, Mike Caplinger, Brad Chapman, Luke Charters,
Paul Chernoff, Craig Cohen, David Coom, Keion Dorsey, Charles Edge, Ryan
Ellerbe, Tomas Gal, Viktor Glemme, Ted Goranson, Robert Hammen, Rick Heil, Joel
Housman, Cameron Kay, Kale Kingdon, Fridolin Koch, Glenn Kowalski, Stuart
Lamont, Tom Larkin, Brian LaShomb, Gregor Longariva, Liam Matthews, Jeremy
Mentzell, Harald Monihart, Todd Ness, Graham Pugh, Bart Reardon, Anthony Reimer,
Sam Rigby, Stephen Robles, Marcus Rowell, Sam Schmitt, Stephen Short, James
Smith, Adrian Stancescu, Mike Stirrup, Matthew Suddock, Steve Summers, Niko
Torres, Mischa van der Bent, John Welch, Kevin M. White, Kevin Williams, Jing
Yao, Tony Young, and 15 others who wished to remain anonymous.

Six Colors® is copyright © 2022 by The Incomparable Inc.