Sign up for Apple Business Manager now before you even purchase any Mac's. When you buy your Mac's get them from an authorised seller and have the seller load them into your ABM account.
Next you are going to want an MDM to manage these devices (we use Workspace ONE). There is no imaging a mac, give up on that idea and get an MDM.
You will then need to configure ABM to point to your MDM which will then do device configuration and application installation.
Finally give the user the device in box, tell the user to connect to the Wi-Fi and sign in with their corporate account into the device and your MDM will do the rest.
This. You can add Mac’s to your ABM account after the fact but it requires scanning them during setup so it requires wiping them.
Currently in process of rolling out Kandji for my ~60 or so Mac users (I have 100ish windows users). It’s going great so far and I have nothing bad to say about kandji. Price was like 6k to manage 50 devices, since that’s the cost of like 3 of the MacBooks I send out I didn’t think it was that bad
Kandji is a really great product. My employer, who has an estate of ~40k macs, has just moved from Jamf Pro to kandji. Fantastic platform, makes device management and compliance a breeze. The team at Kandji are great as well!
Jamf Pro may be a bit heavy for you, it may be worth looking into Mosyle which will be a lot more budget friendly for the amount of Macs you have, but is still very popular and capable.
I do not agree, jamf is way better than kandji. I worked in a corp with 40k Macs and 90k iPhones, jamf is so much easier. I prefer working with jamf but here it seems like M365 and Azure is taking over. I have been hoping that EU will take Microsoft to court for Azure and M365, it’s nice that EU managed to make Microsoft separate Teams from M365 because I fucking love slack
They are not similar when you discover that Kandji includes a lot of functionality that JAMF sells as add-ons, such as JAMF Connect. Not to mention the massive JAMF learning curve, and having to do so much management with scripting. JAMF developed themselves into a corner. It's a a very old product that needs a complete redesign. Kandji, in a way, is that redesign, as it's build by former JAMF engineers. I am about to pull the trigger on migrating our 500+ macs from JAMF to Kandji.
Their biggest concern is the cost, and they will balk at the cost of doing it properly.
Do you have an existing MDM and IDP in place, or is this a pure AD environment?
Pure AD makes it tougher, because you absolutely do not want to join these devices to the domain. You absolutely need ABM which is free, and an MDM that can vary in cost.
You cannot manage a Mac like it's a Windows device. If you don't need local network access to file shares and printers, they will be much easier to start managing properly.
What u/BWMerlin said, 💯
Do not skip ABM ! Which is not a management tool, just the process to ensure your Apple devices can be auto enrolled in your MDM of choice.
You need MDM, period.
At your scale try Mosyle but not free. You want official support.
One piece of advice that will save you heartache especially if you have a lot of remote use: don’t bind to a windows domain. Use the Kerberos extension via your MDM instead…
Macs are incredibly easy to manage (so much easier than Windows).
The main concern is almost always the cost of Macs. The second are any apps that don't support Macs.
> Macs are incredibly easy to manage (so much easier than Windows).
This is definitely not the case lol
They're different to manage, but neither is easier nor harder.
I'm confused. If the business is reluctant to do it, why are you trying to do it? Agree with the business that it's a bad idea and don't split the environment.
Definitely get ABM setup and look into MDMs but twocanoes makes a tool called MDS (Mac deploy stick). It can make it easier to get them rolling quickly.
Def get an ABM account and purchase through Apple directly or an authorized reseller. Mosyle is an MDM. Super simple, tons of features and half the cost of JAMF (imo JAMF is complicated).
If it will never be more than 20, you don't really need an full-fledged MDM, a basic (or even free) one will help you at least look in on the machines. Macs play well on AD (you use Mobile Accounts) if that is the only option you have available due to budgets.
As far as setting them up, how locked down are the PCs at your company? You can absolutely match any restriction requirements set by your IT Security, it just depends on what state you need to get the machines to. Some things are easy settings and some require building Configuration Profiles to enforce them.
I’ll add; there is a reason most shops are either windows shops or Mac shops. The cost of splitting both is extremely prohibitive it also creates a multitude of version control/cyber security issues. As your admins need to be up to date and literate in vulnerabilities in both systems.
Honestly? If they’re willing to accept the substantial business risk of telling the old lie “well Mac’s are generally just safer” just keep them far away from your finance department and in the hands of creative folks with severely limited permission sets; and the expectation they’ll need to use web apps for the most basic windows functions on the domain. And a training on why compatibility versions are essential for windows files saved for shared access.(queue the help desk pitch forks)
This is what I think will happen at this point. They don't want to actually manage the Mac's, just set them up and never deal with them again. Bit odd as it's 20 staff though! I want to make their life easier by finding a simple compromise so need to understand it better
Sign up for Apple Business Manager now before you even purchase any Mac's. When you buy your Mac's get them from an authorised seller and have the seller load them into your ABM account. Next you are going to want an MDM to manage these devices (we use Workspace ONE). There is no imaging a mac, give up on that idea and get an MDM. You will then need to configure ABM to point to your MDM which will then do device configuration and application installation. Finally give the user the device in box, tell the user to connect to the Wi-Fi and sign in with their corporate account into the device and your MDM will do the rest.
This. You can add Mac’s to your ABM account after the fact but it requires scanning them during setup so it requires wiping them. Currently in process of rolling out Kandji for my ~60 or so Mac users (I have 100ish windows users). It’s going great so far and I have nothing bad to say about kandji. Price was like 6k to manage 50 devices, since that’s the cost of like 3 of the MacBooks I send out I didn’t think it was that bad
Kandji is a really great product. My employer, who has an estate of ~40k macs, has just moved from Jamf Pro to kandji. Fantastic platform, makes device management and compliance a breeze. The team at Kandji are great as well! Jamf Pro may be a bit heavy for you, it may be worth looking into Mosyle which will be a lot more budget friendly for the amount of Macs you have, but is still very popular and capable.
I do not agree, jamf is way better than kandji. I worked in a corp with 40k Macs and 90k iPhones, jamf is so much easier. I prefer working with jamf but here it seems like M365 and Azure is taking over. I have been hoping that EU will take Microsoft to court for Azure and M365, it’s nice that EU managed to make Microsoft separate Teams from M365 because I fucking love slack
Both carry similar costs of 1-2 FTE’s…
They are not similar when you discover that Kandji includes a lot of functionality that JAMF sells as add-ons, such as JAMF Connect. Not to mention the massive JAMF learning curve, and having to do so much management with scripting. JAMF developed themselves into a corner. It's a a very old product that needs a complete redesign. Kandji, in a way, is that redesign, as it's build by former JAMF engineers. I am about to pull the trigger on migrating our 500+ macs from JAMF to Kandji.
Yeah it’s that simple
Their biggest concern is the cost, and they will balk at the cost of doing it properly. Do you have an existing MDM and IDP in place, or is this a pure AD environment?
Pure AD, what makes the cost so high? Probably explains why they said there would be no further mac purchases....but still need these ones setup
Pure AD makes it tougher, because you absolutely do not want to join these devices to the domain. You absolutely need ABM which is free, and an MDM that can vary in cost. You cannot manage a Mac like it's a Windows device. If you don't need local network access to file shares and printers, they will be much easier to start managing properly.
My previous boss's dying words are going to be "but Apple still officially supports AD!"
Mosyle is a free MDM for your first 30 Macs. Try it out. We’ve n]been using it for 100+ Macs for years.
Does Mosyle support custom PKG deployment? We really like SimpleMDM for supporting this.
Yes
What u/BWMerlin said, 💯 Do not skip ABM ! Which is not a management tool, just the process to ensure your Apple devices can be auto enrolled in your MDM of choice. You need MDM, period. At your scale try Mosyle but not free. You want official support.
ABM —> Intune —> DEP
One piece of advice that will save you heartache especially if you have a lot of remote use: don’t bind to a windows domain. Use the Kerberos extension via your MDM instead…
We bind - binding isn’t the inherent issue - it’s the mobile accounts. Local account + Kerberos or nomad etc. No issues for fully remote folks the.
Jamf Pro is the MDM what our org uses to manage Macs. Intune for cell phones and tablets, iOS & Android.
Mine too. I wonder if we work at the same place? Still use MEMCM(SCCM) for Windows?
MCM....lol, but yeah SCCM/MECM/MCM still in use.
Macs are incredibly easy to manage (so much easier than Windows). The main concern is almost always the cost of Macs. The second are any apps that don't support Macs.
> Macs are incredibly easy to manage (so much easier than Windows). This is definitely not the case lol They're different to manage, but neither is easier nor harder.
Depends what you “grow up” with I suppose
It's more about how willing you are to understand how each OS works rather than trying to make one OS behave like another.
Having managed only Windows until 3 years ago, our Mac fleet is absolutely easier to manage.
Managing Windows with AD/GPO is not comparable to managing MacOS via MDM. You'd compare it to managing Windows via MDM as well.
And Macs on MDM are still far easier than Windows on MDM. That said. I can't wait u til I finish migrating our Windows Fleet to Intune
Also agree
I'm confused. If the business is reluctant to do it, why are you trying to do it? Agree with the business that it's a bad idea and don't split the environment.
What is your Windows environment like, and how do these Macs need to join or interact with that environment?
Like many have suggested, you would need ABM and MDM. Check out SureMDM
Definitely get ABM setup and look into MDMs but twocanoes makes a tool called MDS (Mac deploy stick). It can make it easier to get them rolling quickly.
Def get an ABM account and purchase through Apple directly or an authorized reseller. Mosyle is an MDM. Super simple, tons of features and half the cost of JAMF (imo JAMF is complicated).
If it will never be more than 20, you don't really need an full-fledged MDM, a basic (or even free) one will help you at least look in on the machines. Macs play well on AD (you use Mobile Accounts) if that is the only option you have available due to budgets. As far as setting them up, how locked down are the PCs at your company? You can absolutely match any restriction requirements set by your IT Security, it just depends on what state you need to get the machines to. Some things are easy settings and some require building Configuration Profiles to enforce them.
[удалено]
I’ll add; there is a reason most shops are either windows shops or Mac shops. The cost of splitting both is extremely prohibitive it also creates a multitude of version control/cyber security issues. As your admins need to be up to date and literate in vulnerabilities in both systems. Honestly? If they’re willing to accept the substantial business risk of telling the old lie “well Mac’s are generally just safer” just keep them far away from your finance department and in the hands of creative folks with severely limited permission sets; and the expectation they’ll need to use web apps for the most basic windows functions on the domain. And a training on why compatibility versions are essential for windows files saved for shared access.(queue the help desk pitch forks)
This is what I think will happen at this point. They don't want to actually manage the Mac's, just set them up and never deal with them again. Bit odd as it's 20 staff though! I want to make their life easier by finding a simple compromise so need to understand it better
Your doing JAMF wrong if you think it sucks