Taking a Look at Apple Business Essentials for Small and Medium Business


Apple Business Essentials

Apple has finally done it. They finally released an MDM called Apple Business Essentials, something I had been waiting a very long time for, going back to my BlackBerry days. Previously, I discussed Managed Apple IDs. Today, we will spend some time together looking at what is available in the Beta. We’re going to cover a quick look at their new Apple Business Manager in Beta, Subscription Options, Users, User Groups, and Roles, Collections, and available settings. This should be really fun, so let’s get started!

The New Apple Business Manager

The new ABM is pretty neat as they gave it a bit of a facelift to make it look cleaner and more sleek. I definitely think it runs way better than the old one did. Let’s check out the video as it’s pretty straightforward:

Apple Business Essentials Subscription Options

At this point in the plan, we only have access to the “Employee Plan”, but it appears a device plan will be coming later presumably for stuff like Apple TVs and other connected devices they have planned. They call it “conference rooms, kiosks, and other service devices.”

Let’s look at our subscription options:

| Number of Devices | iCloud Storage Included | Cost |
|---|---|---|
| 1 | 50 GB | $2.99 |
| 3 | 200 GB | $6.99 |
| 3 | 2 TB | $12.99 |

One of the things that I love about how they’ve set things up is you can buy all 3 subscription tiers and assign them out to people based on user groups or just users individually. That gives you nice flexibility, which is definitely a win.

All Things Users in Apple Business Essentials

User Management is always the most important aspect of any solution. Apple has done a nice job integrating with Azure to deliver SCIM provisioning. You can check out a short video below to show you how to pull in your users via SCIM before we get started:

Now that we have covered how we get users into Apple Business Manager, let’s talk more about User Groups and Roles, which I hope will evolve more because I don’t find them to be all that compelling at this juncture.

User Groups in Apple Business Essentials

The user groups aren’t particularly exciting at this juncture, but hopefully they will evolve. You have two options for user groups:

  • Smart User Groups that add users to a group based on criteria
  • Manual User Groups where you physically add users

The reason why we use Azure AD SCIM is to get specific attributes pulled in like department below. You can ALSO add in custom attributes for Division and Cost Center as discussed here:

Once you have done that, you can use department to create dynamic user groups as you can see below:

Your finished product is nice and clean:
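Because dynamic groups depend entirely on the attributes SCIM delivers, it is worth checking attribute coverage before trusting the groups. The following is an added example, not from the original post or from Apple: it walks constructed SCIM 2.0 user records and lists active users that no department rule would select. The group names, the rules, and the exact, case-sensitive matching are assumptions made for illustration.

```python
# Added example: audit department coverage before relying on dynamic groups.
# Users, group names and rules are constructed; nothing here calls Apple or Azure.
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

SAMPLE_USERS = [  # constructed SCIM 2.0 user resources (RFC 7643 shape)
    {"userName": "ana@example.com", "active": True,
     ENTERPRISE: {"department": "Finance", "costCenter": "1001", "division": "EMEA"}},
    {"userName": "bo@example.com", "active": True,
     ENTERPRISE: {"department": "finance", "costCenter": "1001"}},
    {"userName": "cy@example.com", "active": True,
     ENTERPRISE: {"department": "Engineering", "division": "AMER"}},
    {"userName": "di@example.com", "active": True},  # extension never synced
    {"userName": "ed@example.com", "active": False,
     ENTERPRISE: {"department": "Finance"}},
]

# Hypothetical smart-group rules: group name -> department value it selects.
# Exact, case-sensitive comparison is an assumption of this example.
GROUP_RULES = {"Finance Staff": "Finance", "Engineering Staff": "Engineering"}


def department_of(user):
    """Return the trimmed department string, or None if absent or blank."""
    value = user.get(ENTERPRISE, {}).get("department")
    if isinstance(value, str) and value.strip():
        return value.strip()
    return None


def audit_groups(users, rules):
    """Map active users onto department rules and list those no rule selects."""
    membership = {group: [] for group in rules}
    gaps = []  # (userName, reason) for active users outside every group
    for user in users:
        if not user.get("active", False):
            continue  # deprovisioned accounts should not count as coverage
        dept = department_of(user)
        hits = [g for g, wanted in rules.items() if dept == wanted]
        for group in hits:
            membership[group].append(user["userName"])
        if dept is None:
            gaps.append((user["userName"], "no department attribute"))
        elif not hits:
            gaps.append((user["userName"], f"department {dept!r} matches no rule"))
    return membership, gaps


if __name__ == "__main__":
    groups, gaps = audit_groups(SAMPLE_USERS, GROUP_RULES)
    print(groups)
    for name, reason in gaps:
        print("UNASSIGNED:", name, "-", reason)
```

Any user reported as unassigned would sit outside every department-based group, so anything assigned through those groups would not reach them.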

User Roles in Apple Business Essentials

User Roles aren’t particularly useful at this point: you can edit their rights, but that’s about it. Obviously you can assign people to various roles, and it would be ideal to be able to create your own, but we aren’t there yet. The table below lays them out:

| Role Name | Rights | Description |
|---|---|---|
| Administrator | Full Access to Everything | Administrators are responsible for Apple Business Manager at your organization, and for accepting Apple Business Manager Terms and Conditions. |
| People Manager | Create, Edit, Delete Locations; Edit Role Privs (except for Administrator); Participate in AppleSeed for IT; Use Managed Devices; Sign in to iCloud.com with Managed Apple ID; Use Managed Apps and Books; Manage Apple IDs; Reset Passwords; Create, Edit, and Delete User Groups | People Managers are responsible for specific locations within the company. They can be assigned to any location, and manage individuals and content. |
| Device Enrollment Manager | Participate in AppleSeed for IT; Use managed devices; Sign in to iCloud.com with Managed Apple ID; Use Managed Apps and Books; Manage Automated Device Enrollment (aka DEP); Release Devices from Org | Device Enrollment Managers help Administrators with Apple Business Manager. They are located at the company, and manage devices and MDM servers. |
| Content Manager | Participate in AppleSeed for IT; Use managed devices; Sign in to iCloud.com with Managed Apple ID; Use Managed Apps and Books; View Apps and Books; Buy Apps and Books; Manage Apps and Books | Content Managers are responsible for volume purchasing at specific locations within the company. They can be assigned to any location, and manage licenses for apps and books. |
| Staff | Participate in AppleSeed for IT; Use managed devices; Sign in to iCloud.com with Managed Apple ID; Use Managed Apps and Books | Staff are non-managerial personnel at specific locations within the company. They can be assigned to any location, and can use devices managed by your organization, but may not sign in to Apple Business Manager. |

For me the main benefit here is you can block a user’s ability to enroll devices or use icloud.com to access content. Beyond that, the roles at this juncture don’t have a ton of value outside of giving admins access to Apple Business Manager.

Apple Business Essentials Settings

Settings are basically your profiles. Let’s lay out what available settings are out there today:

| Setting | Categories | Platforms | Details |
|---|---|---|---|
| Application Layer Firewall | Essentials, Security, Network | MacOS | Built-in and signed software will automatically be allowed to receive incoming connections whenever firewall settings are enforced. You can choose to block all incoming connections and enforce stealth mode. |
| Password and Screen Lock | Essentials, Security | MacOS, iOS | Your standard policy. It’s interesting for MacOS you can force password reset for everyone to ensure you are in compliance. Also, encompasses Smart Card profile settings. |
| VPN | Essentials, Security, Network | MacOS, iOS | Supports either Cisco IPSec or L2TP over IPSec |
| Wi-Fi | Essentials, Network | MacOS, iOS, tvOS | Supports Pre-shared Key and EAP-TTLS and up to TLS 1.2 |
| AirDrop | Security, Network | MacOS | Supports Enable/Disable and Enable/Disable password sharing |
| Certificate | Security | MacOS, iOS | Only used for uploading root certificates |
| Gatekeeper | Security | MacOS | Enforce Gatekeeper mode and Allow/Disallow Override |
| AirPrint | Network | MacOS, iOS | Push down AirPrint printers |
| Conference Room Display | Personalization | tvOS | Restricts Apple TV to AirPlay only and customize a screen saver display message |
| Energy Saver | Personalization | MacOS | Supports standard power adapter, battery, and power event schedule features |
| iCloud | Personalization | MacOS, iOS | Standard iCloud Restrictions and only work on DEP-enabled devices |
| Login Window | Personalization | MacOS | Covers Appearance, Login Windows Auth Options, and User Account Controls |

You will notice from my list above that the supported features are VERY small business centric. I think it might be a little narrow-minded to assume that an SMB can’t have user certificates, but it’s truly a basic solution from a profile perspective.

Apple Business Essentials Collections

Collections let you assign apps and settings to users and devices. They are one of the main tenets of Apple Business Essentials. The best way to see how this all comes together is this video demo below showing you how we build an initial configuration for MacOS:

Enrolling a Mac in Apple Business Essentials

You can check out the video below to see how the enrollment process works on MacOS:

Enrolling an iOS Device in Apple Business Essentials

Check out the video below for their enrollment powered by iOS User Enrollment:

Final Thoughts

So, in the end we have finished our full evaluation of Apple Business Essentials.

From an unbiased level, I would say that it will work for some companies, but I think it’s a bit limited. With the large degree of certificates and growing requirements of small businesses, it eliminates many from the equation. I do love how easy it is to manage. You no longer need to manage APNS certificates or much of the nonsense involved in MDM today.

The one thing that I would really love to see is the ability to directly manage and access iCloud data for your managed Apple IDs like administrators can with OneDrive today. Overall, they are making some nice strides with ABM since its inception, but there is still a ton of work to do. Let’s hope they don’t stop here and deliver better user management, roles, and deeper integration of profiles. The one thing that is really missing is SSO extensions, which are huge for SSO today in Office 365.


