Apple has finally done it: they released an MDM called Apple Business Essentials, something I have been waiting on for a very long time, going back to my BlackBerry days. Previously, I discussed Managed Apple IDs. Today, we will spend some time together looking at what is available in the Beta. We’re going to cover a quick look at their new Apple Business Manager in Beta, Subscription Options, Users, User Groups, Roles, Collections, and available settings. This should be really fun, so let’s get started!
The New Apple Business Manager
The new ABM is pretty neat, as they gave it a bit of a facelift to make it look cleaner and sleeker. I definitely think it runs way better than the old one did. Let’s check out the video, as it’s pretty straightforward:
Apple Business Essentials Subscription Options
At this point in the plan, we only have access to the “Employee Plan”, but it appears a device plan will be coming later presumably for stuff like Apple TVs and other connected devices they have planned. They call it “conference rooms, kiosks, and other service devices.”
Let’s look at our subscription options:
Number of Devices | iCloud Storage Included | Cost |
1 | 50 GB | $2.99 |
3 | 200 GB | $6.99 |
3 | 2 TB | $12.99 |
One of the things that I love about how they’ve set things up is that you can buy all 3 subscription tiers and assign them to people based on user groups or to individual users. That gives you nice flexibility, which is definitely a win.
All Things Users in Apple Business Essentials
User Management is always the most important aspect of any solution. Apple has done a nice job integrating with Azure to deliver SCIM provisioning. You can check out a short video below to show you how to pull in your users via SCIM before we get started:
Now that we have covered how we get users into Apple Business Manager, let’s talk more about User Groups and Roles, which I hope will evolve more because I don’t find them to be all that compelling at this juncture.
User Groups in Apple Business Essentials
The user groups aren’t particularly exciting at this juncture, but hopefully they will evolve. You have two options for user groups:
- Smart User Groups that add users to a group based on criteria
- Manual User Groups where you physically add users
The reason why we use Azure AD SCIM is to get specific attributes pulled in like department below. You can ALSO add in custom attributes for Division and Cost Center as discussed here:
Once you have done that, you can use department to create dynamic user groups as you can see below:
Your finished product is nice and clean:
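The attribute-driven grouping described in this section can be sanity-checked before you rely on it to target settings. The sketch below is an added example, not code from the original post or from Apple: the users are constructed SCIM 2.0 resources using the RFC 7643 enterprise extension (`department`, `costCenter`, `division`), and treating a smart group rule as a strict equality match is an assumption.

```python
# Added example. Constructed data; strict-equality group matching is an assumption.
ENTERPRISE = "urn:ietf:params:scim:schemas:extension:enterprise:2.0:User"

# Constructed SCIM user resources, shaped like what a directory would provision.
SAMPLE_USERS = [
    {"userName": "ana@example.com", "active": True,
     ENTERPRISE: {"department": "Finance", "costCenter": "CC-100", "division": "EMEA"}},
    {"userName": "raj@example.com", "active": True,
     ENTERPRISE: {"department": "finance ", "costCenter": "CC-100"}},  # drifted value
    {"userName": "lee@example.com", "active": True,
     ENTERPRISE: {"department": "Engineering"}},
    {"userName": "kim@example.com", "active": True,
     ENTERPRISE: {"department": "Sales"}},                  # no rule covers Sales
    {"userName": "sam@example.com", "active": True},        # extension never synced
    {"userName": "old@example.com", "active": False,
     ENTERPRISE: {"department": "Finance"}},                # deprovisioned account
]

def raw_attribute(user, name):
    """Return the enterprise-extension attribute exactly as provisioned, or None."""
    value = user.get(ENTERPRISE, {}).get(name)
    return value if isinstance(value, str) else None

def smart_group(users, name, wanted):
    """Active users an equality rule on `name` would select."""
    return sorted(u["userName"] for u in users
                  if u.get("active") and raw_attribute(u, name) == wanted)

def audit(users, name, rules):
    """Classify active users that no rule selects, so gaps are visible up front."""
    normalised = {r.strip().casefold() for r in rules}
    report = {"missing": [], "near_miss": [], "unmatched": []}
    for u in users:
        if not u.get("active"):
            continue
        value = raw_attribute(u, name)
        if value is None or not value.strip():
            report["missing"].append(u["userName"])      # attribute not populated
        elif value in rules:
            continue                                     # lands in a group as intended
        elif value.strip().casefold() in normalised:
            report["near_miss"].append(u["userName"])    # case or whitespace drift
        else:
            report["unmatched"].append(u["userName"])    # value has no matching rule
    return report

if __name__ == "__main__":
    print(smart_group(SAMPLE_USERS, "department", "Finance"))
    print(audit(SAMPLE_USERS, "department", ["Finance", "Engineering"]))
```

Users reported as `missing` or `near_miss` are the ones to fix in the source directory, since anything assigned through a department-based group would not reach them.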
User Roles in Apple Business Essentials
User Roles aren’t particularly useful at this point: you can edit their rights, but that’s about it. You can assign people to various roles, and it would be ideal to be able to create your own, but we aren’t there yet. The table below lays them out:
Role Name | Rights | Description |
Administrator | Full Access to Everything | Administrators are responsible for Apple Business Manager at your organization, and for accepting Apple Business Manager Terms and Conditions. |
People Manager | Create, Edit, Delete Locations; Edit Role Privs (except for Administrator); Participate in AppleSeed for IT; Use Managed Devices; Sign in to iCloud.com with Managed Apple ID; Use Managed Apps and Books; Manage Apple IDs; Reset Passwords; Create, Edit, and Delete User Groups | People Managers are responsible for specific locations within the company. They can be assigned to any location, and manage individuals and content. |
Device Enrollment Manager | Participate in AppleSeed for IT; Use managed devices; Sign in to iCloud.com with Managed Apple ID; Use Managed Apps and Books; Manage Automated Device Enrollment (aka DEP); Release Devices from Org | Device Enrollment Managers help Administrators with Apple Business Manager. They are located at the company, and manage devices and MDM servers. |
Content Manager | Participate in AppleSeed for IT; Use managed devices; Sign in to iCloud.com with Managed Apple ID; Use Managed Apps and Books; View Apps and Books; Buy Apps and Books; Manage Apps and Books | Content Managers are responsible for volume purchasing at specific locations within the company. They can be assigned to any location, and manage licenses for apps and books. |
Staff | Participate in AppleSeed for IT; Use managed devices; Sign in to iCloud.com with Managed Apple ID; Use Managed Apps and Books | Staff are non-managerial personnel at specific locations within the company. They can be assigned to any location, and can use devices managed by your organization, but may not sign in to Apple Business Manager. |
For me the main benefit here is you can block a user’s ability to enroll devices or use icloud.com to access content. Beyond that, the roles at this juncture don’t have a ton of value outside of giving admins access to Apple Business Manager.
Apple Business Essentials Settings
Settings are basically your profiles. Let’s lay out what available settings are out there today:
Name | Category | Platform | Details |
Application Layer Firewall | Essentials, Security, Network | MacOS | Built-in and signed software will automatically be allowed to receive incoming connections whenever firewall settings are enforced. You can choose to block all incoming connections and enforce stealth mode. |
Password and Screen Lock | Essentials, Security | MacOS, iOS | Your standard policy. It’s interesting for MacOS you can force password reset for everyone to ensure you are in compliance. Also, encompasses Smart Card profile settings. |
VPN | Essentials, Security, Network | MacOS, iOS | Supports either Cisco IPSec or L2TP over IPSec |
Wi-Fi | Essentials, Network | MacOS, iOS, tvOS | Supports Pre-shared Key and EAP-TTLS and up to TLS 1.2 |
AirDrop | Security, Network | MacOS | Supports Enable/Disable and Enable/Disable password sharing |
Certificate | Security | MacOS, iOS | Only used for uploading root certificates |
Gatekeeper | Security | MacOS | Enforce Gatekeeper mode and Allow/Disallow Override |
AirPrint | Network | MacOS, iOS | Push down AirPrint printers |
Conference Room Display | Personalization | tvOS | Restricts Apple TV to AirPlay only and customizes a screen saver display message |
Energy Saver | Personalization | MacOS | Supports standard power adapter, battery, and power event schedule features |
iCloud | Personalization | MacOS, iOS | Standard iCloud restrictions, which only work on DEP-enabled devices |
Login Window | Personalization | MacOS | Covers Appearance, Login Windows Auth Options, and User Account Controls |
You will notice from my list above that the supported features are VERY small-business centric. I think it might be a little narrow-minded to assume that an SMB can’t have user certificates, but it’s truly a basic solution from a profile perspective.
Apple Business Essentials Collections
Collections let you assign apps and settings to users and devices. They are one of the main tenets of Apple Business Essentials. The best way to see how this all comes together is this video demo below showing you how we build an initial configuration for MacOS:
Enrolling a Mac in Apple Business Essentials
You can check out the video below to see how the enrollment process works on MacOS:
Enrolling an iOS Device in Apple Business Essentials
Check out the video below for their enrollment powered by iOS User Enrollment:
Final Thoughts
So, in the end we have finished our full evaluation of Apple Business Essentials.
From an unbiased standpoint, I would say that it will work for some companies, but I think it’s a bit limited. Given how heavily small businesses use certificates and how their requirements keep growing, it eliminates many from the equation. I do love how easy it is to manage. You no longer need to manage APNS certificates or much of the nonsense involved in MDM today.
The one thing that I would really love to see is the ability to directly manage and access iCloud data for your managed Apple IDs, like administrators can with OneDrive today. Overall, they have made some nice strides with ABM since its inception, but there is still a ton of work to do. Let’s hope they don’t stop here and deliver better user management, roles, and deeper integration of profiles. The one thing that is really missing is SSO extensions, which are huge for SSO today in Office 365.