So you want to manage Apple devices without using MDM? Here’s how.
Recently, I was asked a question I haven’t heard in several years: Can you manage Apple devices without using MDM?
The technical answer is yes. You can use configuration profiles and Apple Configurator to do this.
But you really shouldn’t try that approach. With mobile device management (MDM) vendors licensing their software for as little as $1 per device or user per month, MDM should be the go-to option for all but those on the tiniest of shoestring budgets. (There’s also the possibility of using Apple Business Essentials, a stripped-down solution from Apple intended for small organizations.)
MDM and Apple Business Manager (or Apple Business Essentials) allow for zero-touch deployment. IT does not even have to see a device; it can be shipped new in the box to an employee and it will automatically configure and enroll in MDM when querying Apple’s activation servers during startup.
By contrast, managing devices manually can be extremely time consuming because you have to set up each device by hand when installing configuration profiles — and you must touch it every time you need to make changes. Security updates (or any software updates) cannot be forced to install, leaving it up to each user to install them or not.
When a device is managed via MDM, there’s constant back-and-forth communication between the device and your company’s MDM service. This allows a whole host of features, particularly security features such as being able to query the device status, lock/unlock the device, install software updates, and add applications and other content over the air.
You also gain the ability to securely separate work and personal use of a device and to make use of managed Apple Accounts rather than relying on a user’s personal Apple account.
Managed Apple Accounts perform the same function as personal Apple IDs, but they’re owned by an organization rather than the end user and they link to an employee’s work-related accounts. They can also be managed in a way that allows users to access Continuity features at work and provides a work-related iCloud account. One big advantage here is that work-related passwords and passkeys can sync across all of a user’s work devices (and they can be automatically removed from a device if a worker leaves the organization).
Another consideration to keep in mind if you’re a small shop looking to save a few dollars is that you might not always be small. You may not think you need the features that come with MDM solutions, but as your company grows, your needs will change — and you’ll likely have to go through the headache of migrating away from manual management anyway.
This is the part where I tell you to turn back from trying to manage Apple devices manually.
But if you’re truly determined to go it without using MDM or you’re really that cash-strapped and you have a small number of employees and devices, here’s what you need to know. (Just don’t say you weren’t warned if you go this route and run into problems or security breaches.)
The basic component for managing devices is the configuration profile; it’s an XML file that specifies the various options you want to set up. These profiles have been around since the iPhone 3G launched in 2008 (two years before MDM even existed). These files also underpin MDM configuration, but you get a much broader selection of configuration options and an easier interface via MDM.
Apple Configurator for Mac is a free tool available in the App Store. There is an iPhone version as well that’s used to enroll devices if they’re not eligible for zero-touch deployment — typically, devices bought outside of a business purchase from Apple or an authorized reseller. (The Mac version can also be used for this purpose.)
The latest version of Apple Configurator supports the management of iPhones, iPads and Apple TVs, but — cautionary alert — it does not support managing Macs. (This is another downside to manual device management.)
Apple Configurator allows you to create a blueprint for various device types and to create configuration profiles with a simple-to-use GUI. You can then assign your profiles to blueprints. Configurator also lets you prepare devices to receive configuration profiles; back up and restore devices; determine whether they will work using Apple’s Supervision functions, which provide some additional control over devices; and install apps.
Once you’ve set up blueprints and added configuration profiles and apps, you’ll need to connect each device via a USB-to-Lightning cable (for older devices) or with a USB-C cable (for newer devices) and then assign the device to a blueprint. When preparing a device for Apple Configurator, you can choose to remove various steps in Setup Assistant (just as in MDM). You can also set the device name, wallpaper, and home screen layout.
Managing Macs works essentially the same way — by building configuration profiles. But you need to hand install them on each Mac. Depending on the payload of the profile and whether a user has local admin privileges, the Mac user might be able to delete installed configuration profiles. Keep that in mind.
Apple Configurator can also be used to revive or restore the firmware of Apple devices (including Macs).
Apple provides a user guide that offers additional details and a walk-through of tasks in Apple Configurator.
So, as I noted from the very start, you can see that it’s certainly possible to manage Apple devices manually. But hopefully, you can also now see that there are too many advantages to managing devices using MDM (or Apple Business Essentials) to do it the old-school way.
From better security to a lighter IT workload and an improved user experience, MDM really can streamline everything needed to keep your fleet of Apple devices up and running.