Choose a mobile device management solution
What is mobile device management (MDM)?
iOS, iPadOS, macOS, and tvOS have a built-in framework that supports mobile device management (MDM). MDM lets you securely and wirelessly configure devices by sending profiles and commands to the device, whether they’re owned by the user or your organization. MDM capabilities include updating software and device settings, monitoring compliance with organizational policies, and remotely wiping or locking devices. Users can enroll their own devices in MDM, and organization-owned devices can be enrolled in MDM automatically using Apple School Manager.
How does MDM work?
After the enrollment profile is approved, either by the device or the user, configuration profiles containing payloads are delivered to the device. You can then wirelessly distribute, manage, and configure apps and books purchased through Apple School Manager. Users can install apps themselves, or apps can be installed automatically depending on the type of app it is, how it’s assigned, and whether the device is supervised.
What is supervision?
Supervision generally denotes that the device is owned by the organization, which provides additional control over its configuration and restrictions.
For more information, see About Apple device supervision in Apple Platform Deployment.
Considerations when selecting an MDM solution
There are many MDM solutions available from a variety of third parties. You should evaluate which aspects of MDM are most important to your organization—including hosting options and pricing—before you choose a solution. The tips below can help with your decision.
Tip: It’s vitally important to select the appropriate MDM solution before your deployment. Changing mid-deployment may require you to erase each device and reenroll it.
Locally hosted or cloud-hosted: An MDM solution can be hosted on a local server or in the cloud. MDM is a lightweight HTTPS-based protocol that can manage devices anywhere in the world with low data-traffic impact, making it well suited for cloud hosting. If your organization chooses a cloud-hosted or internet-hosted solution, many of the MDM configuration steps described in this reference can be considerably reduced or eliminated entirely.
Device support: Some MDM solutions are built with in-depth support for specific Apple device types (for example, only Mac computers or only iPhone devices), while others offer cross-platform support. You can choose a mix of MDM vendors so each device type is supported with a specialized solution. Automatic assignment by device type in Apple School Manager makes this simple. Or choose an MDM vendor that supports all Apple device types used across your organization.
Education-centric functionality: Some MDM vendors offer functionality designed specifically for education environments. Make sure your MDM vendor supports solutions such as Apple School Manager, Classroom, Schoolwork, Shared iPad, and all the education features introduced with the latest versions of Apple operating systems the day of the launch.
Query and reporting services: An MDM solution can query Apple devices for a variety of information, including hardware serial number, device UDID, Wi-Fi Media Access Control (MAC) address, and FileVault encryption status (for Mac computers). It can also query for software information, such as device version and restrictions, and list the apps installed on the device. This information can be used to ensure that users maintain the appropriate apps. iOS and iPadOS allow queries about the last time a device was backed up to iCloud, and about the app assignment account hash of the logged-in user. In tvOS, MDM can query enrolled Apple TV devices for asset information such as language, locale, and organization.
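The query described above is sent as a DeviceInformation command and answered with a plist. This added example (not Apple's or any MDM vendor's code) builds such a command with the query keys the paragraph names and turns a constructed reply into a compliance summary; the sample reply values are placeholders, and the minimum-version rule is an assumption for illustration.

```python
"""Added example: build an MDM DeviceInformation command and summarize a reply."""
import plistlib
import uuid

# Query keys from the MDM protocol for the items the text lists
# (serial number, UDID, Wi-Fi MAC, software version, iCloud backup, account hash).
QUERIES = ["SerialNumber", "UDID", "WiFiMAC", "OSVersion", "DeviceName",
           "LastCloudBackupDate", "iTunesStoreAccountHash"]


def build_device_information_command() -> dict:
    """Return the command dictionary the MDM server would serialize and push."""
    return {
        "CommandUUID": str(uuid.uuid4()),
        "Command": {"RequestType": "DeviceInformation", "Queries": QUERIES},
    }


def summarize_response(plist_bytes: bytes, min_os: str) -> dict:
    """Parse a device's DeviceInformation reply and flag compliance gaps.

    min_os is an assumed organizational policy, not an MDM protocol field.
    """
    reply = plistlib.loads(plist_bytes)
    if reply.get("Status") != "Acknowledged":
        raise ValueError(f"device reported status {reply.get('Status')!r}")
    info = reply["QueryResponses"]
    os_tuple = tuple(int(p) for p in info["OSVersion"].split("."))
    min_tuple = tuple(int(p) for p in min_os.split("."))
    return {
        "serial": info["SerialNumber"],
        "wifi_mac": info["WiFiMAC"],
        "os_current": os_tuple >= min_tuple,
        # A device that never backed up to iCloud omits LastCloudBackupDate.
        "backed_up": "LastCloudBackupDate" in info,
    }


# Constructed sample reply (not a capture); every value is a placeholder.
SAMPLE_REPLY = plistlib.dumps({
    "Status": "Acknowledged",
    "CommandUUID": "cmd-placeholder",
    "UDID": "00008030-000000000000000E",
    "QueryResponses": {
        "SerialNumber": "C02PLACEHOLDER",
        "UDID": "00008030-000000000000000E",
        "WiFiMAC": "00:11:22:33:44:55",
        "OSVersion": "17.2",
        "DeviceName": "Lab iPad 1",
    },
})

if __name__ == "__main__":
    print(plistlib.dumps(build_device_information_command()).decode())
    print(summarize_response(SAMPLE_REPLY, "17.4"))
```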
Vendor support access and policies: MDM is a mission-critical service. You need to evaluate the support, services, and training your MDM vendor provides.
Based on your criteria, you can create a short list of MDM solutions and set them up on a trial basis with just a few test devices to evaluate which solution best meets your needs before making a final decision. Apple School Manager allows you to connect with more than one MDM solution, and assign devices to different servers as needed. For more information, see the video Choosing an MDM Solution.
Network requirements for your MDM solution
When installing and configuring your MDM solution, consider how you’ll configure the network, Transport Layer Security (TLS), infrastructure services, Apple services, and backup.
When you install a locally hosted MDM solution, you need to configure all of the following items. Configure and test each one early in the process to ensure a smooth deployment. If your MDM solution is externally managed or hosted in the cloud, your MDM vendor may handle many of these items on your behalf:
DNS: An MDM solution must use a fully qualified domain name that can be resolved from both inside and outside the organization’s network. This lets the server manage devices whether they’re connected locally or remotely. In order to maintain connectivity with clients, this domain name can’t change.
IP address: Most MDM solutions require a static IP address. The existing DNS name must persist if the server’s IP address is changed.
Configure MDM with TLS: All communications between Apple devices and the MDM solution are encrypted with HTTPS. A TLS (formerly SSL) certificate is required to secure these communications. Don’t deploy devices without a certificate from a well-known certificate authority (CA). Note the expiration date and make sure to renew the certificate before it expires.
Firewall ports: To enable both internal and external access to the MDM solution, certain firewall ports must be open. Most MDM solutions accept inbound connections using HTTPS on port 443. Both the MDM solution and the devices must communicate with the Apple Push Notification service (APNs). Prior to November 2020, MDM solutions used ports 2195 and 2196 with APNs; clients use port 5223. After November 2020, MDM solutions use port 2197.
Tip: Your MDM solution may host Activation Lock escrow keys and bypass codes, macOS bootstrap tokens, and other unique pieces of data important to continuity of device access. For this reason, make sure you have a robust disaster recovery strategy for your on-premises MDM installation. It’s recommended that backups and restores be tested regularly.
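The DNS, TLS, and firewall items above are the ones most often found broken only after devices are already enrolled. This added example (not Apple's or any MDM vendor's code) is a preflight check for them: it verifies the MDM name resolves, computes days left on the server certificate, and tests the APNs server-side ports named above. The MDM host name is a placeholder; the resolver and connector are injectable so the decision logic can be exercised without a network.

```python
"""Added example: preflight checks for MDM DNS, TLS expiry, and APNs reachability."""
import socket
import ssl
from datetime import datetime, timezone

MDM_FQDN = "mdm.example.edu"  # placeholder; use your MDM server's FQDN
# APNs endpoints an MDM server contacts (port 2197 after November 2020, or 443).
APNS_ENDPOINTS = [("api.push.apple.com", 443), ("api.push.apple.com", 2197)]
CERT_FMT = "%b %d %H:%M:%S %Y %Z"  # format ssl.getpeercert() uses for notAfter


def resolves(fqdn, resolver=socket.gethostbyname):
    """DNS: the name must resolve; run this once inside and once outside the network."""
    try:
        return bool(resolver(fqdn))
    except OSError:
        return False


def cert_days_remaining(not_after, now=None):
    """TLS: days until expiry; both arguments use the getpeercert notAfter format."""
    expiry = datetime.strptime(not_after, CERT_FMT).replace(tzinfo=timezone.utc)
    current = (datetime.strptime(now, CERT_FMT).replace(tzinfo=timezone.utc)
               if now else datetime.now(timezone.utc))
    return (expiry - current).days


def fetch_not_after(host, port=443):
    """Connect with real TLS (chain verified) and return the certificate's notAfter."""
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=5) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert()["notAfter"]


def port_open(host, port, connect=socket.create_connection):
    """Firewall: a TCP connect succeeds only if outbound access is allowed."""
    try:
        connect((host, port), timeout=5).close()
        return True
    except OSError:
        return False


def preflight(fqdn, not_after, now=None, apns=APNS_ENDPOINTS,
              resolver=socket.gethostbyname, connect=socket.create_connection):
    """Return a list of problems to fix before deployment; empty means ready."""
    problems = []
    if not resolves(fqdn, resolver):
        problems.append(f"DNS: {fqdn} does not resolve from this network")
    days = cert_days_remaining(not_after, now)
    if days < 30:  # assumed renewal threshold
        problems.append(f"TLS: certificate expires in {days} days; renew it now")
    for host, port in apns:
        if not port_open(host, port, connect):
            problems.append(f"Firewall: cannot reach {host}:{port} (APNs)")
    return problems
```

Run `preflight(MDM_FQDN, fetch_not_after(MDM_FQDN))` from inside the network and again from outside it; client devices additionally need outbound port 5223 to APNs, which this server-side check does not cover.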