Apple and the enterprise: A complicated relationship
The iPhone before it was enterprise-ready
While Leopard Server was quietly changing Apple’s approach to the enterprise, the original iPhone—clearly not an enterprise product—was released. A year later, in 2008, Apple began to give the iPhone some enterprise chops. In addition to launching the iPhone 3G and the App Store, which would revolutionize smartphone software development across the board, Apple included two important capabilities in what was then called iPhone OS 2. The first was support for Exchange Active Sync. This allowed access to key Exchange features, including push notifications; the enforcement of a handful of security policies through Exchange; and the ability to remotely wipe lost or stolen iPhones.
The second change was configuration profiles. These XML files, which could be created from scratch or by using the iPhone Configuration Utility, were the first method Apple offered for IT departments to pre-configure user iPhones, provision them with security certificates, and impose a range of restrictions on what a user could do with a managed iPhone. The process of deploying configuration profiles was cumbersome because they either needed to be installed by hand, emailed to users, or hosted on an company’s intranet—not an ideal solution to iPhone management. Seen through the lens of a BlackBerry-dominated enterprise, the Apple process looked crude and resource intensive. But it was a beginning and one that foreshadowed the iPhone as an enterprise device.
iOS 4, mobile management and third-party solutions
Three months after releasing the iPad in 2010, Apple shipped iOS 4—it was the most significant iOS upgrade yet from an enterprise perspective. iOS 4 answered many of the enterprise IT complaints about the iPhone and iPad. In addition to the basic Exchange policy support introduced two years earlier, Apple unveiled broad security and device management capabilities.
The security advantages alone were a big deal and included APIs that allowed developers to easily create encrypted data stores on a device. That made it possible for enterprise apps (and even some consumer apps) to store content in a secure manner. Even if the device itself wasn’t passcode protected, the data within an app could be secured if that the device was lost or stolen.
The bigger news, however, was Apple’s mobile device management (MDM) framework. Although based on the existing configuration profiles, Apple’s MDM system made it possible to apply policies directly over the air and query devices for a range of information, including what configuration profiles and apps were installed. The release also offered several new management and feature restriction capabilities. While Apple hadn’t replicated the classic BlackBerry system with its 500+ management options, it did cover the most important areas, making it possible for enterprise IT to comfortably support iOS devices.
An even more important aspect to iOS 4’s MDM model was that Apple opened it up to third-party vendors instead of creating a single and proprietary Apple management console. In fact, it wasn’t until a year later that Apple shipped its own MDM solution when it released Lion Server. That’s significant because it was the first time Apple adopted a truly a hands-off approach to enterprise IT. The result was an explosion of mobile management vendors offering the ability to manage iOS devices in enterprise environments. While each company provided essentially the same core management capabilities, they differentiated based on a variety of factors, including support for other mobile platforms, IT-focused integration features and additional capabilities based on an agent that could be installed on a device.
Apple pulls out of the data center
A few months after unveiling a device management model that put other enterprise vendors at the heart of Apple’s iOS business strategy, the company did something that sent shockwaves through its business and education markets: it canceled its last piece of enterprise hardware, the rack-mounted Xserve server. When a Mac IT professional emailed then-Apple CEO Steve Jobs to complain, he responded with one of his brief and blunt emails saying that no one was buying the Xserve (at least, not in quantities large enough for Apple to continue advancing the line).
The move was further evidence that Apple had decided not to compete with long-time enterprise vendors. Instead, it focused on making its products the best enterprise citizens possible—through built-in functionality or through support for third-party vendors. It was a shrewd strategy and it allowed Apple to focus on business users directly rather than IT departments that had rarely paid attention to, or even noticed, Apple’s enterprise solutions. Unfortunately, it also pulled the rug out from under some long-time customers that had fully invested in Apple’s end-to-end enterprise approach.
Although Apple pulled out the data center, it didn’t stop developing its server platform. The company marketed the Mac Pro tower and the Mac mini as server options, including a specially configured Mac mini designed as a server. The focus, however, had shifted to the small business market and away from the enterprise. This was painfully clear when Apple released Lion and Lion Server during the summer of 2011.
After installing the low-cost Lion Server, which had become an add-on to Lion itself rather than an independent product, long-time Mac sysadmins were in for another shock. Server Admin, the advanced server administration tool in OS X Server, was effectively gutted; the new Server app that replaced Server Preferences was clearly intended to be the primary management interface of OS X Server.
Mountain Lion Server streamlined management further by removing Server Admin completely and building any functionality left in the Lion Server version of Server Admin into a more robust version of the Server app. Mountain Lion Server still supports Open Directory as an enterprise identity server—it is a required service option when hosting some services like Profile Manager. The overall message, however, is clear: OS X Server is no longer destined for the enterprise data center.
Apple’s light-handed approach to enterprise integration
With Lion and Mountain Lion, Apple began to bring iOS technologies and features to the Mac. There are a number of very visible examples of this cross pollination: full screen apps, integration with Apple’s push notification service and Notification Center, multi-touch gestures, the Mac App Store, deep integration with Twitter and Facebook, and Game Center. A far less visible change was support for iOS-style configuration profiles, which Apple introduced in Lion alongside Profile Manager, a basic mobile device management service included with Lion and Mountain Lion Server.
Although Lion supported configuration profiles, their capabilities weren’t as robust as in iOS and they didn’t offer much in the way of enterprise identity or user account management. What they did offer was the ability to manage a range of settings and restrictions for individual Macs. They could be used to streamline the setup of multiple Macs using the new Profile Manager service, a third-party product, or by simply installing them manually. That last process is simple: opening the profile on a target Mac installs it and adds a System Preferences icon for managing it.
In Mountain Lion, the capabilities of configuration profiles expanded significantly. They gained the ability to manage virtually every facet of OS X or installed applications. The new abilities matched all of the options available through Open Directory and support for enterprise identities and user accounts, but in a much more lightweight fashion.
The complete move to configuration profiles, which consist of XML data, gave systems administrators the option for managing the OS X user experience without needing any complex relationship to an enterprise directory service. In effect, it separated Mac management from identity management and authentication. Just configure a basic connection to Active Directory using Apple’s AD plug-in to support authentication of Active Directory users and then deploy configuration profiles as a separate step and you’re done.
Apple extended the Profile Manager service in Mountain Lion Server to support this new management model. The result was an easy-to-use GUI for creating configuration profiles and using them to manage enrolled Macs.
Apple made one more significant change in its shift to configuration profiles as a Mac management solution: it added the the MDM framework introduced in iOS 4. That made it possible for every mobile management vendor that supports iOS management to also support Macs in the same way. As a result, IT pros can now manage Macs using the same tools they use for mobile devices and they can manage a user’s enterprise identity with standard Active Directory tools.
Over the past 15 years, Apple has worked, and at times struggled, to figure out the best way to integrate its products into enterprise environments. Perhaps the biggest stumbling block has been how to approach a user’s enterprise identity—how to authenticate users and deliver single sign-on; offer enterprise-grade Mac and iOS management solutions; and deliver a system that avoids placing a burden on enterprise IT. The current model is a good one, but there are improvements needed for both iOS and OS X. Soon, I’ll offer a look at how Apple is further integrating enterprise identity support in both iOS 7 and OS X Mavericks and why it will appeal to enterprise and Apple IT professionals.