Device management software recommendations for small organisation

(Jolin Warren) #1

There’s been mention of OurPact, which is device management software aimed at families. I’m supporting a small organisation (around 16 Macs) and they need to be able to wipe laptops and phones if needed. I’m aware of Jamf, but I assume there must be other options and wonder if any on here have recommendations.

We also have Mac OS Server running on a mini, which is currently used to set some configuration profiles on the Macs (and as a file server), so maybe I should just be using this? One complication might be that I think there are some Android phones that would need to be remotely wiped, but I’m still getting confirmation on this point. I wondered if anyone had any advice based on their experience of such things. Thanks!

(Curtis Wilcox) #2

The need to manage non-Apple hardware is an important factor to know. If it’s just Apple hardware, Profile Manager in macOS Server may be sufficient.

What does the org use for email? If they already use Office365, they may already have or could switch to a plan that includes MDM for Office 365, it can do remote wipes. Google’s G Suite can wipe mobile devices too.

The MacEnterprise list is a good place for info and questions about MDM systems, not just for large, “enterprise” organizations (the list is also republished as a Google Group, which can be easier to browse and search).

(Adam Engst) #3

I don’t have much expertise here, but other MDM firms that I see at shows often include Solar Winds and Addigy.

(@lbutlr) #4

I have about that many Apple devices to manage and I do it the old-fashioned way, manually. This is not the best way, but since it’s a family it’s not too bad.

However, I do know people who do this professionally, and they all says that an MDM like Jamf is a “no-brainer”.

(Jolin Warren) #5

Thanks all for the advice. I will find out whether Android phones are an issue tomorrow. I’m slightly wary of using Server Profile Manager mainly because I don’t have my head round it, and the need for keeping on top of SSL Certificates which I don’t feel I’m successfully doing at the moment. I’m thinking that a third-party service might be more reliable and less admin. Another key consideration is that ideally I’d like it to be useable by one or two people in the organisation, instead of relying on me for it.

Thanks, I hadn’t heard of them, so will check them out. If anyone comes across any other services, just let me know.

Thanks, Curtis, but they don’t use either of those to the best of my knowledge. Email is through GreenNet. But I will definitely check out the MacEnterprise list, as I’d always assumed it was for big organisations (have vaguely heard of it but never checked it out).

(Jolin Warren) #6

Having had another look at Profile Manager, it does seem that there’s an easy and straightforward Wipe command, so maybe this will be sufficient. I’ve got it running well enough that the computers are enrolled (and pick up certain settings) with Profile Manager, so they all appear in the web interface and can be wiped (in theory, haven’t tested it).

I just find the certificate issue perplexing. I’m using LetsEncrypt to generate SSL certificates for the server, and have renewed the certificate periodically as needed. But the Trust Certificate provided by Profile Manager still has the original certificate with the original (long past) expiration date, so it shows up as expired. And the configuration profiles are unsigned. So the current SSL certificate is used to secure connections to the server, but doesn’t seem to flow through to the Trust Profile and configuration profiles. Can’t for the life of me figure out how to get them all to use the current certificate. :man_shrugging:

I think I need to join the MacEnterprises list and see if they can help (unsurprisingly, the Apple Support forums were of no use).

(Curtis Wilcox) #7

The Let’s Encrypt FAQ explains that code signing (and email encryption) requires a different type of certificate that it does not issue. Let’s Encrypt is for encrypting data on the move, not for data at rest (macOS profiles, installers, software, individual email messages, etc.).

(Jolin Warren) #8

Ah, thanks, that makes sense. The whole certificate area is one I find very confusing, so though this probably seems basic, I wasn’t aware of that. What I don’t know is how the Trust Profile certificate was originally created and how to update it. But now I know it’s not related to Let’s Encrypt, I can do some digging. Thanks so much, Curtis.