Device imaging in the IT world has been commonplace for a very long time. It’s the process of taking a purchased laptop/desktop and applying a custom setup before deploying it to the end-user. This custom setup will include items like corporate applications, corporate policies, etc. Once a custom image has been applied to the machine, it can then be deployed to the end-user. For many years, this practice has been the standard operating procedure for corporate IT departments. For Apple organizations, imaging is dead, and the device enrollment program is now the process IT departments should be using.
About Apple @ Work: Bradley Chambers has been managing an enterprise IT network since 2009. Through his experience deploying and managing firewalls, switches, a mobile device management system, enterprise-grade Wi-Fi, 100s of Macs, and 100s of iPads, Bradley will highlight ways in which Apple IT managers deploy Apple devices, build networks to support them, train users, stories from the trenches of IT management, and ways Apple could improve its products for IT departments.
I just finished up deploying 50 of the 2020 MacBook Airs to our faculty, and it was my first time moving away from “imaging” the devices to letting Apple School Manager and Jamf School handle all of the equipment setups. This process is called zero-touch deployment, and I wrote about it recently in terms of how it will change with employees working from home.
IT departments are continually being asked to do more with fewer resources, so simplifying the device deployment process is critical in the future. Instead of having to unbox every single device, apply the image, and then deploy, all you have to do is hand the employee an unopened box. Yes, you read that right. With Apple’s device enrollment program, Apple has created a deployment system for IT departments that scales from ten employees to ten thousand.
How Device Enrollment Program simplifies device deployment
I want to explain how the device enrollment program works when I talk about zero-touch deployment through Apple School Manager. When an organization purchases a device, it generally buys directly from Apple. When the device ships, its serial number gets assigned to that organization’s “Sold To” account number with Apple. That Sold To account number is then attached to the organization’s instance of Apple School Manager or Apple Business Manager. The information from ASM or ABM will then sync over to the organization’s mobile device management solution. This process happens over a few minutes in the background, before the device even arrives at the organization’s location.
When the device arrives and is handed to an employee, they might be wondering how everything gets set up. Every piece of Apple hardware goes through an activation process with Apple. When the device connects to a network, it talks to Apple’s activation servers. Apple’s activation servers recognize that it’s a corporate device and hand it off to the MDM for enrollment. Before the user can select any settings, the device gets enrolled in the MDM. The MDM then starts applying policies and installing applications in the background. This process happens so fast that when Zoom was preinstalled on our machines, its settings window popped up before the computer had even finished with the initial setup wizard.
Once the end-user gets logged in, all of the corporate settings are applied through configuration profiles, and the apps have been installed. All of this happened without an IT person to set it up. If an organization is using something like Jamf Connect for identity management, that process happens inline. If not, an MDM solution can install a secondary administrator account so IT can access the device behind the scenes to update anything.
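Because nobody from IT touches the machine in this flow, it helps to be able to confirm afterwards that a Mac really enrolled through the automated path rather than by hand. The script below is an added example, not part of the original article: it classifies the text printed by macOS's `profiles status -type enrollment`; the state names and the sample output are constructed for illustration.

```shell
#!/bin/sh
# Classify the text printed by macOS's `profiles status -type enrollment`.
# On a Mac:  profiles status -type enrollment | classify_enrollment
# State names below are labels chosen for this example.
classify_enrollment() {
    awk -F': *' '
        /^Enrolled via DEP:/ { dep = $2 }
        /^MDM enrollment:/   { mdm = $2 }
        END {
            # Missing lines mean the output was not what we expected.
            if (dep == "" || mdm == "") { print "unknown"; exit }
            d = (dep ~ /^Yes/); m = (mdm ~ /^Yes/)
            if (d && m)  print "zero-touch"       # automated enrollment
            else if (m)  print "manual-mdm"       # enrolled by hand
            else if (d)  print "dep-without-mdm"  # needs investigation
            else         print "unmanaged"
        }'
}

# Constructed sample output (the server URL is a placeholder).
sample_zero_touch() {
    printf '%s\n' \
        'Enrolled via DEP: Yes' \
        'MDM enrollment: Yes (User Approved)' \
        'MDM server: https://mdm.example.invalid/enroll'
}

sample_zero_touch | classify_enrollment
```

Run across a fleet, anything other than `zero-touch` on a device bought through the organization's Apple account is worth a follow-up.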
Wrap-up
In my eyes, device imaging is now dead. Setting up devices ahead of time is a legacy process. Using Apple’s device enrollment program through Apple School Manager and Apple Business Manager turns deployment season into something as simple as ordering equipment and handing out unopened boxes to employees. All of the corporate settings will be applied without using any further IT department resources.