Talking MDM with Tom Bridge

Guest: Tom Bridge, Principal Apple Product Manager, JumpCloud  

Episode Description

Leading Apple industry speaker and practitioner Tom Bridge joins host Ryan Bacon on the podcast for a second time to talk about the evolution of mobile device management and the future of MDM, as well as Tom’s new role at JumpCloud.

Listen to this episode of Where’s The Any Key? to learn more about how MDM started, the direction Apple is taking it, and important things to keep in mind when using an MDM tool to manage your Apple fleet.


The following is a transcription of an episode of our podcast, Where’s The Any Key? Feel free to reach out with any questions you may have in response to this recording. You can find our show on Apple Podcasts, Spotify, and wherever podcasts are available.

Ryan Bacon: Welcome to Where’s The Any Key? The podcast where we talk shop about topics, tips, and trends for the modern IT admin. I’m your host, Ryan Bacon, the IT support manager at JumpCloud. 

Introducing Tom Bridge 

Ryan: Joining me again is Tom Bridge. He is a producer on the Mac Admins podcast, as well as one of the newest additions to the JumpCloud team. Tom came on to be the principal product manager for our Apple products. Welcome again, Tom. In more ways than one!

Tom Bridge: Hey. Thanks, Ryan.

Ryan: Welcome to the podcast.

Tom: It’s great to be back. It’s great to be here. I’m really excited about joining JumpCloud. I’ve had a 20-year career in IT. And the last 15, I’ve been one of the top partners at Technolutionary, here in Washington, focused on small and medium businesses. I mean, essentially focusing on their Apple lifespans, right? Going from, Macs are the only things we have to worry about, to, okay, there’s this new iPhone, and dealing with all of that stuff. Then the iPad, then the Apple TV, then all of these things that represent the Apple landscape in the corporate environment.

So going from no iPhones to, okay, we need mobile device management, to, okay, now there’s a new type of mobile device management for iPads. Now there’s a new kind for Macs too. It’s been a crazy 15 years. It’s been an incredible experience. I couldn’t be more happy to be bringing all of that experience to the JumpCloud team, and to work on the product because it’s not just been a place where I have been just a Mac admin out in the wilderness. I’ve been a JumpCloud customer for five or six years now. So I’m excited to be joining this team now.

The Evolution of Macs in the Business World

Ryan: It has been a very interesting journey for Macs in the business space. You brought up MDMs, and that’s really what we’re going to talk about today. But I remember, it wasn’t that long ago when Macs, in the business world, you were either some sort of designer.

Tom: Right, yep.

Ryan: Or you were an exec who just had to have a Mac, and you were a pain in the neck of every IT admin out there. And it’s changed dramatically in a fairly short amount of time. I mean, like you said, you’ve been living in this. The vast majority of my career, up until JumpCloud, has been Windows with trying to shoehorn Macs into the environment as infrequently as possible, trying to avoid it as much as you can. And it’s because Apple never really cared about the business sector until fairly recently.

Tom: Right.

Ryan: So getting that to work was always a challenge. But with MDMs, with the ever-growing set of tools that are out there, it’s not that difficult anymore. And frankly, I would rather manage a fleet of Macs now, than a fleet of Windows systems.

Tom: For sure. I have spent a lot of time around Windows IT, I’ve spent … Because every small business, whether they say they’re all Mac or not, they’ve got Windows somewhere in their enterprise, right? Usually it’s accounting, usually it’s the data folks who will just not give up Excel for Windows. But the strength of their tool chain over the last 20 years is nothing short of astonishing. I mean, when you think about Active Directory and Active Directory’s roots within management systems, and you look at all of the technologies that Microsoft has brought to play, sure. I was going to say, there’s a huge wealth of opportunity there. But if you look at how Apple’s done it instead, they’re really enabling other people to provide the management frameworks.

Ryan: Right.

Tom: So they’re allowing for a lot more innovation in the field. So essentially, instead of having an ossified structure, what you’ve done is you’ve provided people the blueprints for a room inside of a house. So it’s up to the product manufacturer at that point, to really take those blueprints, study them, figure out what they want to keep and what they don’t, and then build tools on top of them. So you see an incredibly rich marketplace of mobile device managers out there right now.

It’s a very mature market in a lot of ways, which is really fun. But every now and again, we get somebody brand new in the space as well, who’s got a different take on things. And it’s really exciting to be in this space now. I would much rather manage Macs than, literally, anything else. I take that back. Managing iOS is a great joy as well, it’s just a very different problem landscape. And I feel like you’ve got really two choices at that point. Are you dealing with BYOD devices? Are you dealing with company owned devices? And how you respond to that is different based on that result.

Ryan: Yeah, definitely. You’re talking now, innovation in the field and how Apple is facilitating that, completely, the opposite direction of what Microsoft did with AD. And I think that that really is the way to go. I mean, it used to be … AD was your only choice.

Tom: Right.

Ryan: That was it. But now, when you’re looking at MDMs, you have … Over the past several years, there’s just been an explosion of offerings available. And until I really started working with Macs more, I never really looked at it because I never needed to. Every place I looked, for phones, it was BYOD. And like I said, it was Windows other than a couple of outliers. So my experience was Windows with a little bit of SCCM thrown in there for the configuration and app management, and stuff. I’ll divert from talking about SCCM before I start having flashbacks.

Tom: Well, this is a family friendly podcast, Ryan. And that sort of language … No, I’m just giving you a hard time, because I know what kind of language comes up in my mind when I start thinking about those things.

Ryan: When I started playing with MDMs and those solutions, it was a completely different experience. It was like, oh, this is neat. You add in stuff like VPP, and the ability to do custom apps and that sort of thing. And I still consider myself maybe a little bit of a step above a novice when it comes to MDMs, because there are certain things that I’m still learning, especially when it comes to the custom packages and stuff like that.

Tom: Sure.

Ryan: But what I learned, the stuff you can do with zero payload packages, and all of that stuff, my mind was blown. I think back to trying to do boot scripts and GPOs, and all this other stuff to try to get your systems and environments where you wanted to. But then now I feel like you have so much more control, or at least you have the ability to do more types of things.

Tom: Well, sure. And I feel like the different types of things is what’s most fascinating, right? I feel like we get MDM profiles for settings that we want to lock in place, and certain security things like FileVault where we can say, “Cool, put this profile down on the machine. Now that’s going to require the user to accept the encryption process. And then it will give me the backup key as the mobile device on the backside.” So we get some of those cool enablements, but Apple is also smart enough to say, the root user is present on the machine.

It does system tasks, it does useful things. And wouldn’t it be cool if you could actually build an agent that can interface with that, and do useful things on behalf of an organization that aren’t necessarily MDM capable yet. Or to run scripts, to essentially lock some settings into place, or to do remediations when remediations are required. I think here of an organization that maybe isn’t using a mobile device manager, but they want to keep an eye out, to make sure that the PF firewall stays on the Mac.

So to be able to use root agents to do those kinds of things is an incredibly powerful option. And that’s a big part of the management scheme these days, is having something on the machine that can do jobs for you, right? We always think about this as a landscape that allows for automation, and that allows for automatic remediation of defects, for example, so that if your users maybe get into trouble on their own, maybe you want to have some tools that’ll stand the guard rail, stand the bike back up, let’s get up and then push it down the street again. Right? That’s what I think about with the different frameworks that are available for managing Macs.

Tom’s MDM Journey From Meraki to JumpCloud

Ryan: Yeah, definitely. I’m going to take a step back, and I want to hear about your experience, your journey with MDMs.

Tom: Sure.

Ryan: Like I said, I’m fairly new, but you’ve been in this game for quite some time.

Tom: Yeah. There are a ton of MDMs out there, which means that there are a ton of different options. And we were unique in our consulting agency, that what we were doing was essentially presenting a catalog of MDMs and saying, “Any of these MDMs that we present here are ones that we will support use.” That started out at the time with Meraki Systems Manager, with a veritable offering that’s been around for a good long time, from the folks at Cisco Meraki, even before they got bought by Cisco. Right? So we’d opened a Profile Manager, which is the one that Apple builds you as a … Like a demonstration build, right? It’s the model house in the neighborhood. Sure, the cabinets are on backwards and upside down, but you get the idea of how these things function and work together.

You had a demonstration MDM. And they encourage people to get their feet wet, but maybe not use it in production, which is smart because, eventually, the database eats itself. And then you’re left sad and alone, re-imaging all the iPads again. So I’m not saying this from direct experience, I’m saying this from sad, unfortunate weekend, direct experience. But when Meraki Systems Manager came out, it was very straightforward to enroll a device and have a bunch of profiles come down. One of our clients was using it to manage a series of iPads that act as signs, right? And it runs in a custom FileMaker database on the iPad. So what we were using it for was to keep those iPads physically attached to the wall. And if they were physically disconnected from the wall, and left the network, well, they were very fancy bricks.

That was one of our deployments at that point, was to put these things into autonomous mode where you can slop down an app and force the user into it. But even that is a recent development. In the battle days of MDM, the amount of things that you could do, even going back to iOS 4 and iOS 5, really before they were iOS at that point, was very limited. Right? So what you wanted to make sure was, if a device went for a walkabout and you found out before it got off the network, you could kill it. Or if it showed up again, you could kill it again. That was really the genesis of the MDM space. So the feature set has gotten a lot more broad and wide, over the last 10 years.

But I think of time spent with Meraki Systems Manager, with SimpleMDM. And SimpleMDM’s purposefully designed feature set, I think is probably the best way to phrase it, as well as, Workspace ONE. I’ve spent time on each of those. I’m JAMF certified. I’ve managed that, not in production, but in test environments and things along those lines, but have a wealth of JAMF experience. In some cases, looking over shoulders, in some cases, working in test beds and sandboxes, to make sure that the needs of the organization are being met as that moves toward production. And then, of course, there’s always new MDMs out there. Mosyle made a splash on the scene a few years ago when they came out. And they’re doing it again now, with their new Fuse product. I think at one point, I think we counted, between Profile Manager and the rest, I think we had a half a dozen MDMs in production.

So figuring out where the limits of MDM management are, is probably the most important thing you can do as an IT admin. And then figuring out what’s important for you, from those lists of application tools is a big part of what happens next. And then once you’ve figured out everything that you think you have to manage versus everything that an MDM can do, you’re going to realize that there are some gaps there. So what you have to build on top of that is all of the shim network of payload-free packages, like you were talking about, and scripts, and other return-to-service tools. Things that maybe MDM isn’t the most adequate at doing.

Ryan: We normally don’t talk much about the JumpCloud product on this podcast, unless it comes up normally. With your experience and your new role at the company, I think this is a good time for some speculation, some talking about pipe dreams, or maybe more realistic than pipe dreams. But this is just where we could talk … I think it’s … Monday. Coffee’s almost kicking in.

Tom: Yeah, I’m with you, and I’m two hours ahead of you. I had to go downstairs at 11:00 because I was like, “I need the last cup from the bottom of the French press because this is going to be a tough day, otherwise.”

Ryan: Okay. I think that something that we can provide is, not only some insight into what it’s like to introduce a new MDM, because the JumpCloud MDM is almost a year old.

Tom: Right.

Ryan: And it was something where, I remember early on, there were talks about it. And I would like to talk about that some, but then also move on into where we would like it to go in the future, maybe some speculation. Obviously nothing official. Disclaimer, this is just two guys …

Tom: Two guys talking.

Ryan: Two guys talking. No product promises here, or anything like that.

Tom: Sure.

Ryan: I really started looking into MDMs early on in my JumpCloud career because it’s like, okay, how will we manage … I was mainly looking at it for software deployment.

Tom: Sure.

Ryan: What can we do? One of our previous people, Scott Reed, did a lot of work on a true Zero-Touch deployment with JAMF. And he demoed that for me, fairly early on. It really opened my eyes to what was possible with an MDM solution, integrated with a directory solution, all of this stuff, and what that could look like. So I really started diving into MDMs at that point, mainly from the lens of, what can I do to help me?

Tom: Right.

Ryan: And that’s also when I would talk to our product team and stuff like that. And they were like, “Well, what are some features you would like to see on here?” I’m like, “I want MDM support. I want us to be an MDM.” That was on my wishlist for a long time. And how it started off was, they started doing, I’ll call it casual exploration.

Tom: Sure.

Ryan: Like, what would be involved with it? It was not a high priority until the murmurings of Big Sur.

Tom: Yeah, because the summer before Catalina, so this is … Now we’re Big Sur in production. I’ve been there for six months. So let’s go back two years. Apple gets up and says, during the middle of WWDC, not in the keynote because management features don’t make the keynote. They barely make the state of the union, which is the second big talk, but they did that year. And they basically said, “We’re really focused on the use of MDM protocol to deliver these profiles. And in a future version of the operating system, you will not be able to do this directly anymore.” And what Apple was trying to say at that point was, if you’re installing mobile configuration profiles through root agent use, which is how pretty much everybody was doing it. Munki was doing it that way, other software products were doing that. JumpCloud was doing it that way. You’re going to lose that feature without the user’s approval.

So what came out, Big Sur, obviously, was a situation where if you just try and use the profiles command on your command line to install a mobile configuration profile, you get an experience that is immediately familiar to anybody in iOS land, which is, this has downloaded a profile. Are you sure about that? Because profiles can do some pretty wacky things. So how about we make that user approve profiles? That’s what we get in Big Sur. And obviously that breaks a few things. For example, JumpCloud was doing that for FileVault 2 enablement. So essentially, if JumpCloud was saying, “Here is your FileVault key, or your FileVault settings, and this is where you should send your recovery key,” that key redirection profile was being installed by the root agent with the profiles.

Well, that doesn’t work anymore. Or worse, the user can say, “It’s nice that you think that, but I don’t want to do it.” I run into that problem with my seven-year-old, when it comes to … It’s time to sign into class. And he’s like, “No, I don’t think I’m doing that today.” But you’re just standing there, just a little bit dumbfounded at the wisdom that has just come from the seven-year-old, or the wisdom that has come from your co-worker who is suddenly, “You know what? I’m just not going to do that.” You just stand there. You’re just like, “Okay. Well, we need to have a chat about this.” Right?

Ryan: Yes.

Tom: And that leads us down the path where JumpCloud now has an MDM that’s available as part of it, because they had to.

Ryan: Right.

Tom: And you mentioned Scott Reed. I’ve been talking with Scott since before we presented together at JNUC last year, or two years ago now, 2019, about the prestage prestige. And the challenges that we get to face, as MDM administrators, are also unique and fun. Combining that with identity, I think, that’s going to be a secret weapon for JumpCloud because, essentially, allowing the organization to say, “Cool, I have an organizational chart. I have groups of users. I have all sorts of things here that …” All of that stuff already lives in JumpCloud’s environment. Groups of users are a thing, groups of systems are a thing. Wouldn’t it be rad if you enroll your corporation’s device and you get profiles that are meant for your own security, based on your role?

Groups of systems that are higher security than others, for example, I think is probably the best way to phrase it, so that if you’ve got somebody in engineering, who has direct CodeCommit access to prod, well, guess what? You get a little bit of extra security associated with your environment. And you’ve gotta log in at the desk, on boot, with MFA, not just anything. So if we start to think about the ways in which we can extend that identity into the mobile device management, and into the laptop management that’s all associated with that, boy, that’s really critical. I’m really excited to get to work with Dale and Jeff, and all my other product team folks here, as well as Jared and all the other folks in engineering, to dive deep on this stuff. These were the conversations that Greg Keller and I were having, as he was saying, “Hey, how about you come do this stuff with us?”

That was where I got really excited, because I didn’t want to be a consultant forever. I really didn’t. When we started Technolutionary, I was what? I was 28. I was five years into my job. The organization I was with was about to make a lot of really bad mistakes and I wanted out. I started the consulting firm with my boss because, well, we both still wanted a paycheck after they made all these mistakes. And we were pretty sure that that was going to be something that was going to drastically affect the size of the organization. It did. We got into consulting because it seemed like a good idea at the time, which is never a great way to establish a long term plan, which seems like a good idea. But what we learned in the first five years was a lot more about how businesses work than about how anything else happens.

Ryan: Right.

Tom: And I feel like consulting is about learning what your clients do, as much as providing them frameworks to do it better with computers.

Ryan: Exactly.

Tom: So I think that’s a long-winded way of saying, I was ready for this. The increased focus on mobile device management over the last, five, 10 years, and the opportunity to combine that with the technology that’s really on the rise still, which is identity management, and is only going to get more important here in the … I mean, I don’t think we’re quite in the post pandemic world yet, but anybody over 16 can sign up for their vaccination appointment, which is rad. So I feel like we are turning the corner on all of this in a new and different way.

A Vision for the Future of Mobile Device Management

Ryan: Yeah, definitely. You touched on this, but my experience with JumpCloud rolling out its MDM features was that … At first it was like, okay, we’re mainly just going to do this to push policies.

Tom: Right.

Ryan: And that sort of stuff. But then they kept adding to it and adding to it. And now we’re looking at things that I didn’t necessarily think of, because when I thought of the Holy Grail of Zero-Touch was that JAMF set up, using post enrollment scripts and LDAP, and stuff like that, which, that Holy Grail still had some significant holes in it. Mainly that a user could mess up the process by putting in the wrong username when creating the local account. So when I started seeing the JumpCloud Zero-Touch, and when I started playing with that, all the extra stuff that’s being talked about, that’s being done, it was stuff that … It wasn’t even on my radar.

Tom: Sure, yeah.

Ryan: I wasn’t even hoping for it. So I’m curious to see you going into this role. If roadmaps, and customer wants and needs weren’t a consideration, what would you do? What would you like to see with that?

Tom: I think that the future is bright for automation. And I feel like automation is a big part of what happens with any organization’s IT systems, because you never want to see IT as a cost center. You always want to see it as enablement. So for any organization, what you want to do is allow them to be flexible and lean. One of the things that we always struggled with, internally, was the internal migration of employees. For example, you’ve got a staff of 50, and you might have a couple of people every year who are switching teams, who are going on in new roles, who then, it’s a whole big ticket system to make sure that they get from point A to point B, and that they might have different tooling needs on their laptops.

So for an organization to just say, “Okay, cool. So-and-so is moving from engineering to product, or so-and-so is moving from marketing to product.” Well, when they do so, you want to be able to rearrange their computer so that it’s now a product computer instead of an engineering machine, or a product computer instead of a marketing machine, and that their identity lifecycle changes as well. They’re changing departments in your HRIS, which can then deliver information to your directory. So if we think about this in JumpCloud parlance, well, great, now the person has a new … They have new metadata in their directory record. Let’s adjust their system as part of their system groups. So pick up any systems associated with that object, shove those into new departmental based roles so that when you go from engineering to product, maybe you lose CodeCommit access, or commit to product access.

And it can change your identity credentials to match, change your software deployment stack as well, because that’s certainly something that a lot of organizations are telling us matters right now, is the ease of software deployments and making sure that the software patch management that’s being done on their fleet gets them to current faster. That’s one of the things that I’m going to be hard at work on, here, over the next period, as we go through a lot of these things. But I think that the adventure of all of this is going to be figuring out ways that this is going to help other Mac admins, and to move those needles forward, and to build in some tools that maybe help them do, not just third party patch management, but first party patch management. So the operating system, for example.

There’s really no great, perfect way to update anymore. Big Sur took away the software update commands that would allow us to point at an internal catalog, for example. And we can no longer use tools like Munki to enforce operating system updates because that’s just not how the world works anymore. Apple has said that it’s their domain and they want to own it, and I’m happy to let them. But at the same time, we also need a way to ensure patch management across the organization because that’s hugely important for system insights and compliance. Because I think here, of the SOC 2 requirements and the CIS Level 2 requirements, all of these things, they say, “You’ve got to have a plan for patch management, for your operating system, so that you can go from where you are to where you need to be in a sane amount of time.”

Ryan: Right.

Tom: That is something that is very interesting to me because MDM doesn’t do it at all. You can enforce an update, but that’s just like grabbing the machine away from the user on the fly, perhaps when they’re least expecting it, in the middle of a presentation to the board or in the middle of a CodeCommit, or in the middle of saving a bunch of things out to disk. They could have the operating system just, blink out on them. And that’s hostile. So we need better tools to manage those kinds of things. Those are what I’m going to be focusing on here, primarily. There’s a lot of work to do in the pipeline. And I’ve been looking at the roadmaps, with the engineering teams. I’m really excited about what I’m seeing in there, and really excited to bring those features here forward. But I think that a lot of what we’re going to be working on is to flesh out the MDM that is present now, as well as build a bunch of better implementations of-

Ryan: Right.

Tom: … what we’ve been seeing up there. Because part of spending a lot of time with different MDMs is that I really like how some things happen on some MDMs. Meraki’s tagging feature is really awesome. Nobody else does that, I don’t know why, because the rest of Meraki maybe isn’t my favorite. But I look at some of the other backend tools that I really enjoy, and I think of all of the things that we’ve built over the last five to 10 years with them, and I’ve got a lot of opinions. I’m really interested in bringing some of that opinion, thought leadership to our teams, to say, “This is what we should be doing. Let’s get it done. Let’s do these things.”

Ryan: I am also really excited to see where this goes. I would say it’s one of the perks of being the internal … Essentially, I’m a customer of JumpCloud. That’s how it is.

Tom: Right.

Ryan: We use the product to manage our company. So as a customer, it’s really neat to see the growth and development, and to get that look under the hood. That’s one of the things that I really love about my job and the opportunity that I have here. 

Thoughts on Apple’s Plans & Limitations

Ryan: You mentioned something, and it made me think. You were talking about how Apple, with its updates and stuff like that, how it’s saying … Apple wants to own all this. So Apple’s procurement of Fleetsmith. What does that say to you? Because I’ll say what it says to me is, when the person who essentially holds the key to the kingdoms like they do, throws their hat in the ring as well, it may just be my cynical nature popping up, but I’m like, “Oh, what does this mean for all of us, everybody, all these vendors out there who are creating, who have MDMs that have to now compete against Apple?” What are your thoughts on that?

Tom: Well, I’m very interested to see what they’re doing with Fleetsmith. And I feel like, in a lot of ways, what they’re trying to do is they’re trying to set the bar. They’re trying to set the bar up off the ground. Because, I mean, that was the thing about Profile Manager, right? It was a reference implementation of the MDM specification. It literally does everything. But doing everything doesn’t make you a good MDM automatically. It just makes you an MDM that does everything, because you do need a reference implementation. So my thought was, well, maybe what they really want is a more forward-looking reference implementation. And Fleetsmith is definitely that. What I was actually wondering is if they weren’t going to offer this as a part of Apple Business Manager to say to small businesses out there that have 10 Macs, “Oh, by the way, we will help you manage them for the first 10 devices, or first 20 devices,” or things along those lines.

I certainly know that Apple was very interested in their engineering group at Fleetsmith. Jesse Endahl, and everybody over there is tremendously smart. I always had a lot of respect for the work that they were doing, especially with their third party application library, which was immediately and unceremoniously sunset, as part of the acquisition announcement. So the challenge there obviously is trying to figure out, really, Apple’s tea leaves, and what are they doing, and why are they doing it this way? This gives us another front to see what they’re doing and what they’re developing. They actually released new features on Fleetsmith the other day.

So I do think that, yes, Apple is throwing their own hat in the ring. They’re saying that they have opinions on how this ought to be done, even though they are the reference or the specification. And I think as long as Apple plays by their own rules, right? Like they played by the rules of the road of the MDM specifications, and don’t privilege their own tool over the open marketplace that they’ve created, or enabled rather, then I think it’s great. Let’s do it. Let’s learn from how Apple thinks that you want to do these things, and have good and created differences as we go through the process.

Ryan: That’s interesting. Hearing it that way does make me feel a little bit better about that prospect. So thank you for that.

Tom: Well, I expect that on the day of that acquisition announcement, there were a lot of MDM manufacturers saying a lot of four letter words that are not appropriate for this podcast.

Ryan: Yeah, exactly. That would be interesting, to see maybe some small scale or limited use MDM integrated into Apple Business Manager.

Tom: Yeah, it seems to be a real stem to stern solution that they think they can offer. Now I still think that they’re struggling to figure out some of their next world, right? Some smart criticisms of Apple, for example, come from some of the organizations that say, “Well, Apple’s not really providing a full identity solution.” And you talk with the Fraser Speirs’ of the world, who were big on one-to-one deployment for Apple devices in their enterprise. What he came to figure out was actually, no, Google gives me better tools for this. I need to manage my organization in a way that’s going to make sense. And he did. So I think that Apple doesn’t always have all the answers, but sometimes they’ve got a pretty good set.

Ryan: And I think that you’re right about Apple’s … Especially their identity management part of Apple Business Manager, especially if you’re doing stuff like VPP and app deployment, that sort of thing. Because now that JumpCloud’s working on the MDM solution, I’ve been looking … Before Apple Business Manager was just like a toy for me. It’s like, I’ll play around with this. And then it was used for the testing of the product. And now, as our MDM product grows and the functionality grows, now it’s like, I’ve been really looking at like, okay, how am I going to leverage this? We’re going to get to a part where I need to get our entire employee base into Apple Business Manager. And right now, their only option for a federated identity is Azure AD. And I’m like, “That’s not good.” There’s other things, how they handle locations, and devices that aren’t purchased through … Manually adding devices to Apple Business Manager. Well, you can manually add iOS devices.

Tom: Yeah, there’s a way to back-port iOS devices into ABM. But every place else you’re stuck, yeah, you’re stuck. You’re really stuck. We had a lot of feedback for Apple when that came out. We were like, “You really need a way to get these in, because we have all these machines that we bought over the years that are not in ABM.” And Apple’s response, as infuriating and hilarious as it was, was that we should just buy more devices, at which I had a good, long laugh, and then realized he was serious. And then it was that old vendor graphic, “Oh, you’re serious? Let me laugh harder.” But I do feel like they at least gave us the ability to corporatize an iOS device.

Ryan: Right.

Tom: The fact that they have not allowed us to do that for a Mac is frustrating. I’m hopeful that that is just an artifact of being able to … I mean, that’s the other challenge with iOS versus macOS, right? It’s in the activation side of things. Now that we have this lovely M1 MacBook Air that I’m using here today, Apple’s model for the M1 Macs may be different than the iOS devices. But what they’ve said is no one who’s using a Mac is going to be required to activate them on the Internet. So having that escape hatch for offline activations or offline continuance is so important for a huge slice of their customers where Macs are in use, but not on the Internet. And here in DC, we have a large number of those, for very interesting five-sided buildings, for example.

Ryan: Yeah, I would imagine so. When I was talking to our Apple rep, when I’d bring up my feedback for them, the most common thing was, “Yeah, we hear that a lot.”

Tom: You hear that a lot because there’s a lot of people doing things.

Ryan: Yeah. There’s hope that things will change. I mean, we are nowhere near Apple’s biggest customer, so the leverage that we have with Apple is practically nil. But still, I’ll take that practically nil leverage that I have, and I’m going to pester them about federated access and expanding that, even if it’s just LDAP. Just give me something.

Tom: Give me some method to give you my user count. Now I will be the first to tell you with some not small percentage of frustration, that managed Apple IDs are not terribly useful right now.

Ryan: They’re not.

Tom: And when we think about what they’re useful for, the answer is, well, it lets me assign a paid app to a person instead of a machine. That is the only use case that I can point myself to.

Ryan: Yeah, that’s the thing. That’s the main reason why I would want it. One of the vulnerabilities that we look at for having Macs in a business environment, especially where you deal with sensitive information and IP, and stuff like that, is when you have people who have personal iCloud Apple IDs and stuff like that, and they’re like, “Oh, I’m going to sign in on my personal Apple ID so I can listen to my Apple Music.” And they don’t realize that they clicked that checkbox for their iCloud storage or their iCloud Drive, now mapped to the main Finder stuff. And then all of a sudden, all of these sensitive company documents are on an individual’s personal iCloud Drive. And you have no way of knowing that or controlling that. Well, I mean, you can with policies and stuff like that.

Tom: Sure.

Ryan: Forget that, but that’s something … I’ve had a very awkward experience where an employee left the company, and I had to go get something off of their system. I logged into it and it was connected to their personal iCloud. And the Messenger app had some very personal stuff in it, and then it opened up immediately when I logged in. And I’m like, “Oh, I do not want to see this.” And I’m sure they didn’t want me to see this. So managed Apple IDs, you’re right, they’re very limited in scope. I want to see them more useful so that when you come on board and you start working at JumpCloud, you automatically get a managed Apple ID.

Tom: Right.

Ryan: And honestly, we’re going to start doing that more, once we have VPP support and stuff like that, so that we can assign out apps and stuff like that. But for a while, as part of our onboarding process, we were creating these managed Apple IDs, but then it’s like, why are we doing this? It’s pointless. It was just adding more work to it. But yeah, it will become a necessity in the not too distant future. So I would like to see more controls around that.

Tom: For sure. And I think that Apple has always been … They want to enable the use of their own product. So bringing features and things like that to mobile device management isn’t something that isn’t going to happen, so to speak. If you’ll forgive the terrible double negative.

Ryan: This is just something that popped into my head, that I would like to see at some point in the near future. That would probably involve better identity management in ABM, but I would like to see something where you can restrict Apple ID access on a system to a user’s work email address. I would love to see something like that.

Tom: For sure. And there are all kinds of things that could really … I feel like Apple ID for domains is what I’m looking for.

Ryan: Yes.

Tom: To basically say, “Let’s really provide some useful tools here.” I mean, because the other thing is, for example, for mobile devices or for mobile backup here, I think in specific, we had a client that was using iOS as their only platform for a team of 20 people. You get an iPad and an iPhone, and off you go. So we started setting them up with managed Apple IDs because they didn’t want them to be able to, at all, do commerce, except via the VPP store. So that’s, okay, great. Now that’s definitely a system, but they had people using messages and trading … They were essentially sending photos of sites back and forth with messages. Those start to stack up. They really wanted those things in the backup. Well, you can only ever have five gigs of storage in a managed Apple ID, in the back. No way to buy more.

Ryan: Oh, wow. I didn’t know that.

Tom: So if you really want to do that, you’re in a lot of pain. After you get to that five-gig mark, you can’t even buy an extra storage pool for your organization. My understanding was that that was supposed to be on the roadmap. I had a conversation with someone from Apple, on the record, about it, and they said they’d promise more information, but it’s been a year and a half, and we have nothing. So I’m hopeful that maybe, perhaps, we will get some of that this summer.

Ryan: Oh, man, I wasn’t aware of that limitation.

Tom: Yes.

Ryan: That is interesting, with air quotes, as in unfortunate.

Tom: Yeah. I was going to say that’s interesting as in “oh, God, oh, God, we’re all going to die,” if you’ll pardon me quoting Serenity.

Closing Remarks

Ryan: All right. That’s all the time that we have. Again, my guest today is Tom Bridge. Tom, how can people get in contact with you?

Tom: If you want to find me, you can find me on the JumpCloud Lounge Slack. That’s a great place to pop into my DMs and say hello, and say, “Hey, I had some questions about this, that and the other.” I’m always happy to talk with folks, and we’ll figure out how to do that best for the organization going long term. And of course, you can always find me on email, at [email protected].

Ryan: Well, thank you very much, Tom, for joining us. And I hope we’ll talk to you later.

Tom: All right. Thanks, Ryan. See you around the JumpCloud.

Ryan: All right. Bye. Thank you for tuning into Where’s The Any Key? If you like what you heard, please feel free to subscribe. Again, my name is Ryan Bacon. I lead IT at JumpCloud, where the team here is building a cloud-based directory platform that provides frictionless, secure access to virtually any IT resource from trusted devices, anywhere. You can learn more and even set up a free account at JumpCloud.com.

About JumpCloud

The JumpCloud Directory Platform provides secure, frictionless user access from any device to any resource, regardless of location. Get started, or contact us at 855.212.3122.