Ever since employee-owned devices, and particularly iPhones and iPads, began appearing in offices, organizations of all sizes have struggled to properly administer and secure non-corporate-owned smartphones and tablets. In fact, the trend became so pronounced it spawned a new acronym: BYOD, for Bring Your Own Device.
Businesses are torn about satisfying sometimes competing initiatives: accommodate employees' iPhone and iPad adoption, enable employee productivity, efficiently deploy and administer applications, and secure business data from unauthorized access. The way to balance these interests is to use a mix of capable platforms as part of your mobile device management (MDM) strategy.
How to use Apple's VPP and select an MDM
When managing Apple devices, start by creating an Apple Volume Purchase Program (VPP) account. A VPP account is Apple's solution to enabling businesses to centralize application purchasing and deployment.
Businesses seeking to open a VPP account must create a dedicated Apple ID, one that belongs to the organization rather than to any individual employee's personal Apple account. Businesses use the dedicated Apple ID to administer the VPP account, including creating program administrator accounts for purchasing and distributing App Store applications, business-to-business apps, and iBooks titles. Because that Apple ID controls purchasing and distribution for the whole organization, treat it as a privileged credential: restrict who knows it and keep its recovery details current.
Once your business has a VPP account, program administrators can log into the VPP store, search for needed material, enter quantities to purchase, and complete purchases that are billed to the corporate credit card associated with the Apple VPP account. An important detail for many organizations' procurement processes: businesses can associate purchase orders with VPP credits that can be delivered electronically to program administrators.
Note: Currently, the VPP program is available in dozens of countries, including the US, UK, France, Germany, Australia, and numerous others. It's likely your organization won't encounter any availability issues, but you should consult the VPP availability information to rule out any potential location-related problems.
Once software applications and iBooks titles are purchased, program administrators can distribute the material by providing the intended recipients with redeemable codes for each respective app or book or by assigning apps directly to specific devices through a third-party MDM platform.
To distribute VPP-purchased content, your business must first connect the MDM solution it's using to the VPP account; the connection is made using a secure token. Your business links its MDM solution and VPP account by logging in to the VPP store, going to the account summary, downloading a token, and uploading the token to the MDM server, which establishes a secure link between the two platforms. The token is valid for one year, so record its expiry date and renew it before it lapses; once the token expires, the MDM can no longer assign or revoke VPP apps until a new token is uploaded. Treat the downloaded token file as a credential: anyone holding it can act on your VPP account through an MDM.
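As an added example (not code from the original article or from Apple), here is a small Python check an administrator could run on a downloaded VPP token file before uploading it to the MDM, to confirm it decodes cleanly and to see how many days remain before the one-year link lapses. It assumes the token (Apple's "sToken") is base64-encoded JSON carrying `token`, `expDate` and `orgName` fields, which is the format Apple's VPP service has used; the sample token below is constructed for this example and is not a real Apple token.

```python
import base64
import json
import sys
from datetime import datetime, timezone

# Constructed sample token (NOT a real Apple token): base64 of a JSON object
# carrying the three fields an sToken has contained. The field names are an
# assumption based on the format Apple's VPP service has used.
SAMPLE_STOKEN = base64.b64encode(json.dumps({
    "token": "AAAAexampleOpaqueTokenValue",
    "expDate": "2017-11-17T08:30:40-0800",
    "orgName": "Example Corp",
}).encode()).decode()

REQUIRED_FIELDS = ("token", "expDate", "orgName")


def decode_stoken(stoken: str) -> dict:
    """Decode an sToken (base64-encoded JSON) and check it has the expected fields."""
    raw = base64.b64decode(stoken.strip(), validate=True)
    data = json.loads(raw)
    if not isinstance(data, dict):
        raise ValueError("sToken payload is not a JSON object")
    missing = [f for f in REQUIRED_FIELDS if f not in data]
    if missing:
        raise ValueError(f"sToken missing fields: {missing}")
    return data


def _as_datetime(value) -> datetime:
    """Accept a datetime or an ISO 8601 string; always return a timezone-aware datetime."""
    if isinstance(value, datetime):
        dt = value
    else:
        s = value.strip()
        if s.endswith("Z"):  # 'Z' suffix is not accepted by fromisoformat before 3.11
            s = s[:-1] + "+00:00"
        # Apple has written offsets as "-0800"; fromisoformat before 3.11 needs "-08:00".
        if len(s) >= 5 and s[-5] in "+-" and s[-3] != ":":
            s = s[:-2] + ":" + s[-2:]
        dt = datetime.fromisoformat(s)
    if dt.tzinfo is None:
        dt = dt.replace(tzinfo=timezone.utc)
    return dt


def days_until_expiry(stoken: str, now) -> int:
    """Whole days from `now` until the token's expDate (negative if already expired)."""
    exp = _as_datetime(decode_stoken(stoken)["expDate"])
    return (exp - _as_datetime(now)).days


def needs_renewal(stoken: str, now, warn_days: int = 30) -> bool:
    """True when the token is expired or within `warn_days` of expiry."""
    return days_until_expiry(stoken, now) <= warn_days


if __name__ == "__main__":
    # Usage: python vpp_token_check.py [path-to-downloaded-sToken-file]
    # With no argument the constructed sample token is checked.
    if len(sys.argv) > 1:
        with open(sys.argv[1]) as fh:
            stoken = fh.read()
    else:
        stoken = SAMPLE_STOKEN
    info = decode_stoken(stoken)
    now = datetime.now(timezone.utc)
    remaining = days_until_expiry(stoken, now)
    print(f"org: {info['orgName']}  expires: {info['expDate']}  days left: {remaining}")
    if needs_renewal(stoken, now):
        print("WARNING: renew this token in the VPP store and re-upload it to the MDM")
```

Point the script at the real token file you downloaded and schedule it (or fold the check into monitoring) so the renewal warning fires well before the one-year mark rather than on the day app assignment silently stops.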
Some organizations may leverage Apple Configurator 2 to manage iPads and iPhones. Organizations using Configurator 2 do not need to complete the token step; instead, they sign in to the VPP account from within Configurator 2. With iOS 9 and OS X El Capitan, Configurator 2 can preload purchased apps onto devices as part of deployment, which also simplifies iPad and iPhone deployment and administration within small and medium-sized businesses.
If your business wishes to leverage its MDM platform to distribute VPP purchases by code rather than by device assignment, it can do so by uploading a spreadsheet listing the redeemable codes to the MDM server for distribution to authorized and intended endpoints. Most MDM systems can also send a push notification to the appropriate users informing them that a code is waiting to be redeemed, while tracking which users have completed the redemption. Keep in mind that a redeemable code is a bearer value: whoever enters it first gets the app, so the spreadsheet should be handled with the same care as the purchase itself, and unredeemed codes should be reconciled against the VPP store's records.
Numerous third-party MDM and Enterprise Mobility Management (EMM) products are available, including VMware AirWatch, Citrix XenMobile, IBM MaaS360, Microsoft Intune, MobileIron Core, and ConnectWise's LabTech. Each offers a different range of features, functionality, and capabilities.
Most MDM platforms provide the same basic features. For many businesses the deciding factors will be cost, integration with an existing remote monitoring and management (RMM) platform investment, or a preference for a specific interface or administrative console.
That said, businesses should expect all of the following capabilities from any MDM platform they deploy: cross-platform support for a variety of OSs, including iOS, Android, and Windows; asset tracking and reporting; centralized application deployment and removal; remote device wiping; and administration of device settings and software configuration restrictions. Other options, such as end-user self-service portals and secure collaboration features, are supported in some but not all MDM platforms.
Before choosing an MDM solution, your organization should complete a formal project management initiative that includes a project charter, a project scope statement, and a work breakdown structure. This requires identifying the business stakeholders, listing the MDM's goals and requirements, specifying a budget, and documenting the corresponding assumptions, risks, and dependencies. This process helps eliminate surprises and cross-platform incompatibilities when the MDM solution is deployed.
Once a potential MDM solution is identified, your organization should proceed with a controlled test. There is no reason to roll an untested platform out enterprise-wide without first conducting at least limited testing on a representative set of devices and users.
But wait: your organization may find it is already committed to the MDM component of an existing platform, because the business has deployed an RMM platform on its servers and client computers. The MDM component may be an add-on to an RMM platform in which the firm has already made a significant financial investment, not to mention all the time required to configure and deploy the underlying RMM tools. Even in that case, the MDM component should be tested against the requirements list before being treated as the default choice.
A final and important tip
To ensure your organization's needs are properly met by the selected MDM platform, navigate the requirements specification stage of the corresponding project initiative carefully. Requirements that are never written down cannot be tested for, and gaps discovered after rollout are far more expensive to close.