
RedTomato

Original poster
Hiya some quick tips on managing iCloud stuff in a small org would be very welcome.

I advise a small org who have a lot of Apple stuff. There's about 6 staff, which means 6 Apple laptops of various ages and 5 iPads, plus staff bring in their own iPhones. It's a very liberal org with plenty of trust in staff.

My problem is I don't know what's the best iCloud set up for this org.

- I want all laptops and iPads to have Find My Mac / iPad turned on, which means all need to be signed into iCloud.
- Staff all use iCal and we have numerous shared and group calendars.
- our email is handled via Gmail
- Staff sync iCal and other iCloud stuff with their own iPhones.
- Staff are free to download their favourite apps onto laptops and iPads.

Option 1:
Just allow everyone to have a separate iCloud login and password, and track them on a master spreadsheet. Does that seem sensible?

Option 2:
I can move to having a single iCloud account for all Apple devices, but that would seem to create problems with app downloads and payments and individual calendars. It also seems to mean every time there's a problem they'll come bother me, which is highly undesirable.

Which is best? Thanks for any advice.
 

DaveOP

You should look into some of the free MDM solutions. I believe Meraki, or one of them, gives you a small number of clients for free, and would do exactly what you're looking for. MDM can store an iCloud bypass key, so you can let employees have their own Apple IDs without having to know the passwords.
 

Geeky Chimp

Using a generic Apple ID would very quickly turn into a big headache for everyone. Take a look at MDM solutions. A lot allow you to track the location without having to log in to the user's iCloud with their Apple ID. Also, a lot allow you to keep an activation lock bypass code for the enrolled device. Some allow you to escrow the FileVault 2 recovery key too. You shouldn't need to keep a copy of each user's Apple ID and password.
 

ZMacintosh

Some questions you need to ask yourself are what your goals in the environment are, and what the "why" behind those bullet points is.

I would not rely on Find My Device for any sort of management of individual devices; that's just not what it's meant to do in a scaled environment. Using MDM is an option to inventory and provide policies to devices, but I wouldn't worry so much about managing users to that extent; let them be self-sufficient. What do you have to gain by managing devices to that incremental level?

If they're company owned devices, use the MDM to inventory and track that way, let users use iCloud for their own items and manage themselves and anything else can be served via G Apps or other SMB tools.
 

960design

Yep... Use Meraki to manage up to 100 devices for free. If they are company purchased you can lock the MDM profile to prevent theft using DEP. Another option is to use a Mac mini running Server to create mobile management profiles, although that's not as robust as a cloud-based solution.

Definitely let clients use their own Apple ID for iCloud and iTunes. Buy-in helps protect devices and increases security.
 

adam9c1

Take a look at Jamf Now. (I believe 3 devices are free) and after that $2 per device.
Also if you sign up using my referral I get a free device.
 

DJLC

In your case, I'd advise a free MDM for inventory tracking and remote wipe/lock capability. Let staff use personal Apple IDs so their stuff is synced from iPhone to company MacBook.

Also, an important point: if you're going to use MDM, you're going to want to use VPP (Volume Purchase Program) for business. This will make it so the company holds the included licenses for iLife / iWork. Get set up with that, request your apps be added to VPP (assuming you purchased the Macs through Apple's Business channel), then assign licenses to your Macs with your MDM. If you don't do this, the licenses for those apps are permanently tied to the employees' personal Apple IDs. If one of them leaves the company, you will be unable to update or reinstall any of those apps.
 

ZMacintosh


If the user already has the apps then it won't matter if they sign in and use them.

However, Apple's VPP considers an iLife/iWork license per device, so even if they were accepted you could essentially get the VPP device license if that were to occur and the user accepted them under their Apple ID.
 

960design

My experience has been that if a user signs in using their Apple ID and opens the app for the first time, the device license is transferred to their Apple ID even if they have previously purchased / owned the license. In other words, if they open the app first, the MDM loses the license. You must open the app without being signed into an Apple ID for the MDM to claim the initial free license issued with each new device.

I typed device way too many times.

You should be able to retrieve your licenses by contacting Apple Support, but not with the MDM.

Shameful plug:
I wrote a white paper on this very topic about a year ago and haven't tested it since.
 

ZMacintosh


Correct, it will tie to their ID, and with Apple they have a few options where they can essentially assign a license to that device (since Apple sees each Mac as having a license to the OS/iWork/iLife). It really depends on how they have their VPP set up, but in one of the environments we manage we let users use their own Apple IDs, and it's been easier to adopt Mac solutions; they bring their own apps if they want, or we can hand them out at the device level. It's less management of the user and more of the infrastructure, which is nice. MDMs just help a little better.
 

DJLC


We got new MacBook Airs for our staff about 2 years ago. And I immediately requested VPP managed distribution for the MacBook order so our MDM would hold the licenses. Going that way, our staff who got the new MacBooks initially DID have their Apple IDs credited with the iLife/iWork purchase. However, we also still had the license in VPP / MDM. So it was kind of just a perk for those employees. We've had some turnover since then; all I've had to do is have the new staff member log in to the MacBook, invite them to VPP, then tell our MDM to update/install the apps. Been very easy. But without that essential VPP step at the beginning, I think I'd be ripping my hair out now.
 

960design

Probably should ask this through a PM as it is now pedantic. All 5500+ of our Apple OS X / iOS devices are delivered to the user and attached to our MDM via DEP (too many acronyms), so they are attached to our organization's VPP account before even being turned on for the first time. Am I missing a phone call to someone to ensure we have all 5500+ Pages licenses attached to our MDM? Currently we only have about 500 Pages licenses, purchased separately via VPP, available in our MDM. Should I not see 5500+ licenses?
 

DJLC


So — when you order devices, licenses are NOT automatically added to your VPP account. Use the links below to request Mac or iOS app licenses that come with device purchases. All you need is the Apple order number. I believe you must have purchased devices through the Apple Education or Business channels, although I could be wrong. But if they're in DEP, you definitely bought them right. :)

For Mac apps: https://support.apple.com/en-us/HT203022

For iOS apps: https://support.apple.com/en-us/HT202953

Note that for MDM deployment, you want to choose Managed Distribution on those VPP fulfillment forms. The other option is Redeemable Codes, and with that you give up the ability to reassign licenses to different people. Once you pick one of those options, you can't change back.
 

960design

Thanks... I'll give it a try.
 

RedTomato

Original poster
Absolutely superb replies in this thread, many thanks for all your help.

Also many thanks for keeping in public sight the info about ensuring app licences are tied to the MDM - that's something I'm going to have to sort out.
 

RedTomato

Original poster
Coming back to this thread to say that Meraki has now ended their free tier. It's getting harder to find free MDMs for small organisations.

The only two I can find at the moment are:

- Miradore, with an unlimited free tier, but few features at that level
https://www.miradore.com/miradore-online-plans-and-pricing/

- ManageEngine Desktop Central, with a 25-device free tier that includes mobile device MDM. Seems to have more features but is more complex.
https://www.manageengine.com/products/desktop-central/

I'm currently looking at using Miradore as it seems simpler. I'm not sure if we can still use Apple's VPP separately - I have no experience with it. Our most pressing need is iCloud account management and device password management. App licence management is unneeded at the moment.
 

960design


  1. Apple Server does a great job for 500 or so devices (actually tested well on up to 5000). It is finicky and you can lose everything with a couple of incorrect clicks, so backups are essential.
    https://support.apple.com/profile-manager
  2. Mosyle is another great MDM that has a free tier.
    http://mosyle.com/

We need DEP, enterprise app and VPP app management, remote licensing, location and much more.
 

DJLC


+1 on Mosyle. But it's geared toward schools. While a business COULD probably make use of it, be prepared to deal with terms like "teacher" and "student" and "class" within the MDM itself. Theoretically you could just make all employees "Teachers" and distribute settings and apps that way. I'm not sure if it'll talk to a business DEP or VPP account properly; Apple does have a distinction between schools and businesses, but I'm not sure where the line is drawn.

Profile Manager — I've been told by multiple Apple employees that Profile Manager isn't really meant to be used for real. It's a proof-of-concept for third party MDM developers. So I really wouldn't recommend anyone use it in any capacity that matters. Last time I tried, it only barely worked and updates to configurations / profiles weren't exactly reliable. At the time we had 330 devices enrolled.
 

Geeky Chimp

We switched from Windows Server to macOS Server running on Mac minis several years ago. It was a great switch and we've never had an issue with Profile Manager bar a minor glitch fixed by a restart.
The only thing to bear in mind at the moment is with the update to High Sierra and macOS Server 5.4 several features have either moved into macOS or been removed without any real explanation (eg iOS File Sharing) so the future plans aren’t clear.
 

960design

Same here, our local Apple Engineer states the exact same thing. I believe they all read the same white papers, but have little actual experience with the deployment.

In my experience, it worked without a hiccup for 100 devices.
 

DJLC


To be fair, I haven't given it a chance since Yosemite w/ Server 3. After our one nightmare day, I didn't dare try it again — it glitched out in Safari and deleted an entire device group. Which then removed restrictions from 300 student iPads; go figure it was the one time it actually pushed commands. Nothx, I'll stick with Mosyle for our environment. ;)

I guess the lesson here is: be very careful with what you let macOS Server do, and be even more careful with the buttons in Profile Manager. Learn from my stupid mistake! :p
 