
I don't agree; I really liked AirWatch and we managed tens of thousands of mobiles with it. It had its issues but every product does. The problem was that when we had to move to Intune some features we used in AirWatch weren't even supported yet!

It really made me laugh when Gartner put Intune in their magical Quadrant but not AirWatch, as Intune wasn't even feature complete at that point for basic mobile uses. I'm sure those Gartner guys just talk to the sales suits but don't actually try the products.

But now we're stuck with Intune due to decisions made at top level.



When I used it, I was managing mostly Macs, and I never used it pre-VMware. This probably encouraged my flippancy!

Is there even an established, reliable alternative to Intune for Windows? I don't know.


Yeah, the Mac side was the worst. Many features didn't work reliably or were not updated quickly enough to keep up with OS updates. It was all very beta, unfortunately.

For Mac, JAMF is pretty much the gold standard and I tried to get it, but the leadership preferred a "single pane of glass", sadly.

For Windows we always just used SCCM and even now we're only in hybrid mode with most functions in traditional management.


I don't really know much about this area, but I did poke around Jamf once or twice and it seems absolutely awful. Not disagreeing that it might be the gold standard, but that doesn't really say much in the MDM industry.

For example: any single Jamf admin can type a bash script into a text box which will then be automatically executed on every machine as root.


You can do the exact same in Intune :)

As the other reply said, this is something you need to enable only for the most expert admins, and have processes to test it properly before you deploy it to the entire population.

FWIW our antimalware solution has the same capability.

But JAMF is the 'gold standard' because they are the only ones that really focus on Mac management. They used to be called Casper Suite; perhaps that rings more of a bell (I think JAMF is a pretty poor name, but anyway).


There is a lot of innovation, with many viable options, in the Apple MDM market. Kandji, FleetDM, micromdm, etc. In my experience, Jamf is only the ‘gold standard’ when one has only cursory knowledge of the space.


I understand; I'm mainly talking from my enterprise background. From what I know, the newer developments focus a lot on Apple-specific implementations like DEP enrollment.

Unfortunately we can't use that because we can't use Apple federated accounts (they still require the UPN and email to be the same which we can't comply with) and because our IDP isn't supported.

This is the problem in enterprise, where you're often stuck with a relatively small number of Macs (in our case less than half a percent) and thus the Macs have to comply with the rest of the environment, because the environment isn't going to be adapted to Apple's requirements. We're stuck with the requirement to limit user admin rights, to have security proxies (Zscaler), and many other things that don't work seamlessly on a Mac. Like the built-in password restrictions MDM profile: this is way too basic to fully encompass our security policy (it seems more like a mobile one shoehorned onto a Mac). So we need a lot of workarounds to meet our security policy.

For this JAMF works really well because it has lots of workarounds for enterprise setups that aren't done "the Apple way".

If you're free from legacy constraints the more modern solutions work great, but in our environment we don't have that luxury, sadly. There are just too many strings attached from the security side.

You can sometimes script your way around the issues but every major macOS update will break things and JAMF is pretty good at figuring all this stuff out.

But yes I should have mentioned that context.


Yes, this is a core tenet of "Device Management".

You can restrict this ability using the built-in (granular) access controls.


I don't think that no approvals, no CI, webpage text box to fleet-wide root is a core tenet. Maybe a commonality though.


No approvals and no CI with clickops is indeed not a core tenet, but these are things you can implement on top of a solution like Jamf.

However, the market wasn’t always asking for it. Most Mac management is done by a sole individual at the org, usually not a large team where everyone can review everyone’s changes. This is steadily changing, but there are still tons of people who do clickops in Jamf because it’s what they understand and have the bandwidth to do.


We have almost a hundred thousand users and we don't have an approval process for Macs either, because we only have a few hundred :)

I think the Windows guys have everything more proceduralised. But the Mac work is more of a one-man show. I still don't think they have an approvals process though. They mainly still use SCCM and I don't think that has approvals built in.

And yeah, things get tested in a separate environment before they're deployed in live. But as there's just one person doing both on Mac there's not much point to an approvals process. Which is also the person that gets to deal with any mistakes, so there generally aren't any :)

And it's not a bad thing either; the Mac side is usually much quicker to adopt new features. Both because there are not that many and because Mac users are always interested in new OS versions, whereas Windows users generally prefer to stay on what they know.


I recently implemented Terraform for a Jamf instance. In my experience macadmins are often much better at code-driven workflows than Windows admins. macOS is, after all, a real Unix. And Apple's MDM protocol documentation is far superior (that's why features are implemented quickly).

Jamf’s script feature is agent based, just like Airwatch’s, not an implementation of the MDM protocol.


> And Apple’s MDM protocol documentation is far superior (that’s why features are implemented quickly).

In terms of the overall tooling I have to disagree. SCCM is way more powerful than anything Apple has to offer.

In terms of actual MDM "Modern Management" for Windows (Intune), yes, that's only in its infancy, but it's because most of their customers still use SCCM for most tasks. It's a bit chicken-and-egg.

But Apple's MDM is not great. The password profile is extremely simplified, not able to handle any complexity (example: in our AD, passwords must contain special characters and numbers if they are shorter than 10 characters but don't need to when longer, because we want to stimulate passphrases). Also, as far as I know (I don't work in this scope anymore), it still has no MDM profile to mandate the user installing updates in a timely manner. You can delay them but not force the user to install them. This stuff must be handled with scripting. The MDM app deployment is also very hit and miss, which is why most MDMs do it through their own agent. It works fine when using the Mac App Store, but most apps are not on there and usually there is a need for a customised package anyway.

And on the topic of customised packages, having to go through Apple's notarisation is really annoying. We should be able to just deploy our own signing keys to the machines that we own, and deploy to those machines whatever we want that's signed with our internal key without having to get Apple's OK on it. Sometimes the notarisation service refuses to work for some reason (happens especially with package installers combining code and signing keys from 2 different vendors) and I need to obfuscate the embedded packages to make it work.

So no, in terms of MDM I think Apple is not great for enterprise use cases. If you're a small all-Apple shop and you can align everything with Apple's requirements then you may fare better, but we don't. Less than a percent of our systems are Macs.

> are often much better at code driven workflows than Windows admins.

Yes, but Apple does shoot us in the foot sometimes by changing stuff around. I have to say that PowerShell is much more consistent in this manner.

I still prefer Mac, but I have to say the enterprise management tooling is just way better on Windows. Apple doesn't really seem to care about enterprise users at all.

Another point is that terrible federated Apple ID system that to this day still requires the UPN to be equal to the email address. In our environment this is different for a reason and there is no way it's going to get changed just to satisfy an Apple requirement.
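As an added illustration (not code from the thread or from any MDM vendor), here is the length-conditional AD rule described in the comment above next to a flat profile modelled on the Passcode payload keys minLength, requireAlphanumeric and minComplexChars (their exact semantics are assumed here), with a check that shows which sample passwords each flat setting gets wrong relative to the real rule:

```python
"""Length-conditional password rule vs. a flat MDM passcode profile.

Constructed example: the organisation's rule is "digits and special
characters are required only when the password is shorter than 10
characters; longer passphrases are exempt". A flat profile can only
express one minimum length plus unconditional complexity flags, so any
single setting either over-enforces (blocks valid passphrases) or
under-enforces (accepts short passwords that lack complexity).
"""
import string

SPECIALS = set(string.punctuation)


def ad_policy_ok(pw: str, passphrase_len: int = 10) -> bool:
    """The organisation's rule as described in the thread."""
    if len(pw) >= passphrase_len:
        return True  # long passphrases are exempt from complexity
    has_digit = any(c.isdigit() for c in pw)
    has_special = any(c in SPECIALS for c in pw)
    return has_digit and has_special


def flat_profile_ok(pw: str, min_length: int,
                    require_alphanumeric: bool,
                    min_complex_chars: int = 0) -> bool:
    """A flat profile; key semantics assumed, not taken from Apple docs."""
    if len(pw) < min_length:
        return False
    if require_alphanumeric and not (
            any(c.isalpha() for c in pw) and any(c.isdigit() for c in pw)):
        return False
    if sum(c in SPECIALS for c in pw) < min_complex_chars:
        return False
    return True


def disagreements(samples, min_length, require_alphanumeric,
                  min_complex_chars=0):
    """Sample passwords where the flat profile and the AD rule disagree."""
    return [pw for pw in samples
            if ad_policy_ok(pw) != flat_profile_ok(
                pw, min_length, require_alphanumeric, min_complex_chars)]


# Constructed sample inputs covering short/long, with/without complexity.
SAMPLES = ["Tr0ub4d!", "correct horse battery", "short",
           "p@ss1", "longpassphrase"]

if __name__ == "__main__":
    print("length-only profile wrong on:", disagreements(SAMPLES, 10, False))
    print("complexity profile wrong on:", disagreements(SAMPLES, 1, True, 1))
```

A minimum length of 10 rejects the valid short-but-complex passwords, while unconditional complexity rejects the valid long passphrases; neither flat setting matches the rule.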


We just launched open-source Windows MDM in Fleet: https://fleetdm.com/device-management



Gartner of course don't try the products. It's just an advertising racket.



