
7 Best Practices for Deploying MDM: Part 1

This post provides tips for effective Mobile Device Management (MDM) of Mac devices, including managing certificates, staged rollouts, personal recovery keys, and using Single Sign-On (SSO).
Written by Josh Zweig
Published on February 22, 2023

Mobile Device Management (MDM) software is complicated. Even the name is confusing: MDM refers to a class of software used not just to manage mobile phones but also laptops, tablets, and even desktops. MDM software is often a requirement for businesses that need to satisfy various compliance or regulatory frameworks, but deploying and managing MDM solutions is difficult, especially if you've never done it before. In this post, we will focus on best practices for Mac Device Management and share our tips for ensuring you can safely deploy, manage, and scale your MDM solution.


Best Practice 1: Manage and Renew Certificates

The Apple Push Notification service (APNs) certificate is issued by Apple and used by your MDM Server to communicate securely with your enrolled devices. If this certificate expires, you’ll need to reenroll every device at your company. Renewing is as easy as clicking a button, but reenrolling those devices will be pretty painful if you let it expire accidentally. Put a calendar event on a few of your teammates’ calendars for one month before the date your APNs certificate is set to expire.
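A calendar reminder can be backed by an automated check. The script below is an added example, not part of the original post or of any MDM vendor's tooling; it assumes the APNs certificate has been exported from the MDM server as a PEM file, and the script name and path in its usage comment are placeholders.

```sh
#!/bin/sh
# Added example: flag an APNs push certificate that is close to expiry.
# Assumption: the certificate was exported from the MDM server as a PEM file.

WARN_DAYS="${WARN_DAYS:-30}"   # the post's "one month before" window

# Print the certificate's notAfter date as reported by openssl.
cert_not_after() {
  openssl x509 -in "$1" -noout -enddate 2>/dev/null | cut -d= -f2
}

# Exit status: 0 = valid past the window, 1 = expires inside the window,
#              2 = already expired,       3 = file is not a readable certificate.
check_apns_cert() {
  pem="$1"
  days="${2:-$WARN_DAYS}"

  if ! openssl x509 -in "$pem" -noout >/dev/null 2>&1; then
    echo "ERROR: cannot parse certificate: $pem" >&2
    return 3
  fi
  # -checkend N exits non-zero when the certificate expires within N seconds.
  if ! openssl x509 -in "$pem" -noout -checkend 0 >/dev/null 2>&1; then
    echo "EXPIRED: $pem (notAfter: $(cert_not_after "$pem"))"
    return 2
  fi
  if ! openssl x509 -in "$pem" -noout -checkend "$((days * 86400))" >/dev/null 2>&1; then
    echo "RENEW NOW: $pem expires within $days days (notAfter: $(cert_not_after "$pem"))"
    return 1
  fi
  echo "OK: $pem valid for more than $days days (notAfter: $(cert_not_after "$pem"))"
  return 0
}

# Hypothetical usage from cron or CI:
#   sh check_apns.sh /path/to/exported-apns.pem [days]
if [ "$#" -gt 0 ]; then
  check_apns_cert "$@"
  exit $?
fi
```

A non-zero exit status lets a scheduler or CI job alert the team, so the renewal does not depend on one person's calendar.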

Best Practice 2: Staged Rollouts

Take baby steps. You're very likely to hit a few bumps in the road when deploying new policies or configuring new profiles. For any change you make with your MDM solution, we strongly recommend staging the change with a small early adopters group before slowly rolling it out to the rest of your users. An early adopters group will help you find bugs before a large-scale rollout, and it helps build trust across the team that potentially disruptive changes are always validated before being rolled out.

Best Practice 3: Use Personal Rather Than Institutional Recovery Keys for FileVault

FileVault is the name of your Mac's system for Full Disk Encryption. You can use your MDM solution to configure each individual FileVault instance with a unique recovery key (a personal key), or with the same key across your company (an institutional key). Recovery keys can be used to decrypt and access the files encrypted with FileVault, and they allow a user to regain access to their computer in the event of a forgotten password. It's much better to have separate keys for each device so that if a key is leaked, the impact is limited to one device. The good news is that using personal keys is no more work than using an institutional key. As a last note, make sure the keys are escrowed to your MDM server so that users can recover their accounts if they forget their passwords and are locked out of their devices.

Best Practice 4: Use Single Sign-On (SSO)

It's critical to be able to associate any device with the user who is responsible for that device. The best way to do this with MDM is to integrate your MDM solution with your Identity Provider (IdP) (Google Workspace, Okta, Active Directory, etc.). Then, gate the enrollment process behind authentication with the IdP, so the device is linked with a user identity during enrollment. This saves you from wondering "Which Josh owns this 'Josh's MacBook Pro'?" and makes it easy to know which user to email if a need arises. In general, this is a good example of how you should be looking to leverage MDM in the context of your other security tools.

Until Our Next Post

Solving a lot of these challenges is much harder than it should be. We hope these best practices help you make the right security decisions and make it easy to achieve some basic security at your company. We’ll be back in a few days with Part 2. And if we can ever help, don’t hesitate to contact us, or schedule a demo.

