Apple device management considerations for MSPs
RMM software has evolved into a cybersecurity attack vector, creating concerns for MSPs and their customers. Does Apple's configuration-based management approach offer a solution?
Dave Sobel is host of the podcast The Business of Tech and co-host of the podcast Killing IT. In addition, he wrote Virtualization: Defined. Sobel is regarded as a leading expert in the delivery of technology services, with broad experience in both technology and business.
In this video, Sobel discusses remote monitoring and management (RMM) software with Jason Dettbarn, founder and CEO of Addigy Technology, a provider of an Apple device management platform for MSPs. They explore the differences between Apple OS and Windows management approaches.
Transcript follows below. Minor edits have been made for brevity and clarity.
Dave Sobel: Obviously, talking to anybody who's in the RMM [software] space is interesting for me right now. But I want to take a quick moment [for you to] tell me a little bit about the Apple view of the market, the Apple space. Oftentimes, when we think about RMM products, we always talk about ones that have been on the Windows side for a long time, but there's other ecosystems. Tell me about what's going on in the Apple side of things.
Jason Dettbarn: Yeah. The Apple device management business has been in BYOD [bring your own device]. I think [BYOD] has been the way most people have absorbed it for the last few years. But in the last two or three years, it's blown up. Every organization, from every enterprise to SMB, has a good number of Macs. Typically, for our MSP partners, they're usually check writers. They're the ones in the boardroom. And we need to make sure that [the Apple technology is] being managed as best as possible. There's a lot of growth within the Apple space, especially with the latest Apple M1 systems that are out there.
Apple OS vs. Windows management approaches
Sobel: We're both engineers by background, so we can take a little bit of that [perspective into this discussion]. My understanding is the Apple approach is very different from the Windows approach in the way devices are managed. Apple is far more focused on what I would term 'configuration and policy management enforcement' than what Windows does, which is more like automation control and execution. Is my perception right?
Dettbarn: You are spot on. This is the first interview where anybody's asked me that particular question. When we go back in time to when Addigy started, the only way you could manage a Mac was you had to have an agent on the device and you had to manage it through that mechanism, which gave you a pretty open palette for how you [could] do things. For us, it was about configuring the device and delivering a service.
But two years ago, Apple said, 'If you're going to have full control of this device, you're going to have to have it enrolled in an MDM, mobile device management.' Well, every MDM that was built at that time was designed for a phone, not for a computer, the workhorse of an organization.
So, it's that culmination where every MDM you're going to look at is about configuring the device and that's one leg of that stool. But it's [also] about delivering the best experience for the end user, the best security, and making sure the system is always in compliance. [Those areas are] what we really focused on.
Sobel: Okay. It's that architectural difference, which is more of a choice, right? Because particularly if I'm thinking about this from an Apple perspective -- and by the way, I'm a Mac user myself -- the Apple, the Mac OS, was managed via an agent-style approach. Apple, being Apple, put [the] sledgehammer down and said, 'No, you're going to switch this style and move to a configuration approach.' But those are all engineering decisions that theoretically would also be paralleled over on the Windows side, if so chosen, correct?
Dettbarn: Correct. We're not focusing on Windows at all, but that's something that you're seeing with Windows Autopilot, with [Microsoft] Intune, and being able to provide that automated out-of-the-box provisioning, which is very similar in Apple's MDM style. So, it's the same sort of piece that is being brought over to the Windows side.
The thing that's been lacking on the Apple side is identity. Remember, they still have that consumerized view, where the end user logs in with their own credentials and they approve software to run or not run. That's where you really need the MDM. If you want security software to run, then you need an MDM to not only deploy it but bless it to do its job on the device. Otherwise, the user has full control over whether that software is going to be [allowed to] do its job or not.
Sobel: Okay. Now, you brought it up, and I want to ask [about] Intune. I'm super intrigued with that approach. How do you think about Intune? Competitor? Complementary? Coopetition? How does Intune fit into your ecosystem?
Dettbarn: Absolutely complementary. We work a lot with Intune. It's about trying to find ways, from a partnership perspective, that we can completely align there. We're not fully there yet from a technical perspective, but [Intune's] Apple MDM has a handful of operations it can perform. It can't do patching. It can't deploy software directly onto the machine. There's a lot of gaps there, and [Intune] is going to be very, very focused on the Windows stack itself. We believe it's highly, highly complementary.
RMM security risks
Sobel: Okay, that makes sense. Everyone knows I've been very critical of this technology space recently because of the fact that I think it's become a vector of attack more than a management tool.
Now, some of my thinking is also that switching to a configuration approach actually minimizes that [attack vector] because, rather than running code, you're enforcing configuration, which are different risk levels.
Tell me your take on the risk of [RMM software] being an attack vector. You can think about your own [software] in this context. What's your take on being an attack vector now?
Dettbarn: I think there's a few approaches to that overall. You're exactly right. Forrester's paper just came out a couple of weeks ago, and they really [focused] on the security of a Mac. I think a lot of that is branding, where there has just not been a tremendous amount of devices out there. Apple does a very, very good job of trying to stay on top of security with the Mac itself, but they obviously are distracted from the end user and that identity and access management of devices.
My point is that it really comes down to having the ability to move as a cloud vendor. If we have a problem at a security level, we can address that very quickly from a cloud perspective. We maintain the identity access manager for the end user, and you build those layers of controls at a multitenant level. I completely hear what you're saying, and it's only going to get more challenging on the Apple side. But from an engineering perspective with MDM, there is absolutely no way to provide any security and management without doing MDM itself. And then you really need to go above and beyond that, because you have to make sure the system is always in compliance and stays in compliance.
Configuration-based management
Sobel: So, my working theory is that a configuration-based approach to management -- meaning enforcing a set of policies as a minimum versus trying to protect every endpoint -- is the strategy we need to be moving to as management companies. It's the only way to get to zero trust, where we're not an attack factor. Am I right, or am I wrong?
Dettbarn: You're absolutely right. So, on the internal IT side of the house on Windows, it's about the user itself. When [users] sit down in front of any computer, only once they've logged in do they get what they need on that machine. Period. That's been great.
On the MSP side of Windows, we actually just focused on the device itself. It was all about the device, device, device.
And that's actually where Apple is at, in a way, which is a problem, which is, 'I can configure the device [but] I don't know who's on it.' For example, if you take the serial number off of a computer, you can put that into a VM and provision that configuration management without anything as far as security for the system itself. It's serial-number spoofing. It's not very good.
We need to make sure that [when] you put a computer out of the shrink wrap in front of an end user, yes, every MDM can do zero-touch [provisioning], but can it ensure that when that user logs in, they're going to get just what they need to be doing because they're in an engineering department or finance department? If they switch roles, if they move out of the organization, it's about focusing on the user and how that ties to the device itself for what they need.
How cloud services fit in
Sobel: Okay, I love that. So, you said this: The approach had been endpoint management without representing the user. I think one of the things I've advocated for is that we need to have the concept of a user within these management platforms.
Let's extend that one step further then. How do cloud services fit into your vision of management? Because again, we're still talking at a device level here, but now we know that there's this other component that we have to manage. It used to be like an email server was a device [and] now it's not. Now it's a set of [cloud] services. How do services fit into your vision of management?
Dettbarn: It's collective. So, we're a Google organization. [Google is] our IdP [identity provider]. Anything we buy and use has to tie into Google with MFA [multifactor authentication]. That is the base. We have to have that. If not, it doesn't fit into our IT organization. I think that's how most large internal IT organizations roll.
Back in the early days -- I came from CA Technologies -- these tools became more commoditized and able to deliver that power without the complexity. I think we're going to see this on the SMB side. We have to provide SMBs that capability so all their cloud utilities have that IdP, and then the vendors that they choose also have to tie in properly to those organizations.
Let's use your zero-trust scenario. IT has owned the credential side of the house. One thing I've always looked at in the future is that it's really HR. HR is all that matters. We can see in the future, whether it be BambooHR -- that's a customer of ours -- or Workday or others: You sit in front of a computer; you don't have a password yet; [and] we identify and validate that you are who you say you are with something better than a password and MFA. That sees the entire organization, your access to all your tools. And your status at an HR level is what dictates everything. But IT has owned that [function] because HR didn't have the infrastructure. But it takes a lot of time for these changes to move through organizations in my opinion.
Sobel: Yeah, but I think what we're seeing is that that move is happening really fast because of the push to the cloud. I know, on the show, I harp constantly about, 'Oh, be in the business value. Be in the business value.' Your statement of, 'Well, that moved from IT to HR' is that it's moved from a technical component to a business function. For those listeners, that's what I mean. You need to be over on the business side of this because this is an HR function.
Dettbarn: Exactly. I was in the on-premises side of the house, at CA, Kaseya, etc. You're managing 10 different versions of software out there over years, and you cannot be as quick to deploy security-based enhancements. I look back, and you have to be able to do a cloud perspective. Even as a founder, I understand how my customers are using my product, how we can make it better, where there are problems. It's extraordinarily important to have that and be able to tie into the right tools within your organization.
Why SMBs lag in migrating management systems to cloud
Sobel: I'm going to give you one last scenario, and we're going to poke at it, because I want to know your thinking on this.
I'm working on a lot of thinking around what the SMB of the future looks like, or even the SMB of the present. One of my most popular pieces on my YouTube channel is a piece called, "If I was starting an MSP today." The obvious [parallel] that I'm thinking about is, 'If I'm starting an SMB today.' If we're starting an SMB today -- I've started one recently -- you check the checkboxes for cloud service after cloud service after cloud service, right? My accounting is in the cloud, my commerce system is in the cloud, my line of business is in the cloud -- everything. Check, check, check, check, check. That seems like a very modern approach.
And then we have this whole space of digital transformation, which is trying to get people that have been around a while to look like that.
But my take here is that the management of those systems focused on the SMB has taken a long time to even get traction. What's your take on that statement? Am I right, and why is it being held up? Why have we not moved toward that at the speed I think we would want?
Dettbarn: I mean, [my take is] not very provocative. It's people, in general. I think you've probably predicted -- everybody has predicted -- that the iPad was going to take out the Mac, or [similarly the] Surfaces and everything else. There's an inevitability to those things, at least as being a central hub for your computing experience. But we're slow to change as end users and especially as operations teams.
At the end of the day, HR is never going to fully own the keys to the castle. They're going to have the systems in place and manage it, but IT will still own it.
The major difference is people are a disruptive factor, where changes are hard.
Where Apple management tools should go next
Sobel: Last question then. So, you're in this space that is getting a newfound attention, the community at large being both customers and IT providers. I always keep this magic wand on my desk, and if I hand you the magic wand and say, 'You can wave it on those that are using your technology and you [can have them] do one thing differently,' what would it be?
Dettbarn: That's an interesting one. I think it starts with a couple of Apple tools, in general, and then I'm going to talk about one thing that I think we may not see eye to eye on. But I'm going to touch on it anyway.
So, the first part is using Apple Business Manager and identity tools. Apple Business Manager gives you that ability to provision that device out of the box. It provides the highest level of security, and more so if you have a problem with the device, you can really hit a button, wipe it and rebuild it. Most of our customers use it, but they've got to get their own end users on board with it and enroll. That's key No. 1. It's not a huge aspect of it.
The next piece is automation. This is that topic that I know is probably a little interesting. But the way I look at it [goes] back to the early days of Addigy itself. We took a DevOps approach of doing things. Administrators themselves, they want to get things fixed and get them done. We take that engineering approach that a lot of organizations do with DevOps. With Netflix, they have a [chaos engineering] utility called Chaos Monkey that they run randomly to take down infrastructure. They have to go set that infrastructure back up turnkey. We want to be able to make sure that there is that level of automation that ensures that things get provisioned the right way, but also [addresses] the repetitive remedial tasks that people are doing on a constant basis.
I think it's really important to look at automation not as a flip of a switch, because that's impossible, but as a culture of trying to drive more speed with how you do things. And it doesn't have to actually be completely solving a problem. We're the only monitoring, remediation-based tool within the Apple space. If we have a problem on a machine, maybe we can't fully fix it. But if I take a snapshot of the disk and take a look at the processes running, and that's logged in a ticket that I look at a day later, I've got all this relevant information I can use. And maybe I can evolve my automation, and we can get certain aspects better for the end-user experience and for the scalability of the MSP.
Sobel: I don't disagree with it, but I will tell you that that will be a really hard wish to give to the genie.
Dettbarn: It's a culture. Little by little. I know it's a hard thing, but when you have a culture in a team where they can chip away at that over time, it really changes the way you deliver IT.
About the author
Dave Sobel is host of the podcast The Business of Tech, co-host of the podcast Killing IT and authored the book Virtualization: Defined. Sobel is regarded as a leading expert in the delivery of technology services, with broad experience in both technology and business. He owned and operated an IT solution provider and MSP for more than a decade, and has worked for vendors such as Level Platforms, GFI, LogicNow and SolarWinds, leading community, event, marketing and product strategies, as well as M&A activities. Sobel has received multiple industry recognitions, including CRN Channel Chief, CRN UK A-List, Channel Futures Circle of Excellence winner, Channel Pro's 20/20 Visionaries and MSPmentor 250.