> And Apple’s MDM protocol documentation is far superior (that’s why features are implemented quickly).
In terms of the overall tooling I have to disagree. SCCM is way more powerful than anything Apple has to offer.
In terms of actual MDM "Modern Management" for Windows (Intune), yes that's only in its infancy but it's because most of their customers still use SCCM for most tasks. It's a bit chicken-and-egg.
But Apple's MDM is not great. The password profile is extremely simplified, not able to handle any complexity (example: in our AD, passwords must contain special characters and numbers if they are shorter than 10 characters but don't need to when longer, because we want to stimulate passphrases). Also, as far as I know (I don't work in this scope anymore) it still has no MDM profile to mandate the user installing updates in a timely manner. You can delay them but not force the user to install them. This stuff must be handled with scripting. The MDM app deployment is also very hit and miss, which is why most MDMs do it through their own agent. It works fine when using the Mac App Store, but most apps are not on there and usually there is a need for a customised package anyway.
And on the topic of customised packages, having to go through Apple's notarisation is really annoying. We should be able to just deploy our own signing keys to the machines that we own, and deploy to those machines whatever we want that's signed with our internal key without having to get Apple's OK on it. Sometimes the notarisation service refuses to work for some reason (happens especially with package installers combining code and signing keys from 2 different vendors) and I need to obfuscate the embedded packages to make it work.
So no, in terms of MDM I think Apple is not great for enterprise use cases. If you're a small all-Apple shop and you can align everything with Apple's requirements then you may fare better, but we don't. Less than a percent of our systems are Macs.
> are often much better at code driven workflows than Windows admins.
Yes but Apple does shoot us in the foot sometimes by changing stuff around. I have to say that PowerShell is much more consistent in this manner.
I still prefer Mac but I have to say the enterprise management tooling is just way better on Windows. Apple doesn't really seem to care about enterprise users at all.
Another point is that terrible federated Apple ID system that to this day still requires the UPN to be equal to the email address. In our environment this is different for a reason, and there is no way it's going to get changed just to satisfy an Apple requirement.
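The conditional password rule the comment describes (complexity required below 10 characters, waived for longer passphrases) is simple to express in code even though a flat MDM profile cannot. The following is an added example, not code from the commenter or from any MDM vendor; the minimum length of 8 and the use of `string.punctuation` as the definition of "special character" are assumptions made here for illustration.

```python
"""Conditional password-complexity policy evaluator.

Encodes the rule from the comment above: passwords shorter than
PASSPHRASE_LENGTH must contain both a digit and a special character,
while longer passphrases are exempt from the complexity requirement.
"""
from dataclasses import dataclass, field
import string

# Assumed minimum length (the comment does not state one).
MIN_LENGTH = 8
# Length at or above which complexity requirements are waived (from the comment).
PASSPHRASE_LENGTH = 10
# Assumed definition of "special character".
SPECIAL_CHARS = frozenset(string.punctuation)


@dataclass
class PolicyResult:
    """Outcome of a policy check plus the reasons for any failure."""
    ok: bool
    failures: list = field(default_factory=list)


def evaluate_password(candidate: str) -> PolicyResult:
    """Return whether `candidate` satisfies the conditional policy.

    Rules applied:
      1. Always: length >= MIN_LENGTH.
      2. Only when length < PASSPHRASE_LENGTH: must contain at least one
         digit and at least one special character.
    """
    failures = []
    if len(candidate) < MIN_LENGTH:
        failures.append(f"shorter than minimum length {MIN_LENGTH}")
    if len(candidate) < PASSPHRASE_LENGTH:
        # Short passwords must compensate with character-class complexity.
        if not any(ch.isdigit() for ch in candidate):
            failures.append("short password lacks a digit")
        if not any(ch in SPECIAL_CHARS for ch in candidate):
            failures.append("short password lacks a special character")
    return PolicyResult(ok=not failures, failures=failures)


def evaluate_many(candidates):
    """Evaluate a batch and return {candidate: PolicyResult}."""
    return {c: evaluate_password(c) for c in candidates}


if __name__ == "__main__":
    # Constructed sample inputs for demonstration.
    samples = [
        "correct horse battery",  # long passphrase, no digit or symbol: accepted
        "Abcdefgh1!",             # 10 chars: exempt from complexity, accepted
        "Abcdefgh1",              # 9 chars, no special character: rejected
        "abcdefgh",               # 8 chars, no digit, no special: rejected
        "Ab1!",                   # complex but below minimum length: rejected
    ]
    for pw, result in evaluate_many(samples).items():
        status = "OK  " if result.ok else "FAIL"
        print(f"{status} {pw!r}: {'; '.join(result.failures) or 'meets policy'}")
```

The policy is expressed as ordinary conditionals, so it can be enforced wherever the directory or a login hook gives you a check point; the gap the comment points at is that the MDM profile format itself has no way to carry the "if shorter than N" clause.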