Once you have secured and configured devices to work with your environment, it’s time to turn your attention toward delighting your coworkers! This is where you go from just being another rude IT hack who’s locking down devices to actually becoming a world-class awesome human (or at least someone with a tad bit of empathy) that people are genuinely excited to be in an elevator with. To begin this journey, step 1 is always to think of your users as your coworkers, as our friend Emily from the Mac Admins Podcast says.
Therefore, when we think about customizing the user experience, we think of it as putting access to the resources our coworkers need to do their jobs front and center, without putting any unnecessary obstacles in the way. We want to do so efficiently, automating as much as we can in order to delight our coworkers. We want to give freedom, but without putting people at risk. As we covered in the last chapter, each organization has a different posture when it comes to securing devices, but rarely will you hear people complain that you actually paid attention to what they thought.
If we do our job, the first thing most of our coworkers will do is take an Apple device out of a box, join a wireless network, and then get a bunch of stuff on their device. What happens next is still based on the platform and, in some cases, whether you’re in a school or company.
Getting iOS and iPadOS Devices in the Hands of Users
Supervised: The MDM is in total control of the management of the device, and the device cannot be unenrolled from the MDM. Push deployment of apps and media does not require the device’s user to consent.
Unsupervised: The MDM is managing the device, but the user is ultimately in charge because they can remove the MDM profile from the device and unenroll. While enrolled, push deployment of apps and media requires user consent.
For most companies, schools, and institutions, supervision of devices is the preferred method because it allows the mobile device to be completely managed without user consent. DEP makes this easy for those organizations by enabling devices to be automatically supervised once enrolled with the devices’ associated MDM server. This allows for a very streamlined process of getting the mobile device out of the shipping box and into the users’ hands, because the device can be set up with the desired configuration almost as soon as it powers on and communicates with a network for the first time.
For those organizations which can’t use DEP for whatever reason, supervision is still possible by using tools like Apple Configurator to put iOS and iPadOS devices into supervised mode and enrolling them with the organization’s MDM server. It’s more work for that organization, but ultimately the same outcome: a mobile device which is completely managed by that organization’s MDM.
macOS
For macOS, the process is a little more complicated. Supervision as its own management concept on macOS has only become possible starting with macOS Catalina, where all DEP-enrolled Macs are set as supervised by default, with refinement in macOS Big Sur and later, where all MDM-enrolled Macs are set as supervised by default. Meanwhile, it’s possible to use means other than MDM to configure Macs, which is by itself unheard of in most mobile device environments. Instead, scripts, installer packages, and other means to deploy settings and files are available options on macOS. Let’s take a look at how Mac admins can use MDM, configuration profiles, scripts, installer packages, and other means to build on Apple’s work and provide an intuitive and customized user experience for their own environments.
Planning the macOS User Experience
- Acceptable use policies that the user needs to agree to before using company equipment
- Branded desktop background image
- Branded word processing, presentation media, or spreadsheet templates
- Whether or not the user will have administrator privileges
- Organization-specific mail server settings for email clients
- Organization-specific bookmarks for web browsers
1. Apple can make changes between OS versions which can make applying certain settings more difficult.
2. The more the user experience is governed by Apple’s defaults, the less time the Mac admin will need to spend on managing it.
In general, we recommend managing what’s required and leaving everything else alone. Both your users and you will be better off for it.
Transparency Consent and Control Protections on User Home Folders
A. You’re logged in as the user in question.
B. The process or tool writing to the location has been allowlisted using a Privacy Preferences Policy Control profile. (More information on these profiles can be found in Chapter 4.)
This does not mean Mac admins won’t be able to make changes to the user home directories, but it does mean that admins won’t be able to just drop a file into place. Instead, alternate methods may need exploring.
Using Profiles to Manage User Settings
The user experience of applying this profile is that the home page setting in Safari is filled in with the requested website. It is also grayed out to indicate that the setting cannot be changed (Figure 11-2).
The fact that the end user can’t change the Safari setting highlights one of the characteristics of profiles, which is that by default their settings are designed to be enforced and not allow the user to change them later. Depending on the requirements of your organization, this characteristic of profiles may be advantageous or be a drawback.
An advantageous characteristic of using profiles to manage settings is that they can be used to apply settings which would otherwise be blocked by the user-focused privacy protections. This is because profiles are using Apple’s frameworks to apply these settings, rather than trying to write directly to a file stored in the user’s home folder.
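As an added example (not the book’s own profile, and not the one pictured in Figure 11-2), the shell function below generates a configuration profile that manages the Safari home page through the managed-preferences payload. The preference domain com.apple.Safari, its HomePage key, and every identifier and UUID are assumptions or constructed placeholders; replace them before deploying. The value is XML-escaped before it is interpolated so that a URL containing & or < cannot break or alter the payload structure.

```shell
#!/bin/sh
# Added example: build a .mobileconfig that forces the Safari home page
# using the managed-preferences (MCX) payload type.
# Assumptions not taken from the chapter: domain com.apple.Safari, key
# HomePage; identifiers and UUIDs are constructed placeholders (regenerate
# the UUIDs with uuidgen before use).

# Escape the five XML-special characters so an attacker-controlled or merely
# odd URL cannot inject extra keys into the plist.
xml_escape() {
  printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g; s/"/\&quot;/g'
}

# Print the profile to stdout. $1 = home page URL, $2 = organization name.
make_safari_homepage_profile() {
  url=$(xml_escape "$1")
  org=$(xml_escape "${2:-Example Org}")
  cat <<EOF
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>PayloadType</key>
      <string>com.apple.ManagedClient.preferences</string>
      <key>PayloadIdentifier</key>
      <string>com.example.safari.homepage.mcx</string>
      <key>PayloadUUID</key>
      <string>11111111-2222-3333-4444-555555555555</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
      <key>PayloadContent</key>
      <dict>
        <key>com.apple.Safari</key>
        <dict>
          <key>Forced</key>
          <array>
            <dict>
              <key>mcx_preference_settings</key>
              <dict>
                <key>HomePage</key>
                <string>${url}</string>
              </dict>
            </dict>
          </array>
        </dict>
      </dict>
    </dict>
  </array>
  <key>PayloadDisplayName</key>
  <string>${org} Safari Home Page</string>
  <key>PayloadIdentifier</key>
  <string>com.example.safari.homepage</string>
  <key>PayloadOrganization</key>
  <string>${org}</string>
  <key>PayloadRemovalDisallowed</key>
  <true/>
  <key>PayloadScope</key>
  <string>System</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>66666666-7777-8888-9999-000000000000</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>
EOF
}

# Usage: make_safari_homepage_profile "https://intranet.example.com" "Example Org" > safari-home.mobileconfig
```

The Forced array is what produces the grayed-out setting described above; the managed-preferences payload also accepts a Set-Once array, which seeds the value but lets the user change it afterward, so choose between the two according to whether the setting is a requirement or a convenience.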
Using Scripts to Manage User Settings
Running this script as part of your provisioning process will ensure that the Mac will have the desired Energy Saver settings applied by the pmset command-line tool. However, unless the script is rerun later, the user won’t be restricted from modifying the Energy Saver settings themselves.
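Because a script applies settings once and does not enforce them, it is worth pairing the apply step with a check that reads the live values back. The script below is an added example, not the book’s own; the Energy Saver values and the `pmset -g custom` output it parses are constructed for illustration. The drift check is the part a practitioner would run again later (for example from an MDM inventory script) to find Macs whose users have changed the settings.

```shell
#!/bin/sh
# Added example: apply Energy Saver settings with pmset and detect later drift
# by parsing `pmset -g custom`. Values below are a constructed baseline.

# Desired AC-power settings, one "key value" per line (keys without spaces;
# multi-word keys such as "Sleep On Power Button" are not handled here).
DESIRED_AC="displaysleep 15
disksleep 10
sleep 0
womp 1"

# Constructed sample of `pmset -g custom` output, shaped like the real tool's
# output: a "<Source>:" header line followed by indented "key value" lines.
SAMPLE_PMSET="Battery Power:
 lidwake              1
 displaysleep         2
 sleep                1
AC Power:
 lidwake              1
 displaysleep         15
 disksleep            10
 sleep                0
 womp                 0"

# Apply every desired pair for AC power. Needs root on a real Mac.
pmset_apply() {   # $1 = desired text
  printf '%s\n' "$1" | while read -r key val; do
    [ -n "$key" ] && pmset -c "$key" "$val"
  done
}

# Extract "key value" lines for one power source from pmset output on stdin.
pmset_section() {   # $1 = "AC Power" or "Battery Power"
  awk -v want="$1" '
    /^[A-Za-z ]+:$/ { sec = substr($0, 1, length($0) - 1); next }
    sec == want && NF == 2 { print $1, $2 }
  '
}

# Compare desired pairs against the live section; print one line per drifted
# key and return 1 if anything differs, 0 if the Mac still matches.
pmset_drift() {   # $1 = section name, $2 = desired text, stdin = pmset output
  actual=$(pmset_section "$1")
  printf '%s\n' "$2" | awk -v actual="$actual" '
    BEGIN {
      n = split(actual, lines, "\n")
      for (i = 1; i <= n; i++) { split(lines[i], kv, " "); have[kv[1]] = kv[2] }
    }
    NF == 2 {
      if (!($1 in have)) { print "drift: " $1 " expected " $2 " got <unset>"; bad = 1 }
      else if (have[$1] != $2) { print "drift: " $1 " expected " $2 " got " have[$1]; bad = 1 }
    }
    END { exit bad + 0 }
  '
}

# Usage on a Mac (as root):  pmset_apply "$DESIRED_AC"
# Later, to audit:           pmset -g custom | pmset_drift "AC Power" "$DESIRED_AC"
```

Run against the constructed sample, the audit reports that womp was changed from the desired 1 to 0; on a real Mac the same output tells you which devices need the provisioning script rerun or, if the setting must stick, which ones need the value enforced by a profile instead.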
Modifying the macOS Default User Template
Macs can have multiple accounts. Each new account gets a unique home directory, and so each user can have a different experience with a system. These home directories are created from a template directory provided by Apple, and it is possible to customize the template for new user home directories in order to provide a similar user experience to each new user account. The user templates are available at /System/Library/User Template on macOS Mojave and earlier and at /Library/User Template for macOS Catalina and later.
If you are considering altering the default user template, think long and hard about alternative ways to accomplish your goal.
For those not experienced with how permissions and settings work on macOS, modifying the user template directory can be a quick and effective way to give both you and your users weird and difficult-to-diagnose problems.
Everything past ~/Library/Application Support does not exist by default in the User Template directory, but creating the missing directories inside the template and moving the Office template files into them would allow your users instant access to those templates.
Customize the Desktop
Another example of modifying the user experience would be to put a “Welcome to the Company” PDF on the desktop. Chances are your organization will have a bunch of forms and documents that new employees need to sign, agreeing not to abuse the Internet in your office or steal intellectual property. I like putting fun company facts up front and then at the end of that PDF maybe links to set up any accounts or eSign any forms at the bottom. This small way of crafting the onboarding experience can go a long way, and it’s as simple as putting a PDF in the Desktop directory of the appropriate user template prior to creating user accounts.
Customize the User Preferences
User preferences are usually stored in a property list, or .plist, file. While you can customize the preferences stored in the user template directory, first try to customize the setting using a custom profile in the MDM of your choice. Once you’ve determined you can’t customize settings in the way you want using MDM or via a script, an alternative approach is to configure the setting on your Mac and then find what preference file changed. Assuming it’s a user setting stored in ~/Library/Preferences, you can then load the file into the Preferences directory of the appropriate user template to push it out to new user accounts.
This is a place where customizing the experience on an iOS device is substantially different from doing so on a Mac. We’ll look at managing the home screen to provide an awesome user experience for iOS in the next section of this chapter.
Configure the iOS Home Screen
The home screen is how we interact with an iOS device. Pushing a specific home screen configuration allows you to customize that experience and make it easier for people to get at what they need.
The right layout will be different for everyone. But usually you’ll see an expense app, Maps, the camera, a line of business app like Salesforce, the Calendar app, an app to access your contacts, and any apps to access your organization’s documents (e.g., Dropbox, OneDrive). Keep in mind that you want your coworkers to still like you and to have a great experience with their devices, so leaving some nonbusiness apps up front and center will help with that.
Once you’ve crafted the best experience for the humans who will be using your devices, click Apply to make the change and see your app badges move.
We reviewed how to do this with Apple Configurator, but most MDMs support similar functionality. The look and feel will be a little different, according to the device management tool you’re using, but the experience usually looks similar to the one shown in this section.
Custom App Stores
Jamf Pro (Figure 11-5)
Munki
Most of these applications look and work in similar ways, where the user can launch the self-service application and make their own choices from what’s available to either install an application or run a particular task.
In many cases, these self-service tools can also be branded with your company, school, or institution’s official logo. This helps build trust in your user community for using the tool in question, since it is visually affiliated with your organization.
Test, Test, Test
In Chapter 3, we looked at building profiles, which can be used to customize settings on devices. In Chapter 4, we looked at pushing those profiles out through MDM. In Chapter 9, we talked about testing. But it’s worth reiterating that every change to the user experience should go through regression testing. The information from Chapter 9 will help guide you to making sure that the desired state of devices after a test matches up with the state you actually end up with.
Summary
One of the best parts of administering Apple devices is the elegant user experience that they come with out of the box. As administrators, it can be tempting to lock down systems and customize this experience until the native experience is barely recognizable. Don’t do that.
Instead, take a page out of Apple’s notebook and try to delight your coworkers. Yes, we said coworkers and not users. When you think of how you can give them what they need without restricting them in ways that destroy that elegantly crafted user experience, you will make friends, grow the population of devices on this platform you (hopefully) love, and likely get more budget to do even cooler stuff. Now that the devices are in a secure and predictable state, we’ll spend Chapter 12 reviewing how to customize the online experience and gate access to various SaaS services based on whether the device meets the security posture of your environment.