The difference between Managing Apple and Windows Devices in Business
How businesses manage Apple and Windows Deployments
Windows has been the go-to platform for businesses for years, helped by the ability to buy from a vast selection of devices from different manufacturers and by Microsoft releasing new versions of the operating system, from XP all the way up to Windows 11. This has been further aided by Microsoft's email and storage platform, Microsoft 365, which allows businesses to set up professional email as well as store and share files in the cloud. Active Directory adds to this by letting you create an account that gives users one password for their computer, server and email, and the ability to log on to any company device on the network. Microsoft has also updated how devices are managed in business with the release of Intune and Endpoint Manager, allowing IT to centrally deploy devices and apps as well as set device configuration.
Apple, however, has for years focused on the consumer market. Although its first product was a Mac, Apple has only put a focus on the business market over the last few years. Apple offers Apple Business Manager for free, allowing you to deploy apps and devices. By enrolling your devices into Apple Business Manager you can deploy them through an MDM (Mobile Device Manager) to get devices set up easily and manage them effectively. There is also a belief that Apple devices are built primarily for the creative sector. However, with recent advancements in Apple Silicon and the use of an MDM, this is no longer the case.
So what are the main differences between deploying Windows and Apple devices in a business? What are the pros and cons, and can the two methods work together?
Let's start by looking at Windows.
Windows devices are the most commonly used devices in business for many reasons. Devices tend to be cheaper to purchase outright, Microsoft 365 offers professional email and cloud storage, and it is generally the way IT has been run for decades. Microsoft now offers its users the Windows OOBE (Out of Box Experience), which works with Windows Autopilot. This allows IT to buy a device, find its serial number and upload it to Endpoint Manager, then erase the device. The user is then presented with the company's sign-in window, signs in with their Azure/Microsoft 365 credentials, and the company apps and configurations are deployed. IT will need to configure the OOBE beforehand, but in general it is a quick process to get users onboarded. However, there doesn't appear to be a way to automatically add the serial number to Intune. Some manufacturers offer an option to set up Autopilot before they ship the device to you. However, they will follow the same process you would if you did it yourself, and it does seem as though the device has to be erased once its serial number has been uploaded to Endpoint Manager.
When it comes to app deployment, Microsoft 365 apps can be deployed easily from Endpoint Manager, but you would expect this when they are built by the same company. This is great for IT administrators, as it reduces the time they spend patching applications. Third-party apps follow a different process. Endpoint Manager doesn't support Win32 app deployment, so apps need to be packaged into the .intunewin file format before they can be uploaded and deployed. IT administrators can download the Microsoft Content Prep Tool to create these files, and there are various articles and YouTube videos online showing how to do this. IT admins also need to create command arguments (switches) for the app configuration when setting up the deployment in Endpoint Manager.
Let's now look at Apple deployments. Apple doesn't have its own deployment tool in the way Microsoft has Endpoint Manager. However, it does have Apple Business Manager and Apple Business Essentials, which can both be used for managing devices, and it acquired Fleetsmith, an Apple-focused Mobile Device Manager, back in 2020. There are a variety of MDM tools on the market, some that support both Microsoft and Apple deployments and some that only support Apple. We are going to look at JAMF Pro, as this is the market leader in Apple device management.
JAMF offers a number of ways to deploy and manage devices. The two most common are PreStage Enrolment and User Initiated Enrolment. PreStage Enrolment allows you to make use of Zero Touch deployments. A PreStage is configured in JAMF, where you specify which Setup Assistant screens the user sees, which configuration profiles are deployed for security and functionality, and which packages are deployed. Then, when you buy a device from Apple or an authorised reseller, they can enrol the device serial number in Apple Business Manager. In Apple Business Manager you can add multiple MDM solutions and specify which one devices should be assigned to, for example JAMF. You can also import devices using Apple Configurator.
This makes deployments easy for businesses, as all the user needs to do is open the box, turn on their Mac and either create their account or sign in. This is made even easier when using JAMF Pro with JAMF Connect, where users can sign in with their existing credentials from Microsoft 365, Google Workspace and Okta, as well as others. This helps increase security as well as improving the end user experience, as users don't need to remember new credentials; they just use the ones they use to sign in to their email. IT can also specify what account type the user is.
When they set up the user, they can specify whether the user is an admin or a standard user of their Mac, without having to remote onto the device and change it manually. This is also the first account that gets created on the device, even if it is a standard user account. This means that if a user logs in to another device in the future, their account permissions will always be the same.
The other option for deployments is User Initiated Enrolment. This is commonly used for BYOD and is where a user goes to their JAMF enrolment URL and signs in. They then download a CA certificate and MDM profile, which enrols the device in JAMF. This requires the device to be set up already, which means that the local user account isn't going to come from the SSO provider such as Microsoft or Google. However, with some setup you could create an erase-and-install script so that the machine is erased and JAMF Connect is then used to create the user account, whilst still using User Initiated Enrolment.
When it comes to app deployment, IT admins have multiple options. For all device types, IT can deploy apps using the Apple App Store. Apple Business Manager lets you purchase free and paid-for apps and assign them to users. You can then scope them to your MDM solution, such as JAMF, and configure which devices you want to deploy to. On Mac you can also deploy third-party apps such as Chrome or Zoom alongside apps from the App Store. JAMF Pro comes with a JAMF-built app called Composer, which allows IT admins to download the app and then package it up ready for deployment. You can then upload the package to JAMF and scope it to devices and users.
Both Microsoft and Apple deployment options give you the option of using your own app store. For Microsoft this is called Company Portal and for JAMF this is called Self Service. Both work in a very similar way, where IT can specify which apps can be downloaded by users. However, with Company Portal, when you want to deploy apps from the Microsoft Store it appears to just create a link that takes users to the Microsoft Store to download them, whereas with Self Service, whichever type of app you deploy, whether from the App Store or a third-party app, the download takes place in Self Service without directing you to another app. Third-party apps from Company Portal, though, are all actioned without leaving the app. With Self Service, if I were to have one improvement, it would be to show the progress of the install. Self Service allows you to deploy more than just apps: you can use it to allow the user to change their desktop background and install printers, as well as a host of other policies and configuration profiles, but no option will display the progress to the user. On smaller tasks such as printer installs this isn't so much of a problem. However, bigger tasks like Adobe or Microsoft 365 app installs, or macOS updates or upgrades, tend to take longer, as the app or update has to be downloaded before it can be installed. The user isn't shown the progress of the task, which can lead them to wonder whether it has failed or got stuck.
Company Portal has some nice options such as compliance policies. You can mark devices as non-compliant if they don't meet certain criteria. For example, you can set up a compliance policy to mark devices as non-compliant if they do not have the latest version of Windows 10 installed. You can also have Endpoint Manager send the user an email if the device is non-compliant; this could be used to get the user to update their machine to keep the device compliant.
In summary, both options have their pros and cons. Endpoint Manager does work, otherwise it wouldn't be used by thousands of businesses worldwide; however, I don't feel it has the same level of capabilities that are offered by JAMF. You could argue that Endpoint Manager is more cost effective as it allows you to manage Windows, Android, macOS and iOS all within one platform. However, Endpoint Manager doesn't manage Apple devices nearly as well as JAMF does, nor does it offer the same level of functionality. JAMF is a platform that has been designed and built purely for Apple devices, so although it is an additional cost, the feature and functionality improvements it offers, as well as the time savings, make it a worthwhile investment.
If we were to compare the two deployment and operating system options for business, I would definitely say deploying Apple devices is the better option. I hope to do another article going into more detail about the difference between Windows and Mac in business, but from a deployment perspective deploying Apple devices is easier. Zero Touch deployments mean that IT doesn't need to get hands-on with the device beforehand; devices can be shipped directly to a user. This improves the onboarding experience and reduces the setup time, even for users moving to a new device.
Security with Apple devices is also far greater. Security out of the box on a Mac is greater than on Windows, but when adding in JAMF Pro, Connect and Protect you take security to the next level. By ensuring that only authorised apps are installed on machines, you increase security for your users and your company data. The introduction of JAMF Connect, allowing businesses to create user accounts on the Mac from cloud identity providers, adds to security but also improves the end user experience.
When it comes to app deployment, for IT this is quick and simple. IT can either deploy apps from the App Store or, on Mac, package the app quickly and effectively and upload it to JAMF to be deployed automatically or by the user. With Windows and Endpoint Manager this process is longer and more complicated.
To conclude, if a company were to choose either Windows or Mac for use within business, I would most likely recommend Apple and Mac, due to the security, user experience, cost effectiveness and efficiency offered, as well as its benefit when supporting a remote workforce. However, both options have a place in business, as offering employees a choice of the hardware they use is proven to increase employee retention and provide a better overall IT experience.