Six Colors

By Jason Snell

Apple in the Enterprise: A 2023 report card

In 2021, device-management startup Kandji approached Six Colors to commission a new entry in our Report Card series focusing on how Apple’s doing in large organizations, including businesses, education, and government. We formulated a set of survey questions that would address the big-picture issues regarding Apple in the enterprise. Then we approached people we knew in the community of Apple device administrators and asked them to participate in the survey. We are especially grateful to the members of the Mac Admins Slack for their participation.

This is our third year doing the survey. Over the last few weeks, we took the temperature of 117 admins, roughly half of whom report that they manage more than a thousand devices. They rated Apple’s performance in the context of enterprise IT on a scale from 1 to 5 in nine broad areas.

Below, you’ll see the survey results, plus choice comments from survey participants. Not all participants are represented; we gave everyone the option to remain anonymous and not be quoted. Though Kandji commissioned this survey—and we thank everyone there for doing so—it had no oversight over the survey results or the contents of this story, which was compiled by Jason Snell and the Six Colors staff.

Overall scores

Apple’s strongest scores came in hardware—Apple silicon Macs are a big winner—and in the company’s commitment to security and privacy.

In most categories, our panel’s view of Apple in the enterprise was on an upswing. The company made large gains in the categories of enterprise service and support and in macOS identity management (its 3.3 average was still fairly low overall, but up a whopping 0.4 from last year). However, Apple took a big hit in the deployment category, which dropped 0.2 to become the lowest scoring category in the survey.

We also asked a couple of questions outside the traditional set. For the second straight year, we asked about the pace of operating-system adoption. There was a big change here, with “quicker than usual” moving from 37% last year to 51% this year. (A decision by Apple to force a Ventura update as a “minor” upgrade may be at least partially responsible—see the comments in that category for the gory details.)

With numerous reports that Apple might be forced to open up iOS to third-party app stores, we asked our panel about what their policy might be toward such app stores. Were they open to supporting them under some circumstances, would they reject them outright, or are they in an environment that doesn’t even allow use of Apple’s own App Store?

More than half of the people who answered said that while they allowed the App Store, they wouldn’t want to allow third-party app stores. In their detailed comments, several expressed concern that any policy ruling that forced Apple’s hand might make it harder for admins to block third-party app stores, which would make them very unhappy. Only 21% of respondents said they would be open to the idea of third-party app stores.

Here’s what Tom Bridge of the Mac Admins Podcast had to say about this year’s results:

“It’s no surprise that folks are thrilled with hardware and appreciative of the privacy work Apple continues to do. I love to see that, good feedback for Apple around that.

“Deployment and Software Reliability take a hit this year. Software Update was a disaster, and that is firmly reflected here. Apple had every opportunity to make that a gain this year, but a late mistake in last year’s 12.3 release which went unnoticed until 12.6 meant a lot of updates were extremely confused this year.

“Continued gains in MDM are the result of Apple making big moves for the future. And last but not least, the future is bright. A solid grade on the hopefulness of admins.”

Read on for detailed results from each category, with unvarnished commentary from panel participants.

Enterprise programs

Grade: B- (average score: 3.5, last year: 3.4)

Mischa van der Bent wrote: “Apple needs to enable their programs in other regions. Currently, the enablement of Apple Programs is mostly limited to organizations in the U.S. For instance, Apple Business Essentials is still not available in EMEIA.”

John Welch wrote: “The programs are fine. At this point, they’re almost in maintenance mode.”

Craig Cohen wrote: “Major commitment and major strides. Work still to be done.”

Marcus Ransom wrote: “This year we saw a big improvement in areas such as MDM, with the introduction of Declarative MDM to macOS, Platform SSO and some additional commands for updating and deferring operating systems. Apple Business/School Manager (AxM), which is the cornerstone of Apple deployment, is still missing some granular controls around Roles, device grouping and API access. Businesses are still hoping for Managed Apple IDs to include features that will support the functionality we know and love in consumer Apple IDs (iCloud Keychain, Continuity etc). The inclusion of Google Workspace for MAID federation alongside Azure AD was appreciated but this still excludes many organizations who use other cloud identity providers.”

Cameron Kay wrote: “Apple School Manager/Apple Business Manager should include warranty start and end date data of all Apple Devices in that Enterprise and MDM vendors should be able to import this data so it can be looked up from the MDM management console.”

Rahul Adari wrote: “Apple has performed really well with ADE [in the] last year.”

Nic Wendlowsky wrote: “Managed Apple IDs are still a messy behemoth, especially for enterprises where consumer Apple IDs have run rampant for years prior to Apple Business Manager being set up. Many consumer-focused features of Apple IDs are still not implemented for MAIDs: iMessage, Sidecar, Universal Control. Additionally, the inability to forcibly log out an Apple ID from a device managed by the claimed domain for MAIDs is a huge factor. There should be better controls to ensure the type of ID that can be logged in to a managed device (regex for the domain and distinguishing between consumer and MAIDs).”

Daniel Woodcock wrote: “The lack of warranty info in Apple School Manager/Apple Business Manager is an odd oversight to still have in 2023. That info should be available for importing into MDM management services/consoles. This should not be up to MDM vendors to manage through legacy GSX API calls.”

Kat Maerz wrote: “Apple has come a long a way, but they still aren’t fully understanding that privacy doesn’t exist in the enterprise. A company owned device shouldn’t have privacy.”

Grant Brinkman wrote: “The progress made towards DEP for Mac OS has been promising, but there are still a lot of workflows that need to be supported better through MDM management.”

Todd Ness wrote: “Managing the OS version on my computers is still a bit of a nightmare. Why can we not get a simple dialog to pop up and force a user to install an update? Microsoft is outpacing Apple here by a long way.”

Stephen Short wrote: “Managed Apple IDs are still a mess for multiple reasons. The primary frustration is that there’s no MDM method to distinguish between personal and managed Apple IDs. If your org’s goal is to prevent personal data from living on company-owned devices, it means that you have to use additional iCloud restrictions (like blocking Photos or Documents syncing) that may result in a poor user experience. Managed Apple IDs also do not support Apple Pay, which would be an excellent feature for company-managed credit cards, and would allow frequent travelers to store boarding passes in the Wallet app associated with the managed Apple ID. Another identity issue with managed Apple IDs is that it’s cumbersome (and explicitly recommended against by Apple Support) to use a managed Apple ID as a Developer ID. If an org enables managed Apple ID federation with Azure AD or Google, any existing Developer IDs associated with your domain have to be transitioned to email addresses not controlled by your org, which is a compliance issue. Support’s suggested workaround was to set each developer as a “people admin” in Apple Business Manager, which gives far too much access to your org. If there was a dedicated Developer role (or better yet, the ability to create custom roles) it would resolve this issue.”

Charles Edge wrote: “In general, we continue to see steady improvement in the services Apple provides for businesses. In some spots, it’s clear that Apple Business Essentials is benefitting MDM developers, as there are features the Apple engineers wouldn’t likely think to build without it. Yet in other areas, where people haven’t embraced how Apple wants devices to be managed, there’s still little empathy and therefore fewer features to work around. We see new features, like SSOE, but many are young and third parties haven’t fully exploited the APIs Apple has made available.”

Craig Doran wrote: “Declarative Device Management appears to solve some important issues with devices achieving a desired state, hopefully in a more timely and consistent state. However, the progress is still behind where I thought we would be when it was announced. The release of Configurator for iPhone is a big step forward in getting Macs into ABM. However, the device management role in ABM should be split to require another role for device removal.”

Jon Crain wrote: “Apple is still lacking in enterprise features like APIs and other IdPs for their offerings. However, there is a tangible increase in the team size and the communication of those inside Apple working on making these things better.”

Jacob Burley wrote: “I’d still love to see opening ABM/ASM up to allow for using more IdPs than just Azure and Google. Even just opening up SCIM would be a huge step in making Managed Apple ID adoption more widespread.”

Søren Theilgaard wrote: “It definitely works very well, but deploying VPP apps to macOS is not always stable, and it’s hard to investigate. So for macOS we always prefer the version from outside the App Store if available (which it often is), like the Microsoft suite of apps.”

Fraser Hess wrote: “I’m mostly happy with ABM — everything works, but there’s not been much innovation recently. I would like to see SAML Single Sign-On and more multi-factor authentication options.”

Rebecca Latimer wrote: “Managed Apple IDs continued to be of limited usefulness. It’s hard to justify using them when they are restricted from so many services.”

David Tommey wrote: “I feel that significant steps have been made inside Apple to improve enterprise performance. Specifically standing up a team that gives enterprise a voice inside Apple.”

Topher Wheeler wrote: “ABM is still too limiting on what you can do with organization owned devices, especially in regards to activation locks that are immensely time consuming to overcome for some fairly common use cases like introducing an MDM after deployment or acquiring devices from third party contractors or from M&A instances.”

James Corcoran wrote: “Apple are doing well overall, but some more integration with corporate identity would really help us. With hundreds of developers, MAID compatibility for Apple Developer accounts would align with our identity and access strategy.”

Adam Tomczynski wrote: “ABM/ASM very stable. Interesting spin on Apple Business Essentials. Provides just the right amount of features, in my opinion.”

Armin Briegel wrote: “Apple is cautiously expanding the scope and functionality of Declarative Device Management. The progress is encouraging, but the limited scope does not yet address most of the challenges with the current MDM protocol. Apple Business Essentials and the attached services of expanded iCloud and AppleCare are still limited to U.S. only. MacAdmins can still not manage subscriptions and in-app purchases from the App Store. The direction Apple is moving is encouraging, and the caution is definitely warranted, but it is still too early to be excited.”

Kevin Williams wrote: “After many, many, (many) years, I don’t think I once had to give ASM or any of the tools I use a second thought. It’s been a long time coming, but the direct use of the tool, and the integration with our MDM platform, really has meant that the ‘it just works’ is finally true.”

Kelly Guimont wrote: “Delivery of programs has been reliable, but some of the messaging around large changes has been confusing or not in line with the magnitude of the update.”

Shad Hass wrote: “Apple has continued to let me down by not releasing any substantive fixes or updates that would alleviate the headaches of managing a fleet of Macs. With OS updates buggier than ever, Apple is still forcing us to be very hands-on when managing Macs.”

Luke Charters wrote: “Everything has felt more stable this year. I am going to complain for the second year running about the lack of Continuity features with Managed Apple IDs. Working in the education sphere, these are sorely missed by teachers in iPad based learning environments.”

Joel Housman wrote: “No complaints from me. I primarily make use of Apple Business Manager, Managed Apple IDs, and MDM APIs. I have noted improvements in expanded MDM features and appreciate the continued improvement Apple is making with their MDM API.”

Fridolin Koch wrote: “With the introduction of the Enterprise Workflow Team, things are looking up, but we have only seen small results so far.”

Bart Reardon wrote: “Business Essentials is not available (yet) in Australia but I was fortunate to see a demo. It has some way to go but looks promising. I would still like to see tighter integration with other services though so that I could log in to Apple Business Manager and from there see our AppleCare Enterprise information, developer accounts, e-commerce portal, warranty information, purchases etc from the one location.”

Alex Jones wrote: “Apple Business Manager is still slow and clunky. Managed Apple IDs are next to useless and still don’t support Okta for SSO and SCIM. We have to “double-federate” with Azure AD as a middleman. Some of the limitations placed on Managed Apple IDs prevent some of our engineers using them for their Apple Developer Program account – usually because of needing app-specific passwords for CI/CD build tools.”

Tom Bridge wrote: “Apple’s Enterprise programs are not a monolith, and some individual items I hold in high esteem (ABM/ASM are a 4, the MDM APIs are a 4), but others need revision and work. Specifically, Managed Apple IDs need the ability to have an iCloud Keychain associated with them to fulfill their promise to the community. Overall, Apple is middle of the pack here, and that’s okay.”

Brad Chapman wrote: “Apple has continued to iterate improvements to Apple Business Manager and the AppleCare Enterprise portal. Apple has also had some missteps, like placing a permanent link to Business Essentials at the top corner of ABM. This sales tool was displayed to ALL customers, even if they had their own MDM server linked, or had far too many devices for Business Essentials to be usable (Apple’s recommended limit was about 500-1000; and we have over 50,000). Roles and Permissions in ABM/ASM need more granularity, and actions need more detailed auditing. Releasing devices is a permanent, irreversible action that needs an audit trail for investigations and disciplinary measures. The first version of ABM in 2018/2019 had this logged and easily accessible. The current version does not—at least, not to the customer.”

Damien Barrett wrote: “Apple has been paying more attention to Enterprise, even if that’s not the conventional wisdom. My experience with their sales team(s) and Enterprise support has been pretty solid, even while it can still be true that Apple’s primary focus remains “consumer first.” Projects like mSCP (a GUI for managing the Security Compliance Project’s baselines) show me they are paying more attention to Enterprise wants and needs. When I asked for help adhering my Mac fleet to a security baseline, Apple granted me a free several-hour session with one of their security experts to help me start to achieve this goal, thereby winning over some members of our usually dismissive security department.”

James Nairn wrote: “They work and are reliable, but not much innovation.”

Edward Marczak wrote: “Apple’s Enterprise management gets increasingly shoddy year over year, frustrating Mac admins everywhere. It seems as if Apple is nearly at the promised land, but never quite gets there. We see where they’re going—which is great!—but the current implementation of management tools, primarily MDM, is just too limited and unreliable.”

Graham Gilbert wrote: “I see the quality of Apple’s MDM engineering getting worse. Managed login items were a trainwreck when they were introduced.”

Rich Thomas wrote: “ABM is fine, still a bit slow at times. Being able to add devices using Configurator for iOS is great (if a little cumbersome still). Would love bulk upload options. Also would like to be able to upgrade managed Apple ID storage for users without Business Essentials.”

Kale Kingdon wrote: “Overall, enterprise programs are still quite solid, but minimal effort has been seen in the last 12 months to improve features in the education sector. Apple School Manager Azure Federation Sync being unable to read class metadata for student users and populate classes automatically, without CSV files, continues to be an ongoing frustration among schools. Managed Apple IDs continue to evolve, but the features and restrictions seem to be solidifying the wall between a consumer device and an organization-owned asset. User-Initiated Enrollment of a personal device in a managed environment allows a consumer Apple ID and a Managed Apple ID to coexist on the same device quite happily, providing the best of both worlds. However, on an ADE Registered, Supervised Device a consumer Apple ID cannot be entered if it’s already provisioned with a Managed Apple ID. This ensures the user cannot download apps, books, music, etc. on a supervised device if the organization wants the benefits of MAIDs. This is inconvenient for average employees of less strict companies, but downright problematic when you expect your users to easily test new apps for productivity workflows or for their educational benefit. It surprises me that the company that envisioned the simplicity of User-Initiated Enrollment, which prides itself on user creativity and freedom, did not see this use case on supervised devices and provide a suitable solution.”

Enterprise service and support

Grade: B (average score: 3.7, last year: 3.4)

James Corcoran wrote: “While the individuals are great, your support requests often go into a black box until you are told to test a beta with very vague release notes. Would like more feedback about our reported issues.”

Mikeal St. Ayre wrote: “It is difficult to gather appropriate info unless you are already in the enterprise ecosystem.”

Marcus Rowell wrote: “Apple’s increased focus on the AppleSeed for IT program is certainly paying off. With Apple opening the program up to a wide range of businesses and enterprises, along with higher resourcing and advocacy, the program has become more accessible and relevant to more Apple Admins. The nurturing of the growing AppleSeed for IT community on the Mac Admins Slack has facilitated a community that shares the identification of changes and issues in beta releases, and coordinates feedback. With clear feedback channels and guidelines for what makes actionable feedback, Enterprise issues are being surfaced earlier in the beta cycles, feedback is coordinated by the community, and Apple is responding earlier and better to the issues faced by those who manage Apple devices.”

James Smith wrote: “There has been an increase over the last 12 months of Apple engineers engaging with admins directly in places like the Mac Admins Slack and I hope this continues into the future.”

Craig Doran wrote: “The surprise of Ventura upgrades being handled as a minor update was a terrible development. It left Mac administrators scrambling to control updates beyond what MDM software update payload restrictions were fully capable of. It required delicate timing and getting the fleet to specific OS levels.”

Søren Theilgaard wrote: “The documentation is very good, but I miss best practices. Apple should be more specific in best practices for implementing management solutions on Apple devices. Sending out commands to have Macs update the OS is really a well implemented and very reliable function.”

Dennis Logue wrote: “Apple’s Enterprise support used to be superior to most other enterprise vendors. The reps that you would get on the phone were always knowledgeable and could typically resolve issues quickly. My experience with Apple’s support has been disappointing this past year. The people that I speak with seem far less competent and haven’t been able to provide clear answers. Apple’s Enterprise support is now about on par with the rest of the industry.”

Alex Jones wrote: “The Appleseed program and enterprise documentation are pretty good. Their human support, however, is not. It’s very difficult to get in touch with the right team. You get passed from pillar to post with each team saying it’s ‘not their area.’ And even when you do get to the right person/team, they usually just say, ‘Sorry, it’s not something that’s supported.’”

Mischa van der Bent wrote: “I’ve had a great experience working with enterprise services and support over the past year. I also wanted to mention that, overall, Apple’s beta programs, documentation, and Feedback Assistant are excellent. I have the feeling that Apple takes our feedback seriously, both from the Feedback Assistant and from the community.”

Graham Gilbert wrote: “The quality of AppleCare is generally low. If we didn’t know people who worked at Apple we would rarely get our issues resolved.”

Kevin Williams wrote: “I always feel there is room to improve here—not that we have a ton of support calls, but it always feels like there is one extra step in the process that doesn’t need to be there. We have a local/regional team that we can call on, but we haven’t really needed much from them this year.”

Jon Crain wrote: “There is a definite push from the teams involved here to make things better.”

Ali Al-Itejawi wrote: “One of the betas was never released and went into public release directly and caused major issues with Recovery. This was an issue that may have been solved if there was an adequate beta testing cycle.”

Rich Thomas wrote: “Documentation is improving all the time, especially with deployment guides. The Mac Evaluation Utility is a fantastic tool and the test plans in the Appleseed program are a great foundation for us. There are still gaps, especially around things like declarative management, but on the whole much better than years gone by. AppleCare can still be a frustrating experience at times, especially for hardware repairs. Still regularly getting connected to agents who suggest going to a store.”

Todd Ness wrote: “I submit feedback and rarely if ever get replies these days. Thank God for the Mac Admins Slack community who figure out and help those of us who cannot focus on the Macs all day everyday.”

Charles Edge wrote: “Appleseed continues to get better (despite a kerfuffle about what accounts might or might not be able to access the program in the future) and we see added active participation in online groups from actual Apple employees with connections to developers who can help evolve Appleseed and Feedback Assistant in ways people are actually asking for them to mature.”

Kat Maerz wrote: “Apple doesn’t own mistakes. The latest update to Ventura is causing major issues on [FileVault] machines. They refuse to own it.”

Kelly Guimont wrote: “My experience with Appleseed and training opportunities has been pretty good overall. I wish there was an option to access recordings afterward for reference.”

David Tommey wrote: “Documentation has improved significantly since last year. More direction and guidance on platform security and management has helped Mac admins.”

Cameron Kay wrote: “Apple is getting too greedy. Every year they put up the price of AppleCare Enterprise Support and reduce what it offers. It used to include extended warranties for Apple Devices and OS Support, but now we have to pay $35k extra for OS support, and next renewal they’re cutting the number of support cases from unlimited to 50 per year. What’s also frustrating about paying for AppleCare OS support is tickets you log bugs about typically never get fixed. So you’re paying a lot of money just to be told you have to wait for the next major OS release and maybe your bug will be fixed. Not acceptable!”

Joel Housman wrote: “We finally bit the bullet and purchased an AppleCare OS Support Agreement in January 2023 which I’ve already made use of twice. Being able to talk to dedicated enterprise-focused staff trained with the expectation that customers who call them are other IT professionals has been a huge time saver for us. Previously, we’d use the same AppleCare+ support numbers that regular retail customers were using. By comparison, calls to Apple take half the amount of time they previously did. We’re immediately able to cut to the chase and attack the problem itself without first needing to jump through all of the hoops they have a retail customer go through first.”

Kale Kingdon wrote: “While the Apple Enterprise Portal (and the wider support structure) is currently going through an update process, it still remains a decidedly poorer cousin compared to other vendors in this space. Staff who contact the dedicated support line for organizations with Apple Enterprise Support Agreements can be walked through any manner of Level 1 issues but the AEP does not show the tickets raised by your users, making it impossible to review the effectiveness of that particular service or follow up with the end users. Similarly bizarre, you are unable to add comments or updates to tickets you’ve individually raised via the portal. The only option is to respond to the generated email chain. The entire AEP feels bolted onto their existing consumer support system, with barely enough features to be acceptable to organizational administrators. Removing Activation Lock from a non-responsive warrantable device is no less painful for organizations as they have to follow the same process as consumers, namely uploading a tax invoice to provide proof of purchase. Ostensibly this makes sense at face value until you consider that not only is the device registered via ASM/ABM (potentially directly from the reseller providing a line of ownership) but also that each serial is registered with AppleCare for Enterprise (ACE), which requires verification of ownership to even set up the agreement. This not-insubstantial edge case causes extreme delays on warranty claims, while under an agreement specifically designed to alleviate them.”

Daniel Woodcock wrote: “Over the last several years the price of AppleCare Enterprise Support has gone up, while at the same time reducing the level of service provided. We should never be in a position whereby we need to justify the cost and necessity of this service to our business leaders, especially when you consider what this service offers to Apple. Many cases we have raised in the past have been linked to platform and OS issues, problems that would not only affect multiple enterprises, but thousands of end users. Beyond the enterprise getting high level technical support, Apple would be getting priceless troubleshooting and test data around beta OS builds and new hardware. The enterprise effectively has been paying Apple to provide them with end-user test data—then, in return, we get “priority” support. The recent limiting to 50 support calls makes us second guess what we will raise up the chain. The “value” in this service needs to be maintained, for the betterment of the platforms Apple and the enterprise manage. We shouldn’t be in a position of having to justify the purchase to our bean counters. Limiting the flow of data that comes up from the enterprise can only negatively impact Apple’s consumer base due to a lack of agility when it comes to picking up on possible platform issues. Greed should not get in the way of Apple keeping their platforms safe and reliable for the Enterprise and consumer bases.”

Marcus Ransom wrote: “The new Enterprise Workflows team at Apple proved their value to enterprise customers right from their inception. Having a deep understanding of the requirements of enterprise IT within the Software Engineering organization has made a noticeable difference. I am keenly looking forward to see how their influence within Apple develops and the positive impact they make to ease of adoption and ongoing management in the enterprise. Apple’s expanded documentation continues to make it easier to get the clarifications required for working within a complex enterprise environment. The improved timelines between new features and supporting documentation is a noticeable difference this year and illustrates the efforts being put in to deliver this. Improved availability of regional-specific documentation is also greatly appreciated for those of us outside the U.S.”

Brad Chapman wrote: “AppleSeed for IT includes meaningful Test Plans and clear requests for feedback. Bugs filed with Feedback Assistant are seeing improved turnaround times and an increased rate of response within the first 7 days. For highly critical bugs that must be addressed within a beta period, the response is also improved. Admins have been advised to write ‘Deployment Blocker’ in the title of feedback that are showstoppers. The KB articles in the series ‘What’s New for Enterprise in…’ with each release of macOS are a positive step toward more release transparency overall. Admins like reading release notes. Please give us more! When it comes to documenting its technology, Apple needs to consider its audience of IT and security professionals. Apple also needs to be more blunt and direct with its audience. Sometimes the reader needs to be explicitly told what NOT to do, or what should NOT be attempted, or what will BREAK if they do X, Y, or Z, or what HAS broken when users try A, B, or C. It’s better to disclose potential issues first and let customers prepare for possible issues, and having nothing happen, than to wait for customers to experience the problem, be caught by surprise, and leave them at the whims of AppleCare. Finally, Apple should be commended for offering training at affordable prices for budding IT professionals. Their testing provider, Pearson, has a lot of room for improvement; the OnVUE app and testing service was awful. The live-proctored sessions were intimidating and testers were not allowed to talk, even if the proctor was satisfied the testing room was empty. Some people need to think out loud, but the live proctors would accuse a tester of cheating simply for talking, and threaten to abort the exam.”

Bart Reardon wrote: “Overall service and support is excellent, especially with the introduction of the device support and management training courses. The only let down (again) is the apparent black hole that is Feedback with its non-intuitive requirements on selecting the right account to send feedback from (for those that have Appleseed for IT and one or more developer accounts) and the cryptic way in which Feedbacks are worded. It’s a failing of the system if the only hope of getting any response at all is if you happen to know an Apple employee and can forward them the Feedback number.”

Rebecca Latimer wrote: “They are definitely trying. The Appleseed beta program is a wonderful resource, but feedback often feels like it goes into a black hole. Meaningful changes only seem to happen when several Mac Admins band together and submit massive amounts of feedback, like in the case of managed login items.”

Damien Barrett wrote: “I have no complaints here. Even while our Mac numbers have not grown at the rate we believed they would, Enterprise Service and Support has remained responsive and optimistic as we work towards building platform-agnostic IT at my F500 workplace.”

James Stracey wrote: “Access to macOS and software betas and associated documentation continues to get better. However, AppleCare is still atrocious.”

Luke Charters wrote: “This is my seventh year working with Apple devices in enterprise environments and the support has never been better. Appleseed for IT and the documentation has been great. My only criticism is that it would be nice if Feedback Assistant could be less of a black hole.”

Nic Wendlowsky wrote: “The lack of documentation for Device Management preference keys for Ventura has been very frustrating. Still, seeing the deprecated System Preferences keys with no new equivalents for System Settings is unacceptable.”

Armin Briegel wrote: “We saw the benefits of the AppleSeed for IT program last year, when MacAdmins identified an issue with the new update mechanism from Monterey to Ventura. Apple reacted quickly to address the problem with the 12.6.1 update. The nature of the problem remained frustrating, but this shows that Apple was listening and ready to act where necessary. Management options for the new login items were also missing in early betas and added after requests through the AppleSeed for IT program. The Platform Deployment and Security Guides remain a great resource and are regularly updated, as are the new Training courses for IT. I still wish Apple would expand these documentation efforts into some other areas relevant for Apple admins and developers, such as creating installer packages, configuration profiles, and the various useful, but often poorly documented command line tools.”

Anthony Reimer wrote: “Apple gets top marks for hiring more excellent people from the Mac Admins community to work on a team that has given admins more of a voice in the development process. For example, the Login Items notifications introduced in the initial Ventura beta were rightly called out by admins as too noisy. That new team at Apple helped admins be heard, giving us a much better result when Ventura shipped. The documentation that Apple is producing is great. My only quibble is with Feedback Assistant, which can feel like a black hole sometimes—but even then, the addition of flagging a submission as a ‘Deployment Blocker’ is Apple’s way of finding out what’s stopping people from upgrading to the latest version of the OS.”

Tom Bridge wrote: “Appleseed is moving in the right direction, but making this a ‘secrets inside’ program that can’t be discussed cleanly and clearly in public seems to be erring on the side of secrecy for no good reason. While Feedback Assistant is significantly better than in previous cycles — thank you for the automatic sysdiagnose inclusion — there’s still work to do to make this better.”

Stephen Short wrote: “Apple is continuing to improve communication to Apple admins via the AppleSeed portal, and I think their outreach efforts at conferences like JNUC are appreciated.”

Jason Broccardo wrote: “The AppleSeed for IT program is worthwhile but it seems like we get better unofficial AppleSeed support through the private channel in the Mac Admins Slack. This is a pattern with Apple — the official channels can be opaque, but if you know the right backchannel you might be able to get an answer. I appreciate the Apple employees who spend their time answering questions, but I do wish the information and details were made publicly available for a larger audience. I greatly appreciate the improvements Apple has made to their enterprise-centric documentation the past few years. I consult both the Platform Deployment Guide and the Platform Security Guide almost weekly. They are both wonderful resources and I encourage Apple to make more technical detail like this available.”

Edward Marczak wrote: “Apple doesn’t seem to take feedback seriously, act on it in a timely manner, or seem to understand the view from the front lines. The latter is the most frustrating, as it amounts to, ‘you’re holding it wrong.’”

Vaughn Miller wrote: “The formation of the Enterprise Workflows Team at Apple has been a positive development so far. A big ship turns slowly, though.”

Fraser Hess wrote: “The Appleseed beta program is a must-have for any Mac admin. Documentation is improving. But Apple is still too secretive. Many bug fixes and some impactful changes are not properly disclosed. I’m not as down on Feedback Assistant and the feedback process as some—I have had bugs fixed this year—but Feedback Assistant needs work.”

Hardware reliability and innovation

Grade: A (average score: 4.4, last year: 4.4)

Luke Charters wrote: “In the education space, the value proposition of the M2 MacBook Air and the 10th Gen iPad just isn’t there when their predecessors are still available.”

Rich Thomas wrote: “Apple Silicon is still doing great, we’re really happy with the performance and reliability of our devices on the whole. Innovation is hard to quantify here, but there aren’t many missing features for us… Maybe webcam upgrades?”

Mischa van der Bent wrote: “At the beginning of this year, I started working with the brand new 14-inch M2 MacBook Pro, and let me tell you, what a game-changer it has been! Apple continues to surprise me with the reliability and speed of their Apple Silicon machines. And just when you think it can’t get any better, they come out with the new M2 series. Let’s not forget about the new iPad Pro M2 – connect it to an external screen and you’ll almost forget that you’re using iPadOS instead of macOS!”

Christian Lambert wrote: “Hardware reliability and innovation is strong for Mac due to Apple Silicon. Outside of SoC design, innovation is lacking across the board. Always has. More focused on refinements.”

Charles Edge wrote: “Our organization experienced zero failures this year, despite my sincere suspicion that plenty of devices were dropped, got wet, and were in general mistreated.”

David Tommey wrote: “Apple devices have been the most reliable and, with the move to Apple Silicon, most performant in our organization.”

Jason Broccardo wrote: “Apple Silicon continues to be wonderfully built hardware.”

Søren Theilgaard wrote: “Apple Silicon has changed the hardware game for Macs, and M2 is just awesome! These Macs simply just work, they are silent, have a great display, a great keyboard and the best trackpad on the market.”

Marcus Rowell wrote: “Apple’s custom silicon effort is still simply spectacular. The transition to Apple Silicon exceeded expectations and keeps going. Simply amazing. The rest of the industry is still gobsmacked. Great incremental improvements across all products.”

James Smith wrote: “Apple’s recent hardware has been excellent. The performance increase between the M1 and M2, while not as impressive as the difference between Intel and M1, was a modest improvement.”

Kelly Guimont wrote: “Apple Silicon has been great, and I look forward to where it might go!”

Kevin Williams wrote: “Anything is better than the butterfly days, but we still see a fair number of display/ribbon cable issues with the laptops. Airs AND Pros of any type – I think the move to super thin displays leaves zero bezel and any slight bump in the bottom of a bag seems to set them off to failure. Never had any of these issues with the OG 101’s with the CD drives (not that I want to go back to 5 pound laptops, but..) or the Air with the 1″ bezels. Our 9th gen iPads for the students and iPad Airs for the teachers have been solid, and we were happy they did not get rid of the 9th gen with the price increase for the 10th gen. We also use the Logitech Rugged Keyboard case Apple sells for education (without touchpad) and that really makes the device work for everyone.”

Brad Chapman wrote: “Apple Silicon Macs are insanely powerful and appear capable of delivering on Apple’s vision of a seamless user experience between Mac, iPhone, iPad, and various accessories.”

Cameron Kay wrote: “We hardly ever get any broken Apple devices. Most of our repairs are from accidental damage. One shortfall Apple’s entry-level laptops have is that they don’t support two external displays. I hope Apple addresses this with the M3 when it’s released. Having to pay an additional $500 for a 14″ MacBook Pro to have two external display support is too high a price.”

Fridolin Koch wrote: “The hardware is still top notch. What really hurts in the enterprise is the lack of two-monitor support on the MacBook Airs (hoping for the M3 generation there).”

Adrian Stancescu wrote: “They did the best they could being stuck on TSMC’s 5nm process for longer than expected.”

James Nairn wrote: “Hardware is good/reliable and there are continual improvements but now Apple Silicon is Business as Usual—a bit of the excitement has died down.”

Daniel Woodcock wrote: “Reliability and repair hardware service/ repair delivery times for the enterprise are still industry-leading. The only exception to this would be around DOA devices. Apple needs to clean up their DOA practices for the enterprise. As a consumer, I can walk into an Apple store with a DOA device and get it swapped out without much drama. A similar experience needs to be implemented for the enterprise, especially considering current supply chain issues. Innovation around portable devices is industry-leading. Battery life, general performance, service experience and reliability make iPhone & Mac easy choices for the enterprise. Where this falls down though is around “market segmentation” or “product stack segmentation.” The entry-level portable Macs (MacBook Pro 13″ and MacBook Air) still not supporting multiple external displays natively is a huge missed opportunity. For my organization and others who I am in contact with, this is the one sticking point to having MacBooks as the default device. Having to pay in excess of $500 to run two external displays needs to be resolved when the M3 upgrade comes. There are other similar examples of forcing people into higher segmented products in order to get what would be described as basic features for the enterprise. Smoothing out the scale so organizations don’t need to make a huge jump up the price chain to get basic features would go a long way to make the Mac the go-to option.”

Reid Blondell wrote: “I’ve been managing Macs since the 68K days. I continue to be impressed by the Apple Silicon transition. Obviously, some processes had to change, but this has been the smoothest transition yet.”

Edward Marczak wrote: “Hardware is absolutely where Apple shines. The Apple Silicon Macs are pretty much perfect all around: power, great battery life, ports (we have physical ports again!), dropping the TouchBar, and the choice of all of this in a relatively compact package.”

Nic Wendlowsky wrote: “Apple Silicon processors have been solid. But the continued inability for Macs to handle multiple displays in a single Thunderbolt 4 connection is absurd. Every Windows computer made in the last four years can do this and Enterprises are not going to buy new displays just for this issue, they’re going to use multi-connection workarounds and further the perception that Apple doesn’t care about Enterprise environments. iPhones and AirPods need to be using USB-C/Thunderbolt connectors already.”

Tom Bridge wrote: “Apple Hardware continues to outperform the industry in clear and meaningful ways, providing substantial value to customers in the enterprise. Literally no one else comes close to Apple’s quality in hardware manufacturing, battery life, and operational excellence.”

Marcus Ransom wrote: “Apple Silicon has turned the EUC landscape on its head. The computing power and battery life of the entry-level MacBook Airs is well suited to enterprise users with standard requirements. The higher spec machines give multiple pathways for satisfying the most power-hungry users. The only real limitation of the entry-level Macs is multiple external displays. There are third-party solutions to this, but many orgs would like to see that offered out of the box.”

Stephen Short wrote: “Apple Silicon Macs are absolutely fantastic, no notes. My only feedback is that users (and IT departments) should be able to switch out the VESA mount on the new Studio Display without requiring a Genius Bar appointment.”

Mark Frischman wrote: “Mac reliability has seemed to improve significantly with the release of Apple Silicon based machines. The previous generation of MacBook Pros – particularly the 13-inch Intels – had an unusually high rate of failure, especially the batteries.”

Graham Gilbert wrote: “The quality of the hardware is the best in the business, and continues to be the reason they are successful in enterprise in my opinion.”

Bart Reardon wrote: “Zero complaints. Best hardware money can buy, regardless of what the OS is.”

Rebecca Latimer wrote: “The 10th generation iPad is a confusing mess. It seems to be aimed at education, but anyone in education would tell you (without hesitation) that there are some huge missteps here. No headphone jack? Maybe a slight annoyance for consumers but imagine trying to explain to a classroom of kindergarteners how to pair Bluetooth headphones. Or picture re-wiring hundreds of iPad carts to use the new USB-C charger.”

James Corcoran wrote: “Apple Silicon has had a measurable impact on our developers’ capabilities. It is just so much faster, enabling them to do more!”

Grant Brinkman wrote: “So far M2 has been a minor upgrade from M1. Not much to write home about.”

Kale Kingdon wrote: “The continuance of the M Series chipsets is slowly starting to change the conversations and landscape in heretofore untouched parts of the enterprise market; and the reliability of their products is going from strength to strength. The fantastic iPad 10th Generation is necessary, long sought after and completely the wrong price point. Apple knows that to compete in education, you need to meet a price—and try as they might, they couldn’t get it cheap enough. The 10th generation is therefore, regrettably, a device destined to be skipped in some sectors. Similarly questionable but much less understandable is the base M2 MacBook Air still not natively supporting two external displays. A powerhouse under the hood and elegant in design, this is a perfect MacBook for nearly every user. The omission of that feature could make this device one tick box away from a bean counter choosing to move their fleet from Windows to macOS, or simply give their users choice. Apple desperately needs feature difference to upsell customers to the MacBook Pro, but at what opportunity cost?”

Shad Hass wrote: “The continued extreme limitation of ports on devices still leads us to dongle hell for anyone using their laptops for anything desk-related. The single-external display for both the M1 and M2 is very disappointing, and the notch being so large but still lacking FaceID is unappealing. Apple’s continued use of the slow Lightning connector until they were forced to adopt a standard, then complaining about that standard, when they have already been adopting it widely in every other product seems borderline dishonest. The efficiency and “good-enough” speed of the new Apple Silicon chips is nice, though that seems to be more of a fault of Intel for their silicon troubles over the last half decade.”

Damien Barrett wrote: “Like almost everyone else in our Apple world, I remain completely blown away by the new M1 and M2 architecture Macs. At this point, we’re about 75% switched over to ARM. I’m eager to replace the last of our Intel Macs. In particular, the M1 and M2 MacBook Airs offer incredible “bang for the buck” and we hope to be able to use this model to implement platform-of-choice and see significantly lower total cost-of-ownership. I have yet to see a hardware issue with any of our M1/M2 machines and my users are ecstatic at the performance. One developer told me that his compile times are a fraction of what they were on his 2018 MacBook Pro. Another who works with enormously large data sets was concerned that 16GB of RAM would not be enough, but his M1 MacBook Pro handles his tasks with ease.”

Armin Briegel wrote: “Two years into the Apple Silicon transition, new releases might seem incremental, but they are still way ahead of anything else. It’ll be interesting to see what Apple does with the Mac Pro and iMac. The iPad product line, while excellent, seems caught in a weird transition with some features only available to certain models, seemingly without reason. The excellent iPad hardware still is limited by choices in iPadOS.”

Todd Ness wrote: “I cannot believe Apple still has not integrated touchscreens into their laptops. We’re basically running the same OS as the iPad these days—it should be a no-brainer.”

Adam Tomczynski wrote: “Big improvements in the Mac lineup, even if the Studio is a stop-gap for a more modern Mac Pro. In terms of mobile, iPadOS needs extensive polishing to be a laptop replacement. iPhone battery life is great. Its camera can take very good photos, but when zoomed in it is very hard to focus. The Apple hardware is of very high quality with no defects that I’ve noticed.”

Jon Crain wrote: “Steady, reliable increases are always welcome. Some lines have remained stagnant and are waiting for updates, but our business is focused primarily on the Mac portable line and that is seeing very good improvements and reliability.”

Dennis Logue wrote: “Our environment is a fairly even mix of Windows laptops and Apple devices (mostly iPads). From a hardware reliability standpoint, the iPads are far superior. We have virtually no outright hardware failures when compared to what we see with PC laptops.”

Software reliability and innovation

Grade: C+ (average score: 3.3, last year: 3.4)

Todd Ness wrote: “Out of 1450 devices I have many tens of users, including several of my executives, that have to get help kickstarting the autoupdate daemon multiple times to get updates to even be seen on their devices. I miss the ability to download an update and push it through Jamf to enforce an update. Now at least I have Intune that can set the minimum OS allowed to connect and then the people will update because they cannot work until they do.”

Brad Chapman wrote: “macOS Ventura’s System Settings feels like the beginning stages of a redesign that should have been started sooner and more thoroughly fleshed out. It feels like the iPad version was transplanted to the Mac without any consideration for the fact that Macs have wide screens. Stage Manager is also confusing and superfluous.”

Cameron Kay wrote: “The great Software Update debacle is still not fixed in macOS, though it is a little more manageable in macOS 13 with MDM commands for forcing updates that actually work, unlike the ones in macOS 12 and earlier. macOS still has too many bugs in the OS itself and its bundled apps. Apple Mail and Calendar apps are still extremely buggy, especially with Microsoft Exchange/Office 365 accounts.”

Mischa van der Bent wrote: “Last year, I mentioned how I loved the fact that the OS foundation was more in line, which I believed would lead to better innovation between iOS/iPadOS and macOS. However, it seems that Apple is slowing down on innovation, particularly when it comes to BYOD. While the possibilities of what we can do with the account-driven user enrollment on iOS/iPadOS are exciting, the lack of support for this method on macOS is disappointing. If Apple does not bring this feature to macOS soon, it may hinder personal-owned workflows and negatively impact productivity.”

Stephen Short wrote: “macOS is generally stable and reliable, but I’m still thrown by the transition from System Preferences to System Settings. The discoverability of multiple settings is poor, and sometimes related functions are scattered throughout different categories. I find myself using the search bar to do almost anything in the app. It seems like it was designed to mimic iPadOS, but without any usability gains or improvements.”

Kevin Williams wrote: “I think macOS is in a good place, although the constant changes to the UI for settings and other management things makes it hard for us to keep teachers and staff in the know on how to do some simple things for themselves. iOS likewise keeps changing UI in random ways, and we can’t keep the students and staff up to date on knowing how to do things.”

Dennis Logue wrote: “Apple’s software still lags behind their hardware in terms of innovation and reliability. While I still think it is better than what we experience with Windows, we still have to work around bugs and some frustrating limitations in iPadOS.”

David Tommey wrote: “Platform stability has been an issue, many more bugs have seeped into production releases. This has had an impact on the trust that we can update our org quickly to the latest OS release.”

James Corcoran wrote: “Platforms are feeling more reliable. Would like more focus on enterprise features.”

Christian Lambert wrote: “Software reliability is slipping and innovation is slow.”

Nic Wendlowsky wrote: “Ventura has been solid on its own. But Apple could do better to slow down their major release cadence for macOS to once every 2 years and make the beta release open to 3rd party vendors longer than ~6 months. This would vastly improve the time needed for vendors to update their applications for the upcoming release and be a positive step towards enticing Enterprises to adopt Apple products more broadly by making it less of a scramble every single year.”

stephen johnson wrote: “macOS software updates are still a dumpster fire.”

Graham Gilbert wrote: “What reliability? macOS is in its worst state I have seen in my entire career.”

Ali Al-Itejawi wrote: “The software update process on macOS machines is the worst, with both GUI being unresponsive and unreliable as well as MDM commands not being respected by the machine.”

Grant Brinkman wrote: “The changes in Ventura, though hated by some, have been welcome to me. I have gotten very accustomed to using Stage Manager, and it is extremely helpful. Additionally the new System Settings is miles better than System Preferences. It takes what many users are used to from iOS and iPadOS and puts it into macOS. Stage Manager on iPad is sketchy at best, but I like that they’re at least making an attempt at having the interface be similar to Mac.”

Edward Marczak wrote: “There seems to still be a long-running sentiment that software quality has slipped, but I’m really not seeing that, particularly in the Enterprise. Help Desk is not inundated with reports of crashes or other bugs, but more with standard corp/tech questions and password resets. Pages and Numbers, which could be staples of Enterprise offerings, are great consumer products—but fall incredibly short of what’s needed in the Enterprise. Same for FaceTime: with remote work and streaming at an all-time high, FaceTime completely misses the boat, so we all stick with the standards of Google Meet, Cisco WebEx, and Zoom.”

Mikeal St. Ayre wrote: “They need to slow down, ship working software, not rolling bug fixes.”

Armin Briegel wrote: “macOS Ventura was a solid update, with few issues for users and admins aside from the ongoing challenges with software update. On iPads, however, Stage Manager is an unusable mess and third-party apps that could really make use of the excellent iPad hardware are held back by platform and App Store limitations.”

Craig Cohen wrote: “Better focus on software update and upgrade reliability.”

Adrian Stancescu wrote: “The botched HomeKit migration on iOS 16.2 left a bad taste in my mouth.”

Fridolin Koch wrote: “Death by a thousand cuts. The overall stability of Ventura is great, but lots of small niggles are annoying admins and users, and users are losing faith in the platform!”

Joel Housman wrote: “Pretty good overall with a few minor hiccups that were fixed with various point releases. You always wish that they could be better, but when I compare Apple to Dell (yes, we still have about 20 users that prefer Windows), the Apple machines are rock solid and our Dell machines are a flimsy, wet house of cards.”

Marcus Ransom wrote: “Software updates and upgrades are an area that caused many headaches for Mac admins and enterprise organizations in the last 12 months. General unreliability of the underlying frameworks, poor end-user experience during the updates, bugs with the deferral profiles, devices booting into recovery, this list goes on. Without community provided solutions like Nudge and SUPER, it becomes challenging to deliver the patch compliance required in an enterprise environment. I am looking forward to seeing innovation to make updates a straightforward process so we as admins can go back to dealing with the many other things we could be focusing on.”

James Nairn wrote: “Current OS offerings are as good as I remember. MDM commands are still unreliable and managing software updates via MDM is a disaster. That area is frankly embarrassing.”

Daniel Woodcock wrote: “Software Update! We still can not reliably keep our fleets up to date. We also still see too many bugs around OS updates and bundled apps. The enterprise should not be in a position of needing to hold back updates for extended periods due to testing and validation. We should be able to rely on MDM commands to keep the fleet up to date, as well as having confidence in updates that are pushed out. Due to the amount of zero-day vulnerabilities that pop up these days, we need to remain agile and be able to push out updates in a reasonable time with confidence nothing will break or regress in terms of performance.”

John Welch wrote: “Honestly, Apple’s the only OS vendor of note even attempting new things. Windows won’t and god knows Linux can’t.”

Charles Edge wrote: “As a developer who sits at the crossroads between device management, security, and software reliability, it’s easy to see how the updates have made the life of a developer and admin better. Some endpoints still have unexpected or undocumented behaviors; however, when we mention them, they get fixed. So, forward progress!”

Kelly Guimont wrote: “I’m in the middle because iOS and iPadOS have been pretty good, but Ventura has been buggy and confusing for users. I’m not opposed to change, but the Preferences/Settings rewrite has been hard to use and administer.”

Rahul Adari wrote: “Ventura’s performance is exceptional.”

Fraser Hess wrote: “macOS Ventura has some big updates for the enterprise. For example, Declarative Device Management, Platform SSO, and required network access to wipe and set up an MDM-enrolled Mac. On the user front, the new System Settings is the rewrite we didn’t need and makes it less likely we’ll get the rewrite we still need. Despite all the changes, the upgrade to Ventura has been a non-event at my company.”

Bart Reardon wrote: “1/2 point deducted for the arbitrary limitation on only allowing 2 copies of macOS to be running in VMs. The hypervisor framework in macOS is amazing but is held back on running macOS VMs by this requirement. I have a Mac Studio with an M1 Ultra chip in it and with a 2 VM limit it barely makes a dent in the machine’s capability.”

Luke Charters wrote: “Rolling out Ventura and iPadOS/iOS/tvOS 16 hasn’t been completely bug-free, but it has been better than previous years. I’d be happy if it was like this every year.”

Kale Kingdon wrote: “macOS and iOS remain incredibly stable and drastically unchanged over the last year, a comparatively mature OS on both sides with solid foundations making reasonable progress in traditional sectors. If anything, I feel Apple should not be afraid to release a new macOS version with even fewer new features, to allow developers time to work on bug fixes, polish and tech debt.”

Tom Bridge wrote: “For all of Apple’s focus on polish and completeness of vision, they fall short of the mark often on the Enterprise front. Software Update — both for end users and for MDM manufacturers/operators — is a travesty in its current form. That admins cannot depend on ScheduleOSUpdate should be an embarrassment across the company, given how important patching is to the good working order of the platform. The embarrassing situation surrounding macOS 12.3 to 12.6 and OTA updates was as unfortunate as it was disabling to customers. The System Settings app is a violation of human interface guidelines, good taste, and good functionality for end users and admins alike. It is inconsistently designed, and doesn’t live up to the standards of the platform. Many features of Ventura cannot be used with Managed Apple IDs at the core, especially Continuity Camera, which many orgs want to use with their managed iPhones.”

Anthony Reimer wrote: “Aside from the mess that is System Settings (which replaces the mess that was System Preferences), Ventura has been a solid OS. Delivering the macOS upgrade has been a different matter. The iOS upgrade had some nice new features. I continue to use and be impressed by the iWork apps; collaborating on presentations using Pages and Keynote via iCloud has worked well for me.”

Damien Barrett wrote: “Managing software updates remains a messy, unreliable chore. Okay, it’s a little better than it was, but it’s still pretty disappointing that Apple just hasn’t gotten this right yet. It’s not comfortable for me to have to continue to explain to my management that we don’t have the same level of software update control as has existed on our Windows fleet for literally decades. Never mind the recent boot-to-recovery/unlock code snafu with Ventura 13.2.1. How did that slip through quality control?”

Jason Broccardo wrote: “The transition to macOS 12 Monterey and to macOS 13 Ventura has gone well overall. Each OS has had hiccup points, especially around the update experience for particular dot updates, but the overall experience of rolling out the new OSes has gone well.”

Adam Rice wrote: “Ventura overall is rock solid. Any Mac that can run it, should—and many Macs that can’t should, via OpenCore Legacy Patcher. It’s up there with 10.6.8.”

Vaughn Miller wrote: “Monterey and Ventura have been solid OSes. Software update continues to be a train wreck.”

Craig Doran wrote: “The OSes were lacking in features compelling to enterprise users.”

Rich Thomas wrote: “Very few complaints in this regard, Ventura and iOS 16, once installed, actually have driven very few support tickets. Installation isn’t always great though, booting to recovery, failing to download, asking for recovery keys, all that madness.”

Reid Blondell wrote: “Fragile Secure Token environments continue to be a huge pain.”

Marcus Rowell wrote: “The GUI of Notifications on macOS has to change. They are user hostile with confusing dismissal and action targets. I see users just disable any application’s request for approval to enable notifications. Ensuring users are notified of critical management tasks (i.e., updates) is impossible to do reliably with the current Notifications.”

Security and privacy

Grade: A- (average score: 4.2, last year: 4.1)

Søren Theilgaard wrote: “Apple has upped the communication level and precision on security. They made it certain that Ventura is more secure than Monterey. They also implemented XProtect Remediator as an improved remediation technique.”

Kevin Williams wrote: “I think it’s the main reason we feel so good about the devices in student hands, frankly. They’ve struck a good balance between control for the school and privacy for the student. Paired with a good MDM it’s a solid win.”

Luke Charters wrote: “I really appreciate the new background items management in Ventura. Their bumpy introduction during the beta period was a testament to how receptive and adaptive to enterprise customers Apple has been. Rapid Security Responses are a welcome addition. I’m keen to see the enterprise experience of deploying the first real one that comes out.”

Craig Cohen wrote: “Apple leads with security and privacy.”

Jon Crain wrote: “I feel like they are simply maintaining. The fact that they only officially patch and support the latest OS without creating great tools for upgrades is a very big issue.”

Armin Briegel wrote: “Apple remains strong in this area. However, their focus on end-user privacy is often at odds with enterprise management requirements. Many features, like the new Advanced Data Protection for iCloud, are unavailable for managed Apple IDs. I don’t think user privacy and manageability have to be opposed. Apple could (and should) work harder to make all features available in managed environments. Several standard security options on macOS are still not able to be managed with profiles.”

Rich Thomas wrote: “Privacy, I would say Apple does a great job. Security? It depends. RSR should be great and much needed. However, enforcement of OS updates is painful.”

Rebecca Latimer wrote: “The security change regarding login items was clearly made without enterprise in mind. It’s a great move for consumers, who have improved visibility for things like malicious LaunchAgents. But it also has the result of nagging end users to turn off important security tools that were installed by IT in enterprise settings. Yes, we can carefully hand-craft a configuration profile to prevent this nagging, but it shouldn’t have come to that.”

Graham Gilbert wrote: “Restricting critical security features such as passkeys and iCloud Keychain to consumer Apple IDs shows Apple’s lack of care and attention to the enterprise space.”

James Nairn wrote: “Good, but Apple needs to tweak the balance between user privacy and enterprise management requirements for enterprise owned devices—in favor of enterprise. We should be able to mandate software updates and be confident that they can be applied.”

Kale Kingdon wrote: “Apple’s constant progress toward a more secure OS ecosystem is laudable and appreciated by every Systems Administrator I speak to. On the privacy front, I fear their focus on this core tenet is continually coming at odds with usability. Apple made changes in 16.2 to AirDrop behavior, changing discoverability from “Everyone” to “Everyone for 10 minutes” with no further management options available. This change was introduced to solve AirDrop “bombing” but it has adversely affected the education sector that cannot or has not yet implemented MAIDs or the Classroom app. AirDrop is used regularly in classrooms around the globe to collaborate and deliver resources. Changing that setting regularly is at best frustrating and at worst, insurmountable for younger students. This seems to highlight yet that Apple is struggling to develop a single product and single OS that fits a cornucopia of use cases.”

Daniel Woodcock wrote: “The customer experience is completely different to the admin slog. Automating Mac management is becoming increasingly challenging due to Apple’s introduction of new privacy features that disrupt our ability to automate tasks via scripts or other MDM platform tools. In line with this, Apple tends to take a considerable amount of time to present alternative methods to execute administrative tasks (assuming they even consider or action replacement procedures). Apple needs to remember that the changes they make not only affect consumers. The enterprise needs to be kept in mind. Especially when it comes to automating tasks and managing devices.”

Fraser Hess wrote: “One of the top things Apple could do to improve macOS security in the enterprise is to make MDM-driven software update bulletproof. Apple’s privacy features are very user-centric, often forgetting that many users such as employees and students don’t own their devices and sign EULAs acknowledging that they don’t have any expectation of privacy from the organization. The new Login Items management and notification system gives the user too much information and generates call tickets. In enterprise, finding persistent malware is best left to EDR solutions.”

David Tommey wrote: “With the push for advertising directly in several Apple applications, the pronouncements of increasing privacy seem fairly hollow.”

Bart Reardon wrote: “Apple’s competition should stop making knock off iPhones and MacBooks and instead copy their stance on privacy.”

Marcus Rowell wrote: “Apple shows continuous innovation on a wide range of Security and Privacy components across their devices and platforms. Improvements in hardening of the physical and software security, introduction of Security Keys to protect Apple IDs, and Advanced Data Protection for iCloud are the result of multi-year projects by Apple and are providing real end-user security and privacy. We are still seeing increasing dialogs with more decisions for users with no clear correct path. There is still inconsistency in privacy controls. We admins can have full control of all data on devices and yet can’t pre-approve Screen Recording to make the user experience better.”

Nic Wendlowsky wrote: “Ventura patches have been solid. Really love the Rapid Security Response rollout. But if Apple is going to support n-2 or n-3 major versions, they need to patch the same vulnerabilities in all currently supported macOS versions. It’s disingenuous to claim to support Big Sur, Monterey, and Big Sur while having a big caveat in your documentation that says you’re not going to back-port all Ventura patches to Big Sur and Monterey.”

James Stracey wrote: “Still no native controls to easily manage egress firewalls, and while USB based SMB controls work, they are still marked as deprecated. The lack of these capabilities may lead to an increased exposure to data loss events.”

Kelly Guimont wrote: “Security/Privacy is always a balance and lately it’s been swinging toward more hassle/user aggravation for the same amount of security.”

Dennis Logue wrote: “Apple’s Security and Privacy decisions, specifically the inability to manage individual settings, create regular problems in a K-12 environment. While I appreciate the focus on security and privacy for my personal devices, working with and around those settings is a daily battle in an educational environment.”

Mischa van der Bent wrote: “In my response from last year, I mentioned how Apple is becoming more of a target in the security world and how impressed I was with the way they’re making their devices secure without compromising the user experience. However, as the security landscape continues to evolve, I believe that declarative MDM (based on device state) will be a great addition to the security stack. Along with this, Apple needs to add more control via a configuration profile instead of relying on scripts, which are still required for some aspects of the security stack in macOS. While Apple already builds impressive security features into their devices on a software and hardware level, improving the controllability of these features will help enhance overall security posture.”

Craig Doran wrote: “Apple’s privacy controls for cameras, microphones, location, and screen sharing are admirable for personal use, but are difficult to explain to other IT departments why they cannot be managed. Much of enterprise computing became obsessed with security initiatives—yet Apple’s improvements there were either obscure or not promoted in a way that Apple admins could trumpet to their security team. iCloud+ security improvements were not welcomed by enterprise network security administrators. The MDM vendors started introducing security products which undercut the message that Macs have an edge on Windows for security and also sets up what I fear is a conflict of interest for them.”

Grant Brinkman wrote: “I love having the option to encrypt iCloud, and the new hide-my-email and hide-my-IP features are very nice as well. Also having lockdown mode as an option for those in particularly difficult situations is a good improvement.”

James Corcoran wrote: “Overall, security and privacy is great on Apple platforms… except for macOS software updates, where MDM completely lets the enterprise down. Keeping macOS devices on compliant operating system versions is near impossible with Apple’s native MDM software update commands. At present, we are unable to reliably patch a vulnerable OS without third party tools.”

Vaughn Miller wrote: “Apple has done many things to make Apple operating systems some of the most secure. But problems with software update continue to knock this score down.”

Joel Housman wrote: “There were a few zero-day issues that arose in the past year with Ventura or Safari that needed to get patched, but Apple released out-of-cycle security updates in all cases and we made use of our MDM to push our users to apply those updates.”

Damien Barrett wrote: “Apple remains the leader in security and privacy, particularly with iPhones/iOS. Our security department considers iOS so secure that they only very lightly manage phones enrolled into InTune. Our much smaller Android phone fleet are significantly more locked-down/managed (because they have to be). On the Mac side, I have been able to pretty easily adhere our Mac fleet to a common NIST security benchmark/baseline. Apple is paying attention to cybersecurity trends and continues to lead the industry in securing their platforms.”

Cameron Kay wrote: “For the end user Apple Security and Privacy stuff is good. Not so much for system administrators. Every year it gets harder and harder to automate the management of Macs, because Apple added some new privacy feature that breaks our ability to automate things via scripts. And Apple usually takes years to provide an alternative method to perform the admin tasks. Having the users have to go into System Settings to approve Screen Recording before remote support tools such as Splashtop and Teamviewer work is also a major hassle for support staff.”

Jason Broccardo wrote: “Apple has now stated in writing that the current shipping OS is the one that’s really and truly supported, but they are also keeping their kind of official N-2 OS support strategy. When updates are made available Apple can still be vague or late to report if one of the two (sort of) still supported OSes has all the same relevant security patches and fixes as the new OS (e.g. does 12.6.3 close all the same CVEs as 13.2?). It would be appreciated if Apple was more upfront about security issues not being addressed in the older OSes they are still releasing updates for so customers could better plan mitigations and remedies.”

Adam Tomczynski wrote: “Apple shines here. Period.”

John Welch wrote: “Security-wise, it’s not even close. Windows is a mess of patches and fascia that gets worse by the week. Linux is somewhat better, but the “oh has that bug been around for decades?” oopsies that happen all too regularly show that open source is a licensing mechanism, not a magic spell. Neither Linux nor Windows seem willing to do the work to actually harden and improve their OS, beyond some weird libertarian insistence on Caveat Emptor and relying on human perfection.”

Brad Chapman wrote: “When it comes to the technology, Apple is the leader in this space.”

Marcus Ransom wrote: “While implementing new features such as Background Login Items caused a decent kerfuffle this past year, the overall security provided by Apple’s approach makes it somewhat easier to provide a secure environment leveraging the Endpoint Security Framework, code signing, application sandboxing and other built-in frameworks. We saw a rapid adoption of security benchmarks supporting macOS Ventura, but many of the security controls demanded by NIST, CIS etc. still require scripts to implement, with only a small subset being able to be managed with configuration profiles.”

Reid Blondell wrote: “Apple’s handling of the Login Items notifications, specifically the depth to which they addressed the feedback they got, pleasantly surprised me.”

Adam Rice wrote: “Lockdown Mode, Advanced Data Protection for iCloud — great stuff.”

Alex Jones wrote: “Security & Privacy are great on Apple’s platforms. However, the most annoying thing about Apple is their dictatorial approach to user privacy in the enterprise. Enterprises should have full control over their devices if needed, and it should be the enterprise’s choice on what is acceptable from a user privacy perspective, not Apple’s. For example, we have so many users get confused about how to share their screen in a Google Meet/Zoom/Teams meeting. We, as an organization, should be able to allow Screen Recording permissions for Chrome/Zoom/Teams via MDM. Similarly, if we try to help someone via remote access with something like TeamViewer, the user still has to root through the System Settings to allow us to do this. Not great when the whole reason we’re trying to connect to help them is because they’re not the most computer literate to begin with.”

Deployment

Grade: C (average score: 3.1, last year: 3.3)

Armin Briegel wrote: “MacAdmins now have the option of requiring internet during enrollment and thus better ways of enforcing automated enrollment. Despite the changes in macOS Ventura, managed software updates remain challenging, unreliable and laden with bugs. The level of frustration among MacAdmins with software update on macOS is hard to overstate. Not only is Nudge still a popular tool to address these shortcomings, but it has been joined by Kevin M White’s super.”

Daniel Woodcock wrote: “The two big problems here are around MDM enrollment and macOS update management. It is still possible to get around Automated Device Enrollment—that needs to be addressed.”

Jason Broccardo wrote: “No issues with ADE or app deployment. Software Update, on the other hand, continues its multi-year adventure in being a horrible experience. If the experience of using macOS as a whole was the same as using software update, we’re not sure we would want to purchase Apple systems and work with macOS. Despite years of discussing it with Apple, we’re not fully convinced that Apple appreciates the gravity of how software update’s misbehavior affects our daily operations and long term plans for using macOS systems. Apple software update’s inability to properly do its job is impacting our ability to operate as a company because we are unable to comply with security protocols.”

Craig Doran wrote: “macOS software updates in enterprise is a mess. MDM triggered updates are unreliable and not fine-controlled enough. The surprise of Ventura upgrades being handled as a minor update was a terrible development. It left Mac administrators scrambling to control updates beyond what MDM software update payload restrictions were fully capable of. It required delicate timing and getting the fleet to specific OS levels.”

Kelly Guimont wrote: “It’s improving, but most of that has been better documentation of what’s happening and what’s available to configure and use.”

Edward Marczak wrote: “Train wreck? Dumpster fire? What’s the right analogy here? MDM isn’t ready for the tasks that Apple wants Enterprise to use it for. Software Update has gone backwards to the point that I can only wonder how we got here. Bugs, awful UI, it’s all here. This is the category single-handedly making life miserable for anyone trying to manage Macs in an Enterprise setting.”

Kevin Williams wrote: “Again, paired with a solid MDM, we’ve been really happy the past 2-3 years. We use Mosyle for our MDM, and it’s designed specifically for schools – full integration with ASM, our students and staff get populated via API, even the kids’ schedules get pre-populated for use in Apple Classroom for those who use it. We hand configure every iPad so it’s ready for a student when they walk in the door (accounts, apps, everything – a true custom out of box experience) and paired with our MDM, we can configure 100+ in a day. Outside of the time waiting for apps to download and install, we touch the iPad for maybe 5 minutes or less to configure accounts, apps, backups – literally everything we’d want – label them, put them in a case, and they are ready to go.”

Vaughn Miller wrote: “Automated Device Enrollment coupled with auto-advance through the setup wizard is a boon for automated deployments. Lack of automation for OS updates drags this score down.”

James Corcoran wrote: “The state of managing software updates via MDM on macOS deserves a negative rating. Apple’s approach to macOS MDM software updates is fundamentally broken. Using the MDM commands to update macOS is a terrible user experience, if it even works. Compared to Microsoft’s Windows Update for Business solution, Apple is limping along with a sub-par solution that needs to be completely reimagined. At present, you are unable to reliably patch a vulnerable OS without third party tools.”

Reid Blondell wrote: “Not to pile on Software Update, but the abundance of third-party tools to ‘help’ with updates speaks volumes.”

Stephen Short wrote: “Apple still can’t seem to get automated software updates for macOS using MDM to consistently work. It seems every major upgrade to macOS promises improvements for software update reliability, but then the release notes for multiple point releases will include some line item about fixing the supposedly improved software update functionality. The softwareupdate process itself seems to be the culprit, and I was amused when there was a note in AppleSeed discouraging admins from using the launchctl kickstart command to resolve issues with Macs unable to successfully download or install updates.”

Rahul Adari wrote: “ADE is top notch.”

Cameron Kay wrote: “Getting users to upgrade their Macs to the latest major version of macOS is still extremely hard work, especially on Macs with low free disk space. Apple needs to add an option to free up disk space for updates. They also need a better UI so users know their Mac is having a major OS upgrade installed automatically and can monitor the progress. It’s also still too easy for a user to circumvent Automated Device Enrollment so their Mac remains unmanaged. Apple needs to address this ASAP.”

Graham Gilbert wrote: “Software updates on macOS are quite simply a joke. Apple should be ashamed of the ‘quality’ of software update. The fact we aren’t able to simply specify that all patches be installed within X days continues to amaze me. Instead we are left with a fragile string of MDM commands that provide a terrible user experience. I cannot emphasize enough how bad software updates are. We spend zero time managing updates on Chrome OS and Windows, because Google and Microsoft give us sensible controls.”

Jon Crain wrote: “ADE is fine. Software updates and OS upgrades continue to be an unreliable dumpster fire. There are very few admins who rely on anything but third-party tools to make this happen.”

Ali Al-Itejawi wrote: “OS updates causing more and more issues, users are being put into Recovery. No or slow feedback from Apple makes this very painful.”

Rich Thomas wrote: “Software update is still a tough experience at scale. Keeping Macs and iOS devices up to date with MDM is difficult, reliance on community tools like Super is essential for us. iOS is even worse if anything, especially as we use our devices in a retail context so have to meet a number of standards for handling payment data. There is no good way of getting all of our iOS devices up to date in a reliable manner, as the passcode has to be put in by end users. Retail staff just won’t do that, it needs to be enforceable.”

Tom Bridge wrote: “High scores for ADE and device lifecycle mixed with very low satisfaction for software updates, OS Upgrades, and app deployment. Upgrades & Updates were dramatically improved by new OTA update size, but no decrease in upgrade time, and the unreliability of the MDM commands.”

Fraser Hess wrote: “Automated Device Enrollment is ‘something only Apple could do’. My Windows friends wish they had it. But it could use a built-in software update. macOS Software Update is getting better but has so many bugs. Tools like Nudge and Super really help but their existence is an indictment of how bad it’s been. It’s not the end-user’s job to patch their computers but nagging them to do it until it’s done is what we’ve been left with. However, given the progress, I’m optimistic that Apple will make this work. The delta update from Monterey to Ventura and the implication that admins couldn’t block that upgrade came as a shock. But after the shock wore off, and we decided to embrace the advantages, this upgrade cycle has been the smoothest so far at our organization.”

James Smith wrote: “Software Updates via MDM still leave a lot to be desired. One day I will be able to deploy and enforce macOS updates only using MDM commands, but today is not that day. I am still reliant upon 3rd party tools (like Nudge), and Conditional Access policies to ensure my fleet stays up to date.”

Christian Lambert wrote: “OS updates/upgrades are still an area of needed focus as there is no reliable tool that Apple provides for automating OS updates/upgrades. Apple has made strides to hire additional heads to supplement this area.”

Adam Rice wrote: “Software Update has been terribly buggy for years, but Ventura has fixed most of the biggest problems and finally delivered incremental OS updates which are much smaller and faster. We still need a reliable and friendly way to get users to update their Macs quickly when needed, but until Apple delivers we have great open-source tools like Nudge.”

Jacob Burley wrote: “The software update mechanism hasn’t worked exceptionally well since Big Sur, which means that actual enforced rollouts of updates do not always succeed. This leads to a poor experience on the admin and the end user side, even when using something like Kandji’s Managed OS.”

Alex Jones wrote: “Great to see that ADE now supports enrolling Macs manually using an iPhone. Still not a great solution when a device has been sent to a remote user and they don’t have an iPhone. It would be much better if Apple allowed devices to be auto-enrolled into ADE upon manual enrollment into an MDM, much like how Intune and Autopilot works. ADE is still not as reliable as it needs to be on macOS. It’s far too common for the Remote Management screen to be skipped during Setup Assistant, whether intentionally or unintentionally. OS Upgrades are still a pain to manage and the mechanisms provided by Apple hardly ever work. Most MDM providers end up having to build workarounds for these problems, and it results in a really bad user experience. The lack of App Store support with Managed Apple IDs is always a big problem. We want to allow our staff to download free apps from the Mac App Store as and when they’re needed, but they cannot do this with their Managed Apple ID. It would be great to have a managed App Store where all our approved App Store apps could be browsed and installed on demand. It’s not great when the IT team has to say ‘use your personal Apple ID instead.’ Erase all Content and Settings has been the biggest improvement in this area recently. It’s far easier to re-deploy a device that supports this, whether done manually by the end user, or remotely via an MDM erase.”

Kale Kingdon wrote: “Apple continues to provide a rock-solid foundation of deployment tools that make me appreciate managing Apple fleets day after day. That said, every year they somehow manage to break something critical—currently MacOS MDM Update commands—and then leave it broken for a concerning amount of time. The negligence against a core framework of a core platform is quite surprising.”

Damien Barrett wrote: “No complaints here. ABM works quite well. I have no experience with Apple Business Essentials. We don’t use MAIDs either. The only breaks we’ve seen with device enrollment have been the fault of our main vendor not enrolling serials on time — not something Apple has any control over (and it doesn’t happen very often; maybe 5% of the time). With our MDM and an IdP in place, we’re almost at zero-touch deployment, a key marker for our move to make Macs a standard offering for every employee.”

John Welch wrote: “You will never get a straight answer on this, because what is fine for one person is garbage for another. The tool and feature sets are solid, and from what I see, many of the problems are caused by admins more concerned with being clever than being reliable. Boredom should be the standard, not excitement.”

Mark Frischman wrote: “Loved being able to add computers to ABM via Configurator. And “Erase all content and settings” has been a game changer!”

Marcus Rowell wrote: “Delta upgrades have significantly reduced the time for upgrades. Fantastic work, Apple. Reliably getting notifications, scheduling and completing macOS software updates is still very broken.”

Todd Ness wrote: “Fix updating. Let me set what version all the environment should have. Give the users a pop-up that says update now, remind me later, or schedule it. And actually enforce the update. Forcing the update and rebooting with zero warning is useless, but so is reminding users that the update needs to be installed and having them click the X and sleep their computer overnight so the update is never installed.”

Charles Edge wrote: “ADE, major OS upgrades, and apps are pretty solid. Software updates for point releases continue to be a work in progress.”

Dennis Logue wrote: “Automated Device Enrollment and Volume Purchasing for iPadOS and iOS are very reliable and make maintaining a large deployment of devices with only one or two staff.”

Grant Brinkman wrote: “Combining Automated Device Enrollment and MDM management has made our fleet rollout easier this year than ever before. However, recurring issues with software update make it difficult to keep our machines patched, even using MDM and Mac Admins tools like Super and erase-install.”

Nic Wendlowsky wrote: “ADE is getting better, the APNS seems to be improving its reliability and shortening command delivery. OS updates and upgrades are still a huge issue in the Enterprise space. The hoops we have to go through as admins to get Macs upgraded are time consuming and tedious: Managing elevation for full upgrades, suppressing updates and upgrades until testing has been completed not only for internal groups but mostly for 3rd party vendors who have no obligation to support major or minor releases in a timely manner, and the inability to truly force an upgrade to a Managed and Supervised device is disappointing; these computers belong to the organization, not the employee, so strict enforcement should be built in.”

Adam Tomczynski wrote: “ADE paired with my MDM is very stable. macOS updates, on the other hand, are one epic fail. Updating/upgrading macOS in an enterprise lacks consistency and at times can lead to catastrophic failure. This is not acceptable. Period.”

Bart Reardon wrote: “Only one complaint: managed software update on macOS. The existence of tools like Nudge indicates there is still a lot of room for improvement here.”

Brad Chapman wrote: “Automated Device Enrollment has gained significant improvements. The benefits of Declarative Device Management have yet to materialize. Software Update is still a flaming hot dumpster fire! There was a high profile mistake in macOS Monterey 12.3 – 12.6 that was only caught during the beta cycle for Ventura, which required an elaborate and unprecedented server-side workaround on Apple’s part. Their Mac admin community advocates exhorted customers to upgrade to Monterey 12.6.1 as fast as possible to ensure that existing software update deferrals continued to work as expected. This created chaos and despair among Mac administrators, especially those with a fleet heavier on Apple Silicon devices where programmatic software updates were no longer possible. Only those organizations that adopted ‘user notification’ tools like Nudge or Super were successful in this endeavor. Organizations with ‘standard’ users (non-administrators) encountered additional headaches that generated support calls.”

Anthony Reimer wrote: “A mixed bag here. Restoring macOS using Apple Configurator and an IPSW has been a godsend. When I get a new computer to deploy in our labs, the first thing I do now is wipe it using Configurator and let Automated Device Enrollment and my MDM (mostly) take care of the rest — fast and reliable. Software update still does not function reliably. Even updating the OS on my lab computers via MDM, which is the main method Apple provides for systems where a user is not managing the process, only succeeds about 80% of the time. I can see where Apple is headed by offering major version upgrades to macOS without having to download a 12 GB installer and it will be good… eventually. Finally, Apple has been narrowing the window of how many years they will support a particular device. At one time, an 8-year-old Mac could often run the latest version of macOS. With the last two releases of macOS, that window narrowed to 5 years and Ventura cut out models still being sold in 2018 and 2019 (Mac mini 2014 and Mac Pro 2013 respectively). Because we still had both of those models in production and could not get funding in place before our academic year began, we were blocked from upgrading to Ventura.”

Mischa van der Bent wrote: “Overall, I believe Apple has done a great job in facilitating enterprise deployments in the last year. The implementation of Automated Device Enrollment is a solid solution and a must-have for large-scale deployments. It helps streamline the setup process and reduces manual efforts, making it easier for IT teams to manage their devices. However, I do think there is room for improvement when it comes to OS upgrades during the enrollment of a fresh out of the box machine. At times, Apple ships devices with months-old versions of macOS, which can present problems when updating. It would be beneficial to have a bit more control during enrollment and the ability to update/upgrade to a specific macOS version before continuing with enrollment. This would help ensure that devices are up to date and avoid any issues that may arise from using an outdated version of the OS. Regarding software updates, app deployment, and lifecycle management, I think Apple has continued to make strides in these areas, with a strong focus on security and privacy. The app deployment process has been made more efficient with Apple Business Manager, and I appreciate the continued emphasis on improving MDM capabilities. Overall, I think Apple’s performance in facilitating enterprise deployments in the last year has been positive, with room for incremental improvements.”

Luke Charters wrote: “I manage both Windows Autopilot and Apple ADE devices. You could say set-up and enrollment of an Apple device after doing it on a Windows one is like giving a glass of ice water to somebody in hell. You could also say that experience is reversed when pushing out OS updates.”

Søren Theilgaard wrote: “ADE is simply the best zero touch deployment in the marketplace.”

Joel Housman wrote: “We make use of Apple Business Manager and exclusively purchase from an Apple Enterprise-focused ecommerce site. Machines arrive to us pre-configured, matched to our MDM provider, and I can set up a machine in about 30 minutes. It isn’t quite zero touch, because we have a number of software packages that are not able to be remotely installed and joined to our account, but it’s 85% of the way there. There’s only minor configuration I need to finish up once we apply the MDM and the policies to the machine which auto-installs a list of applications. Most of the fault with the further manual configuration that needs to be done lies with various 3rd party application developers who don’t provide means to install their apps via MDM while also applying necessary org-specific attributes during installation. For example: we use backup software in which the client needs to be given full disk access to the machine and then an activation key passed to the client to join it to our account. The activation key is unique for each user. This is something I must do manually because I cannot trust our staff to follow-through on granting full disk access themselves or applying the key themselves, so I still have to configure the machine myself, do this last 15% of configuration, and then ship it to them. I get that Apple is super privacy focused on the part of the user, but the computer is owned by the org, not the user. The MDM API needs to have the ability to grant security permissions such as Full Disk Access (backup software, remote support software), Accessibility (remote support software), Screen Recording (used by Zoom/Slack for screen sharing and remote support software). I have to end up doing this manually for 5 or 6 apps for each machine we roll out.”

David Tommey wrote: “Deployment performance is severely lacking. It is almost impossible to use Apple tooling alone to ensure the estate is updated in a timely fashion. This specific item alone drags down the whole score even though other aspects of deployment have improved.”

macOS identity management

Grade: C+ (average score: 3.3, last year: 2.9)

Stephen Short wrote: “Apple really needs to step up and provide native support for SSO (and account provisioning) at the login window for devices managed with MDM. It’s really sad that a company with such large resources is relying on 3rd party developers like Jamf to supply a critical business function. Ideally, an identity provider like Okta would only need to supply a configuration profile that orgs could deploy to facilitate account creation and password sync functionality. I’d even be happy with having users sign in with a managed Apple ID to facilitate account creation as well.”

Bart Reardon wrote: “There are still a number of limitations preventing use of managed Apple IDs in an enterprise environment, particularly iCloud keychain.”

John Welch wrote: “The steady improvement in smart card integration across macOS and their other platforms is hugely welcome in my world.”

Kelly Guimont wrote: “I’d like improved functionality for managed Apple IDs, like Universal Control/Sidecar.”

Nic Wendlowsky wrote: “Great strides to make Identity Management more extensible. The hard part now is waiting on the big vendors (Microsoft and Google) to build their apps and tools to work with the new features. A great feature would be to marry Managed Apple IDs with the ability to redirect all Apple-hosted iCloud storage to Microsoft (SharePoint/OneDrive) or Google Workspace (Drive). This would allow Enterprises to use nearly the full features of consumer Apple IDs while being able to fully control the data used by those features for security and compliance needs, thus absolving Apple of needing to adjust ToS or BAAs/HIPAA/GovCloud agreements as much.”

Alex Jones wrote: “Great to see Platform SSO finally become a reality. Shame that we’re still waiting for Identity Providers like Okta to actually add support for it. Even still, it’s only one step in the right direction, but slightly contradictory to Apple’s general approach on passwords in the consumer world. Why is a password still required at all? When will we get password-less for macOS? Just enroll Touch ID during Setup Assistant, no password needed. Or defer to the IdP for an MFA factor other than password. IdPs seem to be ahead in the passwordless world, but they’re still being limited by the support from the endpoint, whether macOS or Windows.”

James Nairn wrote: “Not an area we have greatly explored, but user SSO is certainly a direction of travel. If Platform SSO could be extended to include JIT account provision that would be a big win for us.”

David Tommey wrote: “More work needs to be done to help identity providers leverage the tools and extensions Apple has built. Almost a year after announcing Platform SSO, not a single provider I am aware of has successfully implemented it into their platform.”

Fridolin Koch wrote: “Apple could (and should) do more to entice vendors to support SSO extensions and, in the case of Microsoft, maybe pick up the ball themselves (aka Enterprise Connect for Azure).”

James Smith wrote: “While available since the release of macOS 13, we are still waiting for 3rd party vendors to adopt the Extensible Enterprise Single Sign-on framework.”

Marcus Ransom wrote: “The introduction of Platform SSO in Ventura was a great indication of Apple understanding the need for linking the local user account to a cloud identity. It will be great to see this when it is implemented by the cloud identity providers. More and more organizations are wanting to provide a full user/device/data trust model and this is now easier than ever on macOS. More choice and flexibility around cloud identity providers with Managed Apple IDs will be imperative to expansion in the enterprise.”

James Stracey wrote: “The SSO extension is still not consistently applied to a device and I can’t believe we’re still unable to manage which Apple ID domains a user can log into on macOS.”

Armin Briegel wrote: “Apple added Google Workspace federated authentication to Apple Business Manager last year. They also introduced Platform SSO. However, the practical implementation is left to the identity providers and none of them has a solution yet. Until we get working implementations, it is hard to judge the new functionality. Apple also added support for external Security Keys to Apple ID, but again, managed Apple IDs are excluded. You can make a good argument that this is the federated identity provider’s job, not Apple’s. This further confirms that Apple is not even trying to be a player in the Enterprise Identity space, but attempting to support organizations with integrations instead.”

Damien Barrett wrote: “The Enterprise SSO extension continues to work (we use Kerberos), even while the MS SSO extension is actually a little bit better. I remain eager to see what the imminent Platform SSO will allow for us. Having a first-party Platform SSO extension that could replace our MDM IdP connector (that enables Zero Touch) would be amazing, but it’s unclear to me whether it will have this functionality. However, that Apple is working on the Platform SSO extension shows that they are listening to their Enterprise customers. I am hopeful, even while I keep other solutions in my back pocket in case it doesn’t allow for everything I’d like.”

Todd Ness wrote: “We have a bunch of problems with the SSO extension; it is not pretty if you have a regular account and an admin account or connect a service account to Outlook. I’ve had tickets open with my 3 vendors, MS, Zscaler and Apple, on this for more than a month and it is working better after fixing Zscaler problems, but the multiple account thing is still a huge problem.”

Søren Theilgaard wrote: “Apple has improved a lot of the frameworks for 3rd party developers, which is really great. Microsoft has implemented this very well, so it shows that the framework works. So it’s clear that moving to the cloud is the way of the future, and we suddenly got a lot of options for IdP solutions. Configuration through MDM is also easy to deploy.”

Jon Crain wrote: “More ID providers are needed with ABM.”

Dennis Logue wrote: “We use Managed Apple IDs and SSO with Azure AD, and these work reliably.”

Marcus Rowell wrote: “Still no coherent Identity story. With Personal Apple IDs (which everyone has) there have been improvements. Managed Apple ID are still horribly limited in scope. Whilst we have Platform single sign-on for macOS, there appears to be little adoption by vendors.”

Brad Chapman wrote: “Federation of Managed Apple IDs is still a pain. We can’t even consider it without iCloud Keychain. Platform SSO feels like a half-baked product that’s meant to serve as an example for how others should build a login window replacement. Jamf Connect and XCreds already won this battle. Passkeys, introduced last year, are too new to be judged for their utility.”

Charles Edge wrote: “This is new, so there’s plenty of rough edges. No passkeys due to iCloud Keychain being disabled, spotty vendor support. In general, I have high hopes and continue to watch what’s happening – hoping that the need for Chrome extensions or other unnecessary requirements for specific flows get removed as time goes on.”

Jason Broccardo wrote: “We are still waiting for Okta to deliver support for Platform SSO and for Apple to deliver support for using Okta to federate.”

Bill Christie wrote: “Not really Apple’s fault per se, but the lack of adoption by Microsoft of Platform SSO is a disappointment. Microsoft is working on it, of course, and implementation takes time, but this is a security piece that could change perceptions in security departments and help adoption in Microsoft-dominated environments.”

Mark Frischman wrote: “Still needs improvement, but heading in the right direction.”

Daniel Woodcock wrote: “Apple’s support for Cloud Identity Management on the Mac is currently inadequate, and there is a noticeable lack of effort in this regard. While their Platform SSO may seem like a viable alternative, it falls short of the full integration and functionality that comes with binding to Active Directory and utilizing Mobile Accounts. To be truly effective, Apple must provide complete integration with significant Cloud Identity Providers within the Mac Login Window and Directory Services. This integration should allow users to have accounts established, authenticate with multi-factor authentication, and maintain password synchronization. It is crucial that Cloud Identity support is not left solely to a third-party workaround that may break with each new macOS security update.”

Mischa van der Bent wrote: “Apple’s SSO platform is impressive, but its success relies heavily on the implementation by Identity Providers. To create a seamless integration process and optimal end-user experience, Apple should work more proactively with Identity Providers. I’m hopeful that by collaborating closely and listening to feedback from IT teams, Apple can continue to improve the platform and provide a reliable and easy-to-use SSO solution.”

Rich Thomas wrote: “Some good features here, but adoption hasn’t been as quick as I would have liked from our IdP, Okta. Might not be an Apple problem, difficult to tell.”

Fraser Hess wrote: “Platform SSO is a big step forward but Apple needs to get more Identity Providers inside the tent.”

Kevin Williams wrote: “The API connection between our school systems and ASM is reliable and robust, and has been working fantastically for the last 2-3 years. Interested in the new passwordless future, but that remains to be seen.”

Kale Kingdon wrote: “The strides Apple has made in this area over the last few years are appreciated and the movement to Platform SSO, while unrealized, is welcomed with open arms. My only quibble is the lack of an option to sign into macOS with a Managed Apple ID and have either a mobile or local account be provisioned and kept in sync with their iCloud data, similar to Shared iPad.”

Shad Hass wrote: “Their terrible support for AD binding, while still not supporting anything newer themselves, has left me not confident in their abilities here. SSO extension is not a great replacement, as it needs constant connection to on-prem servers as well.”

Luke Charters wrote: “Identity management has been pretty good. At this point, however, I’m waiting for the rollout of Platform SSO.”

Graham Gilbert wrote: “We have had to build out our own device trust platform in macOS. Managed device attestation on iOS looks promising, but until it is on macOS it really doesn’t have any utility in the enterprise.”

James Corcoran wrote: “While Apple have put considerable effort into this, there is poor adoption from the big identity providers. Makes me wonder if Apple’s approach is too bespoke.”

Cameron Kay wrote: “Apple is being incredibly lazy when it comes to supporting Cloud Identity Management on the Mac. Their Platform SSO doesn’t go far enough and isn’t a viable replacement for binding to Active Directory and using Mobile Accounts. They need full integration with major Cloud Identity Providers into the Mac Login Window and Directory Services so users can have accounts created, login with MFA support, and keep their passwords in sync. Cloud Identity support shouldn’t be left to a third-party hack that breaks every time Apple releases a security update for macOS.”

MDM protocol and infrastructure

Grade: B (average score: 3.6, last year: 3.5)

James Nairn wrote: “Reliability can always be improved. If MDM is to be the only way of managing Apple devices then it must be as reliable as possible.”

Kale Kingdon wrote: “Declarative management should still be highly lauded, with potential new workflows of devices reliably switching functionality based on time and/or location—even without a network connection. That said, the implementation of this is now in the hands of MDM developers and largely unrealized. Mature solutions will take time, while the administrators sit on the sidelines eagerly hoping for a new era of Apple device management. Noticeably absent, however, is any indication that existing payloads or MDM commands will be given a fresh coat of paint or any quality-of-life features.”

Charles Edge wrote: “I see fewer failures to enroll devices and send commands. We used to sometimes have hours (sometimes a day) where we couldn’t enroll new devices, but those issues seem to crop up far less.”

James Smith wrote: “Improvements are modest but more reliability around Software Update would be appreciated.”

Brad Chapman wrote: “Managed Software Update MDM commands are still unreliable, especially for portables. We have resorted to using Nudge, an open-source tool that encourages our users to click the Update button. There are complications caused by CoreDuet and Duet Activity Scheduler Daemon (dasd) that will block the MDM update command if the laptop is too warm, or memory usage is moderately high, or battery is below 50% — a threshold that made sense for Intel Macs, but needs to be reëvaluated in the age of Apple Silicon Macs with 20-hour battery life.”

Craig Doran wrote: “Good developments and increase of payloads.”

Todd Ness wrote: “It mostly works, but the update stuff via MDM is not very helpful.”

Nic Wendlowsky wrote: “MDM protocol has been reliable. Would love to see an API opened up for renewing APNS certs automatically to remove the human element from it causing catastrophe by expiring. For the payloads themselves, we really need more info on the replacement for the deprecated preferences.”

Luke Charters wrote: “MDM commands have been so much more reliable this past year. I would like to see payloads expanded to control more of the basic settings on iOS, iPadOS, tvOS.”

Mischa van der Bent wrote: “I still love the MDM protocol, but I’m excited about the potential of declarative device management. It’s frustrating that it’s currently limited to a small subset of use cases, but I’m hopeful that Apple will expand more support in the future. However, I’m aware that MDM vendors need to adopt this as well, so it may take some time to become more widely available. Overall, I’m optimistic about the future of device management on Apple devices.”

Graham Gilbert wrote: “The MDM protocol hasn’t really changed. Declarative MDM looks promising, but at the moment the configuration items available to us are worthless.”

James Stracey wrote: “Better monitoring and reporting to ensure the correct application of MDM-based policies is a core requirement in the enterprise.”

Adam Tomczynski wrote: “The protocol capability is evolving, which is a good thing—though perhaps at too slow of a rate.”

Reid Blondell wrote: “MDM commands and payloads have been fairly reliable for me, but when they’re not, I’m not sure whether to blame Apple or the MDM vendor.”

Daniel Woodcock wrote: “At present, it remains uncertain how Declarative Management will address the various inadequacies of traditional MDM. Additionally, Apple must offer a more extensive selection of configuration profile payloads for security benchmark settings. Currently, not all of these benchmarks can be effectively enforced through config profiles, as some require scripts or lack any means of enforcement. We are forced to either rely on open source projects lacking that Apple polish, or our MDM providers who in many cases do not prioritise the development of the tools we need. To ensure compliance, Apple should introduce config profile support for all major security benchmarks, leaving no room for user circumvention.”

Søren Theilgaard wrote: “I think that the MDM capabilities are superb, and moving to JSON will really be improving performance when MDM providers start to implement and support this at full scale. New features are explained well at WWDC and the new privacy controls in Ventura for Status items were easy to manage, so very nice to see these options hand in hand. But I’m still missing features (like config for active corners and what items to show in the menu bar), and Apple Configurator is totally lost in being the reference for creating config profiles. Apple did not make a full circle for building configuration profiles.”

Kat Maerz wrote: “They need to give us a bit more control. On the iOS side, allow multi-user support. Shared devices are common.”

Fraser Hess wrote: “Declarative Device Management is an important innovation and has been solid.”

Damien Barrett wrote: “I have incredible hope for a new MDM framework that will allow me to not only have management parity with our Windows fleet, but far surpass it. At so many F500’s, Security is driving the bus towards modernizing our IT stack, tools, and management; we are no different. Being able to show Cybersecurity and InfoSec that a new MDM framework with versatile and reliable DDM controls will secure the Mac fleet can only lead to a greater embrace of platform-agnostic IT.”

Dennis Logue wrote: “Device Management compared to what it was when I began managing iPads 10 years ago is fantastic. However, advancement in this area has stagnated over the last few years. There are any number of settings and features from Accessibility to Safari that we can’t manage via MDM which then forces us to rely on elementary school students, or their teachers, to manually manage a growing number of settings.”

Anthony Reimer wrote: “The biggest change for me is that I am having success deploying the core Apple apps using the MDM; it wasn’t reliable before. macOS updates are only about 80% successful. Otherwise, I haven’t seen much movement here. Declarative management can’t come soon enough.”

Jon Crain wrote: “Things seem to be moving very slow here. There is a promise of declarative management, but it has just been very slow in coming. MDM has always had decent reliability but the common issues related still remain.”

Craig Cohen wrote: “DDM has the potential for the future of device management.”

Stephen Short wrote: “Declarative management for iOS and macOS is a step in the right direction, but it’s up to each MDM provider to implement those changes for their customers. Would love an MDM command to force restart a Mac.”

James Corcoran wrote: “MDM has been remarkably reliable and consistent since inception. Now, the transition to declarative device management has begun. Watch this space—no pressure, Apple.”

Rich Thomas wrote: “Apart from software update, I find MDM pretty solid. It’s always a balancing act, and in certain situations I would like to be much more prescriptive and restrictive (again in the retail and payments space) but overall the MDM framework is useful and reliable.”

Armin Briegel wrote: “Declarative Device Management is showing a lot of promise. While Apple expanded its scope and functionality, its full potential is not being used yet. The BYOD user-enrollment strategies for iOS and macOS are interesting but are still missing some features to be useful. There are related technologies, such as distribution through the App Store, Managed Apple IDs, and iCloud for Business where Apple still needs great improvements.”

Marcus Rowell wrote: “The gradual roll-out of Declarative Device Management looks like it is on-track for such a big change, with a careful-let-us-see-how-this-works approach. With two limited scope releases completed, I’m hoping things are ready for a full release this WWDC.”

Kevin Williams wrote: “I always wish there was ‘one more thing’ our MDM could do if Apple allowed it, but mostly it’s been fantastic for the past year or two. We’ve been using various ways to use iPad in a 1:1 school for almost 10 years, and certainly the current state is light-years ahead of where we started. Same for Mac management via MDM—we wish there was something so simple yet powerful on the Windows side!”

Marcus Ransom wrote: “Declarative MDM offers so many possibilities. While the slow implementation of features leveraging MDM 2.0 can be frustrating, ensuring it is delivered carefully and incrementally is much better than needing to re-enroll devices. The minimal current configurations available is tempered by the excitement for the future state.”

Jason Broccardo wrote: “Our MDM still only has limited support for Declarative Device Management (which itself still has limitations) so any improvements Apple has made to the MDM protocols is more theory than practice for us.”

Cameron Kay wrote: “Still a work in progress. We haven’t seen what Declarative MDM will provide to fix the numerous shortfalls of traditional MDM. Apple also need to provide more config profile payloads for security benchmark settings. Not all of these benchmarks can be enforced with config profiles currently and rely on scripts, or for some there’s no way to enforce. Apple needs to add config profile support for all the major security benchmarks so they can’t be circumvented by users.”

David Tommey wrote: “Declarative device management addition has been a great addition to the MDM spec, but the unreliability of MDM initiated software updates has held the platform back significantly.”

The Future of Apple in the Enterprise

Grade: B+ (average score: 3.9, last year: 3.8)

Mischa van der Bent wrote: “Apple is improving its enterprise offerings every year, on hardware, software, and services, but they need to continue listening to larger organizations and improve device management capabilities to meet their needs. While there is still work to be done, Apple is making progress in this area.”

Fridolin Koch wrote: “The Future still seems bright for Enterprise adoption, but there are some shadows creeping in with decreasing Budgets and a lot of ‘hot stuff’ in Enterprise being Windows-only (Azure SQL Tools, Power Apps/PowerBI).”

Marcus Ransom wrote: “The last year showed us that Apple devices are no longer relegated to being simply tolerated, or even unsupported in the enterprise, but are now able to be integrated as first-class citizens. The number of enterprise vendors not providing timely support for the annual OS refresh cycle is reducing and the appetite for employee choice programs is growing.”

James Corcoran wrote: “Apple has a great reputation with leadership in our organization, where we’re 50/50 CYOD.”

Damien Barrett wrote: “Apple is finally paying attention to Enterprise (except with AppleTV management). It’s really an interesting balancing act on the company’s part — keeping devices user-friendly and attractive, but also building the tools and infrastructure to allow them to be managed like enterprise devices. I find it incredibly interesting to watch what Microsoft is doing with Windows 10/11 and TPM2 — effectively following Apple in securing their OS. I predict that the next version of Windows won’t even be Windows — it’ll be a Linux or Unix derivative with a Windows32/64 emulation layer for legacy apps. Again, following Apple’s lead in securing their platform.”

Shad Hass wrote: “I’m sure they’ll introduce more features for Enterprise faster than they can fix the ones they currently have, leaving so much potential on the table while trying new methods of sales and revenue.”

Cameron Kay wrote: “I still feel Apple is being lazy and only doing a half-baked attempt at enterprise management. They’re quite happy to take your money but offer little in return. They either still don’t get it or don’t want to spend the money to do it properly.”

John Welch wrote: “I think it’s solid, but I would like to see Apple doing more in the CAD/CAM/Additive Manufacturing world, to get vendors like PTC and Dassault to add Apple as a platform. Manufacturing needs more than just Autodesk.”

Adam Tomczynski wrote: “I feel the transition to ARM with better performance without compromising battery life for mobile Macs, total cost of ownership, and focus on user data security and OS security is what will help Apple propel gaining more of the market share.”

Joel Housman wrote: “I think Apple’s recent behavior over the past five years or more shows they recognize this is an area they need to pay attention to and have slowly been making iterative improvements with each new release of macOS. I would say: please keep making these continued improvements.”

Graham Gilbert wrote: “I’m sure Apple will succeed since people want iPhones. This is not indicative of the quality of macOS, which is at an all-time low.”

Nic Wendlowsky wrote: “Definitely positive. The Device Compliance Partner API looks like a positive step in the right direction for MDM vendors to better utilize Conditional Access in Microsoft Endpoint Manager and other identity providers (Okta, Ping, OneLogin) by simplifying the data needing to be parsed. As much as it’s a reverse cliché, Apple needs to look at some of the things that help Windows stay as the #1 OS in the Enterprise: longer OS support; more granular control over updates, upgrades, and patches; expanded customization of macOS to meet unique customer needs.”

Craig Doran wrote: “Less optimistic than last year. End users still want Mac devices but tech spending is stalling and there is more pushback about procuring Macs.”

Bart Reardon wrote: “There is a sense of year over year improvements to Enterprise support. The overall impression though is that Apple are still trying to figure out (at least publicly) what that is.”

Kale Kingdon wrote: “While the future is bright and I look forward to WWDC with more excitement than trepidation, I feel that Apple’s ideology of having an OS & device combination that needs to be everything for everyone, across all markets and sectors is straining against the bonds of its initial conception. Using privacy as an example, we continually come up against issues where a feature initially designed for a consumer experience requires end-user acceptance even under management. This is perfectly acceptable on a personal or organization-owned device, but how can an 8-year-old student with reading comprehension difficulties or a terminally ill patient being kept pain-free by life-saving drugs make the educated decision to enable location services or some similar prompt? In these instances, the user is incapable of providing informed consent, requiring us to build workflows where support staff handle the prompts that are outside of MDM control, thus defeating the purpose. Otherwise, we burden these users with a potentially complex task outside of their comprehension. Apple’s stalwart position on user privacy and security is a breath of fresh air compared to the other tech giants of our age, but the inability to delegate certain responsibilities to administrators, in specific instances, results in a poorer experience for everyone involved. Interestingly enough, a potential solution has been hiding in plain sight. We are currently running iPads in two different modes, with Supervision and without. iPads respond to commands differently when under supervision, more restrictions are available and in certain circumstances, the UI changes. Perhaps the time has come to expand non-supervised and supervised to also include ‘Supervised Education’ with its own set of features, checks and balances.”

Dennis Logue wrote: “Apple always seems to move in the right direction, just not always as quickly as we would like.”

Vaughn Miller wrote: “The formation of the Enterprise Workflows Team is a sign that at least someone in Apple is taking enterprise seriously.”

Jason Broccardo wrote: “Apple is not going anywhere, but Software Update is going to continue to be a huge point of friction for corporate environments or any organization trying to manage Macs at scale.”

James Nairn wrote: “Apple need to engage more in the Enterprise to get real life feedback, hopefully before implementing new functionality. Often new functionality is revealed with little to no MDM management offered which then has to be added in. Login Item notifications in Ventura is one example.”

Kevin Williams wrote: “I’m always afraid they are going to mess something up (because it seems they can’t stop themselves from screwing up a free lunch sometimes..) but if the last two or three years are any indication, it seems they have figured out how to move forward while maintaining a good thing. We did re-evaluate whether after 10 years it was time to move to Chrome or Windows for our students, and while there are some advantages and better compatibilities with other software platforms out there, it was decided to stick with Apple for another five years on the student side. On the teacher side, I don’t think anyone except a few specific areas in our building would ever consider leaving Apple without a fight.”

Rich Thomas wrote: “Engagement from Apple is actually pretty good if you know where to look. MacAdmins slack is a treasure trove of knowledge, and it’s good to see Apple interacting with it, even in a limited capacity. We’re in a much better place than ever before in that respect.”

Brad Chapman wrote: “The new Enterprise Workflows team at Apple is making serious headway into improving our quality of life as Apple device administrators. Kudos to them, and we hope they continue to be our advocates inside the walled garden.”

Jacob Burley wrote: “I think Apple is taking steps that show their commitment to Apple in the enterprise, from building the new Enterprise Workflows team to even launching their own MDM for small business. I’m definitely confident that they will continue to grow in this area, but would love to see Apple embrace modern concepts such as SSO for ABM, or even an API for ABM. This would help tie Apple services into our existing IT offering.”

Reid Blondell wrote: “I have seen improving efforts with outreach – talking and listening.”

Rebecca Latimer wrote: “There is so much friction in simply keeping our fleet up-to-date that I worry about the future of Apple in enterprise. We have absolutely no trouble with keeping our Windows and Chrome devices on the latest OS.”

Marcus Rowell wrote: “I’m still concerned about the CloudOS strategy of Microsoft and Google. I can almost run only Chrome or Edge on macOS and be a full citizen of the CloudOS world with no local apps. Once all my data and apps are accessible via browser, why do I need macOS when ChromeOS will do?”

David Tommey wrote: “With the addition of a team inside Apple to drive enterprise improvements I have faith that the future is bright.”

Grant Brinkman wrote: “If Apple Silicon devices can keep the same ~7 year reliability as many of their computers have had in the past, then Apple devices will continue to be a compelling purchase in enterprise. Though only time will tell how AS devices stack up in the long run.”

Fraser Hess wrote: “I feel quite confident about the near future of Apple in the enterprise. The expanding Enterprise Workflow team is doing great work, and they’ve been going for less than a year. The next benchmark is this year’s WWDC. Will there be features in macOS 14 that, like Login Items, appear to have been designed without the enterprise in mind?”

Luke Charters wrote: “Feels like things have never looked more bright for Apple in the enterprise.”

Jon Crain wrote: “The team that is working with admins is a solid smart growing team. There is evidence they are moving things in the right direction. I am very optimistic that things are getting better.”

Armin Briegel wrote: “Apple’s excellent hardware and the way they have (so far) mastered the supply chain issues has allowed them to gain market share with consumers and enterprise. They need to support these gains with similarly excellent management and deployment support. Then, they should be able to consolidate and further expand. There is a lot of work left to do.”

Daniel Woodcock wrote: “Apple have many of the right pieces there, however many are half baked or not implemented in an enterprise-friendly manner. The hardware is 90% of the way there. We just need a couple more basic features on the low end, and better or fairer product segmentation in the middle of the stack. After that, the Mac would be an easy choice for most enterprises. On the other hand, Apple are at best 50% on their way to meeting what the enterprise actually needs. There are several critical areas where Apple needs to make significant improvements before enterprise adoption of their products can be assured. These areas include Cloud Identity Management, and enforcement of security benchmark settings. Specifically, Apple must provide full integration with major Cloud Identity Providers (Azure, etc.), offer a comprehensive solution for Declarative Management, and introduce config profile support for all significant security benchmarks. It is essential that these improvements are made to ensure seamless integration and airtight security for enterprise users.”

OS Adoption trends

Mischa van der Bent wrote: “It’s great to see that more and more organizations are adopting the newer versions of macOS, iOS, and iPadOS to keep their devices secure with the latest security patches. Compared to previous years, the upgrade cycle seems to be moving at a faster pace, which is a positive trend for overall device security.”

James Nairn wrote: “We are moving to running the latest macOS within a couple of months of release.”

Adam Tomczynski wrote: “The instability of the Mac during the upgrade process is what is holding me back.”

David Tommey wrote: “We have seen an 85% adoption of the latest OS. This may be skewed due to an early MDM bug that would initiate a major OS upgrade instead of a minor one.”

Kale Kingdon wrote: “In my experience, interest & conversion across macOS & iOS platforms have never been higher.”

James Corcoran wrote: “Thanks to AppleSeed for IT, our organization adopted the latest OSs on release day last year. Apple’s native MDM functionality to manage those software updates has completely let us down. We have had to use third party tools to manage macOS upgrades.”

Rich Thomas wrote: “It’s about the same, which is to say, slow. Issues with software update, complications added by the removal of admin rights to meet security baselines make it fairly tough.”

Christian Lambert wrote: “We keep users/devices as close to the most recent release as possible. Especially with Ventura being the only OS that supports all security updates.”

Nic Wendlowsky wrote: “iOS adoption is fine, developers have that cadence down pretty well and the containerization of iOS apps makes securing data easier. macOS is the main issue. Still, Apple releases major OS versions too frequently and stops support for n-1 and n-2 versions too soon. Both of which try to strong-arm developers to make apps compatible with new architecture in unrealistic timelines. Enterprises cannot move as quickly as Apple wants. They are more likely to remove macOS computers altogether than allow the computers to be force-upgraded without compatible security software.”

Armin Briegel wrote: “Whether the organizations like it or not, Apple is pretty much forcing a fast adoption rate. While some customers are still resisting, sometimes for good reasons, there are very few efficient tools left to block upgrades. Unfortunately, the tools to encourage and enforce software updates are broken and have a poor user experience.”

Jason Broccardo wrote: “We’re about 85% of the way to being all Ventura and expect to be at 100% by the end of April. Nudge is the driver of our compliance.”

Jon Crain wrote: “Apple does not give proper reliable tools to enterprises to make this happen. They have communicated better than in the past about what risks companies open themselves up to by doing this though which is helpful from a security perspective.”

James Stracey wrote: “Upgrading devices from macOS Monterey to Ventura continues to be plagued with issues.”

Grant Brinkman wrote: “Historically, our org has gone so far as to skip major OS versions if they did not seem stable and wait until the next cycle. With 90 deferrals being the longest option now, as well as Apple not supporting all security patches for older OSes, staying up to date is the only realistic option. It’s a good change overall, but much quicker than we are used to.”

Fridolin Koch wrote: “Users were quicker than usual to update, but Software Update woes made it challenging for Admins.”

Bart Reardon wrote: “Our users are pretty quick on upgrading, even without forcing it with software update commands.”

Rebecca Latimer wrote: “Quicker than usual, thanks to extensive testing with the Appleseed beta program. We were confident that all of our tools were ready for Ventura on day 1 and used Nudge to prompt for updates as soon as it was released to the public.”

Cameron Kay wrote: “With the improved MDM commands for forcing major macOS upgrades we’ve been able to achieve a much higher rate of adoption of macOS 13. But five months on, we’re still nowhere near the 100% we’d like to be.”

Joel Housman wrote: “100% of our staff were upgraded to Ventura by mid-December, 2022. With each new point release, we upgrade quickly, mostly due to security concerns.”

Marcus Ransom wrote: “Ventura posed fewer hurdles to adoption than previous upgrades. Coupled with the ability for standard users to perform upgrades and a limit of 90-day deferral, this saw fewer organizations needing to block, which was good as it is now more difficult than ever to stay on older versions beyond the deferral threshold.”

Todd Ness wrote: “We enforce minimum OS on all our Apple devices, and when a zero-day problem comes out we’re on the latest within 7 days mostly. It may not be pretty for those that don’t see the updates on macOS, but we get there.”

Brad Chapman wrote: “Users are upgrading to Ventura on their own, since the macOS deferrals have expired. No one has reported any major issues. We’ll do a larger rollout targeting Big Sur users to encourage them to upgrade. For this campaign, we’ll be using Erik Gomez’s Nudge tool. We also had to delay most of our plans due to year-end change freezes.”

Graham Gilbert wrote: “We only support the latest versions of macOS and iOS. This hasn’t changed – this is primarily down to Apple not fully patching anything older than the latest versions of its operating systems.”

Kevin Williams wrote: “We usually wait 90 days or so (and our MDM helps with that) before we start releasing updates. Most of the time, it’s waiting for app vendors to catch up. (I’m looking at you, Google…)”

Third-Party App Stores

Adam Tomczynski wrote: “Will third-party app stores require notarization and other Apple security models? If yes, then I do not see the need for 3rd party stores. If no, then you will be potentially opening up devices to exploits, malware, etc. Very bad decision in my opinion.”

John Welch wrote: “Third-party App stores solve exactly one problem: the logo on the front. They don’t change what has to happen to be safe and reliable. That’s still going to cost money, which will be charged to devs. This fantasy that third-party app stores will somehow be nirvana compared to the App Store is just the worst kind of jejune magical thinking. Competition is useful only if it is better, not just different.”

Charles Edge wrote: “We’ve used SetApp, and really like not only the people there but the product they deliver.”

Damien Barrett wrote: “Our Security team already sees iOS as more secure. Opening up this walled garden to a 3rd Party App Store would weaken that view. At this time, I cannot see our Security team allowing unvetted 3rd party apps to be installed on our many thousands of managed iPhones.”

Mischa van der Bent wrote: “I believe that downloading directly from the vendor, as demonstrated by tools like Installomator and Root3’s app catalog, is generally preferable. However, it’s important to keep in mind that different use cases may require different solutions. As for the potential benefits or risks of a third-party app store for macOS, iOS, iPadOS, and tvOS, I am uncertain. While I recognize the safe mechanism that Apple has built with the App Store, I think it’s important to consider the potential risks and benefits of alternative solutions.”

Rich Thomas wrote: “Probably not something we would consider for the majority of users. Too risky.”

Brad Chapman wrote: “We don’t see much of a business reason to allow third-party app stores on a company-owned device. Game developers are the major proponents of third-party stores, and mostly because they didn’t want to give their cut to Apple. Their scope might be expanded later on to include security-related tools that flirt with the idea of jailbreaking, and Cybersecurity teams may take issue with that.”

Bart Reardon wrote: “Third party stores would not be allowed. We barely allow the App Store given how full it is of adware and scam apps.”

Luke Charters wrote: “Personally, I’m open to third-party stores if Apple aren’t going to relax certain App Store policies. Professionally, there’s no way I’m allowing them on my fleet.”

Jon Crain wrote: “We don’t do much with any App Store. However I would have less trust in an outside App Store.”

Shad Hass wrote: “Personally I’m inclined to supporting them, however, the ability to manage their use is important to me as a sysadmin.”

Dennis Logue wrote: “We don’t allow students (the large majority of our Apple users) access to the App Store. We are trying to nudge staff towards managed Apple IDs as well.”

Cameron Kay wrote: “We definitely don’t want third-party app stores and would want to block them.”

Kale Kingdon wrote: “Strongly against. This move is often framed by its advocates as increasing choice for users. However, it actually restricts their safety. Should Apple be forced into accepting 3rd party app stores, we would block or disable such functionality as it would be a vector for malicious attack. However, should apps required for the business migrate out of the App Store, and into an undesired method of distribution, IT departments may have little effective choice in the matter – which is why we also hope this possibility will not come to pass.”

Joel Housman wrote: “I’m all for allowing side loading on iOS devices via the user jumping through several hoops in order to do it. However, I do not want the greedy Facebooks and Epics of the world, and their narcissistic CEOs, to open up their own App Stores and force users to download their popular apps through these stores, thus opening iOS devices up to all sorts of potential security vulnerabilities. Yes, Apple does a poor job at curating their own App Store, but training users to become used to going to 3rd party stores not controlled by Apple, with the lax rules these companies would likely use to police them, could turn iOS into the hellscape that is Android and app security.”

Nic Wendlowsky wrote: “There are pros and cons. A Pro is that Apple loses its stranglehold over app and in-app purchases, thus allowing devs to make more money for themselves. A Con is that having 3rd party app stores increases the attack surface for nefarious apps.”

James Stracey wrote: “The App Store contains various applications which simply do not meet our risk appetite (i.e. they present an increased DLP risk). We’re also still unable to purchase subscription-based applications.”

Daniel Woodcock wrote: “In the event that a third-party app store installation option is made available, it is imperative that an MDM process is established to block such installations. This process should be granular in nature, enabling us to allow for the installation of specific vendor app stores in exceptional circumstances. Having an absolutist approach to blocking would be devastating. However, not blocking these external stores would be equally destructive.”

James Corcoran wrote: “We trust Apple’s ecosystem and have no interest in third party App stores. You only need to look at Android to see what a security disaster the ecosystem is.”

Søren Theilgaard wrote: “We already use Setapp which could be said to work like a 3rd party App Store and it offers a tremendous value for money. I could imagine Adobe would create their own store, and then suddenly those apps could be much easier to deploy.”

Craig Doran wrote: “Security hardening protocols generally instruct to turn off App Store access. Which seems truly misguided and misunderstood.”

Adrian Stancescu wrote: “Unless a VERY specific app is available on a third party App Store, they will not be allowed.”

Marcus Ransom wrote: “While some of the challenges of a single app store can be frustrating, the security offered by this approach is one of the major benefits of iOS in the enterprise. I would expect that Apple will deliver a solution that allows enterprise customers to limit their exposure.”

Marcus Rowell wrote: “I’m very, very concerned what third-party App Stores will do to the Apple ecosystem. I see huge risks for privacy and security, along with loss of management. I believe that Apple will be forced to allow third-party apps, and this is because Apple has totally mismanaged the App Store.”

Alex Jones wrote: “We use Kandji’s self-service App Store to provide a kind of Managed App Store. I like that the apps are still coming from the Apple App Store and I trust that they will be properly vetted from a security perspective. I’d be less inclined to trust apps from a third-party store.”

Armin Briegel wrote: “Apple has not been a good curator of the App Stores. They are full of worthless apps with questionable, if not outright scammy, business practices. App Store ads have worsened this impression. Justified software often faces capricious and seemingly random hurdles in App review. Many types of tools and software are still excluded from the App Stores. On macOS, managed deployment through the App Stores is unreliable to the point of being useless. My hope for third-party app stores is that competition will force Apple to make the App Store into the well-working, well-curated garden which they claim it to be, with great conditions for users, developers, and admins, that competes on its merits and not because it is the only option. My fear is that we will all have to deal with several capricious and inconsistent stores with questionable security and privacy from multiple vendors instead.”
