Six Colors

By Jason Snell

Apple in the Enterprise: A 2024 report card

In 2021, device-management startup Kandji approached Six Colors to commission a new entry in our Report Card series focusing on how Apple’s doing in large organizations, including businesses, education, and government. We formulated a set of survey questions that would address the big-picture issues regarding Apple in the enterprise. Then we approached people we knew in the community of Apple device administrators and asked them to participate in the survey. We are especially grateful to the members of the Mac Admins Slack for their participation.

This is our fourth year doing the survey. Over the last few weeks, we took the temperature of 128 admins, roughly half of whom report that they manage more than a thousand devices. They rated Apple’s performance in the context of enterprise IT on a scale from 1 to 5 in nine broad areas.

Below, you’ll see the survey results, plus choice comments from survey participants. Not all participants are represented; we gave everyone the option to remain anonymous and not be quoted. Though Kandji commissioned this survey—and we thank everyone there for doing so—it had no oversight over the survey results or the contents of this story, which was compiled by me, Jason Snell.

Overall scores

Average Scores

As it did last year, Apple’s strongest scores came in hardware—Apple silicon Macs are a big winner—and in the company’s commitment to security and privacy.

Score Changes

In most categories, our panel’s view of Apple in the enterprise was on an upswing. The company made large gains in the categories of deployment (which had taken a big hit last year) and macOS identity management. The only categories to show score drops, albeit small ones, were the top scorers—hardware reliability and security/privacy—which both dropped 0.1.

Pace of OS Adoption figures

We also asked a few questions outside the traditional set. For the third straight year, we asked about the pace of operating-system adoption. And for the second straight year, the sense that OS adoptions were happening quicker than usual was up — from 37% in 2022 to 51% in 2023 to 56% this year.

Pace of Vision Pro adoption figures

We asked about Vision Pro adoption, understanding that a large portion of our panel is from outside the U.S. and therefore unable to deploy Vision Pro right now. Still, it was interesting to see that 10% of respondents said they were deploying Vision Pro today.

Passkeys/passwordless adoption figures

We also wanted to see how organizations were embracing next-generation technologies designed to eliminate passwords, such as Passkeys. A full third of our panel said they’re already deploying those technologies.

Return to work figures

Finally, we asked about the current state of in-office, hybrid, and remote work in our panel’s organizations. Nearly half reported a mostly-hybrid organization and an impressive 81% reported some degree of hybrid work. Two smaller groups, both around 10%, reported either being all-in on office work or in organizations that are entirely remote.

Here’s what Tom Bridge of the Mac Admins Podcast had to say about this year’s results:

“It’s interesting to see the slight declines in security and hardware innovation. I wouldn’t have expected either. Neither is a substantial loss, but I suspect security may come down to the increased number of software updates to cover security issues.

“Deployment getting a boost is a pleasant surprise, likely owing to structural changes in the automated device enrollment framework released in Sonoma. I have the same reaction to the improvements in the identity management scores. With January’s updates to Apple Business Manager, any IDP with OpenID Connect, Shared signals framework and SCIM can power managed Apple IDs.”

Read on for category-by-category scores and comments from participants.

Enterprise programs

Category scores

Grade: B (average score: 3.6, last year: 3.5)

Teg Bains wrote: “ABM sign up is still painful and slow.”

Henry Stamerjohann wrote: “Behind the scenes, Apple has made some notable enhancements, such as improvements to the Apple Software Lookup Service.”

Joel Housman wrote: “We haven’t made any changes in this area with any of the tools we use. Our MDM provider for Apple is JumpCloud and they’ve made a lot of improvements over the past year, but it’s hard to tell whether those improvements have come about because of anything Apple changed with their MDM APIs or whether JumpCloud is just improving upon what already exists.”

Adam Anklewicz wrote: “The enterprise programs are pretty good for what they are, but they’re pretty stagnant. While the Federated Apple IDs is a welcome and long overdue change, these programs have barely budged since first introduction. VPP continues to only work sporadically without any changes in years.”

Jeff Finlay wrote: “Listed programs are working well at my higher ed enterprise.”

Bart Reardon wrote: “Another year of incremental improvements. There’s still room to improve integration with Apple Business Manager, AppleCare, Store for Business etc by making them all work together (and/or providing APIs so we can collect and collate this information ourselves).”

Dennis Logue wrote: “The efforts to improve software updates are appreciated but still not complete.”

Rebecca Latimer wrote: “It would be nice if Apple gave clearer timelines about API deprecations and documented when certain things will stop working. In one of the betas, any app that wasn’t using the newer ScreenCaptureKit API call (rather than a deprecated method) would display an error message repeatedly to the end user. If that change had made it to production, it would mean that every CEO who tried to share their screen via Zoom would have to deal with multiple popups, containing a confusing error that meant nothing to them. I cannot stress enough how poor of a user experience this is. Because Zoom had not updated to an API change that Apple vaguely said was being deprecated at some point, countless Mac Admins would deal with tickets and angry phone calls because Apple (presumably) wanted to put pressure on developers to update their API calls. The proper way to do this would be to document these changes through a roadmap distributed to developers, not to put Mac Admins in the unfortunate position of nagging developers and reassuring end users that this error (completely out of their control) would eventually be going away.”

Nate Felton wrote: “I believe some of the largest improvements in this category are around service availability and access controls for Managed Apple IDs (MAIDs). The introduction of iCloud Keychain and Passkeys for MAIDs is a huge step in the right direction. One current oversight of adding additional services to MAIDs is the lack of ability to increase the iCloud storage for a MAID, resulting in the free 5GB tier quickly being used up. With Apple Business/School Manager (AxM) finally allowing for federated authentication with a custom identity provider (meaning other than Google Workspace or Microsoft Entra ID), using MAIDs within the enterprise becomes a possibility for organizations that use other cloud identity providers (e.g. Okta or JumpCloud). Apple Business/School Manager (AxM) is still missing some much needed APIs to allow for external integrations, primarily around device management such as assigning (or unassigning) a device to a specific MDM server. The ability to define custom roles with granular access to AxM features would be a huge improvement as well. As others have mentioned in the past, in some cases, AxM has become the de facto device management portal for Apple, but some device information is still locked behind other services. Features that are available today via GSX, such as diagnostic tools and warranty information, should also be available as a part of AxM, and in turn, available via APIs to MDM vendors to access.”

Tony Williams wrote: “There could be improvements but it is pretty good.”

John Cleary wrote: “ABM/ASM are largely stagnant, yet many deficiencies remain. The UI is slow and clunky, creating classes in ASM is still a painful process of uploading CSVs with no ability to download the current account set as pre-populated CSVs, meaning if you don’t keep a copy of the last set of CSVs you uploaded you may accidentally disable or remove accounts, and there’s still no way to buy storage for managed Apple IDs, which means they essentially can’t really be used if you need more than 5GB (ABM) or 200GB (ASM). And let’s be honest, neither of those limits are sufficient, but to not be able to expand them is inexcusable.”

Tom Bridge wrote: “Apple has invested heavily in Apple Business/School Manager in the last year, as well as in Managed Apple IDs, in new and important ways that empower enterprises to make better use of these core technologies. It is exciting to see Apple adapt these areas of their products for the needs of businesses of all sizes. There are still challenges here, and progress is often slow, sometimes even imperceptibly so, to get needed improvements and needed goals. Apple is a slow-moving ship in the channel, carrying a lot of programs, and it’s got a quality pilot, but sometimes the course is just a little off. Apple’s secrecy is part of its DNA, but the absence of better partners who are read into the plan means it takes longer for MDMs to adopt and adapt to the roadmap in Cupertino.”

Cameron Kay wrote: “It is getting better slowly but more work is required. Apple still really doesn’t get enterprises’ needs.”

Tanya Pfeffer wrote: “I would like API integration to read assets from ABM into ServiceNow, or another CMDB.”

Trevor Sysock wrote: “The additional services and controls added to MAIDs are very welcome.”

Mike Stirrup wrote: “Solid services with increased feedback from Apple’s engineering teams.”

John C. Welch wrote: “One of the few bright spots in terms of documentation from Apple.”

Michael Reinhart wrote: “Some of this is still not available in Canada.”

June Billings wrote: “Apple is focused on consumers and makes little or no effort to cater to Enterprises. e.g. no grace time for accepting updated T&Cs, no allowance for time for corporate legal teams to review.”

Paul Chernoff wrote: “We are a small company so we use only some of the programs. ABM works well for us. So does Apps & Books. I buy all software via ABM if possible. Combined with an MDM it makes it easy to distribute software. On the minus side, apps do not always install or upgrade as quickly as we would like. We started use of Managed Apple IDs in 2023. For now we don’t have much use for it but I plan on using it to help with remote support. The biggest negative for us is the Developer program, but we aren’t developers. We have some digital versions of magazines and we are moving away from distributing them via apps to a simple web-based approach.”

Jeff Richardson wrote: “Apple should have made MDM ready on the Apple Vision Pro even before Day 1 so that the big vendors like Microsoft could have MDM solutions in place when the product first shipped. Apple’s recent update finally enabled MDM, but who knows how long it will next take Microsoft and others (other than JAMF) to enable support.”

Nic Scott wrote: “I appreciate the improvements in ABM, MAIDs, and DDM in the last year but MAIDs are still not enough for our org to use them and DDM and MDM management has not been as reliable as I was hoping. Looking forward to macOS 15 to see more improvements.”

Fraser Hess wrote: “Apple Business Manager and Managed Apple IDs got big improvements this year. One of my feature requests was addressed: Custom IdP support in ABM.”

Jason Broccardo wrote: “There have been no major improvements in the last year, but there have not been any major faults either. Apple are generally running things at an even pace now.”

Chris Schildhorn wrote: “What is offered is mostly well documented, and supported.”

Adam Rice wrote: “Steady strong improvements in what can be done with Managed Apple IDs. DDM looks to be the light at the end of the long dark Software Update tunnel.”

Mischa van der Bent wrote: “Apple’s failure to extend program availability beyond the US, particularly in regions like EMEIA, persists. For example, Apple Business Essentials is still not accessible in many areas. This lack of global inclusivity underscores the need for improvement.”

Ted Goranson wrote: “Why am I not using FaceTime instead of Teams?”

Marcus Rowell wrote: “The experience we can create with ABM, ADE and MDM so that a user can open the shrink-wrapped box of a new computer and get started without IT intervention is wonderful and so nurturing of the user experience. DDM is progressing sensibly and looks like it will be a great thing once complete. Can’t wait to see what WWDC2024 brings.”

Patrice Brend’amour wrote: “Some solid improvements in last year’s releases. The recent addition of Apple Vision Pro is a good first step, but should have been there from day one. Overall, MDM is still lacking features and cross platform support.”

Joel Anderson wrote: “Apple is making some progress here. An example would be finally allowing administrators to force a software update on iPadOS. That being said, the way it is implemented is still a bit convoluted and contingent on several steps and factors. And the Defer Software Update is still managed by number of days, and not actual OS version numbers. This requires admins to constantly change the number when updates are released for two different major OS versions within days of each other.”

Luke Charters wrote: “We finally have support for iCloud keychain and Continuity features for Managed Apple IDs! This, together with the improvements to permissions and controls for Managed Apple IDs, has made me very happy.”

Karsten Fischer wrote: “Seems fine so far.”

Armin Briegel wrote: “Apple Business Essentials is still only available in the US. The options for Apple Care and managed iCloud Storage are only available through Business Essentials. Apple admins still cannot volume purchase or manage App Store subscriptions or in-app purchases. I am all for being cautious, but this is too slow. Big improvements to Managed IDs last year, though there are still challenges to deployment.”

Allister Banks wrote: “There’s still no customer-facing API to AxM which would remove IT asset management toil and administrative overhead. There’s a general continued crackdown on having an enterprise developer account for those wanting to use an open source MDM. Signing certificates and entitlements for System Extension entitlements are slow (on the order of months in some cases) to the point that it’s hard to focus on advanced applications. Sufficient uptime and relative maintenance of docs doesn’t really earn high marks?”

Jim Zajkowski wrote: “AxM still does not have an API to help multi-server environments like you might find in a house-of-brands. Instead, staff have to manually assign and unassign every single serial number by hand, a task we do about 40 times a day, every day. MAIDs have slowly gotten better but still have substantial limitations—for example, you can’t use passkeys with your “work or school” Apple ID slot—and rolling out MAIDs to an enterprise where people have personal accounts at their work domain is complicated. Apple’s sales engineering teams have very little guidance on exactly how to turn on MAIDs for an organization, and the best source of information has come from conference talks from the community. MDM has had some improvements, but Apple needs to do a better job of getting MDM vendors to adopt new features. For example, Apple added a mechanism to have clients upgrade to a specific version by a certain date, but this new feature is only available through the DDM APIs, and VMware (Workspace One) has not built out this feature, and might never at this point. Jamf provides it only if you’re using their more expensive “Jamf Cloud” version, but if you have regulatory reasons – which would be workplaces where you’d really really want to bump updates – and are running Jamf Pro on site, you are out of luck. Similarly, Jamf Pro still doesn’t support device attestation for certificates on macOS, neither in on-prem nor with Jamf Cloud, as they have yet to implement ACME certificate payloads. Apple should have some kind of way of showing compliance with their features so that we can hold vendors accountable through a certification program. Of course, that would be best served by some way to actually let us move between MDMs, which is not possible without a great deal of on-the-ground engineering and helpdesk time. If Apple made it easier to change MDMs without boiling the ocean, that would enable a lot more competition and hopefully push vendors to work faster.”

Damien Barrett wrote: “Federating a domain with MAIDs remains problematic and difficult. While I appreciate Apple’s focus on privacy, and Apple does supply a number of affected users in your domain during the federation process, it refuses to supply a list of which users would be affected. Organizations are given little to no ability to customize the emails that are sent to affected users with branding, tagging, or information security/anti-phishing considerations. As Apple continues to increase the number of things that require a MAID for access, it continues to move away from Enterprise compatibility and more conventional integrations.”

Robby Barnes wrote: “Apple has made some progress in the last year, such as adding other identity providers to Apple Business Manager, and several welcome improvements to the MDM APIs. However, to me, it is still somewhat baffling how Apple seems somewhat oblivious to how most enterprise platforms operate and are missing several fairly key features that would benefit businesses and enterprises significantly.”

Craig Cohen wrote: “Additions of Federation options and updated Apps & Books show real growth.”

Adam Lacy wrote: “Significant work done this year for MDM APIs and some updates for Managed Apple IDs. I wish there had been meaningful updates for Apple Business Essentials. I would like to enroll, but even my Apple Store Reps have been confused about ABE’s feature set and if it could replace our current MDM.”

Daniel Ricci wrote: “Nobody understands Managed Apple IDs. As a school, students want to use their personal Apple IDs for iMessage (we allow this). This locks us out of using features with Apple Classroom Manager. Allowing Forced Updates in macOS 14 has been helpful. The fact that we can’t force enable screen sharing on school-owned devices is still concerning to us. Devices that don’t get rebooted for long periods of time still often fail MDM check-ins and don’t get updated policies. Apple has actively blocked workarounds to this like Addigy’s MDM Kickstart tool in 14.4, yet there is no solution in sight for an actual fix to this MDM problem.”

Charles Edge wrote: “The past year has probably not seen as many high-value net-new options as it’s seen cleaning up existing options that many consider table stakes. So updates haven’t garnered a lot of attention, and that’s a good thing!”

Enterprise Service and Support

Category scores

Grade: B (average score: 3.7, last year: 3.7)

Jim Zajkowski wrote: “Significantly better than years before, but it’s still the iron curtain of silence.”

Joel Housman wrote: “I would say they’ve improved in this area. In the past year, I’ve been contacted several times about online or in-person webinar/training available to me. I’ve had more contact with our Apple rep, who meets with me quarterly.”

Joel Anderson wrote: “Good things here: Apple recently published a list of specs and downloads for its devices, and they have had good deployment and security documentation for several years. Calling into support is generally a good experience. But I tried purchasing a replacement power supply for an M1 iMac. I couldn’t just buy it like a replacement power supply for a MacBook. Very convoluted process of going through support, filling out fairly labor-intensive paperwork, multiple line items, a limit to how many could be purchased per support case. (I think the limit was like four, and each supply counted as two items.) And expensive!”

Fraser Hess wrote: “It’s time for a more mature and cooperative engagement with enterprise partners. Apple needs to publish roadmaps, score their vulnerabilities with CVSS, and provide more controls and documentation for new features. This year, we raced to understand how to manage the new video reactions, desktop, and screen saver features. Too often, the Mac admin lives at the intersection of spelunking and whack-a-mole.”

Allister Banks wrote: “Same as every year, Apple has great people and good updates being pushed out in totally hidden-in-plain-sight docs and a bitbucket where feedback goes.”

Charles Edge wrote: “We’ve seen iterative improvements in documentation and more content that’s more widely accessible. I’ve been most impressed with the ability to now interface with much of this content programmatically, through APIs and GitHub.”

Jonathan Forsander wrote: “We don’t pay for any enterprise support contracts from Apple besides the AppleCare+ we purchase for all our laptops. I really like the support they provide via the Apple Enterprise Support phone line: (866) 752-7753. It’s very easy for me to quickly set up mail-in repairs by calling that number. It’s a much quicker and more streamlined process than calling the main support line as a consumer.”

Tony Williams wrote: “I’ve always found that I get a swift response and help to fix my problem.”

Trevor Sysock wrote: “I don’t have access to Enterprise Support. However, I have found numerous inaccuracies and conflicting documentation regarding MDM profile keys. Some were fixed upon filing feedback, and some have gone unanswered. I also do not like the new beta paradigm of requiring users to log in before being enrolled in a beta channel. It was unreliable in early Sonoma builds.”

Tom Bridge wrote: “Apple’s Documentation for Enterprise remains strong, and lately they are oftentimes delivering in excess of expectations. Timely and versioned documentation available through AppleSeed and public sources remains excellent. The only challenge here is how quickly those docs get revised.”

Anthony Reimer wrote: “Documentation for Mac Admins has really stepped up in the past few years, most notably the Apple Platform Deployment guide, which is regularly updated. Filing Feedback still feels like screaming into the void sometimes, but I have had some more obscure issues addressed via feedback in the past year, so I know they are at least reading them.”

Bart Reardon wrote: “Feedback Assistant is still a black hole, or at the very least seems that way from this side of the equation. Using ‘sideloading’ methods of gaining attention to an issue is still the best way to get it looked at. In other words, it’s not how you say it, it’s who you say it to (and also how you say it since you can’t just dump facts into a Feedback, you need to invent a user story on how XYZ change affects you and your business, etc).”

Marcus Rowell wrote: “The AppleSeed for IT Program and the associated community on the Mac Admins Slack appears to be working very well. As a community, we are all seeing the importance of filing feedback as early as we can. With guidance from within Apple, I feel the community is filing better feedback that appears to bring the changes we want and/or need. The Enterprise Team here in Australia has provided fantastic support to help the community with presentations at local meetups.”

John Cleary wrote: “This works pretty well, but the process for joining is still stuck in the early 2000s UI.”

Craig Cohen wrote: “Utilizing Apple Professional Services and the Apple Consultants Networks has given customers confidence that certified Apple support is available to the enterprise.”

Adam Tomczynski wrote: “As the only MDM admin for my organization, unfortunately I do not spend much time utilizing AppleSeed for IT. I do welcome the reach out from Apple in the private channel in MacAdmins Slack and do realize that this is one conduit to the community they use.”

Robby Barnes wrote: “If you have access to the right resources such as AppleCare Enterprise, they are top notch. They are extremely helpful and will help track down answers that they don’t immediately know. There is a little bit of a gap in the SMB space around support, but they seem to be at least thinking about that with some of the programs they have been working on.”

Mike Stirrup wrote: “Great work from the team in the UK with both the Appleseed and financial services meetings.”

Armin Briegel wrote: “In typical Apple fashion, they changed how developers and admins download and install system betas right before WWDC last year. Mac admins had to scramble to adapt their workflows and deployments. Other than that, not much has changed. The deployment user guides remain of high quality, even though the Security Guide has not been updated in nearly two years. What is encouraging is that Apple has management options for most new features (e.g. alternative App marketplaces) or will implement them fairly quickly on feedback. Though I would still prefer more clarity and directness, Apple is getting better at communicating their goals and direction to the developers and administrators.”

Rebecca Latimer wrote: “I said before and I will say again: Appleseed is an amazing resource. Feedback Assistant, on the other hand, feels like shouting into the void. I have noticed that feedback updates have gotten better in the last year, but there is still room for improvement.”

Patrice Brend’amour wrote: “The documentation is pretty good. Beyond that, there’s room for improvement, especially on the feedback side.”

Jason Broccardo wrote: “Submitting an issue through Feedback Assistant is still akin to yelling into a bottomless well. We do get engagement through Enterprise Support tickets, but any ticket we’ve submitted over the past year through Enterprise Support has been resolved by either being told to wait till the next OS update or having Support create product feedback on our behalf; it’s not necessarily technical support but more Feedback Assistant concierge service. I wish Apple would reconsider how users participate in the macOS and iPadOS betas. In an ideal world, we would be able to control access to the betas through configuration profiles and not have to rely on users signing in with Apple IDs. Apple has said for years that MDM and configuration profiles are the way of the future, so having to fall back to signing into System Settings seems like Apple is undercutting their own message.”

Nic Scott wrote: “I think they do a terrific job with the Appleseed program, some of the rebranding, interacting with admins in Slack, and always encouraging feedback. Feedback Assistant as a product has been a little wonky several times or crashed in betas to where you can’t submit feedback. Not a huge fan about the switch away from seedutil to enroll in the betas, but I’m used to it now.”

Henry Stamerjohann wrote: “Topics discussed in the community are reflected, and cases shared with Apple in the Enterprise Portal are also addressed in a detailed manner. For example, issues with FileVault activation during macOS enrollment.”

Cameron Kay wrote: “A lot more work is required. Enterprise OS support is expensive and frustrating, as you log bugs and feature requests, but they don’t go anywhere. Apple should have extra engineers working on fixing bugs and implementing feature requests for their enterprise customers. Documentation is getting better, but release notes are still as vague as ever. If Apple releases a new feature or a major improvement in an OS update, even if it’s a minor OS update, they should have some sort of tutorial on the new/updated enterprise features and what their implications are. Feedback Assistant is still a black hole. With the odd exception when Apple has really screwed something up that impacts everyone, filing feedback seems a pointless exercise.”

Michael Reinhart wrote: “Quality of support feels poorer in the last year or so.”

Damien Barrett wrote: “No complaints here. Every time I’ve reached out to Enterprise, I’ve been given access to very knowledgeable people. After I forwarded a Windows-focused coworker one of the response emails from Apple, he commented, ‘Wow, I wish all the vendors I work with would answer with this amount of detail and information.’”

Nate Felton wrote: “Feedback Assistant continues to be a black hole. Well-written feedback can often take hours to complete, only for there to be zero response for months or years. It has left me discouraged to ever write feedback. Having said that, Apple’s continued focus and commitment to programs such as Appleseed for IT and the Enterprise Workflows team has had some great successes over the past year in discovering issues during Beta cycles and resolving them before final release to Public. Apple publicly publishing changes to device management schemas has been a big win. Rather than needing to discover what has changed, being able to see diffs helps to focus on the things that have been added or changed. The Apple Platform Deployment guide, the Apple Platform Security guide, and the ‘What’s New for Enterprise in macOS (Name)’ all continue to be invaluable sources of information that help with keeping up on changes to the platforms.”

Brad Chapman wrote: “The AppleSeed Beta program is running smoothly, but it must be said that it owes a large chunk of its success to the MacAdmins Slack, who work tirelessly to test issues, discuss findings with their peers, and submit feedback to Apple. Response times to feedback submitted via AppleSeed for IT have improved in the last year. Having said that, it still seems like the feedback triage team is not adequately tying similar reports together. It becomes clear from Slack that many of us are having issues, and we share feedback numbers, but the ‘similar reports’ count never rises.”

Ted Goranson wrote: “In Australia, it is hard to work on the basics of the hardware side. Really don’t like the third party (eg Kolide).”

Teg Bains wrote: “There are no security details or real changes detailed in OS updates.”

Mischa van der Bent wrote: “My experience with Apple’s enterprise services, support, beta programs, documentation, and Feedback Assistant remains excellent this year. I’ve had great experiences, bringing Apple closer to a perfect score. Their commitment to feedback is evident, reinforcing their dedication to improvement.”

Luke Charters wrote: “As someone who has to find and read a lot of enterprise documentation, the platform guides and Appleseed for IT are insanely great compared to other vendors. It still feels like you need to roll a natural 20 to get a response in Feedback Assistant.”

Tanya Pfeffer wrote: “It takes Apple too long to identify product issues, and then doesn’t remove those reports as tickets that count against our max threshold.”

Hardware Reliability and Innovation

Category scores

Grade: A (average score: 4.3, last year: 4.4)

Luke Charters wrote: “In a year where Apple has introduced a new product line and way of computing, the most exciting feature announcement for me has been support for two external displays on MacBook Air. Pro/Max MacBook Pros are far too cost-prohibitive to purchase for all staff in K-12 environments just to get this feature. This removes one of the last roadblocks to going 100% Mac in our organization. I would have preferred two (or three) external screens with the lid open, but I’ll take what I can get at this point. Touch ID keyboards are about to get a big sales boost. I also need to call out 8GB of unified memory being the base spec on any Mac at this point, every year it continues, the more ridiculous it gets.”

Stephen Short wrote: “Macs are generally more reliable than PCs, and the gap has only grown wider since Apple Silicon debuted a few years ago. No notes; hardware reliability is excellent.”

Jeff Richardson wrote: “The iPhone and iPad are remarkably durable, and the iPhone is cutting-edge.”

Robby Barnes wrote: “Overall, I think hardware is in a really great place for the most part. The iPad line is a bit dated and really confusing at the moment, but Apple Silicon continues to shine on the Mac, and the iPhone 15 Pro with titanium has been a much bigger upgrade than I anticipated. I truly love this iPhone more than any other I’ve ever owned.”

Rebecca Latimer wrote: “The Vision Pro is truly amazing, and I can’t wait to see what the future holds in that space.”

Brad Chapman wrote: “Apple Silicon continues to exceed our wildest expectations for performance. It will not be a sad day when Apple drops support for Intel Macs. We’re a laptop-heavy fleet and have been actively pushing users to refresh their 2018-2020 Intel models.”

Peter Thorn wrote: “Our latest purchases are MacBook Air M2s, which are perfect and stable, but from 2023.”

John Cleary wrote: “Vast improvement since the Apple Silicon transition. Entry-level laptops are actually good enough to buy for the win!”

Tony Williams wrote: “It’s almost perfect. It could be faster.”

Ted Goranson wrote: “Reliability, not innovation, but we expect to use Vision Pro in the Teams-like space internationally.”

Dennis Logue wrote: “We continue to see very good hardware reliability from our Apple products, particularly when compared to other companies’ products.”

Joel Anderson wrote: “Apple devices last a long time, and generally do not fail in normal use. M1 iMacs are so thin and light, however, that they more easily tip over, causing more replacement screens than ever in my 26 years of purchasing devices for Apple Enterprise.”

Adam Lacy wrote: “My rating is solely based on the Mac and the Apple silicon transition. But my company has mostly been running on M1 MacBook Airs for the past 3 years with no hardware issues to speak of besides a few random Bluetooth bugs. And that’s probably software.”

Allister Banks wrote: “Apple’s entire innovation budget went into the goggles, it seems—no new iPads, Apple Watch feels very stagnant, Macs are allowed to coast after the good updates at a good clip, but there aren’t compelling enough reasons to upgrade.”

Gerald Horn wrote: “There seem to be too many new products with software/hardware issues from the beginning.”

Nate Felton wrote: “I believe we are in another golden age of Apple hardware with the Apple Silicon transition at the core of the success. The continued limitations on the number of supported external monitors on the base chips is a drag. This is slowly becoming less of a factor as the price of a single ultra-wide monitor gets closer to the price of dual monitors of the same screen real estate. With the reduced number of ports on the cheaper MacBook product lines, it would also be great to see Apple support Multi-Stream Transport (MST) to enable daisy-chaining multiple monitors together, while only requiring a single cable coming from the MacBook.”

Teg Bains wrote: “Most Apple hardware is non-upgradeable or repairable by 3rd party when compared to Dell or HP.”

Marcus Rowell wrote: “Apple Silicon continues to improve significantly year over year. Apple Silicon devices feel more robust and appear to be more reliable.”

Nic Scott wrote: “I still feel Apple is best in class for hardware.”

Fabrice Neuman wrote: “I would be hard-pressed to find a fault here. Devices I deploy in the small businesses I work with last for years. One annoyance? The most used letters on Apple-branded keyboards tend to disappear, which is disappointing considering the price tag.”

Damien Barrett wrote: “A++. Ever since Apple Silicon’s debut, the hardware has been exceptional. (Okay, perhaps that first generation of 13″ Pros with touchbar was some growing pains). In particular, the 14″ and 16″ MacBook Pros are among the best Apple laptops ever created — in all the 30 years I’ve been using Apple hardware. Battery life is beyond impressive. The build quality is very good. My end-users are ecstatic. I hope to remove the last of the Intel Macs from my fleet by the end of 2024.”

Mike Stirrup wrote: “Solid devices that have very few issues.”

Jeff Finlay wrote: “I’ve heard few complaints about hardware from our support and repair team. The new processors are solid and fast. Compatibility is no longer a concern.”

Daniel Ricci wrote: “We have not made many new hardware purchases in the last year, but the hardware we have continues to be reliable.”

Bart Reardon wrote: “Nothing to add. Hardware has been overwhelmingly rock solid.”

Chris Carr wrote: “For sure Apple’s top attribute.”

Fraser Hess wrote: “Apple’s latest round of MacBooks continue to be excellent and reintroducing multiple monitor support to the Air is welcome, even with caveats. But while the base has improved markedly since 2020, Apple has ceded ground at the high end and doesn’t have any offerings for high-performance computing, nor do they support the biggest GPUs. The lack of any new iPads this year means the ‘education model’ is still the 9th generation from September 2021. Hopefully this will be addressed very soon.”

Jim Zajkowski wrote: “The base M3’s ability to drive two external screens when the lid is closed is a huge improvement. We appreciate that since Apple provides the OS and the hardware, we spend zero minutes worrying about device driver compatibility, which takes thousands of hours of engineering time on the PC side.”

John C. Welch wrote: “It’s hard to say. Compared to themselves, they’re doing a decent job. Compared to everyone else, they’re doing amazingly well. The biggest problem in my world are vendors like PTC and Dassault essentially ignoring macOS.”

Charles Edge wrote: “The Vision Pro release was seamless. We shipped our first app into TestFlight within days of getting our test unit. Our first Vision Pro had a problem, and we had multiple people from support calling to dig into what happened, asking questions about everything from the straps being used to the apps on the device. I’ve not heard of any other issues, and I was even the first person the Genius Bar had come in with a failure. I got mine back within a couple of days and was running new code. Problems can happen, but what you do when they happen says a lot, and it couldn’t have been a better experience.”

Cameron Kay wrote: “Was disappointed with the new Mac Pro. It seems like a stupidly overpriced and underpowered piece of junk—twice the cost of the Mac Studio with the same processor, and all you get are some underpowered PCI slots that you can’t put GPUs in. It was good to see the M3 Air can now support two external displays when the lid is shut, but they should give you the option of being able to turn off the internal screen and keep the lid open so you can use the keyboard and trackpad. Also annoyed there’s still no M3 Mac mini or M3 Mac Studio.”

Joel Housman wrote: “I can only speak for MacBook Pro, MacBook Air, iMac, and iPad mini, because that’s all we use at our org. We deployed ~40 M1 devices and ~40 M2 devices and three M3 devices so far. Over time, we’ve had hardware issues of some sort or other out of 4 or 5 M1 devices, but only 1 M2 device. So far the M3s, albeit a small sample size, have been flawless. No issues out of our MBP, iMac, or iPads. One of the major things they’ve added with the M3 MacBook Airs is the ability to run a 2nd external monitor in clamshell mode. This is huge for us as I’ve spent the last two years removing monitors from desks in our DC office and swapping out those 2nd monitors for a laptop stand. Now I can slowly transition all our desks back to 2 monitor setups over time.”

Adam Rice wrote: “I have not had any major hardware issues that weren’t due to accidents in a long, long time. I am very pleased with the real-world performance and battery gains with the M chips; it’s great!”

Daniel Zamorano wrote: “Silicon Macs are offering the reliability we needed once again. Good aging computers.”

Jonathan Forsander wrote: “Hardware reliability is pretty great. Nothing like the awful days from 2015 – 2020 when they were shipping laptops with the butterfly keyboard.”

Bryan Heinz wrote: “The iPad’s stagnation is glaring. The rest of the lineup looks great.”

Armin Briegel wrote: “iPhones and MacBooks remain the best they have been. Mac mini with the Pro M-series chips is a great addition to the product line (but why no iMac with Pro M-series chips?). The introduction of the 15″ MacBook Air and the MacBook Pro 14″ with the ‘plain’ M3 chip seems confusing as those two devices have very overlapping feature sets and prices. The Mac Pro seems a bit redundant now, except for that market that needs expansion slots that aren’t GPUs, which can’t be that big. The entire iPad line is, as of this writing, still the same as last year. It is still good, still confusing, and still hampered by an OS that does not live up to the hardware. I don’t expect the new hardware that is probably coming soon to change this. The displays are getting a bit long in the tooth, and I would love to see a 24″ display (an iMac without the iMac). Vision Pro and visionOS are definitely interesting and innovative, but they will not play a big role in Enterprise until their use cases are figured out.”

Paul Chernoff wrote: “The biggest problem I’ve seen is dying batteries on old MacBooks. Over the past 25 years, we’ve had many 5+ year old Macs in operation. At times, I wish they didn’t last this long; we should be refreshing more often for software reasons. We are now mostly M1 or newer Macs; there are no hardware problems with those. We have a few iPads—a couple have battery issues and don’t run current software, but there is nothing I can blame on Apple. We don’t supply iPhones or Watches to staff. I can just say I’ve been happy with mine, I tend to keep them for at least 4 years.”

Anthony Reimer wrote: “Being in Higher Ed, we will still have Intel Macs for a while longer (no matter how aggressively Apple tries to push these computers out of support), but the Apple Silicon Macs we do have are rock solid and excellent performers. The iPad line could use some love, however.”

Adam Anklewicz wrote: “Apple’s hardware keeps on getting better and better. The M3 is a fantastic upgrade to Mac products, and it’s nice to officially be post-Intel hardware. The reliability makes managing a large fleet of Macs easy. We’ve had very few hardware issues with our Macs.”

Mischa van der Bent wrote: “Apple’s Apple Silicon machines continue to amaze with their reliability and speed. The new M3 series is a testament to their ongoing innovation. Additionally, the introduction of the Apple Vision Pro showcases their commitment to groundbreaking technology. While not available in EMEIA yet, my firsthand experience with it leaves me eagerly anticipating future iterations. The progress is truly remarkable and revolutionary. And remember, this is the worst version. Amazing what the next version will bring. It’s mind-blowing!!”

Barry Caplan wrote: “MacBooks Pro and displays are unparalleled in their reliability and robustness.”

Patrice Brend’amour wrote: “Pretty solid improvements and innovations, especially the M3 line. AVP has massive potential, but needs a lot of work still. It also needs to ship outside the US soon—before competitors grab the market.”

Adrian Stancescu wrote: “The lack of iPad and Apple TV hardware updates in 2023 was disappointing.”

Adam Tomczynski wrote: “I continue to be very impressed with the quality of hardware coming out from Apple. The MacBook portfolio is rich in options. I’m very interested in how the future shakes for the Vision Pro. I believe it will be a niche product like the Mac Pro tower was when it first launched and will find its way into the universe. Version 2 or 3 of the Vision will be more mainstream. I think that we are all waiting for new iPads now. Both iPhone and Apple Watch are in a good space. Watch needs more software updates. When the watch is able to read blood sugar levels in real time, this will be a device for all of us. It will change the world, even in more ways than the iPhone did.”

Tom Bridge wrote: “Apple is doing some impressive work on the hardware front. The new M3 line of processors and Macs are absolutely amazing, and very very reasonably priced. Vision Pro is the future in a very expensive package. The hardware reliability and innovation is Apple’s bread and butter, and they continue to deliver.”

Software Reliability and Innovation

Category scores

Grade: B- (average score: 3.4, last year: 3.3)

Luke Charters wrote: “Another year with AirPlay issues in tvOS at release. We had to wait until 17.2 for them to be resolved. It’s not ideal when we only use them for one thing, and it’s the one thing that’s broken.”

Jim Zajkowski wrote: “macOS 14 is better than 13. In particular, Software Update seems to work more reliably.”

Mischa van der Bent wrote: “I’m pleased to see progress in addressing my previous feedback. Last year, I highlighted the importance of innovation in bringing account-driven user enrollment to macOS, particularly in the context of BYOD workflows. This year, I’m delighted to note that Apple has taken this point seriously, extending account-driven user and device enrollment to iOS/iPadOS, macOS, and even visionOS. This development signifies a step forward in enhancing productivity and personal workflows. Moreover, the stability of the beta versions has noticeably improved. Unlike last year, where I hesitated to run beta versions on my production machine until later iterations, this year’s betas have been remarkably stable.”

Cameron Kay wrote: “There’s been nothing truly earth-shattering in macOS or iOS in years. Window management on both macOS and iPadOS is a mess, and Stage Manager needs to be rethought on macOS. Overall reliability seems to be getting better. Siri is still a deaf and clueless pile of junk.”

Fraser Hess wrote: “In macOS 13.3-13.5, Apple fixed a number of networking bugs. After updating, we basically stopped receiving tickets for connectivity issues from our Mac users. Additionally, macOS Sonoma has had fewer reported bugs at our organization than previous releases.”

Robby Barnes wrote: “iOS has been rock solid for us. iPadOS is reliable but it feels really limited to me. I love the iPad hardware, but I still feel like any time I try to do real work I struggle to be productive on the iPad and either go back to iPhone or Mac, which is really disappointing given how capable the hardware is. macOS feels like it has improved in reliability, but there are still some rough parts that I really wish they would spend more resources resolving. For instance, being able to dictate software updates to macOS has been extremely rocky in the last few years. It has vastly improved of late, but it still is not quite where it should be.”

Adam Tomczynski wrote: “I saw way too many bugs (iCloud, passwords, print) in public releases. On top of this, Apple continues to suffer with Software Update mechanisms. Every year, I’m hopeful it will be fixed, and for the past five years, we have not been there.”

Bart Reardon wrote: “Software is hard. I think, at times, we are sitting in a mansion and complaining about how the food is served. That said, I do have issues with some of the design decisions being made and the lack of communication when it comes to removing features mid-OS cycle. And no, I don’t think it’s reasonable to say, ‘But we said it was deprecated X months/years ago, so you knew it was going away.’ All I want is a damned date when the thing you said might be removed is being removed, and not mid-OS cycle, either. I don’t have an issue with removing outdated frameworks or whatever; I have an issue when I only get two or three weeks warning that it’s really going away this time. Planning is easy when you have a date to plan around. That said, I’m resigned to the fact that there is zero consideration for the poor admin whose work schedule is now disrupted when it comes to these matters.”

Brent David wrote: “Software updates are still a pain, and it seems even with the beta cycles, big issues are still cropping up with OS versions. Most recently, with 14.4, the USB hubs, Java, and other tools were not working as intended.”

Jason Broccardo wrote: “Overall, macOS Sonoma has been fine. We had over 98% install base across the fleet by the end of January 2024, and no major issues with compatibility with our existing tools or services. The place where we have encountered problems is with the macOS Sonoma betas. Apple has an unfortunate tendency to introduce changes in the middle of a beta cycle (for example, a system-level change is introduced in beta 4 versus appearing in beta 1) for the dot updates. This can be a problem because either third-party vendors might not test with each and every beta release in a dot update’s beta cycle or vendors don’t have time to respond to a change released late in the beta cycle before the OS update is publicly released. As an organization, we try to test each and every beta update against our major applications and services, but getting caught off-guard by a late-cycle change can be disruptive. Yes, macOS update betas are for testing new features, but it would be great if Apple was more forthcoming about those changes and didn’t backload them into the testing cycle.”

Patrice Brend’amour wrote: “There are some glitches here and there, but overall, it’s solid and secure. Maybe it feels a bit boring at times, but I don’t know whether that’s just me or a maturing market.”

Dennis Logue wrote: “iPadOS has stagnated, and there have been significant bugs in several releases this year that caused significant disruption for our users.”

Chris Carr wrote: “It may be far from perfect, but macOS is still leaps and bounds ahead of any other desktop OS.”

Chris Schildhorn wrote: “iOS 17 and macOS 14 were quite unstable releases in comparison to the last years. There were a lot of small or bigger issues everywhere and a lot of support cases at ACE.”

Daniel Zamorano wrote: “Ventura to Sonoma: as simple as it gets to update and to run existing software without issues.”

Reid Blondell wrote: “This year, I had no fear of deploying updates, including Sonoma, on release day. Kudos.”

Anthony Reimer wrote: “Changes to the login and lock screens as well as System Settings have caused loss of functionality. It’s as if when Apple rewrites certain things, they look at certain functionality and say, ‘nobody uses that,’ and don’t implement it in the rewrite. Feedback submissions can work to address these, but my experience is that any functionality requests have to wait until the next major version of the OS if you make them in January or later. Yes, the window to address problems in the current OS is during the initial beta period and for about 3 months thereafter, even though it is the current OS for about 12 months. That’s not acceptable. While Sonoma solves some problems from Ventura, it definitely added bugs in others. Apple is not holding its proverbial head high regarding macOS 14.4, for example. I want to be running the latest, most secure operating system at all times, but Apple can really make it hard sometimes.”

Teg Bains wrote: “macOS Updates are not reliable. And you still cannot uninstall an upgrade like Windows can.”

June Billings wrote: “macOS updates have been very buggy, e.g. Java issue on Sonoma 14.4, Bricking issue on Ventura 13.6.”

Karsten Fischer wrote: “I think some introspection might be a good thing before plowing forward regardless of the consequences.”

Barry Caplan wrote: “Timely updates and fixes. New features are welcomed to improve productivity.”

Bryan Heinz wrote: “I enjoy the novelty of Apple’s constant updates. However, through the enterprise lens, they’ve once again released breaking changes during the spring macOS update. Trying to keep up with yearly breaking upgrades is hard enough for my small-ish organization. Twice a year really takes away from other important work that we’re trying to get done.”

Michael Reinhart wrote: “Falling short in so many areas, particularly in a more connected world. And the hobby HomeKit software could really use some improvement. When will we see things like compounding conditions for Automations, and more?”

Henry Stamerjohann wrote: “Even if the key issues are addressed quickly, it would be great if they are solved in the beta phase and not stuck in a dot release. Not every org can update the whole fleet ahead to gain from a fix in the onboarding process. And not every MDM yet supports modern software enforcement (including enrollment).”

Tanya Pfeffer wrote: “Software is great overall, but I would like a more reliable cadence for business purposes (i.e., Patch Tuesday).”

Jolle Carlestam wrote: “Not bug-free but nice novelties.”

John Cleary wrote: “Less rough edges than previous years, thankfully!”

Adrian Stancescu wrote: “The 2023 iOS and macOS releases have been far more stable than previous years. Overall, it has been a great year software-wise.”

Joel Housman wrote: “There are occasional hiccups with point releases on versions, but we’ve suffered no huge issues from any new software updates. I do wish they would bring back some of the old UI in macOS for notifications from the regressions we suffered 2 or 3 years ago when they limited our action choices on a pending notification.”

Tom Bridge wrote: “Rocky year on the update front. There have been escape defects in many of Apple’s software releases this year, resulting in 4 more releases of macOS 14 Sonoma to date than were needed for Ventura last year. An increased release cadence can be a blessing, but not when it comes with updates that are broken. Innovation in macOS and iOS remains only incremental at this point, without a lot of sea changes. There have been some bright spots — high-throughput screen sharing, for example — but very limited improvements in the management pane and no strong use cases for upgrades have made it less attractive to upgrade for reasons that aren’t security. Security is a feature, sure, but not the kind that moves users.”

Armin Briegel wrote: “iPad platform is still held back by the OS and the weird choices of functionality lacking from Pro apps. macOS Sonoma was a relatively good update until the 14.4 update.”

Tony Williams wrote: “We always seem to have a software problem of some sort.”

Peter Thorn wrote: “Software update via DDM looks promising. Our MDM (FileWave) hasn’t implemented it yet, but we look forward to it.”

Marcus Rowell wrote: “We still have a dismal user experience for notifications. I still have users who click ‘block’ on every notification request dialog without knowing the implications. The new DDM Scheduled Software updates are easy to ignore or quickly dismiss—at least they get quite persistent as the deadline approaches. Dialogs are still constrained to mobile-sized dimensions, especially bad when important information is truncated for no reason. My users are feeling some update fatigue but appreciate the need to install updates in a timely manner. The vast improvement in the speed of installation is appreciated but, ideally, should be reduced to just the time it takes to reboot. Windows Server is getting reboot-free updates – maybe Apple could bring that to their devices.”

Daniel Ricci wrote: “macOS updates continue to introduce new bugs. Apple continues to make major OS changes at ‘point releases’ instead of major versions, which result in breaking functionality during routine software updates. Apple needs to have a clear published roadmap for the OS and focus on QA for a while instead of features. It would also be good if they completely separated feature updates from security updates.”

Nic Scott wrote: “There is a growing murmur in the admin community that we are the new Windows admins. Software updates have been unreliable; betas have had multiple releases to fix bugs; and there are multiple public updates on unexpected dates, catching admins off guard—only to have a 0.0.1 release a week later to fix an issue. Update fatigue in orgs is real, and the latest 14.4 issues with USB, printers, and Java are very frustrating when those issues were not seen in betas.”

Nate Felton wrote: “Apple continues to rewrite existing macOS features while adding new ‘features’ without regard for allowing granular (or any) management, especially from an Enterprise point of view. A good example of this is the use of gestures for the Reactions feature when in a video call. Apple released this feature enabled by default, with no management framework to control the feature. This resulted in some embarrassing balloons and fireworks during sensitive meetings. Existing Enterprise management features, such as managing settings with a profile, are presented as hostile or scary, using UI elements such as trianglebadge.exclamationmark. Apple continues to overburden users with notifications and dialogs, resulting in alert fatigue and causing important notifications to go ignored or unnoticed amongst the noise.”

Brad Chapman wrote: “Apple still seems focused on innovating features in the consumer space at the expense of overall reliability and dependability for enterprise customers. macOS Ventura had above-average reliability, especially later in the release cycle (13.4 and later). The boot loop in 13.6.2, where ProMotion displays set to <120 Hz would cause the Mac to fail to boot, was a most unfortunate hiccup in an otherwise pleasant release. The elephant in the room has to be Rapid Security Responses. Apple had made a big fuss about them at WWDC, but the AppleSeed testers did not have a lot of time to test and validate the RSRs prior to release. They also required a reboot anyway—something Apple administrators were hoping to avoid and assumed that Apple would strive to achieve. The RSRs were a net negative for the platform; let’s just hope Apple has abandoned the grand experiment. macOS 14 Sonoma is innovating with some cool new features, like reactions that appear superimposed on your webcam’s feed when you use certain hand gestures, often with hilariously inappropriate consequences. Sonoma has been plagued with a number of strange bugs in different point releases, starting with the random time de-synchronization issue in early 14.x releases, and leading up to the most recent unpleasantness in 14.4 with USB hubs and Java that have been reported around the world in the trade presses. There is also a nascent issue of excessive requests to access Desktop and/or Documents when iCloud is signed in, and OneDrive’s ‘Known Folder Move’ is also enabled. None of the above issues appeared during the 14.4 beta cycle, which leaves us to wonder if Apple’s Security team imposed code changes at the last minute to patch the 60+ CVEs disclosed in this cycle. I don’t know who could find fault with Apple for trying to make the operating system more secure.
If there’s anything to fault them for, it’s the apparent lack of quality control and failure to ask useful questions about the end-user experience. This was especially apparent in a more recent issue around Screen Capture that was so heinous that if the MacAdmins community had not acted swiftly and decisively to bury Apple with an avalanche of feedback, the issue would have caused widespread pandemonium on release and might have caused significant damage to Apple’s public perception. Lastly, Apple made a sudden change in the 14.4 RC to disallow certain ‘critical’ system services from being restarted with the command ‘launchctl kickstart.’ As a result of the unannounced changes in macOS 14.4, Addigy has had to retire their ‘Watchdog’ product and made the entire thing open source. Using launchctl kickstart is a common and safe method to safely restart individual services. These are now restricted by System Integrity Protection. Instead, Apple’s official advice is to restart the computer in the event of this type of malfunction—even one that an end user would not necessarily notice.”

Paul Chernoff wrote: “macOS is much more stable than it was five years ago or longer. My issues are more with 3rd party applications/services. I wish Apple would improve on Safari and Passkeys when you store Passkeys in something other than Apple Keychain. Apple’s insistence on file sharing services using ~/Library/CloudStorage has resulted in major problems with paths to these files being different for every user.”

Fabrice Neuman wrote: “The main software problems I have are basically related to other vendors, Microsoft mainly. Office, Teams and OneDrive are not reliable, but is it Apple’s fault? I actually would like to know.”

Allister Banks wrote: “iPad and iOS feel stalled, innovation-wise. macOS for my environment has a corner-case bug on Apple Silicon causing complete data loss, so I’m not given the impression of reliability there, either.”

Joel Anderson wrote: “Not a whole lot happening on the innovation side of things. More than reasonably reliable. A few gotchas—macOS 14.4 in particular was not the best in reliability.”

Adam Lacy wrote: “We mostly haven’t had any major software bugs, but we do see software finickiness in dealing with Bluetooth, Bluetooth headsets, peripherals, and some third-party software issues on Sonoma. I would prefer a full first-party MDM implementation, but that’s more related to the other questions.”

Gerald Horn wrote: “The newer security technologies are becoming a detriment to supporting the Mac product. For a smaller business without using Apple Business Manager, it is getting harder to process Active Directory support.”

Security and Privacy

Category scores

Grade: A- (average score: 4.1, last year: 4.2)

Paul Chernoff wrote: “I’m happy with Apple’s work, but too many pop-ups encourage people to just click OK.”

Robby Barnes wrote: “I think Apple cares about this a lot and puts a lot of effort into this. My only complaint is that I think, in some cases, they have started pushing things a little bit too far with how many prompts there are. Most customers we work with do not understand what most of them mean, so they just click through them, which is a bad user experience and negates the point Apple is trying to make. I think they need to focus on the experience for users more in the coming years and reduce the number of clicks and taps needed. As an Apple-focused MSP and Apple Consultant, it would also be fantastic if there were more ways to support our customers, such as more easily being able to screen share. I understand the thinking behind the screen sharing restrictions, but there should be a way to more easily allow access on company-owned Apple Business Manager enrolled devices. Customers are always confused by the Privacy Profile method, and either allow too many things that they don’t need or accidentally block us from being able to support them. I think there has to be a way to allow this workflow more seamlessly while preserving privacy and security.”

Daniel Ricci wrote: “While Security features like FileVault have improved for Enterprise, Apple needs to allow Enterprise/Education administrators to force settings such as Screen Recording for approved apps without user intervention. Users/Students need to be informed that they have no expectation of privacy on machines that they do not own, and we should not have to deal with the constant cat-and-mouse game of students unchecking screen sharing for monitoring apps generating tech support headaches.”

Jonathan Forsander wrote: “Apple is best in class in security and privacy. Although it’s kind of annoying having to manually allow apps access to the camera, microphone, screen recording, etc. in System Settings.”

Joel Anderson wrote: “I spend less time and have fewer worries about security on my Apple devices than on any other platform I manage. The security policies that I put in place on Apple devices are also easier to manage on Apple devices than on other platforms.”

Adam Tomczynski wrote: “This is where Apple is clearly going. As an organization admin, I would like more visibility into MAID. For example, I would like to extract a file from a user’s drive, similar to using Vault in a Google environment. It’s these enterprise-level access procedures that are missing in the Apple ecosystem.”

Allister Banks wrote: “Still waiting on rapid response updates to do more than save release engineers at Apple time, it was such a large deal that’s turned into an almost unnoticeable acceleration of patching. ChromeOS will always be where the bar is set, and the unpredictable and lengthy updates Apple still needs at a minimum to patch such a large swath of the system keeps holding them back. (Yes, I say it every year 😅).”

Mischa van der Bent wrote: “Security is the talk of the town; wherever you look, it’s about security and compliance. And yes, Apple makes their devices secure without compromising the user experience. That’s great, but it’s not only the device that needs to be secured; there are a lot of things that are a threat to the end user. And that’s the downside of becoming bigger; it makes you a target at the same time! Because of this, you see many vendors reacting to it. Do I like it? Not sure, but as an Apple Admin, we need to think about this more and more, and luckily, the available products are more compatible than they used to be.”

Damien Barrett wrote: “Apple remains steadfastly committed to a user’s privacy. In the Fortune 500 company I work for, this is important. I can confidently say to InfoSec and Cybersecurity that the data on our Mac endpoints is protected, several times over. Apple’s security documentation is very well written, and I’ve shared it many times with managers and leaders in my company. Microsoft continues to play catch-up.”

Jeff Richardson wrote: “Frequent operating system updates have kept Apple’s products safe. The only big security issue I can think of in recent memory was the one exposed by Joanna Stern, but that one involved social engineering to get your password. And now, Apple has even limited what bad actors can do even if they do have your password.”

Bryan Heinz wrote: “While Apple’s stance on security and privacy is great for home use, for Macs owned by a company, not being able to fully manage screen recording permissions is a consistent pain point for remote help and conference software.”

Henry Stamerjohann wrote: “The release frequency of Sonoma is on average 18 days after the last release, with an average of 27 CVEs fixed each release. The many external researchers, as well as the teams within Apple, do a great job of discovering and fixing vulnerabilities. We all know that no software is completely secure. So overall, I appreciate what Apple is doing in terms of security and privacy.”

June Billings wrote: “Why no facial recognition. Many enterprise employees work docked, but you leave no option to keep the built-in mic working when the lid is closed.”

Armin Briegel wrote: “I will repeat my reply from last year: Apple remains strong in this area. However, their focus on end-user privacy is often at odds with enterprise management requirements. Many features, like the new Advanced Data Protection for iCloud, are unavailable for managed Apple IDs. I don’t think user privacy and manageability have to be opposed. Apple could (and should) work harder to make all features available in managed environments. Several standard security options on macOS are still not able to be managed with profiles.”

Jason Broccardo wrote: “When a vulnerability is announced for a cross-platform service or tool that is also built into the OS, such as SSH, it would be appreciated if Apple more readily shared information about how the vulnerability does or does not impact macOS and, if it does, when an expected resolution will be available. Even something as simple as, “This issue will be addressed in macOS 14.7” would be appreciated. Make it easier for IT to respond to the Security team’s queries.”

Tom Bridge wrote: “Apple’s commitment to Privacy and Security are a hallmark of their focus. No other vendor is as committed to both causes. But the tradeoffs that come with this mean manageability is often limited in return. Not the worst thing, sure, but not the best either.”

Mike Stirrup wrote: “What happened to rapid security responses?”

Jim Zajkowski wrote: “In general, very good, but we get a lot of noise from vulnerability scanners complaining about versions of libraries and tools that are in the read-only OS version, such as Apache (httpd) being out of date. My team spends a lot of time discussing the limitations with Windows-first security teams here.”

Patrice Brend’amour wrote: “Apple’s investment in the security of its platforms shows a deep understanding and commitment to security. I especially love all the papers and documents they release.”

Teg Bains wrote: “The walled garden approach gives a false sense of security considering the amount of exploits.”

Nic Scott wrote: “Apple is great at individual users’ security but not great at giving enterprises security options. I totally understand the number of prompts, user-approved dialogs, and notification banners for consumers. But for machines in ABM with MDM management, we still can’t suppress some dialogs, pre-approve mic and camera for new hires so that Zoom and Slack open smoothly, or take screenshots with an enterprise DLP tool without our end users’ approval, or force installing a zero trust extension into Safari to enforce enterprise policies. Relying on users to opt-in to allowing permissions only to have them disable or remove them after IT is troubleshooting. There needs to be more management control for enterprises; these are not consumer machines, and we are regulated because we’re in the financial industry.”

Luke Charters wrote: “When it comes to privacy, Apple is in a league of its own compared to the competition. The only security feature I really want at this point is native FIDO key support at the login window.”

Chris Carr wrote: “Apple’s second best attribute.”

Adam Lacy wrote: “Some progress with Managed Apple IDs and Passkeys. I would really love to see a proper business suite using managed Apple IDs for inter-office communication, screen share access, shared password management, etc.”

Fraser Hess wrote: “The new DDM software update features boost the score here. But overall, Apple still struggles with the notion of the device owner and the device user being two different entities. Often, their privacy features want to protect the user from the owner. As mentioned above, Apple needs to score its vulnerabilities according to industry standards. It’s exhausting for both users and admins to assume that all releases mitigate at least one critical vulnerability.”

Nate Felton wrote: “Apple leads in this category. Apple’s platform security is among the top reasons we chose to deploy Apple devices to 95% of our company. There was a slight misstep (in my opinion) with Rapid Security Responses (RSRs), though there has not been another RSR since July 2023, so perhaps Apple agrees and has decided to silently discontinue them.”

Fabrice Neuman wrote: “It’s probably very good, and everybody seems to agree. But I’m annoyed by the deal with Google, for example, which makes me reconsider the whole story: I mean, Google is not known for respecting privacy, and still, Apple is OK to use their search engine, I suppose for the big amount of money. So, can we trust all the other things they say about privacy? It’s a big stain.”

Ted Goranson wrote: “Other than coddling Google Chrome, five stars.”

Marcus Rowell wrote: “I think Apple’s mishandling of the App Store has led to unnecessary government interventions that are going to undermine all the fantastic work they have done with Privacy and Security. We still see inconsistency in privacy controls and dialog fatigue. MDM managed devices should be able to override some user preferences.”

Cameron Kay wrote: “Apple needs to allow Screen Recording approval to be enabled via config profile on a fully supervised device. Managing a large number of shared Macs in teaching labs, there’s a real need to be able to remotely screen share to these devices when they are not in use to perform maintenance and fix issues. Having to physically go around each device after we’ve installed our enterprise screen sharing/remote assistance software is very time-consuming for our IT support staff. Apple also needs to implement additional config profile payloads so we can easily enforce all the rules in the commonly used security baselines such as CIS & NIST. And Apple needs to remove the old insecure version of Apache Web Server from macOS. There’s probably other old binaries they need to update or remove as well.”

Charles Edge wrote: “Improvements to iCloud Keychain, Passkeys, and Platform SSO continue to roll in. As do expanded API options for credential providers and endpoint security. The one place I’d like to see more is with the Screen Time APIs, but balancing telemetry and privacy is a challenge.”

John C. Welch wrote: “It’s not even close. Windows is a nightmare, and Linux management is 20 years behind.”

Bart Reardon wrote: “Apple set the benchmark for security and privacy and consistently exceeds it.”

Deployment

Category scores

Grade: B (average score: 3.6, last year: 3.1)

Jason Broccardo wrote: “After several years of being problematic and painful, Software Update in macOS Sonoma has largely returned to a “just works” state. We are still using Nudge to encourage users to upgrade over the new built-in notification methods, as we feel like the deferral options are more user-friendly.”

Fraser Hess wrote: “Apple made big strides in this area, such as enforced software update and FileVault during enrollment. Declarative Device Management for software update has been a success at our organization. Unfortunately, most of the new features require MDM vendors to implement them.”

Paul Chernoff wrote: “Deployment improves for me every year. This is partly due to Apple improving the MDM infrastructure for makers of MDMs. I do not miss the days of using file images to set up Macs, I found keeping the images up to date too much work. These days, I boot up a new Mac, and it gets on the MDM, installs the basic software, and does some configurations. I then assign the Macs to groups, which results in more automation. As a small shop that often sets up just a Mac at a time, I don’t do as much automation as possible. What is missing is one-time settings. For example, in the old days, I could provide an initial setting to a user’s Dock, and then I or the person could customize it. Now, the Dock settings are persistent, so I don’t use them. What I haven’t experienced yet is the ability to set the order of software installs and make the installation more reliable.”

Daniel Zamorano wrote: “Rapid security response still needs to improve, especially when a restart is required. Automated device enrollment has been stellar in the last year. macOS still needs a more controlled way (in terms of choosing how and when) to deploy updates to managed computers via MDM platforms. 3rd party tools like Nudge are still needed in this scenario.”

Jonathan Forsander wrote: “Apple has made major improvements to Automated Device Enrollment (ADE) and OS update enforcement in the past year. I no longer have to worry about devices I deploy not enrolling in Kandji via ADE. Additionally, Kandji has adopted Apple’s new mechanism for enforcing OS updates, and it works great. In the past, I would have to nag about a third of my users to manually update to the latest OS after an enforcement deadline had passed. Now, I can enforce an update via Kandji and will always have 100% compliance within 1 – 2 business days after the enforcement deadline. It’s a game changer.”

Trevor Sysock wrote: “DDM is a very welcome addition, and I like the direction of requiring a minimum OS for MDM Enrollment and FileVault at enrollment.”

Charles Edge wrote: “No one seems to really complain about software update anymore!”

Mischa van der Bent wrote: “It’s great to see progress in addressing past feedback. Last year, I highlighted the need for the ability to update to a specific macOS version before continuing with enrollment. This year, I’m pleased to see improvements in this area, showing that Apple is responsive to user concerns. I’m especially impressed by the extension of account-driven user and device enrollment to iOS/iPadOS, macOS, and even VisionOS. This expansion is a significant step forward in improving productivity and personal workflows. However, there are still areas that need attention. Despite progress, the availability of Apple programs is still limited, only covering around 70 countries. This could pose challenges for global companies in their enrollment strategies and operations. Overall, while Apple has made positive strides in enterprise deployments, there’s still room for improvement, particularly in making programs available to a broader global audience.”

Patrice Brend’amour wrote: “Software update management is still a problem in the enterprise market.”

Nic Scott wrote: “The team has done a huge amount with software updates—thank you! I haven’t used kickstart in almost a year. I won’t fault Apple for MDM providers’ lack of investment in app deployment. Jamf is probably the best, and app installers are still a mess for us, and deploying Mac App Store apps is just black magic. So we package and deploy our own apps. I’d love to stop doing this, but it takes vendors multiple years after Apple publishes the APIs. What’s the disconnect? Is Apple not partnering with vendors for adaptation? DDM is promising, but it has not been the hype that was promised. We have multiple issues where machines ignore DDM updates. There’s no way to actually manage them with MDM providers. You can push the command, but then there’s no way to check progress, cancel a command, issue a new command, etc.”

Henry Stamerjohann wrote: “Silly me, I still wish we had an official API for ABM. The latest addition to DDM and having various options to enforce software updates now has vastly improved. It feels great to have this ‘live’ in our own MDM solution. We use this with an extra spin – so it’s more or less set and doesn’t need to be adjusted over and over again.”

Brad Chapman wrote: “Despite the numerous bugs in Sonoma, the actual managed and unmanaged software updates have gotten easier and are more reliable.”

Teg Bains wrote: “We still can not deploy any 3rd party OS to extend the lifespan of hardware. Nor downgrade iOS.”

Daniel Ricci wrote: “I do not feel that Apple’s automated device enrollment is reliable enough to depend on, at least on macOS. We still manually run through the enrollment on machines before issuing them to end users. There are too many things that cannot be set during enrollment, such as the default browser. Our remote support software TeamViewer, and Classroom Management software via Mosyle, both need screen recording permission set manually. Also, the MDM does not check to make sure the profiles it sends during enrollment are actually received and installed, so if there is any kind of hiccup in the process, entire apps or profiles can get missed and must be manually resent via the MDM.”

John Cleary wrote: “I’m dinging Apple here for software updates still being harder than they need to be for devices. e.g. an MDM managed, supervised device that you can’t schedule an update for as an admin is a bit shit (user needs to approve).”

Tony Williams wrote: “There’s always room for improvement, but overall it does just seem to work. They are always improving things.”

Robby Barnes wrote: “There have been some improvements in this in the last year, but it is still a little flaky in some scenarios. This has become far more reliable than it used to be, however.”

Adam Lacy wrote: “Automated Device Enrollment seems to be progressing well, though managing OS updates through MDM is still a bit of a hassle.”

Anthony Reimer wrote: “If I compare where my deployments were five years ago with where they are now, there is a lot to love. When I get a new Mac for my computer labs, it’s simple enough to restore macOS to the current IPSW for our labs, enroll it via MDM, and let the automation setup in my MDM do the rest. That is both simpler and quicker than it used to be. Software Update is still not where it needs to be, but it’s good to see Apple apply effort here; timed software updates via DDM will be a killer functionality for our computer labs, when we can actually implement it.”

Mike Stirrup wrote: “Solid service with no issues on Apple’s part.”

Adam Tomczynski wrote: “Automated Device Enrollment is perfect and works great with my MDM. Software updates and OS upgrades, however, are notorious for failures. I leverage third-party tools (for which I’m very thankful) to accomplish something that should be baked in. Software Updates are where Apple continues to be very weak.”

Cameron Kay wrote: “Software Update got a lot better in macOS 14. At this point, it’s more the implementation bugs the MDM vendors have than macOS that’s causing issues. Apple still needs to implement bootstrap tokens for iOS so we can force OS updates on devices with a passcode set. And Apple needs to add a way to wipe and automatically re-enroll a Mac over WiFi like they can do now over Ethernet. An MDM command to make a device reboot into DFU mode would be very helpful as well. And there’s still no way to deploy downloadable content for VPP apps or manage subscriptions.”

Stephen Short wrote: “User self-service for redeploying Macs is a bit smoother with Erase Assistant, but automatically updating to the latest macOS would be a welcome feature addition. Software update in general seems to be in a perpetual state of ‘two steps forward, one step back.’ Mac admins were excited last WWDC when support for enforcing a minimum macOS in Setup Assistant was announced, but we’re on 14.4.1 and it’s still not available as a feature for most MDMs. It’s unclear if this is more of an Apple issue, or with each MDM vendor.”

Craig Cohen wrote: “The addition of Declarative Device Management for Software updates finally allows a proven repeatable solution for mass updates for security compliance.”

Michael Reinhart wrote: “Gets a little better each year.”

Dennis Logue wrote: “As an organization, we support far more iPads than Macs, and the deployment workflows for iOS and iPadOS work very well for us.”

Marcus Rowell wrote: “DDM driven Software updates seem to be working well from the OS Side. Delivering the DDM request and updating is still problematic, but that is the MDM.”

Joel Anderson wrote: “Apple’s new declarative device management has the potential to be a real game changer, and it can’t get here soon enough! Managing software updates on both macOS and iPadOS continues to be much harder than it needs to be, and Apple continues to work on it, but it shouldn’t take this long to have models that do what administrators want to do easily and reliably. Apple’s focus on security and privacy can get in the way of managing enterprise devices and applications (think about installing an app like Zoom, and what kinds of privileges Zoom asks for); the tools used to manage how administrators can deploy software need improvement.”

Rebecca Latimer wrote: “I wish we weren’t stuck waiting for vendor support on a lot of the new cool things in enterprise deployment, like true declarative device management and platform SSO.”

Allister Banks wrote: “You’d think competition from Business Essentials would bear fruit upstream and the improvements trickling down would teach MDM folks they can’t continue to offer piss-poor deployment, yet Jamf continues to only support one zip app deployment – for their VNC-ish remote support tool they snuck onto their customers managed computers (with no opt-out, quality vendors open sockets and phone home without telling you). SimpleMDM and Zentral (and JumpCloud and Fleet and TwoCanoes as the upstarts with aspects of the total package orgs need) are the only ones doing right by themselves and the MacAdmins community. Apple always thought ‘tier zero’ meant end user self-support was the answer, and shocker, you get what you give when you don’t value end users’ time or the day-one experience.”

Bart Reardon wrote: “Overall very solid. There are some great features now for MDM enrollment, keeping things enrolled, getting them back. Declarative MDM is the bee’s knees. Rolling out and enforcing macOS updates is still confusing, though it’s getting better. Big ❤️ to those working on those features—you put up with a lot of crap from us admins.”

Luke Charters wrote: “Enforced Automated Device Enrollment has been a very welcome feature. Return to Service shaved an enormous amount of time off our iPad redeployments in preparation for the new school year. Enforcing a minimum version of macOS during Setup Assistant would save us a lot of time and deployment headaches if our MDM provider would only implement it.”

Tanya Pfeffer wrote: “I love Automated Device Enrollment, but would like more logging capability to identify issues.”

Nate Felton wrote: “There have been some major improvements in this category that might seem like small things but really help with ensuring the security of our fleet at the time of onboarding. macOS Sonoma introduced a new feature allowing MDMs to enforce a minimum macOS version when enrolling devices using Automated Device Enrollment, ensuring the device is upgraded to our preferred version of macOS prior to enrollment. macOS Sonoma 14.4 also added the ability to enforce FileVault for standard users during Setup Assistant, ensuring FileVault is enabled earlier in the onboarding process and not delayed longer than it should be. While still not perfect, enforcing software updates with a DDM declaration is a huge improvement in the right direction for keeping our fleet updated.”

Reid Blondell wrote: “Declarative software updates are beautiful.”

Armin Briegel wrote: “The improvement for managed software updates seems solid, as do some other welcome additions to the deployment workflow (required software updates and FileVault in Setup Assistant). Apple is chipping away slowly but surely, and there are some pain points here.”

June Billings wrote: “Patching is awful for Enterprise. We have had to leverage Nudge with our MDM solution to try and address the gaps. Microsoft does this so much better. Allows users to schedule a time for the update/reboot.”

Adam Anklewicz wrote: “Some very welcome upgrades to the deployment process. Being able to force a minimum OS version would be amazing, if our MDM would roll out that feature. OS updates have been the bane of the Mac Admin, and that’s getting better. DDM is allowing us to force updates a bit better, but it’s still not fully there with features we would like and are still using Nudge to accomplish this.”

Bryan Heinz wrote: “A huge hole with Apple’s device enrollment is how hard it is to move MDMs. It is a monumental lift for any IT department to migrate MDMs, which creates artificial lock-in.”

Damien Barrett wrote: “macOS 14.4 was a little rough around the edges, but that’s mostly not Apple’s fault. For some reason, several third-party vendors did not do much testing against 14.4 and we saw some incompatibilities arise. These have since been fixed, but it meant there was a period of time when I had to put a deferral in place, which has become increasingly less necessary. Declarative Device Management continues to mature. I’m looking forward to controlling more pieces of my domain with DDM.”

macOS Identity Management

Category scores

Grade: B (average score: 3.6, last year: 3.3)

June Billings wrote: “Would like to have the option to federate without iCloud.”

Daniel Ricci wrote: “We really don’t see how this has trickled down to us in Education. We federate with both Google Workspace and Microsoft Azure but rely on our MDM’s ‘Mosyle Auth’ feature to inject itself into the login window process to allow cloud login access. I have not seen any way to do this with the built-in OS tools. Managed Apple IDs are also pretty much useless to us, as we allow students to use their personal Apple ID on the Mac so they can sync to iCloud or use iMessage.”

Mike Stirrup wrote: “PSSO Framework looks promising, and I’d like to get it working. However, to my knowledge, only Okta has it working, and Microsoft is still in beta until Q3 24.”

Robby Barnes wrote: “I’m glad this exists and Apple is thinking about this, but as of right now, the process is incredibly cumbersome, and even when it’s implemented, in my opinion, it does not really embrace what SSO is meant to do and solve. I was incredibly excited when this started getting announced but the actual implementation leaves a lot to be desired. I hope Apple works on this further and is able to get 3rd party solutions on board with this.”

Jason Broccardo wrote: “My team hopes to be able to at least trial Platform SSO in our organization this year. Due to other projects and waiting for full support from Okta, our IdP, this is still something in our backlog. Platform SSO with Okta looks promising.”

Joel Housman wrote: “Again, I think the benefits we take advantage of are coming to us mainly through what JumpCloud provides to us: connecting our Google Workspace environment with the user accounts of our staff on their macOS machines via the MDM. It has worked well in the past and continues to do so.”

Allister Banks wrote: “There are respectable implementations, but most of the huge vendors are just an iota better than turning a local password interception into a cloud bypass. Apple has been making strides in providing a basic password manager, but creating an account and auth’ing has remained almost unchanged since the dawn of NeXT.”

Ted Goranson wrote: “Excellent. Leads the industry.”

Fraser Hess wrote: “Platform SSO getting user creation is a big improvement. And Apple still needs to get more IdPs inside the tent.”

Tanya Pfeffer wrote: “I am still unable to federate Apple IDs with Okta – it is finally in beta, though.”

Patrice Brend’amour wrote: “I don’t know enough about this tbh.”

John Cleary wrote: “Until Login Window natively supports cloud IdP solutions (Entra, Google, Okta, etc.) and we don’t need to stuff around maintaining password sync, which is incredibly user-hostile (e.g., with Jamf Connect or Xcreds), this will get my lowest rating.”

Daniel Zamorano wrote: “We use Microsoft SSO and have had no issues in the past year.”

Stephen Short wrote: “There are marginal improvements in how Desktop SSO can assist with password syncing or account creation using IdP credentials, but actual MDM vendor support for these features is lacking. Apple really needs to take ownership of this space and provide robust ‘it just works’ first-party support for cloud directory authentication and integration. Stop farming out this feature to MDM vendors!”

Marcus Rowell wrote: “I see good things on most fronts: eSSO is working well. MAIDs are getting some needed features, though more work is required. Federation with other identity providers appears covered now. I’ve changed my opinion on the identity used for login. I now think Platform SSO is a dead end, unless it becomes available at the FileVault prompt. It looks like “everyone” is ok with a device PIN for iOS/iPadOS, and those devices contain access to almost all corporate data available on macOS. I’m running with the idea that the local device password should be treated like an iOS PIN and should NOT be your Enterprise SSO credentials. It is simpler, more robust and easier for both users and admins.”

Cameron Kay wrote: “Apple still doesn’t get what enterprise needs for Identity Management. We need to be able to log in to the Mac with our Enterprise Cloud Identity Provider using MFA and create a local user account whose credentials are kept in sync with the Cloud IdP. This requires being able to join an Enterprise WiFi network at the login window of the Mac so it can contact the Cloud IdP. The configuration of the connection to the Cloud IdP on the Mac also needs to be fully automated via the MDM (config profiles and app installation) so you don’t have to log in to the Mac as a local user first and manually set things up.”

Armin Briegel wrote: “Apple is not trying to be a party in the Enterprise Identity Management space and is finally providing some hooks and APIs for third parties to provide this service at various levels in macOS and services. However, as welcome as those improvements are, there still seems to be a lot of work necessary to improve these integrations.”

Teg Bains wrote: “Glad the AzureAD connections work.”

Henry Stamerjohann wrote: “It’s not just Apple that is lagging a little behind in fulfilling the wishes of the community/customers, the major IdP and SW providers on the market are also moving rather slowly, so we’re not quite there yet.”

Mischa van der Bent wrote: “Last year, I emphasized the importance of Apple working closely with Identity Providers to ensure a seamless integration process and optimal end-user experience for their Single Sign-On (SSO) platform. While Apple’s Platform Single Sign-On (PSSO) was a significant step forward, its success still depends heavily on Identity Providers’ implementation. Apple continues to lay the foundations for a robust identity solution. Supporting OpenID Connect (OIDC) within the Apple Business and School Manager programs demonstrates their commitment to advancing SSO capabilities. However, patience is key as we await further improvements. Collaboration and feedback from IT teams remain crucial for Apple and IdPs to refine their SSO platform into something truly exceptional. Although we’re not there yet, the future looks promising.”

Reid Blondell wrote: “I appreciate taking their time to get PSSO right.”

Jonathan Forsander wrote: “We’re not using most of these features. But we do leverage Okta’s Device Trust integration with Kandji, and it works great. This integration allows Macs we manage to sign in to resources we secure via Okta (Google Workspace, Jira, Slack, Zoom, etc…). Unmanaged Macs and PCs are not allowed to sign in to Okta. We do allow unmanaged iOS and Android devices to access our resources, as long as they meet our minimum security standards: OS up to date, biometrics and passcode enabled, not jailbroken or rooted.”

Trevor Sysock wrote: “OpenIDP for federation is great. I wish Platform SSO was actually available and working.”

Jeff Finlay wrote: “I look forward to support for Platform SSO in our Microsoft environment, but that lack of support is not Apple’s fault.”

Adam Lacy wrote: “Finally being able to get rid of all bound Macs in the building and moving to Kandji passport with Okta to facilitate access to Active Directory has been a game changer.”

Joel Anderson wrote: “The fact that Apple has even built an Extensible Enterprise Single Sign-on framework and SSO hooks is something! We can federate Apple School/Business Manager against both Microsoft and Google, and there are integration tools for other options. That being said, we use Mosyle Auth against Google to log into our Macs, and it does not respect the ‘remember this device’ checkbox. Is this Apple’s, Mosyle’s, or Google’s fault?”

Adrian Stancescu wrote: “There has been a huge improvement, especially with regard to the ESSO and Microsoft’s Intune/EntraID, which has made the deployment of new Macs a breeze.”

Dennis Logue wrote: “Platform SSO is promising, but the roll out seems to have been very slow.”

Tom Bridge wrote: “Slow progress is better than no progress. Federated Managed Apple IDs arrived in the year following announcement, with few supported vendors and MDMs. Platform SSO, and the SSO Extension models have proven difficult to adopt technologies due to their slow progress and limited applicability. There’s much potential here, but Apple needs to continue to invest and partner to make it more productive.”

Bart Reardon wrote: “Still a way to go. The ‘paradise island’ of IDP is authentication at the FileVault login screen with biometrics. Also less reliance on ‘it’s up to the vendors to build the thing’—spin up a reference design and tie it in with a managed Apple ID.”

Luke Charters wrote: “Finally we have support for Managed Apple ID federation with custom IdPs! Apple has been doing well with rolling out these identity features. IdPs have been lagging behind with supporting them.”

Nate Felton wrote: “Platform Single Sign-on (PSSO) is probably the largest feature that I’m eagerly awaiting to become fully baked and supported by MDM and IdP vendors. The dream is to enable a first-party macOS integration with cloud IdPs at the login window, much like Macs joined to an Active Directory domain used to work, with no need for third-party authentication tools (e.g. Jamf Connect or Kandji Passport). The addition of Managed Device Attestation and the creation of hardware-bound private keys for certificates issued using the ACME protocol continue to show how Apple is releasing features that may not be heavily adopted at first, but will eventually be core to the security of the platform.”

Brad Chapman wrote: “Smaller businesses with MDM would benefit from a smoother onboarding experience if Apple continued to innovate on the Platform SSO extension and refine the ‘whole login window’ experience with SSO integrations. The best login window replacement is still Jamf Connect.”

Jim Zajkowski wrote: “Platform SSO is still not there, and we continue to rely on login window shims like XCreds to do what Apple should be able to do out of the box.”

Damien Barrett wrote: “I have yet to test eSSO and pSSO (other than Microsoft’s solution). I think I’m waiting for it to mature more. In the meantime, Jamf Connect still works. So does Apple’s own KerbSSO extension. The pipe dream, of course, is a first-party IdP connector that can natively communicate with Entra ID during Setup Assistant and then at the FileVault login window.”

MDM protocol and infrastructure

Category scores

Grade: B (average score: 3.7, last year: 3.6)

Mischa van der Bent wrote: “This year, I’ve witnessed gradual progress in integrating declarative device management functionalities into our toolkit. Notably, many MDM vendors have implemented the software update command, signaling advancements in this area. However, tools like Nudge and Superman are still prevalent, possibly due to concerns about the stability of DDM functionality. Undoubtedly, embracing declarative device management represents a significant shift in IT workflows. Trust in this new approach is crucial as it revolutionizes how IT manages devices. Establishing the reliability and stability of DDM functionalities is vital for successful implementation and seamless transitions. While DDM offers promising benefits, such as streamlined processes and enhanced efficiency, building confidence in its reliability is key. IT professionals must collaborate closely with vendors, monitor performance, and address concerns promptly to ensure stability and reliability in DDM workflows. Despite the challenges, my optimism about the future of device management on Apple devices remains steadfast. Though the journey may be long, I believe in the potential for improvement and encourage perseverance. Together, we can navigate this evolving landscape and fully leverage the benefits of declarative device management.”

Anthony Reimer wrote: “I am looking forward to being able to use DDM and for it to gain even more functionality. Traditional MDM commands, including app updates via Apps and Books, are still not reliable enough. Much like Apple Feedback, MDM commands get sent out into the world, and you just have to hope that they succeed. When it does work, it is marvelous. When it doesn’t, it is very difficult to troubleshoot.”

Adam Lacy wrote: “As far as I can tell with our Kandji / Okta setup, it all just works, and that’s what we’re looking for.”

Mike Stirrup wrote: “DDM is great for enforcing OS updates. However some of the features in the MDM protocol (minimum OS for enrollment – Jamf) have still to be implemented by vendors.”

Cameron Kay wrote: “Software Updates via DDM was a good start but we need to be able to do all the common admin tasks via DDM. I want all app installs to be pushed back to the MDM as soon as they occur so the device inventory on the MDM is up to date. I’d like to be able to see the progress of OS and app installs/updates reported back as well.”

Allister Banks wrote: “We appreciated the feeling of greater remote access to Apple engineers via Slack during WWDC last year, and there were some great ideas on display—you can now regex a password policy—but since Lion you can’t configure anything else as a range nor as a single-use default the end user can override. MDM has always been about shoehorning a locked-down config into an opened-up world. Engineers get the go-ahead to ship an Appley version of features and often ship the first two betas with either no MDM support whatsoever or no way to successfully test new controls. It’s still very obvious they take the hint of good ideas and go in their own direction until it’s very late to get them to change course.”

Luke Charters wrote: “Most MDM issues experienced over the last year have been on the MDM provider side rather than Apple themselves. Reliability of declarative software updates hasn’t been great so far.”

Adam Codega wrote: “Declarative Device Management has been a great step forward by Apple.”

Bart Reardon wrote: “Improvements have improved MDM. 🎉 Would like to see their business essentials MDM opened to non-US based organizations (free for < 10 devices even 🙂 ) and have their implementation be updated with the latest in MDM shenanigans so we can play with them in detail rather than wait for $vendor MDM to implement them.”

Patrice Brend’amour wrote: “Very solid basis, but lacks some features compared to other platforms.”

Karsten Fischer wrote: “I’d love to see vendors adopt DDM more aggressively and openly, but that’s hardly Apple’s fault. Apple could probably push it by deprecating the MDM command superseded by the DDM counterparts, but boy, that would raise hell.”

Chris Carr wrote: “It seems to work better this year, and more improvements are coming in the future.”

Nate Felton wrote: “Apple has released some amazing features and capabilities with Declarative Device Management (DDM). I’m hopeful that MDM vendors will be able to utilize these new features and capabilities sooner than later. It’s clear that this is the direction that Apple will be going with management in the future, and a faster rate of adoption by MDM vendors is going to be required. I often realize that MDM vendors learn of these new features at the same time the public does during WWDC sessions, so perhaps Apple could work on improving its relationship with MDM vendors to ensure that they have more advanced knowledge of upcoming changes to MDM/DDM to ensure that they have more time to work on them to release them to the public alongside the release of a new version of macOS. It would be great to see Apple enable a workflow that allows for better transitions between MDM products. As the MDM landscape continues to change, with old incumbents wavering (such as Workspace ONE UEM [AirWatch] with Broadcom’s acquisition of VMware) and increased feature parity between market leaders, the complexity of transitioning from one MDM to another is often a large enough deterrent to allow for proper competition.”

Armin Briegel wrote: “Apple was very vocal about DDM being the way forward for MDM developers at WWDC last year. Some features and workflows are already improving because of DDM, but overall, Mac admins still have to wait for the MDM devs to fully enable the advances and features in their products and workflows.”

Adam Anklewicz wrote: “For the most part, the MDM protocol works very well. Where it struggles is with a few machines within a fleet that cannot renew the MDM certificate and thus lose management capabilities.”

Tanya Pfeffer wrote: “I want an easier way to migrate between MDMs.”

Jason Broccardo wrote: “If Apple is going to introduce additional PPPC controls into the OS, then administrators need the ability to manage those PPPC controls via configuration profiles. Having to explain to users that it’s OK to click on that dialog does not scale, nor is it a good security practice. Company staff should be allowed some measure of privacy on their endpoints, but at the end of the day, it is a company-owned and managed device, so fleet administrators should have control over how and when PC dialogs and mechanisms are presented or activated. Users should be able to control their cameras and microphones, but they likely don’t care that one app needs access to another app’s sandboxed data and are just frustrated they have to interact with a system dialog; let IT admins fully manage PPPC for their fleet unless there is an explicit user impacting control in scope. As it currently exists, MDM encourages vendor lock-in. There is not an admin or user-friendly way to move between MDMs. Users do not care about how their Mac or iPad is being managed, but if a company wants to switch MDM management tools or have to migrate systems between MDMs (e.g. Macs from an acquired company moving into the new parent company’s existing management system), users have to be forced to go through a migration process. Not being able to easily/silently move systems from one MDM to another impacts administrators and users in ways that seem contrary to Apple’s user-centered methods. MDM migrations or moves should be something that can be handled entirely on the backend without having to get the user involved or forcing IT to interact with each device in some fashion.”

Henry Stamerjohann wrote: “Overall, DDM is great and we are lucky to be able to use it extensively in our MDM. But there is still a lot of legacy MDM going on, so we are hoping for a big leap forward in the next major operating system released in the fall.”

Charles Edge wrote: “The MDM protocol and especially Declarative Device Management have continued to improve slowly but surely. I expect to see more and more added to DDM in the next year, but what has been added so far is working better than I had expected.”

Paul Chernoff wrote: “This is a topic dear to me, but since we are still on Ventura for reasons (a third-party publishing system is to blame), I haven’t been able to try out the goodies Apple has released with Sonoma.”

Brad Chapman wrote: “Apple adding MDM control for Vision Pro less than 30 days after launch was a genuine surprise to the community, but they’re too quick to celebrate. This is a small win; they have a long way to go to providing the kind of controls that admins still crave. And if they’re reading this and asking, ‘What does he want?’ then they’re not reading their feedback or talking to their customers.”

Damien Barrett wrote: “DDM continues to mature. I’m looking forward to great things.”

Tom Bridge wrote: “Declarative Device Management is a marvel of technology, but it’s also not as mature as it needs to be to drive adoption. The broad framework has few valuable use cases today to make it a compelling upgrade over MDM, given the requirements to adopt. I look forward to a broader application of the technology with more benefits to help spur adoption and drive forward the state of the art.”

Jeff Richardson wrote: “Same comment as above: Apple should have made MDM ready on the Apple Vision Pro even before Day 1 so that the big vendors like Microsoft could have MDM solutions in place when the product first shipped. Apple’s recent update finally enabled MDM, but who knows how long it will next take Microsoft and others (other than JAMF) to enable support.”

Tony Williams wrote: “They are doing good work.”

Adrian Stancescu wrote, “The only miss has been the removal of launchctl kickstart, which broke many Enterprise Mac deployments once macOS 14.4 was released.”

Joel Anderson wrote: “Things are improving. The number of Profiles and options in Profiles is increasing. Declarative Device Management promises great improvements in day-to-day management tasks; I wish it would be fully implemented faster!”

Daniel Ricci wrote: “The best use I have seen for DDM is for macOS 14’s forced software upgrades. That said, we still see machines that aren’t getting the latest update profile forced to it. This seems to be in line with students and staff not rebooting their machines for long periods and the background MDM processes getting stuck. Apple needs to figure out how to make their MDM commands reliable for machines that students and staff don’t reboot often.”

Robby Barnes wrote: “This is in pretty good shape. I have no specific complaints other than the difficulty of troubleshooting this in the rare cases something does go wrong. Some improvements could be made, but this is in great shape.”

June Billings wrote: “On MDM-managed Enterprise devices, we should be able to deliver profiles completely silently without users having to Accept the profile.”

Adam Tomczynski wrote: “I await when my MDM is better with DDM. I am very frustrated that the top-of-the-line MDM solution is lacking.”

The Future of Apple in the Enterprise

Category scores

Grade: B+ (average score: 3.9, last year: 3.9)

June Billings wrote: “Apple’s track record indicates it does not care to cater to Enterprise customers. It’s Apple’s way or the Highway.”

Adam Rice wrote: “They’ve hired a great internal team who’s empowered to connect with the Mac admin community. IT concerns are heard and addressed in beta cycles. It’s great!”

Teg Bains wrote, “Hardware becomes obsolete too soon. Vendor OS lock-in is a problem as well.”

Joel Housman wrote: “I think they’re pushing their Business Essentials service a lot, which just does not fulfill our needs. And that’s fine – it’s not for everyone.”

Tanya Pfeffer wrote: “Apple is doing better, but still has a very ‘individualistic’ approach to device use.”

Luke Charters wrote: “The future for Apple in the Enterprise feels brighter than ever. I’m looking forward to the What’s new in managing Apple devices session at WWDC more than I am for the keynote.”

Daniel Zamorano wrote: “Considering how most people work nowadays (web-based and remote), I am sure Apple’s security and privacy development is a big plus for companies. Long battery life and cooler, quieter computers are also a big plus here.”

Anthony Reimer wrote: “There is no tech space I would rather be in than the Apple space. The hiring of Mac Admins to key positions inside Apple helps get our message across. That doesn’t mean there aren’t challenges, but I like the general direction.”

Adam Tomczynski wrote: “I do see a solid future and growth for Apple.”

Nate Felton wrote: “I’m cautiously optimistic about the future of Apple in the Enterprise. They have shown some great strides and improvements over the past year, but there have still been a few missteps.”

Marcus Rowell wrote: “I’m still concerned about the impact of CloudOS, where all your data and app live in the cloud, on Apple. The Browser as the endpoint OS is a thing. Apple needs to be making sure that developing native apps is worth the effort. Their behavior around the App Store seems to provide good reasons not to develop natively.”

Brent David wrote: “It seems that Apple is finally listening to Enterprise admins, and we are finally going in the right direction.”

Jonathan Forsander wrote: “The future looks bright. After a rough couple of years from 2018 – 2022(ish), Apple has made significant improvements to its MDM protocol and related features to support a stable deployment of Apple devices in businesses. This demonstrates Apple’s commitment to serving business needs and iterating on the capabilities it provides to businesses over time.”

Tony Williams wrote: “It is always getting better. You would be hard-pressed to find an enterprise without some sort of Mac fleet.”

Armin Briegel wrote: “There is a solid foundation of protocols and APIs for Enterprise support in all of Apple’s platforms, including watchOS and visionOS, and as long as they keep chipping away at the pain points, and users keep choosing Apple devices over the competition when given a choice, Apple in the Enterprise will be fine.”

Damien Barrett wrote: “The crystal ball is still quite hazy here. I’m hoping to see a well-defined roadmap at WWDC in June, but I am not holding my breath. In Enterprise, we plan 1-year, 3-year, and 5-year (some places do even longer) roadmaps. I can look one year ahead at Apple in the Enterprise. Three is much harder. Five is virtually impossible. The landscape shifts and changes too rapidly (not Apple’s fault). However, a roadmap that showed direction, velocity, and potential could be useful.”

Robby Barnes wrote: “Apple will continue to thrive in Enterprise because of the products and the open nature of web / SaaS-based apps that enterprises rely so heavily on, but honestly, it feels like Apple devotes extremely limited resources to Enterprise. I would love to see them take this space more seriously, particularly as Windows continues to get more and more bloated and ad-ridden. I think Apple could make significant headway in Enterprise if they took it more seriously.”

Jason Broccardo wrote: “Apple is not doomed yet.”

Paul Chernoff wrote: “I’ve seen a lot of progress in the past five years, so I am hopeful. It’s just that Apple takes its eyes off the ball.”

Karsten Fischer wrote: “Some things I’d like Apple to provide: cloud storage for Enterprise, regardless of platform (I mean, getting rid of Dropbox would be a personal win for me). Also, get more into the IdP market as well.”

John C. Welch wrote: “They need to partner with major software VARs, especially in manufacturing. Apple would be ideal for that world, but they need key application suites like Solidworks and Creo. Getting more Autodesk products would help.”

Allister Banks wrote: “I’m cautiously optimistic about DDM, but otherwise, the upheaval of tech jobs that overwhelmingly offer Macs/iOS may wax and wane while the new heroin crypto, the AI/Musk-style mismanagement siren call that continues to lure the C-level.”

Henry Stamerjohann wrote: “Apple has a lot of great people on board who are listening, so I’m confident we’ll see improvements on both ends: the product side, and the growing adoption of the platform including the Mac in enterprise and business.”

Patrice Brend’amour wrote: “Their efforts are showing. Most big enterprises these days offer their employees Apple devices as options. Not just because employees love them, but also because they work well in an enterprise environment and even make financial sense in the long run.”

Jim Zajkowski wrote: “Nowhere near enough people on the Enterprise Workflows team who work in a marginalized sub-unit in San Diego.”

Brad Chapman wrote: “Apple computers remain solidly in demand for a wide range of industries. Meanwhile, Microsoft seems to be staking its future not on its Windows operating system but rather on Copilot: they tried to court OpenAI’s Sam Altman but got Mustafa Suleyman from DeepMind. Apple knows that Siri and ML are just one part of their whole vision, and they cannot put their eggs in one basket. But the money they wasted chasing Project Titan ($10B) could have been used to hire more engineers focused on the Enterprise, education, and government.”

Bart Reardon wrote: “There are people at Apple that live this stuff, drive the conversation, and strive to make Apple platforms work as best as they can in Enterprise. I love those people. There are also people whose thoughts stop at ‘consumer’ and those people seem to make a lot of decisions around direction. I’d like to know how to communicate with those people. Overall, I feel Apple still has the best desktop and mobile platforms. They dominate the mobile space. They have the most advanced desktop OS. Are they working on the future of the desktop in Enterprise? Yes. Could they do more? Yes. Do they need to? Market cap would suggest they don’t, but I’d love it if they would.”

Fraser Hess wrote: “Apple’s Enterprise Workflow team continues to be a great boon for enterprise, but that team needs more discretion for sharing relevant information.”

John Cleary wrote: “Apple Silicon has rejuvenated Apple in the Enterprise. If they could just get MS to start building native apps again (e.g., Teams), they’d do even better! 😂.”

Daniel Ricci wrote: “I still do not feel that Apple values Enterprise or Education. When we are responsible for the well-being of students, especially in a boarding school environment, we need to be able to monitor the devices, especially during study hall periods when they are learning to be independent. I do not feel that macOS Automated Device Enrollment is reliable or flexible enough for our needs. Managed Apple IDs are a mess – nobody understands them, and they do not play nicely with situations where we want to allow users to also use their personal Apple IDs. Apple continues to have problems with Macs with long uptimes failing to check in with MDMs, so time-sensitive or security-sensitive profiles cannot be reliably pushed to Macs.”

Adam Lacy wrote: “Very confident. I’m mostly interested in at what point they expand their in-house MDM tools and how well it’s adopted over third parties.”

Mischa van der Bent wrote: “Apple continues to enhance its enterprise offerings each year, spanning hardware, software, and services. However, it remains crucial for Apple to actively listen to the needs of larger organizations and further refine its device management capabilities to align with their requirements. While there’s still progress to be made, Apple is steadily advancing in this domain. Notably, Apple’s expansion within the enterprise market is noteworthy. The concept of ‘Employee choice,’ once a mere buzzword, has now become a reality for many organizations. The increasing adoption of such programs signifies a significant victory for Apple as it strengthens its presence in the enterprise sector. The growing readiness of companies to embrace these initiatives underscores the evolving application landscapes, further solidifying Apple’s foothold in the enterprise market.”

Tom Bridge wrote: “There’s never been a better time to be a Mac Admin. The ecosystem is substantially mature, there are a number of different price points and functionality spectra for tools. It has never been easier to go deep with Apple’s technology in a corporate world, and thanks to key stakeholders at all levels, it’s never been a better investment for business.”

Joel Anderson wrote: “Apple is more popular than ever in Enterprise. ChromeOS is king in education, however.”

Adrian Stancescu wrote, “Apple is in a very good position, and I foresee increasing adoption in the Enterprise in the coming years.”

Ted Goranson wrote: “We will continue to be Apple-based, against headwinds.”

Fabrice Neuman wrote: “It seems that Apple’s inability to play well in a mixed environment makes it difficult. As soon as a new team member comes in with a PC, things start to hit the fan.”

Cameron Kay wrote: “I’m hoping Apple’s starting to get what Enterprise needs and it’s just taking them a long time to implement it. They clearly need to expand their engineering team to implement stuff faster. They have 1000 engineers working on the iPhone camera—they should have 500 working on Enterprise Device Management.”

OS Adoption

Pace of OS Adoption figures

Gerald Horn wrote: “We cannot purchase new computers at the rate at which macOS versions are released.”

Reid Blondell wrote: “As stated above, this year I had no fear of deploying updates, including Sonoma, on release day.”

Allister Banks wrote: “Our CISO just realized that even more than the writing being on the wall and in the docs, the raw numbers of Critical and High CVEs plummet once on the latest OS.”

Damien Barrett wrote: “We adopted Sonoma faster than we adopted Ventura. I think this trend will continue. Perhaps we may never get to ‘Day One Readiness’ but we get closer and closer every year and this is because Apple keeps making OS upgrades a smoother process. I was surprised at how little broke in my environment between Ventura and Sonoma.”

June Billings wrote: “Excellent, as we deployed Nudge.”

Adam Anklewicz wrote: “Getting our fleet up to macOS 14 was easier than it’s ever been.”

Nic Scott wrote: “We’re aggressive with updates and have been using Nudge. We have tried to switch to DDM updates, but it’s not ready. The notifications are not customizable by orgs, words are cut off in the banners, half the time they don’t show to the end users, and deadlines are not actually enforced. Not to mention, not all of our machines support DDM across macOS, iOS, and iPadOS.”

Anthony Reimer wrote: “For our computer labs, we have had to hold off deploying Ventura because the change in Lock Screen behavior means that a new user to that computer cannot log in (via a directory service, like Active Directory) if another user is already logged in and the Lock Screen is active. We always have to hold off adopting the new major version of macOS for at least a few months because Apple releases them in the middle of an academic Term, but this is the first time we’ve had a showstopping regression hold us back further.”

Chris Carr wrote: “No one seems in a hurry.”

Adam Codega wrote: “Updates on Apple Silicon Macs are largely faster and more reliable, making updating easier.”

Marcus Rowell wrote: “The need to be on the latest OS to have the most secure device is real. That drives us to begin testing the next OS as early as we can, so that we are ready as soon as possible after release. It is a massive ongoing effort, but needs to be done.”

Robby Barnes wrote: “We have been pretty aggressive at forcing updates whenever possible. The mechanism is more functional now, so maybe it is a bit faster than previous years because the reliability has improved, but I would say about the same as we were pretty aggressive previously as well.”

Adam Rice wrote: “As an MSP, I moved clients to Sonoma way sooner than I rolled out earlier versions of macOS – November/December vs February/March.”

Daniel Ricci wrote: “We pushed macOS 14 out to the 90-day limit. Ideally we would like to be able to hold off major updates to the summer months. When we were finally ready for updates, we still had a lot of students on macOS 13 as it had no way to force updates. Hopefully, once we get more on macOS 14, we will be able to use the DDM to keep the machines current.”

Tony Williams wrote: “We had a blocker with 14 and Xcode that took a while to be resolved.”

Trevor Sysock wrote: “We have fully embraced the ‘no delays, no blocks’ in all possible cases.”

Jonathan Forsander wrote: “100% of our Macs are already on macOS Sonoma 14.4, the latest OS. However, it’s starting to make me a little nervous seeing numerous reports of major bugs in this release.”

Jason Broccardo wrote: “With both macOS Ventura and macOS Sonoma, we’ve had pretty much 100% adoption by February of the following year.”

Nate Felton wrote: “We continue to support new major versions of macOS with release day support and will push the latest minor version within 14 days of release. Continuously running the latest beta version throughout the year has helped with this rate of adoption.”

Paul Chernoff wrote: “Our issue with macOS has been a third-party publishing platform, but that should be fixed within the next month. As soon as that is done, I expect us to adopt Sonoma quickly.”

Fabrice Neuman wrote: “Quicker than usual to adopt the iCloud Password sharing feature, which is awesome and a good alternative to 1Password or BitWarden. And, hopefully, a good way to introduce Passkeys at some point….”

Cameron Kay wrote: “I think the month earlier release of macOS 14 is a factor in the much higher percentage of the fleet now running the new OS compared to this time last year. We do still have an annoyingly large number of Macs that are broken somehow and just won’t upgrade from old versions of macOS, and we’ve tried both MDM commands and downloading full installers via softwareupdate and using startosinstall. To get these Macs upgraded, IT support is going to have to physically get ahold of those Macs and erase & reinstall them. This is a very costly process and very disruptive to users. Hopefully this will be less of an issue once all the fleet is running macOS 14 for the upgrade to macOS 15.”

Daniel Zamorano wrote: “In our case, the problem relied on macOS, but, after Big Sur, every new OS has managed to get rolled out in less than six months to around 90% of our fleet.”

Fraser Hess wrote: “We are deploying macOS Sonoma quicker than macOS Ventura, which was quicker than macOS Monterey. Next year should be faster again when we can use Declarative Software Update for a major upgrade.”

Patrice Brend’amour wrote, “We’re pushing people quite heavily towards the latest versions. It makes sense from a security standpoint and also limits support.”

Mischa van der Bent wrote: “It’s good to see more organizations upgrading to the latest macOS, iOS, and iPadOS versions for better device security with the latest patches. Just like last year, this trend continues, with organizations quickly adopting new versions and patches. It’s becoming hard to slow down this trend, as staying updated is crucial for device security. As organizations focus on security and keep their systems up-to-date, they play a big role in making devices safer. Moreover, it’s not just the operating systems; software vendors are also stepping up their game. They’re ensuring their apps are compatible with the latest versions as soon as possible. This means there’s no need to hold off on updating just because a core application isn’t compatible. Now, they’re adopting at the same pace, ensuring smoother transitions to new OS versions.”

Adam Lacy wrote: “I’ve been able to manage updates a lot more efficiently with our current MDM than in years past.”

Bryan Heinz wrote, “Apple doesn’t really give us a choice anymore. At best, we get 90 days to adopt the latest and greatest before our users can upgrade anyway, regardless of potential OS-level bugs, whether the software that we need to support works on the OS, or anything else that might be going on.”

Brad Chapman wrote: “We were able to release macOS Sonoma within 60 days of release after help from our internal beta testers. Last year, we waited well over 90 days.”

Adam Tomczynski wrote: “Due to many bugs in public release I have delayed new OS adoption cadence.”

Joel Housman wrote: “Our stance is for staff to install the updates immediately. Because of the nature of our work, some of our staff are potential targets. We want those security updates immediately.”

Vision Pro

Pace of Vision Pro adoption figures

Luke Charters wrote: “I could see us purchasing one or two for students to experience and play with, but I can’t see widespread adoption happening in the K-12 space any time soon.”

Chris Carr wrote: “We have one, and it is fascinating but has very small utility as of yet.”

Charles Edge wrote: “We’ve extended all of our apps to Vision Pro. We recompiled the credential provider from our iPadOS version for Vision Pro, and it mostly worked. However, we filed some requests, and others must have done the same, because just last week, there were updates to add native passkey support for Optic ID. It took less than half an hour to get it all working. I loved that!”

Rebecca Latimer wrote: “The fact that Vision Pro needs to be specially fitted and outfitted with custom inserts really limits its use as an enterprise device.”

Tanya Pfeffer wrote: “The tie to an Apple ID makes it difficult to use in a shared enterprise environment.”

Ted Goranson wrote: “Spatial reasoning will be breakout.”

Robby Barnes wrote: “We support lots of Apple customers as an MSP, and we’ll need to eventually help support customers with Vision Pro. I’m personally very excited about the possibilities of the platform, but it is very early on. We have not seen any business interest yet from our customers but I expect that to change in the future.”

Joel Housman wrote, “The product is just not ready for mainstream adoption in a workplace yet. I won’t rehash what many have already said on hundreds of other podcasts, but the AVP is like the Apple Watch Series 0 (though decidedly a lot better performing). I don’t think it will “catch on” until Series 3 or 4. And even then, I’m not convinced yet that it’s anything more than an entertainment consumption device. And yes, I own one.”

Fraser Hess wrote: “While we have no plans, it’s awesome that Apple has implemented MDM management of Vision Pro so early in its life. I take this as an indication that Apple sees Vision Pro as a business tool.”

Paul Chernoff wrote: “Unless someone has a compelling reason to publish our magazine on The Apple Vision Pro with a custom app, I don’t see us adopting it for the next few years, if ever. That reflects our business, not anything bad about the technology.”

Jim Zajkowski wrote: “Waiting on our MDM vendor to implement what’s there. As of today, I don’t see a lot of ways to tailor the Vision Pro for enterprise use (e.g., single-user design).”

Joel Anderson wrote: “Expensive. Not easily shareable. Fragile. Prescriptions.”

Bart Reardon wrote: “We’d love to deploy these, but they aren’t available in my country yet. We’ve imported a few, so we’re playing around with the tech but are limited in any real-world testing due to app store account requirements. We will want to make them available to those who want them as soon as we are able to, presuming management capability is up to it.”

John C. Welch wrote: “For manufacturing, the VP is an amazing device.”

Jeff Richardson wrote: “These are still very early days for the Apple Vision Pro, but it is great that Apple is selling a product so that we can start to envision future uses by lawyers and other professionals.”

Teg Bains wrote: “Overpriced iOS device. Cannot run apps not allowed by Apple. We should pay to beg Apple to let us use the device. Nope.”

Damien Barrett wrote: “Our Emerging Tech people are giddy about the possibilities, having been forced to design their AR/VR/MR stuff around Meta’s offering. While still in the early stages, I am expecting to see amazing applications of Vision Pro’s technology in the next 12 months. Gen 2 and 3 of this thing are going to be very interesting. I’m bullish on the future of mixed reality and augmented reality and the new paradigm shift in how humans interact with technology.”

Jason Broccardo wrote: “Until an exec asks for one, it will likely never enter our organization. Even then, an Apple Vision Pro would likely have a limited use case as it cannot be fully managed like an iPad or Mac yet.”

Passkeys/passwordless

Passkeys/passwordless adoption figures

Joel Anderson wrote: “I can’t wait for passwords to go away! But this is not quite mainstream enough for us right now.”

Marcus Rowell wrote: “I love the idea of removing as many passwords as possible. Apple’s Passkey implementation is great. But there are still too many rough edges in other services yet – hopefully, this year, that will change.”

Joel Housman wrote: “We’ve been issuing Yubikeys to staff since 2018. We’re starting to adopt passkeys, too.”

Adrian Stancescu wrote: “The main issue is the lack of Passkey export. There is no standardized mechanism in place that currently allows this, and it is, therefore, a showstopper.”

Adam Anklewicz wrote: “We support passkeys through our password manager, though we’re looking to further roll out to our Identity Management solution.”

Jeff Richardson wrote: “Moving beyond passwords is a great way to improve security, and the iPhone has a vital role to play in this process.”

Adam Rice wrote: “In my very limited testing, I can’t get this to work as advertised using 1Password as my primary password manager and Safari as my browser on any platform.”

Mischa van der Bent wrote: “Personally, I’ve been using passkeys through services like iCloud and 1Password, and I’m impressed with their seamless implementation across compatible sites. I’m excited about the prospect of passkeys being integrated into Identity and Access Management (IAM) platforms. This would enable organizations to provide and manage passkey authentication options to end users, enhancing security and user experience simultaneously. I would love to see what Apple is going to do in this area.”

Allister Banks wrote: “As part of a ‘zero-trust architecture’ initiative, our org now requires ‘phishing-resistant multi-factor auth’. While that still involves a password at deploy time, a hardware token and passkey credential takes the friction out of subsequent and frequent session extensions.”

Charles Edge wrote: “We use them wherever possible. We’re also looking for ways to force their use with third-party software.”

Cameron Kay wrote: “I can’t see how we can go passwordless and still use FileVault. I wish Apple had a way to FileVault unlock your Mac from your Apple Watch or iPhone. We haven’t looked at updating any of our enterprise systems to support Passkeys. I think that would need to be something that our Cloud IdP would need to implement first.”

Robby Barnes wrote: “Passkeys are nearly magic when they work, and we do deploy and use them internally. The support from sites is pretty limited, and it’s a bit frustrating how siloed iCloud Keychain is and how buggy some other 3rd party solutions can be in this space, but this will continue to improve. I hope the rate of adoption continues to rapidly improve, and that 3rd party clients are able to improve reliability with Passkeys across browsers.”

James Brown wrote: “Very eager for this. Hoping for cross-platform interoperability.”

Nic Scott wrote: “The fact they are tied to hardware or iCloud is not great. I would love to see Apple lead a vendor-neutral, hardware-agnostic approach.”

Jim Zajkowski wrote: “Not my part of the organization. Lack of experience with Passkeys among Windows and Android users limits excitement for using them.”

Paul Chernoff wrote: “I’m playing with it right now. I was ready to go ahead with staff, but 1Password and Safari are not playing smoothly together, and Apple needs to fix it. I am far from convinced that Passkeys will improve security in the short term as long as (1) passwords can still be used to log into the account and (2) someone can easily reset the password. If someone can access your email it is game over. Almost every service bends over backward to help people with log-in problems, but devious people can use these same mechanisms to break into accounts. So I end up turning off password recovery for users where possible and have to make them go through IT to reset passwords. I don’t see Passkeys closing this back door.”

Jonathan Forsander wrote: “We use Okta FastPass for passwordless authentication to most internal resources. It works great.”

Peter Thorn wrote: “We are slowly implementing.”

Fabrice Neuman wrote: “Companies are made with real people who are slowly getting into password manager thanks to iCloud password management and sharing. The passkey notion is totally unknown and not understood.”

John Cleary wrote: “We already use passwordless where we can (e.g. SSH key pairs). Passkeys adoption is hamstrung by the lack of a real password management interface on Mac / iPad. If Apple actually built one (e.g. 1Password-like interface for iCloud Keychain), it’d go a long way to helping. Maybe this year? 🤔.”

Jason Broccardo wrote, “We’re not opposed to passkeys as an organization, but we need to see cross-platform support and have a mechanism to use them that is not reliant on iCloud Keychain.”

Office work style

Return to work figures

Adam Anklewicz wrote: “We are remote-first, and current plans are to stay that way.”

Mischa van der Bent wrote: “In my opinion, a mix of working from home and going to the office is necessary. Collaboration in the office is different from remote sessions, especially for group discussions. At home, you miss out on casual conversations and learning opportunities that happen spontaneously. For junior roles, learning alongside seniors in person is crucial for growth. Working remotely can be isolating, even for introverts. It’s important to have face-to-face interactions to exchange ideas and gain different perspectives. In the end, we work with people! And yes, we are working on computers; however, we are working on improving end-user experiences (or our own experiences/automations)!”

Jolle Carlestam wrote: “We are very open to remote, calling it the new normal.”

Fraser Hess wrote: “With most employees working remotely, drop-shipping computers to users is a priority at our organization.”

Patrice Brend’amour wrote, “The board is pushing for hybrid and RTO. I expect a bunch of people to leave soon.”

Adam Tomczynski wrote: “During COVID, we proved that we are remote capable. My leaders do not believe in remote or hybrid work. So often, during my drive to work, stuck in traffic, I question this in my head as my home office setup mirrors my work setup.”

Karsten Fischer wrote: “Really? While I — sometimes — enjoy being in the office, I don’t see any benefit. Even if commuting time would be considered work time, I would rather stay at my place and do my job instead of negotiating train schedules and them being obsolete while getting pissed off. Luckily, I’m paid for delivering results, not appearance.”

Pete Curtner wrote: “Commutes are a waste of time, effort, and energy. RTO is counter-productive and archaic.”

Paul Chernoff wrote: “We went completely remote in March 2020. We had the basics in place, though we had to replace the VPN three months later after moving into a new office, but it wasn’t that difficult. We are now two days a week in the office, but some staff still work from home 98% of the time. I see benefits to seeing my co-workers face-to-face, as they are more likely to ask me questions if they see me. Our CEO is pushing for more face-to-face but accepted back in 2020 that we would never be a 100% in-office company. Our union is resisting any more required time in the office.”

Joel Housman wrote: “We’ve been 100% remote since March 13, 2020. We do have some staff that come into the office to collect the mail, etc. We do have plans to start using the office more in the coming months, on a person-by-person basis, as their job requirements warrant their doing so. Though, pre-COVID, we had 60+ people in our office, and during the past four years, as natural attrition has occurred and we’ve rehired for those roles, many of those positions aren’t local anymore. We only have ~35 “local” people anymore. Everyone is spread out around the country.”

Tanya Pfeffer wrote: “We were remote pre-pandemic. We have offices, but employees are not required (overall) to come in. Obviously, some teams need to be in the office.”

Adrian Stancescu wrote: “Hybrid requirements are honestly quite small at one day per week.”

Rebecca Latimer wrote: “100% remote, and I wouldn’t have it any other way. I live in a beautiful small town near my family, and remote work makes that possible. A return-to-office mandate would mean that I would have to quit my job.”

Tony Williams wrote: “It is a little too cut and dried; the enterprise needs to be more open to variation from the one hybrid model.”

Bart Reardon wrote: “In our org, people can be 100% remote or 100% in the office or anywhere in between. I’m three days in, two days remote because I like to do that. Plenty of people I know are 100% remote and work better that way. I’m very happy that it’s an option.”

Jason Broccardo wrote: “The company has always been remote friendly, but staff, especially in IT, have been encouraged to be in an office if we have an office in their home city.”

Chris Carr wrote: “We had already chosen to be an in-office company before COVID, but we have embraced a hybrid workweek (3 in-office, 2 at-home), and folks can take remote work ‘leaves’ of up to 30-45 days.”
