Your Apple Fleet, Automated from Unboxing

Jamf Pro is enterprise-grade with advanced scripting, custom profiles, detailed reporting, and deep integrations—most powerful but requires admin expertise. Jamf School is simplified for primary and secondary schools with classroom tools and lower pricing. Mosyle is Apple-only, popular in NZ education for pricing and teacher features. JumpCloud combines device management with identity (SSO, MFA, directory) in one platform—excellent for unified Mac/Windows/Linux management. Microsoft Intune works if you're licensed for M365 and need cross-platform management. We evaluate your environment, team capability, and budget to recommend the right platform—then configure it properly.

New organizations with brand-new devices can be operational in 2-3 weeks: Apple Business Manager setup, MDM configuration, policy design, testing, and go-live. Organizations migrating existing devices typically take 4-8 weeks depending on device count and complexity. We design phased migrations: IT team devices first (to catch issues), then departments one at a time. Most users experience zero downtime—they just approve a new MDM profile and continue working. Shared devices (iPads, Apple TVs, lab Macs) may require factory resets for proper enrollment. We provide a detailed timeline after your discovery session.

Yes. Apple supports two enrolment types: Device Enrolment (for organisation-owned devices with full management) and User Enrolment (for BYOD with privacy protections). Device Enrolment gives you full control—enforce encryption, deploy apps, wipe the device if needed. User Enrolment creates a separate managed partition for work data/apps but can't access personal data, photos, or messages. Most organisations use Device Enrolment for organisation-owned Macs and iPads, and User Enrolment for personal iPhones accessing work email. We design policies that match your security requirements whilst respecting staff privacy for BYOD scenarios.

Yes. MDM uses Apple Push Notification Service (APNs) to communicate with devices, but devices cache configurations locally. If your MDM server is offline, users can still log in, use apps, and work normally. They just won't receive new policies or app deployments until connectivity is restored. Cloud-hosted MDM platforms (Jamf Cloud, Mosyle, JumpCloud, Intune) have 99.9%+ uptime SLAs, so outages are rare. For on-premise Jamf Pro deployments, we design high-availability architectures with failover if uptime is critical. The bigger risk is losing your APNs certificate (expires annually)—we configure automated renewal monitoring to prevent this.

When FileVault encryption is enabled via MDM, the recovery key is automatically generated and escrowed (uploaded) to your MDM platform without the user seeing it. Keys are encrypted in transit and at rest. Only designated MDM administrators can retrieve keys—typically via the admin console or API. This prevents users from losing keys (they never see them) and ensures IT can recover data if a user forgets their password or the device fails. We configure role-based access controls so only authorized admins can view keys, and all key retrievals are logged for audit compliance. This is required for most security frameworks (ISO 27001, SOC 2, Essential Eight).

Yes, with proper configuration. Modern MDM platforms support scheduled update policies: install updates overnight, require updates within X days of release, or allow users to defer updates for a grace period. For macOS, we typically configure: critical security patches auto-install within 72 hours, minor updates notify users with a 7-day deferral option, and major OS upgrades (e.g., macOS 14 to 15) require user consent unless devices are unattended (labs, shared devices). For iOS/iPadOS, updates can be forced during off-hours or blocked until your team validates app compatibility. We design update policies that balance security (patches deployed quickly) with user productivity (no surprise reboots during presentations).

Investment depends on platform choice and deployment complexity. Platform licensing typically ranges from $2-12/device or user per month depending on features needed. The real value is what you gain: eliminate manual device setup (saving hours per device), enforce encryption and compliance automatically (reducing security incidents), enable self-service app deployment (reducing helpdesk tickets), and get complete fleet visibility without spreadsheets. Most organisations see ROI within 6-12 months through reduced admin overhead and faster device provisioning. We provide fixed-price quotes after discovery based on your specific requirements—no surprises. All prices exclude GST.

MDM works alongside your identity system—it doesn't replace it. Jamf Pro integrates with JumpCloud, Okta, Entra ID, or Google Workspace for user-based app deployment and SSO. With Jamf Connect, users log into their Mac using their cloud identity password (JumpCloud, Okta) instead of a separate local password. Intune has native Entra ID integration for conditional access—only compliant, enrolled devices can authenticate. If you're still on Active Directory, Jamf can bind Macs to AD, but we typically recommend cloud identity for better remote work support and security. We design the integration to match your existing identity architecture—whether that's cloud-native, hybrid, or legacy AD.

Absolutely. We build and sign custom installers as part of most MDM deployments—we're registered Apple Developers, so we can properly code-sign packages for Gatekeeper compliance. MDM platforms support deploying .pkg installers, .dmg disk images, scripts (bash, Python, zsh), and custom configuration profiles. Common use cases: internal tools, VPN clients, print drivers, browser extensions, security agents, monitoring tools, and automated configuration scripts. For App Store apps, you use VPP (Volume Purchase Programme). For your internal apps, we create signed packages that deploy via MDM to device groups or users. Scripts can run on-demand, at check-in intervals, or triggered by events (e.g., certificate renewal when device joins your Wi-Fi). Custom deployment automation is part of our standard MDM implementations—not an add-on.

Both—you choose what fits your team. Some clients want us to manage everything ongoing: user provisioning, app deployment, policy updates, compliance monitoring, and incident response. Managed service retainers start at $1,500/month and scale with fleet size and complexity. Other clients prefer to run MDM in-house after launch—we provide full documentation, runbooks, admin training, and on-call support for when you need it. Many clients start with managed service for the first 3-6 months whilst their team learns the platform, then transition to self-operation with our support for complex changes. Either model works—we design handover based on your team's capability and capacity, not what makes us the most money.