Apple Management Glossary
Whether you’re a seasoned Apple Deployment master or a brand new one, you might run into many terms and expressions that are unclear. We are ourselves constantly discovering new terms, acronyms and abbreviations, so we’ve tried to accumulate a list.
They include terms from Deployment, general business lingo and general IT terms that are often used in conjunction with Apple's technologies.
A
Account-Driven User Enrollment
A lightweight enrollment intended for personally owned devices in an organisation's management system. It requires that the organisation is using Apple Business Manager and Managed Apple IDs, as these are needed for the enrollment. After enrollment a separate encrypted volume is created and used for storing all managed settings and data, keeping personal and organisation data separated. The possible management options are also somewhat limited compared to organisation-owned devices.
Active Directory
Windows Active Directory is a directory service that provides centralized management of network resources. It allows administrators to manage user accounts, computer accounts, and other network resources from a single, centralized location. Active Directory is commonly used in IT environments, and for many years the preferred method of integrating Mac computers was to BIND them to the domain, as with Windows computers. This is no longer considered best practice. It is better to create a local user account and use the Kerberos SSO Extension to gain the required functionality on macOS.
Apple Business Manager
A web-based portal that allows organizations to manage and deploy Apple devices, applications, and content across their entire organization. It provides a simple, streamlined way to enroll devices, purchase and distribute apps and books, and manage accounts and devices. It works in combination with an MDM system to provide Automated Device Enrollment.
Apple Push Notification service (APNs)
A worldwide service provided by Apple that delivers push notifications to Apple devices.
Apple School Manager
Apple School Manager is a web-based portal that allows educational institutions to manage their Apple devices and content. It provides a central location for managing device enrollment, creating and managing Apple IDs, and purchasing and distributing apps and books. It can create classes with attached students and instructors. It works in combination with an MDM system to provide Automated Device Enrollment.
B
Bootstrap Token
An MDM-based feature that is used to help with granting a secure token to both mobile accounts and to the optional device enrolment–created administrator account (“managed administrator”). In macOS 11 or later, the bootstrap token can grant a secure token to any user logging in to a Mac computer, including local user accounts. With new macOS releases, additional capabilities have been added to the Bootstrap Token allowing the MDM to perform tasks like managing software updates, ownership and Local Policies.
BYOD
BYOD stands for "Bring Your Own Device," which refers to the practice of employees using their personal devices (such as smartphones, tablets, or laptops) for work purposes. This can be advantageous for both employees and employers, as it allows for greater flexibility and convenience, but it can also present security and management challenges. Apple has created an enrollment type for this specific situation called Account-driven User Enrollment.
C
CIS Benchmarks
CIS (Center for Internet Security) benchmarks are a set of best practices for securing various types of systems and applications. The benchmarks cover a wide range of topics, including operating systems, web browsers, databases, and network devices. They provide specific guidance on how to configure these systems to reduce the risk of cyber attacks and other security incidents.
D
DFS (Distributed File System)
Distributed File System on Windows is a feature that allows multiple servers to share a single namespace and file/folder structure. This makes it easier to manage files across multiple servers and allows users to access files from any server in the namespace. It typically does not work with the Kerberos SSO extension, and is still one of the only reasons to BIND your macOS computers instead of using Kerberos SSO.
E
Endpoint
Simply another name for device. In Apple Deployment, an iPhone, iPad, Mac or Apple TV.
F
FileVault
The full-volume encryption system on macOS. On a normal client it can be activated by a user that’s been granted a Secure Token. In a Deployment scenario, the client typically escrows a Bootstrap Token with the MDM upon enrollment, so the MDM can manage the FileVault settings, including the Personal Recovery Key.
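As an added example (not part of this glossary) tying the Bootstrap Token and FileVault entries together, this read-only script checks the three states an administrator usually wants to confirm on a managed Mac: FileVault is on, the Bootstrap Token is escrowed to the MDM, and the user holds a Secure Token. The output formats of fdesetup, profiles and sysadminctl are assumed from macOS 11 and later; when the script is not run on macOS it evaluates constructed sample output instead.

```shell
#!/bin/sh
# Added example: read-only compliance check for FileVault / Bootstrap Token /
# Secure Token state. Command output formats are assumed (macOS 11+).

# evaluate_state FDESETUP_OUT PROFILES_OUT SYSADMINCTL_OUT
# Prints one PASS/FAIL line per check; returns 0 only when all three pass.
evaluate_state() {
  fde="$1"; bst="$2"; tok="$3"
  rc=0
  case "$fde" in
    *"FileVault is On"*) echo "PASS FileVault is enabled" ;;
    *) echo "FAIL FileVault is not enabled"; rc=1 ;;
  esac
  # Escrow matters: without it the MDM cannot manage FileVault or grant tokens.
  case "$bst" in
    *"escrowed to server: YES"*) echo "PASS Bootstrap Token escrowed to MDM" ;;
    *) echo "FAIL Bootstrap Token not escrowed to MDM"; rc=1 ;;
  esac
  case "$tok" in
    *"Secure token is ENABLED"*) echo "PASS user holds a Secure Token" ;;
    *) echo "FAIL user does not hold a Secure Token"; rc=1 ;;
  esac
  return $rc
}

if [ "$(uname)" = "Darwin" ]; then
  # Live check on a Mac; user defaults to the one running the script.
  user="${1:-$(id -un)}"
  evaluate_state "$(fdesetup status 2>&1)" \
                 "$(profiles status -type bootstraptoken 2>&1)" \
                 "$(sysadminctl -secureTokenStatus "$user" 2>&1)"
else
  # Constructed sample output (not captured from a real Mac) so the script
  # runs anywhere and shows the expected shape of a compliant device.
  evaluate_state "FileVault is On." \
"profiles: Bootstrap Token supported on server: YES
profiles: Bootstrap Token escrowed to server: YES" \
"sysadminctl[812:9001] Secure token is ENABLED for user admin"
fi
```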
K
Kerberos SSO
Apple's first-party SSO Extension to use with Windows Active Directory. If an organisation is using AD as the Directory Service, the Kerberos SSO will allow users to get a Kerberos ticket they can use to authenticate to internal services like file shares, printers and internal websites without having to type their username and password every time. It can also warn users of expiring passwords and keep the AD password and local user password synchronised.