Apple device management

DTS seeks to provide the best technological environment to support LSE in its learning, teaching, research, and administration. As a part of that we need to ensure that we are providing a safe network and secure devices for people to use, protecting the integrity and confidentiality of our systems and data, helping contribute to a vibrant teaching and research environment and meeting enhanced security requirements many of our data suppliers and course commissioners expect us to meet at minimum. An important element in getting the balance of these goals is securing our devices from attack, with Higher Education being one of the primary targets for cyber-attacks from both nation states and criminal gangs. A key part of this involves making sure we can maintain and update all LSE-owned devices that access our systems and services, so we can ensure operating systems are up to date, applications patched and critical vulnerabilities that attackers can exploit on- or off-campus are removed. This work is known as device management (or sometimes mobile device management or MDM), and DTS are in the process of extending this process initially to all Apple devices, and then later to Windows devices owned by the School. 

The existing solution for Apple devices has reached its end of life and is no longer fit for purpose – existing Apple devices are not able to receive updates to various applications and operating systems resulting in users missing out on the latest functionality, security updates and vulnerability patches.  

The key deadline we have is that our old management software is in extended support to Oct 2024. If we've made good progress with migration, we hope the supplier will extend this support further, but functionality will continue to degrade and impact users over time. Realistically, we'll need to be fully migrated by the start of academic year 2024/25. 

The new cloud-based management system (dataJAR.mobi) is the current version of our previous management solution (JAMF Pro). Unfortunately, due to restrictions imposed by Apple, the management system does not allow a straightforward migration, this means the devices need to be rebuilt from scratch when they are migrated. 

The new management solution will provide the same capabilities including the retention of admin rights post-migration.  

• For people who have admin access on their existing Macs or who will need it on new Macs to carry out their roles, admin access will continue to be granted when requested. (The security standards that we need to apply limit use of admin rights to when they are essential. Even with local admin rights certain actions, such as changing some security settings, will be restricted. As we roll out other security related technologies how these additional access rights are granted will change.)
• The LSE Store provides a comprehensive range of existing applications via the DataJAR.mobi self-service portal. We add to it on a daily basis, as we continue to engage with people to ascertain the applications they require. Please see our current list of applications 

It also provides these benefits: 

• Compatibility with the latest macOS, ensuring optimal performance and functionality. 
• Applications will be updated to the latest versions within 7 days to ensure changes to the latest functionality after some initial testing – please note on occasion we will retain a specific version of software if required for teaching purposes, or to retain OS compatibility. 
• Applications will be patched with the latest security patches automatically and where vulnerabilities are identified will be securely updated as soon as possible.  
• New applications that are requested by users will usually be available within 24 hours. Further information on requesting new applications 

However, there are also some changes; one side effect of registering computers in the management system is that the standard Apple store can no longer be used, and the software you need is delivered via an LSE App Store (dataJAR.mobi portal). As outlined above we've already packaged most of the software you should need and will continue to add to this catalogue. We have already provisioned nearly 200 applications in dataJAR.mobi self-service portal since deployment with more being added every day. Over the last month we had over 7500 installs from self-service. 

DTS monitor for cyber threats, vulnerabilities and performance/errors that may indicate there's an issue we need to investigate. This is mainly automated, and alert based - e.g. traffic is going to a known cyber attacker’s IP address, DTS scan for instances for known vulnerabilities in software, or we pick up alerts that a component is failing. 

Trend Micro Apex One, currently being rolled out to Mac and Windows desktops and laptops, monitors for malicious code and malicious behaviour (by malicious behaviour we mean the signs that an attacker has taken over the laptop and is using it to deploy malicious code or move laterally through our network, not the signs of ordinary computer use). It’s an antimalware package used by many organisations that is designed to protect users, their data, and the machine itself.  This replaces our previous solutions from other vendors, that performed similar tasks. 

A small number of devices across our network are also running a pilot project using the Microsoft Defender Vulnerability Management application as a part of LSE’s CyberEssentials Plus certification. 

We don’t monitor staff use of computers outside the automated detection of, and alerting to, malicious activity. We’re not monitoring what programs are running at any point, what data is being used, what's being done on a machine. DTS can see a list of applications that are installed on the device – ensuring that any potentially malicious, vulnerable, or non-compliant software can be removed in conjunction with the user of the device. Once again, user activity is not monitored or logged through the application list. 

For further details, refer to our Monitoring and Logging policy: https://info.lse.ac.uk/staff/services/Policies-and-procedures/Assets/Documents/internal/staffAndStudents/monLogPol.pdf

The proposed approach DTS will take to upgrade both the Apple management software and replace out of support hardware is: 

• We're moving to a department-based approach, starting with Department of Finance as our initial proof of concept, for our academic colleagues. Similarly, we are working with several of the divisions with specialised requirements. We will plan the schedule with you. 

• Our target is to have covered 75% of all Macs by May 2024. We expect to be working through the remaining excepted devices into the summer. 

Our aim is to ensure we have the right support in place so that: 

• All devices are properly backed-up before they are migrated, including bookmarks and passwords. 

• Software that is needed is available for install upon migration. 

• Users who need additional permissions to do their work have this available to them. 

• DTS staff are available in-situ to ensure migrations have been completed successfully. 

LSE iMacs at home (off campus) - We are currently working on a plan on how to safely migrate iMacs currently off campus i.e. at home offices. Once the plan has been finalised DTS will work with individuals via their departments to agree individual migrations.

Devices that are unable to be migrated - Some of the Apple devices in use within the LSE environment are no longer able to run a currently supported version of OSX (Monterrey 12, Ventura 13 or Sonoma 14) which means that they do not meet the required minimum-security standards. Any devices not meeting the minimum standards cannot be migrated and will need to be replaced (if still required) and paid for locally. Unsupported devices will need to be returned to DTS to be safely disposed of through a 3rd party that wipes the data off them. We currently don't have the capacity to clean and sell machines to staff members. DTS has a list of all devices which are not compliant and is currently working with departmental managers, centre manages, and professional service leads to identify at a local level which devices need to be retired or replaced.

DTS will keep running drop-in sessions for those MacBook users who would like to just pop in at their convenience but will otherwise tackle the rest of these alongside the desktops that we will plan with individual departments. The aim is to both improve the migration experience, and work to a schedule that accommodates individual’s diary commitments.

By starting with Department of Finance we will be able to properly plan out both staffing levels, and time needed to complete the migration. This will also allow us to identify specific concerns/issues that are raised.  

Migration for laptop devices (MacBooks) is done via a drop-in clinic: 

• Dates: every Monday - Friday 
• Time: 9:30am – 4pm 
• Location: Room 5.01P, 5th floor, LRB (Lionel Robbins Building) 
• Morning drop-off appointments: Please book a 10-minute drop-off slot via the booking form and select (Macbook Drop Off for dataJAR Migration). 

Please note that an appointment is required in order to drop off your device. Without a scheduled appointment, we will not be able to process your device for migration.

Migration for iMac/Mini/Studio:

To migrate your non-portable device please book an appointment with the migration team using this booking form and select (iMac dataJAR Migration)

Our commitment of how we are going to support you: 

• DTS support staff will be available prior to visiting the clinic for migration or we will meet with you in your department as we migrate you in consultation with your departmental manager or nominated divisional contact, as part of a department / division migration. 

• Migration will not take place without consultation and confirmation that all data has been backed up safely. 

• We have assigned a dedicated team to provide continuous assistance throughout the migration process via dts.apple.mdm@lse.ac.uk (this is separate from the main DTS Service Desk, who will continue to provide support on other IT related matters in the normal way). 

• Applications (Management and Updates): 

• We will ensure regular updates for applications (accessible within 7 days of release). 

• We will facilitate prompt adoption of new macOS versions (available within 14 days of release). 

• Where new devices are required, improvements in the process of ordering these include a streamlined approach, offering a purchasing link with real-time stock availability.

Applications: 

• Check all the Applications you require are already available in the DataJAR.mobi portal 

• Compile a list of any additional applications installed on your device that you will require, along with their corresponding license keys (if applicable) DTS can help you with this if required. If an app you have is not already available, please let us know and add it to DataJAR.mobi self-service. – We have already nearly 200 applications in dataJAR.mobi self-service with more being added every day. If you require assistance with the audit, kindly inform us via emailing dts.apple.mdm@lse.ac.uk. 

Back up: 

• Ensure files and folders are backed up by migrating them to OneDrive. It is crucial to complete backups just before migration, as any changes made between backup and migration won't be available. 

• Perform a Time Machine backup (if applicable). Please note that we cannot restore full Time Machine system backups to a newly migrated devices – they can only be used to recover files or folders you may have forgotten to back up to OneDrive. 

• Back up your bookmarks across browsers such as Safari, Chrome, Firefox, and Edge (if these aren’t already set to synchronise).  

• Back up OneNote Notebook. 

• Backup your device keychain 

• Passwords – Ensure you have backed up your device passwords and web browser passwords.  

• Full guidance on how to do all of the above is available here: How to back up your Mac before migration 

Emails / Shared Drives 

• Compile a list of current shared mailboxes that you have access to. These will need to be re-added post migration, but all permissions will be retained. 

• Copy email signature(s) 

• Compile a list of shared drives that you have access to as these will need to be re-mapped post migration (e.g. your P: drive). All permissions will be retained. 

 A few final things to consider: 

• Very important: Make sure you know your LSE email and password (aka MS365/Office365 login) as you will need it to login to your device post migration. If you are uncertain about your credentials, you can verify them through the webmail (https://mail.lse.ac.uk/) 

• Peripheral devices like Bluetooth keyboards, mice, and headphones will continue to work, provided they support macOS Ventura or a higher version. If these peripherals require specific software configuration, kindly inform us, and we'll assist in getting them operational. 

• Remote access to your device: If you have an agreement in place to remote access to your device, please do let us know, as this may need to be reconfigured using standardised software and network firewall permissions updated. 

• Make sure your device is fully charged. In most cases we will not require your charger, however if it is not fully charged, then we cannot start the migration until there is sufficient battery power in your laptop to allow for updates. 

• Either visit the drop-in clinic or as we engage with individual departments, book a session with a support technician. 

• DTS staff will confirm with you that all data has been backed up, that you have a full list of everything you need to access post-migration, and you are comfortable to proceed. 

• The device will be completely wiped. 

• The device will be updated to the latest MacOS version compatible with your device, this will usually be Sonoma MacOS 14.2 or higher. 

• We will enrol the device into the new Apple Device Management system (DataJAR.mobi). 

• Reinstate admin rights where requested. 

• Upon completion, you can collect your device and log in using your LSE email credentials. 

• Set up biometric use (Touch ID) to login/unlock device. 

• The initial login will apply all necessary settings – it can take up to 30 minutes for all configuration settings to be applied. During setup you will need to sign-in to both eduroam and the Microsoft Intune Company Portal 

• Assistance is available for users who may need help, whether for standard setup or advanced configurations. 

• If you prefer to complete the configuration of your device, you will be provided with a comprehensive setup guide covering common steps. Click here for the logging into your new mac guide. 

• The entire process typically takes 2 to 4 hours. For example, newer devices may take 30 minutes to 90 minutes, while older devices like Intel Macs may require significantly more time. This is also dependent on your network connection as software and applications are downloaded from Apple, as well as LSE’s local caches of these. 

• The setup process installs some applications by default including Office365 (Outlook, Word, Excel, PowerPoint and Teams) - these will be available from the Launchpad / Finder in the normal way. 

• Other standard applications usually take around 30 minutes to become operational, whereas certain applications, such as MATLAB, may have longer setup times. You may need to restart your Mac for applications to finish installation completely.  

• Configure OneDrive and synchronise/restore data. 

• Restore bookmarks from backup. 

• Restore OneNote notebooks. 

• Retrieve and reinstate password from keychain. 

• Install any applications not available in DataJAR.mobi self-service, and apply licenses as needed. 

• Configure Outlook and reconnect to shared mailboxes. 

• Re-establish links to shared drives. 

• Establish links to the MFDs and any network or individual printers. 

If users require support post migration, they can visit the drop-in clinic where a member of DTS will be able to assist them or if we are migrating a department or division, staff will be on hand to assist. 

User Guides:  

• Mac First Sign In guide (how to set up your new Mac)

• Using DataJAR.mobi self service
  
  

• List of current packaged apps
  

• We have assigned a dedicated team to provide continuous assistance throughout the migration process via dts.apple.mdm@lse.ac.uk. 

• As of January 2024, the team have already migrated users from over 40 academic depts and centres, and 17 professional services divisions. 

• DTS have already enrolled over 660 MacOS devices into DataJAR.mobi. 

• DTS have migrated 45% of MacBooks from the old system to DataJAR.mobi. 

We acknowledge that this project has been a learning process and based on user feedback we have made a number of changes to our migration approach and how we communicate the changes that need to be undertaken. If you feel further improvements could be made, please reach out to us via dts.apple.mdm@lse.ac.uk.