Manage Your Chromebooks and MacBooks

Manage Your Chromebooks and MacBooks

Financial constraints, strategy, and your user base dictate the need for Chromebooks and MacBooks – now you have to manage them in your environment.

Analyst Perspective

Managing MacBooks and Chromebooks is similar to managing Windows devices in many ways and different in others. The tools have many common features, yet they struggle to achieve the same goals.

Until recently, Windows devices dominated the workplace globally. Computing devices were also rare in many industries such as education. Administrators and administrative staff may have used Windows-based devices, but Chromebooks were not yet in use. Most universities and colleges were Windows-based in offices with some flavor of Unix in other areas, and Apple devices were gaining some popularity in certain circles.

That is a stark contrast compared to today, where Chromebooks dominate the classrooms and MacBooks and Chromebooks are making significant inroads into the enterprise environment. MacBooks are also a common sight on many university campuses. There is no doubt that while Windows may still be the dominant player, it is far from the only one in town.

Now that Chromebooks and MacBooks are a notable, if not significant, part of the education and enterprise environments, they must be afforded the same considerations as Windows devices in those environments when it comes to management. The good news is that there is no lack of available solutions for managing these devices, and the endpoint management landscape is continually evolving and improving.

P.J. Ryan
Research Director, Infrastructure & Operations
Info-Tech Research Group

Executive Summary

Your Challenge

• You modernized your end-user computing strategy and now have Windows 10 devices as well as MacBooks.
• Virtual desktop infrastructure (VDI) and desktop as a service (DaaS) are becoming popular. Chromebooks would be ideal as a low-cost interface into DaaS for your employees.
• You are responsible for the management of all the new Chromebooks in your educational district.
• Windows is no longer the only option. MacBooks and Chromebooks are justified, but now you have to manage them.

Common Obstacles

• Endpoint management solutions typically do a great job at managing one category of devices, like Windows or MacBooks, but they struggle to fully manage alternative endpoints.
• Multiple solutions to manage multiple devices will result in multiple dashboards. A single view would be better.
• One solution may not fit all, but multiple solutions is not desirable either, especially if you have Windows devices, MacBooks, and Chromebooks.

Info-Tech's Approach

• Use the tools at your disposal first – don't needlessly spend money if you don't have to. Many solutions can already manage other types of devices to some degree.
• Use the integration capabilities of endpoint management tools. Many of them can integrate with each other to give you a single interface to manage multiple types of devices while taking advantage of additional functionality.
• Don't purchase capabilities you will never use. Using 80% of a less expensive tool is economically smarter than using 10% of a more expensive tool.

Info-Tech Insight

Managing end-user devices may be accomplished with a variety of solutions, but many of those solutions advocate integration with a Microsoft-friendly solution to take advantage of features such as conditional access, security functionality, and data governance.

Insight Summary

Insight 1

Google Admin Console is necessary to manage Chromebooks, but it can be paired with other tools. Implementation partnerships provide solutions to track the device lifecycle, track the repair lifecycle, sync with Google Admin Console as well as PowerSchool to provide a more complete picture of the user and device, and facilitate reminders to return the device, pay fees if necessary, pick up a device when a repair is complete, and more.

Insight 2

The Google Admin Console allows admins to follow an organizational unit (OU) structure very similar to what they may have used in Microsoft's Active Directory environment. This familiarity makes the task of administering Chromebooks easier for admins.

Insight 3

Chromebook management goes beyond securing and manipulating the device. Controls to protect the students while online, such as Safe Search and Safe Browsing, should also be implemented.

Insight 4

Most companies choose to use a dedicated MacBook management tool. Many unified endpoint management (UEM) tools can manage MacBooks to some extent, but admins tend to agree that a MacBook-focused endpoint management tool is best for MacBooks while a Windows-based endpoint management tool is best for Windows devices.

Insight 5

Some MacBook management solutions advocate integration with Windows UEM solutions to take advantage of Microsoft features such as conditional access, security functionality, and data governance. This approach can also be applied to Chromebooks.

Chromebooks

Chromebooks had a respectable share of the education market before 2020, but the COVID-19 pandemic turbocharged the penetration of Chromebooks in the education industry.

Chromebooks are also catching the attention of some decision makers in the enterprise environment.

"In 2018, Chromebooks represented an incredible 60 percent of all laptop or tablet devices in K-12 -- up from zero percent when the first Chromebook launched during the summer break in 2011."
– "Will Chromebooks Rule the Enterprise?" Computerworld

"Chromebooks were the best performing PC products in Q3 2020, with shipment volume increasing to a record-high 9.4 million units, up a whopping 122% year-on-year."
– Android Police

"Until the pandemic, Chrome OS' success was largely limited to U.S. schools. Demand in 2020 appears to have expanded beyond that small but critical part of the U.S. PC market."
– Geekwire

"In addition to running a huge number of Chrome Extensions and Apps at once, Chromebooks also run Android, Linux and Windows apps."
– "Will Chromebooks Rule the Enterprise?" Computerworld

Managing Chromebooks

Start with the Google Admin Console (GAC)

GAC is necessary to initially manage Chrome OS devices.

GAC gives you a centralized console that will allow you to:

• Create organizational units
• Add your Chromebook devices
• Add users
• Assign users to devices
• Create groups
• Create and assign policies
• Plus more

GAC can facilitate device management with features such as:

• Control admin permissions
• Encryption and update settings
• App deployment, screen timeout settings
• Perform a device wipe if required
• Audit user activity on a device
• Plus more

Device and user addition, group and organizational unit creation and administration, applying policies to devices and users – does all this remind you of your Active Directory environment?

GAC lets you administer users and devices with a similar approach.

Managing Chromebooks

Use Active Directory to manage Chromebooks.

• Enable Active Directory (AD) management from within GAC and you will be able to integrate your Chromebook devices with your AD environment.
• Devices will be visible in both the GAC and AD environment.
• Use Windows Group Policy to manage devices and to push policies to users and devices.
• Users can use their AD username and password to sign into Chromebook devices.
• GAC can still be used for devices that are not synced with AD.

Chromebooks can also be managed through these approved partners:

• Cisco Meraki
• Citrix XenMobile
• IBM MaaS360
• ManageEngine Mobile Device Manager Plus
• VMware Workspace ONE

Source: Google

You must be running the Chrome Enterprise Upgrade and have any licenses required by the approved partner to take advantage of this management option. The partner admin policies supersede GAC.

If you stop using the approved partner admin console to manage your devices, the polices and settings in GAC will immediately take over the devices.

Microsoft still has the market share when it comes to device sales, and many administrators are already familiar with Microsoft's Active Directory. Google took advantage of that familiarity when it designed the Google Admin Console structure for users, groups, and organizational units.

Chromebook Deployment

Chromebook deployment becomes a challenge when device quantities grow. The enrollment process can be time consuming, and every device must be enrolled before it can be used by an employee or a student. Many admins enlist their full IT teams to assist in the short term. Some vendor partners may assist with distribution options if staffing levels permit. Recent developments from Google have opened additional options for device enrollment beyond the manual enrollment approach.

Enrolling Chromebooks comes down to one of two approaches:

1. Manually enrolling one device at a time
   • Users can assist by entering some identifying details during the enrollment if permitted.
   • Some third-party solutions exist, such as USB drives to reduce repetitive keystrokes or hubs to facilitate manually enrolling multiple Chromebooks simultaneously.
2. Google's Chrome Enterprise Upgrade or the Chrome Education Upgrade
   • This allows you to let your users enroll devices after they accept the end-user license agreement.
   • You can take advantage of Google's vendor partner program and use a zero-touch deployment method where the Chromebook devices automatically receive the assigned policies, apps, and settings as soon as the device is powered on and an authorized user signs in.
   • The Enterprise Upgrade and the Education Upgrade do come with an annual cost per device, which is currently less than US$50.
   • The Enterprise and Education Upgrades come with other features as well, such as enhanced security.

Chromebooks are automatically assigned to the top-level organizational unit (OU) when enrolled. Devices can be manually moved to another OU, but admins can also create enrollment policies to place newly enrolled devices in a specific OU or have the device locate itself in the same OU as the user.

Chromebooks in Education

GAC is also used with Education-licensed devices

Most of the settings and features previously mentioned are also available for Education-licensed devices and users. Enterprise-specific features will not be available to Education licenses. (Active Directory integration with Education licenses, for example, is accomplished using a different approach)

• Groups, policies, administrative controls, app deployment and management, adding devices and users, creating organizational units, and more features are all available to Education Admins to use.

Education device policies and settings tend to focus more on protecting the students with controls such as:

• Disable incognito mode
• Disable location tracking
• Disable external storage devices
• Browser based protections such as Safe Search or Safe Browsing
• URL blocking
• Video input disable for websites
• App installation prevention, auto re-install, and app blocking
• Forced re-enrollment to your domain after a device is wiped
• Disable Guest Mode
• Restrict who can sign in
• Audit user activity on a device

When a student takes home a Chromebook assigned to them, that Chromebook may be the only computer in the household. Administrative polices and settings must take into account the fact that the device may have multiple users accessing many different sites and applications when the device is outside of the school environment.

Chromebook Management Extended

An online search for Chromebook management solutions will reveal several software solutions that augment the capabilities of the Google Admin Console. Many of these solutions are focused on the education sector and classroom and student options, although the features would be beneficial to enterprises and educational organizations alike.

These solutions assist or augment Chromebook management with features such as:

• Ability to sync with Google Admin Console
• Ability to sync with student information systems, such as PowerSchool
• Financial management, purchase details, and chargeback
• Asset lifecycle management
• 1:1 Chromebook distribution management
• Repair programs and repair process management
• Check-out/loan program management
• Device distribution/allocation management, including barcode reader integration
• Simple learning material distribution to the classroom for teachers
• Facilitate GAC bulk operations
• Manage inventory of non-IT assets such as projectors, TVs, and other educational assets
• Plus more

"There are many components to managing Chromebooks. Schools need to know which student has which device, which school has which device, and costs relating to repairs. Chromebook Management Software … facilitates these processes."
– VIZOR

MacBooks

• MacBooks are gaining popularity in the Enterprise world.
• Some admins claim MacBooks are less expensive in the long run over Windows-based PCs.
• Users claim less issues when using a MacBook, and overall, companies report increased retention rates when users are using MacBooks.

"Macs now make up 23% of endpoints in enterprises."
– ComputerWeekly.com

"When given the choice, no less than 72% of employees choose Macs over PCs."
– "5 Reasons Mac is a must," Jamf

"IBM says it is 3X more expensive to manage PCs than Macs."
– Computerworld

"74% of those who previously used a PC for work experienced fewer issues now that they use a Mac"
– "Global Survey: Mac in the Enterprise," Jamf

"When enterprise moves to Mac, staff retention rates improve by 20%. That's quite a boost! "
– "5 Reasons Mac is a must," Jamf

Managing MacBooks

Can your existing UEM keep up?

Many Windows unified endpoint management (UEM) tools can manage MacBooks, but most companies choose to use a dedicated MacBook management tool.

• UEM tools that are primarily Windows focused do not typically go deep enough into the management capabilities of non-Windows devices.
• Admins have noted limitations when it comes to using Windows UEM tools, and reasons they prefer a dedicated MacBook management solution include:
  • Easier to use
• Faster response times when deploying settings and policies
• Better control over notification settings and lock screen settings.
• Easier Apple Business Manager (ABM) integration and provisioning.
• Note that not every UEM will have the same limitations or advantages. Functionality is different between vendor products.

Info-Tech Insight

Most Windows UEM tools are constantly improving, and it is only a matter of time before they rival many of the dedicated MacBook management tools out there.

Admins tend to agree that a Windows UEM is best for Windows while an Apple-based UEM is best for Apple devices.

Managing MacBooks

The market for "MacBook-first" management solutions includes a variety of players of varying ages such as:

• Jamf
• Kandji
• Mosyle
• SimpleMDM
• Others

MacBook-focused management tools can provide features such as:

• Encryption and update settings
• App deployment and lifecycle management
• Remote device wipe, scan, shutdown, restart, and lock
• Zero touch deployment and support
• Location tracking
• Browser content filtering
• Enable, hide/block, or disable built-in features
• Configure Wi-Fi, VPN, and certificate-based settings
• Centralized dashboard with device and app listings as well as individual details
• Data restrictions
• Plus more

Unified endpoint management (UEM) solutions that can provide MacBook management to some degree include (but are not limited to):

• Intune
• Ivanti
• Endpoint Central
• WorkspaceOne

Dedicated solutions advocate integration with UEM solutions to take advantage of conditional access, security functionality, and data governance features.

Jamf and Microsoft entered into a collaboration several years ago with the intention of making the MacBook management process easier and more secure.

Microsoft Intune and Jamf Pro: Better together to manage and secure Macs
Microsoft Conditional Access with Jamf Pro ensures that company data is only accessed by trusted users, on trusted devices, using trusted apps. Jamf extends this Enterprise Mobile + Security (EMS) functionality to Mac, iPhone and iPad.
– "Microsoft Intune and Jamf Pro," Jamf

Endpoint Management Selection Tool
Activity

There are many solutions available to manage end-user devices, and they come with a long list of options and features. Clarify your needs and define your requirements before you purchase another endpoint management tool. Don't purchase capabilities that you may never use.

Use the Endpoint Management Selection Tool to identify your desired endpoint solution features and compare vendor solution functionality based on your desired features.

1. List out the desired features you want in an endpoint solution for your devices and record those features in the first column. Use the features provided, or add your own and edit or delete the existing ones if necessary.
2. List your selected endpoint management solution vendors in each of the columns in place of "Vendor 1," "Vendor 2," etc.
3. Fill out the spreadsheet by changing the corresponding desired feature cell under each vendor to a "yes" or "no" based on your findings while investigating each vendor solution.
4. When you have finished your investigation, review your spreadsheet to compare the various offerings and pros and cons of each vendor.
5. Select your endpoint management solution.

Related Info-Tech Research

Modernize and Transform Your End-User Computing Strategy
This project helps support the workforce of the future by answering the following questions: What types of computing devices, provisioning models, and operating systems should be offered to end users? How will IT support devices? What are the policies and governance surrounding how devices are used? What actions are we taking and when? How do end-user devices support larger corporate priorities and strategies?

Best Unified Endpoint Management (UEM) Software 2022 | SoftwareReviews
Compare and evaluate unified endpoint management vendors using the most in-depth and unbiased buyer reports available. Download free comprehensive 40+ page reports to select the best unified endpoint management software for your organization.

Best Enterprise Mobile Management (EMM) Software 2022 | (softwarereviews.com)
Compare and evaluate enterprise mobile management vendors using the most in-depth and unbiased buyer reports available. Download free comprehensive 40+ page reports to select the best enterprise mobile management software for your organization.

Bibliography

Bridge, Tom. "Macs in the enterprise – what you need to know". Computerweekly.com, TechTarget. 27 May 2022. Accessed 12 Aug. 2022.
Copley-Woods, Haddayr. "5 reasons Mac is a must in the enterprise". Jamf.com, Jamf. 28 June 2022. Accessed 16 Aug. 2022.
Duke, Kent. "Chromebook sales skyrocketed in Q3 2020 with online education fueling demand." androidpolice.com, Android Police. 16 Nov 2020. Accessed 10 Aug. 2022.
Elgin, Mike. "Will Chromebooks Rule the Enterprise? (5 Reasons They May)". Computerworld.com, Computerworld. 30 Aug 2019. Accessed 10 Aug. 2022.
Evans, Jonny. "IBM says it is 3X more expensive to manage PCs than Macs". Computerworld.com, Computerworld. 19 Oct 2016. Accessed 23 Aug. 2022.
"Global Survey: Mac in the Enterprise". Jamf.com, Jamf. Accessed 16 Aug. 2022.
"How to Manage Chromebooks Like a Pro." Vizor.cloud, VIZOR. Accessed 10 Aug. 2022.
"Manage Chrome OS Devices with EMM Console". support.google.com, Google. Accessed 16 Aug. 2022.
Protalinski, Emil. "Chromebooks outsold Macs worldwide in 2020, cutting into Windows market share". Geekwire.com, Geekwire. 16 Feb 2021. Accessed 22 Aug. 2022.
Smith, Sean. "Microsoft Intune and Jamf Pro: Better together to manage and secure Macs". Jamf.com, Jamf. 20 April 2022. Accessed 16 Aug. 2022.