Apple @ Work: How zero-touch enrollment killed the market for stolen corporate devices

11 hours ago


Apple @ Work is exclusively brought to you by Mosyle, the only Apple Unified Platform. Mosyle is the only solution that integrates in a single professional-grade platform all the solutions necessary to seamlessly and automatically deploy, manage, and protect Apple devices at work. Over 45,000 organizations trust Mosyle to make millions of Apple devices work-ready with no effort and at an affordable cost. Request your EXTENDED TRIAL today and understand why Mosyle is everything you need to work with Apple.

There was a time when a stolen iPad or MacBook was a double nightmare for an IT department. You had to worry about the data, but you also knew the physical hardware was gone forever and would have to be replaced. A thief could wipe the device, reinstall the OS, and sell a perfectly good machine on Facebook Marketplace. However, with the maturity of the Apple Business platform and zero-touch enrollment, Apple has mostly destroyed the financial incentive for stealing corporate Macs and iPads.

About Apple @ Work: Bradley Chambers has been an Apple IT admin since 2009. Through his experience deploying and managing firewalls, switches, a mobile device management system, enterprise-grade Wi-Fi, 1000s of Macs, and 1000s of iPads, Bradley will highlight ways in which Apple IT managers deploy Apple devices, build networks to support them, train users, share stories from the trenches of IT management, and ways Apple could improve its products for IT departments.

In the early days of managing technology, physical theft was a highly profitable enterprise. If a smash-and-grab thief took a stack of laptops from a car or an office, they knew exactly how to fence them. As long as they could boot to a recovery drive or use a USB installer, they could format the disk. All traces of the original company would be erased. The device became a blank slate that could easily be sold on FB Marketplace or at a pawn shop.

We relied heavily on firmware passwords to prevent this, but those were cumbersome to manage at scale. If a device was lost, IT had to write off the entire cost of the hardware. The secondary market thrived on these stolen goods because buyers had no way of knowing the device was stolen until it was too late. I managed IT for an organization in 2011 that lost 10+ iPads over a weekend break-in. This was during the days when we were setting up iPads via iTunes (pre-Apple Configurator).

Everything changed with the introduction of Automated Device Enrollment, which was tied directly to Apple Business Manager (now known as Apple Business). When an organization purchases an iPhone, iPad, or Mac from Apple or an authorized enterprise reseller, the device’s serial number is permanently mapped to the company portal at activation.

From the Apple Business console, IT assigns that serial number to their device management platform. This is what creates the magic of zero-touch enrollment. When an employee unboxes a brand-new Mac and connects it to Wi-Fi, the device securely checks in with Apple activation servers, recognizes it belongs to the company, and automatically downloads all management profiles, apps, and security policies.

The theft deterrent

That exact same zero-touch workflow is what makes stealing these devices incredibly frustrating for thieves. Let us say a thief steals a managed MacBook Pro. Their first instinct is to wipe the drive and reinstall macOS.

The moment that a freshly wiped Mac connects to the internet to complete the setup assistant, it pings Apple. The device is immediately hit with a Remote Management screen that demands corporate login credentials. There is no way to skip it. There is no combination of key commands to bypass it. The Mac is hardcoded to belong to your organization at the server level at activation.

Combine this with managed Activation Lock, and the stolen device is effectively bricked. The thief cannot use it, and they certainly cannot sell it to a knowledgeable buyer. The only remaining value is stripping the device down for unserialized spare parts, which drastically reduces the profit margin of the theft.
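
To confirm a given Mac is actually covered by this workflow, an admin can check how it was enrolled. The script below is an added example, not from the original article: it classifies the text printed by macOS's `profiles status -type enrollment`. The state names (`ade`, `mdm-only`, `unmanaged`, `unknown`), the sample outputs, and the `mdm.example.com` URL are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a Mac's enrollment state from the output of
#   profiles status -type enrollment
# Reads that output on stdin and prints one of:
#   ade        enrolled through Automated Device Enrollment ("via DEP")
#   mdm-only   managed, but enrolled manually, with no server-side assignment
#   unmanaged  no MDM enrollment at all
#   unknown    output not recognised
# The body runs in a subshell ( ... ) so its variables stay local.
classify_enrollment() (
  dep="" mdm=""
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      "Enrolled via DEP:"*) dep="${line#*: }" ;;
      "MDM enrollment:"*)   mdm="${line#*: }" ;;
    esac
  done
  case "$dep/$mdm" in
    Yes/Yes*) echo ade ;;
    No/Yes*)  echo mdm-only ;;
    No/No*)   echo unmanaged ;;
    *)        echo unknown ;;
  esac
)

# Constructed sample outputs (not captured from real devices).
SAMPLE_ADE='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)
MDM server: https://mdm.example.com/checkin'
SAMPLE_MANUAL='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)
MDM server: https://mdm.example.com/checkin'
SAMPLE_NONE='Enrolled via DEP: No
MDM enrollment: No'

# On a Mac, classify the live state; elsewhere, show the manual-enrollment sample.
if command -v profiles >/dev/null 2>&1; then
  profiles status -type enrollment | classify_enrollment
else
  printf '%s\n' "$SAMPLE_MANUAL" | classify_enrollment
fi
```

A result of `mdm-only` is the case to chase down: the device is managed today, but its enrollment did not come from an Apple-side serial number assignment.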

Wrap up

Apple has quietly built one of the most effective hardware theft deterrents in the world by tying the physical hardware to cloud activation. As an IT admin, there is tremendous peace of mind knowing that if a device is lost or stolen, your data is protected by FileVault, and the hardware itself is useless to the person who took it.

If you are managing Apple devices in an enterprise or K-12 environment and are not using Apple Business with Automated Device Enrollment, you are leaving your hardware exposed. Buying devices off the shelf at a retail store and manually managing them means you lack that server-level ownership. Th


...
