Earlier this month, Apple unveiled its newest generation of MacBook Pros; all feature a significant bump in performance, a redesigned butterfly keyboard, the arrival of "Hey Siri" commands and a second generation of Apple's T-series chips. The T2 chip works to improve performance and includes a Secure Enclave for encryption operations to secure the laptops and power Apple's TouchID as well as the Touch Bar. (The T2 chip is already in Apple's iMac Pro.)
One of the big narratives around the new MacBook Pro - and the T2 chip, in particular - is that they are true professional-level machines with IT-friendly security capabilities that help protect everything from the SSD storage to the start-up process to the apps being used. (This last item is important since users can install apps from outside of the Mac App Store, which is curated by Apple.)
This powerful combination is a strong argument for moving a company or specific departments to Apple laptops. There's incredible performance for demanding tasks, multilayered security built into pretty much every layer of operation, and access to FileVault encryption. With FileVault in use, it becomes next to impossible to get data off a Mac's SSD because of the level of encryption and the fact that the Mac itself signs the encryption keys.
For most laptops, a thief doesn't need to do much to hack into them if they're stolen: Simply yank the hard drive or SSD and "recover" the data on it while bypassing security mechanisms normally applied when the OS loads/boots.
But with drive encryption tied to a specific Mac through FileVault, that same process won't allow access to the encrypted data on the drive. That alone is a compelling argument for using Macs in enterprise environments, particularly in regulated industries where it's critical to ensure data is secure on the device (and in transit) at all times.
Strong security as a double-edged sword
This does, however, raise an issue IT professionals should keep in mind: If a Mac fails, cannot boot properly and needs to be replaced, any stored data might not be accessible to technicians. You can't simply swap the drive into another Mac, or even connect it to another Mac and use Time Machine or third-party backup tools to access or transfer the contents.
This approach to security isn't unique to the new MacBook Pros. Apple instituted a similar security layer in iOS when it introduced TouchID and the Secure Enclave technology that stores critical data on an iOS device. Any iPhone or iPad with TouchID or FaceID pairs its encryption to its Secure Enclave during production. This is why using the fingerprint sensor/home button of one iPhone on another typically fails: the sensor is paired to the device it shipped with.
That makes this security functionality a bit of a double-edged sword for businesses. Your data becomes so secure that a hardware failure can make it completely inaccessible. It also means that backing up data - either locally or to the cloud - becomes paramount. Because if a MacBook Pro fails, you'll be relying on those backups much more than with earlier Macs.
Embracing a cloud solution should be the first option since corporate data will be stored securely off the device, and thus it can be accessed or recovered if there is a hardware failure. There are, of course, plenty of advantages to cloud solutions over network-based backups. In the hyper-mobile world, there are a variety of situations where users will be working outside the network - at home, during travel, or perhaps in meetings at client or prospective client locations. Relying on a backup that only occurs automatically in the office or connected by older technologies like VPN may not be enough for users who are primarily remote or who take their Macs out of the office for long periods.
Whether web- or app-based, cloud solutions for storage and collaboration need to be the default option wherever possible for MacBook Pro users. In this way, the Mac is now becoming a mobile- and cloud-first platform in business (and education). In many ways, the questions that arose with Chromebooks, and to some extent mobile devices, now apply to Apple's laptops.
Other IT concerns with the new MacBook Pros
While encryption and data access are something IT needs to consider when planning to deploy these notebooks, they're not the only things. These are the first Macs that don't support Apple's NetBoot/NetInstall functionality. This means organizations will need to refocus their procurement and deployment processes when rolling out these devices.
For more than a generation, the simplest way to configure Macs for deployment was to create a basic system, create an image of that system's startup drive, and automate the process of booting a Mac and installing that image (typically replacing the stock contents of the drive). This approach, which pre-dates the release of OS X/macOS, often relied on NetBoot/NetInstall (sometimes alone and sometimes together with deployment tools such as those from JAMF, the leading company in the Mac management and deployment space). These let the target Mac(s) boot over the network, locate the appropriate image and install it.
Apple has been slowly deprecating this process, which can be rather time- and labor-intensive, over the past several years. But it has remained available and in use by a range of companies, schools and other organizations.
With Mac OS X 10.7 "Lion", Apple began to shift its Mac deployment and management model toward the MDM model used for managing iOS devices. That system is more lightweight, scalable and automated in its own right. It is also a tack that other players, including Microsoft, have begun to implement.
Used in combination with Apple's Device Enrollment Program, the MDM system allows iOS devices (and Macs) to enroll themselves with an organization's MDM solution of choice and apply settings, apps, access, restrictions, and other management parameters automatically. Doing so skips multiple parts of the setup assistant because devices receive the correct information via MDM. For IT, the process is completely automated and zero-touch. Macs can now be considered the same way.
Apple also supports the ability to include app configuration details and system settings for Macs using MDM. IT can add packages for software, files/documents and configuration data for items beyond Apple's macOS install and setup routines. While this functionality initially felt a little clumsy to experienced Mac admins when Apple began to shift to MDM, the experience has become rock solid over the years. Apple has been positioning it as the preferred deployment method for quite some time.
One of the advantages of this approach - beyond streamlining deployments and letting users turn on a new company-owned Mac and have it properly configured in short order - is that it allows organizations to select management tools that best meet their needs and integrate into the rest of their infrastructure. The robustness and maturity of providers in the enterprise mobility management (EMM) market means a truly tailored, integrated solution is possible, and that infrastructure can now manage most devices and platforms within modern enterprise environments.
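The two concerns above, T2-bound FileVault storage that makes backups paramount and the shift from NetBoot imaging to DEP/MDM enrollment, are the kind of thing an admin wants to audit across a fleet before a rollout. The script below is an added example, not code from the article or from Apple or any MDM vendor. It parses the text printed by four stock macOS commands (`fdesetup status`, `system_profiler SPiBridgeDataType`, `profiles status -type enrollment`, `tmutil destinationinfo`) and reports which of the article's risks apply to a given Mac. The sample outputs are constructed, not captured from a real machine, and the exact wording the real commands print is assumed to match these patterns (it can differ between macOS releases); `collect_live()` is the only part that needs to run on the Mac itself.

```python
"""Audit a Mac against the T2/FileVault deployment concerns (added example).

Constructed sample outputs stand in for the real commands so the module runs
anywhere; collect_live() runs the commands on an actual Mac.
"""
import re
import subprocess
from dataclasses import dataclass, field
from typing import List, Tuple


@dataclass
class MacAudit:
    t2_present: bool          # storage keys live in the T2's Secure Enclave
    filevault_on: bool        # disk is encrypted
    dep_enrolled: bool        # zero-touch enrollment via Device Enrollment Program
    mdm_enrolled: bool        # any MDM enrollment (DEP or manual)
    backup_destinations: List[str] = field(default_factory=list)


def parse_fdesetup(text: str) -> bool:
    """`fdesetup status` prints 'FileVault is On.' or 'FileVault is Off.' (assumed wording)."""
    return re.search(r"FileVault is On\.", text) is not None


def parse_bridge(text: str) -> bool:
    """`system_profiler SPiBridgeDataType` lists the T-series chip under 'iBridge' (assumed wording)."""
    return re.search(r"Model Name:\s*Apple T2", text) is not None


def parse_enrollment(text: str) -> Tuple[bool, bool]:
    """`profiles status -type enrollment` reports DEP and MDM lines (assumed wording)."""
    dep = re.search(r"Enrolled via DEP:\s*Yes", text) is not None
    mdm = re.search(r"MDM enrollment:\s*Yes", text) is not None
    return dep, mdm


def parse_tmutil(text: str) -> List[str]:
    """`tmutil destinationinfo` prints one 'Name : ...' block per Time Machine
    destination, or a 'No destinations configured' message (assumed wording)."""
    return re.findall(r"^Name\s*:\s*(.+?)\s*$", text, flags=re.MULTILINE)


def audit(fdesetup_out: str, bridge_out: str, enrollment_out: str, tmutil_out: str) -> MacAudit:
    dep, mdm = parse_enrollment(enrollment_out)
    return MacAudit(
        t2_present=parse_bridge(bridge_out),
        filevault_on=parse_fdesetup(fdesetup_out),
        dep_enrolled=dep,
        mdm_enrolled=mdm,
        backup_destinations=parse_tmutil(tmutil_out),
    )


# Human-readable text for each finding code returned by findings().
FINDINGS = {
    "FILEVAULT_OFF": "FileVault is off: a pulled SSD can be read on another machine.",
    "NO_BACKUP": "T2-bound, encrypted storage with no backup destination: "
                 "a hardware failure makes the data unrecoverable.",
    "NOT_MDM": "Not MDM-enrolled: T2 Macs have no NetBoot/NetInstall, "
               "so MDM is the supported deployment path.",
    "NOT_DEP": "MDM-enrolled but not via DEP: enrollment was manual, not zero-touch.",
}


def findings(a: MacAudit) -> List[str]:
    """Return the finding codes that apply, in a stable order."""
    codes = []
    if not a.filevault_on:
        codes.append("FILEVAULT_OFF")
    if a.t2_present and a.filevault_on and not a.backup_destinations:
        codes.append("NO_BACKUP")
    if not a.mdm_enrolled:
        codes.append("NOT_MDM")
    elif not a.dep_enrolled:
        codes.append("NOT_DEP")
    return codes


def collect_live() -> MacAudit:
    """Run the four commands on this Mac (macOS only; not used by the samples)."""
    def run(*argv: str) -> str:
        p = subprocess.run(argv, capture_output=True, text=True)
        return p.stdout + p.stderr   # tmutil reports 'no destinations' on stderr
    return audit(run("fdesetup", "status"),
                 run("system_profiler", "SPiBridgeDataType"),
                 run("profiles", "status", "-type", "enrollment"),
                 run("tmutil", "destinationinfo"))


# Constructed sample outputs (not captured from a real machine).
SAMPLE_FDESETUP = "FileVault is On.\n"
SAMPLE_BRIDGE = "iBridge:\n\n      Model Name: Apple T2 Security Chip\n"
SAMPLE_ENROLLMENT = ("Enrolled via DEP: Yes\n"
                     "MDM enrollment: Yes (User Approved)\n"
                     "MDM server: https://mdm.example.com/\n")
SAMPLE_TMUTIL_NONE = "tmutil: No destinations configured.\n"
SAMPLE_TMUTIL_ONE = ("=============================================\n"
                     "Name          : Office Backups\n"
                     "Kind          : Network\n"
                     "URL           : smb://backup.example.com/TimeMachine\n"
                     "=============================================\n")

if __name__ == "__main__":
    a = audit(SAMPLE_FDESETUP, SAMPLE_BRIDGE, SAMPLE_ENROLLMENT, SAMPLE_TMUTIL_NONE)
    for code in findings(a):
        print(f"{code}: {FINDINGS[code]}")
```

Run as-is it reports `NO_BACKUP` for the sample Mac, which is exactly the case the article warns about: fully encrypted, properly enrolled, and one logic-board failure away from losing its data. Swap `audit(...)` for `collect_live()` to check a real machine, and feed the result into whatever inventory your MDM/EMM tool exposes.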
The bottom line for enterprise IT
Many companies that have been using solutions from JAMF, VMware/AirWatch, MobileIron, and even Microsoft to power their EMM infrastructure will be able to adopt the new machines with relative ease. Those that rely on older tactics - including Apple's own macOS Server (which is generally required if you want to use NetBoot/NetInstall) - or still do manual imaging of machines (which can work for smaller deployments but doesn't scale well) should consider moving to the MDM/EMM model Apple has been promoting.
This transition will be easiest for organizations that have embraced EMM to deal with mobile devices, because the tools and processes are already in place to manage and deploy Macs the same way. For companies that haven't moved into mobile management, this is another compelling reason to adopt mobile (and increasingly desktop) management.
Put very simply, mobile management now includes Macs and will increasingly include PCs and other Windows-powered devices. It is now a critical component of the enterprise IT stack.
A lot has been said about how Apple is making macOS Mojave more similar to iOS. By adopting the security approach pioneered on the iPhone, the new MacBook Pros demonstrate that Apple is moving in a way to create even more common ground between its platforms. Ultimately, that should make the lives of developers and IT pros easier since they can approach macOS and iOS as a single "Apple platform" - even if Apple never goes so far as to merge them into a single OS.