How SAP manages over 100,000 Apple devices

With the emergence of iPhone and iPad , the distribution of Apple devices in the enterprise sector is growing steadily. The ability to be productive everywhere through the delivery of innovative cloud and mobility solutions has not only helped SAP deliver a partnership with customers through an Apple-based partnership since 2016, but is also supporting them in their own businesses. With the effect that his team now manages a whopping 17,500 Macs, 83,000 iOS devices, and 170 Apple TVs, Martin Lang, vice president of IT services, Enterprise Mobility, talks to SAP at CW.

Just a few years ago, the world at SAP looked a bit different, recalls Lang. In 2011, around 22,000 Blackberrys were still in use, but only a few employees used iPhones or Apple devices at the time. The turnaround came when in the same year the Walldorf-based software company outfitted the entire sales force with 20,000 iPads at one go - probably the biggest deal Apple pulled ashore at the time.

"When they put the devices into operation, staff quickly realized they could do much more with Apple tablets than with their Blackberrys," says Lang - and the Enterprise Mobility department he led began developing applications, specifically for the sales team and internal processes to further extend the utility of the devices.

Interdisciplinary Apple @ SAP team

Previously, the area was still working on pure app development. In 2015, the MDM (Mobile Device Management) team joined the specialist department. At the end of 2015/16, Mac® SAP was also taken over, managing the growing number of Apple computers in the Group. As a result, the company has a dedicated interdisciplinary Apple @ SAP team dedicated to device management, security, technical support, and the development of Mac and iOS applications.

Martin Lang demonstrates together with an SAP employee how quickly and easily a new iPhone can be put into operation. Photo: JAMF

So far, mobile devices have been managed through the in-house mobile device management system, and in the summer of 2018 they made the strategic decision to switch to a new MDM. In a proof of concept, the company then tested three solutions: Microsoft Intune, VMware Workspace ONE (better known as Airwatch) and Jamf Pro, which SAP has been using since 2010 to manage its Mac machines.

VMware / Airwatch and Jamf were shortlisted in the end, explains the SAP manager. The decision to manage Apple devices at SAP with Jamf fell because they had had good experience with the solution for eight years. "Airwatch has a similar range of functions, but the introduction would have taken longer because we had to build more knowledge," said the Mobility specialist.

User-friendliness in focus

Ultimately, the choice was also on Jamf, because the manufacturer put a strong focus on usability - a subject that Lang according to the SAP CIO Thomas Saueressig very dear. In addition, SAP benefits from the integration of Jamf with Microsoft EMS (Enterprise Security + Mobility). The solution enables the software company to use the Conditional Access feature to ensure that only trusted users of compliant devices and approved applications access corporate data.

As Lang explains, one is already far on the Mac suite, but not yet on iOS. However, SAP has the best prerequisites, since the group works a lot with certificates and uses the SAP Cloud Connector for accessing company data on the SAP Cloud Platform instead of individual VPNs. And thanks to the link between the Apple Business Manager ( formerly VPP and DEP ) with Jamf Pro, the deployment of a new iOS device and the distribution of apps are also easy and without the IT department having to put hands on the iOS device (Zero Touch Deployment): The user turns on the system, enters his password, the rest goes automatically.

Airwatch, a VMware solution, has been introduced to manage the approximately 7,000 Android devices, predominantly smartphones, and has been live since October 2018. As Lang admits, the support of Android in his company can hardly be economically justifiable, as it consumes almost as many resources as the 87,000 iOS devices. However, the Android community is quite stable and also very passionate, many users also need Android for their work (App Development).

The large but slowly declining number of 85,000 Windows devices is still managed classically with Microsoft SCCM at SAP. Intune will be evaluated because SAP is also a big Office 365 and Azure customer, explains Lang.

TCO of Apple devices probably lower

The IT man assumes that the 17,500 Macs used at SAP are just the beginning. The purchase price is somewhat steep, but as far as the total cost of ownership (TCO) is concerned, Apple devices in the form of Macs are cheaper because they need less support for three years, seen seen. "Currently this is more of a gut feeling," said Lang, but SAP wanted to gather facts.

In addition to the hard facts, the soft factors also played a role, because "when new employees come to SAP today, they often want a Mac, and if they do, they can do whatever they want from a business perspective." explains Lang. "Because of the high expectations of the employees, I do not believe that we have any choice but to offer this flexibility."

Choose your own device

The selection and ordering of mobile devices and desktops - for legal reasons, all company devices in Germany, often also COPE and ByoD devices abroad - is done via a catalog of the subsidiary Ariba. Since SAP used the Knox Mobile Enrollment feature to set up the devices, here in the Android section, the selection before switching to Workspace ONE / Airwatch was limited to some Samsung models, reports Lang. Now there would be more choice with Android Enterprise, such as Google Pixel smartphones, various Nokia or Blackberry devices with keyboard. In addition, every large SAP subsidiary with more than 1,000 employees has a so-called Mobile Solutions Center, in which devices can be touched and tried before ordering ("try before you buy"), which are comparable to an Apple Store, reports Lang.

Try before you buy: In the IT Link Center of SAP in Walldorf devices of all kinds are ready to be viewed and tested. Photo:

SAP SAP has set up a native AppStore with Jamf Self Service for equipping the devices. It gives SAP employees instant access to resources, content and trusted applications - independently, without the help of IT and with one click on their Mac or iOS device. As the mobility specialist tells, SAP, in contrast to traditional customers, works a lot with native in-house apps - about 60 units - plus Microsoft Office, VPN and applications for personnel and travel management (Success Factors and Concur respectively).

iOS first - also in the app development

Speaking of apps: When the app development was intensified at SAP in 2011/12, the company was still broadly positioned with Blackberry, Android , iOS and Windows Mobile. As the focus has shifted significantly towards iPhones, it is now being developed for iOS, then for Android. There is a magic limit, reports Lang: Only if an app is intended for more than 1000 employees, then they also exist for Android. In general, use is the main factor, as feedback for the success of an application is therefore measured intensively, how often an app is used.

In the Self Service App, SAP employees see the available apps. Photo: SAP

However, Jamfs Self Service only provides downloads for an app, but access to SAP Cloud Platform can be tracked, the Mobility specialist adds. However, the whole thing happens very sensitively so as not to conflict with the works council (keyword performance control), but is broken down, for example, to the countries.

In order to promote the secure development of apps - even in individual business units - SAP also has the App Playground in operation. This has different categories and ensures a fast distribution of API files. At the same time, everyone knew that they were only test applications that were not officially approved, for example because no security features had been integrated yet.

While SAP has around 70 internally developed iOS applications, the number of Mac applications is significantly lower. But that should change according to Lang. "We are curious what will happen next year in terms of using iOS apps on a Mac," says the SAP man, referring to Apple's marzipan project , which will significantly streamline the porting of iOS apps to the Mac in 2019 should facilitate. "We have a lot of iPad apps that would just work great on a Mac."