From e0579c5bdd9182f0c180d3514572437a54a35571 Mon Sep 17 00:00:00 2001 From: Allister Banks Date: Thu, 28 Mar 2024 17:55:55 +0900 Subject: [PATCH 1/4] new definitions .md, typos, .gitignore New .md file to define the criteria, typo fixes, gitignore --- .gitignore | 1 + Apple/MDM Table Definitions.md | 77 ++++++++++++++++++++++++++++++++++ README.md | 4 +- 3 files changed, 80 insertions(+), 2 deletions(-) create mode 100644 .gitignore create mode 100644 Apple/MDM Table Definitions.md diff --git a/.gitignore b/.gitignore new file mode 100644 index 0000000..5509140 --- /dev/null +++ b/.gitignore @@ -0,0 +1 @@ +*.DS_Store diff --git a/Apple/MDM Table Definitions.md b/Apple/MDM Table Definitions.md new file mode 100644 index 0000000..f7d241d --- /dev/null +++ b/Apple/MDM Table Definitions.md 
@@ -0,0 +1,77 @@ +### MDM Table Definitions + +| **Feature ** | **Category** | **OS** | **Definition** | +|---|---|---|---| +| **Local agent/binary** | Agent | macOS | MDM functionality-related GUI value-add, device or user-focused/facing | +| **CLI for local agent/binary** | Agent | macOS | Command line interface of vendor-maintained/deployed code that provides status/inventory or interaction with admin actions | +| **Native Teams Integration** | Alerts | Server Infrastructure | More than zero 'batteries included' capability provided to do as little as get admin status messages or as much as approval/creation/updating/deleting actions via 'chatops' | +| **Native Slack Integration** | Alerts | Server Infrastructure | Same as above | +| **Email Alerts** | Alerts | Server Infrastructure | More than zero 'batteries included' capability to have alerts 'pushed' from the MDM | +| **Generic Outgoing Webhook** | Alerts | Server Infrastructure | Near-realtime, 'consequential'/practically useful and configurable outbound HTTP POSTs in at least json if not protobuf/rpc format | +| **EDR/Antivirus product** | Antivirus | macOS | Either running locally on the computer or able to cause the MDM to use non-customer 'sourced' intelligence to detect/respond to malware etc. | +| **EDR/Antivirus product** | Antivirus | iOS/iPadOS | Non-customer 'sourced' intelligence to detect/respond to malware etc. 
| +| **Self Service App** | App Delivery | macOS | Device/user-focused/facing 'store' or way for end users to interact with info, 'curated' apps and/or scripts | +| **Self Service App** | App Delivery | iOS/iPadOS | Device/user-focused/facing 'store' or way for end users to interact with info or 'curated' apps | +| **Custom Cloud Content Distribution Network (CDN)** | Content Delivery | Server Infrastructure | At least some redundancy (multiple data center/region) capability to distribute at least apps if not also configs | +| **Custom On-Premises Content Distribution** | Content Delivery | Server Infrastructure | Some if not all MDM resources can be 'cached' and hosted within a trusted address space | +| **Apple Business/School Manager (ABM) VPP Token** | Apple Business Manager | Server Infrastructure | Minimally can access and account for app licenses purchased via 'AxM' (either program) | +| **Custom Configuration Profile support** | Configuration | macOS | Configuration profiles with arbitrary keys can be loaded in and distributed | +| **Custom Configuration Profile support** | Configuration | iOS/iPadOS | Same as above | +| **Built-in Notifications to end-user** | App Update | macOS | Without unreasonable admin effort can send practically useful notifications to enrolled computers | +| **Built-in Notifications to end-user** | App Update | iOS/iPadOS | Same as above but limited to notifications like at least app badging | +| **Forced App Installs (within MDM limitations)** | App Delivery | macOS | Assuming reasonable criteria for 'installed', can ensure the action occurs at least once (without VPP) | +| **Forced App Installs (within MDM limitations)** | App Delivery | iOS/iPadOS | Can ensure an app is 'locked' on a supervised device | +| **Forced App Updates (within MDM limitations)** | App Update | macOS | Can ensure when an app is already considered present it can be updated to a functional 'latest' version (without VPP) | +| **Forced App Updates (within MDM 
limitations)** | App Update | iOS/iPadOS | Can ensure a non-latest app version is updated to 'latest' | +| **Declarative Device Management support** | Device Management | macOS | Can leverage the updated protocol commands supported by Apple as defined in the [Apple Platform Deployment](https://support.apple.com/guide/deployment) guide | +| **Declarative Device Management support** | Device Management | iOS/iPadOS | Same, for iOS/iPadOS | +| **Declarative Device Management support** | Device Management | watchOS | Same, for watchOS | +| **Declarative Device Management support** | Device Management | visionOS | Same, for visionOS | +| **Apple TV support** | Apple TV | tvOS | Can manage Apple TV devices | +| **Apple Watch support** | Apple Watch | watchOS | Can manage Apple Watch devices | +| **Apple Vision Pro support** | Apple Vision Pro | visionOS | Can manage Apple Vision Pro devices | +| **API - Public Documentation** | Automation | Server Infrastructure | Provides usable documentation for an API without undue access restrictions | +| **API - REST standards** | Automation | Server Infrastructure | API is built with reasonable industry standard design, e.g. 
supporting [CRUD](https://en.wikipedia.org/wiki/Create,_read,_update_and_delete) interactions | +| **API - Swagger Documentation** | Automation | Server Infrastructure | Provides API documentation using the [Swagger](https://swagger.io/) or a similar browser-based way to simulate interactions | +| **API - Non-standard** | Automation | Server Infrastructure | While not RESTful, an API surface is provided in a reasonably consumable format at all | +| **Offline mode** | Agent | macOS | When 'air-gap'd or otherwise without server connectivity, can use local agent/binary to enforce some (non-config profile) policies | +| **Blueprint Configuration framework** | Configuration | Server Infrastructure | A working abstraction is present to make configuration/tasks reusable across devices, resources, and/or users/groups | +| **Device Group Membership - Automatic sync** | Configuration | Server Infrastructure | Calculation of device group membership happens in near-to-constant time, based on practical attributes | +| **Device Group Membership - Interval sync** | Configuration | Server Infrastructure | Device group membership is recalculated on a scheduled interval, rather than close-to-realtime | +| **User Group Membership - Automatic sync** | Configuration | Server Infrastructure | Calculation of user group membership happens in near-to-constant time, based on practical attributes | +| **User Groups Membership - Interval sync** | Configuration | Server Infrastructure | User group membership is recalculated on a scheduled interval, rather than close-to-realtime | +| **User Groups - Directory Service group membership** | Configuration | Server Infrastructure | Can be linked to a user database like LDAP/Active Directory to automatically sync at least the administrator access group | +| **Shared iPad Mode support** | Shared iPad Mode | iPadOS | Can configure and manage devices in Shared iPad Mode | +| **App Lock - Single App Mode** | Configuration | iOS/iPadOS | Can lock a device 
into a single approved app, including management to update the app without disruption | +| **Custom Scripts deployed from Admin Portal** | Configuration | Server Infrastructure | Provides a secure way to distribute arbitrary code in common scripting languages on enrolled devices | +| **Restrictions - App Block List** | Configuration | Server Infrastructure | Can reasonably intercept or prevent the execution of identified unwanted app bundles | +| **Supervise Device** | Configuration | macOS | Can establish a supervision 'relationship' with a device to provide enhanced MDM features and enable configuration profile payloads | +| **Supervise Device** | Configuration | iOS/iPadOS | Same, for iOS/iPadOS devices | +| **Apple Business/School Manager (ABM/ASM) MDM Token** | Apple Business Manager | Server Infrastructure | Conforms to all reasonably required parts of the spec needed to integrate with and leverage an ABM/ASM MDM token, including VPP | +| **Automated Device Enrollment (ADE) support** | Enrollment | macOS | Can support the enrollment and configuration of iOS/iPadOS devices using Device Enrollment | +| **Automated Device Enrollment (ADE) support** | Enrollment | iOS/iPadOS | Same, but for iOS/iPadOS devices | +| **Admin-created ADE Package support** | Enrollment | macOS | Allows admins to provide arbitrary executable code (e.g. 
contained in a package) to be delivered at time of ADE enrollment | +| **ADE Automatic User Creation from Identity Provider (IdP), like OIDC, Entra ID, Okta, Google Workspace,etc)** | Enrollment | macOS | The MDM can mark or designate a device as being associated with a user account in the external database | +| **Directory Integration - Okta** | Configuration | Server Infrastructure | Can integrate and sync with Okta for at least some group member visibilty and user authentication | +| **Directory Integration - Google Workspace ** | Configuration | Server Infrastructure | Same as above, but with Google Workspace as the external user/group database | +| **Directory Integration - Microsoft Entra ID** | Configuration | Server Infrastructure | Same as above, but with Microsoft Entra | +| **Admin Portal - SSO Login** | Identity | Server Infrastructure | Admin inteface supports SSO login via IdP like SAML, OAuth | +| **Login Window replacement with IdP** | Identity | macOS | Has offering to replace the native macOS login window with one integrated with an IdP | +| **IdP Password Sync with local account** | Identity | macOS | Has offering to sync passwords from an IdP with the local macOS user account | +| **Extension Attributes or equivalent** | Inventory | Server Infrastructure | Can at least display arbitrary inventory criteria, e.g. 
by enabling the running of custom code | +| **Migration agent or package from previous MDM** | Migration | macOS | Provides meaningful end-user facing assistance to migrate devices from another MDM | +| **OS Updates** | OS Update | macOS | Can send commands that force devices to new minor or major macOS versions | +| **OS Updates** | OS Update | iOS/iPadOS | Same, but for iOS/iPadOS versions | +| **OS Updates** | OS Update | tvOS | Sames, but for tvOS versions | +| **Admin Portal - Custom Access Roles (RBAC)** | Configuration | Server Infrastructure | Can allow/restrict R/W access to admin portal features granularly | +| **Admin Portal - Pre-configured Roles (RBAC)** | Configuration | Server Infrastructure | Abstraction of groups in MDM can allow/restrict collections of features | +| **Reporting - Built in to Admin Portal (no need to export data for manipulation)** | Reporting | Server Infrastructure | Basic reasonable configurations or modifications to display data like e.g. sorting columns are built-in | +| **Reporting - Customize within Admin Portal** | Reporting | Server Infrastructure | The ability to configure high-level metrics or visualizations of the data for optimized decision making can be stored as at least a single user preference | +| **Local Admin Password Solution (LAPS)** | Security | macOS | Can manage rotation of local admin account passwords | +| **Baselines (Hardening) Pre-built configs** | Compliance | Server Infrastructure | Regulated industry compliance/security-related baseline configurations are built-in and can be applied to device groups without significant admin effort | +| **Compliance Control** | Compliance | Server Infrastructure | Explicit capabilities in agent to continuously enforce compliance controls | +| **Security Templates** | Security | Server Infrastructure | Foundational set of controls are built-in, distinguished as being good basic security hygiene for non-personal devices but not as strict as a regulated industry would 
demand | +| **Sandbox instance** | Sandbox | Server Infrastructure | (Within reason) has offering that supports/provides access to evaluating stable functionality and/or preview new releases with a resonable approximation of 'production' configs/resources | +| **Microsoft Conditional Access support** | Security | Server Infrastructure | Can assist in enabling and enforcing Microsoft conditional access policies | +| **Okta Device Trust support** | Security | Server Infrastructure | Can assist in enabling and enforcing device trust policies from Okta | +| **Other conditional access support** | Security | Server Infrastructure | Either supports other 3rd parties or significantly enables similar policy engine-style access controls | diff --git a/README.md b/README.md index 06a1c27..9c84de2 100644 --- a/README.md +++ b/README.md 
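Review bot: the macOS row for **Automated Device Enrollment (ADE) support** defines the feature as "Can support the enrollment and configuration of iOS/iPadOS devices using Device Enrollment", and the row directly beneath it reads "Same, but for iOS/iPadOS devices", so the macOS definition was copied from the wrong platform; it should describe macOS devices enrolled via Automated Device Enrollment. Two feature names carry a space inside the bold markers, `| **Feature ** |` in the header and `**Directory Integration - Google Workspace **`, which GFM does not render as bold; drop the space before the closing `**`. The two "Automatic sync" rows define membership as calculated "in near-to-constant time", which is a complexity claim rather than the near-real-time recalculation that the paired "Interval sync" rows are contrasted against; "recalculated near-real-time when attributes change" says what is meant. For **Custom Scripts deployed from Admin Portal**, "a secure way to distribute arbitrary code" is the one security-bearing criterion in the table and it is left undefined: state what earns the check mark (for example, scripts delivered only over the MDM or agent channel and executed by the vendor agent, typically as root), because an arbitrary-script pipeline running as root on every enrolled Mac is precisely the control an evaluator needs to assess. Smaller fixes in the same hunk: "Sames, but for tvOS", "visibilty", "inteface", "resonable", "Workspace,etc)" with its unmatched closing parenthesis in the ADE user-creation row, and the VPP token row abbreviates Apple Business/School Manager as "(ABM)" while the MDM token row uses "(ABM/ASM)" and the definition text uses "AxM"; pick one abbreviation.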
@@ -10,9 +10,9 @@ $${\color{red}New!}$$ If you're lucky (unlucky?) enough to get to choose an MDM product for your organization, whether starting new or migrating from an existing one, you need to figure out what your true needs are. -Being prepared to make concessions on superflous items while holding firm on high-priority features is a delicate balance. Ultimately, most admins will have to balance cost, functionality, and learning curve. +Being prepared to make concessions on superfluous items while holding firm on high-priority features is a delicate balance. Ultimately, most admins will have to balance cost, functionality, and learning curve. For more info, check out my blog on Sysmansquad: [Evaluating Apple MDM Products](https://sysmansquad.com/2022/05/03/2022-05-03-evaluating-apple-mdm-products/). ### Managing Apple Devices -To start, check out this [MDM Comparison Table](https://github.com/hkystar35/MDM/blob/main/Apple/MDM%20Comparison%20Table.md) for some mediume-to-high-level info on features of a few leading MDM products. +To start, check out this [MDM Comparison Table](https://github.com/hkystar35/MDM/blob/main/Apple/MDM%20Comparison%20Table.md) for some medium-to-high-level info on features of a few leading MDM products. From d1a59448a20766f112025a0869a2d831dbbd21e8 Mon Sep 17 00:00:00 2001 From: Allister Banks Date: Mon, 7 Oct 2024 23:09:33 +0900 Subject: [PATCH 2/4] back out introduction of definitions md, convert to s Another pass at editing the definitions themselves while placing inline in table, hopefully this is closer/better --- Apple/MDM Comparison Table.md | 145 ++++++++++++++++----------------- Apple/MDM Table Definitions.md | 77 ----------------- 2 files changed, 72 insertions(+), 150 deletions(-) delete mode 100644 Apple/MDM Table Definitions.md diff --git a/Apple/MDM Comparison Table.md b/Apple/MDM Comparison Table.md index 3906834..b400f50 100644 --- a/Apple/MDM Comparison Table.md +++ b/Apple/MDM Comparison Table.md 
@@ -27,76 +27,75 @@ ___ | **Feature** | **Category** | **OS** | **Meraki SM** | **Jamf** | **Kandji** | **Mosyle** | **Addigy** | **JumpCloud** | **Intune** | **Workspace ONE** | |---|---|---|---|---|---|---|---|---|---|---| -| **Local agent/binary** | Agent | macOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | -| **CLI for local agent/binary** | Agent | macOS | :x: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | :x: | :x: | :white_check_mark: | -| **Native Teams Integration** | Alerts | Server Infrastructure | :x: | :x: | :white_check_mark: | :x: | :grey_exclamation::asterisk::heavy_dollar_sign: | :x: | :x: | :x: | -| **Native Slack Integration** | Alerts | Server Infrastructure | :x: | :x: | :white_check_mark: | :x: | :grey_exclamation::asterisk::heavy_dollar_sign: | :x: | :x: | :x: | -| **Email Alerts** | Alerts | Server Infrastructure | :white_check_mark: | :white_check_mark::asterisk: | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | -| **Generic Outgoing Webhook** | Alerts | Server Infrastructure | :white_check_mark: | :white_check_mark: | :x: | :x: | :x: | :x: | :x: | -| **EDR/Antivirus product** | Antivirus | macOS | :grey_question: | :white_check_mark::heavy_dollar_sign: | :white_check_mark::heavy_dollar_sign: | :white_check_mark::heavy_dollar_sign: | :white_check_mark::heavy_dollar_sign: | :x: | :white_check_mark::heavy_dollar_sign: | :white_check_mark::heavy_dollar_sign: | -| **EDR/Antivirus product** | Antivirus | iOS/iPadOS | :grey_question: | :x: | :x: | :x: | :white_check_mark::heavy_dollar_sign: | :x: | -| **Self Service App** | App Delivery | macOS | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | :white_check_mark: | -| **Self Service App** | App Delivery | iOS/iPadOS | 
:white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | :white_check_mark: | :white_check_mark: | -| **Custom Cloud Content Distribution Network (CDN)** | Content Delivery | Server Infrastructure | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | -| **Custom On-Premises Content Distribution** | Content Delivery | Server Infrastructure | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | -| **Apple Business Manager (ABM) VPP Token** | Apple Business Manager | Server Infrastructure | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | -| **Custom Configuration Profile support** | Configuration | macOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | -| **Custom Configuration Profile support** | Configuration | iOS/iPadOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | -| **Built-in Notifications to end-user** | App Update | macOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | :white_check_mark: | -| **Built-in Notifications to end-user** | App Update | iOS/iPadOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | :white_check_mark: | :white_check_mark: | -| **Forced App Installs (within MDM limitations)** | App Delivery | iOS/iPadOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | -| **Forced App Installs 
(within MDM limitations)** | App Delivery | macOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | -| **Forced App Updates (within MDM limitations)** | App Update | iOS/iPadOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | -| **Forced App Updates (within MDM limitations)** | App Update | macOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | -| **Declarative Device Management support** | Device Management | macOS | :grey_question: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | :x: | -| **Declarative Device Management support** | Device Management | iOS/iPadOS | :grey_question: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | :white_check_mark: beta | -| **Declarative Device Management support** | Device Management | watchOS | :grey_question: | :x: | :x: | :x: | -| **Declarative Device Management support** | Device Management | visionOS | :grey_question: | :x: | :x: | :x: | -| **Apple TV support** | Apple TV | tvOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | -| **Apple Watch support** | Apple Watch | watchOS | :white_check_mark: | :x: | :x: | :x: | -| **Apple Vision Pro support** | Apple Vision Pro | visionOS | :x: | :x: | :x: | -| **API - Public Documentation** | Automation | Server Infrastructure | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | -| **API - REST standards** 
| Automation | Server Infrastructure | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | -| **API - Swagger Documentation** | Automation | Server Infrastructure | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | :white_check_mark: | :grey_exclamation: | :white_check_mark: | -| **API - Non-standard** | Automation | Server Infrastructure | :white_check_mark: | -| **Offline mode (cached enforcement by local agent/binary separate from Config Profiles)** | Agent | macOS | :x: | :white_check_mark: | :x: | :x: | :grey_exclamation: | :x: | -| **Blueprint Configuration framework** | Configuration | Server Infrastructure | :x: | :x: | :x: | :white_check_mark: | :x: | -| **Device Groups - Attribute-based membership - Automatic updates** | Configuration | Server Infrastructure | :x: | :white_check_mark: | :x: | :grey_exclamation: | :white_check_mark: | :white_check_mark: | :grey_exclamation: | :white_check_mark: | -| **Device Groups - Attribute-based membership - Interval updates** | Configuration | Server Infrastructure | :x: | :x: | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | -| **User Groups - Attribute-based membership - Automatic updates** | Configuration | Server Infrastructure | :x: | :white_check_mark: | :x: | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | -| **User Groups - Attribute-based membership - Interval updates** | Configuration | Server Infrastructure | :x: | :x: | :x: | :x: | :white_check_mark: | :x: | -| **User Groups - Directory Service group membership** | Configuration | Server Infrastructure | :x: | :x: | :x: | :white_check_mark: | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | -| **Shared iPad Mode support** | Shared iPad Mode | iPadOS | :grey_exclamation: Education only | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | 
:x: | :white_check_mark: | :white_check_mark: | -| **App Lock - Single App Mode** | Configuration | iOS/iPadOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | :x: | -| **Custom Scripts deployed from Admin Portal** | Configuration | Server Infrastructure | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | -| **Restrictions - App Block List** | Configuration | Server Infrastructure | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark::heavy_dollar_sign: | :white_check_mark: | -| **Supervise Device** | Configuration | macOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | -| **Supervise Device** | Configuration | iOS/iPadOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | -| **Apple Business Manager (ABM) MDM Token** | Apple Business Manager | Server Infrastructure | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | -| **Automated Device Enrollment (ADE) support** | Enrollment | iOS/iPadOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | -| **Automated Device Enrollment (ADE) support** | Enrollment | macOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | -| **ADE Package support** | Enrollment | macOS | 
:white_check_mark: | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | -| **ADE Automatic User Creation from Identity Provider (IdP), like OIDC, Entra ID, Okta, Google Worksapce,etc)** | Enrollment | macOS | :white_check_mark::heavy_dollar_sign: | :white_check_mark::heavy_dollar_sign: | :white_check_mark::heavy_dollar_sign: | :white_check_mark: | :white_check_mark: | :x: | -| **Directory Integration - Okta** | Configuration | Server Infrastructure | :x: | :x: | :white_check_mark: SCIM | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | -| **Directory Integration - Google Workspace ** | Configuration | Server Infrastructure | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | -| **Directory Integration - Microsoft Entra ID** | Configuration | Server Infrastructure | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | -| **Admin Portal - SSO Login** | Identity | Server Infrastructure | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | -| **Login Window replacement with IdP** | Identity | macOS | :x: | :white_check_mark::heavy_dollar_sign: | :white_check_mark::heavy_dollar_sign: | :white_check_mark::heavy_dollar_sign: | :white_check_mark: | :white_check_mark: | :x: | :x: | -| **IdP Password Sync with local account** | Identity | macOS | :x: | :white_check_mark::heavy_dollar_sign: | :white_check_mark::heavy_dollar_sign: | :white_check_mark::heavy_dollar_sign: | :white_check_mark: | :white_check_mark: | :x: | :x: | -| **Extension Attributes or equivalent** | Inventory | Server Infrastructure | :x: | :white_check_mark: | :x: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | 
:white_check_mark: | -| **Migration agent or package from previous MDM** | Migration | macOS | :x: | :x: | :white_check_mark: | :grey_exclamation: | :white_check_mark: | :x: | :x: | :grey_exclamation: | -| **OS Updates** | OS Update | iOS/iPadOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | -| **OS Updates** | OS Update | macOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | -| **OS Updates** | OS Update | tvOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | -| **Admin Portal - Custom Access Roles (RBAC)** | Configuration | Server Infrastructure | :x: | :white_check_mark: | :x: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | :white_check_mark: | -| **Admin Portal - Pre-configured Roles (RBAC)** | Configuration | Server Infrastructure | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | -| **Reporting - Built in to Admin Portal (no need to export data for manipulation)** | Reporting | Server Infrastructure | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark::heavy_dollar_sign: | -| **Reporting - Customize within Admin Portal** | Reporting | Server Infrastructure | :x: | :grey_exclamation: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark::heavy_dollar_sign: | :white_check_mark::heavy_dollar_sign: | -| **Built-In - Local Admin Password Solution (LAPS)** | Security | macOS | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | -| **Baselines (Hardening) 
Pre-built configs** | Compliance | Server Infrastructure | :x: | :x: | :white_check_mark: | :white_check_mark: | :x: | :x: | :x: | -| **Compliance Control** | Compliance | Server Infrastructure | :x: | :x: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | :x: | -| **Security Templates** | Security | Server Infrastructure | :x: | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | -| **Sandbox instance** | Sandbox | Server Infrastructure | :x: | :white_check_mark: | :grey_exclamation: | :x: | :x: | :x: | :white_check_mark: | -| **Microsoft Conditional Access support** | Security | Server Infrastructure | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | | :white_check_mark: | -| **Okta Device Trust support** | Security | Server Infrastructure | :x: | :x: | :white_check_mark: | :x: | :white_check_mark: | :x: | -| **Other conditional access support** | Security | Server Infrastructure | :x: | :white_check_mark: | | | | | | :white_check_mark: | +|
**Local agent/binary**A vendor-provided GUI app for installation on the local Mac, used to provide capabilities beyond Apple's Device Management framework or notifications. Uses the vendors communication protocol rather that APNS
| Agent | macOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1 | +|
**CLI for local agent/binary**Command line interface of vendor-maintained/deployed code that provides status/inventory or interaction with admin actions
| Agent | macOS | :x: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | :x: | :x: | :white_check_mark: | +|
**Native Teams Integration**'Batteries included' capability to send as little as admin/monitoring/status messages or as much as approval/creation/update/deletion actions via 'chatops'
| Alerts | Server Infrastructure | :x: | :x: | :white_check_mark: | :x: | :grey_exclamation::asterisk::heavy_dollar_sign: | :x: | :x: | :x: | +|
**Native Slack Integration**Same detail as above
| Alerts | Server Infrastructure | :x: | :x: | :white_check_mark: | :x: | :grey_exclamation::asterisk::heavy_dollar_sign: | :x: | :x: | :x: | +|
**Email Alert**'Batteries included' capability to have 'messages 'pushed' from the MDM
| Alerts | Server Infrastructure | :white_check_mark: | :white_check_mark::asterisk: | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | +|
**Generic Outgoing Webhook**Near-realtime, 'consequential'/to some extent practically useful, outbound HTTP POSTs in at least json if not protobuf/rpc format
| Alerts | Server Infrastructure | :white_check_mark: | :white_check_mark: | :x: | :x: | :x: | :x: | :x: | +|
**EDR/Antivirus product**Either running locally on the computer or able to cause the MDM to use non-customer 'sourced' intelligence to detect/respond to malware etc.
| Antivirus | macOS | :grey_question: | :white_check_mark::heavy_dollar_sign: | :white_check_mark::heavy_dollar_sign: | :white_check_mark::heavy_dollar_sign: | :white_check_mark::heavy_dollar_sign: | :x: | :white_check_mark::heavy_dollar_sign: | :white_check_mark::heavy_dollar_sign: | +|
**EDR/Antivirus product**Non-customer 'sourced' intelligence to detect/respond to malware etc.
| Antivirus | iOS/iPadOS | :grey_question: | :x: | :x: | :x: | :white_check_mark::heavy_dollar_sign: | :x: | +|
**Self Service App**Device/user-focused/facing 'store/catalog' or way for end users to interact with info, 'curated' apps/scripts
| App Delivery | macOS | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | :white_check_mark: | +|
**Self Service App**Device/user-focused/facing 'store/catalog' or way for end users to interact with info or 'curated' apps/functions
| App Delivery | iOS/iPadOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | :white_check_mark: | :white_check_mark: | +|
**Custom Cloud Content Distribution Network (CDN)**Vendor-facilitated hosting with at least some redundancy (multiple data center/region), to distribute apps/assets/configs
| Content Delivery | Server Infrastructure | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | +|
**Custom On-Premises Content Distribution**Some applicable resources can be 'cached' and hosted within a known network/cloud provider region/address space
| Content Delivery | Server Infrastructure | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | +|
**Apple Business/School Manager (AxM) VPP Token**Can access and account for app licenses purchased via either applicable program
| Apple Business Manager | Server Infrastructure | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | +|
**Custom Configuration Profile/Declaration/Command support**At least custom configuration profiles (containing arbitrary domains/keys/values/'depths'/data structures, as long as valid in the spec/XML) can be loaded in and distributed with some parity to other 'baked-in' payloads/commands
| Configuration | macOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | +|
**Custom Configuration Profile/Declaration/Command support**Same detail as above
| Configuration | iOS/iPadOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | +|
**Built-in Notifications to device**'Batteries included' capability to send practically useful notifications to enrolled computers
| App Update | macOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | :white_check_mark: | +|
**Built-in Notifications to device**Same as above but within platform constraints e.g. vendor's app badging/'toaster' banners
| App Update | iOS/iPadOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | :white_check_mark: | :white_check_mark: | +|
**Enforced Installs**Assuming reasonable criteria for success, can ensure installation occurs when app not present & without MDM protocol/VPP
| App Delivery | macOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | +|
**Enforced Installs**Within platform limitations, ensure an app is 'locked' on a managed/supervised device
| App Delivery | iOS/iPadOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | +|
**Enforced Updates**Can ensure when an app is already considered present it can be updated to a functional desired version (without VPP)
| App Update | macOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | +|
**Enforced Updates**Can ensure a non-latest app version is updated to functional desired version
| App Update | iOS/iPadOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | +|
**Declarative Device Management support**Can leverage the updated protocol commands supported by Apple as defined in the [Apple Platform Deployment](https://support.apple.com/guide/deployment) guide
| Device Management | macOS | :grey_question: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | :x: | +|
**Declarative Device Management support**Same, for applicable platform
| Device Management | iOS/iPadOS | :grey_question: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | :white_check_mark: beta | +|
**Declarative Device Management support**Same, for applicable platform
| Device Management | watchOS | :grey_question: | :x: | :x: | :x: | +|
**Declarative Device Management support**Same, for applicable platform
| Device Management | visionOS | :grey_question: | :x: | :x: | :x: | +|
**Apple TV support**Can manage applicable platform
| Apple TV | tvOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | +|
**Apple Watch support**Can manage applicable platform
| Apple Watch | watchOS | :white_check_mark: | :x: | :x: | :x: | +|
**Apple Vision Pro support**Can manage applicable platform
| Apple Vision Pro | visionOS | :x: | :x: | :x: | +|
**API - Public Documentation**Provides usable documentation/browser for API endpoints without undue access restriction
| Automation | Server Infrastructure | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | +|
**API - REST standards**API is built with reasonable industry standard design, e.g. versioned with consistent URL structure, supports [CRUD](https://en.wikipedia.org/wiki/Create,_read,_update_and_delete) interactions, is not e.g. SOAP or arcane
| Automation | Server Infrastructure | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | +|
**API - Interactive browser/executable support**Provides confirmation/browsing of some API functionality via a browser like [Swagger](https://swagger.io/)/[Postman](https://www.postman.com) or a similar way to simulate/perform interactions
| Automation | Server Infrastructure | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | :white_check_mark: | :grey_exclamation: | :white_check_mark: | +|
**API - Non-standard**While not RESTful, an API 'surface' is provided in a reasonably consumable format at all for practically useful needs
| Automation | Server Infrastructure | :white_check_mark: | +|
**Offline mode**When 'air-gap'd or otherwise without server connectivity, can use local agent/binary to enforce (non-config profile) configurations
| Agent | macOS | :x: | :white_check_mark: | :x: | :x: | :grey_exclamation: | :x: | +|
**Blueprint Configuration framework**A working abstraction is present to make configuration/assets/tasks reusable across devices, resources, and/or users/groups
| Configuration | Server Infrastructure | :x: | :x: | :x: | :white_check_mark: | :x: | +|
**Device Groups - Attribute-based membership - Automatic updates**Calculation of device group membership happens in near-to-constant time, based on practical attributes
| Configuration | Server Infrastructure | :x: | :white_check_mark: | :x: | :grey_exclamation: | :white_check_mark: | :white_check_mark: | :grey_exclamation: | :white_check_mark: | +|
**Device Groups - Attribute-based membership - Interval updates**Device group membership is recalculated on a scheduled interval
| Configuration | Server Infrastructure | :x: | :x: | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | +|
**User Groups - Attribute-based membership - Automatic updates**Calculation of user group membership happens in near-to-constant time, based on practical attributes
| Configuration | Server Infrastructure | :x: | :white_check_mark: | :x: | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | +|
**User Groups - Attribute-based membership - Interval updates**User group membership is recalculated on a scheduled interval
| Configuration | Server Infrastructure | :x: | :x: | :x: | :x: | :white_check_mark: | :x: | +|
**User Groups - Directory Service group membership**Server-side group membership can be linked to a database like LDAP/Active Directory
| Configuration | Server Infrastructure | :x: | :x: | :x: | :white_check_mark: | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | +|
**Shared iPad Mode support**Can configure and manage devices in Shared iPad Mode
| Shared iPad Mode | iPadOS | :grey_exclamation: Education only | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | :white_check_mark: | :white_check_mark: | +|
**App Lock - Single App Mode**Can lock a device into a single approved app, including handling to update the app with minimal disruption
| Configuration | iOS/iPadOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | :x: | +|
**Custom Scripts Deployment**Provides a secure way to distribute and orchestrate execution of arbitrary code in common scripting languages to (applicable) enrolled devices
| Configuration | Server Infrastructure | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | +|
**Restrictions - App Block List**Can reasonably intercept/prevent the execution of identified unwanted processes
| Configuration | Server Infrastructure | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark::heavy_dollar_sign: | :white_check_mark: | +|
**Supervise Device**Can establish a supervision 'relationship' with a device to provide enhanced MDM features like specific configuration profile payloads
| Configuration | macOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | +|
**Supervise Device**Same as above, for iOS/iPadOS devices
| Configuration | iOS/iPadOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | +|
**Automated Device Enrollment (ADE) support**Can support the enrollment and configuration of macOS devices using Device Enrollment
| Enrollment | macOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | +|
**Automated Device Enrollment (ADE) support**Same as above, for iOS/iPadOS devices
| Enrollment | iOS/iPadOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | +|
**ADE Package support**Allows admins to provide their own arbitrary executable code (e.g. contained in a package) to be delivered at time of ADE enrollment
| Enrollment | macOS | :white_check_mark: | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | +|
**ADE Automatic User Creation via Identity Provider (IdP)**The MDM can ensure device authentication at time of provisioning is associated with a user account in an external database/via an identity provider, like (generically) OIDC, Okta, OneLogin, Entra ID, Google Workspace, etc.
| Enrollment | macOS | :white_check_mark::heavy_dollar_sign: | :white_check_mark::heavy_dollar_sign: | :white_check_mark::heavy_dollar_sign: | :white_check_mark: | :white_check_mark: | :x: | +|
**Directory Integration - Okta**Zooming in on specific vendor support, can integrate and sync with Okta for at group/user visibilty/authentication
| Configuration | Server Infrastructure | :x: | :x: | :white_check_mark: SCIM | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | +|
**Directory Integration - Google Workspace **Same as above, for Google Workspace
| Configuration | Server Infrastructure | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | +|
**Directory Integration - Microsoft Entra ID**Same as above, for Entra ID
| Configuration | Server Infrastructure | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | +|
**Admin Portal - SSO Login**Admin interface supports SSO login via IdP/SAML/OAuth
| Identity | Server Infrastructure | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | +|
**Login Window replacement with IdP**Has supported offering to *replace* the native macOS login window with an interface for authenticating to an IdP
| Identity | macOS | :x: | :white_check_mark::heavy_dollar_sign: | :white_check_mark::heavy_dollar_sign: | :white_check_mark::heavy_dollar_sign: | :white_check_mark: | :white_check_mark: | :x: | :x: | +|
**IdP Password Sync with local account**Has offering to sync passwords from an IdP with the local macOS user account
| Identity | macOS | :x: | :white_check_mark::heavy_dollar_sign: | :white_check_mark::heavy_dollar_sign: | :white_check_mark::heavy_dollar_sign: | :white_check_mark: | :white_check_mark: | :x: | :x: | +|
**Admin-Custom Inventory Collection**Has mechanism to collect/display admin-provided custom/arbitrary inventory criteria, e.g. by enabling the running of scripts/binaries
| Inventory | Server Infrastructure | :x: | :white_check_mark: | :x: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | :white_check_mark: | +|
**Migration agent or package from previous MDM**Provides meaningful end-user facing/backend assistance to migrate/re-enroll devices previously enrolled in another MDM
| Migration | macOS | :x: | :x: | :white_check_mark: | :grey_exclamation: | :white_check_mark: | :x: | :x: | :grey_exclamation: | +|
**OS Updates**Follows spec to send commands that force devices to new minor or major macOS versions
| OS Update | macOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | +|
**OS Updates**Same as above, for iOS/iPadOS devices
| OS Update | iOS/iPadOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | +|
**OS Updates**Same as above, for tvOS devices
| OS Update | tvOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | +|
**Admin Portal - Custom Access Roles (RBAC)**Can arbitrarily allow/restrict R/W access to admin portal features for identified groups/users
| Configuration | Server Infrastructure | :x: | :white_check_mark: | :x: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | :white_check_mark: | +|
**Admin Portal - Pre-configured Roles (RBAC)**Groups pre-determined elsewhere can allow/restrict collections of features
| Configuration | Server Infrastructure | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | +|
**Reporting - Pre-canned**Basic reasonable display of practically useful/relevant data to operating the service without forcing export of logs for external visualizations
| Reporting | Server Infrastructure | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark::heavy_dollar_sign: | +|
**Reporting - Customize within Admin Portal**Capability to configure persistent metrics or visualizations of the relevant service data
| Reporting | Server Infrastructure | :x: | :grey_exclamation: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark::heavy_dollar_sign: | :white_check_mark::heavy_dollar_sign: | +|
**Built-In - Local Admin Password Solution (LAPS)**Can manage/rotate local admin account passwords
| Security | macOS | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | +|
**Baseline (Hardening) Pre-built Configs**Compliance/security-related baseline configuration adherence is natively handled and can be determined/targeted without undue admin effort
| Compliance | Server Infrastructure | :x: | :x: | :white_check_mark: | :white_check_mark: | :x: | :x: | :x: | +|
**Compliance Control**Explicit capabilities to enforce specific compliance controls on devices
| Compliance | Server Infrastructure | :x: | :x: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | :x: | +|
**Security Templates**Foundational/commonly-named security-specfic controls are built-in for applying without undue admin effort
| Security | Server Infrastructure | :x: | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | +|
**Sandbox instance**Supports/provides access to another instance of the service as an environment for isolating/validating service concerns or otherwise
| Sandbox | Server Infrastructure | :x: | :white_check_mark: | :grey_exclamation: | :x: | :x: | :x: | :white_check_mark: | +|
**Microsoft Conditional Access support**Directly powers/supports enabling/enforcing Microsoft conditional access policies
| Security | Server Infrastructure | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | | :white_check_mark: | +|
**Okta Device Trust support**Directly powers/supports enabling/enforcing Okta Device Trust
| Security | Server Infrastructure | :x: | :x: | :white_check_mark: | :x: | :white_check_mark: | :x: | +|
**Other conditional access support**Significantly enables similar policy engine-style access controls
| Security | Server Infrastructure | :x: | :white_check_mark: | | | | | | :white_check_mark: | diff --git a/Apple/MDM Table Definitions.md b/Apple/MDM Table Definitions.md deleted file mode 100644 index f7d241d..0000000 --- a/Apple/MDM Table Definitions.md +++ /dev/null 
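Review bot: Several added rows in this hunk have fewer cells than the 11-column header (Feature, Category, OS, then eight vendors), so the trailing vendors render as empty cells and a reader cannot tell "No" from "Not applicable" from "not yet evaluated": the "EDR/Antivirus product" iOS/iPadOS row stops after six vendor cells, "API - Non-standard" has one, "Apple Vision Pro support" has three, and "Other conditional access support" leaves five of its eight blank. Fill every row out to eight vendor cells, using :heavy_minus_sign: or :grey_question: where a value is not applicable or not yet assessed, and give the Intune cell of "Microsoft Conditional Access support" an explicit value instead of a blank, since a gap in that column for a Microsoft-named feature will be read as an oversight. Two smaller markup points: the "Local agent/binary" row carries a twelfth cell `| 1 |` after the Workspace ONE column that matches no header (it reads like a stray footnote marker; move it into the cell it annotates or drop it), and `**Directory Integration - Google Workspace **` has a space before the closing `**`, which stops Markdown from rendering the bold. Typos in the same hunk: "visibilty" and "for at group/user" in the Okta row, "security-specfic" in "Security Templates", and the doubled quote in `'messages 'pushed'` in "Email Alert". Finally, the "Custom Scripts Deployment" criterion says "a secure way to distribute and orchestrate execution of arbitrary code" but never states what earns the checkmark; because remote arbitrary code execution on every enrolled device is the highest-impact capability in the table, spell out the minimum (for instance: scripts delivered only over the authenticated MDM/agent channel, integrity-checked before they run, and each execution attributed in the audit log to the admin who queued it) so the seven checkmarks in that row are actually comparable.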
@@ -1,77 +0,0 @@ -### MDM Table Definitions - -| **Feature ** | **Category** | **OS** | **Definition** | -|---|---|---|---| -| **Local agent/binary** | Agent | macOS | MDM functionality-related GUI value-add, device or user-focused/facing | -| **CLI for local agent/binary** | Agent | macOS | Command line interface of vendor-maintained/deployed code that provides status/inventory or interaction with admin actions | -| **Native Teams Integration** | Alerts | Server Infrastructure | More than zero 'batteries included' capability provided to do as little as get admin status messages or as much as approval/creation/updating/deleting actions via 'chatops' | -| **Native Slack Integration** | Alerts | Server Infrastructure | Same as above | -| **Email Alerts** | Alerts | Server Infrastructure | More than zero 'batteries included' capability to have alerts 'pushed' from the MDM | -| **Generic Outgoing Webhook** | Alerts | Server Infrastructure | Near-realtime, 'consequential'/practically useful and configurable outbound HTTP POSTs in at least json if not protobuf/rpc format | -| **EDR/Antivirus product** | Antivirus | macOS | Either running locally on the computer or able to cause the MDM to use non-customer 'sourced' intelligence to detect/respond to malware etc. | -| **EDR/Antivirus product** | Antivirus | iOS/iPadOS | Non-customer 'sourced' intelligence to detect/respond to malware etc. 
| -| **Self Service App** | App Delivery | macOS | Device/user-focused/facing 'store' or way for end users to interact with info, 'curated' apps and/or scripts | -| **Self Service App** | App Delivery | iOS/iPadOS | Device/user-focused/facing 'store' or way for end users to interact with info or 'curated' apps | -| **Custom Cloud Content Distribution Network (CDN)** | Content Delivery | Server Infrastructure | At least some redundancy (multiple data center/region) capability to distribute at least apps if not also configs | -| **Custom On-Premises Content Distribution** | Content Delivery | Server Infrastructure | Some if not all MDM resources can be 'cached' and hosted within a trusted address space | -| **Apple Business/School Manager (ABM) VPP Token** | Apple Business Manager | Server Infrastructure | Minimally can access and account for app licenses purchased via 'AxM' (either program) | -| **Custom Configuration Profile support** | Configuration | macOS | Configuration profiles with arbitrary keys can be loaded in and distributed | -| **Custom Configuration Profile support** | Configuration | iOS/iPadOS | Same as above | -| **Built-in Notifications to end-user** | App Update | macOS | Without unreasonable admin effort can send practically useful notifications to enrolled computers | -| **Built-in Notifications to end-user** | App Update | iOS/iPadOS | Same as above but limited to notifications like at least app badging | -| **Forced App Installs (within MDM limitations)** | App Delivery | macOS | Assuming reasonable criteria for 'installed', can ensure the action occurs at least once (without VPP) | -| **Forced App Installs (within MDM limitations)** | App Delivery | iOS/iPadOS | Can ensure an app is 'locked' on a supervised device | -| **Forced App Updates (within MDM limitations)** | App Update | macOS | Can ensure when an app is already considered present it can be updated to a functional 'latest' version (without VPP) | -| **Forced App Updates (within MDM 
limitations)** | App Update | iOS/iPadOS | Can ensure a non-latest app version is updated to 'latest' | -| **Declarative Device Management support** | Device Management | macOS | Can leverage the updated protocol commands supported by Apple as defined in the [Apple Platform Deployment](https://support.apple.com/guide/deployment) guide | -| **Declarative Device Management support** | Device Management | iOS/iPadOS | Same, for iOS/iPadOS | -| **Declarative Device Management support** | Device Management | watchOS | Same, for watchOS | -| **Declarative Device Management support** | Device Management | visionOS | Same, for visionOS | -| **Apple TV support** | Apple TV | tvOS | Can manage Apple TV devices | -| **Apple Watch support** | Apple Watch | watchOS | Can manage Apple Watch devices | -| **Apple Vision Pro support** | Apple Vision Pro | visionOS | Can manage Apple Vision Pro devices | -| **API - Public Documentation** | Automation | Server Infrastructure | Provides usable documentation for an API without undue access restrictions | -| **API - REST standards** | Automation | Server Infrastructure | API is built with reasonable industry standard design, e.g. 
supporting [CRUD](https://en.wikipedia.org/wiki/Create,_read,_update_and_delete) interactions | -| **API - Swagger Documentation** | Automation | Server Infrastructure | Provides API documentation using the [Swagger](https://swagger.io/) or a similar browser-based way to simulate interactions | -| **API - Non-standard** | Automation | Server Infrastructure | While not RESTful, an API surface is provided in a reasonably consumable format at all | -| **Offline mode** | Agent | macOS | When 'air-gap'd or otherwise without server connectivity, can use local agent/binary to enforce some (non-config profile) policies | -| **Blueprint Configuration framework** | Configuration | Server Infrastructure | A working abstraction is present to make configuration/tasks reusable across devices, resources, and/or users/groups | -| **Device Group Membership - Automatic sync** | Configuration | Server Infrastructure | Calculation of device group membership happens in near-to-constant time, based on practical attributes | -| **Device Group Membership - Interval sync** | Configuration | Server Infrastructure | Device group membership is recalculated on a scheduled interval, rather than close-to-realtime | -| **User Group Membership - Automatic sync** | Configuration | Server Infrastructure | Calculation of user group membership happens in near-to-constant time, based on practical attributes | -| **User Groups Membership - Interval sync** | Configuration | Server Infrastructure | User group membership is recalculated on a scheduled interval, rather than close-to-realtime | -| **User Groups - Directory Service group membership** | Configuration | Server Infrastructure | Can be linked to a user database like LDAP/Active Directory to automatically sync at least the administrator access group | -| **Shared iPad Mode support** | Shared iPad Mode | iPadOS | Can configure and manage devices in Shared iPad Mode | -| **App Lock - Single App Mode** | Configuration | iOS/iPadOS | Can lock a device 
into a single approved app, including management to update the app without disruption | -| **Custom Scripts deployed from Admin Portal** | Configuration | Server Infrastructure | Provides a secure way to distribute arbitrary code in common scripting languages on enrolled devices | -| **Restrictions - App Block List** | Configuration | Server Infrastructure | Can reasonably intercept or prevent the execution of identified unwanted app bundles | -| **Supervise Device** | Configuration | macOS | Can establish a supervision 'relationship' with a device to provide enhanced MDM features and enable configuration profile payloads | -| **Supervise Device** | Configuration | iOS/iPadOS | Same, for iOS/iPadOS devices | -| **Apple Business/School Manager (ABM/ASM) MDM Token** | Apple Business Manager | Server Infrastructure | Conforms to all reasonably required parts of the spec needed to integrate with and leverage an ABM/ASM MDM token, including VPP | -| **Automated Device Enrollment (ADE) support** | Enrollment | macOS | Can support the enrollment and configuration of iOS/iPadOS devices using Device Enrollment | -| **Automated Device Enrollment (ADE) support** | Enrollment | iOS/iPadOS | Same, but for iOS/iPadOS devices | -| **Admin-created ADE Package support** | Enrollment | macOS | Allows admins to provide arbitrary executable code (e.g. 
contained in a package) to be delivered at time of ADE enrollment | -| **ADE Automatic User Creation from Identity Provider (IdP), like OIDC, Entra ID, Okta, Google Workspace,etc)** | Enrollment | macOS | The MDM can mark or designate a device as being associated with a user account in the external database | -| **Directory Integration - Okta** | Configuration | Server Infrastructure | Can integrate and sync with Okta for at least some group member visibilty and user authentication | -| **Directory Integration - Google Workspace ** | Configuration | Server Infrastructure | Same as above, but with Google Workspace as the external user/group database | -| **Directory Integration - Microsoft Entra ID** | Configuration | Server Infrastructure | Same as above, but with Microsoft Entra | -| **Admin Portal - SSO Login** | Identity | Server Infrastructure | Admin inteface supports SSO login via IdP like SAML, OAuth | -| **Login Window replacement with IdP** | Identity | macOS | Has offering to replace the native macOS login window with one integrated with an IdP | -| **IdP Password Sync with local account** | Identity | macOS | Has offering to sync passwords from an IdP with the local macOS user account | -| **Extension Attributes or equivalent** | Inventory | Server Infrastructure | Can at least display arbitrary inventory criteria, e.g. 
by enabling the running of custom code | -| **Migration agent or package from previous MDM** | Migration | macOS | Provides meaningful end-user facing assistance to migrate devices from another MDM | -| **OS Updates** | OS Update | macOS | Can send commands that force devices to new minor or major macOS versions | -| **OS Updates** | OS Update | iOS/iPadOS | Same, but for iOS/iPadOS versions | -| **OS Updates** | OS Update | tvOS | Sames, but for tvOS versions | -| **Admin Portal - Custom Access Roles (RBAC)** | Configuration | Server Infrastructure | Can allow/restrict R/W access to admin portal features granularly | -| **Admin Portal - Pre-configured Roles (RBAC)** | Configuration | Server Infrastructure | Abstraction of groups in MDM can allow/restrict collections of features | -| **Reporting - Built in to Admin Portal (no need to export data for manipulation)** | Reporting | Server Infrastructure | Basic reasonable configurations or modifications to display data like e.g. sorting columns are built-in | -| **Reporting - Customize within Admin Portal** | Reporting | Server Infrastructure | The ability to configure high-level metrics or visualizations of the data for optimized decision making can be stored as at least a single user preference | -| **Local Admin Password Solution (LAPS)** | Security | macOS | Can manage rotation of local admin account passwords | -| **Baselines (Hardening) Pre-built configs** | Compliance | Server Infrastructure | Regulated industry compliance/security-related baseline configurations are built-in and can be applied to device groups without significant admin effort | -| **Compliance Control** | Compliance | Server Infrastructure | Explicit capabilities in agent to continuously enforce compliance controls | -| **Security Templates** | Security | Server Infrastructure | Foundational set of controls are built-in, distinguished as being good basic security hygiene for non-personal devices but not as strict as a regulated industry would 
demand | -| **Sandbox instance** | Sandbox | Server Infrastructure | (Within reason) has offering that supports/provides access to evaluating stable functionality and/or preview new releases with a resonable approximation of 'production' configs/resources | -| **Microsoft Conditional Access support** | Security | Server Infrastructure | Can assist in enabling and enforcing Microsoft conditional access policies | -| **Okta Device Trust support** | Security | Server Infrastructure | Can assist in enabling and enforcing device trust policies from Okta | -| **Other conditional access support** | Security | Server Infrastructure | Either supports other 3rd parties or significantly enables similar policy engine-style access controls | From d38f1410254b6546245e233fb33f6de65643dc27 Mon Sep 17 00:00:00 2001 From: Allister Banks Date: Mon, 7 Oct 2024 23:30:05 +0900 Subject: [PATCH 3/4] re-sync interim changes from other MRs Should make my fork in step with other merges, although I did tweak the 'Forced' ones to start with 'Enforced' and made it consistent that iOS/iPad always comes after macOS --- Apple/MDM Comparison Table.md | 159 +++++++++++++++++----------------- 1 file changed, 79 insertions(+), 80 deletions(-) diff --git a/Apple/MDM Comparison Table.md b/Apple/MDM Comparison Table.md index b400f50..43b0a5b 100644 --- a/Apple/MDM Comparison Table.md +++ b/Apple/MDM Comparison Table.md @@ -2,13 +2,13 @@ ___ > Check out my Blog that started this all: [Evaluating Apple MDM Products | SysManSquad](https://sysmansquad.com/2022/05/03/2022-05-03-evaluating-apple-mdm-products) ___ - # Simple table comparing some basic features of Apple MDM products -### Key +## Key -| **:white_check_mark:** | **Yes** | +| **Icon/Term** | *Description* | |---------------------------|---------------------------------------------------| +| **:white_check_mark:** | Yes | | **:x:** | No | | **:grey_exclamation:** | Maybe or Partial | | **:heavy_minus_sign:** | Not Applicable | 
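Review bot: Deleting "Apple/MDM Table Definitions.md" drops at least one criterion that the inline definitions added to the comparison table in the previous hunk do not carry over: the definitions file lists both "Apple Business/School Manager (ABM) VPP Token" and "Apple Business/School Manager (ABM/ASM) MDM Token" ("Conforms to all reasonably required parts of the spec needed to integrate with and leverage an ABM/ASM MDM token, including VPP"), while the table gains only "Apple Business/School Manager (AxM) VPP Token". Either add an MDM Token row to the table or state in the commit message that the criterion was deliberately folded into the VPP row. If this file only exists because an earlier patch in the same series created it, consider squashing the creation and deletion so the history does not introduce and then remove 77 lines that never ship, and grep the repository for links to the deleted path before merging.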
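Review bot: The new Key header row `| **Icon/Term** | *Description* |` bolds one cell and italicises the other; use the same emphasis for both, matching the bold header cells used elsewhere in the file (for example `| **Feature** | **Category** | **OS** |`). Promoting "### Key" to "## Key" makes it a direct subsection of the H1, which is consistent with the "## MDM Comparison Table" promotion in the same hunk; just confirm no other "###" section heading in the file is left at the old level.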
@@ -18,84 +18,83 @@ ___ | **macOS** | Feature for macOS | | **iOS/iPadOS** | Feature for iOS flavors: iPhoneOS, iPadOS, iPodOS | | **tvOS** | Feature for tvOS (Apple TV) | -| **Server Infrastructure** | Infrastructure feature, not OS-specific | | **watchOS** | Feature for watchOS (Apple Watch) | | **visionOS** | Feature for visionOS (Apple Vision Pro) | +| **Server Infrastructure** | Infrastructure feature, not OS-specific | +## MDM Comparison Table -### MDM Comparison Table - -| **Feature** | **Category** | **OS** | **Meraki SM** | **Jamf** | **Kandji** | **Mosyle** | **Addigy** | **JumpCloud** | **Intune** | **Workspace ONE** | -|---|---|---|---|---|---|---|---|---|---|---| -|
**Local agent/binary**A vendor-provided GUI app for installation on the local Mac, used to provide capabilities beyond Apple's Device Management framework or notifications. Uses the vendors communication protocol rather that APNS
| Agent | macOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | 1 | -|
**CLI for local agent/binary**Command line interface of vendor-maintained/deployed code that provides status/inventory or interaction with admin actions
| Agent | macOS | :x: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | :x: | :x: | :white_check_mark: | -|
**Native Teams Integration**'Batteries included' capability to send as little as admin/monitoring/status messages or as much as approval/creation/update/deletion actions via 'chatops'
| Alerts | Server Infrastructure | :x: | :x: | :white_check_mark: | :x: | :grey_exclamation::asterisk::heavy_dollar_sign: | :x: | :x: | :x: | -|
**Native Slack Integration**Same detail as above
| Alerts | Server Infrastructure | :x: | :x: | :white_check_mark: | :x: | :grey_exclamation::asterisk::heavy_dollar_sign: | :x: | :x: | :x: | -|
**Email Alert**'Batteries included' capability to have 'messages 'pushed' from the MDM
| Alerts | Server Infrastructure | :white_check_mark: | :white_check_mark::asterisk: | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | -|
**Generic Outgoing Webhook**Near-realtime, 'consequential'/to some extent practically useful, outbound HTTP POSTs in at least json if not protobuf/rpc format
| Alerts | Server Infrastructure | :white_check_mark: | :white_check_mark: | :x: | :x: | :x: | :x: | :x: | -|
**EDR/Antivirus product**Either running locally on the computer or able to cause the MDM to use non-customer 'sourced' intelligence to detect/respond to malware etc.
| Antivirus | macOS | :grey_question: | :white_check_mark::heavy_dollar_sign: | :white_check_mark::heavy_dollar_sign: | :white_check_mark::heavy_dollar_sign: | :white_check_mark::heavy_dollar_sign: | :x: | :white_check_mark::heavy_dollar_sign: | :white_check_mark::heavy_dollar_sign: | -|
**EDR/Antivirus product**Non-customer 'sourced' intelligence to detect/respond to malware etc.
| Antivirus | iOS/iPadOS | :grey_question: | :x: | :x: | :x: | :white_check_mark::heavy_dollar_sign: | :x: | -|
**Self Service App**Device/user-focused/facing 'store/catalog' or way for end users to interact with info, 'curated' apps/scripts
| App Delivery | macOS | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | :white_check_mark: | -|
**Self Service App**Device/user-focused/facing 'store/catalog' or way for end users to interact with info or 'curated' apps/functions
| App Delivery | iOS/iPadOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | :white_check_mark: | :white_check_mark: | -|
**Custom Cloud Content Distribution Network (CDN)**Vendor-facilitated hosting with at least some redundancy (multiple data center/region), to distribute apps/assets/configs
| Content Delivery | Server Infrastructure | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | -|
**Custom On-Premises Content Distribution**Some applicable resources can be 'cached' and hosted within a known network/cloud provider region/address space
| Content Delivery | Server Infrastructure | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | -|
**Apple Business/School Manager (AxM) VPP Token**Can access and account for app licenses purchased via either applicable program
| Apple Business Manager | Server Infrastructure | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | -|
**Custom Configuration Profile/Declaration/Command support**At least custom configuration profiles (containing arbitrary domains/keys/values/'depths'/data structures, as long as valid in the spec/XML) can be loaded in and distributed with some parity to other 'baked-in' payloads/commands
| Configuration | macOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | -|
**Custom Configuration Profile/Declaration/Command support**Same detail as above
| Configuration | iOS/iPadOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | -|
**Built-in Notifications to device**'Batteries included' capability to send practically useful notifications to enrolled computers
| App Update | macOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | :white_check_mark: | -|
**Built-in Notifications to device**Same as above but within platform constraints e.g. vendor's app badging/'toaster' banners
| App Update | iOS/iPadOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | :white_check_mark: | :white_check_mark: | -|
**Enforced Installs**Assuming reasonable criteria for success, can ensure installation occurs when app not present & without MDM protocol/VPP
| App Delivery | macOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | -|
**Enforced Installs**Within platform limitations, ensure an app is 'locked' on a managed/supervised device
| App Delivery | iOS/iPadOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | -|
**Enforced Updates**Can ensure when an app is already considered present it can be updated to a functional desired version (without VPP)
| App Update | macOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | -|
**Enforced Updates**Can ensure a non-latest app version is updated to functional desired version
| App Update | iOS/iPadOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | -|
**Declarative Device Management support**Can leverage the updated protocol commands supported by Apple as defined in the [Apple Platform Deployment](https://support.apple.com/guide/deployment) guide
| Device Management | macOS | :grey_question: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | :x: | -|
**Declarative Device Management support**Same, for applicable platform
| Device Management | iOS/iPadOS | :grey_question: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | :white_check_mark: beta | -|
**Declarative Device Management support**Same, for applicable platform
| Device Management | watchOS | :grey_question: | :x: | :x: | :x: | -|
**Declarative Device Management support**Same, for applicable platform
| Device Management | visionOS | :grey_question: | :x: | :x: | :x: | -|
**Apple TV support**Can manage applicable platform
| Apple TV | tvOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | -|
**Apple Watch support**Can manage applicable platform
| Apple Watch | watchOS | :white_check_mark: | :x: | :x: | :x: | -|
**Apple Vision Pro support**Can manage applicable platform
| Apple Vision Pro | visionOS | :x: | :x: | :x: | -|
**API - Public Documentation**Provides usable documentation/browser for API endpoints without undue access restriction
| Automation | Server Infrastructure | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | -|
**API - REST standards**API is built with reasonable industry standard design, e.g. versioned with consistent URL structure, supports [CRUD](https://en.wikipedia.org/wiki/Create,_read,_update_and_delete) interactions, is not e.g. SOAP or arcane
| Automation | Server Infrastructure | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | -|
**API - Interactive browser/executable support**Provides confirmation/browsing of some API functionality via a browser like [Swagger](https://swagger.io/)/[Postman](https://www.postman.com) or a similar way to simulate/perform interactions
| Automation | Server Infrastructure | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | :white_check_mark: | :grey_exclamation: | :white_check_mark: | -|
**API - Non-standard**While not RESTful, an API 'surface' is provided in a reasonably consumable format at all for practically useful needs
| Automation | Server Infrastructure | :white_check_mark: | -|
**Offline mode**When 'air-gap'd or otherwise without server connectivity, can use local agent/binary to enforce (non-config profile) configurations
| Agent | macOS | :x: | :white_check_mark: | :x: | :x: | :grey_exclamation: | :x: | -|
**Blueprint Configuration framework**A working abstraction is present to make configuration/assets/tasks reusable across devices, resources, and/or users/groups
| Configuration | Server Infrastructure | :x: | :x: | :x: | :white_check_mark: | :x: | -|
**Device Groups - Attribute-based membership - Automatic updates**Calculation of device group membership happens in near-to-constant time, based on practical attributes
| Configuration | Server Infrastructure | :x: | :white_check_mark: | :x: | :grey_exclamation: | :white_check_mark: | :white_check_mark: | :grey_exclamation: | :white_check_mark: | -|
**Device Groups - Attribute-based membership - Interval updates**Device group membership is recalculated on a scheduled interval
| Configuration | Server Infrastructure | :x: | :x: | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | -|
**User Groups - Attribute-based membership - Automatic updates**Calculation of user group membership happens in near-to-constant time, based on practical attributes
| Configuration | Server Infrastructure | :x: | :white_check_mark: | :x: | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | -|
**User Groups - Attribute-based membership - Interval updates**User group membership is recalculated on a scheduled interval
| Configuration | Server Infrastructure | :x: | :x: | :x: | :x: | :white_check_mark: | :x: | -|
**User Groups - Directory Service group membership**Server-side group membership can be linked to a database like LDAP/Active Directory
| Configuration | Server Infrastructure | :x: | :x: | :x: | :white_check_mark: | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | -|
**Shared iPad Mode support**Can configure and manage devices in Shared iPad Mode
| Shared iPad Mode | iPadOS | :grey_exclamation: Education only | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | :white_check_mark: | :white_check_mark: | -|
**App Lock - Single App Mode**Can lock a device into a single approved app, including handling to update the app with minimal disruption
| Configuration | iOS/iPadOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | :x: | -|
**Custom Scripts Deployment**Provides a secure way to distribute and orchestrate execution of arbitrary code in common scripting languages to (applicable) enrolled devices
| Configuration | Server Infrastructure | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | -|
**Restrictions - App Block List**Can reasonably intercept/prevent the execution of identified unwanted processes
| Configuration | Server Infrastructure | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark::heavy_dollar_sign: | :white_check_mark: | -|
**Supervise Device**Can establish a supervision 'relationship' with a device to provide enhanced MDM features like specific configuration profile payloads
| Configuration | macOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | -|
**Supervise Device**Same as above, for iOS/iPadOS devices
| Configuration | iOS/iPadOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | -|
**Automated Device Enrollment (ADE) support**Can support the enrollment and configuration of macOS devices using Device Enrollment
| Enrollment | macOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | -|
**Automated Device Enrollment (ADE) support**Same as above, for iOS/iPadOS devices
| Enrollment | iOS/iPadOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | -|
**ADE Package support**Allows admins to provide their own arbitrary executable code (e.g. contained in a package) to be delivered at time of ADE enrollment
| Enrollment | macOS | :white_check_mark: | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | -|
**ADE Automatic User Creation via Identity Provider (IdP)**The MDM can ensure device authentication at time of provisioning is associated with a user account in an external database/via an identity provider, like (generically) OIDC, Okta, OneLogin, Entra ID, Google Workspace, etc.
| Enrollment | macOS | :white_check_mark::heavy_dollar_sign: | :white_check_mark::heavy_dollar_sign: | :white_check_mark::heavy_dollar_sign: | :white_check_mark: | :white_check_mark: | :x: | -|
**Directory Integration - Okta**Zooming in on specific vendor support, can integrate and sync with Okta for at group/user visibilty/authentication
| Configuration | Server Infrastructure | :x: | :x: | :white_check_mark: SCIM | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | -|
**Directory Integration - Google Workspace **Same as above, for Google Workspace
| Configuration | Server Infrastructure | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | -|
**Directory Integration - Microsoft Entra ID**Same as above, for Entra ID
| Configuration | Server Infrastructure | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | -|
**Admin Portal - SSO Login**Admin interface supports SSO login via IdP/SAML/OAuth
| Identity | Server Infrastructure | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | -|
**Login Window replacement with IdP**Has supported offering to *replace* the native macOS login window with an interface for authenticating to an IdP
| Identity | macOS | :x: | :white_check_mark::heavy_dollar_sign: | :white_check_mark::heavy_dollar_sign: | :white_check_mark::heavy_dollar_sign: | :white_check_mark: | :white_check_mark: | :x: | :x: | -|
**IdP Password Sync with local account**Has offering to sync passwords from an IdP with the local macOS user account
| Identity | macOS | :x: | :white_check_mark::heavy_dollar_sign: | :white_check_mark::heavy_dollar_sign: | :white_check_mark::heavy_dollar_sign: | :white_check_mark: | :white_check_mark: | :x: | :x: | -|
**Admin-Custom Inventory Collection**Has mechanism to collect/display admin-provided custom/arbitrary inventory criteria, e.g. by enabling the running of scripts/binaries
| Inventory | Server Infrastructure | :x: | :white_check_mark: | :x: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | :white_check_mark: | -|
**Migration agent or package from previous MDM**Provides meaningful end-user facing/backend assistance to migrate/re-enroll devices previously enrolled in another MDM
| Migration | macOS | :x: | :x: | :white_check_mark: | :grey_exclamation: | :white_check_mark: | :x: | :x: | :grey_exclamation: | -|
**OS Updates**Follows spec to send commands that force devices to new minor or major macOS versions
| OS Update | macOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | -|
**OS Updates**Same as above, for iOS/iPadOS devices
| OS Update | iOS/iPadOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | -|
**OS Updates**Same as above, for tvOS devices
| OS Update | tvOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | -|
**Admin Portal - Custom Access Roles (RBAC)**Can arbitrarily allow/restrict R/W access to admin portal features for identified groups/users
| Configuration | Server Infrastructure | :x: | :white_check_mark: | :x: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | :white_check_mark: | -|
**Admin Portal - Pre-configured Roles (RBAC)**Groups pre-determined elsewhere can allow/restrict collections of features
| Configuration | Server Infrastructure | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | -|
**Reporting - Pre-canned**Basic reasonable display of practically useful/relevant data to operating the service without forcing export of logs for external visualizations
| Reporting | Server Infrastructure | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark::heavy_dollar_sign: | -|
**Reporting - Customize within Admin Portal**Capability to configure persistent metrics or visualizations of the relevant service data
| Reporting | Server Infrastructure | :x: | :grey_exclamation: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark::heavy_dollar_sign: | :white_check_mark::heavy_dollar_sign: | -|
**Built-In - Local Admin Password Solution (LAPS)**Can manage/rotate local admin account passwords
| Security | macOS | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | -|
**Baseline (Hardening) Pre-built Configs**Compliance/security-related baseline configuration adherence is natively handled and can be determined/targeted without undue admin effort
| Compliance | Server Infrastructure | :x: | :x: | :white_check_mark: | :white_check_mark: | :x: | :x: | :x: | -|
**Compliance Control**Explicit capabilities to enforce specific compliance controls on devices
| Compliance | Server Infrastructure | :x: | :x: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | :x: | -|
**Security Templates**Foundational/commonly-named security-specfic controls are built-in for applying without undue admin effort
| Security | Server Infrastructure | :x: | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | -|
**Sandbox instance**Supports/provides access to another instance of the service as an environment for isolating/validating service concerns or otherwise
| Sandbox | Server Infrastructure | :x: | :white_check_mark: | :grey_exclamation: | :x: | :x: | :x: | :white_check_mark: | -|
**Microsoft Conditional Access support**Directly powers/supports enabling/enforcing Microsoft conditional access policies
| Security | Server Infrastructure | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | | :white_check_mark: | -|
**Okta Device Trust support**Directly powers/supports enabling/enforcing Okta Device Trust
| Security | Server Infrastructure | :x: | :x: | :white_check_mark: | :x: | :white_check_mark: | :x: | -|
**Other conditional access support**Significantly enables similar policy engine-style access controls
| Security | Server Infrastructure | :x: | :white_check_mark: | | | | | | :white_check_mark: | +| **Feature** | **Category** | **OS** | **Meraki SM** | **Jamf** | **Kandji** | **Mosyle** | **Addigy** | **JumpCloud** | **Intune** | **Workspace ONE** | **Rippling** | +|---|---|---|---|---|---|---|---|---|---|---|---| +|
**Local agent/binary**A vendor-provided GUI app for installation on the local Mac, used to provide capabilities beyond Apple's Device Management framework or notifications. Uses the vendors communication protocol rather that APNS
| Agent | macOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | +|
**CLI for local agent/binary**Command line interface of vendor-maintained/deployed code that provides status/inventory or interaction with admin actions
| Agent | macOS | :x: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | :x: | :x: | :white_check_mark: | :x: | +|
**Native Teams Integration**'Batteries included' capability to send as little as admin/monitoring/status messages or as much as approval/creation/update/deletion actions via 'chatops'
| Alerts | Server Infrastructure | :x: | :x: | :white_check_mark: | :x: | :grey_exclamation::asterisk::heavy_dollar_sign: | :x: | :x: | :x: | :white_check_mark: | +|
**Native Slack Integration**Same detail as above
| Alerts | Server Infrastructure | :x: | :x: | :white_check_mark: | :x: | :grey_exclamation::asterisk::heavy_dollar_sign: | :x: | :x: | :x: | :white_check_mark: | +|
**Email Alert**'Batteries included' capability to have 'messages 'pushed' from the MDM
| Alerts | Server Infrastructure | :white_check_mark: | :white_check_mark::asterisk: | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | +|
**Generic Outgoing Webhook**Near-realtime, 'consequential'/to some extent practically useful, outbound HTTP POSTs in at least json if not protobuf/rpc format
| Alerts | Server Infrastructure | :white_check_mark: | :white_check_mark: | :x: | :x: | :x: | :x: | :x: | | :white_check_mark: | +|
**EDR/Antivirus product**Either running locally on the computer or able to cause the MDM to use non-customer 'sourced' intelligence to detect/respond to malware etc.
| Antivirus | macOS | :grey_question: | :white_check_mark::heavy_dollar_sign: | :white_check_mark::heavy_dollar_sign: | :white_check_mark::heavy_dollar_sign: | :white_check_mark::heavy_dollar_sign: | :x: | :white_check_mark::heavy_dollar_sign: | :white_check_mark::heavy_dollar_sign: | :white_check_mark::heavy_dollar_sign: | +|
**EDR/Antivirus product**Non-customer 'sourced' intelligence to detect/respond to malware etc.
| Antivirus | iOS/iPadOS | :grey_question: | :x: | :x: | :x: | :white_check_mark::heavy_dollar_sign: | :x: | | | :x: | +|
**Self Service App**Device/user-focused/facing 'store/catalog' or way for end users to interact with info, 'curated' apps/scripts
| App Delivery | macOS | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | :white_check_mark: | :x: | +|
**Self Service App**Device/user-focused/facing 'store/catalog' or way for end users to interact with info or 'curated' apps/functions
|| App Delivery | iOS/iPadOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | :white_check_mark: | :white_check_mark: | :x: | +|
**Custom Cloud Content Distribution Network (CDN)**Vendor-facilitated hosting with at least some redundancy (multiple data center/region), to distribute apps/assets/configs
| Content Delivery | Server Infrastructure | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | +|
**Custom On-Premises Content Distribution**Some applicable resources can be 'cached' and hosted within a known network/cloud provider region/address space
| Content Delivery | Server Infrastructure | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | | | | :x: | +|
**Apple Business/School Manager (AxM) VPP Token**Can access and account for app licenses purchased via either applicable program
| Apple Business Manager | Server Infrastructure | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | +|
**Custom Configuration Profile/Declaration/Command support**At least custom configuration profiles (containing arbitrary domains/keys/values/'depths'/data structures, as long as valid in the spec/XML) can be loaded in and distributed with some parity to other 'baked-in' payloads/commands
| Configuration | macOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | +|
**Custom Configuration Profile/Declaration/Command support**Same detail as above
| Configuration | iOS/iPadOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | +|
**Built-in Notifications to device**'Batteries included' capability to send practically useful notifications to enrolled computers
| App Update | macOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | :white_check_mark: | |:white_check_mark: | +|
**Built-in Notifications to device**Same as above but within platform constraints e.g. vendor's app badging/'toaster' banners
| App Update | iOS/iPadOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | :white_check_mark: | :white_check_mark: | | :x: | +|
**Enforced Installs**Assuming reasonable criteria for success, can ensure installation occurs when app not present & without MDM protocol/VPP
| App Delivery | iOS/iPadOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | +|
**Enforced Installs**Within platform limitations, ensure an app is 'locked' on a managed/supervised device
| App Delivery | macOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | +|
**Enforced Updates**Can ensure when an app is already considered present it can be updated to a functional desired version (without VPP)
| App Update | iOS/iPadOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | +|
**Enforced Updates**Can ensure a non-latest app version is updated to functional desired version
| App Update | macOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | +|
**Declarative Device Management support**Can leverage the updated protocol commands supported by Apple as defined in the [Apple Platform Deployment](https://support.apple.com/guide/deployment) guide
| Device Management | macOS | :grey_question: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | :x: | :white_check_mark: | +|
**Declarative Device Management support**Same, for applicable platform
| Device Management | iOS/iPadOS | :grey_question: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | :white_check_mark: beta | :x: | +|
**Declarative Device Management support**Same, for applicable platform
| Device Management | watchOS | :grey_question: | :x: | :x: | :x: | | | | | :x: | +|
**Declarative Device Management support**Same, for applicable platform
| Device Management | visionOS | :grey_question: | :x: | :x: | :x: | | | | | :x: | +|
**Apple TV support**Can manage applicable platform
| Apple TV | tvOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | :x: | +|
**Apple Watch support**Can manage applicable platform
| Apple Watch | watchOS | :white_check_mark: | :x: | :x: | :x: | | | | | :x: | +|
**Apple Vision Pro support**Can manage applicable platform
| Apple Vision Pro | visionOS | :x: | :x: | :x: | | | | | | :x: | +|
**API - Public Documentation**Provides usable documentation/browser for API endpoints without undue access restriction
| Automation | Server Infrastructure | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | +|
**API - REST standards**API is built with reasonable industry standard design, e.g. versioned with consistent URL structure, supports [CRUD](https://en.wikipedia.org/wiki/Create,_read,_update_and_delete) interactions, is not e.g. SOAP or arcane
| Automation | Server Infrastructure | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | :white_check_mark: | +|
**API - Interactive browser/executable support**Provides confirmation/browsing of some API functionality via a browser like [Swagger](https://swagger.io/)/[Postman](https://www.postman.com) or a similar way to simulate/perform interactions
| Automation | Server Infrastructure | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | :white_check_mark: | :grey_exclamation: | :white_check_mark: | | +|
**API - Non-standard**While not RESTful, an API 'surface' is provided in a reasonably consumable format at all for practically useful needs
| Automation | Server Infrastructure | :white_check_mark: | | | | | | | | | +|
**Offline mode**When 'air-gap'd or otherwise without server connectivity, can use local agent/binary to enforce (non-config profile) configurations
| Agent | macOS | :x: | :white_check_mark: | :grey_exclamation: Parameters only | :x: | :grey_exclamation: | :x: | | | :white_check_mark: | +|
**Blueprint Configuration framework**A working abstraction is present to make configuration/assets/tasks reusable across devices, resources, and/or users/groups
| Configuration | Server Infrastructure | :x: | :x: | :x: | :white_check_mark: | :x: | | | | | +|
**Device Groups - Attribute-based membership - Automatic updates**Calculation of device group membership happens in near-to-constant time, based on practical attributes
| Configuration | Server Infrastructure | :x: | :white_check_mark: | :x: | :grey_exclamation: | :white_check_mark: | :white_check_mark: | :grey_exclamation: | :white_check_mark: | :white_check_mark: | +|
**Device Groups - Attribute-based membership - Interval updates**Device group membership is recalculated on a scheduled interval
| Configuration | Server Infrastructure | :x: | :x: | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | | :white_check_mark: | +|
**User Groups - Attribute-based membership - Automatic updates**Calculation of user group membership happens in near-to-constant time, based on practical attributes
| Configuration | Server Infrastructure | :x: | :white_check_mark: | :x: | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | :white_check_mark: | +|
**User Groups - Attribute-based membership - Interval updates**User group membership is recalculated on a scheduled interval
| Configuration | Server Infrastructure | :x: | :x: | :x: | :x: | :white_check_mark: | :x: | | | :white_check_mark: | +|
**User Groups - Directory Service group membership**Server-side group membership can be linked to a database like LDAP/Active Directory
| Configuration | Server Infrastructure | :x: | :x: | :x: | :white_check_mark: | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | +|
**Shared iPad Mode support**Can configure and manage devices in Shared iPad Mode
| Shared iPad Mode | iPadOS | :grey_exclamation: Education only | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | :white_check_mark: | :x: | +|
**App Lock - Single App Mode**Can lock a device into a single approved app, including handling to update the app with minimal disruption
| Configuration | iOS/iPadOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | :x: | :x: | +|
**Custom Scripts Deployment**Provides a secure way to distribute and orchestrate execution of arbitrary code in common scripting languages to (applicable) enrolled devices
| Configuration | Server Infrastructure | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | +|
**Restrictions - App Block List**Can reasonably intercept/prevent the execution of identified unwanted processes
| Configuration | Server Infrastructure | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark::heavy_dollar_sign: | :white_check_mark: | :white_check_mark: | +|
**Supervise Device**Can establish a supervision 'relationship' with a device to provide enhanced MDM features like specific configuration profile payloads
| Configuration | macOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | +|
**Supervise Device**Same as above, for iOS/iPadOS devices
| Configuration | iOS/iPadOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | +|
**Automated Device Enrollment (ADE) support**Can support the enrollment and configuration of macOS devices using Device Enrollment
| Enrollment | macOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | +|
**Automated Device Enrollment (ADE) support**Same as above, for iOS/iPadOS devices
| Enrollment | iOS/iPadOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | +|
**ADE Package support**Allows admins to provide their own arbitrary executable code (e.g. contained in a package) to be delivered at time of ADE enrollment
| Enrollment | macOS | :white_check_mark: | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | | | +|
**ADE Automatic User Creation via Identity Provider (IdP)**The MDM can ensure device authentication at time of provisioning is associated with a user account in an external database/via an identity provider, like (generically) OIDC, Okta, OneLogin, Entra ID, Google Workspace, etc.
| Enrollment | macOS | :white_check_mark::heavy_dollar_sign: | :white_check_mark::heavy_dollar_sign: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | | | :x: | +|
**Directory Integration - Okta**Zooming in on specific vendor support, can integrate and sync with Okta for at group/user visibilty/authentication
| Configuration | Server Infrastructure | :x: | :x: | :white_check_mark: SCIM | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | :x: | +|
**Directory Integration - Google Workspace **Same as above, for Google Workspace
| Configuration | Server Infrastructure | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | | :x: | +|
**Directory Integration - Microsoft Entra ID**Same as above, for Entra ID
| Configuration | Server Infrastructure | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | +|
**Admin Portal - SSO Login**Admin interface supports SSO login via IdP/SAML/OAuth
| Identity | Server Infrastructure | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | +|
**Login Window replacement with IdP**Has supported offering to *replace* the native macOS login window with an interface for authenticating to an IdP
| Identity | macOS | :x: | :white_check_mark::heavy_dollar_sign: | :white_check_mark: | :white_check_mark::heavy_dollar_sign: | :white_check_mark: | :white_check_mark: | :x: | :x: | :x: | +|
**IdP Password Sync with local account**Has offering to sync passwords from an IdP with the local macOS user account
| Identity | macOS | :x: | :white_check_mark::heavy_dollar_sign: | :white_check_mark: | :white_check_mark::heavy_dollar_sign: | :white_check_mark: | :white_check_mark: | :x: | :x: | :x: | +|
**Admin-Custom Inventory Collection**Has mechanism to collect/display admin-provided custom/arbitrary inventory criteria, e.g. by enabling the running of scripts/binaries
| Inventory | Server Infrastructure | :x: | :white_check_mark: | :x: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | :white_check_mark: | | +|
**Migration agent or package from previous MDM**Provides meaningful end-user facing/backend assistance to migrate/re-enroll devices previously enrolled in another MDM
| Migration | macOS | :x: | :x: | :white_check_mark: | :grey_exclamation: | :white_check_mark: | :x: | :x: | :grey_exclamation: | :x: | +|
**OS Updates**Follows spec to send commands that force devices to new minor or major macOS versions
| OS Update | macOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | +|
**OS Updates**Same as above, for iOS/iPadOS devices
| OS Update | iOS/iPadOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | +|
**OS Updates**Same as above, for tvOS devices
| OS Update | tvOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | | | :x: | +|
**Admin Portal - Custom Access Roles (RBAC)**Can arbitrarily allow/restrict R/W access to admin portal features for identified groups/users
| Configuration | Server Infrastructure | :x: | :white_check_mark: | :x: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | +|
**Admin Portal - Pre-configured Roles (RBAC)**Groups pre-determined elsewhere can allow/restrict collections of features
| Configuration | Server Infrastructure | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | +|
**Reporting - Pre-canned**Basic reasonable display of practically useful/relevant data to operating the service without forcing export of logs for external visualizations
| Reporting | Server Infrastructure | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark::heavy_dollar_sign: | | :white_check_mark: | +|
**Reporting - Customize within Admin Portal**Capability to configure persistent metrics or visualizations of the relevant service data
| Reporting | Server Infrastructure | :x: | :grey_exclamation: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark::heavy_dollar_sign: | :white_check_mark::heavy_dollar_sign: | | :white_check_mark: | +|
**Built-In - Local Admin Password Solution (LAPS)**Can manage/rotate local admin account passwords
| Security | macOS | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | | :white_check_mark: | +|
**Baseline (Hardening) Pre-built Configs**Compliance/security-related baseline configuration adherence is natively handled and can be determined/targeted without undue admin effort
| Compliance | Server Infrastructure | :x: | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | | :x: | +|
**Compliance Control**Explicit capabilities to enforce specific compliance controls on devices
| Compliance | Server Infrastructure | :x: | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | | :x: | +|
**Security Templates**Foundational/commonly-named security-specfic controls are built-in for applying without undue admin effort
| Security | Server Infrastructure | :x: | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :x: | | :white_check_mark: | +|
**Sandbox instance**Supports/provides access to another instance of the service as an environment for isolating/validating service concerns or otherwise
| Sandbox | Server Infrastructure | :x: | :white_check_mark: | :grey_exclamation: | :x: | :x: | :x: | :white_check_mark: | | :x: | +|
**Microsoft Conditional Access support**Directly powers/supports enabling/enforcing Microsoft conditional access policies
| Security | Server Infrastructure | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | | :white_check_mark: | :x: | +|
**Okta Device Trust support**Directly powers/supports enabling/enforcing Okta Device Trust
| Security | Server Infrastructure | :x: | :x: | :white_check_mark: | :x: | :white_check_mark: | :x: | | | :x: | +|
**Other conditional access support**Significantly enables similar policy engine-style access controls
| Security | Server Infrastructure | :x: | :white_check_mark: | | | | | | :white_check_mark: | :white_check_mark: | From 5f29ceb1af759df3151de229d04de18438c835cc Mon Sep 17 00:00:00 2001 From: Allister Banks Date: Tue, 8 Oct 2024 11:32:07 +0900 Subject: [PATCH 4/4] typo visibility --- Apple/MDM Comparison Table.md | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/Apple/MDM Comparison Table.md b/Apple/MDM Comparison Table.md index 43b0a5b..fb52a02 100644 --- a/Apple/MDM Comparison Table.md +++ b/Apple/MDM Comparison Table.md @@ -75,7 +75,7 @@ ___ |
**Automated Device Enrollment (ADE) support**Same as above, for iOS/iPadOS devices
| Enrollment | iOS/iPadOS | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | |
**ADE Package support**Allows admins to provide their own arbitrary executable code (e.g. contained in a package) to be delivered at time of ADE enrollment
| Enrollment | macOS | :white_check_mark: | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | | | |
**ADE Automatic User Creation via Identity Provider (IdP)**The MDM can ensure device authentication at time of provisioning is associated with a user account in an external database/via an identity provider, like (generically) OIDC, Okta, OneLogin, Entra ID, Google Workspace, etc.
| Enrollment | macOS | :white_check_mark::heavy_dollar_sign: | :white_check_mark::heavy_dollar_sign: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | | | :x: | -|
**Directory Integration - Okta**Zooming in on specific vendor support, can integrate and sync with Okta for at group/user visibilty/authentication
| Configuration | Server Infrastructure | :x: | :x: | :white_check_mark: SCIM | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | :x: | +|
**Directory Integration - Okta**Zooming in on specific vendor support, can integrate and sync with Okta for at group/user visibility/authentication
| Configuration | Server Infrastructure | :x: | :x: | :white_check_mark: SCIM | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | :white_check_mark: | :x: | |
**Directory Integration - Google Workspace **Same as above, for Google Workspace
| Configuration | Server Infrastructure | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | | :x: | |
**Directory Integration - Microsoft Entra ID**Same as above, for Entra ID
| Configuration | Server Infrastructure | :x: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :x: | |
**Admin Portal - SSO Login**Admin interface supports SSO login via IdP/SAML/OAuth
| Identity | Server Infrastructure | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: | :white_check_mark: |
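Review bot: in the comparison-table hunk above (the `+` rows from "Apple TV" down to "Other conditional access support"), the "Custom Scripts Deployment" row defines the criterion as "a secure way to distribute and orchestrate execution of arbitrary code" but never says what "secure" means, and this is the highest-privilege capability in the whole table (arbitrary code execution on every enrolled device), so a bare :white_check_mark: tells a reader nothing about what was actually checked. Suggest stating the test in the definition, e.g. "script content is delivered over the MDM channel or an authenticated agent connection, and who may create or push scripts is restricted by the portal's role model", so the row can be scored consistently with "Admin Portal - Custom Access Roles (RBAC)". Second, several rows ("Apple Watch", "Apple Vision Pro", "API - Non-standard", "Other conditional access support") leave cells empty; nothing distinguishes "not evaluated" from "not supported", and an empty cell beside an :x: will be read as the latter, so a dedicated marker or a legend line for "not assessed" would keep the table honest. Third, "Restrictions - App Block List" is scored as a single "Server Infrastructure" row, but its definition ("intercept/prevent the execution of identified unwanted processes") covers two very different mechanisms already named elsewhere in the table, a configuration-profile payload enforced by the OS and a local agent enforcing "(non-config profile) configurations" after the fact; splitting the row by OS as the "Supervise Device" rows are, or saying in the definition which mechanism qualifies, would stop a preventive control and a detect-and-kill control from being compared as equals.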
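Review bot: the "visibilty" to "visibility" fix in the `-`/`+` pair is correct, but the same "Directory Integration - Okta" line still reads "for at group/user visibility/authentication"; "for at" is a leftover and should become "for group/user visibility/authentication" while this line is being touched. Two rows further down, the unchanged context line "**Directory Integration - Google Workspace **" has a space before the closing "**", which stops the bold from rendering in CommonMark/GFM; it is worth folding "**Directory Integration - Google Workspace**" into this typo commit so the table header cells render uniformly.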