SSH (Secure Shell)
SSH is a cryptographic network protocol for secure remote command-line access. In MDM and macOS management, SSH is used for remote administration of Macs, servers, and network infrastructure, enabling advanced troubleshooting and script execution.
What to Know
SSH enables secure command-line access to Macs for troubleshooting scenarios beyond MDM’s capabilities. While MDM excels at policy deployment and standard management tasks, complex troubleshooting often requires direct shell access to examine logs, test configurations, or execute commands interactively. SSH’s encrypted communication protects sensitive data and credentials during remote sessions, making it vastly superior to legacy protocols like Telnet. SSH key-based authentication eliminates password transmission, improving security and enabling automated remote management scripts.
SSH is essential for managing macOS servers, development workstations, and kiosk systems where direct console access isn’t practical. IT teams use SSH for tasks like reviewing system logs, restarting services, installing packages via command line, and executing diagnostic commands. However, SSH access requires careful security controls, because unrestricted SSH access creates security risk. Organizations typically restrict SSH to specific administrator groups, require key-based authentication, and monitor SSH access logs for unusual activity such as repeated failed logins from one source or a password login on a host that should accept keys only.
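As an added illustration of the log monitoring the paragraph above calls for (an example script written for this page, not Addigy's or Apple's code): the shell functions below tally failed logins per source address from sshd log lines and surface any password-based login, which should never succeed once key-only authentication is enforced. The log lines are constructed samples in sshd's syslog-style wording; the `log show` predicate for collecting the real ones on macOS is an assumption about your macOS version.

```shell
#!/bin/sh
# Added example (not Addigy's or Apple's code): triage sshd log lines for
# unusual activity. The lines in sample_log are constructed samples in the
# syslog-style wording sshd emits. On macOS you would feed the functions from
# something like `log show --predicate 'process == "sshd"' --last 1d`
# (assumption: that predicate and message wording match your macOS version).

sample_log() {
  cat <<'EOF'
Accepted publickey for itadmin from 10.20.0.5 port 51022 ssh2: ED25519 SHA256:constructedfingerprint
Failed password for invalid user oracle from 203.0.113.7 port 40122 ssh2
Failed password for invalid user test from 203.0.113.7 port 40130 ssh2
Failed password for root from 203.0.113.7 port 40141 ssh2
Failed password for itadmin from 10.20.0.9 port 52001 ssh2
Accepted password for itadmin from 10.20.0.9 port 52002 ssh2
Accepted publickey for itadmin from 10.20.0.5 port 51030 ssh2: ED25519 SHA256:constructedfingerprint
EOF
}

# Print source addresses with at least $1 failed logins (default 5), one per
# line, sorted. Reads log lines on stdin and uses the "from <ip>" field.
failed_sources_over() {
  threshold="${1:-5}"
  awk -v t="$threshold" '
    /^Failed (password|publickey|keyboard-interactive)/ {
      for (i = 1; i <= NF; i++) if ($i == "from") { n[$(i+1)]++; break }
    }
    END { for (ip in n) if (n[ip] >= t) print ip }
  ' | sort
}

# Print successful password logins read from stdin. With
# PasswordAuthentication disabled these should never appear, so every
# line is worth a ticket.
accepted_password_logins() {
  grep '^Accepted password for ' || true
}

# Human-readable report; a monitoring job would act on the functions above.
report() {
  echo "== sources with >= ${1:-5} failed logins =="
  sample_log | failed_sources_over "$1"
  echo "== password logins (should be none) =="
  sample_log | accepted_password_logins
}

if [ "${1:-}" = "--report" ]; then
  report "${2:-5}"
fi
```

Invoked as `sh triage.sh --report 3`, the report names 203.0.113.7 (three failures) and lists the single password login from 10.20.0.9. Pipe real log output into `failed_sources_over` and `accepted_password_logins` instead of `sample_log` to use it on a live host; the threshold should be tuned to how many failed attempts are plausible for a legitimate admin on your network.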
Common Scenarios
Enterprise IT: Corporate IT enables SSH on macOS servers and critical workstations for remote administration, using SSH keys rather than passwords for authentication. SSH access policies restrict which networks can initiate SSH connections (internal networks only, or via VPN) and which user accounts have SSH access. IT uses SSH for emergency troubleshooting when devices experience issues preventing normal MDM communication. SSH bastions/jump hosts provide audited access paths for privileged SSH sessions to production systems.
MSP: MSPs use SSH for advanced troubleshooting on client Mac devices and servers, typically accessing devices through secure tunnels or VPN connections. MSPs should document which client devices have SSH enabled, maintain SSH key inventories, and implement SSH logging for compliance and audit purposes. Emergency access procedures may involve temporarily enabling SSH via MDM script when devices experience issues preventing remote screen sharing or other management tools from functioning.
Education: School IT departments typically disable SSH on student devices for security reasons, but enable SSH on teacher workstations and IT administrative Macs for support purposes. Computer labs and shared resources often have SSH enabled for remote management and classroom control. Education IT should implement SSH access controls that limit access to IT staff networks and use SSH key authentication rather than passwords to prevent unauthorized access attempts.
In Addigy
Addigy doesn’t rely on SSH for standard device management operations, using Apple’s MDM protocol instead. However, admins can enable SSH on managed devices through configuration profiles or scripts deployed via Addigy, then use SSH for advanced troubleshooting scenarios. Addigy’s remote terminal feature provides secure command-line access to managed Macs without requiring separate SSH configuration, offering similar capabilities with integrated authentication and session logging.
When SSH access is needed, admins can deploy profiles or scripts via Addigy to enable the SSH service, configure access controls, and deploy SSH authorized keys to managed devices. For security, SSH should only be enabled on devices requiring remote command-line access, with access restricted to specific administrator accounts. Addigy’s script execution capabilities often eliminate the need for SSH by allowing admins to run commands remotely through the MDM channel without maintaining persistent SSH access.
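A worked example of the kind of script the paragraph above describes, added here and not Addigy's or Apple's own code: it writes a key-only sshd drop-in, installs an administrator's public key with the permissions sshd requires, limits Remote Login to one admin group, validates the merged configuration, and only then turns the service on. It assumes macOS 13 or later, where /etc/ssh/sshd_config carries `Include /etc/ssh/sshd_config.d/*`; the account name itadmin, the group admin, the com.apple.access_ssh service ACL handling, and the placeholder public key are all assumptions to replace with your own values.

```shell
#!/bin/sh
# Added example, not Addigy's or Apple's code: a script an MDM could push to
# enable Remote Login on a Mac and leave it key-only and restricted to one
# admin group. Assumptions: macOS 13 or later (its sshd_config includes
# /etc/ssh/sshd_config.d/*), an existing local admin account named in
# ADMIN_USER, and a real public key supplied in ADMIN_PUBKEY. Everything that
# touches the live system runs only with "--apply" as root; the file-writing
# helpers take a base directory so they can be exercised elsewhere first.

ADMIN_USER="${ADMIN_USER:-itadmin}"
ADMIN_GROUP="${ADMIN_GROUP:-admin}"
# Placeholder key; replace with the public key from your key inventory.
ADMIN_PUBKEY="${ADMIN_PUBKEY:-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPLACEHOLDERKEYREPLACEME mdm-admin@example.test}"

# Write a drop-in that disables password logins and limits who may connect.
# Prints the path of the file it wrote.
write_sshd_dropin() {
  dir="$1"; group="$2"
  mkdir -p "$dir"
  f="$dir/200-mdm-hardening.conf"
  cat > "$f" <<EOF
# Managed by MDM script; do not edit by hand.
PasswordAuthentication no
KbdInteractiveAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
AllowGroups $group
MaxAuthTries 3
LogLevel VERBOSE
EOF
  chmod 644 "$f"
  echo "$f"
}

# Append a public key to HOME/.ssh/authorized_keys only if it is not already
# present, with the permissions sshd insists on. Prints the number of keys
# in the file afterwards, so repeated runs stay idempotent.
install_authorized_key() {
  home="$1"; key="$2"
  mkdir -p "$home/.ssh"
  chmod 700 "$home/.ssh"
  ak="$home/.ssh/authorized_keys"
  touch "$ak"
  grep -qxF "$key" "$ak" || printf '%s\n' "$key" >> "$ak"
  chmod 600 "$ak"
  wc -l < "$ak" | tr -d ' '
}

# macOS-only: restrict Remote Login to the admin group through the
# com.apple.access_ssh service ACL group (created if absent; assumption about
# how this release names it), validate the merged sshd config, then enable.
apply_on_mac() {
  write_sshd_dropin /etc/ssh/sshd_config.d "$ADMIN_GROUP" >/dev/null
  install_authorized_key "/Users/$ADMIN_USER" "$ADMIN_PUBKEY" >/dev/null
  chown -R "$ADMIN_USER" "/Users/$ADMIN_USER/.ssh"
  dseditgroup -o read com.apple.access_ssh >/dev/null 2>&1 \
    || dseditgroup -o create com.apple.access_ssh
  dseditgroup -o edit -a "$ADMIN_GROUP" -t group com.apple.access_ssh
  sshd -t || { echo "sshd config invalid, not enabling Remote Login" >&2; exit 1; }
  systemsetup -setremotelogin on
}

if [ "${1:-}" = "--apply" ]; then
  [ "$(id -u)" -eq 0 ] || { echo "run as root" >&2; exit 1; }
  apply_on_mac
fi
```

Run it with `--apply` as root on the target Mac; without that flag it only defines the helpers, so the config and key handling can be tried in a scratch directory first. The drop-in's AllowGroups line and the service ACL overlap on purpose: an account placed in the ACL group but not in the named admin group is still refused by sshd, and the script refuses to enable the service at all if `sshd -t` rejects the merged configuration.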
Also Known As
- Secure Shell Protocol
- SSH2
- SSH Protocol