Learn how Apple Device Enrollment Program (DEP) enables zero-touch deployment of Macs. Learn what DEP enrollment is. Learn how computers become a part of a DEP account and the unique purchase methods supported by DEP. Understand the conceptual shift from MCX management (or managed clients for OS X management) to mobile device management (MDM). Download and install Apple Configurator 2 from the Mac App Store. You will require a Mac with OS X 10.6.6 or later. Pre-requisites: Create a WiFi profile; Create a Blueprint and add WiFi profile. When you boot up the device, the MDM enrollment configuration, the WiFi profile, the Supervision settings and all of that you had set up.

Author:Robert Terakedis

Robert is a solutions architect for VMware End-User Computing (EUC).

The release of macOS High Sierra 10.13.2 introduces User Approved Mobile Device Management (MDM) enrollment. This enrollment flow requires the end-user to approve device enrollment before an administrator can manage its security-sensitive settings.

To qualify as a user-approved enrollment type, the MDM profile must install one of the following ways.

  • User-Initiated Profile Installation – Performed through the profiles preference panel, this method ensures the user agrees to management and approves the particular system performing the management. However, this method prevents automated installation of the MDM enrollment profile through scripting, remote screen sharing, or other methods.
  • DEP Enrollment – As a corporate-owned enrollment flow, DEP enrollment is considered user-approved.
  • Automated Enrollment with Manual Approval – This method uses automation to install the MDM enrollment profile. Post-enrollment, the user navigates to the profiles preference panel to manually approve the enrollment profile.

    Figure 1: Non-User Approved MDM Enrollment Pending User Approval

  • Pre-Upgrade Enrollment ­– Devices that enrolled in MDM before upgrading to macOS 10.13.2, get categorized as User Approved MDM by default. However, once unenrolled or wiped, these devices must reenroll using one of the three previously mentioned flows to be user-approved.

User Approved MDM with VMware AirWatch

VMware AirWatch supports all current mechanisms for User Approved MDM enrollment. However, strongly consider implementing Apple DEP as the primary enrollment mechanism for User Approved MDM on macOS. If DEP is not an option right now, use the Web enrollment flow.

The VMware AirWatch Agent for macOS version 2.4.3 and later fully supports User Approved MDM. However, for VMware AirWatch Agent 2.4.2 or earlier, the enrollment process is not user-approved. In these cases, the user must additionally approve the enrollment profile in the profiles preference panel.

Mdm Profile Mac

Additional Considerations for User Approved MDM

Mdm Enrollment Profile Download Mac Os X

Currently, User Approved MDM is a requirement for one macOS profile payload. This payload, the Kernel Extension Policy, manages user-approved kernel extension loading.

If you are unfamiliar with KEXTs, you might be installing or using them unknowingly – especially if you install hardware drivers and/or software for security/compliance, audio/video, and/or virtualization.

Without the Kernel Extension Policy payload in place, administrators must rely on end-users to manually approve KEXT loading. Many would argue this is a recipe for overburdened help desks, late nights, and angry bosses!

[Learn More: macOS High Sierra User-Approved Kernel Extension Loading]

Related

The following links provide more detail on DEP and iOS deployments:

Note: The MDM profile can be removed when using this method.

Mac Mdm Server

Device Enrollment Program (DEP) is preferred as its the only way to prevent the MDM profile being removed from devices:

Prerequisites for URL Enrollment

  • iOS 5+
  • macOS 10.8+

Enrolment URL

Step 1

Navigate to the level where you would like to enroll the device.

The Enroll Device button can be found in Home, School or Group > Device Management > Devices:

Step 2

Press the Enroll Device button to open the following page:

Step 3

Type the Individual Enrollment URL circled into Safari on the device you wish to enroll, proceed to install the profile.

The Individual Enrollment URL generated from the Enroll button is unique for every group in your organization.
Note: iOS 12.2+ the Install Profile process has changed slightly:


The Reenroll Device button

This buttons functionality differs from the Enroll button.

If a user removes the MDM profile the device will still be shown in Mobile Manager, but it will need to be re-enrolled again to restore communication.
Press the Reenroll button (at any level), type the Individual Enrollment URL into Safari on the device that had its profile removed, same process as above.

However, no matter what level you press the Reenroll Device button from, the Individual Enrollment URL will be exactly the same as the device should already exist in Mobile Manager - we will simply need to restore the connection to it.

Remove mdm profiles mac

The device will not be added to any additional groups.

Note:
If you use the Individual Enrollment URL generated by the Reenroll Device button to initially enroll the device into Mobile Manager, the device will enroll into the Home level.


Enrollment Settings

Your organization may have enabled additional Password or User Authentication settings on enrollments.

For more information about these features, see the following article: