macOS

To manage macOS devices in Endpoint Management, you set up an Apple Push Notification service (APNs) certificate from Apple. For information, see APNs certificates.

Endpoint Management enrolls macOS devices into MDM mode.

A general workflow for starting macOS device management is as follows:

  1. Complete the onboarding process. See Onboarding and resource setup and Prepare to enroll devices and deliver resources.

  2. Choose and configure an enrollment method. See Supported enrollment methods.

  3. Configure macOS device policies.

  4. Enroll macOS devices.

  5. Set up device and app security actions. See Security actions.

For supported macOS devices, see Supported device operating systems.

Supported enrollment methods

The following table lists the enrollment methods that Endpoint Management supports for macOS devices:

Method                                  Supported
Apple Device Enrollment Program (DEP)   Yes
Apple School Manager DEP                Yes
Apple Configurator                      No
Manual enrollment                       Yes
Enrollment invitations                  Yes

Apple has device enrollment programs for business and education accounts. For business accounts, you enroll in the Apple Deployment Program to use the Apple Device Enrollment Program (DEP) for device enrollment and management in Endpoint Management. That program is for iOS, macOS, and Apple TV devices. See Deploy devices through Apple DEP.

For education accounts, you create an Apple School Manager account. Apple School Manager unifies the Device Enrollment Program (DEP) and Volume Purchase Program (VPP). Apple School Manager is a type of Education DEP. See Integrate with Apple Education features.

You can use the Apple Device Enrollment Program (DEP) to bulk enroll iOS, macOS, and Apple TV devices. You can purchase those devices directly from Apple, a participating Apple Authorized Reseller, or a carrier.

Configure macOS device policies

Use these policies to configure how Endpoint Management interacts with devices running macOS. The following device policies are available for macOS devices:

  • AirPlay mirroring
  • App inventory
  • Calendar (CalDAV)
  • Contacts (CardDAV)
  • Control OS update
  • Credentials
  • Device name
  • Exchange
  • FileVault
  • Firewall
  • Font
  • Import iOS & macOS profile
  • LDAP
  • Mail
  • Passcode
  • Profile removal
  • Restrictions
  • SCEP
  • VPN
  • Webclip
  • WiFi

Enroll macOS devices

Endpoint Management provides two methods to enroll devices that are running macOS. Both methods enable macOS users to enroll over the air, directly from their devices.

  • Send users an enrollment invitation: This enrollment method enables you to set any of the following enrollment modes for macOS devices:

    • User name + password

    • User name + PIN

    • Two Factor

    When the user follows the instructions in the enrollment invitation, a sign-on screen with the user name filled in appears.

  • Send users an enrollment link: This enrollment method for macOS devices sends users an enrollment link, which they can open in Safari or Chrome browsers. A user then enrolls by providing their user name and password.

    To prevent the use of an enrollment link for macOS devices, set the server property, Enable macOS OTAE to false. As a result, macOS users can enroll only by using an enrollment invitation.

Send macOS users an enrollment invitation

  1. Add an invitation for macOS user enrollment. See Send an enrollment invitation.

  2. After users receive the invitation and click the link, the following screen appears in the Safari browser. Endpoint Management fills in the user name. If you chose Two Factor for the enrollment mode, another field appears.

    Image of Safari browser root certificate message

  3. Users install certificates as necessary. Whether users see a prompt to install certificates depends on whether you configured a publicly trusted SSL certificate and a publicly trusted digital signing certificate for macOS. For information about certificates, see Certificates and authentication.

  4. Users provide the requested credentials.

    The Mac device policies install. You can now start managing Macs with Endpoint Management just as you manage mobile devices.

Send macOS users an enrollment link

  1. Send the enrollment link https://serverFQDN:8443/instanceName/macos/otae, which users can open in Safari or Chrome browsers.

    • serverFQDN is the fully qualified domain name (FQDN) of the server running Endpoint Management.
    • Port 8443 is the default secure port. If you configured a different port, use that port instead of 8443.
    • The instanceName, often shown as zdm, is the name specified during server installation.

    For more information about sending installation links, see To send an installation link.

  2. Users install certificates as necessary. As with enrollment invitations, whether users see the prompt to install certificates depends on the SSL certificate and digital signing certificate you configured for iOS and macOS. For information about certificates, see Certificates and authentication.

  3. Users sign on to their Macs.

    The Mac device policies install. You can now start managing Macs with Endpoint Management just as you manage mobile devices.
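The following script is an added example, not Citrix code or anything from this page: it builds the OTAE enrollment link from the three parts described above (server FQDN, port, instance name), rejects malformed parts rather than emitting a link that points somewhere else, and wraps the two checks an administrator wants before sending the link: what certificate the server presents on the enrollment port (which the page ties to whether users are prompted to install certificates) and the HTTP status the link returns, so that the effect of setting Enable macOS OTAE to false can be confirmed. The values xem.example.com, 8443 and zdm are assumed.

```shell
#!/bin/sh
# Added example, not code from Citrix or this page. Assumed values:
# server xem.example.com, port 8443, instance name zdm.

# Build https://<fqdn>:<port>/<instance>/macos/otae after validating each part.
build_otae_url() {
    fqdn=$1; port=$2; instance=$3
    # FQDN: at least two labels of letters, digits and hyphens. The page
    # calls for the server's fully qualified name, so a bare host is refused.
    if ! printf '%s' "$fqdn" | grep -Eq '^[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$'; then
        echo "invalid FQDN: $fqdn" >&2; return 1
    fi
    # Port: digits only, 1..65535 (8443 is the default secure port).
    case $port in
        ''|*[!0-9]*) echo "invalid port: $port" >&2; return 1 ;;
    esac
    if [ "$port" -lt 1 ] || [ "$port" -gt 65535 ]; then
        echo "invalid port: $port" >&2; return 1
    fi
    # Instance name: exactly one path segment. A slash or '..' would change
    # the path the link points at, so refuse it instead of encoding it.
    case $instance in
        ''|*/*|*..*) echo "invalid instance name: $instance" >&2; return 1 ;;
    esac
    printf 'https://%s:%s/%s/macos/otae\n' "$fqdn" "$port" "$instance"
}

# Check 1: the certificate users will see on the enrollment port. Prints the
# leaf subject, issuer and validity plus OpenSSL's verify result; "0 (ok)"
# means the chain verifies against this machine's CA store. Record the issuer
# before sending the link, since the page ties the certificate-install prompt
# to whether the configured certificates are publicly trusted.
show_server_cert() {
    fqdn=$1; port=${2:-8443}
    out=$(openssl s_client -connect "$fqdn:$port" -servername "$fqdn" </dev/null 2>/dev/null)
    printf '%s\n' "$out" | openssl x509 -noout -subject -issuer -dates
    printf '%s\n' "$out" | grep 'Verify return code'
}

# Check 2: HTTP status of the link. Record it before and after setting the
# server property "Enable macOS OTAE" to false; the page says only that the
# link then stops working, not which status the server returns.
otae_http_status() {
    curl -s -o /dev/null -w '%{http_code}' "$1"
}

# On the enrolled Mac (macOS 10.13.4 or later), confirm MDM enrollment with:
#   profiles status -type enrollment

if [ "${1:-}" = demo ]; then
    url=$(build_otae_url xem.example.com 8443 zdm) || exit 1
    echo "$url"
    show_server_cert xem.example.com 8443
    otae_http_status "$url"; echo
fi
```

Run with `sh otae_check.sh demo` (the file name is assumed) from a machine that can reach the server; the certificate and status checks need network access, while the URL builder can be exercised offline.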

Security actions

macOS supports the following security actions. For a description of each security action, see Security actions.

  • Certificate renewal
  • Full Wipe
  • Lock
  • Notify
  • Revoke/Authorize
  • Selective Wipe