XenMobile Server

macOS

To manage macOS devices in XenMobile, you set up an Apple Push Notification service (APNs) certificate from Apple. For information, see APNs certificates.

XenMobile enrolls macOS devices into MDM. XenMobile supports the following enrollment authentication types for macOS devices in MDM.

  • Domain
  • Domain plus one-time password
  • Invitation URL plus one-time password

Requirements for trusted certificates in macOS 15:

Apple has new requirements for TLS server certificates. Verify that all certificates follow the new Apple requirements. See the Apple publication, https://support.apple.com/en-us/HT210176. For help with managing certificates, see Uploading certificates in XenMobile.

A general workflow for starting macOS device management is as follows:

  1. Configure macOS device policies.

  2. Enroll macOS devices.

  3. Set up device and app security actions. See Security actions.

For supported operating systems, see Supported device operating systems.

Apple host names that must remain open

Some Apple host names must remain open to make sure proper operation of iOS, macOS, and Apple App Store. Blocking those host names can affect the installation, update, and proper operation of the following: iOS, iOS apps, MDM operation, and device and app enrollment. For more information, see https://support.apple.com/en-us/HT201999.

Supported enrollment methods

The following table lists the enrollment methods that XenMobile supports for macOS devices:

Method Supported
Apple Deployment Program Yes
Apple School Manager Yes
Apple Configurator No
Manual enrollment Yes
Enrollment invitations Yes

Apple has device enrollment programs for business and education accounts. For business accounts, you enroll in the Apple Deployment Program to use the Apple Deployment Program for device enrollment and management in XenMobile. That program is for iOS and macOS devices. See Deploy devices through Apple Deployment Program.

For education accounts, you create an Apple School Manager account. Apple School Manager unifies the Deployment Program and volume purchase. Apple School Manager is a type of Education Apple Deployment Program. See Integrate with Apple Education features.

You can use the Apple Deployment Program to bulkly enroll iOS and macOS devices. You can purchase those devices directly from Apple, a participating Apple Authorized Reseller, or a carrier.

Configure macOS device policies

Use these policies to configure how XenMobile interacts with devices running macOS. This table lists all device policies available for macOS devices.

     
AirPlay Mirroring App Inventory Calendar (CalDAV)
Contacts (CardDAV) Control OS Update Credentials
Device Name Exchange FileVault
Firewall Font Import iOS and macOS Profile
LDAP Mail Passcode
Profile Removal Restrictions SCEP
VPN Web clip Wi-Fi

Enroll macOS devices

XenMobile provides two methods to enroll devices that are running macOS. Both methods enable macOS users to enroll over the air, directly from their devices.

  • Send users an enrollment invitation: This enrollment method enables you to set any of the following enrollment security modes for macOS devices:

    • User name + password
    • User name + PIN
    • Two-factor authentication

    When the user follows the instructions in the enrollment invitation, a sign-on screen with the user name filled in appears.

  • Send users an enrollment link: This enrollment method for macOS devices sends users an enrollment link, which they can open in Safari or Chrome browsers. A user then enrolls by providing their user name and password.

    To prevent the use of an enrollment link for macOS devices, set the server property Enable macOS OTAE to false. As a result, macOS users can enroll only by using an enrollment invitation.

Send macOS users an enrollment invitation

  1. Add an invitation for macOS user enrollment. See Create an enrollment invitation.

  2. After users receive the invitation and click the link, the following screen appears in the Safari browser. XenMobile fills in the user name. If you chose Two Factor for the enrollment security mode, another field appears.

    Safari browser root certificate message

  3. Users install certificates as necessary. Whether users see the prompt to install certificates depends on whether you configured the following for macOS: A publicly trusted SSL certificate and a publicly trusted digital signing certificate. For information about certificates, see Certificates and authentication.

  4. Users provide the requested credentials.

    The Mac device policies install. You can now start managing macOS devices with XenMobile just as you manage mobile devices.

  1. Send the enrollment link https://serverFQDN:8443/instanceName/macos/otae, which users can open in Safari or Chrome browsers.

    • serverFQDN is the fully qualified domain name (FQDN) of the server running XenMobile.
    • Port 8443 is the default secure port. If you configured a different port, use that port instead of 8443.
    • The instanceName, often shown as zdm, is the name specified during server installation.

    For more information about sending installation links, see Send an enrollment invitation.

  2. Users install certificates as necessary. If you configured a publicly trusted SSL certificate and digital signing certificate for iOS and macOS, users see the prompt to install the certificates. For information about certificates, see Certificates and authentication.

  3. Users sign on to their Macs.

    The Mac device policies install. You can now start managing macOS devices with XenMobile just as you manage mobile devices.

Security actions

macOS supports the following security actions. For a description of each security action, see Security actions.

     
Revoke Lock Selective Wipe
Full Wipe Certificate renewal  

Lock macOS devices

You can remotely lock a lost macOS device. XenMobile locks the device. It then generates a PIN code and sets it in the device. To access the device, the user types the PIN code. Use Cancel Lock to remove the lock from the XenMobile console.

You can use the Passcode device policy to configure more settings associated with the PIN code. For more information, see macOS settings.

  1. Click Manage > Devices. The Devices page appears.

    The Device page

  2. Select the macOS device that you want to lock.

    Select the checkbox next to a device to show the options menu above the device list. You can also click anywhere else on a listed item to show the options menu on the right side of the list.

    The options menu

    The options menu

  3. In the options menu, click Secure. The Security Actions dialog box appears.

    The Security Actions dialog box

  4. Click Lock. The Security Actions confirmation dialog box displays.

    The Security Actions confirmation

  5. Click Lock Device.

Important:

You can also specify a passcode instead of using the code that XenMobile generates. The lock action fails if the code specified does not meet the code requirements of the device or existing work profile.

macOS