XenMobile

macOS

To manage macOS devices in XenMobile, you set up an Apple Push Notification service (APNs) certificate from Apple. For information, see APNs certificates.

XenMobile enrolls macOS devices into MDM. XenMobile supports the following enrollment authentication types for macOS devices in MDM.

  • Domain
  • Domain plus one-time password
  • Invitation URL plus one-time password

Requirements for trusted certificates in macOS 15:

Apple has new requirements for TLS server certificates. Verify that all certificates follow the new Apple requirements. See the Apple publication, https://support.apple.com/en-us/HT210176. For help with managing certificates, see Uploading certificates in XenMobile.
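
The following added example (not part of the original documentation) checks a certificate against the requirements in that Apple publication: RSA keys of at least 2048 bits, a SHA-2 signature hash, the server DNS name in the Subject Alternative Name, and, for certificates issued after July 1, 2019, an ExtendedKeyUsage containing id-kp-serverAuth and a validity period of 825 days or fewer. It assumes English-language `openssl x509 -noout -text` output as input; the function name, the sample text and the host name mdm.example.com are constructed for illustration.

```python
import re
from datetime import datetime

# Constructed sample: trimmed `openssl x509 -noout -text` output for a
# hypothetical server certificate (not taken from the page).
SAMPLE_CERT_TEXT = """
        Signature Algorithm: sha1WithRSAEncryption
        Validity
            Not Before: Aug  1 00:00:00 2019 GMT
            Not After : Aug  1 00:00:00 2022 GMT
        Subject: CN = mdm.example.com
            Public Key Algorithm: rsaEncryption
                Public-Key: (1024 bit)
"""

def _when(text, label):
    # Parse an openssl validity timestamp such as "Aug  1 00:00:00 2019 GMT".
    stamp = re.search(label + r"\s*: (.+?) GMT", text).group(1)
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y")

def apple_tls_findings(text, hostname):
    """Return the Apple HT210176 requirements this certificate fails."""
    findings = []
    bits = re.search(r"Public-Key: \((\d+) bit\)", text)
    if "rsaEncryption" in text and bits and int(bits.group(1)) < 2048:
        findings.append("RSA key smaller than 2048 bits")
    sig = re.search(r"Signature Algorithm: (\S+)", text).group(1)
    if not re.search(r"sha(224|256|384|512)", sig, re.I):
        findings.append("signature hash is not SHA-2")
    # The DNS name must be in the SAN; the CommonName is not consulted.
    sans = [s.lower() for s in re.findall(r"DNS:([^,\s]+)", text)]
    host = hostname.lower()
    wildcard = "*." + host.split(".", 1)[-1]
    if host not in sans and wildcard not in sans:
        findings.append("server DNS name missing from Subject Alternative Name")
    not_before, not_after = _when(text, "Not Before"), _when(text, "Not After")
    if not_before > datetime(2019, 7, 1):  # extra rules for newer certificates
        if "TLS Web Server Authentication" not in text:
            findings.append("ExtendedKeyUsage lacks id-kp-serverAuth")
        if (not_after - not_before).days > 825:
            findings.append("validity period longer than 825 days")
    return findings

if __name__ == "__main__":
    for finding in apple_tls_findings(SAMPLE_CERT_TEXT, "mdm.example.com"):
        print("FAIL:", finding)
```

An empty list means the certificate text passed every check; run it against each server and signing certificate before you upload it to XenMobile.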

A general workflow for starting macOS device management is as follows:

  1. Configure macOS device policies.

  2. Enroll macOS devices.

  3. Set up device and app security actions. See Security actions.

For supported operating systems, see Supported device operating systems.

Apple host names that must remain open

Some Apple host names must remain open to ensure proper operation of iOS, macOS, and Apple App Store. Blocking those host names can affect the installation, update, and proper operation of the following: iOS, iOS apps, MDM operation, and device and app enrollment. For more information, see https://support.apple.com/en-us/HT201999.

Supported enrollment methods

The following table lists the enrollment methods that XenMobile supports for macOS devices:

Method                      Supported
Apple Deployment Program    Yes
Apple School Manager        Yes
Apple Configurator          No
Manual enrollment           Yes
Enrollment invitations      Yes

Apple has device enrollment programs for business and education accounts. For business accounts, you enroll in the Apple Deployment Program to use it for device enrollment and management in XenMobile. That program is for iOS and macOS devices. See Deploy devices through Apple Deployment Program.

For education accounts, you create an Apple School Manager account. Apple School Manager unifies the Deployment Program and volume purchase. Apple School Manager is a type of Education Apple Deployment Program. See Integrate with Apple Education features.

You can use the Apple Deployment Program to bulk enroll iOS and macOS devices. You can purchase those devices directly from Apple, a participating Apple Authorized Reseller, or a carrier.

Configure macOS device policies

Use these policies to configure how XenMobile interacts with devices running macOS. This table lists all device policies available for macOS devices.

  • AirPlay Mirroring
  • App Inventory
  • Calendar (CalDAV)
  • Contacts (CardDAV)
  • Control OS Update
  • Credentials
  • Device Name
  • Exchange
  • FileVault
  • Firewall
  • Font
  • Import iOS & macOS Profile
  • LDAP
  • Mail
  • Passcode
  • Profile Removal
  • Restrictions
  • SCEP
  • VPN
  • Web clip
  • Wi-Fi

Enroll macOS devices

XenMobile provides two methods to enroll devices that are running macOS. Both methods enable macOS users to enroll over the air, directly from their devices.

  • Send users an enrollment invitation: This enrollment method enables you to set any of the following enrollment security modes for macOS devices:

    • User name + password
    • User name + PIN
    • Two-factor authentication

    When the user follows the instructions in the enrollment invitation, a sign-on screen with the user name filled in appears.

  • Send users an enrollment link: This enrollment method for macOS devices sends users an enrollment link, which they can open in Safari or Chrome browsers. A user then enrolls by providing their user name and password.

    To prevent the use of an enrollment link for macOS devices, set the server property, Enable macOS OTAE, to false. As a result, macOS users can enroll only by using an enrollment invitation.

Send macOS users an enrollment invitation

  1. Add an invitation for macOS user enrollment. See Create an enrollment invitation.

  2. After users receive the invitation and click the link, the following screen appears in the Safari browser. XenMobile fills in the user name. If you chose Two Factor for the enrollment security mode, another field appears.

    Safari browser root certificate message

  3. Users install certificates as necessary. Whether users see the prompt to install certificates depends on whether you configured the following for macOS: a publicly trusted SSL certificate and a publicly trusted digital signing certificate. For information about certificates, see Certificates and authentication.

  4. Users provide the requested credentials.

    The Mac device policies install. You can now start managing macOS devices with XenMobile just as you manage mobile devices.

Send macOS users an enrollment link

  1. Send the enrollment link https://serverFQDN:8443/instanceName/macos/otae, which users can open in Safari or Chrome browsers.

    • serverFQDN is the fully qualified domain name (FQDN) of the server running XenMobile.
    • Port 8443 is the default secure port. If you configured a different port, use that port instead of 8443.
    • The instanceName, often shown as zdm, is the name specified during server installation.

    For more information about sending installation links, see Send an enrollment invitation.

  2. Users install certificates as necessary. If you configured a publicly trusted SSL certificate and digital signing certificate for iOS and macOS, users see the prompt to install certificates. For information about certificates, see Certificates and authentication.

  3. Users sign on to their Macs.

    The Mac device policies install. You can now start managing macOS devices with XenMobile just as you manage mobile devices.

Security actions

macOS supports the following security actions. For a description of each security action, see Security actions.

  • Revoke
  • Lock
  • Selective Wipe
  • Full Wipe
  • Certificate renewal

Lock macOS devices

You can remotely lock a lost macOS device. XenMobile locks the device. It then generates a PIN code and sets it in the device. To access the device, the user types the PIN code. Use Cancel Lock to remove the lock from the XenMobile console.

You can use the Passcode device policy to configure more settings associated with the PIN code. For more information, see macOS settings.

  1. Click Manage > Devices. The Devices page appears.

    The Device page

  2. Select the macOS device you want to lock.

    Select the check box next to a device to show the options menu above the device list. You can also click anywhere else on a listed item to show the options menu on the right side of the list.

    Options menu

  3. In the options menu, click Secure. The Security Actions dialog box appears.

    The Security Actions dialog box

  4. Click Lock. The Security Actions confirmation dialog box displays.

    The Security Actions confirmation

  5. Click Lock Device.

Important:

You can also specify a passcode instead of using the code that XenMobile generates. The lock action fails if the code specified does not meet the code requirements of the device or existing work profile.
