Apple Device Management
Apple Device Management, previously Mac Device Management, supports Apple's enhanced security posture on both macOS (10.13.2+) and iOS (iPhones and iPads) while ensuring our applications continue functioning with minimal user intervention.
Mac Monitoring Agent 3.4.0 or later is required for Apple Device Management.
Enrollment of Virtual Machines (VMs) in Apple Device Management is not tested or supported.
Apple Device Management enables you to send Apple Configuration Profiles to devices to ensure consistent device configuration and to grant the access required by our applications by:
- Silently configuring the computer's security and privacy controls for our software
- Applying the required permissions to any deployment or update to our applications in the current and future versions of the Operating System
With Dashboard v2020.12.15 or later, you use Apple Configuration Profiles to deploy settings securely and remotely from the Dashboard to the following devices that are enrolled in Apple Device Management:
- macOS (10.13.2+) computers
- iOS devices (iPhones and iPads)
Apple Configuration Profiles are not supported on devices using macOS 10.12 or earlier. You cannot push Apple Configuration Profiles to those devices.
Apple Device Management requires the following actions:
- You must Add a new Apple Push Notification Certificate (includes certificate renewal) to your Dashboard
- The end-user is prompted to enroll their device in our Apple Device Management service. After enrollment, the related Apple Configuration Profile is applied.
To ensure the end-user knows the source of the enrollment request, the prompt dialog contains your Dashboard company name and Agent branding (where selected).
Enrolling the computer in Apple Device Management is a one-time process for the end-user.
Before using Apple Device Management, we recommend you review your Dashboard Roles and Permissions to ensure each Dashboard user has the access level required for their role. For example, ensure Dashboard users in the relevant role can manage certificates or deploy profiles and perform actions in Apple Device Management. See Comparison of System Roles to view the default permissions for the system roles.
Starting with macOS 10.13.2, Apple began changing its security posture to prevent unauthorized interaction with the computer by third-party applications. These Apple changes had the following implications for our applications:
- The security and privacy control settings defaulted to blocked. This forced end-users to grant the required permissions for our applications to access the computer.
- These privacy and security settings cannot be configured through a remote assistance tool, so end-users must approve each request. The number of request notifications and configuration requirements can be daunting to end-users. For example, the numerous requests from new software installations, or requests to re-authorize previously permitted applications after an Operating System update, can be overwhelming to end-users.
- If end-users do not grant the required permissions, our applications may not run or they may run but with restricted functions.
To reduce this impact on our applications, we use Apple's Mobile Device Management (MDM) framework. From Mac Monitoring Agent 3.4.0 RC onwards, we use the MDM framework to reduce the volume of end-user notifications from our software and to ensure all our installed applications have the required permissions.
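Because a profile delivered this way grants privacy permissions without any end-user prompt, it is worth reviewing exactly what a profile allows before it is deployed. The following is an added example, not the vendor's code or profile: it assumes the grants are carried in Apple's Privacy Preferences Policy Control payload (`com.apple.TCC.configuration-profile-policy`, which this page does not name), and the sample profile, bundle ID and path are constructed.

```python
import plistlib

TCC_TYPE = "com.apple.TCC.configuration-profile-policy"

# Constructed sample profile; identifiers are placeholders, not a real product's.
SAMPLE_PROFILE = b"""<plist version="1.0"><dict>
<key>PayloadContent</key><array><dict>
 <key>PayloadType</key><string>com.apple.TCC.configuration-profile-policy</string>
 <key>Services</key><dict>
  <key>SystemPolicyAllFiles</key><array><dict>
   <key>Identifier</key><string>com.example.agent</string>
   <key>IdentifierType</key><string>bundleID</string>
   <key>CodeRequirement</key><string>identifier "com.example.agent" and anchor apple generic</string>
   <key>Allowed</key><true/>
  </dict></array>
  <key>Accessibility</key><array><dict>
   <key>Identifier</key><string>/usr/local/bin/example-helper</string>
   <key>IdentifierType</key><string>path</string>
   <key>Allowed</key><true/>
  </dict></array>
 </dict>
</dict></array></dict></plist>"""

def audit_privacy_grants(profile_bytes):
    """Return (service, identifier, notes) for every grant the profile makes."""
    profile = plistlib.loads(profile_bytes)
    findings = []
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != TCC_TYPE:
            continue  # only privacy-control payloads are of interest here
        for service, entries in payload.get("Services", {}).items():
            for entry in entries:
                # Older profiles use Allowed; newer ones use Authorization.
                granted = entry.get("Allowed") is True or entry.get("Authorization") == "Allow"
                if not granted:
                    continue
                notes = []
                if not entry.get("CodeRequirement"):
                    notes.append("missing CodeRequirement")  # grant not tied to a signature
                if entry.get("IdentifierType") == "path":
                    notes.append("path-based identifier")  # applies to whatever is at that path
                findings.append((service, entry.get("Identifier"), notes))
    return sorted(findings, key=lambda f: (f[0], str(f[1])))

if __name__ == "__main__":
    for service, identifier, notes in audit_privacy_grants(SAMPLE_PROFILE):
        print(f"{service}: {identifier} {'[' + ', '.join(notes) + ']' if notes else ''}")
```

A grant with no notes is bound to a signed bundle; any entry that carries a note deserves a closer look before the profile is pushed.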
What do you want to do?
- Add a new Apple Push Notification Certificate (includes certificate renewal)
- Renew the Apple Push Notification Certificate
- Review the macOS End-User Apple Device Management Enrollment process
- Relaunch Apple Device Management Enrollment on a macOS device (Optional)
- Add iPhones and iPads to Mobile Device Management
- iOS Mobile Device Management provisioning
- Learn About Apple Configuration Profiles
- Issue commands to macOS and iOS devices
- Remove an MDM Enrollment Profile from an Apple device as part of the macOS Agent uninstall
- Choose to Automatically enroll macOS devices