Before VMware Workspace ONE UEM version 9.3, Workspace ONE UEM Staging for macOS required a macOS to be domain joined to a directory service (Multi-Staging or Single-Staging). After the staging enrollment, an end user logs into the macOS with Domain credentials. The device then gets checked out to the corresponding directory user within the UEM console.​

From VMware Workspace ONE UEM version 9.3, macOS admins are moving towards a deployment model without a domain join. VMware Workspace ONE UEM now supports this deployment model by providing a new single staging enrollment flow for a local user with the pre-registration in the UEM console. Because Workspace ONE UEM MDM can only manage one local user, the new enrollment flow to map the staging user APNs token to the directory user that is pre-registered to the device is created.

Use Cases for Single-Staging with Pre-Registration

  • Admin needs the device before the end user, but does not want to domain join and use the existing local account.
  • Admin does not want to domain join, but uses Enterprise Connect or NoMAD to keep the password synced.​
  • Admin wants the device for setup, then integrate the API to an internal device checkout system.​
  • Admin creates their own custom GUI authentication dialog box which calls a Workspace ONE UEM API to switch the device to the end user.​

Create Single-Staging Flow with Pre-Registration

Create a single-staging user in the UEM console before pre-registering the device.

Prerequisites

  • Pre-registration is only supported for Single-Staging​
  • Device must be assigned to a staging user before the pre-registration or API flow to work​

Procedure

  1. Create Single-Staging User.
  2. Pre-Register Device to the Enrollment User (basic or directory user in the UEM console).
  3. Enroll the device to the single staging user (DEP staging or Web enrollment or Hub enrollment).

Create Single-Staging User

The first step to pre-register macOS devices to the UEM console is to create a single-staging enrollment user.

  1. Navigate to Accounts > Users > List View and then select Add > Add User.
  2. Enter the general information such as Username, Password, Full name, email address in the General tab for a single staging user in the Add/Edit User page.
  3. In the Advanced tab, under Staging, enable Device Staging and Single User Devices.
  4. Select Save to save the enrollment user.

What to do next:

Once single staging user is created, the next step is to pre-register the macOS device.

Pre-Register Device to the Enrollment User

In the UEM console, pre-register the device through the device identifiers (such as serial, udid, and so on) to the directory or basic enrollment user.
  1. Navigate to Devices > Lifecycle > Enrollment Status. Select Add and then select Register Device.
  2. In the User tab, enter a basic user or directory user in the User's Search Text text box and select the user from the search list.
  3. Enable Show Advanced Device Information Options check box and enter the device identifiers of the device.
  4. Select Save.

What to do next:

After the pre-registration of the device is complete, the next step is to enroll device to the Workspace ONE UEM single-staging user.

Device Enrollment to the Single-Staging User

Log into the macOS device with a local user and enroll through DEP Staging, Hub Enrollment, Web Enrollment, or Apple Configurator with a Workspace ONE UEM single-staging user.

If using DEP, the managed local user must be the user created during Setup Assistant process. For more information, refer the enrollment sections. After enrollment completes, the UEM console automatically checks out the user from the staging use to the pre-registered basic user. All assigned user profiles, commands, or applications start installing onto the device.