macOS Device Enrollment

Each device in your organization's deployment must be enrolled in your organization's environment before it can communicate with Workspace ONE UEM and access internal content and features.

Prerequisites

• Apple device running macOS version 10.13 or later

• VMware Workspace ONE Intelligent Hub for macOS version 19.04 or later

• Workspace ONE UEM version 9.4 or later

Enrollment Methods

There are four ways to initiate enrollment for macOS devices:

• Hub-Based Enrollment - Enroll a device using the Workspace ONE Intelligent Hub

• Staging Enrollment - Enroll a device for later re-assignment to a different user

• Automated Enrollment - Utilize Apple Business Manager's Automated Enrollment

• Web-Based Enrollment - Enroll a macOS device using web-based enrollment

End user Enrollment Using the Workspace ONE Intelligent Hub

The Hub-based enrollment process secures a connection between macOS devices and your Workspace ONE UEM environment through the Workspace ONE Intelligent Hub app. The Workspace ONE Intelligent Hub application facilitates User-Approved Device Enrollment, and then allows for real-time management and access to device information and resources.

For more information, see:

• macOS Intelligent Hub in Apps for macOS Devices section.

• Enroll with macOS Intelligent Hub

Admin Enrollment Using a Sideloaded Staging Profile

Device Staging on the Workspace ONE UEM console allows a single admin to outfit devices for other users on their behalf, which can be particularly useful for IT admins provisioning a fleet of devices. Admins can sideload a staging profile for a single-user devices and multi-user devices.

Single-User Staging

Single-user staging allows an admin to stage devices, such as a company-issued laptop, for a single user. LDAP binding or pre-registration is required when staging devices for single users.

For more information, see Stage Single User Domain-Bound Agent-Based macOS Enrollment in Introduction to Managing macOS Devices.

Single Staging with Pre-Registration and Local User

Workspace ONE UEM also supports a new single staging enrollment flow for a local macOS user with pre-registration to help macOS admins who are moving towards a deployment model without domain join. For more information, see Pre-Register Single-User Staging Using Agent-Based Enrollment in Introduction to Managing macOS Devices.

Multi-User Staging

Multi-user device staging allows an admin to provision devices intended to be used by more than one user, such as a shared computing lab computer. Multi-user staging allows the device to dynamically change its assigned user as different network users log into that device.

For more information, see Stage Multi-User Domain-Bound macOS Enrollment in Introduction to Managing macOS Devices.

Bulk Enrollment with Apple Business Manager

Depending on your deployment type and device ownership model, you may want to enroll devices in bulk. Workspace ONE UEM provides bulk enrollment capabilities for macOS devices using the Apple Business Manager and Automated Enrollment.

Deploying a bulk enrollment through the Apple Business Manager's automated enrollment allows you to install a non-removable MDM profile on a device. You can also provision devices in Supervised mode to access additional security and configuration settings.

For more information about Apple Business Manager, see Integration with Apple Business Manager.

Enrollment with macOS Intelligent Hub

The Hub-based enrollment process secures a connection between macOS devices and your Workspace ONE UEM environment. Install the Workspace ONE Intelligent Hub application to facilitate the User-Approved enrollment process to enable real-time management and access to relevant device information and resources.

Download the Workspace ONE Intelligent Hub installer from https://getwsone.com. When the Workspace ONE Intelligent Hub is installed, the device begins prompting the user for the enrollment authentication. For different methods that are available to download Intelligent Hub, see macOS Workspace ONE Intelligent Hub Download.

Procedure

1. Navigate to https://getwsone.com and download the Workspace ONE Intelligent Hub installer on the device.

2. Open the pkg file and install the Intelligent Hub by following the system prompts. After installation completes, the Intelligent Hub enrollment screen appears shortly later, or click on the Intelligent Hub icon in the macOS Menu Bar and click Enroll.

3. Enter the enrollment URL and Group ID, or enter your email address.

   If the email autodiscovery is set up, select the email address option for authentication, instead of entering the enrollment URL and Group ID. For information about configuring autodiscovery, see the Autodiscovery Enrollment topic of the Managing Devices documentation.

   If your user account is not allowed or blocked because your account is denylisted and not approved for enrollment, you will get a message preventing enrollment from continuing.

4. Follow the system prompts in the Workspace ONE Intelligent Hub. For devices running macOS versions between 10.12.6 and 10.13.1, proceed to Step 7. For devices running macOS 10.13.2 and above, proceed to Step 5.

5. Enter the admin user name and password to install the MDM profile.

6. Once the process is complete, the Workspace ONE Intelligent Hub displays an Enrollment Complete screen and the device immediately begins receiving the configurations assigned by the administrator.

7. Follow the Onboarding Experience UI in Workspace ONE Intelligent Hub that displays the status information on the progress of active installation of apps and resources and notifies the user. The Onboarding Experience UI is displayed only if the admin has enabled Post-Enrollment Onboarding Experience in the console.

   For more information, see Enable Post Enrollment Onboarding Settings.

8. Click Continue to transition to the Hub's default Account screen.

   For more information on Workspace ONE Intelligent Hub for macOS and its deployment, see Enable the Workspace ONE Intelligent Hub Post-Enrollment Installation section.

macOS Workspace ONE Intelligent Hub Download

The quickest and the easiest option available for downloading the Workspace ONE Intelligent Hub is from getwsone.com. The most recent version of the Workspace ONE Intelligent Hub is present and requires no authentication. However, you can also download the Workspace ONE Intelligent Hub for macOS devices at any time by logging into UEM console.

Download options:

• Workspace ONE UEM console – Navigate to Groups & Settings > All Settings > Devices & Users > Apple > Apple macOS > Hub Application and select Download Hub.

If the hub is installed after the device enrollment, then the Hub icon appears in the macOS Menu Bar indicating it is active and no additional end-user interaction is necessary.

If the hub is installed before the device enrollment, then after the installation the device begins prompting the user for the enrollment authentication.

Enable the Workspace ONE Intelligent Hub Post-Enrollment Installation

If you are using web-based enrollment, enable the Workspace ONE Intelligent Hub to be installed on devices after enrollment through the Web.

If you are enrolling using a method that does not use the Workspace ONE Intelligent Hub such as web-enrollment or automated enrollment via Apple Business Manager, you can configure Workspace ONE to automatically install the Workspace ONE Intelligent Hub.

1. From the UEM console Dashboard, navigate to Devices > Device Settings > Apple > Apple macOS > Intelligent Hub Settings.
2. Click Enabled for Install Hub after Enrollment to automatically install Hub on devices after enrollment.
3. Select Save.

Enable Post Enrollment Onboarding Settings

For the past few years, administrators have been shifting from imaging-based workflows to just-in-time provisioning over-the-air. It is important to be able to inform end-users of what's happening while their device is getting set up. Workspace ONE Intelligent Hub now displays and notifies the status of applications that are actively being downloaded and installed when enrolling a macOS device. This feature also provides administrators a basic way to customize an experience to greet the user during setup.

Enable and Customize the Post-Enrollment Onboarding Experience

This feature can only be activated or deactivated at an Organization Group level.

1. Navigate to the Enrollment Settings page. Navigate through Settings>Devices & Users> General> Enrollment> Optional Prompt> macOS> Enable Post-Enrollment Onboarding Experience.

2. Click Enable.

3. Customize the Header, Subheader, and Body Text fields as necessary. Use UEM lookup values for personalization.

4. Configure and assign some Internal Apps or Apple Business Manager (VPP) apps with Deployment Type set to Auto.

5. Enroll a device with Workspace ONE Intelligent Hub 21.04 and later.

   Note: Enrolling through Intelligent Hub is not required. This feature works for any enrollment method, including Apple Business Manager (DEP) or Web Enrollment. When installed, Intelligent Hub, will automatically detect the enrollment and automatically launch the experience.

Directly after enrollment, Intelligent Hub will automatically launch, displaying your customizations and tracking all apps which are set to Automatic deployment.

Stage Single User Domain-Bound Web-Based macOS Enrollment

Single-User Device Staging on the Workspace ONE UEM Console allows a single administrator to outfit devices for other users on their behalf, which can be useful for IT administrators provisioning a fleet of devices.

Prerequisites

• Create a basic user account enabled for Single User Staging.
• Create a basic user account or directory user account. See Basic User Accounts and Directory-Based User Accounts in Console Basics guide.

The following steps describe how to configure single-user staging for devices enrolling with Apple Business Manager:

1. Configure a macOS device profile with the Directory Payload assigned to your devices that must be staged. See Configure a Directory Profile in macOS Device Profiles section.

2. On your Mac device, create a local administrative macOS account.

3. Log in to macOS using the local macOS account and enroll with Safari using the staging credentials you created in Prerequisites section. See Enrollment with macOS Intelligent Hub.

4. To check if the device is domain bound, perform the following steps:

   1. Navigate to Terminal.app.

   2. Enter id '<intended user's AD username>`.

      The command returns information about the user.

5. Log out of the local administrative macOS account.

6. At the macOS Login Window, the end-user must log in with their domain-based username and password.

Workspace ONE UEM assigns the device to the end user and begins sending profiles and apps which are assigned to the user.

Stage Single User Domain-Bound macOS Enrollment Using Apple Business Manager

Configure single-user staging for devices enrolling with Apple Business Manager.

Prerequisites

• Create a basic user account enabled for Single User Staging.
• Create a basic user account or directory user account. See Basic User Accounts and Directory-Based User Accounts in Console Basics guide.
• Enable automated device enrollment. Sign up for Apple Business Manager in https://business.apple.com/. Enroll devices using Apple Business Manager. See Apple Business Manager - Device Enrollment Program in Apple Business Manager guide.

1. In your device enrollment profile, set the following options:

   • Authentication setting: ON
   • Await Configuration : ENABLED
   • Account Setup: SKIP
   • Create New Admin Account : YES and configure Admin Account details

2. Configure a macOS device profile with the Directory Payload assigned to your devices that must be staged. See Configure a Directory Profile in macOS Device Profiles section.

3. Start the Mac device to Setup Assistant and begin the enrollment process into Workspace ONE UEM when prompted.

   • Authenticate to Workspace ONE UEM using the user account configured for Single-User Staging (from Prerequisites section).
   • When the device enrolls during the Setup Assistant, the profile containing the directory payload is installed during the AwaitConfiguration phase. This binds macOS to your network-based directory service.
   • Any other profiles and apps assigned to the device using assignment group are sent to the device.

4. At the macOS login window, a green dot indicates that network accounts are avaible.

5. When the user logs in with their domain-based username and password, Workspace ONE UEM assigns the device to the end user and begins sending profiles and apps which are assigned to the user.

6. Validate the device record has synced from Apple Business Manager:

   • Navigate to Devices > Lifecycle > Enrollment Status in the Workspace ONE UEM console and change the layout to Custom.
   • Ensure the device to be staged has synced from Apple Business Manager.
   • Ensure that Token Type is Apple Enrollment.
   • If the device has no Token Type, navigate to Devices > Devices Settings > Apple > Device Enrollment Programand click Sync Devices.

7. Validate the device record has the correct Device Enrollment profile:

   • Navigate to Devices > Lifecycle >Enrollment Status in the Workspace ONE UEM console and change the layout to Custom.
   • Ensure that the Profile Name matches the profile you created in Step b.
   • If Profile Name is incorrect, select the check box next to the devices to be enrolled and navigate to More Actions > Assign Profile > select the profile you created in while you created device enrollment profile > Save. Note: In single-user staging, only the first network-based user to log in will be the Workspace ONE managed user account. Any logins by subsequent or different network-based users will not receive user-based profiles and apps.

   Note: When the device is enrolled to the Single User Staging user, the logged-in user is not yet associated to the enrollment user. Once the first network directory-based account logs in to the Mac, Workspace ONE UEM associates the logged-in user to a user account in Workspace ONE UEM. The new directory account becomes both the enrollment user and managed user.

   It is not recommended to set the Authentication setting set to OFF in your DEP profile. For more information, see Best Practices using Apple Device Enrollment Program (DEP)

Stage Multi-User Domain-Bound macOS Enrollment

Multi-user device/shared device staging allows an IT administrator to provision devices intended to be used by more than one user. Multi-User staging allows the device to change its assigned user dynamically as the different network users log into that device.

Multi-User Staging Using Web-Based Enrollment

Configure multi-user staging for devices enrolling with Web-Based enrollment.

Prerequisites

• Apple device running macOS version 10.13.0 (High Sierra) or later
• Workspace ONE UEM version 9.4 or later
• Create a basic user account enabled for multi-user staging.

To configure Multi-User Staging Using Web-Based Enrollment, perform the Steps from 1-6 as described in Stage Single User Domain-Bound Web-Based macOS Enrollment.

Multi-User Staging Using Apple Business Manager Enrollment

Configure multi-user staging for devices enrolling with Apple Business Manager.

To configure multi-user staging using Apple Business Manager, perform the Steps 1-7 as in Stage Single User Domain-Bound macOS Enrollment Using Apple Business Manager.

Note: When the device is enrolled to the multi-user staging user, the logged-in user is not yet associated to the enrollment user. Once the first network directory-based account logs in to the Mac, Workspace ONE UEM associates the logged-in user to a user account in Workspace ONE UEM. The new directory account becomes both the enrollment user and managed user.

It is not recommended to set the Authentication setting set to OFF in your DEP profile. For more information, see Best Practices using Apple Device Enrollment Program (DEP).

Stage Single-User Non-Domain macOS Enrollment

When staging without domain binding, the only local macOS user account that can be managed by Workspace ONE UEM is the local user that installs the enrollment profile.

Pre-Register Single-User Staging Using Agent-Based Enrollment

By pre-registering a user-to-device manually or through batch import, the IT Admin can enroll the device and assign it to the user without needing to know the end user's directory credentials. In this way, the IT administrator delivers the device ready to go with only a known set of local macOS login credentials. Once the user logs into the known local macOS account given to them by the IT admin, they can change the password to match their directory credentials (or by using the built-in Kerberos SSO extension, the user can be guided through syncing the local account to their directory account).

Prerequisites

• Create a basic user account enabled for Single User Staging.
• Create a basic user account or directory user account. See Basic User Accounts and Directory-Based User Accounts in Console Basics guide.
• Enable automated device enrollment. Sign up for Apple Business Manager in https://business.apple.com/. Enroll devices using Apple Business Manager. See Apple Business Manager - Device Enrollment Program in Apple Business Manager guide.

Agent or Web Single-User Staging for Local Users with Pre-Registration

1. Bulk import Device-to-User registration record within the Devices > Lifecycle > Enrollment Status page:
   • Click Add > Batch Import and use the simple template and example for users and devices listed on the Batch Import page.
   • Modify the sample CSV by entering only the Username, FirstName, LastName, GroupID, Security Type (Directory or Basic), and DeviceSerial.
   • Note: Devices can be manually added individually from the Enrollment Status page by clicking Add > Register Device and enter the same required information described above.
2. On your Mac device, proceed through the Setup Assistant as normal. Ensure the local macOS account created is the username you want to give the end user of the machine.
3. Enroll with macOS Hub using the Staging User credentials you created in Step 1.
   • When the device enrolls, Workspace ONE UEM assigns the device from the staging user to the user you specified in Step 1 using bulk import.
   • Any profiles and apps assigned to the enrollment user (specified by bulk import) are sent to the device when the local macOS user account you used in Step 3 is logged-in.

Agent or Web Single-User Staging for Local Users with API

Note: The process to check out a device to an enrollment user can be used when the device-to-user assignments are not known. In this use case, the code mentioned in Step 6 is included in a larger onboarding workflow and native application.

1. Create a basic user account configured for single user staging in Workspace ONE UEM.
2. Create a local administrative macOS account.
3. Ensure that the local macOS account created is the username you want to give the end user of the machine.
4. Log into macOS with the newly created local user account.
5. Using the Staging User credentials you created in Step 1, enroll with macOS Intelligent Hub
6. While logged in as the user that enrolled in Step 5, call the Workspace ONE UEM REST API to check out the device to the correct enrollment user.

REST API details:

https://%3CAPI\_Server%3E/api/help/\#!/DevicesV2/DevicesV2\_CheckOutDeviceToUser

PATCH /api/mdm/devices/{id}/enrollmentuser/{enrollmentuserid}
* {id} - Workspace ONE UEM Device ID
* {enrollmentuserid} - Workspace ONE UEM Enrollment User ID
* Accept - application/json:version=2

Note: When the end-user logs in with the new local user, Workspace ONE UEM considers that macOS user to be the managed user and automatically sends any new apps/profiles targeted to the enrollment user.

Pre-Register Single-User Staging Using Apple Business Manager Enrollment

Configure single-user staging for local users with pre-registration using Apple Business Manager enrollment.

1. Apple Business Manager Single-User Staging for Local Users with Pre-Registration
   1. Create a basic Workspace ONE UEM user account configured for single-user staging.
   2. In your Device Enrollment profile, set the following options:
      • Authentication setting: OFF.
      • Staging Mode : Single User Device
      • Default Staging User : Basic User
      • Await Configuration : ENABLED.
      • Account Setup: DON'T SKIP
      • Optionally, set Create New Admin Account to YES and configure Admin Account details for a hidden IT administrator account.
   3. Validate the device record has synced from Apple Business Manager:
      • Navigate to Devices > Lifecycle > Enrollment Status in the Workspace ONE UEM console and change the layout to Custom.
      • Ensure the device to be staged has synced from Apple Business Manager.
      • Ensure that Token Type is Apple Enrollment.
      • If the device has no Token Type, navigate to Devices > Devices Settings > Apple > Device Enrollment Programand click Sync Devices.
   4. Validate the device record has the correct Device Enrollment profile:
      • Navigate to Devices > Lifecycle > Enrollment Status in the Workspace ONE UEM console and change the layout to Custom.
      • Ensure that the Profile Name matches the profile you created in Step b.
      • If Profile Name is incorrect, select the check box next to the devices to be enrolled and navigate to More Actions > Assign Profile > select the profile you created in Step b > Save.
   5. Bulk import the Device-to-User registration record within the Devices > Lifecycle> Enrollment Status
      • Click Add > Batch Import and use the simple template and example for users and devices listed on the Batch Import page.
      • Modify the sample CSV by entering only the Username, FirstName, LastName, GroupID, Security Type(Directory or Basic), and DeviceSerial.
      • Note: Devices can be manually added individually from the Enrollment Status page by clicking Add > Register Device and enter the same required information described above.
      • Reload the Enrollment Status page and ensure that device to be staged has a User name assigned and still has a Token Type of Apple Enrollment.
   6. On your Mac device, proceed with the enrollment process in Setup Assistant and when the device enrolls, Workspace ONE UEM automatically assigns the device from the staging user to the user you specified in Step e using bulk import (the enrollment user).
2. Apple Business Manager Single-User Staging for Local Users with API

   1. Follow the steps from Step a to Step d as described in Apple Business Manager Single-User Staging for Local Users with Pre-Registration.

   2. Use the Workspace ONE UEM REST API to check out the device from the staging user to the correct enrollment user.

      REST API details:

       https://%3CAPI\_Server%3E/api/help/\#!/DevicesV2/DevicesV2\_CheckOutDeviceToUser
      
      

      PATCH /api/mdm/devices/{id}/enrollmentuser/{enrollmentuserid}
      * {id} - Workspace ONE UEM
      * {enrollmentuserid} - Workspace ONE UEM Enrollment User ID
      * Accept - application/json:version=2
      

Apple Business Manager

Devices can also be staged through Apple Business Manager's Device Enrollment Program (DEP). DEP is a streamlined staging method that is best for corporate-owned devices.

DEP on macOS enables you to:

• Apply standard staging to devices.
• Configure Setup Assistant panes to skip during installation.
• Enforce enrollment for all end users.
• Customize and streamline the enrollment process to meet your organization's needs.
• Hold a device in the Awaiting Configuration state when it reaches the Setup Assistant screen.
• Create a local Hidden Admin account and allow end users to skip the Account Creation screen.

For additional Apple information, see the Apple Business Manager Guide or contact your Apple Representative.

Custom Bootstrap Packages for Device Enrollment

In a typical device enrollment, the Workspace ONE Intelligent Hub must be installed on a device before any other installer packages can be run. The Bootstrap Package allows installer packages to deploy to a device immediately after the device is enrolled.

Bootstrap Packages

Workspace ONE UEM uses the latest Apple MDM commands for deploying Bootstrap Packages. For enrolled devices on macOS 10.13.6 and higher, the InstallEnterpriseApplication command is used. For macOS 10.13.5 and lower devices the legacy InstallApplication command is used.

Historically, the Workspace ONE Intelligent Hub handles the download and installation of application files. Bootstrap Packages allow .pkg files to install immediately after enrollment whether or not the Workspace ONE Intelligent Hub is installed.

You may want to use alternative tools for device and application management. Bootstrap package enrollment comprises an enrollment flow paired with a bootstrap package that installs the alternative tooling and configures the device before the end user begins using the device.

Bootstrap Package Use Cases

Bootstrap Packages may be useful in certain deployment scenarios. This list is not exhaustive.

• You want to create a custom-branded end user experience, such as launching a window as soon as enrollment completes, to inform the user about the installation process and instruct them to wait to use the device until provisioning and installation complete.

• Your deployment does not include the Workspace ONE Intelligent Hub, but you still have critical software to deploy to devices.

• You want to use Munki for Application Management, and need the Munki client to install immediately after enrollment so the user can begin installing apps, rather than going through the Workspace ONE Intelligent Hub and AirWatch Catalog.

• Your deployment only uses MDM for certificate management and software management, and uses Chef or Puppet for configuration management. In this configuration, Chef or Puppet must be installed as soon as enrollment completes to finish configuring the device.

Bootstrap Package Creation

Bootstrap packages are deployed to the device as soon as enrollment completes. Bootstrap packages deployed from the Console will not deploy to existing enrolled devices unless the devices are specifically queued using the Assigned Devices list for the package.

You must create packages before you deploy them. There are several tools available that can create a package for use in the Bootstrap Package functionality. Created packages must meet two criteria:

• The package must be signed with an Apple Developer ID Installer Certificate. Only the package needs to be signed, not the app, since the Apple Gatekeeper does not check apps installed through MDM.
• The package must be a distribution package (product archive), not a flat component package.

When you have created a bootstrap package, you must deploy the package to your devices. For more information, see Deploy a Bootstrap Package.

Deploy a Bootstrap Package

Bootstrap packages allow you to make your end users' devices usable sooner after the device enrolls than a traditional enrollment. Once you have created a bootstrap package, you must deploy the package to your devices.

Prerequisites

You must create bootstrap packages before you deploy them. There are several tools available that can create a package for use in the Bootstrap Package functionality. For more information, see Custom Bootstrap Packages for Device Enrollment.

1. Navigate to Resources > Apps > Internal > Add Application.

2. Upload a .pkg file that meets these requirements:

   1. Package must be signed with an Apple Developer ID Installer certificate.

   2. Package must be a distribution package.

      For more information about the bootstrap package requirements, see Custom Bootstrap Packages for Device Enrollment

3. Select Continue and modify the items in the Details tab and the Images tab if necessary.

4. Select Save & Assign, and then select Add Assignment to configure the App Delivery Method.

   By default, the App Delivery Method is set to Auto. In this configuration, the assigned bootstrap package will only install on newly-enrolled devices.

   To install the bootstrap package on enrolled devices, select On Demand. On-Demand package deployments require you to manually push the package to devices.

   To manually deploy a bootstrap package to enrolled devices, navigate to Applications > Internal Apps > List View. Select the package you want to assign to open the Application Details. Use the Devices tab to select devices to push the package to.

Bootstrap Package Status Messages

Workspace ONE UEM displays the status that describes the bootstrap package installation progression.

To view the App status, Navigate to Apps tab in Device Details.

For each managed application, the following messages are displayed based on the assignment type when you hover the mouse over the App status:

Action	Assignment Type	App Status	Bootstrap Package Status
Install Command Dispatched	Auto/OnDemand	Bootstrap Package Assigned and Install command dispatched, Last Action Taken: Install Command Dispatched, Timestamp: Date/Time	Bootstrap Package assigned and install command acknowledged.
Install Command Ready For Device	Auto/OnDemand	Bootstrap Package assigned but install command not acknowledged yet, Last Action Taken: Install Command Ready for Device, Timestamp: Date/Time	Bootstrap Package assigned but install command not acknowledged yet.
None	Auto	Bootstrap Package assigned but device was already enrolled. It is available for on-demand deployment but has not been requested, Last Action Taken: None, Timestamp: None	Bootstrap Package assigned but device was already enrolled. It is available for on-demand deployment but has not been requested.
None	Auto/OnDemand	Bootstrap Package assigned for on-demand deployment but has not been requested, Last Action Taken: None, Timestamp: None	Bootstrap Package assigned for on-demand deployment but has not been requested.