Enroll Mac Computers with Automated Device Enrollment
Automated Device Enrollment is a great way to enroll your Mac computers using Mosyle Manager: it lets you set all the necessary deployment configurations while taking full advantage of zero-touch deployment. It will improve your workflows and save you time.
In this section, you will learn how to deploy Mac computers that are associated with your Apple School Manager account.
- First, navigate to “My School” from the menu at the bottom and click on “Enrollment” from the Basic Setup area on the menu on the left. Then, select your Apple School Manager account and click on “New profile”.
- Name the profile and select the options you'd like to activate on the Mac computers when the Automated Device Enrollment profile is applied to the devices. The following options are checked by default:
Install MDM Profile (mandatory)
Do not allow manual removal of the MDM
- You can also enable the configurations:
Allow user-initiated Activation Lock. Enabling this option allows the device to be locked at the Activation Lock screen with the user’s Apple ID if “Find my Mac” is enabled by the user and the device is wiped. By default, supervised devices are not locked with User-Initiated Activation Lock. If needed, you can unlock a device locked in Activation Lock via the Device Info in Mosyle. Important note: this feature is only available for macOS 10.15+ on devices with the Apple T2 Security Chip.
Allow Bootstrap Token. Before macOS Catalina, on the first login of a Mobile Account, Administrator credentials with SecureToken are requested to enable SecureToken for the new user account. The Bootstrap Token eliminates this additional step when a network user is creating a mobile account on a Mac with an encrypted volume.
- Next, select the model of the deployment: Limbo, 1:1 users or Shared Groups. When choosing 1:1 users, you can choose the authentication method right away. You can check below how to proceed with configuring devices for Mac Labs.
After the enrollment allow device usage - devices will be placed in limbo until the user logs in. When choosing this option, we recommend using the Assign Devices feature available on the My School tab to assign the Mac computers to the users by uploading spreadsheets with the required information.
Required user authentication. When choosing this method, you can select to use the Mosyle Manager app to authenticate and assign the devices to users. If your school uses Active Directory, make sure to select the option "Authentication with AD during Setup Assistant".
Important note: to select the option "Authentication with AD during setup assistant", please make sure to integrate the Active Directory properly with Mosyle Manager. Check out how to do it in the section about Active Directory.
Heads up: on macOS 10.15+, you can force user authentication with Mosyle credentials or your Identity Provider (Single Sign-On) during the Setup Assistant. To do that, you just need to enable "Customize Setup Assistant" and add the screen "Mosyle User Authentication" or "Single Sign-On Authentication".
- Next, make sure to check the “Return devices to assignment model selected above after wipe” option.
- By default, after a device is wiped it will maintain the previous assignment. For example: if a device was enrolled and assigned as a 1:1 device to a student, after being wiped it will re-enroll and maintain the assignment to the student rather than using the assignment of the Device Enrollment Profile. By checking this option, if the device is wiped it will re-enroll in "Limbo" status, respecting the Device Enrollment Profile configuration.
- Next, configure the Customize Setup Assistant. This capability is available only for macOS 10.15+. Set a customized screen during the Setup Assistant, adding organization-based content and a modern user authentication method. To do it, click “Manage Screens”.
- Here you will be able to personalize the screens by changing the font and color. It’s possible to add different steps to the Setup Assistant, including Welcome Screen, Set Enrollment Passcode, End User License Agreement Screen (EULA), Add to a Shared Group, Mosyle User Authentication and Single Sign-On Authentication. Use the “+ Add Screen” button to add the necessary steps and rearrange the order by using the drag and drop feature. When you are done, click the check icon at the top right of the window.
- Next, select the devices that will receive the configurations. You can also check the option to make the Automated Device Enrollment profile a default profile and automatically assign it to all new devices and current devices without a profile assigned.
- Choose all the options you want to skip on the Setup Assistant when the end-user starts the Mac computer for the first time. We recommend skipping all of the options except “Skip Activation of location services”.
- Now, select the options for Account Configuration. On macOS 10.11 and later it's possible to configure the accounts during the Setup Assistant.
- You can choose to prompt the user to create an account. This will prompt the user to create a local account and auto login.
- Next, select the type of user that will be created on the prompt. If you choose Standard, keep in mind that macOS requires at least one Administrator user. For this reason, if you select this option you must create an additional local admin below.
- You can choose to pre-fill account information using variables such as name and username/account name. It's possible to select the option to not allow the user to modify the pre-filled information above. If checked, the user will not be allowed to modify the account full name and/or account name, as they will be read-only. This configuration is only available for devices running macOS 10.15+.
- Finally, you can check the option "Create additional local admin during Automated Device Enrollment". Heads up if you are using a Single Sign-On profile. Here you can indicate the name, username and password for the user. If you would like to hide the additional local admin account from users, check the box beneath it to hide the account.
- You can enter the phone number and email for your institution for support. This step is not mandatory.
- Finally, enter how you would like to rename the devices after enrollment, using the available variables.
Important note: If you have a Single Sign-On profile configured for Mosyle Auth, the Mosyle Auth will be automatically installed during the Setup Assistant replacing the Login Window with Mosyle Auth.
Heads up: for Mosyle Auth to work properly on Setup Assistant, you must not check "Prompt user to create an account".
Mosyle Manager also offers advanced configuration options to be installed on the devices during the enrollment process. You can check the option "Install the InstallApplication" PKG, which allows you to install any signed PKG from other management software (such as Munki). You can also configure NoMAD in this step. We provide all the details of this workflow within the Mosyle Manager platform.
Important Note: If the devices are still boxed, they will receive a Device Enrollment (DEP) configuration during the Setup Assistant steps on the device (first steps). If the devices have already been used, they must be formatted to receive this Device Enrollment (DEP) configuration.
If your devices are running macOS 10.12.4 or later, and you don’t want to format them, you can use the Terminal to apply this Device Enrollment (DEP) configuration profile by running the command below that matches the macOS version.
- For macOS 10.12.4 through 10.13.4 use: sudo profiles -N
- For macOS 10.13.4 and later use: sudo profiles renew -type enrollment
Heads up: You must have Admin rights to the Mac in order to run this command.
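An added example, not part of Mosyle's documentation: a shell helper that picks the command from the macOS version ranges listed above and then checks whether the Mac reports the enrollment. The function names, the --apply/--check switches, the choice of the renew form at exactly 10.13.4 (which appears in both ranges) and the sample status text are assumptions made here.

```shell
#!/bin/sh
# Added example (not Mosyle's code). Function names and switches are hypothetical.

# "10.13.4" -> 101304; missing fields count as 0.
ver_key() {
  old_ifs=$IFS; IFS=.
  set -- $1
  IFS=$old_ifs
  echo $(( ${1:-0} * 10000 + ${2:-0} * 100 + ${3:-0} ))
}

# Print the command for a macOS version; return 1 below 10.12.4,
# where the page's only route is formatting the Mac.
enrollment_cmd() {
  key=$(ver_key "$1")
  if [ "$key" -lt 101204 ]; then
    return 1
  elif [ "$key" -lt 101304 ]; then
    echo "profiles -N"
  else
    # 10.13.4 appears in both ranges on the page; assumption: use renew.
    echo "profiles renew -type enrollment"
  fi
}

# Read `profiles status -type enrollment` output on stdin.
# Assumption: enrolled Macs report the line "Enrolled via DEP: Yes".
is_dep_enrolled() {
  grep -q '^Enrolled via DEP: Yes'
}

# Constructed sample of the status output, for offline testing.
SAMPLE_STATUS='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)'

case "${1:-}" in
  --apply)
    cmd=$(enrollment_cmd "$(sw_vers -productVersion)") || {
      echo "macOS older than 10.12.4: format the device instead" >&2; exit 1; }
    sudo $cmd ;;
  --check)
    if profiles status -type enrollment | is_dep_enrolled; then
      echo "Enrolled through Automated Device Enrollment"
    else
      echo "Not enrolled through Automated Device Enrollment" >&2; exit 1
    fi ;;
esac
```

Run it with --apply from an admin account, then with --check to confirm the result.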
Shared Mac for Mac Labs using Automated Device Enrollment
To enroll the Mac computers that are in your Apple School Manager account as Shared Macs, you should create the Shared Cart before configuring the Automated Device Enrollment profile.
- First, click "My School" from the bottom menu and select "Shared Macs" from the menu on the left.
- Click “+ Create new group” and name the group based on where or how it is used (for example, Building 12 Cart or 1st Grade Cart) and select if you want location information to be requested periodically.
- Choose the location(s) to which the Shared Mac Group belongs.
- Select the devices. If you have not yet enrolled any devices, just click "Save".
When configuring the Automated Device Enrollment management profile, choose the option Shared Macs when selecting the model of deployment and select the group you created to proceed with the configuration.