The Complete Guide to Mac Deployment for Schools

written by Mosyle Team

Mac computers, with their wealth of capabilities, are great for learning environments. Beyond the usual hurdles of deciding how to enroll, deploy and manage devices, IT departments may face difficulties specific to macOS that do not arise when deploying iPad devices.

Following proper procedures for each step of enrolling, deploying and managing macOS devices helps prevent these issues. When you enroll, deploy and manage Apple devices correctly, you give your students and teachers a better experience and save your IT department time and effort, especially with zero-touch deployment.

Based on feedback and frequently asked questions, Mosyle has pulled together information about enrolling, deploying and managing macOS devices that can help your IT department better prepare for deployment. Continue reading to learn more about Mac deployment in your school.


1. What is Mac deployment?

Mac deployment is enrolling and setting up macOS devices, applying the configurations and integrations needed and deploying applications and software, as well as ensuring security compliance within a school or district’s environment using an MDM solution.

Mac computers are proving to be very powerful devices for education, especially in the 1:1 model for high school students or in schools’ Mac labs. Several schools using our Apple device management solution have already started scaling their Apple programs by integrating more of these devices into their classrooms.

Mac computers can have a strong impact on learning outcomes. They equip students and teachers with powerful tools and resources that inspire collaboration, support students in project development and build critical skills that will matter when they enter the workforce.

We’re glad that you’re reading this guide to deploy Mac computers for K-12 in the easiest and most intuitive way. We’ll help you along your deployment journey!

All the information we share in this guide is general for Mac deployment, so we always recommend that you contact customer support for your specific MDM solution.

If you don't have a Mosyle Manager account, try our MDM solution made exclusively for education with the best personalized onboarding process and Support Team. Create a free Mosyle Manager account today.

2. How do you prepare the MDM solution for your macOS devices?

When you’re getting ready for the school year, it’s important to add your end-users for ease of management, including teachers, students and staff. Importing your school’s hierarchy is easy. Depending on whether you already have a hierarchy or roster, there are a few different ways you can do this.

If you do have a list ready to be imported, you can either import your school’s hierarchy into the MDM solution by integrating Apple School Manager, or use other methods. If you don’t already have your list of users, you can create your roster directly in the MDM solution.

We’ll go over the ways you can complete this important step of your Mac deployment process, starting with Apple School Manager.

Integrate Apple School Manager

Apple School Manager (ASM) gathers all the information you need to deploy and manage your devices all in one web-based portal. It combines Automated Device Enrollment and the Apps and Books area, allowing you to automate supervision and enrollment.

If your school doesn't have an Apple School Manager account yet, just visit school.apple.com and submit your school’s information. If you already have an account, make sure you have properly set it up with the user accounts, and added your MDM server to the Apple School Manager account.

You can combine Mosyle’s Single Sign-On (SSO) and Mosyle Auth with the federated authentication that links Apple School Manager to Microsoft Azure Active Directory (AD). This gives students and teachers the easiest experience, because their AD usernames and passwords serve as Managed Apple IDs. With one credential, students and teachers can assign their Apple devices, log in to the Mac and access their resources.

Important note: When creating a link between Mosyle Manager and Apple School Manager, make sure that you first integrate ASM with Microsoft Azure AD and then integrate Microsoft Azure AD with Mosyle Manager.

Add school's hierarchy using other methods

You can also easily import your school’s hierarchy or roster by integrating Active Directory with your MDM solution. Doing it this way also makes it easier to authenticate your end-users because it seamlessly works with SSO, which we will cover later.

You can also download a CSV or XLSX file, add your users to the downloaded template and upload the hierarchy or roster to Mosyle Manager. For the CSV files, you can upload separate rosters for students, teachers and classes. For XLSX files, you can upload a single file with separate tabs for students, teachers and classes.

If you don’t already have a hierarchy or roster to import, you can easily create users within Mosyle Manager. In addition, when you’re creating user profiles for students, you can also assign them to grade levels and class periods. However, this manual import of users is not recommended for larger operations.

Another option is to connect data integration with other solutions through Mosyle Manager’s API capabilities. If you are considering using Mosyle’s API option, submit a ticket to our Support Team and we’ll provide you all the information you require to make your decision.

Next up, we’ll go over different ways to enroll your Mac computers.

3. What are the methods for enrolling Mac computers?

One of the most important steps when deploying Macs at schools is enrolling them in the MDM solution and assigning them to users (students, teachers and staff). In most cases, this must be done before any other part of the device management process. There are a few different ways to enroll Macs using your MDM solution, and we’ll cover them in this section.

Enroll a Mac using Automated Device Enrollment in Apple School Manager

In the previous section, we went over how integrating Apple School Manager to the MDM solution automates device enrollment. This zero-touch Apple device deployment method for organization-owned devices is made possible with the integration of ASM, and it is perfect for large deployments. When it comes to streamlining the enrollment process, this method is the best.

Important note: In order to manage your Mac computers in an MDM solution through Apple School Manager, your devices must be associated with your Apple service account. You can assign devices to your MDM servers within your Apple School Manager account using the device serial number or order number, or by uploading a CSV file listing all unassigned device serial numbers.

When you’re configuring your Automated Device Enrollment profile, make the proper selection for “The devices of this profile will be used in which model?” within the MDM solution. This is where you specify whether your school is using the 1:1 device program, the shared device program, or whether your devices are still in limbo, which means they are not assigned to any users yet. If your Macs will be used in labs, you can choose Devices for Shared Users.

During the Automated Device Enrollment profile configuration, you can also integrate certain third-party software to further streamline your Mac deployment workflow. For example, you can upload a signed PKG from a third-party vendor and it will be installed during enrollment, giving students a better, more straightforward experience.

Pro tip: In order for the necessary configuration settings to be applied to your Mac computers so they can be managed by the MDM, you must wipe and restart your devices if they are not new. See the detailed explanation in our Help Center.

Enroll a Mac computer using Manual Enrollment

Manual Enrollment uses a URL, provided by Mosyle Manager, which allows for individuals to manually enroll each device in the MDM solution. For Mac computers not enrolled in Apple School Manager, we suggest using the limbo enrollment method, which means that the devices have been enrolled but not yet assigned to a user (this can be done later). This enrollment method works best for small deployments and devices that are not in ASM. If you have more questions on Manual Enrollment, check out our article here.

Enroll a Mac computer using User Enrollment for BYOD

User Enrollment, meant for Bring Your Own Device (BYOD), uses Managed Apple IDs created through Apple School Manager to connect the user to the device in the MDM solution. As the devices are not owned by the institution, IT will have limited control over the restrictions and policies allowed on the devices. These restrictions and policies are linked to the Managed Apple ID instead of the device, which helps secure user information in BYOD situations.

What about the User Approved settings on Mac computers?

User Approved MDM (UAMDM) enrollment gives MDM software added permissions beyond what the previous macOS MDM enrollment type allowed. It was introduced to improve security on the Mac and became available starting with macOS High Sierra (10.13.2).

User Approval is required to manage any security settings on a Mac that was enrolled in the MDM solution outside of Automated Device Enrollment in Apple School Manager. More detailed information on User Approved MDM Enrollment is available on our blog.

UAMDM also allows an admin to whitelist Kernel Extensions (KEXTs for short), which are modules of code that plug into the Mac’s OS to perform various tasks. This is one of the main benefits of using the User Approved MDM option when managing Apple devices.

In the next section, we’ll cover how to install applications and software onto your Mac computers.

4. How do you push software onto Mac computers?

Having Mac computers in schools is a great way to provide teachers and students with the tools they need to succeed. However, that’s only one part of Mac deployment. It’s also necessary to give them access to the appropriate apps and software.

Installing software and apps onto Mac computers can be a time-consuming process when done manually or individually, but there’s an easier way to remotely install them to your school's Mac fleet. There are a few different installation methods that depend on where the app is hosted.

If the app is hosted on the Mac App Store, you can install it onto devices through Apple School Manager (ASM) in the Apps and Books area. If the application is not hosted on the Mac App Store, you can install a PKG profile for the application or software you need. For example, if you want to install Adobe software on your Mac computers, you can create an Install PKG profile to install it. More information and instructions on installing PKGs are available in our Help Center.

As with most profiles on Mosyle Manager, you can choose any combination of devices and/or users to assign the profile to. This provides a great amount of flexibility when it comes to installing applications and software for specific groups of users or devices.

Installing apps on Macs using Apps and Books

To make sure your Apple Apps and Books account is connected properly, check that your Apps and Books token is integrated with the MDM solution. When setting up Apps and Books within Mosyle Manager, you can use separate accounts for the different locations you created in Mosyle.

You can also choose to give teachers permission to install apps on student devices from the licenses purchased through Apple’s Apps and Books. This is particularly useful if teachers need to add applications during class for their students to use.

Tip: Check the amount of content licenses. Ensure that the number of licenses is enough for the number of users and devices. Otherwise, the command will not go through.

An app we recommend installing is the Mosyle Agent app or Self-Service app, which allows users to install apps and software, including PKGs, on their devices as well as help manage the devices.

How to install apps using PKGs

If the app is not available on the Mac App Store, you can use PKG files, scripts or custom commands to install apps and software on Macs through your MDM solution. The basic workflow is: create the PKG file on one Mac, host the file with a cloud hosting service and install it remotely using your mobile device management solution.

Mosyle Manager has an Install PKG tab to help make this process easier. When using this installation process, it’s important to generate and host the PKG first.

If you are choosing to generate the PKG file through Mosyle Manager, there are two options. The first is generating it on the Mac that you are on currently, which is the option we highly recommend. The second is to generate it remotely if the software is installed on another Mac device.

Distribute the file and choose whether to set the App info automatically, which hosts the PKG file on a public link served over HTTPS (SSL), or to set the App info manually. If you set the App information manually, you will need the correct Version and Bundle ID of the application.
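The steps above (build the PKG on one Mac, then enter its Version and Bundle ID in the MDM) are easy to get wrong when the values are typed by hand. The script below is an added example, not Mosyle’s own code or a tool from its Help Center: it reads CFBundleIdentifier and CFBundleShortVersionString straight from the app’s Info.plist and composes the pkgbuild and productsign command lines from them, so the package you upload carries the same identifier and version you enter in the Install PKG profile. The app name, signing identity and output directory are placeholders, and the Info.plist fragment at the bottom is constructed for trying the parser.

```shell
#!/bin/sh
# Added example (not Mosyle's code): build a signed installer PKG for an app that
# is already installed on the admin's Mac, taking the Bundle ID and Version from
# the app's own Info.plist so the values entered in the MDM match the payload.
# Assumed tools: pkgbuild and productsign (ship with Xcode's command line tools).
# The app name, signing identity and output directory are placeholders.

# Extract one <string> value from Info.plist XML read on stdin. The <key> and its
# <string> usually sit on separate lines, so awk remembers when the key was seen.
plist_string() {  # $1 = key name
  awk -v k="<key>$1</key>" '
    function val(s) { sub(/.*<string>/, "", s); sub(/<\/string>.*/, "", s); return s }
    found && /<string>/ { print val($0); exit }
    index($0, k)        { found = 1; if (/<string>/) { print val($0); exit } }
  '
}

bundle_id_of() { plist_string CFBundleIdentifier         < "$1/Contents/Info.plist"; }
version_of()   { plist_string CFBundleShortVersionString < "$1/Contents/Info.plist"; }

# Print the two commands that build and sign the package, one per line, so they
# can be reviewed before being piped to a shell.
build_commands() {  # $1 app path, $2 bundle id, $3 version, $4 signing identity, $5 output dir
  name=$(basename "$1" .app)
  printf 'pkgbuild --component "%s" --identifier "%s" --version "%s" --install-location /Applications "%s/%s-unsigned.pkg"\n' \
    "$1" "$2" "$3" "$5" "$name"
  printf 'productsign --sign "%s" "%s/%s-unsigned.pkg" "%s/%s-%s.pkg"\n' \
    "$4" "$5" "$name" "$5" "$name" "$3"
}

# Constructed Info.plist fragment (not from a real app) for exercising the parser.
SAMPLE_PLIST='<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0">
<dict>
	<key>CFBundleIdentifier</key>
	<string>com.example.light</string>
	<key>CFBundleShortVersionString</key>
	<string>2.3.1</string>
</dict>
</plist>'

# Usage on the admin Mac (all values are placeholders):
#   APP=/Applications/Light.app; OUT=/tmp/pkg; mkdir -p "$OUT"
#   build_commands "$APP" "$(bundle_id_of "$APP")" "$(version_of "$APP")" \
#     "Developer ID Installer: Example School (TEAMID)" "$OUT" | sh -e
```

The generated commands are printed rather than executed so an admin can read them before piping them to sh; the signed package in the output directory is the file to host and reference from the Install PKG profile.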

If you need more information on installing applications and software through Apps and Books or PKGs, check out our Help Center. There you will be able to find a wealth of information on these installation methods as well as step-by-step instructions for creating the necessary profiles.

In the following section we’ll go over how you can install apps and software in a way that gives you even more control over the installation process.

5. How do you run scripts to apply configurations to Mac computers?

Running scripts is another way you can install applications and software onto Mac computers, and it is a key differentiator when deploying Mac computers versus iPad devices. You can also run scripts when you want to apply configurations or copy files from remote locations, such as network shares.

However, running scripts can be a complex process. There can be a lot of challenges when trying to complete this, so here are some tips to ensure that you are running your scripts properly. If you have any questions or issues, create a Ticket and our Support Team will help you solve your problems.

What is a script?

Scripts are pieces of code that run commands on macOS devices at the Terminal level. Several scripting languages are available (AppleScript, JavaScript and other third-party scripting languages). AppleScript and third-party scripting languages are generally used for writing the script itself, while JavaScript is used for automation. For example, the Terminal command “open -a Light.app” will open the Light application on the Mac computer. Keep in mind that scripts run at the Terminal level and can harm the device if they are not written correctly, so double-check your scripts or test them with Mosyle Manager’s Custom Commands profile.

Send tests of your scripts first

It’s important to test all scripts and custom commands on a single device before applying it to all your Mac devices. There are several ways you can do this, such as simply opening the device terminal application and running the script or command locally. We highly recommend that you test the command using our test panel by visiting this page and scrolling down to the custom command section.

With our MDM solution, you can remotely test the script in one of your devices first. Mosyle Manager provides a test panel in which you are able to select one or multiple devices and send the command, allowing you to test the script to make sure everything is smooth before sending the command to the rest of the fleet of Mac devices.

Run scripts at the correct scope level of the macOS device

Some scripts need to run at the user level to work properly on Mac devices, while others must be applied at the system level and run as root rather than as the logged-in user.

For example, a script that changes a Mac’s preferences usually needs to run at the user level, since those preferences are stored in the user’s Library folder. The same applies in other scenarios with other scripts and custom commands. Make sure each script is written for the scope it needs.
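The scope problem described above is the one an MDM custom command runs into most often: the command executes as root, so a preference written with plain defaults lands in root’s Library rather than the student’s. The script below is an added example, not Mosyle’s code, showing one way to choose the scope per preference: system-wide domains under /Library/Preferences are written as root, while bare reverse-DNS domains are written as the user logged in at the console through launchctl asuser and sudo. It assumes the standard macOS tools stat, id, launchctl, sudo and defaults, and the domain names in the usage comment are placeholders.

```shell
#!/bin/sh
# Added example (not Mosyle's code). An MDM custom command runs as root, but a
# preference that lives in the user's ~/Library/Preferences must be written as
# the logged-in user, or it lands in root's library and the user never sees it.
# Assumed tools: stat, id, launchctl, sudo and defaults (standard on macOS).
# Domain names below are placeholders.

# Print the short name of the user at the GUI console; fail at the login window.
console_user() {
  u=$(stat -f '%Su' /dev/console 2>/dev/null) || return 1
  case "$u" in
    ""|root|loginwindow) return 1 ;;
    *) printf '%s\n' "$u" ;;
  esac
}

# Decide the scope a defaults domain needs:
#   bare reverse-DNS name (com.example.app)  -> user, runs as the console user
#   /Library/Preferences/...                 -> system, runs as root
#   anything else                            -> refused
scope_for_domain() {
  case "$1" in
    /Library/Preferences/*) echo system ;;
    /*|~*|"")               echo unknown; return 1 ;;
    *)                      echo user ;;
  esac
}

# Prefix that runs a command inside the user's launchd session, as that user.
as_user_prefix() {  # $1 = short name, $2 = uid
  printf 'launchctl asuser %s sudo -u %s' "$2" "$1"
}

# Write one string preference at the scope its domain requires.
write_pref() {  # $1 = domain or plist path, $2 = key, $3 = value
  scope=$(scope_for_domain "$1") || { echo "refusing domain: $1" >&2; return 1; }
  if [ "$scope" = system ]; then
    defaults write "$1" "$2" -string "$3"
  else
    user=$(console_user) || { echo "no console user; skipping $1" >&2; return 1; }
    uid=$(id -u "$user") || return 1
    # Word-splitting of the prefix into separate arguments is intended here.
    $(as_user_prefix "$user" "$uid") defaults write "$1" "$2" -string "$3"
  fi
}

# Usage from a custom command (values are placeholders):
#   write_pref com.example.classroom WelcomeMessage "Welcome"     # user scope
#   write_pref /Library/Preferences/com.example.lab Mode shared   # system scope
```

When no one is logged in (the Mac is sitting at the login window), the user-scoped write is skipped and reported on stderr rather than silently written into root’s preferences, which is the failure mode that is hardest to diagnose afterwards.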

Organize scripts and their responses

Organizing all the scripts sent to devices, together with their responses, is very difficult to do manually, especially without a tool that keeps track of the script responses and helps you manage them across your Mac fleet.

It’s hard to imagine managing this by hand. Even a shared repository becomes difficult to manage once you are deploying thousands of Mac devices. An MDM solution helps by letting you run scripts on Mac computers remotely and by managing all of those custom commands in one place.

Mosyle Manager also provides criteria-specific device groups, in which devices are added to or removed from a group according to the script’s response. This saves time and effort when running scripts in large-scale Mac deployments. Learn more about running scripts on your macOS devices and the other advantages of our premium features.

Next, we’ll explain User Authentication using an MDM solution.

6. How do you configure User Authentication for your macOS devices?

When deploying Mac computers for schools, one of the most important processes that must be configured is identity authentication for your end-users, such as teachers and students. This way, they can get access to the device and the appropriate materials based on their level of permissions. Built-in identity authentication features within an MDM solution can help you save time when it comes to device management.

Single Sign-On (SSO) is a type of identity authentication that allows end-users to log into a system with a single set of credentials, eliminating the need to log in multiple times. When using this type of login, it’s important to have a trusted identity provider (IdP) such as Google or Microsoft Azure.

Mosyle Auth can be integrated with your IdP to provide an even better user experience.

Setting up Single Sign-On

Make sure that users are registered in Mosyle with the same email used to sign up, otherwise SSO will not be applied to the users, rendering them unable to log in to Mosyle. When using the Active Directory (AD) Identity Service, you must have your AD integration configured previously and select Active Directory integration.

For more detailed instructions on setting up SSO, read the step-by-step instructions in our Help Center.

Setting up Mosyle Auth

Mosyle Auth allows end-users to log in to Mac computers through the Login Window using the same credentials as the IdP service. Mosyle Auth only works on macOS 10.12 (Sierra) or later.

You can take full advantage of zero-touch deployment by using Mosyle Auth together with Automated Device Enrollment, which makes the end-user experience better and more efficient. For this reason, we provide a few options when setting up Mosyle Auth with Automated Device Enrollment.

An option within the SSO profile specific to Mosyle Auth is the “Local Password Sync” option. This allows the Identity Service password to serve as the Local User password. If a password mismatch is detected, Mosyle Auth will request a new sync.

More detailed instructions are in our Help Center.

Up next is security & privacy, keep reading to see how you can protect your Macs and sensitive user data.

7. What is the Security and Privacy Profile for your Mac computers and how do you configure it?

One of the main reasons schools choose Mac computers is their strong security settings. By using the MDM solution for your Mac deployment, you’ll have even more features to ensure the security of your institution’s data.

There are several ways you can ensure the security of your Mac computers and keep your end-users safe. If you use Mosyle Manager as your MDM solution, you can configure FileVault settings, Firewall ports and Gatekeeper settings to protect the Mac fleet from apps downloaded from unknown sources. In this section, we’ll show you some options for this stage of Mac deployment.

Gatekeeper Restricting Installation to Trusted Software

You can configure a Security and Privacy profile within the MDM solution to set options such as Gatekeeper. Gatekeeper restricts the installation of downloaded apps so that only trusted software runs on the devices. If a user attempts to open an application or other software that has malicious content, Gatekeeper notifies the user and asks them to move the software to the Trash. Mosyle Manager lets you decide whether or not the user can override the specified Gatekeeper settings.

FileVault Encryption Tool

The school’s administrator can configure FileVault 2, which offers full disk encryption of the entire startup drive. When the Mac is powered off, the drive’s data cannot be read without the account password or a recovery key: either the personal recovery key, which can be escrowed with an MDM such as Mosyle Manager, or the institutional recovery key. The recovery key lets you regain access to the data if the account password is forgotten.

Ensuring Safe Connections with Firewall

Another option is to configure the Firewall using the management profiles available in Mosyle Manager to ensure that connections are safe. This enables the macOS built-in firewall to block incoming connections. All incoming connections (except those required for basic Internet services) can be blocked, and the school’s administrator can instead create a list of apps that are allowed to receive incoming connections.
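Profiles push the Gatekeeper, FileVault and Firewall settings described above, but an admin also wants to know which Macs actually ended up in the intended state. The script below is an added example, not Mosyle’s code: a read-only check that queries the three settings with the macOS tools fdesetup, spctl and socketfilterfw and prints a single-line result, which is the kind of script response a criteria-based device group (as mentioned in the scripts section) can key on. The parsers take the tool output as an argument so the logic can be tried with the constructed sample strings included at the bottom; the tool names and their output formats are assumptions about current macOS releases.

```shell
#!/bin/sh
# Added example (not Mosyle's code): a read-only check of the three settings this
# section configures, written to be sent as a custom command. It prints a single
# line so an MDM that groups devices by script response can sort machines into
# compliant and non-compliant groups. Assumed macOS tools: fdesetup, spctl and
# /usr/libexec/ApplicationFirewall/socketfilterfw.

# Each parser takes the raw tool output as $1 and prints "on" or "off", so the
# decision logic can be exercised with captured text where the tools are absent.
parse_filevault() {   # fdesetup status -> "FileVault is On." or "FileVault is Off."
  case "$1" in *"FileVault is On"*) echo on ;; *) echo off ;; esac
}
parse_gatekeeper() {  # spctl --status -> "assessments enabled" or "assessments disabled"
  case "$1" in *"assessments enabled"*) echo on ;; *) echo off ;; esac
}
parse_firewall() {    # socketfilterfw --getglobalstate -> "... (State = 0|1|2)"; 2 = block all
  case "$1" in *"(State = 1)"*|*"(State = 2)"*) echo on ;; *) echo off ;; esac
}

# Reduce the three states to the one-line response the MDM records.
verdict() {  # $1 filevault, $2 gatekeeper, $3 firewall
  if [ "$1" = on ] && [ "$2" = on ] && [ "$3" = on ]; then
    echo COMPLIANT
  else
    echo "NONCOMPLIANT filevault=$1 gatekeeper=$2 firewall=$3"
  fi
}

# Live check; every command is a query, nothing on the Mac is changed.
run_check() {
  fv=$(parse_filevault "$(fdesetup status 2>/dev/null)")
  gk=$(parse_gatekeeper "$(spctl --status 2>/dev/null)")
  fw=$(parse_firewall "$(/usr/libexec/ApplicationFirewall/socketfilterfw --getglobalstate 2>/dev/null)")
  verdict "$fv" "$gk" "$fw"
}

# Constructed sample outputs (not captured from a real Mac) for trying the parsers.
SAMPLE_FV_ON='FileVault is On.'
SAMPLE_GK_OFF='assessments disabled'
SAMPLE_FW_ON='Firewall is enabled. (State = 1)'

# Run the live check only when invoked with --run, so the file can also be sourced.
case "${1:-}" in --run) run_check ;; esac
```

A missing tool or an unexpected output format is treated as "off", so a Mac the script cannot verify falls into the non-compliant group rather than being assumed safe.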

Maintaining Data Privacy on Devices

Using Mosyle Manager, you will also want to create a Privacy management profile, a configuration profile containing Privacy Preferences Policy Control payloads. These payloads, which apply to code-signed applications, binaries or scripts, are available on macOS 10.14 or later.

Passcode Policies for Securing Devices

Configuring the Passcode Policies management profile adds another layer of security by specifying the parameters for user passcodes, including minimum password length and maximum number of failed attempts. Keep in mind that if you are using Mosyle Auth, the Passcode Policies cannot be more complex than those set in Mosyle Auth.

Protecting your Networks with Wifi Authentication

You can use the Wifi Authentication profile to enter your network settings and set a password for users to log in with. Mosyle Manager needs a good Internet connection to work properly with devices, and this profile is meant to secure the flow of data between Mosyle Manager and devices over the configured network. Wifi Authentication is an important profile to configure in the MDM solution because it protects your school’s network infrastructure and makes it easy for end-users to connect. If you are using Mosyle Auth, we recommend choosing the WPA/WPA2 Personal Security Type.

Setting Up Kernel and System Extensions

Kernel extensions are software that extends part of the OS on a Mac for purposes such as network filters. System extensions are very similar but are more secure, since they run in user space. Both can be integrated with the MDM and your devices by creating a Kernel Extension Profile or a System Extension Profile. If you want to learn more about these extensions, read our comparison here.

If you have any personalized questions about Security and Privacy, our Support Team can help along the way! Click here to see more about the most reliable Support service for MDM solutions.

8. What is next for deploying your Mac computers?

Now that you know the basics of deploying Mac computers in your school, it’s time to keep managing the devices at your school. Quite a few schools are using Mac computers, with the capabilities of a laptop in and out of the classroom, to prepare their students for success beyond the classroom.

Visit our website to begin managing your Mac computers and make a difference in your students’ learning.

2020 Mosyle™ Corporation |  Trusted by 14,000+ educational institutions across the globe