Getting Started with Mosyle Business
Streamline macOS, iOS and tvOS device deployment within your organization with intuitive, easy-to-use and powerful tools using Mosyle Business. To make sure you get the smoothest deployment, we’ve prepared this Getting Started guide to support you. We will show you how easy it really is to make things happen with Mosyle Business!
You can speed up the deployment workflow by using the Enrollment Assistant, our special onboarding guide available within the Mosyle Business platform. It will help you get familiar with our custom device enrollment workflows that meet your deployment-specific needs.
You can also check out our documentation available in the Help Center within your Mosyle Business account. We have the most effective Customer Success and Support Team, and they would love to assist you during this process. Just submit a ticket!
Now, let’s get started!
Before You Start
Before you dive into deploying Apple devices in your organization, let’s go over a few important things to know first, so you can prepare your organization's digital environment, making sure you will accomplish the easiest deployment.
An MDM software solution can be a very beneficial tool for both the IT department and the employees, but there are several settings that are critical so the device management can work properly, benefiting the organization. The MDM communicates with devices through Push Commands that are sent by Apple’s servers as they are requested by the MDM, which is dependent on a valid Internet Connection.
That's why this infrastructure needs to be built and configured properly to avoid any headache or hiccup. To help you establish some best practices, we made a guide to give you a hand with improving the network so the MDM works seamlessly.
iOS Supervised Mode
iOS and tvOS devices can be managed under two kinds of modes: Supervised and Unsupervised. If you don’t know the differences between these two modes and the benefits of supervising the iPad, iPhone and Apple TV devices, take a look at our article that explains this procedure. When supervising the devices, the company's IT administrator can apply many additional device management capabilities to the corporate devices.
Here's an overview of the tasks we'll cover in this Getting Started guide:
Initial Mosyle Business account setup
After opening your Mosyle Business account, you'll receive the activation email so you can get started with the mobile device management platform. To log into your account, access mybusiness.mosyle.com.
Mosyle Business empowers you and your IT team to deploy, configure and manage Apple devices, offering powerful MDM capabilities with the best-in-class security and the most intuitive interface.
Check out a quick overview of Mosyle Business so you get familiar with it:
Here you can see the information summary of the devices enrolled in your Mosyle Business account, according to each operating system (iOS, macOS and tvOS). You are also able to view all the important alerts across your device fleet. Explore the Enrollment Assistant to easily deploy your devices and configure the most used management profiles through the Quick Access.
This tab allows you to set up your organization’s user data. Import users from Apple Business Manager, Apple School Manager or from other integration platforms such as Active Directory and/or API. In this tab you are also able to manually create Administrators, End-Users and User Groups. Navigate to this tab to create the DEP profile for enrollment and manage your account Preferences too.
Here you can view detailed information about the managed devices, integrate your Apps and Books (VPP) account, as well as create customized Management profiles to automate applying corporate policies and restrictions. You can also register Device Groups to better organize your device fleet, configuring multiple device criteria for each group. This tab also allows you to set up Device Authentication with User and/or Generic User login.
Here you can access our Help Center to get instructions on Mosyle Business workflows. It also allows you to submit a Ticket if you need any support. We’re here to help you!
The first step in order to manage your devices using Mosyle Business is creating your Apple Push Certificate.
Create Apple Push Certificate
Creating your Apple Push Certificate (APNs certificate) is the first step when it comes to setting up your mobile device management (MDM) solution. This is a required step in order for the MDM solution to communicate with the Apple devices you'll manage. The Push Certificate allows for a trusted connection between your devices and the Mosyle MDM server. Follow the steps below to create the Push Certificate:
- Navigate to "Organizations" and click "Push Certificate" from the menu on the left.
- Click "Create Push Certificate" and download the .CSR extension file.
- Next, access https://identity.apple.com/pushcert and log in using your organization's Apple ID.
Important: keep the Apple ID in a safe place. If you don’t remember it or lose it at the time of renewing the Push Certificate - which is required annually - you will have to start the entire enrollment process over from the beginning.
- Once you’re logged into the Apple portal, click on “Create a Certificate”. Read the Terms and Conditions, click the box stating that you agree and then select “Accept”.
- In the note field, we recommend adding “Mosyle Token” to keep track of your APNs tokens.
- Upload the file you've downloaded from Mosyle Business, then download the .PEM file.
- Go back to the Mosyle Business dashboard, upload the certificate (.PEM file) and click "Save".
As we mentioned earlier, keep the Apple ID in a safe place. We highly recommend that you enter the Apple ID in the field available in the Push Certificate area within Mosyle Business. Remember you need to use the same credentials when renewing the Push Certificate annually, otherwise you'll have to redo the enrollment process.
Integrations to import users to Mosyle Business
Apple Business Manager (ABM) or Apple School Manager (ASM)
Integrating Apple Business Manager (ABM) or Apple School Manager (ASM) with the mobile device management solution is one of the top choices of IT administrators, since it simplifies workflows, automates the enrollment process and streamlines the Apple deployment.
The process to integrate your DEP/ABM/ASM account with Mosyle Business is easy! After logging into your Mosyle account, go to the Organization area and download your Mosyle Business public key available under the Apple Integration tab.
Next, log into your ABM/ASM account and upload the file in the “MDM Servers” area. Download the generated file (.p7m extension), go back to your Mosyle Business account to upload the file in the Apple Integration tab and click “Save” to complete the integration.
Then, it's critical to assign your ABM/ASM/DEP devices to the Mosyle MDM Server so you can enjoy device enrollment with zero-touch deployment (DEP). After completing the integration, go to your ABM/ASM account and navigate to the Device Assignments area. Enter the serial number, order number, or upload a CSV file of the devices you want to assign to the Mosyle MDM Server.
After entering the serial number or order number, select Assign to Server and Mosyle MDM Server from the dropdown menus.
Done! You will see all users and devices from your ABM/ASM/DEP account in your Mosyle Business account. The next step is to configure the DEP profile so you can bootstrap enrollment workflows and assign the devices to users.
If you use the Active Directory server to organize users and verify user authentication, you are able to integrate it into Mosyle Business quickly. Go to the Organization tab, then navigate to the Active Directory area, where you can configure the Setup, Authentication and Synchronization of users information into Mosyle.
Start the integration on the Setup tab, entering the required information and allowing the IP addresses necessary for Mosyle to reach your AD server. Tip from our Support Team: if you are using LDAPS with SSL, you'll want to use port 636 instead of port 389 and be sure to upload the SSL certificate required for connection. You can find additional information in the Microsoft Support portal. If you are using LDAP, you can use port 389.
In the Authentication tab, configure whether or not users will authenticate with AD when logging in to their Mosyle account or when enrolling with DEP using AD authentication. In order for AD authentication to be successful, users must be registered in Mosyle with a User ID that matches their AD username. For example, if user Vanessa Smith has an AD username of vanessa.smith, their User ID registered in Mosyle must also be vanessa.smith.
Be sure to enter the correct query in the field to ensure users can properly authenticate - you can use the test area provided to ensure the query entered is correct.
Finally, set up the synchronization of user data from your Active Directory server with your Mosyle Business account under the Synchronization tab by configuring, mapping information, and importing the data.
Configure: enter your AD info in the fields provided, selecting from the options available to automatically sync data.
Mapping: import Users and User Groups by mapping information, entering any filters or required attributes. Use the Preview User Groups Mapping button to preview the data to be imported.
Import: After completing the Setup and Mapping steps, you can Pull your Data to preview what will be imported into your Mosyle Business account.
Done! You will see all users and devices from your Active Directory server synced in your Mosyle Business account. The next step is to configure the DEP profile to enjoy zero-touch deployment or assign devices to users using the Assign Devices area.
By configuring the Single Sign-On and Mosyle Auth solutions, end-users have a single unified login to authenticate on their Apple device and have access to all the tools, apps, software, and configurations needed to be productive with direct access through Mosyle's Self-Service.
Important note: users must be registered in Mosyle with the same email. If you use Active Directory or Microsoft Azure AD, you can complete those integrations prior to configuring SSO to streamline the process. To configure this, navigate to "Organizations" and click "Single Sign-On" under the Integrations area.
You can select SSO to enable access to Mosyle Web Panel, Mosyle iOS app and Mosyle macOS app. You can also choose the Mosyle Auth solution for macOS, enhancing the Login Screen Window. Important note: Mosyle Auth works only on macOS 10.12 (macOS Sierra) or later.
Then, select the Identity Service from the dropdown menu: Microsoft, Google, ADFS, Active Directory LDAP or On-Premises Active Directory (available for Mosyle Auth only).
If you select Google or Microsoft, you’ll need to select who will be able to authenticate on the macOS. You can choose to allow only user email addresses previously registered on Mosyle or enter the specific domains of your educational institution, allowing all the emails from this domain to authenticate on devices.
To complete this configuration, select what users and/or devices will receive this profile.
Important note: When using the DEP enrollment method, make sure the profile assignment on the Single Sign-On profile matches the assignment configured on the DEP profile in order for the configurations to work properly.
Integrate your system to Mosyle Business API, automating devices, users and user group operations. Under the API integration tab, you are able to check out all the request parameters available in the API so you can accomplish the integration.
Microsoft Azure AD integration
You can integrate Microsoft Azure Active Directory with Mosyle Business, importing all users to the device management solution. If you’d like to use Microsoft Azure AD as the identity provider for the Single Sign-On solution, we recommend completing this integration to automate the workflow. Go to Organization and click Microsoft Azure AD below the Integrations area.
If you’re not using any of the integrations to automate data import, you’ll want to use the spreadsheet registration in order to quickly import a large amount of data. Under the Spreadsheet area, you can find the CSV and XLSX templates to complete and upload to the Mosyle Business platform.
Deployment using Apple Business Manager
If you have an Apple Business Manager or Apple School Manager account, enrolling the devices using the DEP management profile is the easiest and quickest method. Under the DEP tab, select the operating system and click “New Profile” to continue.
Remember, in the case of DEP devices, the installation of the MDM profile is mandatory. However, you can choose if end-users will be allowed to manually remove the MDM profile from devices. Next, select the devices you wish to receive the configuration profile.
You'll want to streamline your deployment by selecting the option to allow device usage after the enrollment. In this case, devices will be enrolled as generic devices until the users log in, assigning the devices to themselves. If you would like to assign specific devices to specific users, configure the DEP profile and then go to the Assign devices tab and use the Manual Assignment tool.
When creating the DEP profile, you can also choose to require user authentication or AD authentication, if you use the Active Directory integration.
Streamline even more of your Apple deployment by selecting the steps from the Setup Assistant you wish to skip and/or add any bootstrapping PKG, like Munki and NoMAD in the case of deploying Mac devices using the MDM. By default, Mosyle Business checks some options from the Setup Assistant that can help you speed up your enrollment process, but feel free to select or deselect any you desire.
You can also choose the variables used to rename the devices after the enrollment process, such as name, user ID, organization's name, etc. To complete the enrollment process, just wipe/restart the devices (if used) or turn them on (if brand new).
If your devices have previously been used, you'll need to wipe and restart them in order for the new DEP configuration profile to be applied. Are you migrating from another MDM solution? In this scenario, you may be able to send a remote wipe command from your former MDM platform to all of your devices. If you are enrolling macOS devices running 10.12.4+, you can use a Terminal Command to complete the DEP enrollment without having to wipe the Mac.
If the Apple devices are brand new, simply take the device out of the box and turn it on! All configuration settings from Mosyle Business MDM will be applied. After devices have been enrolled, you will see them listed in your Mosyle account in the Management area.
Deployment without Apple Business Manager
If you don’t have an Apple Business Manager, an Apple School Manager or a DEP account, you can use other methods to deploy and manage your organization’s devices using Mosyle Business.
Prior to the enrollment process, make sure you’ve created the users (administrators, end-users and/or user groups) needed, using the respective features in the Organization tab or you’ve completed the desired integration to import the users to the Mosyle platform. Then, you are able to enroll the devices as Generic Device, User Device or Device Group. Remember you can get familiar with the workflow by checking the Enrollment Assistant, our special onboarding.
You can enroll a device as a generic device, which means that it will not be assigned to any specific user. This allows you to manage the device as an organization’s generic device and to assign it to a user at a later time if needed.
To enroll the device as a generic one, open the Safari browser on the device and type the Enrollment URL available in the Organization > Settings tab.
If you are enrolling an iOS or a tvOS device, you can also enroll the device using Apple Configurator 2. When enrolling the device using AC2, you are able to choose to supervise the device, unlocking important management features.
If enrolling macOS devices, make sure to remove the management profile from your current MDM provider before starting the enrollment process. To do it, you can remove the profile using your current MDM solution, using the built-in Apple Recovery Utility or running the Terminal command.
A User Device is simply one device assigned to an end-user. You can streamline the deployment by enrolling all the devices as generic devices and assigning the devices to users later. After enrolling the devices as generic devices, you can use the Assign Devices tab to assign the device to the end-users - randomly or to specific end-users - or go to the specific user area in the End-user tab and simply click “Assign one device”.
A Device Group is a group of devices that different users can log into using their Mosyle Business credentials. You can speed up the enrollment process by enrolling all the devices as generic devices and selecting the desired devices and their device criteria when creating the Device Group in the Management tab.
Here we will specify the assignment methods available in Mosyle Business:
You can assign devices individually to specific end-users in the Organization tab. Choose the user in the End-users area and click “Assign one device”, selecting the device from the list available. When finished, click "Assign" to confirm.
Assign with Active Directory Authentication
Users can also be assigned to devices using Active Directory authentication. So long as the User ID registered in Mosyle matches the username in Active Directory, the user will then be assigned to the device upon logging in.
Automatic Assignment in Bulk
Using this assignment method, Mosyle Business will automatically and randomly pair one device with one user - a quick and good strategy for organizations deploying a 1:1 model where it doesn’t matter which device each user is assigned to. Before assigning the users, make sure you registered all the end-users and enrolled all devices as generic devices. To use this method, go to “Assign Devices” and choose “Automatic Assignment” by clicking “Start” under this option.
Manual Assignment in Bulk
In this assignment method, you upload a CSV file indicating which device is assigned to which user. This is done by pairing the serial number with the User ID. This is a great option for organizations implementing a 1:1 model, where each user is assigned to a specific device. Before assigning the users, make sure you registered all the end-users and enrolled all devices as generic devices.
This assignment method can be used when enrolling devices using ABM/ASM/DEP if you need to assign specific devices to each user. To use this method, go to “Assign Devices”, choose “Manual Assignment” and select “Start” under this option to download the CSV template. After entering device serial numbers and the corresponding User IDs, upload the file in the available field.
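A pre-upload check for the Manual Assignment CSV, as an added example that is not part of Mosyle's guide or tooling: it rejects rows that reuse a serial number or User ID and flags User IDs that do not match a directory username, which is the condition AD authentication depends on. The column names, sample rows and directory list are constructed assumptions; take the real headers from the downloaded template.

```python
import csv
import io

# Constructed sample sheet. Column names are assumptions, not Mosyle's
# template headers; serial numbers and users are made up.
SAMPLE_CSV = """serial_number,user_id
C02ABC123DEF,vanessa.smith
C02ABC456GHI,john.doe
C02ABC123DEF,maria.lopez
C02ABC789JKL,Vanessa.Smith
C02ABC000MNO,
C02ABC111PQR,john.doe
"""
# Constructed stand-in for an export of AD usernames.
DIRECTORY_USERS = {"vanessa.smith", "john.doe", "maria.lopez"}


def validate_assignments(csv_text, directory_users,
                         serial_col="serial_number", user_col="user_id"):
    """Return (clean_rows, problems) for a serial-to-User-ID sheet (1:1 model)."""
    clean, problems = [], []
    seen_serials, seen_users = {}, {}
    # Case-folded index, used only to suggest the likely intended username.
    by_folded = {u.casefold(): u for u in directory_users}
    reader = csv.DictReader(io.StringIO(csv_text))
    for row in reader:
        line = reader.line_num  # physical line in the file, header is line 1
        serial = (row.get(serial_col) or "").strip().upper()
        user = (row.get(user_col) or "").strip()
        if not serial or not user:
            problems.append((line, "missing serial number or User ID"))
        elif serial in seen_serials:
            problems.append(
                (line, f"serial {serial} already used on line {seen_serials[serial]}"))
        elif user not in directory_users:
            # Exact string match is assumed here as the safe reading of
            # "User ID must match the AD username".
            near = by_folded.get(user.casefold())
            hint = f"; directory has {near!r}" if near else ""
            problems.append((line, f"User ID {user!r} not in directory{hint}"))
        elif user in seen_users:
            problems.append(
                (line, f"User ID {user} already assigned on line {seen_users[user]}"))
        else:
            seen_serials[serial] = line
            seen_users[user] = line
            clean.append((serial, user))
    return clean, problems


if __name__ == "__main__":
    ok, bad = validate_assignments(SAMPLE_CSV, DIRECTORY_USERS)
    print(f"{len(ok)} rows ready to upload")
    for line, reason in bad:
        print(f"line {line}: {reason}")
```
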