Automated Device Enrollment is a great way to enroll your Mac computers using Mosyle Business, allowing you to configure all the necessary deployment settings while taking full advantage of zero-touch deployment. It will improve your workflows as well as save you time.
In this section, you will learn how to deploy Mac computers that are associated with your Apple Business Manager account.
First, navigate to “Organization” from the menu at the top and click on “Enrollment” from the Basic Setup area on the menu on the left. Then, select your Apple Business Manager account and click on “New profile”.
Name the profile and select the options you'd like to activate on the Mac computers when the Automated Device Enrollment profile is applied to the devices. The following options are checked by default:
- Install MDM Profile (mandatory)
- Do not allow manual removal of the MDM
You can also enable the following configurations:
Allow user-initiated Activation Lock
Enabling this option will allow the device to be locked in the Activation Lock screen with the user’s Apple ID if “Find my Mac” is enabled by the user and the device is wiped. By default, supervised devices are not locked with User-Initiated Activation Lock. If needed, you can unlock a device locked in Activation Lock via the Device Info in Mosyle. Important note: this feature is only available for macOS 10.15+ on devices with Apple T2 Security Chip.
Allow Bootstrap Token (macOS 10.15+)
Before macOS Catalina, on the first login of a Mobile Account, Administrator credentials with SecureToken are requested to enable SecureToken for the new user account. The Bootstrap Token eliminates this additional step when a network user is creating a mobile account on a Mac with an encrypted volume.
"After the enrollment allow device usage - devices will be placed in limbo until the user logs in". When choosing this option, we recommend using the Assign Devices feature available on the Organization tab to assign the Mac computers to the users by uploading spreadsheets with the required information.
"Required user authentication". When choosing this method, you can select to use the Mosyle Business app to authenticate and assign the devices to users. If your organization uses Active Directory, make sure to select the option "Authentication with AD during Setup Assistant".
Heads up: on macOS 10.15+, you can force user authentication with Mosyle credentials or your Identity Provider (Single Sign-On) during the Setup Assistant. To do that, you just need to enable "Customize Setup Assistant" and add the screen "Mosyle User Authentication" or "Single Sign-On Authentication".
Next, configure the Customize Setup Assistant. This capability is available only for macOS 10.15+. Set a customized screen during the Setup Assistant, adding organization-based content and a modern user authentication method. To do so, click “Manage Screens”.
Here you will be able to personalize the screens by changing the font and color. It’s possible to add different steps to the Setup Assistant, including Welcome Screen, Set Enrollment Passcode, End User License Agreement Screen (EULA), Add to a Shared Group, Mosyle User Authentication and Single Sign-On Authentication. Use the “+ Add Screen” button to add the necessary steps and rearrange the order by using the drag and drop feature. When you are done, click the check icon at the top right of the window.
Next, select the devices that will receive the configurations. You can also check the option to make the Automated Device Enrollment profile a default profile and automatically assign it to all new devices and current devices without a profile assigned.
Choose all the options you want to skip on the Setup Assistant when the end-user starts the Mac computer for the first time. We recommend skipping all of the options except “Skip Activation of location services”.
Now, select the options for Account Configuration. On macOS 10.11 and later it's possible to configure the accounts during the Setup Assistant.
You can choose to prompt the user to create an account. This will prompt the user to create a local account and auto login.
Heads up: for Mosyle Auth to work properly in the Setup Assistant, you must not check "Prompt user to create an account".
Next, select the type of user that will be created at the prompt. If you choose Standard, keep in mind that macOS requires at least one Administrator user. For this reason, if you select this option you must create an additional local admin below.
You can choose to Pre-fill account information using variables such as name and username/account name. It's possible to select the option to not allow the user to modify the pre-filled information above. If checked, the user will not be allowed to modify the account full name and/or account name as they will be read-only. This configuration is only available for devices running macOS 10.15+ Beta.
Finally, you can check the option "Create additional local admin during Automated Device Enrollment". Heads up if you are using Single Sign-On profile. Here you can indicate the name, username and password for the user. If you would like to hide the additional local admin account from users, check the box beneath it to hide the account.
You can enter the phone number and email for your institution for support. This step is not mandatory.
Finally, enter how you would like to rename the devices after enrollment, using the available variables.
Mosyle Business also offers advanced configuration options that can be installed on the devices during the enrollment process. You can check the option "Install the InstallApplication" PKG, which allows you to install any signed PKG from other management software (such as Munki). You can also configure NoMAD in this step. We provide all the details of this workflow within the Mosyle Business platform.
If the devices are still boxed, they will receive a Device Enrollment (DEP) configuration during the Setup Assistant steps on the device (first steps). If the devices have already been used, they must be formatted to receive this Device Enrollment (DEP) configuration.
If your devices are running macOS 10.12.4 or later, and you don’t want to format them, you can use the Terminal to apply this Device Enrollment (DEP) configuration profile by running the command below that matches the macOS version.
For macOS 10.12.4 through 10.13.4 use: sudo profiles -N
For macOS 10.13.4 and later use: sudo profiles renew -type enrollment
Heads up: You must have Admin rights to the Mac in order to run this command.
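The version-dependent choice above can be scripted for a fleet with mixed macOS versions. The following is an added example, not Mosyle's own tooling: the function names and the --apply switch are hypothetical, and the final status check assumes the "profiles status -type enrollment" verb, which is not mentioned on this page.

```shell
#!/bin/sh
# Added example (not Mosyle's code): choose the in-place ADE re-enrollment
# command the page gives for the running macOS version.

# ver_num "10.13.4" -> 101304 (missing fields count as 0)
ver_num() {
    old_ifs=$IFS; IFS=.
    set -- $1
    IFS=$old_ifs
    echo $(( ${1:-0} * 10000 + ${2:-0} * 100 + ${3:-0} ))
}

# Prints the profiles command for macOS version $1.
# Returns 1 if the version predates 10.12.4, 2 if it is not a dotted number.
enrollment_renew_cmd() {
    case $1 in ''|*[!0-9.]*) return 2 ;; esac
    v=$(ver_num "$1")
    if [ "$v" -ge 101304 ]; then
        # The page lists 10.13.4 under both commands; assumption: use the newer one.
        echo "profiles renew -type enrollment"
    elif [ "$v" -ge 101204 ]; then
        echo "profiles -N"
    else
        return 1
    fi
}

# Acts only when called as: sudo sh ade-renew.sh --apply  (file name is hypothetical)
if [ "${1:-}" = "--apply" ]; then
    [ "$(id -u)" -eq 0 ] || { echo "admin rights required: run with sudo" >&2; exit 1; }
    os=$(sw_vers -productVersion)
    cmd=$(enrollment_renew_cmd "$os") || {
        echo "macOS $os is older than 10.12.4: the Mac must be formatted instead" >&2
        exit 1
    }
    echo "macOS $os: running '$cmd'"
    $cmd
    # Confirm the result; the status verb is assumed available only alongside renew.
    case $cmd in *renew*) profiles status -type enrollment ;; esac
fi
```

Without --apply the script changes nothing, so enrollment_renew_cmd can be called on its own to see which command a given version would get.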