4.0 Enrolling Mac MDM using the OTA Profile
You can now securely enroll non-DEP devices into ZENworks using the OTA (over-the-air) Profile which deploys the enrollment profile without a reset of the device.
-
Devices that already have ZENAgent deployed, can onboard MDM without having to reset the device and go through ADE enrollment.
-
Devices in use can enroll in ZENworks without having to reset the device and go through ADE enrollment.
NOTE:To enroll Mac devices as MDM using OTA, you need to have Mac administrator permissions.
Before enrolling a macOS device, you need to ensure that the following prerequisites are met:
Prerequisites:
|
Task |
Details |
|---|---|
|
Enable Push Notifications |
For more information, see Enabling Push Notifications |
|
Configure MDM Servers and APNs |
For more information, see MDM Servers and APNs Configuration |
IMPORTANT:
-
To enroll a Mac device as MDM via OTA Profile in ZENworks, the device should be pre-approved in ZENworks either with its Serial Number or Mac Address or both for authenticating the device. For more information, see Adding Pre-approved Devices.
-
Pre-approval check will fail in case if the value is specified in the DNS Name device attribute and in the Device Matching Setting if both DNS Name and Enable Differentiation are selected.
-
As part of the MDM Enrollment Profile, the consent text can be set which is displayed to the user on the Mac device during profile installation. You can modify the default consent text in com.novell.zenworks.apple.plist.profileinfo.consent.text
The file is available in the following location:
On Windows Server:
C:/Program Files/microfocus/zenworks/resources/properties/com/novell/zenworks/apple/plist/profileinfo/ios_profile_<Locale>.properties
On Linux Server:
/opt/microfocus/zenworks/resources/properties/com/novell/zenworks/apple/plist/profileinfo/ios_profile_<Locale>.properties
Restart the microfocus-zenclient-mgmt service after updating the consent text.
-
Once the OTA profile enrolled, the following message is displayed:
This Mac is supervised and managed by: IT Organization
If you want to customize the organization before enrolling through OTA Profile, you should add a system variable in > > screen with value as
organization.name
(case-sensitive).
NOTE:
-
The macOS devices running Macintosh 11.x (Big Sur) or later versions can be enrolled as supervised devices.
-
If the DNS attribute is selected to uniquely identify a pre-approved device, the Mac enrollment using the OTA profile might fail.
Procedure:
-
In the Safari browser on a Mac device, specify the URL to download the ZENworks Trust Profile. The URL should be specified in the following format, for example: https://<ZENworks_server_address>/endpoint/apple/trust
ZENworks_server_address is the DNS name or IP address of the ZENworks MDM Server.
-
Navigate to the menu on the device and select > .
-
Click .
The ZENworks Trust Profile contains the certificate required for secure communication between the device and the ZENworks Server.
-
Double-click the profile and click Install…
-
Install the profile.
-
Specify the administrator password and click .
-
Enable the enrollment certificate on the device. To enable the certificate:
-
Navigate to > > .
-
Search for the ZENworks CA certificate and double-click the certificate.
-
Expand the details.
-
Select from the drop-down list.
-
Click .
-
Specify the administrator password and click .
-
-
Next, in the Safari browser on a MAC device, enter https://<ZENworks_server_address>/endpoint/apple/userlessOTAEnroll, where ZENworks_server_address is the DNS name or IP address of the ZENworks MDM Server. The ZENworks Enrollment Profile will be downloaded.
-
Navigate to > > .
-
Double-click . The ZENworks Device Enrollment Profile contains the MDM profile required for ZENworks to manage the device.
-
Click and follow the prompts to install the profile. Once the profile is successfully installed, the device will be supervised and managed by ZENworks.
-
Specify the administrator password and click .
