Configuring Basic macOS Management: Workspace ONE Operational Tutorial

Overview

VMware Workspace ONE® UEM provides a comprehensive management solution for macOS devices, supporting operating systems version 10.9 and higher. With the ability to manage Corporate-Dedicated, Corporate Owned or Employee Owned (BYOD) devices, Workspace ONE UEM offers enterprises the flexibility to meet their employees’ needs at any level.

Purpose of This Tutorial

VMware provides this operational tutorial to help you with your VMware Workspace ONE® environment. In this tutorial, you will enroll a macOS device, configure a restrictions profile and a dock profile, configure a device lock, and deploy macOS volume-purchased apps.

Audience

This operational tutorial is intended for IT professionals and Workspace ONE administrators of existing production environments. 

Both current and new administrators can benefit from using this tutorial. Familiarity with macOS, XML, and basic scripting is assumed.

Knowledge of additional technologies such as VMware Workspace ONE® Intelligence and VMware Workspace ONE® UEM is also helpful.

Enrolling macOS Devices

This section covers basic macOS administration using Workspace ONE UEM. This exercise helps you to install the Workspace ONE Intelligent Hub and enroll a macOS device into Workspace ONE UEM.

Prerequisites

Before you can perform the exercises in this tutorial, you must meet the following requirements.

• Workspace ONE UEM version 9.4 or later
• Apple device running macOS version 10.12.6 (Sierra) or later
• Retrieve the Group ID from Workspace ONE UEM Console
• Local macOS account with administrator permissions

This exercise requires admin and end user device authentication during enrollment. Gather the required account information and record it in the following tables. The account information provided in these tables is based on a test environment. Your account details will differ.

Local Administrator Account Information
User name	administrator
Password	VMware1!

User Account Information
User name	testuser
Password	VMware1!
Email address	testuser@company.com

Workspace ONE UEM Information
Server URL	hol.awmdm.com
Administrator username	administrator
Password	VMware1!

Installing the Workspace ONE Intelligent Hub

Start by downloading and installing Workspace ONE Intelligent Hub on your macOS device. This exercise will outline the steps to follow.

1. Log in to the macOS device with your administrator credentials.
   1. Enter the username. For example, administrator.
   2. Enter the password. For example, VMware1!.
   3. Click the arrow icon or press Enter.
2. Click the Safari icon (blue compass) to open the Safari browser.
3. Enter https://getwsone.com in the URL field, then press Enter.
4. Click Download Hub beneath macOS. The Workspace ONE Intelligent Hub begins to download and will save to the Downloads folder by default.

5. Launch the Intelligent Hub installer by clicking the Downloads folder in the dock (next to the Trash Bin).
6. Click the VMwareWorkspaceONEIntelligentHub.pkg file to begin the installer.
7. Review the Introduction. Click Continue.
8. Review and Accept the Licensing Terms by clicking Continue and then click Agree (to the license terms).
9. Click Install to perform a standard installation.
10. Enter the admin username, for example, Administrator.
11. Enter the password.
12. Click Install Software.
13. Click Close when the installer finishes.
14. Click Move to Trash to move the installer to the trash.

Onboarding using User-Initiated Agent-Based Workflow

In this exercise, you enroll a macOS device into Workspace ONE UEM. Enrollment is the action that brings a device under management and control by Workspace ONE UEM. There are a few ways to enroll the various platforms (macOS included), but for this exercise, we cover a basic enrollment scenario.

This enrollment flow is considered User-Approved per the functionality introduced in macOS High Sierra.

1. After the Workspace ONE Intelligent Hub finishes installing, the Enrollment Wizard should start automatically. From within the Enrollment wizard window, click Server Detail. 

Note: The Enrollment Wizard may take several minutes to launch. If you do not see the Enrollment Wizard immediately, be patient and wait for it to appear.

2. Enter your Workspace ONE UEM URL, for example, hol.awmdm.com.
3. Enter your Group ID.
   
   Note: You can find your Group ID in the Workspace ONE UEM console by navigating to Group & Settings. Click Groups, and then click Organization Groups. Select the Details view.
4. Click Continue.
5. Enter the enrollment username. For example, testuser.
6. Enter the enrollment user password. For example, VMware1!.
7. Click Continue.
8. Select the ownership type for the device. If the device is an employee-owned BYOD, select Employee Owned. If the device is a corporate-owned device, select Corporate owned. Click Next.
   
   Note: If you select Corporate owned, you will also need to specify if the device will be dedicated to one user or shared by multiple users.
9. Click Next to install Workspace Services. The installation and enablement of Device Management will begin.
10. When the Profile window is displayed, click Install to approve the User-Approved Enrollment Profile.

11. When prompted, click Install to confirm the installation.
12. When prompted, enter the password for your user account on the Mac. For example, VMware1!. 
13. Click OK.
14. When the installation is complete, close the Profiles panel by clicking the red dot. Then click Done.
15. You can validate the enrollment by clicking the Hub icon in the upper-right corner of your screen.
16. In the menu that appears, you can see the device’s status as Enrolled.

Configuring macOS Profiles

Profiles are the mechanism by which Workspace ONE UEM manages settings on a macOS device. All profiles are broken down into two basic sections: the General section and the Payload section.

• The General section defines the profile's name and assignment settings.
• The Payload sections define actions to be taken on the device.

Every profile must have all required fields in the General section properly filled out and at least one payload configured.

With Workspace ONE UEM, profile management for macOS can occur on the device level or on the user level.

Device-level profiles apply restrictions and settings to any user logged-on to the device. Device profiles are typically used to control settings that apply system-wide such as VPN and Wi-Fi configurations, Global HTTP Proxy, Disk Encryption, and/or Directory (LDAP) integration.

In contrast, user-level profiles apply settings and restrictions to the specific user logged-on to the device. User profiles typically control settings that apply to the enrolled user such as email configurations, web clips (URL shortcuts), credentials (certificates), and content filtering settings.

Prerequisites

Before you can perform the exercises in this tutorial, you must meet the following requirements.

• Workspace ONE UEM version 9.4 or later
• Apple device running macOS version 10.12.6 (Sierra) or later

Configuring a Restrictions Profile for macOS Devices

In this exercise, deactivate Allow Screen Capture and Allow Use of Built-in Camera settings on a macOS device by configuring a device-level restrictions profile. This exercise explores how to modify the macOS device behavior using profiles.

1. On your desktop, double-click the Google Chrome icon.
2. Go to the VMware Workspace ONE UEM Console.
   
   For example, go to https://<WorkspaceONEUEMHostname> where WorkspaceONEUEMHostname is the host name of the Workspace ONE UEM console.
3. Enter your Username, for example, administrator.
4. Click Next. After you click Next, the Password text box is displayed.
5. Enter your Password, for example, VMware1!. Click Login.
   
   Note: If you see a Captcha, be aware that it is case sensitive.
6. In the Workspace ONE UEM console, select Resources. Then select Profiles & Baselines.
7. Select Profiles.
8. From the Add dropdown menu, select Add Profile.
9. Select Profile Platform by selecting macOS.
10. For the Context, select Device Profile.
11. Enter macOS Device Restrictions for the profile name.
12. Scroll down the list of payloads until you find Restrictions. Click Add.
13. Under Functionality, click the button next to Allow screen capture. The button, which is green by default, should turn gray.
14. Click the button for Allow use of Built-in Camera. The button, which is green by default, should turn gray.

15. Click Next.
16. Scroll down to view Assigned Groups and click in the search box. From the list of Assignment Groups that appear, select the appropriate group. For example, select All Devices (your@email.shown.here).
17. Select Auto for the Assignment Type.
18. Click Save and Publish.
    
    You should now see your macOS Device Restrictions Device Profile within the list of the Profiles window.
    Note: If you need to edit the profile, this is where you would do so.
19. You can validate that the profile has been applied, by logging in to your macOS device.
20. Launch the Photo Booth application. The application reports that there is no connected camera.
    
    Note: This will only work on a macOS device that has a built-in camera.

21. Launch the Screenshot application, which is in the Utilities folder under Applications. If the macOS Device Restrictions profile created earlier is configured and applied correctly, the Screenshot application will not launch.

Configuring an Accessibility Profile for macOS Users

In this exercise, configure Accessibility settings for a specific, enrolled user on a macOS device by configuring a user-level profile.

1. In the Workspace ONE UEM console, select Resources. Then, select Profiles & Baselines.
2. Select Profiles.
3. From the Add dropdown menu, select Add Profile.
4. Select the Profile Platform by selecting macOS.
5. For the Context, select User Profile.
6. Enter macOS Accessibility for the profile name.
7. Scroll down the list of payloads until you find Accessibility. Click Add.
8. Click the button next to Use grayscale. The button, which is gray by default, should turn green.
9. Change the Cursor Size to Extra Large.

10. Click Next.
11. Scroll down to view Assigned Groups and click in the search box. From the list of Assignment Groups that appear, select the appropriate group. For example, select All macOS Users (your@email.shown.here).
12. Select Auto for the Assignment Type.
13. Click Save and Publish.
    
    You should now see your macOS Accessibility User Profile within the list of the Profiles window.
    
    Note: If you need to edit the profile, this is where you would do so.
14. You can validate that the profile has been applied, by logging in to your macOS device.
15. The screen will be displayed as grayscale, and the cursor will be extra-large.

Configuring Device Lock for macOS

Device lock for macOS devices causes the machine to reboot into a firmware-lock screen. This lock screen occurs at the firmware level prior to OS boot. This exercise helps you to configure a macOS device lock.

Prerequisites

Before you can perform the exercises in this tutorial, you must meet the following requirements.

• Workspace ONE UEM version 9.4 or later
• Apple device running macOS version 10.12.6 (Sierra) or later

Note: For Mac devices running Apple silicon, macOS version 11.5 or later is required. If you try to use this feature on a Mac with Apple silicon running a version of macOS before 11.5, the Mac will be deactivated, and a network connection and authentication with Secure Token will be required to re-enable the device.

Configuring Device Lock

Workspace ONE UEM supports a firmware-based device lock for macOS. The device cannot be booted until the device lock code has been entered. This exercise helps you to configure device lock for macOS.

1. Open the macOS Device Details by selecting Devices.
2. Select List View. Then, select your enrolled macOS device.
3. Lock the device by clicking Lock in the upper-right corner of the device details view.
4. When prompted, enter a Device Lock Code. For this exercise, enter 111111 as the firmware lock code.

5. Click Lock Device.
6. The device will reboot after a short delay and the firmware will be locked.
7. To unlock the device, enter 111111 at the System Lock screen.

Understanding macOS Software Delivery

Workspace ONE UEM supports a few different methods for delivering software to managed macOS devices. This section helps you to volume-purchase app licenses in Apple Business Manager, then assign them to enrolled devices in Workspace ONE UEM.

The following software delivery methods are available for macOS:

• Apple Business Manager or Apple School Manager — Delivers macOS App Store applications to devices as volume-licensed, purchased applications.
• Software Distribution — Delivers third-party, non-store applications as internal apps in Workspace ONE UEM 9.3 and later.  

The type of software being delivered determines appropriate delivery method. The following table lists different types of software, and their recommended delivery method.

	Store Apps	Non-Store Apps
Delivery Methods	Apple Business Manager	Software Distribution
Examples	xCode Slack Microsoft Remote Desktop Apple's iWork suite BBEdit Workspace ONE Tunnel iBooks Author Microsoft OneDrive Microsoft OneNote QuickBooks	Adobe Creative Suite Microsoft Office 2016 for macOS BlueJeans Camtasia Audacity Shell scripts, Python scripts

Prerequisites

Before you can perform the exercises in this tutorial, you must meet the following requirements.

• Workspace ONE UEM version 9.4 or later
• Apple device running macOS version 10.12.6 (Sierra) or later
• Apple Volume Purchase Program (VPP) is configured in Workspace ONE UEM

Deploying macOS Volume-Purchased Apps

This section shows how to volume-purchase applications through the Apple Business Manager and assign them to devices using device-based licensing. However, Workspace ONE UEM also supports non-store, third-party software management. For details, see Deploying Third-Party macOS Applications: VMware Workspace ONE Operational Tutorial.

Purchase App Licensing in Apple Business Manager

Before you can assign volume-purchased applications to devices, you will first purchase licenses within Apple Business Manager.

1. Log in to Apple Business Manager.
2. Click Apps and Books.
3. Set Type to Mac and enter Pages in the search field.

4. Click Pages in the results and, using the Assign to dropdown, assign this app to your Workspace ONE UEM instance.
5. Enter 10 in the Quantity field and click Get.

Configure App Assignments in Workspace ONE UEM

In this exercise, you will enable device assignment for an app, and assign the app to a group of single-user devices. Each device will receive one license, and an Apple ID on the device will not be required to receive the application.

1. In Workspace ONE UEM, click Resources.
2. Click Apps, and then select Native.
3. Click Purchased. Pages should be listed among your apps.
   
   Note: If Pages is displayed in your app list, click Sync Assets. This will sync your app license purchases with Apple Business Manager.

4. Place a check next to Pages. The More Actions menu will appear.
5. From the More Actions menu, select Enable Device Assignment.

6. Click Pages. Enter 2 for Licenses on hold.
7. Click Save & Assign.
8. Scroll down to view Assigned Groups and click in the search box. From the list of Assignment Groups that appear, select the appropriate group. For example, select All macOS Devices (your@email.shown.here).
9. Enter the number of licenses to allocate to the assignment group.
10. Click Create.
11. Click Save.
12. Click Publish.
13. Log in to your macOS device and launch Intelligent Hub.
14. Click Apps.
15. If Pages has not already installed automatically, you can click the Install button next to Pages to install the app on your macOS device.

Summary and Additional Resources

This operational tutorial provided basic administration steps to manage macOS with Workspace ONE UEM. Procedures included enrolling a macOS device, configuring a restrictions profile and a dock profile, configuring a device lock, and deploying macOS volume-purchased apps. 

Additional Resources

For more information about Workspace ONE, explore the VMware Workspace ONE Activity Path. The activity path provides step-by-step guidance to help you level-up in your Workspace ONE knowledge. You will find everything from beginner to advanced curated assets in the form of articles, videos, and labs.

Additionally, you can check out the VMware Workspace ONE and VMware Horizon Reference Architecture which provides a framework and guidance for architecting an integrated digital workspace using VMware Workspace ONE and VMware Horizon. 

For more information on macOS, see Understanding macOS Management.

Changelog

The following updates were made to this guide:

Date	Description of Changes
2022/08/19	Updated procedures to align with Workspace ONE UEM product changes Added procedures for volume-purchased apps, and app assignment to devices
2019/03/27	Guide was published

About the Authors

The latest version was written by:

• Michael Bradley, Senior Technical Marketing Architect, End-User-Computing Technical Marketing, VMware.

This tutorial was originally written by:

• Robert Terakedis, VMware alumni.

Feedback

Your feedback is valuable. 

To comment on this tutorial, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.