Onboarding Options for macOS: Workspace ONE Operational Tutorial

VMware Workspace ONE UEM 9.4 and later

Overview

Introduction

VMware provides this operational tutorial to help you with your VMware Workspace ONE® environment. This operational tutorial covers a number of macOS enrollment workflows, including user-initiated enrollments, single-user and multi-user staging for network users, and single-user staging without domain binding.

Audience

This operational tutorial is intended for IT professionals and Workspace ONE administrators of existing production environments. 

Both current and new administrators can benefit from using this tutorial. Familiarity with macOS, XML, and basic scripting is assumed.

Knowledge of additional technologies such as VMware Workspace ONE® Intelligence and VMware Workspace ONE® UEM is also helpful.

Understanding macOS Onboarding

Introduction

In this activity, learn about the different user types, and review the available onboarding options for macOS.

Understanding macOS User Types

MacOS inherently supports a number of discrete user accounts (each with their own data and settings). Although macOS is an inherently multi-user system, the mdmclient process built-in to macOS (leveraged by Workspace ONE UEM) is not multi-user capable unless the device is bound to a directory service (such as Active Directory).

As such, when discussing enrollment workflows for macOS, we must first define three different types of users.

  1. Workspace ONE UEM Enrollment User
    • If not staging a device, this is a user account (either basic or directory-based) within Workspace ONE UEM (under Accounts > Users > List View) whose credentials were entered at the time the device was enrolled.
    • If staging a device, this is the user account to which the device is assigned within Workspace ONE UEM (under Devices > Details View > User)
    • This is the user account Workspace ONE is using to determine membership within assignment groups.
    • In other words, this is the user account to which Workspace ONE UEM considers the device assigned.
  2. macOS Logged-On User  
    • This is a user account (either local to macOS or based from a directory service such as Active Directory) that is currently logged-on and active on the device.
  3. Workspace ONE Managed User  
    • This is the user account (either local to macOS or based from a Network Account Server) that was logged-on and active on the device when enrollment occurred.  
    • This is the macOS user account Workspace ONE UEM can target using Apple Push Notifications when it is also the logged-on user.
    • In other words, this is the user account that must be logged-on within macOS in order for Workspace ONE to deliver items assigned to the Workspace ONE UEM enrollment user.

It is important to note the subtle differences between these three types of users as we begin discussing enrollment scenarios.

Understanding Apple's Enrollment Types

Apple continues to expand macOS manageability.  As such, new capabilities and enrollment types have been introduced over the last few iterations of macOS from High Sierra (10.13) through Catalina (10.15).   This section of the tutorial aims to explain some of the newer enrollment types and the differences between each type.

1. User Enrollment

User Enrollment was introduced with iOS 13 and macOS Catalina as an enrollment type specifically targeted at Bring-Your-Own-Device (or BYOD) scenarios.   With User Enrollment, an end-user enrolls the device using a managed Apple ID from Apple Business Manager (or Apple School Manager).   The device then creates a dedicated, encrypted APFS partition to hold the user's managed data and applications (delivered from MDM).   Additionally, device-identifying information (such as the UUID, ActiveSync ID, etc) is obfuscated before reporting to the MDM.   Since the MDM server can't uniquely identify the device, this helps maintain the user's privacy.  Additionally, in a User Enrollment scenario, the MDM server is granted a reduced set of management capabilities and prevented from initiating functionality that could impact the user's private files (such as a a Device Wipe).

2. User-Approved MDM Enrollment

User-Approved MDM enrollment was introduced in macOS High Sierra as a way to prevent IT administrators (or malware attacks) from being able to silently gain full control over macOS.   This new enrollment state provides Apple a way to prevent some management functionality until the end-user acknowledges (and approves) the device management.   In other words, if the user does not "approve" the enrollment, some security-related management functionality is limited or prevented.

To qualify as a user-approved enrollment, the MDM profile must be installed in one of these ways:

  • Via the Profiles preferences panel by the user:    By forcing the user to install the MDM profile in the Profiles panel, administrators are ensured the user has agreed to their intent to be managed and approved the specific system performing management.  
  • Via the Profiles panel after non-UA enrollment:   If the MDM profile is installed via scripting or remote shell, the user can launch the Profiles preferences pane and manually click the Approve button on the Enrollment Profile.
  • Via Automated Enrollment with Apple Business Manager (or Apple School Manager):  Much like iOS, Automated enrollment via Apple Business (or School) Manager is considered a "corporate-owned" enrollment scenario and is therefore automatically considered user-approved.

3. Supervised (Automated) Enrollment

Supervision on macOS was a new concept introduced with macOS Catalina.  Going forward, Apple has stated some security and privacy-related features will require supervision in order to be manageable by IT administrators.   Apple considers a supervised macOS device different from a User-Approved MDM-enrolled device, as the Supervised device demonstrates a truly "corporate-owned" enrollment.  Put differently, User-Approved MDM enrollment is not equivalent to an Apple Business (or School) Manager supervised enrollment.  

NOTE:   Unlike iOS, macOS does not currently support manual supervision.

Some current macOS management payloads that require supervision include:

  • Activation Lock Management
  • Bootstrap Token
  • Some Classroom Restrictions
  • Native MDM-Initiated software update installation

Reviewing Onboarding Options

(workspace one macos, mdm protocol, macos management)

As detailed in the screenshot, users can enroll a macOS device in numerous ways. The following operational tutorial provides guidance on the different settings an administrator should configure to enable these workflows.  

Non-Staging, User-Initiated macOS Enrollment

Introduction

In a user-initiated enrollment (such as Bring Your Own Device), macOS device enrollment with a Workspace ONE UEM user's credentials (enrollment user) makes that currently logged in macOS user (logged-in user) the Workspace ONE managed user. In other words, the managed user is the macOS user account that enrolled with Workspace ONE credentials. 

This means that any profiles and applications targeting the user only apply when that specific macOS user is logged in. If the managed user logs out from a non-staged device and another macOS user logs in, Workspace ONE does not apply any user items to that new logged-in user. User profiles are not delivered/applied to the non-staged device until the managed user account logs in again. The user enrolling the device in a user-initiated enrollment workflow must have administrative permissions on the device. Administrative permissions are required to install the device management profile.  

A non-staged, user-initiated enrollment qualifies as a User-Approved MDM Enrollment flow for macOS High Sierra (and later) when performed through the Profiles preference pane or the VMware Workspace ONE Intelligent Hub for macOS.

Note: The reason for the one local user limitation can be found in Apple's MDM Protocol Documentation.

  • The local user that installed the profile will be managed.
  • No other local users will be managed. The server never receives requests from a local user other than the one that installed the enrollment profile.
  • Network users logging into the device will be managed if the server responds successfully to their UserAuthenticate messages .

Prerequisites

Before you can perform the procedures in this tutorial, you must satisfy the following requirements. 

  • Apple device running macOS version 10.12.6 (Sierra) or later
  • VMware Workspace ONE Intelligent Hub for macOS version 3.0 or later
  • Workspace ONE UEM version 9.4 or later

For more information, see the VMware Identity Manager Documentation and VMware Workspace ONE UEM Documentation.

You must also meet the following prerequisites, before configuring any type of macOS enrollment workflow:

  1. To manage an Apple device with Workspace ONE UEM, you must generate an APNS certificate for your Workspace ONE UEM environment.
  2. Create a basic user account or directory user account to Workspace ONE UEM as enrollment ties a device to an enrollment user account.
  3. To enable Device Enrollment integration, you must sign up for an Apple Business Manager (or Apple School Manager) account.
  4. To enroll devices using Apple Business Manager or Apple School Manager, you must perform the following:

Onboarding Using User-Initiated, Agent-Based Enrollment

The following video demonstrates a basic non-staged, user-initiated enrollment.

Note: The web-based enrollment flow is similar to agent-based, except that the user would initiate their enrollment by navigating to https://deviceservices.url.com/enrollment in a web browser, (where deviceservices.url.com is the fully qualified domain name for your Workspace ONE UEM device services endpoint).

If the basic prerequisites have been met, Workspace ONE UEM by default can accommodate a user-initiated, agent-based enrollment.

Onboarding Using User-Initiated, Apple Business Manager Enrollment

The following high-level process helps you to successfully configure non-staging, user-initated enrollments for devices enrolling with Apple Business Manager.

  1. In your Device Enrollment Profile, set the following options:
    • Set Authentication setting to ON.
    • Set Await Configuration to Enabled.
    • Set Account Setup to Don't Skip.
    • Optionally, set Create New Admin Account to YES and pre-fill local administrator account details.
  2. Assign the Device Enrollment Profile to the device you will be testing.
  3. Unbox the macOS device and power it on.
  4. Proceed through the macOS Setup Assistant creating a local macOS user.

Important: The macOS user created during the Setup Assistant is the Workspace ONE managed user. Any profiles and applications assigned to the user account (provided to enroll the device) are delivered when the user account created during the Setup Assistant is logged in to the device.

Staging Single-User, Domain-Bound macOS Enrollment

Introduction

In a network-based user-staging scenario, Workspace ONE UEM receives a message from an LDAP-bound macOS device at a network user's login event. This notification allows Workspace ONE to correlate the newly logged-in user (a network user in macOS) to the enrollment user. Because the network account in macOS and Workspace ONE UEM are known to be the same (as they are both originating from the same source; LDAP), Workspace ONE UEM can change the managed user to be the new logged-on user. macOS also reports the APNS token for the Network User's mdmclient process to MDM, allowing Workspace ONE UEM to manage the user context in real time.

In single-user staging scenarios, Workspace ONE UEM associates the device to the enrollment user only for the first network user login (for example, the managed user). Subsequent network user login events are ignored, and the assigned user for the device is not modified. This means that any user-based assignments (user-level profiles and apps) are only sent to macOS when the managed user (matching the enrollment user) is logged in to the device.

Important: This is a critical concept to understand, as it directly affects the resultant behavior on a macOS device under MDM management. If a domain-bound macOS device is enrolled but not receiving user profiles/configurations, the logged-in user in macOS may not be the Workspace ONE UEM managed user.

Prerequisites

Before you can perform the procedures in this tutorial, you must satisfy the following requirements. 

  • Apple device running macOS version 10.12.6 (Sierra) or later
  • VMware Workspace ONE Intelligent Hub for macOS version 3.0 or later
  • Workspace ONE UEM version 9.4 or later

For more information, see the VMware Identity Manager Documentation and VMware Workspace ONE UEM Documentation.

You must also meet the following prerequisites, before configuring any type of macOS enrollment workflow:

  1. To manage an Apple device with Workspace ONE UEM, you must generate an APNS certificate for your Workspace ONE UEM environment.
  2. Create a basic user account or directory user account to Workspace ONE UEM as enrollment ties a device to an enrollment user account.
  3. To enable Device Enrollment integration, you must sign up for an Apple Business Manager (or Apple School Manager) account.
  4. To enroll devices using Apple Business Manager or Apple School Manager, you must perform the following:

Single-User Staging Using Agent-Based Enrollment

The following high-level process helps you to successfully configure single-user staging for devices enrolling with Apple Business Manager:

  1. Create a basic Workspace ONE UEM user account configured for Single-User Staging.
  2. Configure a macOS Device Profile with the Directory Payload assigned to your devices that should be staged.
    • Note the Client ID field can be populated with a lookup value by clicking the [+] (plus sign).   Ensure you choose a field that contains data allowable for a computer name (for example, conforms to NetBios Naming Restrictions for Microsoft Active Directory), such as {DeviceSerialNumber}.
  3. Unbox the macOS device and power it on, then proceed through the Setup Assistant as normal.  
  4. Create a local, administrative macOS account as part of the Setup Assistant.
  5. Log in to macOS as the local macOS account created during Setup Assistant.
  6. Enroll with macOS Hub using the Staging User credentials you created in Step 1.
    • When the device enrolls, the profile containing the directory payload is installed. This binds macOS to your network-based directory service (such as Microsoft Active Directory).
    • Any other profiles and apps assigned to the device using assignment group is sent to the device.
  7. Validate the device is domain bound:
    • Open Terminal.app.
    • Enter the command id <intended user's AD username> and ensure the command returns information about the user.
  8. Log out of the local, administrative macOS account.
  9. At the login window, let the intended end-user log in with their domain-based username and password.
  10. Workspace ONE UEM assigns the device to the end user and begins sending profiles and apps which are assigned to the user.

Note: The web-based enrollment flow is relatively similar to agent-based, except that the admin would initiate their enrollment by navigating to https://deviceservices.url.com/enrollment in a web browser, (where deviceservices.url.com is the fully qualified domain name for your Workspace ONE UEM device services endpoint).

Single-User Staging Using Apple Business Manager Enrollment

The following high-level process helps you to successfully configure single-user staging for devices enrolling with Apple Business Manager:

  1. Create a basic Workspace ONE UEM user account configured for Single-User Staging.
  2. In your Device Enrollment Profile, set the following options:
    • Set Authentication setting to ON.
    • Set Await Configuration to ENABLED.
    • Set Account Setup to SKIP (as you are forcing the end-user to log in with network credentials).
    • Set Create New Admin Account to YES and configure Admin Account details.
  3. Configure a macOS Device Profile with the Directory Payload assigned to your devices that should be staged.
  4. Unbox the macOS device and power it on, then proceed through the Setup Assistant and select to have the device managed by Workspace ONE UEM.
    • Authenticate to Workspace ONE UEM using the user account configured for Single-User Staging (from step 1).
    • When the device enrolls during the Setup Assistant, the profile containing the directory payload will be installed during the AwaitConfiguration phase. This binds macOS to your network-based directory service (such as Microsoft Active Directory).
    • Any other profiles and apps assigned to the device using assignment group are sent to the device.
  5. At the login window, ensure network accounts are available.  
  6. Let the intended end-user log in with their domain-based username and password.
  7. Workspace ONE UEM assigns the device to the end user and begins sending profiles and apps which are assigned to the user.

Note: As a reminder, at the point where the device is enrolled to the Single User Staging user, the logged-in user is not yet associated to the enrollment user. After the first network directory-based account logs in to the Mac, Workspace ONE UEM associates the logged-in user to a user account in Workspace ONE UEM. The new directory account becomes both the enrollment user and managed user.

Important: Although it is possible to set the Authentication setting set to OFF in your DEP profile, this is not recommended. This setting creates a potential security hole that would allow malicious actors to configure a virtual machine with a serial number of a device from your organization to obtain applications, certificates, and so on.  For more information, see Best Practices using Apple Device Enrollment Program (DEP).

Staging Multi-User, Domain-Bound macOS Enrollment

Introduction

In a network-based user-staging scenario, Workspace ONE UEM receives a message from an LDAP-bound macOS device at a network user's login event. This notification allows Workspace ONE to correlate the newly logged-in user (a network user in macOS) to the enrollment user. Because the network account in macOS and Workspace ONE UEM are known to be the same (as they are both originating from the same source; LDAP), Workspace ONE UEM can change the managed user to be the new logged-in user. macOS also reports the APNS token for the network user's mdmclient process to MDM, allowing Workspace ONE UEM to manage the user context in real time.

In multi-user staging scenarios, Workspace ONE UEM associates the device to a new enrollment user each time a network-based user account logs in (for example, the managed user). With each network user login, Workspace ONE UEM modifies the enrollment user to match the newly logged-in user account. Workspace One UEM also associates the new user's APNS token so that the new user account is managed in real-time.  As such, Workspace ONE UEM sends any apps and configurations assigned to the newly logged-in user.

Important: This is a critical concept to understand, as it directly affects the resultant behavior on a macOS device under MDM management. Multi-user staging is dependent on both the staging user configuration and the domain bind.

Prerequisites

Before you can perform the procedures in this tutorial, you must satisfy the following requirements. 

  • Apple device running macOS version 10.12.6 (Sierra) or later
  • VMware Workspace ONE Intelligent Hub for macOS version 3.0 or later
  • Workspace ONE UEM version 9.4 or later

For more information, see the VMware Identity Manager Documentation and VMware Workspace ONE UEM Documentation.

You must also meet the following prerequisites, before configuring any type of macOS enrollment workflow:

  1. To manage an Apple device with Workspace ONE UEM, you must generate an APNS certificate for your Workspace ONE UEM environment.
  2. Create a basic user account or directory user account to Workspace ONE UEM as enrollment ties a device to an enrollment user account.
  3. To enable Device Enrollment integration, you must sign up for an Apple Business Manager (or Apple School Manager) account.
  4. To enroll devices using Apple Business Manager or Apple School Manager, you must perform the following:

Multi-User Staging Using Agent-Based Enrollment

The following high-level process helps you to successfully configure multi-user staging for devices enrolling without Apple Business Manager:

  1. Create a basic Workspace ONE UEM user account configured for Multi-User Staging.
  2. Configure a macOS Device Profile with the Directory Payload assigned to your devices that should be staged.
    1. Note the Client ID field can be populated with a lookup value by clicking the [+] (plus sign). Ensure you choose a field that contains data allowable for a computer name (for example, conforms to NetBios Naming Restrictions for Microsoft Active Directory), such as {DeviceSerialNumber}.
  3. Unbox the macOS device and power it on, then proceed through the Setup Assistant as normal.  
  4. Create a local, administrative macOS account as part of the Setup Assistant.
  5. Log in to macOS as the local macOS account created during Setup Assistant.
  6. Enroll with macOS Hub using the Staging User credentials you created in Step 1.
    1. When the device enrolls, the profile containing the directory payload is installed. This binds macOS to your network-based directory service (such as Microsoft Active Directory).
    2. Any other profiles and apps assigned to the device using assignment group are sent to the device.
  7. Validate the device is domain bound:
    1. Open Terminal.app.
    2. Enter the command id <intended user's AD username> and ensure the command returns information about the user.
  8. Log out of the local, administrative macOS account.
  9. At the login window, let the intended end-user log in with their domain-based username and password.
  10. Workspace ONE UEM assigns the device to the end user and begins sending profiles and apps which are assigned to the user.
  11. Log out of the domain-based user, and log-in with another domain-based user.
  12. Workspace ONE UEM assigns the device to the new end user and begins sending profiles and apps which are assigned to the new user (if different from the previous logged-in user).

Note: The web-based enrollment flow is relatively similar to agent-based, except that the admin would initiate their enrollment by navigating to https://deviceservices.url.com/enrollment in a web browser, (where deviceservices.url.com is the fully qualified domain name for your Workspace ONE UEM device services endpoint).

Multi-User Staging Using Apple Business Manager Enrollment

The following high-level process helps you to successfully configure multi-user staging for devices enrolling with Apple Business Manager:

  1. Create a basic Workspace ONE UEM user account configured for Multi-User Staging.
  2. In your Device Enrollment Profile, set the following options:
    1. Set Authentication setting to ON.
    2. Set Await Configuration to ENABLED.
    3. Set Account Setup to SKIP (as you are forcing the end-user to log in with network credentials).
    4. Set Create New Admin Account to YES and configure Admin Account details.
  3. Configure a macOS Device Profile with the Directory Payload assigned to your devices that should be staged.
    1. Note the Client ID field can be populated with a lookup value by clicking the [+] (plus sign). Ensure you choose a field that contains data allowable for a computer name (for example, conforms to NetBios Naming Restrictions for Microsoft Active Directory), such as {DeviceSerialNumber}.
  4. Unbox the macOS device and power it on, then proceed through the Setup Assistant as normal.  
    1. Authenticate to Workspace ONE UEM using the user account configured for Multi-User Staging (from step 1).
    2. When the device enrolls during the Setup Assistant, the profile containing the directory payload is  installed during the AwaitConfiguration phase. This binds macOS to your network-based directory service (such as Microsoft Active Directory).
    3. Any other profiles and apps assigned to the device using assignment group are sent to the device.
  5. At the login window, let the intended end-user log in with their domain-based username and password.
  6. Workspace ONE UEM assigns the device to the end user and begins sending profiles and apps which are assigned to the user.
  7. Log out of the domain-based user, and log in with another domain-based user.
  8. Workspace ONE UEM assigns the device to the new end user and begins sending profiles and apps which are assigned to the new user (if different from the previous logged-on user).

Note: As a reminder, at the point where the device is enrolled to the multi-user staging user, the device is currently checked-out to the multi-user staging user. After the first network directory-based account logs in to the Mac, Workspace ONE UEM associates the logged-in user to a user account in Workspace ONE UEM.  This is reflected in the Workspace ONE UEM console whereby the device is assigned to the network-based user. The new directory account becomes both the enrollment user (in Workspace ONE UEM) and managed user (in macOS). A subsequent network logout and login event re-assigns the device to the new enrollment user (in Workspace ONE UEM) and begins management of the newly logged-in macOS user (the managed user).

Important: Although it is possible to set the Authentication setting set to OFF in your DEP profile, this is not recommended. This setting creates a potential security hole that would allow malicious actors to configure a virtual machine with a serial number from your organization to obtain applications, certificates, and so on. For more information, see Best Practices using Apple Device Enrollment Program (DEP).

Staging Single-User, Off-Domain macOS Enrollment

Introduction

Typical, domain-based macOS staging workflows leverage the device's network-based user login event to trigger device assignment to the LDAP-based user. This function is enabled because macOS sends the GUID for the user account to Workspace ONE UEM as part of the UserAuthenticate request.

When staging without domain binding, the only user account that can be managed by Workspace ONE UEM is the local user that installs the enrollment profile. Per Apple's MDM Protocol Reference, the server will never get requests from a local user other than the one that installed the enrollment profile. Any staging scenario without domain binding must ensure the local macOS user account that installs the enrollment profile must be the local macOS user account the end-user will be using.

Important: Although it is possible to set the Authentication setting set to OFF in your DEP profile, this is not recommended. This setting creates a potential security hole that would allow malicious actors to configure a virtual machine with a serial number of a device from your organization to obtain applications, certificates, and so on. For more information, see Best Practices using Apple Device Enrollment Program (DEP).

Prerequisites

Before you can perform the procedures in this tutorial, you must satisfy the following requirements. 

  • Apple device running macOS version 10.12.6 (Sierra) or later
  • VMware Workspace ONE Intelligent Hub for macOS version 3.0 or later
  • Workspace ONE UEM version 9.4 or later

For more information, see the VMware Identity Manager Documentation and VMware Workspace ONE UEM Documentation.

You must also meet the following prerequisites, before configuring any type of macOS enrollment workflow:

  1. To manage an Apple device with Workspace ONE UEM, you must generate an APNS certificate for your Workspace ONE UEM environment.
  2. Create a basic user account or directory user account to Workspace ONE UEM as enrollment ties a device to an enrollment user account.
  3. To enable Device Enrollment integration, you must sign up for an Apple Business Manager (or Apple School Manager) account.
  4. To enroll devices using Apple Business Manager or Apple School Manager, you must perform the following:

Single-User Staging for Local Users with Pre-Registration Using Agent-Based Enrollment

This section helps you to configure single-user staging for local users with pre-registration using agent-based enrollment.

1. Agent/Web Single-User Staging for Local Users with Pre-Registration

  1. Create a basic Workspace ONE UEM user account configured for Single-User Staging.
  2. Bulk Import the Device-to-User registration record within the Devices > Lifecycle > Enrollment Statuspage:
    • Click Add > Batch Import and use the Simple template and example for users and/or devices listed on the Batch Import page.
    • Modify the sample CSV (starting in row 2 of the CSV template) by entering only the Username, FirstName, LastName, GroupID, Security Type (Directory or Basic), and DeviceSerial.
  3. Unbox the Mac and power it on. Proceed through the Setup Assistant as normal.  
    • Create a local, administrative macOS account as part of the Setup Assistant.  
    • ENSURE the local macOS account created is the username you want to give the end-user of the machine.
  4. Log in to macOS as the local macOS account created during Setup Assistant.  
  5. Enroll with macOS Hub using the Staging User credentials you created in step 1 of this section.
    • When the device enrolls, Workspace ONE UEM assigns the device from the staging user to the user you specified in step 2 using bulk import.
    • Any profiles and apps assigned to the enrollment user specified by bulk import are sent to the device when the local macOS user account you used in step 5 is logged-in.

Note: The web-based enrollment flow is similar to agent-based, except that the admin would initiate their enrollment by navigating to https://deviceservices.url.com/enrollment in a web browser (where deviceservices.url.com is the fully qualified domain name for your Workspace ONE UEM device services endpoint).

2. Agent/Web Single-User Staging for Local Users with API Check-Out

(workspace one macos, mdm protocol, macos management)

Note: The process to check-out a device to an enrollment user can be used when the device-to-user assignments are not known ahead of time (for example, devices stored in a depot and subsequently assigned out to users). Generally speaking, this is an advanced use case where the code mentioned in step 5 is included in a larger onboarding workflow and/or native application.

  1. Create a basic Workspace ONE UEM user account configured for Single-User Staging.
  2. Unbox the Mac and power it on. Proceed through the Setup Assistant as normal.  
    • Create a local, administrative macOS account as part of the Setup Assistant.  
    • ENSURE the local macOS account created is the username you want to give the end-user of the machine.
  3. Log in to macOS as the local macOS account created during Setup Assistant.  
  4. Enroll with macOS Hub using the Staging User credentials you created in step 1 of this section.
  5. While logged in as the user that enrolled in step 4, call the Workspace ONE UEM Rest API to check-out the device to the correct enrollment user.

REST API Details:  https://<API_Server>/api/help/#!/DevicesV2/DevicesV2_CheckOutDeviceToUser

PATCH /api/mdm/devices/{id}/enrollmentuser/{enrollmentuserid}
* {id} - AirWatch Device ID
* {enrollmentuserid} - AirWatch User ID
* Accept - application/json:version=2
  • The API call is typically embedded in a workflow control application or script.
  • Every time the end-user logs in with the username created during the Setup Assistant, Workspace ONE UEM considers that local macOS user the managed user and sends apps/profiles targeted to the enrollment user.

Note: The web-based enrollment flow is similar to agent-based, except that the admin would initiate their enrollment by navigating to https://deviceservices.url.com/enrollment in a web browser (where deviceservices.url.com is the fully qualified domain name for your Workspace ONE UEM device services endpoint).

Single-User Staging for Local Users with Pre-Registration Using Apple Business Manager Enrollment

This section helps you to configure single-user staging for local users with pre-registration using Apple Business Manager enrollment.

1. Apple Business Manager Single-User Staging for Local Users with Pre-Registration

  1. Create a basic Workspace ONE UEM user account configured for Single-User Staging.
  2. In your Device Enrollment Profile, set the following options:
    • Set Authentication setting to OFF.
    • Set Staging Mode to Single User Device.
    • Set the Default Staging User as the basic user configured for Single-User Staging.
    • Set Await Configuration to ENABLED.
    • Set Account Setup to DON'T SKIP.
    • Optionally, set Create New Admin Account to YES and configure Admin Account details for a hidden IT administrator account.
  3. Validate the device record has synced from Apple Business Manager or Apple School Manager:
    • Navigate to Devices > Lifecycle > Enrollment Status in the Workspace ONE UEM console and change the layout to Custom.
    • Ensure the device to be staged has synced from Apple Business Manager by scrolling to the right.
    • Check the Token Type is Apple Enrollment.
    • If the device has no Token Type, navigate to Devices > Devices Settings > Apple > Device Enrollment Program and click Sync Devices.
  4. Validate the device record has the correct Device Enrollment profile:
    • Navigate to Devices > Lifecycle > Enrollment Status in the Workspace ONE UEM console and change the layout to Custom.
    • Ensure the Profile Name matches the profile you created in step 2.
    • If the Profile Name is incorrect, select the check box next to the device(s) to be enrolled and navigate to More Actions > Assign Profile > Choose the profile you created in step 2 > Save.
  5. Bulk Import the Device-to-User registration record within the Devices > Lifecycle > Enrollment Status:
    • Click Add > Batch Import and use the Simple template and example for users and/or devices listed on the Batch Import page.
    • Modify the sample CSV (starting in row 2 of the CSV template) by entering only the Username, FirstName, LastName, GroupID, Security Type (Directory or Basic), and DeviceSerial.
    • After the Import completes, reload the Enrollment Status page. 
    • Ensure the device to be staged has a User name assigned and still has a Token Type of Apple Enrollment.
  6. Unbox the macOS device and power it on. Proceed through the Setup Assistant and select to have the device managed by Workspace ONE UEM:
    • When the device enrolls, Workspace ONE UEM assigns the device from the staging user to the user you specified in step 5 using bulk import (the enrollment user).
    • When the end-user logs in with the username created during the Setup Assistant, Workspace ONE UEM considers that local macOS user the managed user and sends apps/profiles targeted to the enrollment user.

2. Apple Business Manager Single-User Staging for Local Users with API Check-Out

  1. Create a basic Workspace ONE UEM user account configured for Single-User Staging.
  2. In your Device Enrollment Profile, set the following options:
    • Set Authentication setting to OFF.
    • Set Staging Mode to Single User Device.
    • Set the Default Staging User as the basic user configured for single-user staging.
    • Set Await Configuration to ENABLED.
    • Set Account Setup to DON'T SKIP.
    • Optionally, set Create New Admin Account to YES and configure Admin Account details for a hidden IT administrator account.
  3. Validate that the device record has synced from Apple Business Manager or Apple School Manager:
    • Navigate to Devices > Lifecycle > Enrollment Status in the Workspace ONE UEM console and change the layout to Custom.
    • Ensure that the device to be staged has synced from Apple Business Manager by scrolling to the right.
    • Confirm that the Token Type is Apple Enrollment.
    • If the device has no Token Type, navigate to Devices > Devices Settings > Apple > Device Enrollment Program and click Sync Devices.
  4. Validate that the device record has the correct Device Enrollment profile:
    • Navigate to Devices > Lifecycle > Enrollment Status in the Workspace ONE UEM console and change the layout to Custom.
    • Ensure that the device to be staged has a Token Type of Apple Enrollment.
    • Ensure that the Profile Name matches the profile you created in step 2.
    • If the Profile Name is incorrect, select the check box next to the device(s) to be enrolled and navigate to More Actions > Assign Profile > Choose the profile you created in step 2 > Save.
  5. Unbox the macOS device and power it on. Proceed through the Setup Assistant and select to have the device managed by Workspace ONE UEM:
    • When the device enrolls, Workspace ONE UEM assigns the device to the staging user you created in step 1.
    • When the end-user logs in with the username they create during the Setup Assistant, Workspace ONE UEM does not send any applications/profiles targeted to users as the device is still assigned to the staging account.
  6. While logged in as the user that enrolled in step 5, call the Workspace ONE UEM Rest API to check-out the device to the correct enrollment user.

    REST API Details: https://<API_Server>/api/help/#!/DevicesV2/DevicesV2_CheckOutDeviceToUser

PATCH /api/mdm/devices/{id}/enrollmentuser/{enrollmentuserid}
* {id} - AirWatch Device ID
* {enrollmentuserid} - AirWatch User ID
* Accept - application/json:version=2
  • The API call is typically embedded in a workflow control application or script.
  • Every time the end-user logs in with the username created during the Setup Assistant, Workspace ONE UEM considers that local macOS user the managed user and sends apps/profiles targeted to the enrollment user.

Note: The process to check-out a device to an enrollment user can be used when the device-to-user assignments are not known ahead of time (for example, devices stored in a depot and subsequently assigned out to users). Generally speaking, this is an advanced use case where the previous code is included in a larger onboarding workflow and/or native application.

Summary and Additional Resources

Conclusion

This operational tutorial provided steps to enroll a macOS device using a number of enrollment workflows. These workflows included user-initiated enrollments, single-user and multi-user staging for network users, and single-user staging without domain binding.

 

Additional Resources

For more information about Workspace ONE, explore the VMware Workspace ONE Activity Path. The activity path provides step-by-step guidance to help you level-up in your Workspace ONE knowledge. You will find everything from beginner to advanced curated assets in the form of articles, videos, and labs.

Additionally, you can check out the VMware Workspace ONE and VMware Horizon Reference Architecture which provides a framework and guidance for architecting an integrated digital workspace using VMware Workspace ONE and VMware Horizon. 

For more information on macOS, see Understanding macOS Management

About the Author

This tutorial was written by:

  • Robert Terakedis, Senior Technical Marketing Manager, End-User-Computing Technical Marketing, VMware

Feedback

Your feedback is valuable. 

To comment on this tutorial, contact VMware End-User-Computing Technical Marketing at euc_tech_content_feedback@vmware.com.

Associated Content

From the action bar MORE button.

Filter Tags

Workspace ONE Workspace ONE UEM Document Operational Tutorial Intermediate macOS Deploy Modern Management