Managing macOS Devices

Introduction

This section covers basic macOS administration using Workspace ONE UEM. This exercise helps you enroll a macOS device, create profiles, deploy an application, lock the device, and use Custom Attributes.

Prerequisites

Before you can perform the procedures in this exercise, you must complete the following tutorials:

This exercise requires administrator and end-user authentication during enrollment. Gather the required account information and record it in the following table. The account information shown is based on a test environment; your account details will differ.

Example Account Information

  Administrator Account Information
    User name:  administrator
    Password:   VMware1!

  User Account Information
    User name:  testuser
    Password:   VMware1!
    Email:      testuser@company.com

You must also satisfy the following requirements.

  • Apple device running macOS version 10.12.6 (Sierra) or later
  • A macOS app, such as Feedly. To follow the instructions in this exercise, download a Feedly installation file and save it in the Documents folder.

Logging In to the Workspace ONE UEM Console

To perform most of the steps in this exercise, you must first log in to the Workspace ONE UEM Console.

1. Launch Chrome Browser

On your desktop, double-click the Google Chrome icon.

3. Authenticate to the Workspace ONE UEM Console

  1. Enter your Username. This is the name provided in the activation email.
  2. Enter your Password. This is the password provided in the activation email.
  3. Click the Login button.

Note: If you see a Captcha, be aware that it is case sensitive.

Retrieving the Group ID

Before enrolling your device, retrieve your Group ID from the Workspace ONE UEM Console.

1. Point to the Organization Group

Finding your Group ID

Select the email address you used to log in to the Workspace ONE UEM Console.

2. Copy the Group ID

Copy the Group ID from the Organization Group tab.

Installing the Workspace ONE Intelligent Hub

In this exercise, download and install the Workspace ONE Intelligent Hub on your macOS device. 

1. Log In to the MacBook - If Needed

Log in to the macOS device. If you are using a VMworld-provided device, the login details are below.

  1. Enter administrator for the username.
  2. Enter VMware1! for the password.
  3. Press the continue button or press ENTER.

2. Download the Agent

Open the Safari Browser on the MacBook

Click the Safari icon (blue compass) to open the Safari browser.

2.1. Initiate Download

  1. Enter https://getwsone.com in the URL field, then press ENTER.
  2. Click Download Hub for macOS. The Workspace ONE Intelligent Hub begins to download and is saved to the Downloads folder by default.

3. Install the Workspace ONE Intelligent Hub

  1. Click the Downloads folder in the dock (next to the Trash Bin).
  2. Click the VMwareWorkspaceONEIntelligentHub.pkg file to begin the installer.

3.1. Continue to Begin the Installer

Click Continue.

3.2. Continue and Agree to Terms

  1. In the Installer, click Continue. 
  2. Click Agree (to the license terms).

4. Select Destination for the Installer

Click Continue.

5. Define Install Location and Provide Administrator Credentials

  1. Click Install to perform a standard installation.
  2. Enter the admin user name, for example, Administrator.
  3. Enter the password.
  4. Click Install Software.

6. Close and Move to Trash

  1. Click Close when the installer finishes.
  2. Click Move to Trash to move the installer to the trash.

Enrolling a macOS Device

In this exercise, you enroll a macOS device into Workspace ONE UEM. Enrollment is the action that brings a device under management and control by Workspace ONE UEM. There are a number of ways to enroll the various platforms (macOS included), but for this exercise we cover a basic enrollment scenario.  

1. Enroll the macOS Device

This enrollment flow is considered User-Approved per the functionality introduced in macOS High Sierra.

1.1. Begin macOS Enrollment Process

The Enrollment Wizard should start automatically. From within the Enrollment wizard window, click Server Detail.

Note: The Enrollment Wizard may take several minutes to launch. If you do not see the Enrollment Wizard immediately, be patient and wait for it to appear.

1.2. Enter Enrollment Server Details

  1. Enter your Workspace ONE UEM URL, for example, hol.awmdm.com.
  2. Enter your Group ID. This is the value you recorded in Retrieving the Group ID.
  3. Click the Continue button. 

1.3. Enter Enrollment Credentials

  1. Enter the staging enrollment username testuser in the Username field.
  2. Enter the enrollment user password VMware1! in the Password field.
  3. Click the Continue button.

1.4. Enable Device Management

Click Enable to enable device management.

1.5. Install Workspace Services

Click Install.

1.6. Install Profile for User-Approved Enrollment

Click Install.

1.7. Enter Administrative Credentials for Profile Install

  1. When prompted, enter the password VMware1! for your user account on the Mac.
  2. Click the OK button.

1.8. Quit Profiles Preference Panel

Click the red dot to close the Profiles panel.

1.9. Quit the Enrollment Wizard

2. Validate Mac Enrollment

Follow the next steps to verify that the Mac has been successfully enrolled.

In the upper-right corner of the screen:

  1. Note the shield icon in the menu bar. Click the icon.
  2. Note the menu shows your device as Enrolled.
  3. Click Preferences and review the options available to you in the agent.

Key Takeaways

  • Agent-based macOS enrollment is streamlined and intuitive.
  • Workspace ONE UEM supports a number of enrollment methods for macOS devices: web-based, agent-based, staged (pre-installed agent), enrollment on behalf of a user, and enrollment using the Apple Device Enrollment Program.
  • Agent logs can be collected directly from the Workspace ONE Intelligent Hub. This eases helpdesk troubleshooting by allowing end users to quickly send diagnostic information to helpdesk and/or administrative users.

Creating a Device Profile for macOS

This exercise explores how to modify the macOS device behavior using Profiles.

Profiles are the mechanism by which Workspace ONE UEM manages settings on a macOS device. macOS profile management is done at two levels: device level and enrollment-user level. Device-level settings let you apply restrictions and settings regardless of who is logged on; user-level settings apply only to the enrolled user on the device.

All profiles are broken down into two basic sections, the General section and the Payload section.

  • The General section holds information about the Profile: its name and the filters that decide which devices receive it.
  • The Payload sections define the actions to be taken on the device.

Every Profile must have all required fields in the General section properly filled out and at least one payload configured.

Device Profiles are typically used to control settings that apply system-wide. Device profiles can include items such as VPN and Wi-Fi configurations, Global HTTP Proxy, Disk Encryption, and/or Directory (LDAP) integration. In this exercise, we create a device profile that restricts access to selected System Preferences panes for all users on the machine.

1. Close System Preferences if opened

This section helps you create a device profile that changes some system preferences on your Mac. To see those changes take effect, however, you must first close System Preferences if it is already open.

If System Preferences is open, click X to close it.

2. Add a macOS Device Profile

In the Workspace ONE UEM console:

  1. Select Devices.
  2. Select Profiles & Resources.
  3. Select Profiles.
  4. Select Add
  5. Select Add Profile.

2.1. Select Profile Platform

Select the macOS icon.

2.2. Select the Profile Context

Select the Device Profile icon.

3. Profile General Settings

Configure the device profile as follows:

  1. Select General if it is not already selected.
  2. Enter macOS Device Restrictions for the profile name.
  3. Select Auto for the Assignment Type.
  4. Scroll down to the Assigned Groups field and click in the search box. This pops up the list of existing Assignment Groups. Enter All Devices and select All Devices (your@email.shown.here).

    Note: You do not need to click Save or Save & Publish at this point.  This interface allows you to move around to different payload configuration screens before saving.

4. Select the Restrictions Payload

  1. Select Restrictions.
  2. Click the Configure button.

Note: When you first open most payloads, a Configure button is shown; this reduces the risk of accidentally configuring a payload you did not intend to.

4.1. Configure the Restrictions Payload

  1. Select Restrict System Preference Panes.
  2. Select Disable Selected Items.
  3. Enable the Bluetooth checkbox.
  4. Enable the Energy Saver checkbox.

4.2. Save and Publish

Click Save & Publish.

5. Publish the Device Profile

Click the Publish button.

6. Verify the Device Profile Now Exists

You should now see your macOS Device Restrictions Device Profile within the list of the Profiles window.

Note: If you need to edit the Profile, this is where you would return in order to do so.

7. Validate Applied Profiles

  1. Click the Apple icon in the upper-left corner
  2. Click System Preferences.
  3. If System Preferences shows you a specific subpanel, such as Time Machine, click the back button.
  4. Note that the Bluetooth and Energy Saver icons are grayed out, so their settings can no longer be modified.

Key Takeaways

  • You can use a combination of Device-level and User-level profiles for flexibility when configuring your macOS devices.
  • Profiles can be targeted against Assignment Groups for granular control.

Creating a User Profile for macOS

User Profiles are typically used to control settings that apply to the enrolled user. User profiles can include items such as Email configurations, web clips (URL shortcuts), credentials (certificates), and content filtering settings. In this exercise, we create a profile that modifies the Dock for the enrolled user on this machine.

1. Add a macOS User Profile

  1. Select Add.
  2. Select Add Profile.

1.1. Select Profile Platform

Click the macOS icon.

1.2. Select the Profile Context

Select the User Profile icon.

2. Profile General Settings

Configure the profile as follows:

  1. Click on General if it is not already selected.
  2. Enter macOS User Dock in the Name text box.
  3. Ensure the assignment type is set to Auto.
  4. Click in the Assigned Groups field. This pops up the list of existing Assignment Groups. Enter All Devices and select the All Devices (your@email.shown.here) Group.

Note: You do not need to click Save or Save & Publish at this point. This interface allows you to move around to different payload configuration screens before saving.

3. Select the Dock Payload

  1. Select Dock.
  2. Click the Configure button.

3.1. Configure the Dock Payload

  1. Change the Dock Size to be smaller.
  2. Change the Dock Position to Left.

3.2. Save & Publish

Click Save & Publish.

4. Publish the User Profile

Select the Publish button.

5. Verify the User Profile

You should now see your macOS User Dock User Profile within the List of the Profiles window.

Note: If you need to edit the Profile, this is where you would return in order to do so.

6. Validate Applied Profile

Verify that the Dock has become smaller and has moved to the left side of the screen.

Reviewing New Payloads for macOS High Sierra Profile

1. Add a macOS Device Profile

In the Workspace ONE UEM console:

  1. Select Devices.
  2. Select Profiles & Resources.
  3. Select Profiles.
  4. Select Add
  5. Select Add Profile.

1.1. Select Profile Platform

Select the macOS icon.

1.2. Select the Profile Context

Select the Device Profile icon.

2. Configure Security & Privacy Payload

  1. Select Security & Privacy
  2. Click Configure.

3. Review Security & Privacy Payload Settings

  1. Select the Delay Updates check box.
  2. Note the box where you can specify how long (1 to 90 days) to delay updates.

Note: The delay is counted from the day Apple releases the update, not from the day the device learns about it. For example, if Apple publishes an update and the device is offline for the first 30 days after the release, a 90-day update delay period still ends 60 days later (even though the device has only known about the update for 60 days).

4. Review the Kernel Extension Policy Payload

In the same profile screen:

  1. Select the Kernel Extension Policy payload.
  2. Click Configure.

4.1. Review Kernel Extension Policy Settings

  1. Note the User Override setting. It controls whether the user may approve their own Kernel Extensions.
  2. Click Add under Allowed Team Identifiers.
  3. Note the Allowed Team Identifier setting. It allows every Kernel Extension signed by that team identifier.
  4. Click Add under Allowed Kernel Extensions.
  5. Note the Allowed Kernel Extensions setting. Here you can enter a constrained list of Kernel Extension bundle IDs together with their associated developer (team identifier).

Note: The Kernel Extension Policy requires the device to be enrolled through User Approved MDM Enrollment methods.

Note: To facilitate admins discovering Kernel Extensions (KEXTs) in their environment, VMware created a script that writes details about kernel extensions found in three common folders to the Custom Attributes database.

Download the KEXT Custom Attributes via Products script from GitHub.  
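The script the note refers to is not reproduced here. As an added example, written for this page and not VMware's script, the following POSIX shell inventories the kernel extension bundles found in the three common locations and prints, per bundle, the bundle ID, the signing Team ID and the path, which is exactly the information an Allowed Team Identifiers or Allowed Kernel Extensions list needs. It assumes (not stated on the page) that each bundle carries an XML Contents/Info.plist with a CFBundleIdentifier key (binary plists must first be converted with plutil) and that codesign is available for the Team ID; off macOS the Team ID is reported as "unknown" so the script still runs. The directory list and function names are the example's own.

```shell
#!/bin/sh
# Added example (not VMware's "KEXT Custom Attributes via Products" script):
# inventory *.kext bundles and print "bundle-id<TAB>team-id<TAB>path" per bundle.
# Assumptions: XML Info.plist with CFBundleIdentifier; codesign present on macOS.

# The three common kernel extension folders (paths must not contain spaces).
KEXT_DIRS="/Library/Extensions /System/Library/Extensions /Library/StagedExtensions"

# Print the <string> that follows a given <key> in an XML plist.
# $1 = plist path, $2 = key name. Works whether key and value share a line or not.
plist_string() {
  awk -v key="$2" '
    $0 ~ ("<key>" key "</key>") { found = 1 }
    found && /<string>/ { sub(/.*<string>/, ""); sub(/<\/string>.*/, ""); print; exit }
  ' "$1"
}

# Print the signing Team ID of a bundle, or "unknown" when codesign is absent
# (non-macOS) or the bundle is unsigned.
team_id() {
  if command -v codesign >/dev/null 2>&1; then
    team=$(codesign -dvv "$1" 2>&1 | sed -n 's/^TeamIdentifier=//p')
    printf '%s\n' "${team:-unknown}"
  else
    printf 'unknown\n'
  fi
}

# Inventory the *.kext bundles directly under each directory given as an
# argument (default: KEXT_DIRS). Bundles without an Info.plist are skipped;
# a plist without CFBundleIdentifier is reported with the id "MISSING".
# Output is sorted by bundle id.
inventory_kexts() {
  dirs="${*:-$KEXT_DIRS}"
  for dir in $dirs; do
    [ -d "$dir" ] || continue
    find "$dir" -maxdepth 1 -type d -name '*.kext' 2>/dev/null |
    while IFS= read -r kext; do
      plist="$kext/Contents/Info.plist"
      [ -f "$plist" ] || continue
      id=$(plist_string "$plist" CFBundleIdentifier)
      printf '%s\t%s\t%s\n' "${id:-MISSING}" "$(team_id "$kext")" "$kext"
    done
  done | sort
}

# Run with "--run" to print the inventory of the default locations; without
# the flag the file only defines the functions (so it can be sourced).
if [ "${1:-}" = "--run" ]; then
  inventory_kexts
fi
```

Feed the Team ID column into Allowed Team Identifiers for vendors you trust as a whole, and the bundle ID column into Allowed Kernel Extensions where you want to allow-list individual extensions; anything reported as MISSING or unknown deserves a closer look before it is allowed.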

4.2. Close Profile Window

  1. Click the X in the upper-right corner to close the Add Profile window.
  2. Click OK to confirm and discard your changes.

Configuring Device Lock

Device lock for macOS devices causes the machine to reboot into a firmware-lock screen. This lock screen occurs at the firmware level prior to OS boot.

1. Open macOS Device Details

  1. Select Devices.
  2. Select List View. 

2. Select macOS Device

Select your enrolled macOS device.

Note: In this exercise we are using MacBooks—ensure that you are selecting your enrolled macOS device.

3. Lock Device

Click Lock in the upper-right corner of your device details view.

4. Enter Device Lock Code

  1. Enter 111111 as the firmware lock code.
  2. Click Lock Device.

5. Device Reboot

The device reboots after a short delay and the firmware lock is applied.

6. Unlock The Device

  1. At the System Lock screen, enter the unlock code 111111.
  2. Click the arrow (-->) to boot the device.

7. Key Takeaways

  • Workspace ONE UEM supports a firmware-based device lock for macOS.
  • The device cannot be booted until the device lock code has been entered.

Understanding macOS Application Management

Workspace ONE UEM supports a few different methods for delivering software to managed macOS devices. In this section, learn about the software delivery methods that are available, and when each method is appropriate to use.

The following software delivery methods are available for macOS:

  • Apple Business Manager or Apple School Manager — Delivers macOS App Store applications to devices as volume-licensed, purchased applications.
  • Software Distribution — Delivers third-party, non-store applications as internal apps in Workspace ONE UEM 9.3 and later.   
  • Product Provisioning — Deploys non-store applications and scripts as products in Workspace ONE UEM (or AirWatch) 9.2 and earlier.

The type of software being delivered determines the appropriate delivery method. The following table lists different types of software and their recommended delivery method.

  Store Apps
    Delivery Method: Apple Business Manager
    Examples:
      • Xcode
      • Slack
      • Microsoft Remote Desktop
      • Apple's iWork suite
      • TextWrangler
      • F5 Access (VPN)
      • iBooks Author
      • Microsoft OneDrive
      • Microsoft OneNote
      • QuickBooks
      • VMware Tunnel

  Non-Store Apps
    Delivery Method: Software Distribution
    Examples:
      • Adobe Creative Suite
      • Microsoft Office 2016 for macOS
      • BlueJeans
      • Camtasia
      • Audacity
      • Shell scripts, Python scripts

Deploying macOS Volume-Purchased Apps

In this section, watch a video that shows how to purchase app licenses in Apple Business Manager, then assign them to enrolled devices in Workspace ONE UEM.

This section shows how to volume-purchase applications through the app store and assign to devices using device-based licensing. However, Workspace ONE UEM also supports non-store, third-party software management. Because this configuration is considered advanced, details on third-party non-store software management can be found in an Operational Tutorial on VMware TechZone.

Managing macOS Custom Attributes

Custom attributes enable administrators to extract particular values from a managed device and return them to the Workspace ONE UEM Console. This is particularly useful for device configuration auditing and for Product sequencing.

1. Custom Attributes

Custom attributes are key-value pairs. The values are generated by scripts or commands that execute on the device and are returned to the console through the Workspace ONE UEM Agent. The scripts or commands are delivered to the device in a Custom Attributes payload of a profile. The profile also lets you schedule the script or command to re-run on a schedule or in response to an event. Additionally, Custom Attributes payloads execute in the root context on the device, which lets you gather information about the device without requiring the enrolled user to have administrative permissions.

2. Custom Attribute Profiles

Previously, custom attributes were sent to the console by writing a shell script that stored values in a specific plist file monitored by the agent. In AirWatch 8.2 and later, this functionality is included as a profile payload and adds features such as scheduling.

2.1. Create Custom Attribute Profile

In the Workspace ONE UEM console:

  1. Select Devices.
  2. Select Profiles & Resources.
  3. Select Profiles.
  4. Select Add
  5. Select Add Profile.

2.2. Select Profile Platform

Select the macOS icon.

2.3. Select the Profile Context

Select the Device Profile icon.

2.4. Configure General Profile Settings

  1. Select General if it is not already selected.
  2. Enter macOS Device Custom Attributes in the Name text box.
  3. Copy the profile name into the Description text box.
  4. Ensure the Assignment Type is set to Auto.
  5. Click in the Assigned Groups field. This pops up the list of existing Assignment Groups. Enter All Devices and select the All Devices (your@email.shown.here) Assignment Group.
    Note: You may need to scroll down to find the Assigned Groups field.

Note: You DO NOT need to click Save or Save & Publish at this point. This interface allows you to move around to different payload configuration screens before saving.

2.5. Configure Custom Attributes Payload

  1. Scroll down the list of Payload Types on the left menu.
  2. Select Custom Attributes.
  3. Click Configure.

2.6. Enter Local Host Name Custom Attribute Command

  1. Enter LocalHostName as the Attribute Name.
  2. Enter the following command, using the correct slash, two hyphens, and the proper capitalization:

     /usr/sbin/scutil --get LocalHostName

  3. Select 1 Hour for the Reporting setting.
  4. Click Save & Publish.

2.7. Publish to Device Assignment

Click Publish.
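The exercise enters a single command, but the same payload accepts a script. As an added example, written for this page and not VMware's code, the following POSIX shell shows how such a script should behave given what the page states: the agent records the command's standard output as the attribute value and runs the script as root, so each function prints exactly one trimmed line and nothing else, and refuses to print a blank. local_host_name wraps the exercise's own command; filevault_state is a second, assumed audit attribute built on Apple's fdesetup (the "FileVault is On/Off" wording is an assumption, not from the page). The hostname fallback exists only so the script also runs outside macOS; the function names are the example's own.

```shell
#!/bin/sh
# Added example of a Custom Attributes payload script (not VMware's code).
# Each function prints one trimmed line: that line becomes the attribute value.
# Assumptions: runs as root (as the page states); scutil and fdesetup exist on
# macOS; fallbacks below only keep the script runnable elsewhere.

# Reduce raw command output to a single attribute line: first line only,
# leading and trailing whitespace removed. Returns 1 for empty input so a
# caller can avoid reporting a blank value to the console.
attribute_value() {
  value=$(printf '%s\n' "$1" | head -n 1 | sed 's/^[[:space:]]*//;s/[[:space:]]*$//')
  [ -n "$value" ] || return 1
  printf '%s\n' "$value"
}

# LocalHostName: what the exercise's one-liner reports.
local_host_name() {
  if [ -x /usr/sbin/scutil ]; then
    raw=$(/usr/sbin/scutil --get LocalHostName 2>/dev/null)
  else
    raw=$(hostname -s 2>/dev/null || uname -n)   # fallback off macOS (assumption)
  fi
  attribute_value "$raw"
}

# FileVault state as an audit attribute: "on", "off" or "unavailable".
# Assumes fdesetup status prints "FileVault is On." / "FileVault is Off.".
filevault_state() {
  if [ -x /usr/bin/fdesetup ]; then
    raw=$(/usr/bin/fdesetup status 2>/dev/null)
  else
    raw=""
  fi
  case "$raw" in
    *"FileVault is On"*)  attribute_value on ;;
    *"FileVault is Off"*) attribute_value off ;;
    *)                    attribute_value unavailable ;;
  esac
}

# One payload command reports one attribute; choose it with an argument, e.g.
#   /bin/sh custom_attribute.sh LocalHostName
case "${1:-}" in
  LocalHostName)  local_host_name ;;
  FileVaultState) filevault_state ;;
esac
```

Because the payload treats whatever is written to standard output as the value, keep diagnostics on standard error and never echo anything else; a stray line from a tool turns into a misleading attribute in the console.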

3. Locating Custom Attributes

After Workspace ONE UEM delivers a Custom Attributes profile to a device, the agent reports the initial value of each custom attribute back to Workspace ONE UEM and begins the schedule or event monitoring. Custom attribute values that have been reported to the console can be viewed in the device details.

3.1. Access Device List View

  1. Select Devices.
  2. Select List View.

3.2. Select Your Device

Select your device.

3.3. Access Custom Attributes

  1. Select More.
  2. Select Custom Attributes.

3.4. Review Custom Attributes

  1. Notice that the Source of the attributes is Device Sourced—this means the data was gathered from the device and sent to Workspace ONE UEM.
  2. Note the list of Attributes.
  3. Note the value of each Attribute. These values were generated by the output of your command/script in the Custom Attributes payload.