Mobile Device Management (MDM) is an Apple-provided protocol for device management. The client-side agent is included in the operating system by Apple. Third-party vendors provide MDM services to interact with Apple devices.

In spring 2022 Lafayette College will be enrolling College-owned macOS computers into Mosyle MDM. Enrolling existing computers into MDM requires user interaction. If you are using a College-owned macOS computer, you will be prompted to complete the enrollment into Mosyle.

Why is This Required?

Mobile Device Management (MDM), traditionally used to manage devices such as mobile phones and tablets, is an operating system protocol that now extends to laptop and desktop computers to enable the configuration, management, and deployment of software. As part of Apple’s commitment to security and privacy, MDM enrollment is required to manage macOS computers in an enterprise environment such as Lafayette College. Starting with macOS 10.13, Apple has moved to an increased reliance on an MDM platform to align with their enhanced security and privacy initiatives. Mosyle, an approved Apple MDM solution, provides ITS the capability to manage College macOS and iOS devices which includes the deployment and updating of the operating system, applications, security policy, and lifecycle management.

Having macOS devices enrolled in MDM will:

  • automatically allow system extensions like those used by Google Drive
  • ensure software like backup software is able to operate properly
  • streamline the delivery of college licensed software
  • reduce annoying dialogs and notifications

What do I Need to Do when Prompted for MDM Enrollment?

  1. When presented with this dialog box: (Image: Dialog box showing MDM Enrollment Required) look for the following notification, most likely in the upper right corner of your screen: (Image: Notification showing Device Enrollment information)
    Note: there are some differences in the appearance of the notification and the following steps based on what version of macOS is installed on your machine.
  2. To complete enrollment, click Details.
  3. System Preferences will open. Click [Allow] to complete the enrollment: (Image: Dialog showing Allow Device Enrollment)
  4. Close out of System Preferences. The original dialog prompting you to enroll will close automatically once enrollment is completed.

What Do I Do If I See Manual Enrollment Required?

  1. If you are presented with this dialog, click [Manual Enrollment] for manual enrollment into Mosyle: (Image: Dialog box showing Manual Enrollment Required)
    • If using Safari, you may be prompted to allow downloads. Click Allow: (Image: Dialog asking to allow downloads)
    • If using Firefox, you will be prompted to open the profile: (Image: Firefox dialog prompting to open a mobileconfig file)
    • If using Google Chrome, you will be asked if you want to keep the profile: (Image: Chrome window prompting to keep mobileconfig file)
  2. After the software downloads, click the profile to open: (Image: Chrome window showing downloaded profile)
  3. If you are running macOS 10.15 or lower, opening the downloaded profile will automatically open up the Profiles Preference Pane in System Preferences. Click [Install] to complete the enrollment: (Image: Dialog prompting to install "Mosyle Corporation MDM")
  4. You may now be prompted to enter your computer password: (Image: Dialog prompting for password for Rene Clouseau)
  5. Once profile installation is completed, you may close out of System Preferences. The dialog prompting for manual enrollment will close automatically when the enrollment is complete.
  6. If you are running macOS 11 or higher, opening the profile will cause a notification to appear: (Image: Notification prompting to review profile in System Preferences)
  7. Open System Preferences by using the Apple Menu -> System Preferences. Select the Profiles icon. (Image: System Preferences Window)
  8. You will then be able to complete the installation of the profile by clicking [Install…]: (Image: Profile installation preference pane)
  9. Close System Preferences.

Does This Replace Managed Software Center?

No. Managed Software Center will continue to be used to install software payloads to College-owned macOS computers.

What is the Manager Application?

After enrollment you may notice Manager.app in your Applications folder. This is Mosyle Manager, which can provide some functionality beyond Apple’s MDM protocol. As we already use Managed Software Center, you will not need to interact with Manager.

Does this mean ITS can track the location of my Mac laptop?

No.  MDM does not allow for location tracking for macOS devices.

MDM seems powerful. Does this mean a shift in the way ITS is managing Macs on campus?

College-owned Macs are already managed. Adding MDM is simply updating the toolset used to manage our Macs. In some ways MDM is less powerful than existing management tools, but it does fill some gaps in functionality. Our philosophy and practice of device management remain unchanged.
