Enrolling a Corporate Owned Mac (macOS) Device

To remotely manage your Mac devices, they need to be enrolled to the Scalefusion Dashboard. If you have procured your Mac devices under Apple's Device Enrollment Program (DEP) program then you can automate the enrollment right when the devices are unboxed for the first time. Please refer to our DEP guide on how to setup DEP and sync DEP devices.

However if you are using Mac devices that are not under DEP program, then you would have to manually enroll them to Scalefusion Dashboard. In this document we will see how to enroll your Mac device.

Before You Begin

  1. Complete the Configure APNs step.
  2. Create a macOS Device Profile.
  3. Create a Mac (macOS) Enrollment Configuration.
  4. Have physical access to a Mac device.

Understanding Device vs User Policies/Profiles

Before you enroll your first device, it will be handy to understand some fundamental concepts of Mac (macOS) device management.

  1. A single Mac machine might be used by multiple user accounts. Typically there is one administrator account and more than one standard user account on a Mac machine. It is quite common that there is only one user account on the device which is of type administrator.
    1. Additionally these users can be locally created users or Network users.
  2. Apple's macOS MDM protocol divides the policies into two categories,
    1. Device Level Policy: These are the types of policies which are applicable at a device level and hence apply to all the users of that machine.
    2. User Level Policy: These are the types of policies which are applicable to the users and can be selectively applied to the users of the machine.
  3. Scalefusion currently supports single user management, what this means is that Scalefusion installs the Device Level policies for all the users of the machine, however the user level policies are installed ONLY for the user from where the enrollment was done. For example, consider that you have a Mac device with two users, John Doe and Jane Doe. If the enrollment was done using John Doe user then the user policies are applied only when the user John Doe signs in to the computer. The device level policies are however applied to both the users.
  4. The following table details out the device level policies vs the user level policies.

Device Level Policies (applicable to all users)

User Level Policies (applicable ONLY to the enrolled users)

  1. All Restriction settings in Device Profile
  2. Parental Controls
  3. Wifi Configurations
  4. Security & Privacy
  5. Web Content Filtering aka Whitelist Websites
  1. Exchange & Email Settings
  2. Passcode Policy
  3. Web-Clips aka Web shortcuts.

Enrolling a Mac (macOS) Device

Scalefusion supports single user management. To understand the impacts please read the section Understanding Device vs User Policies/Profiles above.

  1. Power on the Mac device and Sign in to the user that you want to manage.
  2. Launch Safari. Sign In to Scalefusion Dashboard, navigate to Devices & User Enrollment > QR Code and copy the enrollment URL from the enrollment configuration.
  1. Open a new tab in Safari and paste the URL that you copied. This will download a *.mobileconfig file to your computer. Normally this is Downloads folder.
    1. If you are using Google Chrome, then you may see a warning asking you to confirm the download. Click on Keep to confirm the download.
    2. If you have enabled Auto-Open in Safari/Google Chrome, then once the download is complete, you will be automatically redirected to Step 5.
  2. Open a Finder window and navigate to the location where the *.mobileconfig file is downloaded. Double click on the file to start the enrollment.
  3. This will open the System Preferences pane and the following dialog will be shown. Click on Install to proceed with enrollment.
  4. You will be shown the details of the enrollment profile and asked to confirm the installation. Click Install
  5. If you are enrolling from a non-administrator user, you will be asked to enter administrator credentials to confirm the installation. Please enter the administrator credentials and Click OK.
  6. It will take around a minute or so for the enrollment to complete and you will see the following screen,
  7. It will take around 2-3 minutes for the enrollment to be complete and the following screen confirms that the enrollment is complete. As mentioned in the Device and User Policies section, you would see 3 Profiles that are installed,
    1. Device Profiles: This section lists all the Profiles/Policies that are applicable at a device level. The items marked 1 & 2 are device level profiles and the policies applied by these profiles are applied to all the users of this machine.
    2. User Profiles: This section lists all the Profiles/Policies that are applicable at a user level. Identified by the point 3 in the image below, these policies are applicable only to the Mac user account from where the enrollment was done.
  8. Now if you Login to the Scalefusion Dashboard and navigate to the Devices section you would see the newly enrolled device, confirming the successful enrollment.

Frequently Asked Questions

Question: We get an error while installing the *.mobileconfig file and the enrollment fails when installing the profile. What might be the reason?

Answer: Make sure that the device is not enrolled in any other test account that you might have created with Scalefusion. Also make sure that you have completed the APNs setup or renewed your APNs certificate if it has expired.

Question: Although the enrollment is complete, we see that none of the policies are applied and the device appears as Unnamed in Scalefusion Dashboard?

Answer: This can happen if you have not completed the APNs setup or if your APNs certificate has expired. Please complete the APNs setup or renew the certificate.

Now that you have enrolled your device, head over to Device Information & Actions document to see the device information that is collected and the various actions that can be performed.

How did we do?