macOS Endpoint Onboarding in Workspace ONE

Introduction

This article provides operational information to help administrators of a VMware Workspace ONE environment. The following sections describe a number of macOS enrollment workflows, including user-initiated enrollment, single-user and multi-user staging for network (directory) users, and single-user staging without domain binding.

Basic principles of macOS Endpoint Onboarding

Understanding macOS User Types

macOS inherently supports a number of discrete user accounts, each with its own data and settings. Although macOS is an inherently multi-user system, the MDM client process built in to macOS (which Workspace ONE UEM leverages) is not multi-user capable unless the device is bound to a directory service (such as Active Directory).

Three different types of users must first be distinguished when discussing enrollment workflows for macOS:

  1. Workspace ONE UEM Enrollment User
    • A user account (either basic or directory-based) within Workspace ONE UEM (under Accounts, navigate to Users and select List View). If the device is not staged, this is the account whose credentials were provided at the time the device was enrolled.
    • If the device is staged, this is the user account to which the device is assigned within Workspace ONE UEM (under Devices, navigate to Details View and look at User).
    • This is the user account Workspace ONE UEM uses to determine membership in assignment groups.
    • In other words, this is the user account to which Workspace ONE UEM considers the device assigned.
  2. macOS Logged-On User
    • The user account (either local to macOS or based on a directory service such as Active Directory) that is currently signed in and active on the device.
  3. Workspace ONE Managed User
    • The user account (either local to macOS or based on a Network Account Server) that was signed in and active on the device when enrollment occurred.
    • This is the macOS user account that Workspace ONE UEM can target using Apple Push Notifications when it is also the logged-on user.
    • In other words, this is the user account that must be logged on within macOS for Workspace ONE to deliver items assigned to the Workspace ONE UEM enrollment user.

Understanding Apple’s Enrollment Types

Apple continues to expand the manageability of macOS. Over the last few iterations of macOS, from High Sierra (10.13) through Catalina (10.15), new capabilities and enrollment types have been introduced. The following section explains some of the more distinctive enrollment types and the differences between them.

User Enrollment

User Enrollment is an enrollment type specifically targeted at Bring-Your-Own-Device (BYOD) scenarios and was introduced with iOS 13 and macOS Catalina. An end user enrolls the device with User Enrollment by using a managed Apple ID from Apple Business Manager (or Apple School Manager). The device creates a dedicated, encrypted APFS partition to hold the user's managed data and applications (delivered from MDM). Additionally, device-identifying information (such as the UUID, ActiveSync ID, and so on) is obfuscated before it is reported to the MDM server, so the server cannot uniquely identify the device and user privacy is maintained. Also, in a User Enrollment scenario, the MDM server is granted a reduced set of management capabilities and is prohibited from initiating functionality that could affect the user's private files (such as a Device Wipe).

User-Approved MDM Enrollment

User-approved MDM enrollment was introduced in macOS High Sierra as a way to prevent IT administrators (or malware) from silently taking complete control of macOS. This enrollment state gives Apple a way to withhold some management functionality until the end user accepts (and approves) device management. In other words, if the user does not "approve" the enrollment, some security-related management functionality is limited or prevented. To qualify as a user-approved enrollment, the MDM profile must be installed in one of the following ways:

  • By the user via the Profiles preferences pane: By requiring the user to install the MDM profile in the Profiles pane, administrators are assured that the user has approved the specific system performing management and has agreed to be managed.
  • After a non-user-approved enrollment via the Profiles pane: If the MDM profile is installed via scripting or a remote shell, the user can launch the Profiles preferences pane and manually click the Approve button on the enrollment profile.
  • Via Automated Enrollment with Apple School Manager (or Apple Business Manager): Automated enrollment via Apple Business (or School) Manager works much like it does on iOS and is considered a "corporate-owned" enrollment scenario; it is therefore automatically considered user-approved.

Supervised (Automated) Enrollment

Supervision on macOS is a new concept introduced with macOS Catalina. Moving forward, Apple has stated that some privacy-related and security features will require supervision in order to be manageable by IT administrators. Because a supervised device indicates a truly "corporate-owned" enrollment, Apple treats a supervised macOS device differently from a User-Approved MDM-enrolled device. Put differently, a User-Approved MDM enrollment is not equivalent to a supervised enrollment via Apple Business (or School) Manager.

NOTE: Unlike iOS, macOS does not currently support manual supervision.

The macOS management payloads that require supervision are:

  • Native MDM-Initiated software update installation
  • Some Classroom Restrictions
  • Bootstrap Token
  • Activation Lock Management

Staging Single-User, Domain-Bound macOS Enrollment

Introduction

In a network-based user-staging scenario, Workspace ONE UEM receives a message from an LDAP-bound macOS device at a network user's login event. This notification enables Workspace ONE UEM to correlate the newly logged-in user (a network user in macOS) to the enrollment user. Because the network account in Workspace ONE UEM and the network account in macOS are known to be identical (both originate from the same source, LDAP), Workspace ONE UEM can set the managed user to be the newly logged-on user. macOS also reports the APNS token of the network user's MDM client process to MDM, enabling Workspace ONE UEM to control that user context in real time.

In single-user staging scenarios, Workspace ONE UEM links the device to the enrollment user only for the first network user sign-in (that user becomes the managed user). The assigned user of the device does not change afterwards, and subsequent network user login events are ignored. macOS receives user-based assignments (user-level profiles and apps) only when the managed user (matching the enrollment user) is signed in to the device.

Important: This is a critical concept to understand, because it directly affects the resultant behaviour of a macOS device under MDM management. If a domain-bound macOS device is enrolled but is not receiving user profiles/configurations, the user signed in to macOS may not be the Workspace ONE UEM managed user.

Prerequisites

Satisfy the following requirements before performing the procedures in this section.

  • Workspace ONE UEM version 9.4 or higher
  • VMware Workspace ONE Intelligent Hub for macOS version 3.0 or higher
  • Apple device with macOS version 10.12.6 (Sierra) or higher

Prior to configuring any type of macOS enrollment workflow, also meet the following prerequisites:

  1. Generate an APNS certificate for the Workspace ONE UEM environment; this is required to manage any Apple device with Workspace ONE UEM.
  2. Create a basic user account or directory user account in Workspace ONE UEM, as enrollment ties a device to an enrollment user account.
  3. Integrate Workspace ONE UEM with the directory service to correlate the logged-on macOS user to a directory-based user account.
  4. Create an Apple Business Manager (or Apple School Manager) account to enable Device Enrollment integration.
  5. To enroll devices using Apple School Manager or Apple Business Manager, perform the following steps:
  • Download the public key to integrate with Apple Business Manager.
  • Configure the Apple Business Manager portal.
  • Associate devices in Apple Business Manager.

Single-User Staging Using Agent-Based Enrollment

The following high-level process helps the admin configure single-user staging for devices enrolling through the Hub, without Apple Business Manager:

  1. Create a basic Workspace ONE UEM user account and configure it for Single-User Staging.
  2. Create a macOS Device Profile with the Directory payload and assign it to the devices that should be staged.

Note: The Client ID field can be populated with a lookup value by clicking the [+] (plus sign). Ensure the selected field contains data allowable for a computer name (for example, for Microsoft Active Directory, a value conforming to NetBIOS naming restrictions), such as {DeviceSerialNumber}.

  3. Unbox the macOS device, turn it on, and go through the Setup Assistant as normal.
  4. As part of the Setup Assistant, create a local, administrative macOS account.
  5. Sign in to macOS as the local macOS account created during the Setup Assistant.
  6. Enroll with the macOS Hub using the Staging User credentials created in step 1.
  • When the device enrolls, the profile containing the Directory payload is installed. This binds macOS to the network-based directory service (such as Microsoft Active Directory).
  • The device receives any other profiles and apps assigned to the device through the assignment group.
  7. Validate that the device is domain bound:
  • Open Terminal.app.
  • Enter the command id <intended user's AD username> and ensure it returns information about that user.
  8. Sign out of the local, administrative macOS account.
  9. The intended end user logs in at the login window with their domain-based username and password.
  10. Workspace ONE UEM assigns the device to the end user and begins deploying the apps and profiles assigned to that user.

Note: The web-based enrollment flow is very similar to the agent-based flow, except that the admin starts the enrollment in a web browser by going to https://deviceservices.url.com/enrollment (where deviceservices.url.com is the fully qualified domain name of the Workspace ONE UEM device services endpoint).

Staging Multi-User, Domain-Bound macOS Enrollment

Introduction

In a network-based user-staging scenario, Workspace ONE UEM receives a message from an LDAP-bound macOS device at a network user's login event. This notification enables Workspace ONE UEM to correlate the newly logged-in user (a network user in macOS) to the enrollment user. Because the network account in Workspace ONE UEM and the network account in macOS are known to be the same (both originate from the same source, LDAP), Workspace ONE UEM can set the managed user to be the newly logged-in user. macOS also reports the APNS token of the network user's MDM client process to MDM, enabling Workspace ONE UEM to control that user context in real time.

In multi-user staging scenarios, Workspace ONE UEM associates the device with a new enrollment user each time a network-based user account signs in (that user becomes the managed user). With each network user login, Workspace ONE UEM sets the enrollment user to match the newly logged-in user account. Workspace ONE UEM also associates the new user's APNS token, so the new user account is controlled in real time. As such, the newly logged-in user receives any apps and configurations assigned to them from Workspace ONE UEM.

Important: Multi-user staging depends on both the domain bind and the staging user configuration. This is a critical concept to be aware of, as it directly influences the resultant behaviour of a macOS device under MDM management.

Prerequisites

Satisfy the following requirements before performing the procedures in this section.

  • Workspace ONE UEM version 9.4 or higher
  • VMware Workspace ONE Intelligent Hub for macOS version 3.0 or higher
  • Apple device with macOS version 10.12.6 (Sierra) or higher

Prior to configuring any type of macOS enrollment workflow, also meet the following prerequisites:

  1. Generate an APNS certificate for the Workspace ONE UEM environment; this is required to manage any Apple device with Workspace ONE UEM.
  2. Create a basic user account or directory user account in Workspace ONE UEM, as enrollment ties a device to an enrollment user account.
  3. Integrate Workspace ONE UEM with the directory service to correlate the signed-on macOS user to a directory-based user account.
  4. Sign up for an Apple Business Manager (or Apple School Manager) account to enable Device Enrollment integration.
  5. To enroll devices using Apple Business Manager or Apple School Manager, perform the following steps:
  • Download the public key to integrate with Apple Business Manager.
  • Configure the Apple Business Manager portal.
  • Associate devices in Apple Business Manager.

Multi-User Staging Using Agent-Based Enrollment

The following high-level process helps the admin configure multi-user staging for devices enrolling without Apple Business Manager:

  1. Create a basic Workspace ONE UEM user account and configure it for Multi-User Staging.
  2. Configure a macOS Device Profile with the Directory payload and assign it to the devices that should be staged.

Note: The Client ID field can be populated with a lookup value by clicking the [+] (plus sign). Ensure the selected field contains data allowable for a computer name (for example, for Microsoft Active Directory, a value conforming to NetBIOS naming restrictions), such as {DeviceSerialNumber}.

  3. Unbox the macOS device, turn it on, and proceed through the Setup Assistant as normal.
  4. As part of the Setup Assistant, create a local, administrative macOS account.
  5. Sign in to macOS as the local macOS account created during the Setup Assistant.
  6. Enroll with the macOS Hub using the Staging User credentials created in step 1.
  • When the device enrolls, the profile containing the Directory payload is installed. This binds macOS to the network-based directory service (such as Microsoft Active Directory).
  • The device receives any other profiles and apps assigned to the device through the assignment group.
  7. Validate that the device is domain bound:
  • Open Terminal.app.
  • Enter the command id <intended user's AD username> and ensure it returns information about that user.
  8. Sign out of the local, administrative macOS account.
  9. The intended end user logs in at the login window with their domain-based username and password.
  10. Workspace ONE UEM assigns the device to the end user and begins deploying the apps and profiles assigned to that user.
  11. Sign out of the domain-based user and sign in with another domain-based user.
  12. Workspace ONE UEM assigns the device to the new end user and begins deploying the apps and profiles assigned to the new user (if different from the previously logged-in user).
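The domain-bind validation in step 7 above (and the identical step in the single-user procedure) can be scripted as a gate before the local admin signs out. This is an added example, not part of the article or of Workspace ONE: it wraps id and, on macOS, dscl to confirm that the intended end user resolves from a directory node and is neither the staging admin created in Setup Assistant nor a local account. The end-user and staging-admin names are parameters the admin supplies; that an Active Directory user is absent from the local node (dscl .) before its first login is an assumption about macOS Directory Services.

```python
import platform
import subprocess


def resolve_uid(username):
    """Return the uid that `id -u` reports for username, or None if no directory node resolves it.

    This is the scripted form of the article's check: `id <intended user's AD username>`.
    """
    if not username or "/" in username or " " in username:
        return None
    result = subprocess.run(["id", "-u", username], capture_output=True, text=True)
    if result.returncode != 0:
        return None
    try:
        return int(result.stdout.strip())
    except ValueError:
        return None


def is_local_account(username):
    """True if the account exists in the local node.

    On macOS the local node is queried with `dscl . -read` (assumption: an account that only
    exists in Active Directory is not found there before its first login; a mobile account
    created at that first login would appear afterwards, so run this check beforehand).
    Off a Mac, /etc/passwd stands in for the local node so the function can be exercised.
    """
    if platform.system() == "Darwin":
        result = subprocess.run(
            ["dscl", ".", "-read", f"/Users/{username}", "RecordName"],
            capture_output=True, text=True,
        )
        return result.returncode == 0
    with open("/etc/passwd", encoding="utf-8") as passwd:
        return any(line.split(":", 1)[0] == username for line in passwd)


def check_domain_bound_login(username, staging_admin):
    """Gate the 'sign out of the local admin, sign in as the end user' step.

    Returns (ok, reason). ok is True only when username resolves, is not the local
    administrative account created in Setup Assistant, and is not a local account,
    i.e. when the login will be reported to Workspace ONE UEM as a network user event.
    """
    uid = resolve_uid(username)
    if uid is None:
        return False, f"'{username}' does not resolve: check the directory bind and the username"
    if username == staging_admin:
        return False, f"'{username}' is the staging admin account, not the intended end user"
    if is_local_account(username):
        return False, f"'{username}' is a local account; its login will not be reported as a network user"
    return True, f"'{username}' resolves to uid {uid} from a directory node"


if __name__ == "__main__":
    import sys
    end_user = sys.argv[1] if len(sys.argv) > 1 else "jdoe"        # placeholder end-user name
    admin = sys.argv[2] if len(sys.argv) > 2 else "localadmin"     # placeholder staging admin name
    ok, reason = check_domain_bound_login(end_user, admin)
    print(("OK: " if ok else "STOP: ") + reason)
    sys.exit(0 if ok else 1)
```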

Note: The web-based enrollment flow is very similar to the agent-based flow, except that the admin begins the enrollment in a web browser by going to https://deviceservices.url.com/enrollment (where deviceservices.url.com is the fully qualified domain name of the Workspace ONE UEM device services endpoint).

Multi-User Staging Using Apple Business Manager Enrollment

The following high-level process helps the admin configure multi-user staging for devices enrolling with Apple Business Manager:

  1. Create a basic Workspace ONE UEM user account and configure it for Multi-User Staging.
  2. Set the following options in the Device Enrollment Profile:
  • Toggle the Authentication setting to ON.
  • Toggle Await Configuration to ENABLED.
  • Toggle Account Setup to SKIP (as the end user is being required to log in with network credentials).
  • Toggle Create New Admin Account to YES and configure the Admin Account details.
  3. Configure a macOS Device Profile with the Directory payload and assign it to the devices that should be staged.

Note: The Client ID field can be populated with a lookup value by clicking the [+] (plus sign). Ensure the selected field contains data allowable for a computer name (for example, for Microsoft Active Directory, a value conforming to NetBIOS naming restrictions), such as {DeviceSerialNumber}.

  4. Unbox the macOS device, turn it on, and proceed through the Setup Assistant as normal.
  • Authenticate to Workspace ONE UEM with the user account configured for Multi-User Staging (from step 1).
  • When the device enrolls during the Setup Assistant, the profile containing the Directory payload is installed during the Await Configuration phase. This binds macOS to the network-based directory service (such as Microsoft Active Directory).
  • The device receives any other profiles and apps assigned to the device through the assignment group.
  5. The intended end user logs in at the login window with their domain-based username and password.
  6. Workspace ONE UEM assigns the device to the end user and begins deploying the profiles and apps assigned to that user.
  7. Sign out of the domain-based user and sign in with another domain-based user.
  8. Workspace ONE UEM assigns the device to the new end user and begins deploying the apps and profiles assigned to the new user (if different from the previously logged-on user).

Note: As a reminder, the device is initially checked out to the multi-user staging user. After the first network directory-based account logs in to the Mac, Workspace ONE UEM associates the signed-in user with a user account within Workspace ONE UEM. This is reflected in the Workspace ONE UEM console, where the device is now assigned to the network-based user. A subsequent network logout and sign-in event re-assigns the device to the new enrollment user (in Workspace ONE UEM), both the managed user (in macOS) and the enrollment user (in Workspace ONE UEM) become the new directory account, and Workspace ONE UEM begins management of the newly logged-in macOS user (the managed user).

Important: Although it is possible to set the Authentication setting to OFF in the DEP profile, this is not recommended. This setting creates a potential security vulnerability: a malicious actor could configure a virtual machine with a serial number belonging to the organization in order to obtain applications, certificates, and so on.

Staging Single-User, Off-Domain macOS Enrollment

Introduction

Domain-based macOS staging workflows typically leverage the device's network-based user login event to trigger device assignment to the LDAP-based user. This is possible because macOS sends the GUID of the user account to Workspace ONE UEM as part of the UserAuthenticate request.

When staging without domain binding, the only user account Workspace ONE UEM can control is the local user that installs the enrollment profile. Per Apple's MDM Protocol Reference, the server never receives requests from any local user other than the one that installed the enrollment profile. Therefore, any staging scenario without domain binding must ensure that the local macOS user account the end user will be using is the same local macOS user account that installs the enrollment profile.

Important: Although it is possible to toggle the Authentication setting to OFF in the DEP profile, this is not recommended. This setting creates a potential security vulnerability: a malicious actor could configure a virtual machine with the serial number of a device belonging to the enterprise in order to obtain applications, certificates, and so on.

Prerequisites

Satisfy the following requirements before the admin can perform the procedures in this section.

  • Workspace ONE UEM version 9.4 or higher
  • VMware Workspace ONE Intelligent Hub for macOS version 3.0 or higher
  • Apple device with macOS version 10.12.6 (Sierra) or higher

Before customizing any type of macOS enrollment workflow, meet the following prerequisites:

  1. Generate an APNS certificate for the Workspace ONE UEM environment; this is required to manage any Apple device with Workspace ONE UEM.
  2. Create a basic user account or directory user account in Workspace ONE UEM, as enrollment ties a device to an enrollment user account.
  3. Integrate Workspace ONE UEM with the directory service to correlate the logged-on macOS user to a directory-based user account.
  4. Create an Apple Business Manager (or Apple School Manager) account to enable Device Enrollment integration.
  5. To enroll devices using Apple Business Manager or Apple School Manager, perform the following steps:
  • Download the public key to integrate with Apple Business Manager.
  • Configure the Apple Business Manager portal.
  • Associate devices in Apple Business Manager.

Single-User Staging for Local Users Using Agent-Based Enrollment

This section helps the admin configure single-user staging for local users using agent-based (or web-based) enrollment, either with pre-registration or with API check-out.

1. Agent/Web Single-User Staging for Local Users with Pre-Registration

  1. Create a basic Workspace ONE UEM user account and configure it for Single-User Staging.
  2. Bulk import the device-to-user registration record. Under Devices, navigate to Lifecycle, select Enrollment Status, click Add, select Batch Import, and use the Simple template and example for users and/or devices listed on the Batch Import page.

Modify the sample CSV (beginning at row 2 of the CSV template) by providing only the Username, GroupID, Security Type (Directory or Basic), FirstName, LastName, and DeviceSerial.

  3. Unbox the Mac, turn it on, and go through the Setup Assistant as normal.
  4. As part of the Setup Assistant, create a local, administrative macOS account.
  • Ensure the local macOS account created uses the username the admin wants to give the end user of the machine.
  5. Sign in to macOS as the local macOS account created during the Setup Assistant.
  6. Enroll with the macOS Hub using the Staging User credentials the admin created in step 1 of this section.
  • When the device enrolls, Workspace ONE UEM reassigns the device from the staging user to the user the admin specified in step 2 using bulk import.
  • The device receives any profiles and apps assigned to the enrollment user specified by bulk import whenever the local macOS user account used in step 5 is logged in.

Note: The web-based enrollment flow is similar to the agent-based flow, except that the admin initiates the enrollment in a web browser by navigating to https://deviceservices.url.com/enrollment (where deviceservices.url.com is the fully qualified domain name of the Workspace ONE UEM device services endpoint).

2. Agent/Web Single-User Staging for Local Users with API Check-Out

Note: The procedure to check out a device to an enrollment user can be used when the device-to-user assignments are not known ahead of time (for example, devices stored in a depot and subsequently assigned to users). This is an advanced use case; generally speaking, the API call in step 5 is included in a larger onboarding workflow and/or native application.

  1. Create a basic Workspace ONE UEM user account and configure it for Single-User Staging.
  2. Unbox the Mac, turn it on, and go through the Setup Assistant as normal.
  • As part of the Setup Assistant, create a local, administrative macOS account.
  • Ensure the local macOS account created uses the username the admin wants to give the end user of the machine.
  3. Sign in to macOS as the local macOS account created during the Setup Assistant.
  4. Enroll with the macOS Hub using the Staging User credentials the admin created in step 1 of this section.
  5. While logged in as the user that enrolled in step 4, call the Workspace ONE UEM REST API to check out the device to the correct enrollment user.

REST API Information: https://<API_Server>/api/help/#!/DevicesV2/DevicesV2_CheckOutDeviceToUser

The API call is typically embedded in a workflow control application or script.

Every time the end user signs in with the username created during the Setup Assistant, Workspace ONE UEM considers that local macOS user the managed user and sends the apps/profiles targeted to the enrollment user.

Note: The web-based enrollment flow is similar to the agent-based flow, except that the admin initiates the enrollment in a web browser by navigating to https://deviceservices.url.com/enrollment (where deviceservices.url.com is the fully qualified domain name of the Workspace ONE UEM device services endpoint).

Single-User Staging for Local Users Using Apple Business Manager Enrollment

This section helps the admin configure single-user staging for local users with Apple Business Manager enrollment, either with pre-registration or with API check-out.

1. Apple Business Manager Single-User Staging for Local Users with Pre-Registration

  1. Create a basic Workspace ONE UEM user account and configure it for Single-User Staging.
  2. Set the following options in the Device Enrollment Profile:
  • Toggle the Authentication setting to OFF.
  • Toggle Staging Mode to Single User Device.
  • Configure the Default Staging User as the basic user configured for Single-User Staging.
  • Toggle Await Configuration to ENABLED.
  • Toggle Account Setup to DON'T SKIP.
  • Optionally, set Create New Admin Account to YES and configure the Admin Account details for a hidden IT administrator account.
  3. Validate that the device record has synced from Apple Business Manager or Apple School Manager:
  • In the Workspace ONE UEM console, go to Devices, navigate to Lifecycle, select Enrollment Status and change the layout to Custom.
  • Scroll to the right and ensure the device to be staged has synced from Apple Business Manager.
  • Check that the Token Type is Apple Enrollment.
  • If the device has no Token Type, go to Devices, navigate to Devices Settings, click Apple, select Device Enrollment Program and click Sync Devices.
  4. Validate that the device record has the correct Device Enrollment profile:
  • In the Workspace ONE UEM console, go to Devices, navigate to Lifecycle, select Enrollment Status and change the layout to Custom.
  • Ensure the Profile Name matches the profile the admin created in step 2.
  • If the Profile Name is incorrect, select the check box next to the device(s) to be enrolled, go to More Actions, click Assign Profile, choose the profile the admin created in step 2 and click Save.
  5. Bulk import the device-to-user registration record under Devices, Lifecycle, Enrollment Status:
  • Select Add, click Batch Import, and use the Simple template and example for users and/or devices listed on the Batch Import page.
  • Modify the sample CSV (beginning at row 2 of the CSV template) by entering only the Username, GroupID, Security Type (Directory or Basic), FirstName, LastName, and DeviceSerial.
  • Reload the Enrollment Status page after the import completes.
  • Ensure the device to be staged still has a Token Type of Apple Enrollment and now has a User name assigned.
  6. Unbox the macOS device and turn it on. Go through the Setup Assistant and choose to have the device managed by Workspace ONE UEM:
  • When the device enrolls, Workspace ONE UEM reassigns the device from the staging user to the user the admin specified in step 5 using bulk import (the enrollment user).
  • When the end user signs in with the username created during the Setup Assistant, Workspace ONE UEM considers that local macOS user the managed user and sends the profiles/apps targeted to the enrollment user.

2. Apple Business Manager Single-User Staging for Local Users with API Check-Out

  1. Create a basic Workspace ONE UEM user account and configure it for Single-User Staging.
  2. Configure the following options in the Device Enrollment Profile:
  • Toggle the Authentication setting to OFF.
  • Toggle Staging Mode to Single User Devices.
  • Configure the Default Staging User as the basic user configured for Single-User Staging.
  • Toggle Await Configuration to ENABLED.
  • Toggle Account Setup to DON'T SKIP.
  • Optionally, set Create New Admin Account to YES and configure the Admin Account details for a hidden IT administrator account.
  3. Validate that the device record has synced from Apple Business Manager or Apple School Manager:
  • In the Workspace ONE UEM console, go to Devices, navigate to Lifecycle, select Enrollment Status and change the layout to Custom.
  • Scroll to the right and ensure that the device to be staged has synced from Apple Business Manager.
  • Validate that the Token Type is Apple Enrollment.
  • If the device has no Token Type, go to Devices, navigate to Devices Settings, click Apple, select Device Enrollment Program and click Sync Devices.
  4. Validate that the device record has the correct Device Enrollment profile:
  • In the Workspace ONE UEM console, go to Devices, navigate to Lifecycle, select Enrollment Status and change the layout to Custom.
  • Ensure the device to be staged has a Token Type of Apple Enrollment.
  • Validate that the Profile Name matches the profile the admin created in step 2.
  • If the Profile Name is incorrect, select the check box next to the device(s) to be enrolled, go to More Actions, click Assign Profile, choose the profile the admin created in step 2 and click Save.
  5. Unbox the macOS device and turn it on. Choose to have the device managed by Workspace ONE UEM and proceed through the Setup Assistant:
  • When the device enrolls, Workspace ONE UEM assigns the device to the staging user the admin created in step 1.
  • When the end user logs in with the username they created during the Setup Assistant, Workspace ONE UEM does not yet send any applications/profiles targeted to users, as the device is still assigned to the staging account.
  6. While logged in as the user that enrolled in step 5, call the Workspace ONE UEM REST API to check out the device to the correct enrollment user.

REST API Details: https://<API_Server>/api/help/#!/DevicesV2/DevicesV2_CheckOutDeviceToUser

  • The API call is typically embedded in a workflow control application or script.
  • From then on, every time the end user logs in with the username created during the Setup Assistant, Workspace ONE UEM considers that local macOS user the managed user and sends the apps/profiles targeted to the enrollment user.

Note: The process to check out a device to an enrollment user can be used when the device-to-user assignments are not known ahead of time (for example, devices stored in a depot and subsequently assigned to users). This is an advanced use case; generally speaking, the API call above is included in a larger onboarding workflow and/or native application.
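The API check-out in step 6 above (and step 5 of the agent-based variant) can be implemented as follows. This is an added example, not code from the article or from VMware: it assumes the DevicesV2 check-out route is PATCH /api/mdm/devices/{id}/enrollmentuser/{enrollmentuserid}, that a device can be looked up with GET /api/mdm/devices?searchby=Serialnumber&id=<serial> and a user with GET /api/system/users/search?username=<name>, and that the REST API key is sent in the aw-tenant-code header alongside basic authentication for a dedicated API administrator. The environment variable names (UEM_API_URL, UEM_API_KEY, UEM_API_USER, UEM_API_PASSWORD) are placeholders; the HTTP transport is injectable so the flow can be exercised without a live tenant.

```python
import base64
import json
import os
import subprocess
import sys
import urllib.parse
import urllib.request


def urllib_transport(method, url, headers):
    """Default HTTP transport: send the request and decode the JSON body (empty body -> {})."""
    request = urllib.request.Request(url, method=method, headers=headers)
    with urllib.request.urlopen(request, timeout=30) as response:
        body = response.read()
    return json.loads(body) if body else {}


class UemClient:
    """Minimal Workspace ONE UEM REST client for the device check-out flow (assumed routes)."""

    def __init__(self, base_url, api_key, username, password, transport=urllib_transport):
        self.base_url = base_url.rstrip("/")
        token = base64.b64encode(f"{username}:{password}".encode()).decode()
        # aw-tenant-code carries the REST API key. Use a dedicated API administrator whose
        # role allows device reassignment only; a script shipped to endpoints should never
        # carry a console administrator's credentials.
        self.headers = {
            "aw-tenant-code": api_key,
            "Authorization": "Basic " + token,
            "Accept": "application/json",
            "Content-Type": "application/json",
        }
        self._transport = transport

    def _call(self, method, path):
        return self._transport(method, self.base_url + path, self.headers)

    def device_id_by_serial(self, serial):
        """Resolve the numeric device id from the hardware serial (assumed search route)."""
        query = urllib.parse.urlencode({"searchby": "Serialnumber", "id": serial})
        data = self._call("GET", "/api/mdm/devices?" + query)
        # Refuse to act on a record whose serial differs from the one requested.
        if data.get("SerialNumber", serial).upper() != serial.upper():
            raise LookupError(f"search returned a different device for serial {serial}")
        return int(data["Id"]["Value"])

    def enrollment_user_id(self, username):
        """Resolve the enrollment user id, insisting on exactly one case-insensitive match."""
        query = urllib.parse.urlencode({"username": username})
        data = self._call("GET", "/api/system/users/search?" + query)
        matches = [u for u in data.get("Users", [])
                   if u.get("UserName", "").lower() == username.lower()]
        if len(matches) != 1:
            raise LookupError(f"expected exactly one user named {username}, found {len(matches)}")
        return int(matches[0]["Id"]["Value"])

    def checkout_device(self, device_id, user_id):
        """Reassign the device from the staging user to the enrollment user; returns the path."""
        path = f"/api/mdm/devices/{int(device_id)}/enrollmentuser/{int(user_id)}"
        self._call("PATCH", path)
        return path


def checkout_by_serial(client, serial, username):
    """Full flow: serial -> device id, username -> user id, then check out. Returns both ids."""
    device_id = client.device_id_by_serial(serial)
    user_id = client.enrollment_user_id(username)
    client.checkout_device(device_id, user_id)
    return device_id, user_id


def local_serial():
    """Read this Mac's serial number from IOKit (macOS only)."""
    out = subprocess.run(["ioreg", "-c", "IOPlatformExpertDevice", "-d", "2"],
                         capture_output=True, text=True, check=True).stdout
    for line in out.splitlines():
        if "IOPlatformSerialNumber" in line:
            return line.split('"')[3]
    raise RuntimeError("serial number not found in ioreg output")


if __name__ == "__main__":
    # Run on the Mac while signed in as the local account that enrolled (step 5 above).
    client = UemClient(os.environ["UEM_API_URL"], os.environ["UEM_API_KEY"],
                       os.environ["UEM_API_USER"], os.environ["UEM_API_PASSWORD"])
    target_user = sys.argv[1]   # the intended enrollment user, e.g. from the onboarding form
    print(checkout_by_serial(client, local_serial(), target_user))
```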
