Deploying Macs with Workflows, MDM and Device Enrollment
MDS 2 added Mobile Device Management (MDM) and Deployment Enrollment to MDS. Deployment Enrollment is part of Apple Business Manager (ABM) or Apple School Manager (ASM). Since many of these technologies overlap, understanding how the options work will help decide which ones to choose when deploying Macs in different environments.
When a new Mac arrives, it usually has the latest major version of macOS installed; however, depending on when an update was released, macOS may need to be updated.
MDS provides different options for making sure the correct version of macOS is installed. Three different options for installing macOS are located in the Install macOS section of an MDS workflow; each one is explained in detail below.
The “Install macOS” option uses the standard macOS installer to install macOS to the target Mac. The target disk can be erased or can use macOS already installed on the target Mac and upgrade to the desired version. “Erase and Install” macOS usually takes about 20 minutes. Upgrading macOS can take significantly longer (40 minutes or more).
The advantage of using the “Install macOS” option versus using a disk image (covered in the next section) is the ability to perform firmware updates. If the target Mac requires a firmware update and the “Install macOS” option is selected, the firmware will be downloaded and installed on the target Mac. It is recommended that all major updates (for example, 10.14 to 10.15) use “Install macOS” to make sure the firmware is up-to-date.
Erase Volume and Restore macOS from Disk Image
The “Erase Volume and Restore macOS from Disk Image” option is much faster than the “Install macOS” option (usually less than 2 minutes to restore macOS). The source for this option is a disk image that has had macOS installed onto it (using AutoDMG and the macOS installer). When the disk image is restored, Apple Software Restore (ASR) is used to quickly copy all the data from the disk image to the target Mac. This option does not upgrade the firmware and should be used when the target Mac has the same major version already installed on the Mac. If a firmware update is required, it will be updated when a software update is found and installed. In some cases, a warning will be shown, the Mac will be restarted, and the firmware will be upgraded.
Do Not Install macOS
If the target Mac already has the desired version of macOS, the “Do Not Install macOS” option can be used. All the other workflow options will be run, but macOS is not installed or upgraded. If updating macOS is done after the Mac is deployed, this option can reduce initial deployment time.
Workflow-based deployments completely setup and configure macOS. Software packages, configuration profiles, and scripts are all installed when the workflow is run. This can occur right after macOS is installed, at first boot, or when the first user logs in. Additional options, such as creating local user accounts, are installed on the target Mac.
MDM-based deployments configure macOS when the Mac is first enrolled in the MDM server. Enrollment can be done using Device Enrollment or when macOS is manually enrolled in MDM. The MDM service in MDS supports manual or automatic enrollment via Device Enrollment or a 3rd party MDM service.
When macOS is enrolled in MDM (either manually or via Device Enrollment), the Initial MDM Profile and all resources defined in it are installed.
MDM requires some setup prior to enrollment so that macOS can contact the MDM service afterwards. The MDM service does not connect to the macOS client directly, but instead sends a request to Apple to send a message to the enrolled macOS device. When the enrolled macOS device receives the message, it contacts the MDM service and completes the request.
In order for an MDM service to send messages to macOS devices, it must have a identity consisting of a digital certificate and a private key that proves to Apple that the MDM service is allowed to connect and manage clients. The MDM service does not request the identity directly from Apple.
A customer who wants to use the MDM service generates a request in MDS, then sends the request to Twocanoes to be signed. This signed request is then submitted to Apple by the customer. Apple then approves the request and returns the digital certificate to the customer for uploading to MDS. Apple does not charge the customer a fee for issuing the digital certificate; however, Twocanoes Software provides the signing service as part of a paid support contract.
Once the MDM service is enabled to send push notifications to macOS devices, macOS devices can be enrolled in the MDM service. Enrollment can be done with the Apple Device Enrollment or with manual enrollment.
A macOS device is manually enrolled in the MDM service with a configuration profile provided by the MDM service. MDS provides an enrollment web page to download the enrollment profile. The downloaded enrollment profile can be installed as part of an MDS workflow, using the profile section of the Resources panel, or by double-clicking on the profile. If the profile is installed as part of an automated process, macOS requires a one-time “opt-in” button to be pressed in the Privacy pane of System Preferences. If the installation profile is opened in Finder, opt-in is not required, since opening in Finder (and providing local admin credentials) is considered an adequate opt-in. The opt-in button can be pressed over screen-sharing as well as by clicking the button when in front of the Mac.
Some features, such as Kernel Extension whitelisting, are not available until opt-in is completed:
|Enrolled in MDM via DEP||Yes||Yes|
|User Approved MDM||Yes||Yes|
|Non-User Approved MDM||No||Yes|
As part of the Apple Business Manager (ABM) or Apple School Manager (ASM), Apple provides Device Enrollment. Device Enrollment facilitates enrollment into an MDM service during the Setup Assistant. However, Macs must be purchased directly from Apple or from an Authorized Apple Reseller to be eligible for Device Enrollment. Once a customer signs up for the Apple Business/School Manager program and purchases a Mac from the appropriate channel, the Mac is made available for assignment in the ABM or ASM portal. The Mac is assigned to an MDM service by finding the device by serial number and assigning it to the configured MDM service.
When a Mac that is assigned to the MDM service in Device Enrollment starts up to the Setup Assistant, the Setup Assistant shows the standard setup. However, after the Language and Keyboard are selected, a new Managed Device option is presented:
When Continue is pressed, the Mac is enrolled in MDM, the Initial Profile is installed, and all resources associated with it are also installed. Device Enrollment works well if the person who will be using the Mac does the initial setup.
The resources associated with the Initial Profile can install a client management agent (like Munki). This agent is used for keeping software current, installing new software, providing a Software Center for selecting additional installs, and other management features. The MDM service in MDS can also be used for installing profiles, restarting, shutting down, and more.
Selecting Workflow, Manual Enrollment, or Device Enrollment
Macs can be set up using Workflows, User Approved MDM (UAMDM), and Device Enrollment, or a combination of the methods. Selecting which method to use depends on the requirements of the organization.
Workflow setup quickly installs macOS and the required resources, including software, user accounts, and settings. If there is a large amount of initial software installed or the Mac must be ready to use immediately upon deployment (for instance, a lab, rental requirement, or training center), workflow-based deployment makes sure the Mac is set up and ready to go.
MDM enrollment works well in environments where initial configuration is done by the person who will be using the Mac. This can be a remote employee who enrolls the Mac manually into MDM or an employee who receives the Mac shipped directly to them and is enrolled in the Setup Assistant.
UAMDM is recommended for users who opt-in to management (light management or user-owned devices). Device Enrollment is recommended for Macs that must be managed starting at initial setup.
Workflow-based deployments and MDM-based deployments can be combined to optimize setup and management. MacOS can be quickly installed; large software packages can be installed ahead of time. Required local administrator accounts can be created and the Mac can optionally be enrolled in MDM. If the Setup Assistant is not skipped in the Workflow settings and the Mac is part of Device Enrollment, the Setup Assistant will show the Remote Management option and can be enrolled in MDM during setup.
Each method of deployment (workflow-based or MDM) requires a certain amount of configuration in front of the Mac.
For workflow-based deployments, the Mac is restarted into the recovery partition. The workflow selector is launched in recovery. After the Mac is set up, and if the Mac is enrolled in MDM, the enrollment must be accepted by opening System Preferences (for UAMDM) or by setting up Remote Management in the Setup Assistant. UAMDM can be accepted over screen sharing (as of macOS 10.14 or later).
For MDM-based deployments, if the Mac is assigned an MDM server in Device Enrollment, Remote Management must be set up in the Setup Assistant locally on the Mac. For manual MDM enrollments, the MDM configuration profile must be installed from macOS Finder.
All the deployment options can be optimized to reduce the amount of time physically in front of the Mac during setup. For example, a workflow-based deployment can contain an MDM enrollment profile as part of the workflow. In this example, the person setting up the Mac would start up the Mac in recovery and kick off the workflow (either via keyboard commands or via the MDS Automaton). The workflow could also enable screen sharing or remote management with Apple Remote Desktop (ARD). Once the workflow is completed, the administrator uses screen sharing to opt-in to MDM and the Mac is shut down and ready for deployment.