Enrolling macOS Devices Using a SOTI MobiControl Certificate

Before you begin

Important: Install the Apple Push Notification Service (APNS) certificate before enrolling your Apple devices. The APNS certificate facilitates regular communication between the SOTI MobiControl deployment server and enrolled Apple devices.

About this task

In this procedure, you'll learn how to:

Note: If you bound trusted third party certificates to Deployment Server Extensions and Web Console and macOS Profile Signing in the SOTI MobiControl Administration Utility and the Require Trust Profile During Enrollment setting is turned off, follow the steps at Enrolling macOS Devices Using a Third Party Certificate instead.

Procedure

Define enrollment settings for macOS devices
  1. Optional: If you plan to use a device agent, create an application catalog rule containing the SOTI MobiControl App for macOS Devices and assign it to target the devices these devices will be enrolled into.
    Download the SOTI MobiControl App for macOS Devices from https://docs.soti.net/mobicontrolagentdownloads/ and add it to the application catalog rule as an Enterprise Application.
  2. In the SOTI MobiControl legacy console, go to the Apple > Rules and right-click Add Devices. Select Create Add Devices Rule to launch the Create Add Devices Rule wizard.
    An add devices rule defines enrollment settings for your devices. You can create multiple add devices rules, each with different enrollment settings. However, you cannot use one add devices rule across multiple platforms.
    Location of right-click menu to create a new Apple add devices rule.
  3. Enter a name for the add devices rule. Make it brief, but descriptive, especially if you plan to create multiple add devices rules. Click Next.
  4. Choose the destination device groups:
    Manual All devices enrolled with this rule will be placed in the same device group.

    On the next screen, select a device group from the list to enroll your devices into and then skip to the step for selecting a user authentication option.
    Based on User Group Membership Devices will be placed into groups based on the membership of the user account assigned to the device. You'll be able to associate user groups to specific device groups later on in the wizard.

    Click Next.

  5. Choose either LDAP Directory Service or Identity Provider and then select an identity management connection from the dropdown list. If you have not configured any connections yet, click Manage Directory Services / IdP Connections to configure a new connection in the dropdown list instead. See Identity Management for more information. Click Next.
  6. Enter a user group (for example, administrators) that exists in your connection in the field and click Add. Once it appears under User Groups, choose a device group from the dropdown list. All members of the user group will be automatically added to the selected device group as soon as they enroll in SOTI MobiControl. If you'd like, add any terms and conditions documents. Click Next.
    User group mapping in add devices rule
  7. Select a user authentication option.
    Note: These options appear only if you chose Manual for mapping your device destinations.
    Utilize user groups to authenticate users during device enrollment Use a directory service or an identity provider for user authentication.

    Select Directory Service to select a directory service connection from the list, and search for a user group using that connection. If no directory service connection has yet been configured, select Manage Directory Services to open the Directory which you can use to configure a new connection.

    Select Identity Provider to select an identity provider connection from the list, and search for a user group using that connection. If no identity provider connection has yet been configured, select Manage IdP Connections to open the Identity Provider which you can use to configure a new connection.
    Authenticate using the Identity Provider that federates your Managed Apple IDs. Use the same Identity Provider (IdP) you selected for your Managed Apple IDs to authenticate your devices. You can allow all authenticated users to enroll with this rule or restrict enrollment by specifying which specific groups within the IdP connection can enroll.
    Note: This option is only available for User Enrollment add devices rules that are using Accounts Federated by Microsoft Azure AD.
    Password required to verify device enrollment Specify a single password for enrollment across all devices that enroll using this add devices rule.
    No password required to verify device enrollment Allow devices to enroll without verification.
    Use static enrollment challenge User static enrollment challenge. (For use with Apple Configurator.)
  8. Leave Internal SOTI MobiControl CA selected as the certificate authentication authority.
    If you are enrolling devices with a third-party certificate, follow the steps at Enrolling macOS Devices Using a Third Party Certificate instead.
  9. Optional: Set this add devices rule as an enrollment profile for Apple's Automated Device Enrollment (ADE). Select all the options you want to apply to this enrollment profile. If you have not already configured ADE with SOTI MobiControl, click Configure ADE. Click Next.
    Note: ADE is not supported on User Enrollment add devices rules.
  10. Optional: Enable the Terms and Conditions setting and select a terms and conditions document from the dropdown list. If you haven't uploaded a terms and conditions document yet, click Manage to add a new document. Click Next.
    Device users will be prompted to accept the terms and conditions upon enrollment.
  11. Specify a naming convention for your devices. Use a combination of text and macros to automatically and intelligently name your devices.
    For example, Ottawa Sales %AUTONUM% %ENROLLEDUSER_EMAIL% transforms into Ottawa Sales 001 sarah@organization.com, Ottawa Sales 002 saurabh@organization.com, and so on.
  12. Optional: Choose images for your devices' lock and home screens. Click the image icon to browse your computer for image files. Toggle between iPhone and iPad to use different images on different device types.
    iOS wallpaper picker
    Note: You cannot specify images for user enrollment add devices rules.
  13. Review your enrollment settings. Click Back to return to a previous screen and make changes or click Advanced to adjust the rule further.
  14. Once you're satisfied with your enrollment settings, click Finish to save your new add devices rule.
  15. Make a note of the Enrollment ID or Enrollment URL.
    Location of Enrollment ID and URL in add devices rule summary
Enroll macOS Devices
Important: Choose the user account that you use to enroll a macOS device to SOTI MobiControl carefully. Some configuration settings will only apply within the user account that was used for enrollment rather than to the entire device.
  1. On the macOS device, open an internet browser and enter the Enrollment URL in the address bar.
    You may receive a warning stating that the browser cannot verify the server identity. Click Continue to ignore it and proceed to the macOS Enrollment Service web page.
    If you created an app policy with the macOS device agent, it will proceed to download and install itself on the device.
  2. Follow the instructions of either the
    • Device Agent Setup Assistant (if enrolling with a device agent)
    • Enrollment Service Web Page (if enrolling agentlessly).
  3. If the add devices rule was configured with LDAP, enter the applicable credentials into the device.
  4. Click Step 1 to begin downloading the SOTI MobiControl Trust Profile.
    This profile installs the SOTI MobiControl Root CA certificate on your macOS device. It is required to verify the SOTI MobiControl Management Profile.
    The macOS Profile Manager application will open to continue the installation of the SOTI MobiControl Trust and Management profiles.
  5. Click Install to initiate the download. Once the Trust Profile has finished downloading, click Install again to install the Trust Profile and continue with the enrollment process.
  6. Click Step 2 to download the SOTI MobiControl Management Profile. Click Allow and then Install and then Install again to install the SOTI MobiControl management profile.
    When you click Install, you will receive a warning message with a brief description of the purpose of the SOTI MobiControl Management Profile. Click Trust to continue.
    The installation process of the SOTI MobiControl Management Profile includes several steps that require user interaction, such as entering administrator credentials.
  7. Once the profile has finished installing on your device, click Done.

Results

Your macOS device is now enrolled in SOTI MobiControl.