Enrolling macOS Devices Using a Third Party Certificate

Before you begin

Bind a trusted third-party certificate to Deployment Server Extensions and Web Console and macOS Profile Signing in the SOTI MobiControl Administration Utility and turn off the Require Trust Profile During Enrollment setting.

Alternatively, to use the SOTI MobiControl Certificate to enroll and authenticate your devices, follow the steps detailed at Enrolling macOS Devices Using a SOTI MobiControl Certificate.

Important: Install the Apple Push Notification Service (APNS) certificate before enrolling your Apple devices. The APNS certificate facilitates regular communication between the SOTI MobiControl deployment server and enrolled Apple devices.
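Because this enrollment path relies on the third-party certificate rather than a trust profile, it is worth confirming, before handing out the Enrollment URL, that the deployment server presents a chain the local trust store accepts. The following is an added example (not SOTI MobiControl's own tooling); the host and port are assumptions you substitute with your own server.

```shell
#!/bin/sh
# Added example, not part of SOTI MobiControl: check that the deployment
# server's TLS chain validates, so the macOS browser does not warn about
# server identity when the Enrollment URL is opened. Host/port are assumptions.

# Extract the "Verify return code" line from captured `openssl s_client` output.
verify_status() {
  printf '%s\n' "$1" | sed -n 's/^Verify return code: //p' | head -n 1
}

# Succeed only when OpenSSL reports code 0, i.e. the chain validated.
chain_verifies() {
  [ "$(verify_status "$1")" = "0 (ok)" ]
}

# Extract the server certificate's issuer so you can confirm it is the
# third-party CA you bound, not a self-signed or SOTI-generated certificate.
chain_issuer() {
  printf '%s\n' "$1" | sed -n 's/^issuer=//p' | head -n 1
}

# Connect to the server (host and port are placeholders) and report the result.
check_enrollment_tls() {
  host="$1"
  port="${2:-443}"
  out=$(printf '' | openssl s_client -connect "$host:$port" -servername "$host" 2>/dev/null) || true
  if [ -z "$out" ]; then
    echo "$host:$port: no TLS handshake (server unreachable or TLS disabled)"
    return 2
  fi
  echo "$host:$port issuer: $(chain_issuer "$out")"
  if chain_verifies "$out"; then
    echo "$host:$port: chain verified against local trust store"
    return 0
  fi
  echo "$host:$port: chain NOT trusted: $(verify_status "$out")"
  return 1
}

# Usage, for example: check_enrollment_tls mdm.example.com 443
```

The openssl command line checks its own CA bundle, not the macOS Keychain, so run it where the third-party root is in that bundle or add `-CAfile` pointing at it.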

About this task

In this procedure, you'll learn how to define enrollment settings for macOS devices and enroll macOS devices using a third-party certificate.

Procedure

Define enrollment settings for macOS devices
  1. Optional: If you plan to use a device agent, create an app policy containing the SOTI MobiControl App for macOS Devices and assign it to the device group that these devices will be enrolled into.
    Download the SOTI MobiControl App for macOS Devices from https://docs.soti.net/mobicontrolagentdownloads/ and add it to the app policy as an Enterprise Application.
  2. In the SOTI MobiControl legacy console, go to the Apple > Rules and right-click Add Devices. Select Create Add Devices Rule to launch the Create Add Devices Rule wizard.
    An add devices rule defines enrollment settings for your devices. You can create multiple add devices rules, each with different enrollment settings. However, you cannot use one add devices rule across multiple platforms.
    Location of right-click menu to create a new Apple add devices rule.
  3. Enter a name for the add devices rule. Make it brief, but descriptive, especially if you plan to create multiple add devices rules. Click Next.
  4. Choose the destination device groups:
    Manual: All devices enrolled with this rule will be placed in the same device group.

    On the next screen, select a device group from the list to enroll your devices into and then skip to the step for selecting a user authentication option.

    Based on User Group Membership: Devices will be placed into groups based on the membership of the user account assigned to the device. You'll be able to associate user groups with specific device groups later in the wizard.

    Click Next.

  5. Choose either LDAP Directory Service or Identity Provider and then select an identity management connection from the dropdown list. If you have not configured any connections yet, click Manage Directory Services / IdP Connections to configure a new connection; it will then appear in the dropdown list. See Identity Management for more information. Click Next.
  6. Enter a user group (for example, administrators) that exists in your connection in the field and click Add. Once it appears under User Groups, choose a device group from the dropdown list. All members of the user group will be automatically added to the selected device group as soon as they enroll in SOTI MobiControl. If you'd like, add any terms and conditions documents. Click Next.
    User group mapping in add devices rule
  7. Select a user authentication option.
    Note: These options appear only if you chose Manual for mapping your device destinations.
    Utilize user groups to authenticate users during device enrollment: Use a directory service or an identity provider for user authentication.

    Select Directory Service to select a directory service connection from the list, and search for a user group using that connection. If no directory service connection has yet been configured, select Manage Directory Services to open the directory services configuration, where you can configure a new connection.

    Select Identity Provider to select an identity provider connection from the list, and search for a user group using that connection. If no identity provider connection has yet been configured, select Manage IdP Connections to open the identity provider configuration, where you can configure a new connection.

    Authenticate using the Identity Provider that federates your Managed Apple IDs: Use the same Identity Provider (IdP) you selected for your Managed Apple IDs to authenticate your devices. You can allow all authenticated users to enroll with this rule or restrict enrollment by specifying which groups within the IdP connection can enroll.
    Note: This option is only available for User Enrollment add devices rules that are using Accounts Federated by Microsoft Azure AD.
    Password required to verify device enrollment: Specify a single password for enrollment across all devices that enroll using this add devices rule.
    No password required to verify device enrollment: Allow devices to enroll without verification.
    Use static enrollment challenge: Use a static enrollment challenge (for use with Apple Configurator).
  8. Select the trusted third-party certificate from the Issue agent using dropdown list to use it as the certificate authentication authority.
    If you are not enrolling devices with a third-party certificate, see Enrolling macOS Devices Using a SOTI MobiControl Certificate instead.
  9. Optional: Set this add devices rule as an enrollment profile for Apple's Automated Device Enrollment (ADE). Select all the options you want to apply to this enrollment profile. If you have not already configured ADE with SOTI MobiControl, click Configure ADE. Click Next.
    Note: ADE is not supported on User Enrollment add devices rules.
  10. Optional: Enable the Terms and Conditions setting and select a terms and conditions document from the dropdown list. If you haven't uploaded a terms and conditions document yet, click Manage to add a new document. Click Next.
    Device users will be prompted to accept the terms and conditions upon enrollment.
  11. Specify a naming convention for your devices. Use a combination of text and macros to automatically and intelligently name your devices.
    For example, Ottawa Sales %AUTONUM% %ENROLLEDUSER_EMAIL% transforms into Ottawa Sales 001 sarah@organization.com, Ottawa Sales 002 saurabh@organization.com, and so on.
  12. Optional: Choose images for your devices' lock and home screens. Click the image icon to browse your computer for image files. Toggle between iPhone and iPad to use different images on different device types.
    iOS wallpaper picker
    Note: You cannot specify images for user enrollment add devices rules.
  13. Review your enrollment settings. Click Back to return to a previous screen and make changes or click Advanced to adjust the rule further.
  14. Once you're satisfied with your enrollment settings, click Finish to save your new add devices rule.
  15. Make a note of the Enrollment ID or Enrollment URL.
    Location of Enrollment ID and URL in add devices rule summary
Enroll macOS Devices
Important: Choose the user account that you use to enroll a macOS device to SOTI MobiControl carefully. Some configuration settings will only apply within the user account that was used for enrollment rather than to the entire device.
  1. On the macOS device, open an internet browser and enter the Enrollment URL in the address bar.
    You may receive a warning stating that the browser cannot verify the server identity. Click Continue to ignore it and proceed to the macOS Enrollment Service web page.
    If you created an app policy with the macOS device agent, it will proceed to download and install itself on the device.
  2. Follow the instructions of either the
    • Device Agent Setup Assistant (if enrolling with a device agent)
    • Enrollment Service Web Page (if enrolling agentlessly).
  3. If the add devices rule was configured with LDAP, enter the applicable credentials into the device.
  4. Click Step 1 to download the SOTI MobiControl Device Enrollment Profile. Click Allow, then Install, then Install again to install the SOTI MobiControl device enrollment profile.
    The macOS Profile Manager application will open to continue the installation of the SOTI MobiControl Trust and Management profiles.
  5. The installation process of the SOTI MobiControl Device Enrollment Profile includes several steps that require user interaction, such as entering administrator credentials. Once the profile has finished installing on your device, click Done.

Results

Your macOS device is now enrolled in SOTI MobiControl.