MacOS OTP Enrollment
You can now create a One Time Enrollment invitation for Mac, which can be used for enrollment.
A few points to consider:
- There is no Secure Hub for Mac, so when the user clicks on the enrollment link, it goes to https://<Server FQDN>:8443/zdm/macos/otae/login with the username populated.
- You would have to download the server cert if it’s self-signed.
- The three enrollment modes supported are Username+Password, Username+PIN, and High Security.
- Users can also enrol a Mac just by going to https://<Server FQDN>:8443/zdm/macos/otae/login
- You can disable this using the Server Property macos.otae.enable. Users can then enrol only by using an enrollment invitation.
- If the server property value is set to false, below is what users will see after they have entered/launched the enrollment URL:
Setup Notification Server
If not already configured, the XenMobile admin should first create a Notification Server. This could be an SMTP server or an SMS Gateway. For this document we are configuring an SMTP server to send the Invitation URL and enrollment PIN.
- Go to Settings –> Notification Server –> Add
- From the drop down select SMTP server.
- Enter the details in Add SMTP Server screen
- Fill in the mandatory fields such as Name, SMTP Server, From name, From email.
- By default the SMTP server port is set to 25; change the port if your SMTP server is configured on a different port.
- You can test the configuration by sending a test email with the set configuration.
- Click Save
- Next, the admin has to create an Enrollment Invitation. Go to Manage –> Enrollment Invitations –> Add
- Select Add Invitation from the drop down
- Enter the following details:
- Recipient: it could be a User or Group
- Select macOS as platform
- Device ownership could be Corporate or Employee
- Enter the User name or, if you have selected Group as Recipient, select the Domain and Group you would like to send the Invitation to.
- Select Enrollment Mode:
- User name + Password
- Two Factor
- User name + Pin
- Select the Template for the enrollment URL and enrollment confirmation (the default one is selected here)
- Send Invitation should be set to ON
- Save the settings
End User Experience
As soon as the admin saves the Enrollment Invitation settings, emails are sent to the user/group:
- Email containing Enrollment URL
- Email containing the PIN (if the enrollment mode is selected as Two Factor or User name + Pin)
- The user needs to click on the link in the email with the subject Enrol Your Device to start the enrollment process in macOS
- The link will open in the default browser (Safari).
- You will notice that the user name is pre-populated.
- The screenshots below are examples of the three enrollment modes the user will see, depending on which mode the XenMobile admin configured.
- Before entering the password or PIN or both, the user should ensure that XenMobile's root certificate is added to the system's keychain. Click on XenMobile root certificate.
- Click on install
- Profile should show as Verified
- After the user enters the login credentials and clicks on Sign-in, the profile install screens will show up one by one.
- The user needs to install the profiles to enrol the system.
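Because a self-signed server certificate cannot be validated by the browser, the one meaningful check before trusting it in the keychain is to compare its SHA-256 fingerprint with a value obtained from the administrator over a separate channel. The following is an added example, not part of the original article or of any Citrix tooling; the function names are hypothetical, the sample bytes are constructed rather than a real certificate, and it assumes the administrator publishes the fingerprint out of band.

```python
import hashlib
import hmac
import ssl

# Constructed stand-in bytes, NOT a real certificate: present only so the
# example runs offline. Real use fetches the PEM from the enrollment server.
SAMPLE_PEM = ssl.DER_cert_to_PEM_cert(b"constructed sample, not a real certificate")


def fetch_server_cert_pem(host: str, port: int = 8443) -> str:
    """Fetch the certificate the enrollment server presents, without
    validating it (a self-signed certificate would fail validation)."""
    return ssl.get_server_certificate((host, port))


def fingerprint_sha256(pem: str) -> str:
    """SHA-256 over the DER encoding of the certificate, as lowercase hex."""
    der = ssl.PEM_cert_to_DER_cert(pem)
    return hashlib.sha256(der).hexdigest()


def normalize(fp: str) -> str:
    """Accept 'AB:CD:..', 'ab cd ..' or plain hex; keep only hex digits."""
    return "".join(c for c in fp.lower() if c in "0123456789abcdef")


def matches_pin(pem: str, expected_fp: str) -> bool:
    """True only if the certificate's fingerprint equals the value the
    administrator published out of band."""
    expected = normalize(expected_fp)
    if len(expected) != 64:  # not a complete SHA-256 value: refuse
        return False
    return hmac.compare_digest(fingerprint_sha256(pem), expected)


def colon_form(fp_hex: str) -> str:
    """Format hex as the colon-separated uppercase form openssl prints."""
    up = fp_hex.upper()
    return ":".join(up[i:i + 2] for i in range(0, len(up), 2))


if __name__ == "__main__":
    pem = SAMPLE_PEM  # real use: fetch_server_cert_pem("<Server FQDN>")
    # Stand-in for the fingerprint received from the administrator.
    published = colon_form(fingerprint_sha256(pem))
    print("match" if matches_pin(pem, published) else "MISMATCH: do not install")
```

A truncated or mismatching fingerprint returns False, in which case the certificate should not be installed.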
Disclaimer: Screenshots used in this article are for representation purposes only.