XenMobile-MacOS OTP Enrollment

MacOS OTP Enrollment

You can now create a one-time enrollment invitation for Mac, which can then be used to enroll the device.

A few points to consider:

  • There is no Secure Hub for Mac, so when the user clicks the enrollment link, it opens https://<Server FQDN>:8443/zdm/macos/otae/login with the user name populated.
  • You would have to download the server certificate if it is self-signed.
  • The three enrollment modes supported are Username+Password, Username+PIN, and High Security.
  • Users can also enroll a Mac just by going to https://<Server FQDN>:8443/zdm/macos/otae/login
  • You can disable this using the server property macos.otae.enable. Users can then enroll only by using an enrollment invitation.
  • If the server property value is set to false, users see the following after they enter or launch the enrollment URL:
[Screenshot]
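
The enrollment link has a fixed shape (HTTPS, the server FQDN, port 8443, the /zdm/macos/otae/login path), so a link taken from an invitation email can be checked against it before the user opens it and installs a root certificate from that page. The following is an added example, not Citrix code; the host xms.example.com, the function name and the sample links are assumptions made for illustration.

```python
from urllib.parse import urlsplit

# Path and port as given in this article.
ENROLL_PATH = "/zdm/macos/otae/login"
ENROLL_PORT = 8443
EXPECTED_HOST = "xms.example.com"  # assumption: placeholder for your server FQDN


def check_enrollment_link(url, expected_host=EXPECTED_HOST):
    """Return a list of problems; an empty list means the link matches."""
    problems = []
    try:
        parts = urlsplit(url.strip())
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return ["malformed URL"]
    if parts.scheme != "https":
        problems.append("scheme is not https")
    if parts.username is not None or parts.password is not None:
        # "https://xms.example.com:8443@other.host/..." connects to other.host
        problems.append("URL carries userinfo before the host")
    host = (parts.hostname or "").rstrip(".")
    if host != expected_host.lower():
        problems.append(f"host {host!r} is not {expected_host!r}")
    if port != ENROLL_PORT:
        problems.append(f"port {port} is not {ENROLL_PORT}")
    # The query string is ignored: the article does not say how the
    # user name is carried in the link.
    if parts.path.rstrip("/") != ENROLL_PATH:
        problems.append("path is not the macOS enrollment path")
    return problems


if __name__ == "__main__":
    # Constructed sample links, not taken from a real invitation email.
    samples = [
        "https://xms.example.com:8443/zdm/macos/otae/login",
        "http://xms.example.com:8443/zdm/macos/otae/login",
        "https://xms.example.com:8443@files.example.net/zdm/macos/otae/login",
        "https://xms.example.com.files.example.net:8443/zdm/macos/otae/login",
    ]
    for link in samples:
        print(link, "->", check_enrollment_link(link) or "OK")
```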

Setup Notification Server

If not already configured, the XenMobile admin should first create a Notification Server; this can be an SMTP server or an SMS gateway. For this document we configure an SMTP server to send the invitation URL and enrollment PIN.

  1. Go to Settings –> Notification Server –> Add
  2. From the drop-down, select SMTP server.
  3. Enter the details in the Add SMTP Server screen:
    • Fill in the mandatory fields such as Name, SMTP Server, From name, and From email.
    • By default the SMTP server port is set to 25; change the port if your SMTP server is configured on a different port.
    • You can test the configuration by sending a test email with the set configuration.
    • Click Save
  4. Next, the admin has to create an Enrollment Invitation. Go to Manage –> Enrollment Invitations –> Add
  5. Select Add Invitation from the drop-down.
  6. Enter the following details:
    • Recipient: it could be a User or a Group
    • Select macOS as the platform
    • Device ownership could be Corporate or Employee
    • Enter the user name or, if you have selected Group as Recipient, select the Domain and Group you would like to send the invitation to.
    • Select Enrollment Mode:
      • User name + Password
      • Two Factor
      • User name + PIN
    • Select the template for the enrollment URL and enrollment confirmation (the default one is selected here)
    • Send Invitation should be set to ON
    • Save the settings

End User Experience

As soon as the admin saves the Enrollment Invitation settings, emails are sent to the user/group:

  1. An email containing the enrollment URL
  2. An email containing the PIN (if the enrollment mode is selected as Two Factor or User name + PIN)

The user then completes enrollment as follows:

  1. The user needs to click the link in the email with the subject Enrol Your Device to start the enrollment process in macOS.
  2. The link opens in the default browser (Safari).
  3. You will notice that the user name is pre-populated.
  4. The screenshots below are examples of the three enrollment modes the user will see, depending on which mode the XenMobile admin has configured.
[Screenshots]
  5. Before entering the password, the PIN, or both, the user should ensure that XenMobile's root certificate is added to the system's keychain. Click on XenMobile root certificate.
  6. Click Install.
  7. The profile should show as Verified.
  8. After the user enters the login credentials and clicks Sign-in, the profile install screens show up one by one.
  9. The user needs to install the profiles to enroll the system.

After the profiles are installed, the system is successfully MDM enrolled.

Disclaimer: Screenshots used in this article are for representation purposes only.
