Configuring Basic macOS Management: Workspace ONE Operational Tutorial
Overview
Omnissa Workspace ONE® UEM provides a comprehensive management solution for macOS devices, supporting operating systems version 10.9 and higher. With the ability to manage Corporate-Dedicated, Corporate Owned or Employee Owned (BYOD) devices, Workspace ONE UEM offers enterprises the flexibility to meet their employees’ needs at any level.
Purpose of This Tutorial
Omnissa provides this operational tutorial to help you with your Workspace ONE® environment. In this tutorial, you will enroll a macOS device, configure a restrictions profile and a dock profile, configure a device lock, and deploy macOS volume-purchased apps.
Audience
This operational tutorial is intended for IT professionals and Workspace ONE administrators of existing production environments.
Both current and new administrators can benefit from using this tutorial. Familiarity with macOS, XML, and basic scripting is assumed.
Knowledge of additional technologies such as Omnissa Intelligence and Workspace ONE® UEM is also helpful.
Enrolling macOS Devices
This section covers basic macOS administration using Workspace ONE UEM. This exercise helps you to install the Workspace ONE Intelligent Hub and enroll a macOS device into Workspace ONE UEM.
Prerequisites
Before you can perform the exercises in this tutorial, you must meet the following requirements.
- Workspace ONE UEM version 2206 or later
- Apple device running macOS version 10.12.6 (Sierra) or later
- Retrieve the Group ID from Workspace ONE UEM Console
- Local macOS account with administrator permissions
This exercise requires admin and end user device authentication during enrollment. Gather the required account information and record it in the following tables. The account information provided in these tables is based on a test environment. Your account details will differ.
Local Administrator Account Information |
|
Username |
|
Password |
|
User Account Information |
|
Username |
|
Password |
|
Email address |
Workspace ONE UEM Information |
|
Server URL |
|
Administrator username |
|
Password |
|
Installing the Workspace ONE Intelligent Hub
Start by downloading and installing Workspace ONE Intelligent Hub on your macOS device. This exercise will outline the steps to follow.
- Log in to the macOS device with your administrator credentials.
- Enter the username. For example,
administrator
. - Enter the password. For example,
Omnissa1!
. - Click the arrow icon or press Enter.
- Enter the username. For example,
- Click the Safari icon (blue compass) to open the Safari browser.
- Enter
https://getwsone.com
in the URL field, then press Enter. - Click Download Hub beneath macOS. The Workspace ONE Intelligent Hub begins to download and will save to the Downloads folder by default.
- Launch the Intelligent Hub installer by clicking the Downloads folder in the dock (next to the Trash Bin).
- Click on the installer package you just downloaded.
- Review the Introduction. Click Continue.
- Review and Accept the Licensing Terms by clicking Continue and then click Agree (to the license terms).
- Click Install to perform a standard installation.
- Enter the admin username, for example,
Administrator
. - Enter the password.
- Click Install Software.
- Click Close when the installer finishes.
- Click Move to Trash to move the installer to the trash.
Onboarding using User-Initiated Agent-Based Workflow
In this exercise, you enroll a macOS device into Workspace ONE UEM. Enrollment is the action that brings a device under management and control by Workspace ONE UEM. There are a few ways to enroll the various platforms (macOS included), but for this exercise, we cover a basic enrollment scenario.
This enrollment flow is considered User-Approved per the functionality introduced in macOS High Sierra.
- After the Workspace ONE Intelligent Hub finishes installing, the Enrollment Wizard should start automatically. From within the Enrollment wizard window, click Server Detail.
Note: The Enrollment Wizard may take several minutes to launch. If you do not see the Enrollment Wizard immediately, be patient and wait for it to appear.
- Enter your Workspace ONE UEM URL, for example,
hol.awmdm.com
. - Enter your Group ID.
Note: You can find your Group ID in the Workspace ONE UEM console by navigating to Group & Settings. Click Groups, and then click Organization Groups. Select the Details view. - Click Continue.
- Enter the enrollment username. For example,
testuser
. - Enter the enrollment user password. For example,
Omnissa1!
. - Click Continue.
- Select the ownership type for the device. If the device is an employee-owned BYOD, select Employee Owned. If the device is a corporate-owned device, select Corporate owned. Click Next.
Note: If you select Corporate owned, you will also need to specify if the device will be dedicated to one user or shared by multiple users. - Click Next to install Workspace Services. The installation and enablement of Device Management will begin.
- When the Profile window is displayed, click Install to approve the User-Approved Enrollment Profile.
- When prompted, click Install to confirm the installation.
- When prompted, enter the password for your user account on the Mac. For example,
Omnissa1!
. - Click OK.
- When the installation is complete, close the Profiles panel by clicking the red dot. Then click Done.
- You can validate the enrollment by clicking the Hub icon in the upper-right corner of your screen.
- In the menu that appears, you can see the device’s status as Enrolled.
Configuring macOS Profiles
Profiles are the mechanism by which Workspace ONE UEM manages settings on a macOS device. All profiles are broken down into two basic sections: the General section and the Payload section.
- The General section defines the profile's name and assignment settings.
- The Payload sections define actions to be taken on the device.
Every profile must have all required fields in the General section properly filled out and at least one payload configured.
With Workspace ONE UEM, profile management for macOS can occur on the device level or on the user level.
Device-level profiles apply restrictions and settings to any user logged-on to the device. Device profiles are typically used to control settings that apply system-wide such as VPN and Wi-Fi configurations, Global HTTP Proxy, Disk Encryption, and/or Directory (LDAP) integration.
In contrast, user-level profiles apply settings and restrictions to the specific user logged-on to the device. User profiles typically control settings that apply to the enrolled user such as email configurations, web clips (URL shortcuts), credentials (certificates), and content filtering settings.
Prerequisites
Before you can perform the exercises in this tutorial, you must meet the following requirements.
- Workspace ONE UEM version 9.4 or later
- Apple device running macOS version 10.12.6 (Sierra) or later
Configuring a Restrictions Profile for macOS Devices
In this exercise, deactivate Allow Screen Capture and Allow Use of Built-in Camera settings on a macOS device by configuring a device-level restrictions profile. This exercise explores how to modify the macOS device behavior using profiles.
- On your desktop, double-click the Google Chrome icon.
- Go to the Omnissa Workspace ONE UEM Console.
For example, go tohttps://<WorkspaceONEUEMHostname>
where WorkspaceONEUEMHostname is the host name of the Workspace ONE UEM console. - Enter your Username, for example,
administrator
. - Click Next. After you click Next, the Password text box is displayed.
- Enter your Password, for example,
Omnissa1!
. Click Login.
Note: If you see a Captcha, be aware that it is case sensitive. - In the Workspace ONE UEM console, select Resources. Then select Profiles & Baselines.
- Select Profiles.
- From the Add dropdown menu, select Add Profile.
- Select Profile Platform by selecting macOS.
- For the Context, select Device Profile.
- Enter macOS Device Restrictions for the profile name.
- Scroll down the list of payloads until you find Restrictions. Click Add.
- Under Functionality, click the button next to Allow screen capture. The button, which is green by default, should turn gray.
- Click the button for Allow use of Built-in Camera. The button, which is green by default, should turn gray.
- Click Next.
- Scroll down to view Assigned Groups and click in the search box. From the list of Assignment Groups that appear, select the appropriate group. For example, select All Devices (your@email.shown.here).
- Select Auto for the Assignment Type.
- Click Save and Publish.
You should now see your macOS Device Restrictions Device Profile within the list of the Profiles window.
Note: If you need to edit the profile, this is where you would do so. - You can validate that the profile has been applied, by logging in to your macOS device.
- Launch the Photo Booth application. The application reports that there is no connected camera.
Note: This will only work on a macOS device that has a built-in camera.
- Launch the Screenshot application, which is in the Utilities folder under Applications. If the macOS Device Restrictions profile created earlier is configured and applied correctly, the Screenshot application will not launch.
Configuring an Accessibility Profile for macOS Users
In this exercise, configure Accessibility settings for a specific, enrolled user on a macOS device by configuring a user-level profile.
- In the Workspace ONE UEM console, select Resources. Then, select Profiles & Baselines.
- Select Profiles.
- From the Add dropdown menu, select Add Profile.
- Select the Profile Platform by selecting macOS.
- For the Context, select User Profile.
- Enter macOS Accessibility for the profile name.
- Scroll down the list of payloads until you find Accessibility. Click Add.
- Click the button next to Use grayscale. The button, which is gray by default, should turn green.
- Change the Cursor Size to Extra Large.
- Click Next.
- Scroll down to view Assigned Groups and click in the search box. From the list of Assignment Groups that appear, select the appropriate group. For example, select
All macOS Users (
your@email.shown.here
)
. - Select Auto for the Assignment Type.
- Click Save and Publish.
You should now see your macOS Accessibility User Profile within the list of the Profiles window.
Note: If you need to edit the profile, this is where you would do so. - You can validate that the profile has been applied, by logging in to your macOS device.
- The screen will be displayed as grayscale, and the cursor will be extra-large.
Configuring Device Lock for macOS
Device lock for macOS devices causes the machine to reboot into a firmware-lock screen. This lock screen occurs at the firmware level prior to OS boot. This exercise helps you to configure a macOS device lock.
Prerequisites
Before you can perform the exercises in this tutorial, you must meet the following requirements.
- Workspace ONE UEM version 9.4 or later
- Apple device running macOS version 10.12.6 (Sierra) or later
Note: For Mac devices running Apple silicon, macOS version 11.5 or later is required. If you try to use this feature on a Mac with Apple silicon running a version of macOS before 11.5, the Mac will be deactivated, and a network connection and authentication with Secure Token will be required to re-enable the device.
Configuring Device Lock
Workspace ONE UEM supports a firmware-based device lock for macOS. The device cannot be booted until the device lock code has been entered. This exercise helps you to configure device lock for macOS.
- Open the macOS Device Details by selecting Devices.
- Select List View. Then, select your enrolled macOS device.
- Lock the device by clicking Lock in the upper-right corner of the device details view.
- When prompted, enter a Device Lock Code. For this exercise, enter
111111
as the firmware lock code.
- Click Lock Device.
- The device will reboot after a short delay and the firmware will be locked.
- To unlock the device, enter
111111
at the System Lock screen.
Understanding macOS Software Delivery
Workspace ONE UEM supports a few different methods for delivering software to managed macOS devices. This section helps you to volume-purchase app licenses in Apple Business Manager, then assign them to enrolled devices in Workspace ONE UEM.
The following software delivery methods are available for macOS:
- Apple Business Manager or Apple School Manager — Delivers macOS App Store applications to devices as volume-licensed, purchased applications.
- Software Distribution — Delivers third-party, non-store applications as internal apps in Workspace ONE UEM 2203 and later.
The type of software being delivered determines appropriate delivery method. The following table lists different types of software, and their recommended delivery method.
|
Store Apps |
Non-Store Apps |
Delivery Methods |
|
Software Distribution |
Examples |
|
|
Prerequisites
Before you can perform the exercises in this tutorial, you must meet the following requirements.
- Workspace ONE UEM version 9.4 or later
- Apple device running macOS version 10.12.6 (Sierra) or later
- Apple Volume Purchase Program (VPP) is configured in Workspace ONE UEM
Deploying macOS Volume-Purchased Apps
This section shows how to volume-purchase applications through the Apple Business Manager and assign them to devices using device-based licensing. However, Workspace ONE UEM also supports non-store, third-party software management. For details, see Deploying Third-Party macOS Applications: Workspace ONE Operational Tutorial.
Purchase App Licensing in Apple Business Manager
Before you can assign volume-purchased applications to devices, you will first purchase licenses within Apple Business Manager.
- Log in to Apple Business Manager.
- Click Apps and Books.
- Set Type to
Mac
and enterPages
in the search field.
- Click Pages in the results and, using the Assign to dropdown, assign this app to your Workspace ONE UEM instance.
- Enter 10 in the Quantity field and click Get.
Configure App Assignments in Workspace ONE UEM
In this exercise, you will enable device assignment for an app, and assign the app to a group of single-user devices. Each device will receive one license, and an Apple ID on the device will not be required to receive the application.
- In Workspace ONE UEM, click Resources.
- Click Apps, and then select Native.
- Click Purchased. Pages should be listed among your apps.
Note: If Pages is displayed in your app list, click Sync Assets. This will sync your app license purchases with Apple Business Manager.
- Place a check next to Pages. The More Actions menu will appear.
- From the More Actions menu, select Enable Device Assignment.
- Click Pages. Enter 2 for Licenses on hold.
- Click Save & Assign.
- Scroll down to view Assigned Groups and click in the search box. From the list of Assignment Groups that appear, select the appropriate group. For example, select
All macOS Devices (
your@email.shown.here
)
. - Enter the number of licenses to allocate to the assignment group.
- Click Create.
- Click Save.
- Click Publish.
- Log in to your macOS device and launch Intelligent Hub.
- Click Apps.
- If Pages has not already installed automatically, you can click the Install button next to Pages to install the app on your macOS device.
Summary and Additional Resources
This operational tutorial provided basic administration steps to manage macOS with Workspace ONE UEM. Procedures included enrolling a macOS device, configuring a restrictions profile and a dock profile, configuring a device lock, and deploying macOS volume-purchased apps.
Additional Resources
For more information about Workspace ONE UEM, explore the product page for Workspace ONE UEM on Tech Zone. You will find everything from beginner to advanced curated assets in the form of articles, videos, and labs.
Additionally, you can check out the Workspace ONE and Horizon Reference Architecture which provides a framework and guidance for architecting an integrated digital workspace using Workspace ONE and Horizon.
You may also want to read these additional operational tutorials from macOS on Omnissa Tech Zone.
- Getting Started with Freestyle Orchestrator on macOS Devices
- Using Workspace ONE to Manage Operating System Updates on macOS Devices
- Distributing Scripts to macOS Devices
- Deploying a Third-Party macOS App
- Enforcing macOS Security Compliance Project Baselines
Changelog
The following updates were made to this guide:
Date |
Description of Changes |
08/22/2024 |
|
02/29/2024 |
|
08/19/2022 |
|
03/27/2019 |
|
About the Authors
The latest version was written by:
- Michael Bradley , Senior Technical Marketing Architect, Omnissa.
Feedback
Your feedback is valuable. To comment on this paper, either use the feedback button or contact us at tech_content_feedback@omnissa.com.