macOS Enrollment

macOS device enrollment follows the same process as enrolling an iOS device. We recommend using the Safari browser to ensure a better enrollment experience for the end user.

  1. Select the Devices tab in top navigation.
  2. Click Enroll Device.

To enroll a device in KACE® Cloud Mobile Device Manager (KACE® Cloud MDM), a provisioning profile must be installed on the mobile device. A macOS device can also be enrolled using the Apple Device Enrollment Program.

A device admin can provide an enrollment URL to the device user to initiate enrollment, or send the URL with instructions by email. The admin can copy the URL or assemble as follows:

  • (Westeurope data centers only.)

Role Requirement

A user must have the Device User role assigned in order to enroll a device. The Device User role is assigned by default for every new user that is created, but if it has been unassigned at any point, it will cause an error in the enrollment process.

Passcode Management

Admins can manage passcodes for macOS devices just as they would for iOS devices. From the passcode rules library, add a new rule set—noting the icons adjacent to each rule and restriction. Some rules can be applied to both iOS and macOS, and some rules will apply to only one or the other.

Unenroll Device

There are two ways to unenroll a device:

Device Admin-initiated

  1. Select the Devices tab in top navigation.
  2. Select a device from the list.
  3. In the right panel, click the More Actions dropdown.
  4. Choose Unenroll Device.
  5. Click Confirm.

Device User-initiated

A device user can unenroll their device. On a macOS device, the device user can remove the KACE Cloud MDM Profile from the Device Management Settings section.

Set Up Using Apple DEP

An admin can set up KACE Cloud management of macOS devices in the Apple Device Enrollment Program (DEP).

macOS-specific Settings

When creating a DEP profile, an admin can choose macOS-specific settings for devices, which include the ability to:

  • Force token authentication
  • Set supervision in the form of local user accounts
  • Set disk access options

Force Token Authentication - When configuring a device with a DEP profile on a Mac-enabled tenant, an admin can enable 'force token authentication'. This setting forces a user to enter their username and a deployment token to enroll their device. This restriction helps prevent unauthorized access to sensitive customer information like VPNs, certificates, and custom applications.