Managing Apple devices
KACE Cloud allows you to manage macOS, iOS, and tvOS devices, to ensure they are secure and compliant with your policies, and also to prevent their data from being exposed to unauthorized users. This topic provides high-level instructions that allow you to start managing your Apple devices.
Apple device administrators can choose from a number of different enrollment flows depending on the device ownership (such as company-owned or personal), required level of control, and the specific business needs:
- Apple DEP enrollments: The Apple Device Enrollment Program (DEP) is the preferred method for touch-free enrollment of corporate-owned devices in your MDM solution. This is typically the flow for enrolling new iOS, macOS, and tvOS devices purchased from Apple or an authorized reseller.
- iOS Supervised Mode enrollments: You can enroll your target iOS devices in Supervised Mode using Apple Configurator 2. Administrators can use this mode for enrolling iOS devices that are not purchased from Apple or an authorized reseller. To enroll an iOS device in Supervised Mode, the device must be connected to a Mac running Apple Configurator 2. This process requires a KACE Cloud enrollment URL.
- Personal device (BYOD) enrollments: Personal iOS and macOS devices can be enrolled easily by pointing the user to a KACE Cloud enrollment URL. A device administrator can provide an enrollment URL to the device user to initiate enrollment, or send the URL with instructions by email. During enrollment, a provisioning profile is installed on the device.
- tvOS device enrollments: Apple TV devices can be enrolled either using Apple DEP or Apple Configurator 2. Administrators can also enroll tvOS devices using Apple Configurator 2 and add them to Apple DEP.
After completing the steps associated with the desired enrollment path, you have an option to integrate with other enrollment providers and configurations, as required, such as integration with the KACE Systems Management Appliance. Finally, configure your email accounts, device passcodes, and other elements to comply with your organization's requirements. You can link these configurations with KACE Cloud Policies to automate applicable processes and ensure your compliance requirements are in place at all times, to prevent any unpredictable issues.
The following procedure summarizes the steps for getting started with managing your target devices:
- Ensure that your devices are supported by KACE Cloud.
See the list of supported platforms for complete details.
- Ensure that you have access to the KACE Cloud portal.
When your subscription is provisioned, you will receive two emails from KACE Cloud that allow you to get started. See detailed instructions here.
- Optional. Add external users from your corporate account, if applicable.
See LDAP Sync Service and Single-Sign On (SSO).
- Ensure that the device user accounts are properly configured in KACE Cloud.
To enable new users to enroll their devices, you must ensure that their user account exists in KACE Cloud, and that the account has the Device User role. See detailed instructions here.
- Enroll Apple devices by following the appropriate path.
The enrollment path you choose depends on your Apple device type, ownership (company-owned or personal), and also on the level of control you need to have over devices.
Apple DEP enrollments (iOS, macOS, tvOS)
- Enroll your organization in the Apple DEP program.
When your organization is enrolled in the Apple DEP program, you order and manage Apple devices using your organization's credentials. Administrators can quickly assign desired iOS and macOS devices to the applicable Apple MDM servers and easily enroll them in KACE Cloud with Apple DEP. See this topic for more details.
- Link KACE Cloud with Apple DEP.
Start by downloading your public key from KACE Cloud. When you log in to your Apple DEP subscription in Apple Business Manager (ABM), configure one or more MDM servers that you want to use for KACE Cloud enrollments. Then, upload the KACE Cloud public key file to associate your MDM server in ABM with KACE Cloud. You can also specify the default MDM server for enrolling different device types. Finally, download the server tokens from ABM and upload them to KACE Cloud. Each server token links KACE Cloud to the appropriate MDM server. This enables KACE Cloud to be aware of the devices in Apple DEP. See detailed instructions here.
- Assign target Apple devices to Apple MDM servers.
Using your organization's Apple account credentials, associate the devices you want to start managing with desired Apple MDM servers. See detailed instructions here.
- Assign KACE Cloud DEP profiles to target Apple devices.
Create one or more DEP profiles to control the activation process of your target devices. Next, assign desired DEP profiles to the applicable macOS and iOS devices. See detailed instructions here.
- Activate managed Apple devices.
Activate managed Apple devices by turning them on or resetting them to factory settings. See this topic for more details.
iOS Supervised Mode enrollments
- Enroll iOS devices in Supervised Mode.
Start by installing Apple Configurator 2 on your computer and attaching an iOS device to the computer using a USB cable. Next, follow all steps in the wizard to activate Supervised Mode. When prompted, provide the KACE Cloud enrollment URL. See detailed instructions here.
Personal (BYOD) device enrollments (iOS, macOS)
- Enroll personal iOS devices.
Provide the end user with enrollment instructions. You can find them in KACE Cloud, in the Enroll Devices view when you select iOS. See detailed instructions here.
- Enroll personal macOS devices.
Provide the end user with enrollment instructions. You can find them in KACE Cloud, in the Enroll Devices view when you select macOS. See detailed instructions here.
tvOS device enrollments
- Enroll tvOS devices with Apple DEP.
Complete the same flow as for enrolling iOS and macOS devices in KACE Cloud with Apple DEP. Some additional configuration may be required if tvOS devices are already in the DEP program or if they are already set up. See detailed instructions here.
- Enroll tvOS devices using Apple Configurator 2.
Start by installing Apple Configurator 2 on your computer and attaching a tvOS device to the computer using a USB cable. Then, select the paired tvOS device and complete the configuration. When prompted, provide the KACE Cloud enrollment URL. See detailed instructions here.
- Enroll tvOS devices using Apple Configurator 2 and add them to Apple DEP.
Complete the same flow with Apple Configurator 2, but ensure you add the tvOS device to the Device Enrollment Program and activate it. See detailed instructions here.
- Specify common configuration settings.
After enrolling your mobile devices, you can create and apply desired configuration changes. KACE Cloud maintains a configuration Library that you can use to create and manage your settings. For example:
- Email: Email can be configured through an existing user account. The auto deploy option can be checked during the setup process. See Managing email accounts.
- Device passcodes: Set up passcode defaults by selecting one or more devices under the Devices section, then choosing Passcode Rules in the right panel. Passcode rules can also be applied to one or more devices using a policy. Passcodes can then be managed by editing rule sets in the library. See Managing passcode rules.
- VPN: There are unique VPN setup processes for the supported device OS types.
- Wi-Fi: New Wi-Fi configurations can be added in KACE Cloud, then applied directly to a device or devices. The configuration can be added to the Wi-Fi Library for future installation, and the auto deploy option can be checked during the setup process. See Managing Wi-Fi configurations.
See this topic for more details.
- Set up default policies.
KACE Cloud policies allow you to automatically apply desired configurations in your dynamic environment, to enforce your compliance requirements. See this topic for more details.
- Optional: Finalize your setup by integrating with other configurations.
If you are already a KACE SMA customer, you can configure the integration between KACE Cloud and KACE SMA. See detailed instructions here.