What is Mac MDM?

Mac MDM is essentially mobile device management for Macs, which usually involves deploying macOS (or OS X) devices to employees, distributing corporate resources such as apps, documents and media, enforcing security configurations and regular device maintenence. With the advent of modern management, iOS MDM solutions double up as macOS MDM (or OS X MDM) solutions. This requirement arose due to a multitude of devices running on diverse operating systems in organizations. However, to manage and secure these devices and the data contained within brings the need to deploy a mobile device management(MDM) solution.

ManageEngine MDM is not just a Mac MDM software but it lets you manage all Apple devices running on iOS, macOS, and tvOS besides Android devices, Chromebooks, and Windows devices, making it more than a Mac MDM solution, as it reduces the time spent in managing an array of devices running on different operating systems from a single console, thereby eliminating the need for multiple device management software.

How to manage macOS (and OS X) machines using macOS MDM?

ManageEngine MDM, the free Mac MDM solution supports the following features to manage machines running on macOS:

Enrolling devices into MDM for Macbook

Mobile Device Manager Plus, ManageEngine's MDM for Macbook, enables admins to automate device enrollment by deploying macOS devices, without any user intervention

  • Enroll machines which are already deployed:

    Enrollment is the first step under Mac device management. macOS machines which are in use even before setting up ME MDM can be enrolled using MDM. Enrollment can be performed through Invites in case of managing machines present in your inventory. For employee-owned personal machines, using Self Enrollment is ideal. The enrollment URL is accessed from the Mac machine that needs to be managed by macOS MDM solutions. Supported by MDM for macOS 10.7 and above.

  • Enroll using Apple Business Manager:

     Apple Business Manager integrates with device management solutions for Mac to facilitate out-of-the-box deployment. New machines can be enrolled and managed by Mac MDM solutions before being handed over to employees. Supported by MDM for macOS 10.9 and above.

  • Automate the creation of a local administrator account on Mac machines:

    During enrollment via Apple Business Manager, local admin account can be created on Mac machines to simplify device maintenance, configure system applications, add/remove user accounts, as well as for troubleshooting. Supported by MDM for macOS 10.11 and above.

Associating profiles to devices using an MDM for OS X

Admins can associate security configurations and policies using the Profile Management capabilities of Mobile Device Manager Plus

  • Passcode:

    Secure your managed machines and data by defining parameters for a password policy. Supported by MDM for macOS 10.7 and above.

  • Device restrictions:

    In case your organization's security policy prevents users from installing unapproved apps, it is possible to restrict the same using ME MDM. Restrictions related to device functionality, security, location settings, etc can be applied as well. Supported by MDM for macOS 10.8 and above.

  • Wi-Fi configuration:

    Wi-Fi and proxy settings for the managed machines can be configured. You can also prevent machines from connecting to unapproved Wi-Fi networks (or networds not configured by the MacOS MDM)  by configuring Restrictions. Supported by MDM for macOS 10.7 and above.

  • VPN configuration:

    VPN and proxy settings can be configured using Mac device management solutions. To know more about the supported types of VPN by MDM for Mac, click here. Supported by MDM for macOS 10.7 and above.

  • Per-App VPN:

    With per-app VPN, set up VPN connection for specified business requisite apps and secure corporate data. Supported by MDM for macOS 10.7 and above.

  • FileVault Encryption:

    Data stored in all the managed Mac machines can be secured by encrypting them through a single console using FileVault Encryption. Supported by MDM for macOS 10.9 and above.

  • Firmware Password:

    A Firmware password prevents the device from being booted from any internal or external disk other than the default startup disk. This is important to prevent the theft of the physical device. This password can be set in bulk on machines using MDM. Supported by MDM for macOS 10.13 and above.

  • AirPrint:

    Configure AirPrint to print documents, images, etc., wirelessly over Wi-Fi from your Mac to AirPrint compatible printers or non-compatible shared printers, without installing any additional app on the machine. Supported by MDM for macOS 10.7 and above.

  • Global HTTP Proxy:

    Ensure data security and protect corporate and personal data on the managed mac machines by configuring Global HTTP Proxy and route all the HTTP network traffic through the specified proxy. Supported by MDM for macOS 10.7 and above.

  • Certificate policy:

    Distribute CA certificates to the managed machines in order to secure and validate any network communication. Supported by MDM for macOS 10.7 and above.

  • Simple Certificate Enrollment Protocol (SCEP):

    In case of large organizations where it is a hectic task to distribute certificates manually, SCEP can be configured for scalable and simplified distribution of unique client certificates. Supported by MDM for macOS 10.7 and above.

  • AD Asset binding:

    Conventionally, binding Mac machines to your organization's Active Directory (AD) is a tedious task, requiring the manual intervention of the IT administrator. With MDM, the admin can configure the AD Asset binding policy to remotely bind managed Macs to your AD, without any sort of manual intervention by the admin or user. Supported by MDM for macOS 10.9 and above.

  • System Extensions:

  • Configure System Extensions to Allowlist both Kernel and System Extensions, including Network, Driver and Security extensions and provide access to these extensions. Supported by MDM for macOS 10.13 or later.

  • PPPC:

  • Configure Privacy Preferences Policy Control (PPPC) in MDM to remotely manage security preferences/permissions such as Accessibility, Camera, etc. With PPPC, you can allow or restrict permissions requested by Mac applications, on the users' behalf. Supported by MDM for macOS 10.14 or later.

  • Custom Configuration:

    To configure policies which MDM does not currently support, create custom configuration profiles using third-party tools like Apple Configurator or ProfileCreator. The supported OS version depends on the policies configured within the custom profile.

Secure managed devices using macOS MDM

Mobile Device Manager Plus provides comprehensive security management for mac devices by executing remote commands on managed devices

  • Remote Scan:

    Granular details about the managed machines can be viewed using the remote scan command. Information about the Installed apps, blocklisted apps and restrictions imposed on the machines can be obtained as well. Supported by MDM for macOS 10.7 and above.

  • Remote Lock:

    The IT administrator can remotely lock the managed machines to enhance data security and to also secure any machines that might be lost. Supported by MDM for macOS 10.8 and above.

  • Remote shutdown/ restart:

    Remotely switch off unattended Mac machines or you can also remotely reboot machines for troubleshooting issues. Supported by MDM for macOS 10.13 and above.

  • Complete Wipe:

    Suppose you require a machine to be handed over to another employee, all the data and settings on the managed machine can be completely wiped. The device will become as good as new. Supported by MDM for macOS 10.8 and above.

  • Corporate Wipe:

    Only the corporate data and settings pushed using MDM can be removed from the managed machines without deleting any personal data. Supported by MDM for macOS 10.7 and above.

  • Geotracking:

    The location of a Mac machine can be retrieved which makes it possible to know the whereabouts of a remote employee at work and also secure the device. Supported by MDM for macOS 10.7 and above.

App management using a Device Manager for Mac devices

Simplify the installation, update and uninstallation of corporate apps without user intervention using the app management capabilities of Mobile Device Manager Plus.

  • Silent app installation:

    Apps purchased via ABM can be silently installed in the managed machines from the MDM server with zero user intervention. Supported by MDM for macOS 10.10 and above.

NOTE: It is mandatory to configure an APNs certificate before managing Apple devices using macOS MDM solutions. To know more about the steps involved, click here.