Hector
Barnes

A guide to Zero-Touch deployment for Macs

Hector Barnes

Nov 24, 2021

7 min read

The ongoing pandemic has caused a sudden surge in the demand for managed devices over the last couple of years. This is mainly due to the fact that businesses have restructured their working models, causing a shift from work from office scenario, to work from home or remote locations or more precisely the ‘work from anywhere’ concept. But what about the devices? Won’t it be too hard to configure each and every device at remote locations? Well not really. That’s where zero-touch comes into play. Zero-touch streamlines the whole process of enrolling devices in bulk. In this article, we’ll see how zero-touch deployment can be achieved in Macs.

Zero-Touch with Hexnode

What is Zero-Touch?

The term zero-touch suggests automation. And here it means automation in device enrollment or provisioning. With zero-touch, you can automate device deployment lightening the load on IT admins, and making it easier for employees. It makes the devices ready-to-work right from unboxing.
How does it work? Basically, when a user turns on the device for the first time and connects to a network, the device connects to a DHCP server. The Dynamic Host Configuration Protocol (DHCP) server provides IP address, name of the file for configuration, and its location. The device then downloads the file, installs and sets up the device configuration settings.

Why Zero-Touch?

Before, IT admins were involved in each aspect of provisioning and configuring, hardware resources. Now, with zero-touch you don’t have to sit for hours writing commands and imaging the device. The perks include-

  • Simple set-up, making the device ready to work within a matter of minutes. This saves a huge amount of time as compared to the traditional method. With the old set-up, you’ll have to configure the device with an account, network connection, necessary restrictions, applications etc. But now, even the initial set-up of devices can be streamlined, saving time and effort.
  • Eliminates human errors, as you don’t have to write the code each time. Now this is a major perk. As you don’t have to set up each device individually, it not only saves time but also eliminates the chance of having errors. Once the file is written, coded, and made bug-free, it will be available for all the devices to use. It also removes the boring repetitive task.
  • Re-provisioning and fixing errors can be done easily. That is, if by any chance there is a need to change the settings, maybe due to an error or due to a change in the features required, it can be easily re-provisioned and applied uniformly to all the devices.

However, if not done with proper care, zero touch provisioning can pose some serious security concerns like man in the middle attack.

What Zero-Touch Looks Like for Macs

With macs, zero-touch enrollment can be made possible with Apple Business Manager (ABM) and a UEM (or MDM) of your choice. ABM consolidates Apple’s DEP and VPP. DEP, is Apple’s automated device enrollment platform, which allows bulk enrollment of devices by applying necessary configurations. VPP on the other hand enables businesses and educational institutions purchase and distribute apps in bulk. With ABM consolidating both services, we can manage both using a single platform. And what does a UEM solution do? it provides seamless device enrollment and management options, by integrating ABM features with its advanced settings.

Supported macOS devices:

Mac computers with OS X Mavericks 10.9 or later


Note:

Make sure to configure Apple Push Notification services (APNs) with your mobile device management. In Hexnode, you can do this at the admin tab, following the simple steps mentioned here.

First, you need to enroll your organization in Apple Business Manager. Click here to go to the ABM page and click on Enroll now. Then you’ll be asked to enter organization details like organization name, D-U-N-S number, phone number, website, and other related information. From here, it can be put into just three steps.

  • After you set up an ABM profile for your organization, pick a UEM solution like Hexnode UEM, and integrate it with your ABM. For this-
    1. Log in to your business manager account
    2. Navigate to Settings>Device Management Settings
    3. Provide an MDM Server Name and upload the Certificate file of your UEM provider, click on save and then click on Download Token.
    4. Upload the Token in Hexnode portal.
  • Next you will have to assign the devices that you need to enroll to your UEM solution, inside Apple Business Manager. You can do this by entering the serial number or order number of the device in the case of single devices. To assign devices in a bulk, there is an option to upload a CSV file.Then, in Choose Action select assign to server from Perform Action drop-down. From the MDM server drop-down, choose the server you want to assign the devices to.
  • Now that you have assigned the devices to the server, enroll the devices clicking on “Auto-Enroll Devices”.

After these steps, your devices will be enrolled with your UEM solution. When the user turns on the device, they’ll be asked to enter some information. These include country, language, preferred network etc., and then the configurations will be automatically applied to the device.

Auto Advance for Macs:

With Auto Advance, you can skip the initial configuration set-up. In order to use Auto Advance, the device serial number must be in ABM and must be managed by a UEM/MDM server. With this, all you need to do is connect the device using an ethernet cable and power it on. Then all the configurations of the UEM will get applied to the device, skipping set-up screens. The user can then log in using known credentials.

Apple had introduced User Approved Mobile Device Management with macOS High Sierra 10.13.2. This enrollment can be used if you want to manage security-sensitive settings on a Macs not enrolled through DEP.

Zero-Touch Enrollment for Macs in Hexnode UEM

Hexnode supports DEP enrollment for Apple devices, that is iOS, macOS, and tvOS. Follow these simple steps to enroll your Mac devices with Hexnode, with zero-touch-

  1. Log in to your Hexnode portal
  2. Go to Enroll > Platform-Specific > macOS > Apple Business/School Manager. You can also configure DEP with Hexnode from Admin > Apple Business/School Manager > Apple DEP.
  3. Click on add DEP account
  4. Enter a name and download the certificate file

Now, just follow the steps mentioned earlier and upload the token in Hexnode and set up the following configurations-

  • Add as pre-approved device: Enable this option to add the DEP devices as pre-approved devices.
  • Default Configuration Profile: Select an already created DEP profile, or you can also create a new DEP configuration profile.
  • User authentication: Choose the type of user authentication required. You will have the following options to choose from:
    • Use global authentication settings: When this option is selected, the authentication mode as selected under Enroll > Settings > Authentication Modes is considered.
    • No authentication: When selected, the admin must choose the Domain and Default user to assign a default user for the devices.

The Bottomline

Zero-touch provides a convenient and time-efficient way for enrolling macs in bulk, allowing users to get things started within a matter of minutes. Replacing the traditional method, which requires a great deal of time and effort with doing repetitive tasks, zero-touch is indeed a boon to the IT admins.
 

Share
  •  
  •  
  •  
  •  
  •  

Hector Barnes

Changing perspectives one word at a time.

Share your thoughts