Automatically group macOS devices by country during enrollment with Google Workspace authenticationSolved

For macOS, separate enrollment profiles mapped to different custom groups are not available in the same way as Windows enrollment profiles. The recommended approach is to use dynamic device groups with filters for macOS and geofences. This allows Hexnode to automatically group enrolled Mac devices based on their location and apply the relevant country-specific policies. You can configure this from: Manage > Device Groups > New Dynamic Group.

Suggested setup:

1. Create a new dynamic group for the country or region.
2. Add a platform condition for macOS.
3. Add a geofence filter for the required country or region.
4. Preview the matching devices.
5. Save the group.
6. Associate the required country-specific policies, apps, or configurations with that dynamic group.

When a macOS device is inside the selected geofence, it becomes a member of that dynamic group and receives the associated policies. If the device moves outside the geofence, the policy association based on that dynamic group can be removed.

So creating these macOS dynamic groups won’t affect the existing Windows enrollment profiles, right? We already have multiple Windows enrollment profiles for different countries and don’t want to disturb them.

Correct. Creating macOS-specific dynamic groups will not affect existing Windows enrollment profiles as long as the dynamic group conditions are scoped properly. For example, include a platform filter such as: “Platform is macOS“, then add the required geofence condition for the country or region. This ensures the dynamic group only evaluates Mac devices and does not interfere with Windows devices or Windows enrollment-profile-based grouping.

How should the macOS enrollment link work if we want users to authenticate with Google Workspace? I can see the option to send enrollment requests only after selecting users. Can one invite be reused for multiple Mac laptops?

For authenticated macOS enrollment, Hexnode requires the enrollment request to be sent to selected users. The Send option becomes available only after users are selected because the enrollment request must be mapped to a user before credentials or authentication details can be generated.

To send authenticated macOS enrollment requests:

1. Go to Enroll > Platform Specific > macOS > Email or SMS.
2. Switch to Authenticated Enrollment.
3. Select Enrollment Request as the enrollment type.
4. Configure the ownership setting.
5. Select Email or SMS as the delivery method.
6. Choose the required domain and users.
7. Send the enrollment request.

For bulk enrollment invites, you can also go to Manage > Users, select multiple users, then use Actions > Others > New Enrollment to send enrollment requests in bulk.

If Google Workspace authentication needs to be enforced during enrollment, make sure authentication is enabled from: Admin > Enrollment > Authentication Mode > Enforce Authentication.

With Google Workspace users synced to Hexnode, users can be required to authenticate during enrollment. However, on macOS, this still does not create separate, reusable country-specific enrollment profile links as it does on Windows. Country-based assignment should be handled using macOS dynamic groups with geofence and platform filters. For stronger management and to prevent users from removing management profiles, Apple Business Manager enrollment is recommended where possible. Manual profile-based enrollment can be used, but it is less persistent than automated enrollment through Apple Business Manager.