Setting up User Enrollment on Mac

User enrollment on Mac is the premier management solution for Bring Your Own Device (BYOD) environments, prioritizing user privacy while ensuring organizational security. This method creates a clear, cryptographic separation between the user’s personal data and the organization’s work-related data and configurations on macOS devices.

Key Concepts and Limitations

Managed Apple IDs (MAIDs)

User Enrollment requires authentication via a Managed Apple ID (MAID). These organization-created IDs establish user identity and can securely exist alongside a user’s personal Apple ID without interaction or data mixing.

Core Management Limitations (vs. ADE)

Unlike Automated Device Enrollment (ADE), User Enrollment offers strictly limited management capabilities to protect user privacy. Hexnode UEM cannot execute critical device-level commands or retrieve extensive hardware inventory data, including:

  1. Lost Mode activation/disabling.
  2. Allowing or clearing Activation Lock.
  3. Retrieving hardware identifiers such as Serial Number, UDID, IMEI, or MEID.

Prerequisites

Before configuring User enrollment on Mac in Hexnode UEM, ensure the following steps are complete:

  • APNs Certificate: The APNs certificate must be configured on the Hexnode UEM portal.
  • Apple Business Manager (ABM): Your organization must be enrolled in Apple Business Manager.
  • Managed Apple IDs: Create and provision the necessary Managed Apple IDs in ABM for user authentication.
  • Unsupervised: The macOS device must not be supervised.
  • macOS Version Requirements:
    • Profile-driven enrollment: Requires macOS 10.15 up to macOS 14.
    • Account-driven enrollment: Requires macOS 14 and later.

Hexnode UEM Portal Configuration

  1. Log in to your Hexnode UEM portal.
  2. Go to Enroll > Platform-Specific > macOS > Email or SMS.
  3. Set the authentication mode to Authenticated Enrollment.
  4. Select the desired user types for Enrollment Request and/or Self Enrollment.
  5. Set device Ownership to Personal.
  6. Under Apple Enrollment Type, choose the required method:
    1. Profile-driven
    2. Account-driven
  7. Click Next.
  8. Configure and send the enrollment requests (containing the enrollment URL, username, and password) via Email or SMS.

Device Enrollment Procedures

The steps vary based on the selected enrollment type.

Case 1: Profile-driven User Enrollment (macOS 10.15 – 14)

  1. Open the Safari browser and enter the enrollment URL. (e.g., https://portalname.hexnodemdm.com/enroll/).
  2. Agree to the terms and click Enroll.
  3. Authenticate with the user account credentials configured in Hexnode UEM.
  4. Enter your Managed Apple ID and click Download Profile.
  5. Open System Settings (or System Preferences) and navigate to Privacy & Security > Others > Profiles.
  6. Double-click the downloaded profile to install it.
  7. Authenticate profile installation using the device’s administrator credentials.
  8. Authenticate with the Managed Apple ID password to sign in to the Mac and finalize the enrollment.

Case 2: Account-driven User Enrollment (macOS 14+)

Before device enrollment, the administrator must complete Step 1 (setting up a web server that serves the enrollment information) as detailed in Hexnode’s Account-driven Enrollment documentation.

  1. Open System Settings and navigate to Privacy & Security > Profiles.
  2. Adjacent to Work or School Account, click Sign In.
  3. Enter the Managed Apple ID and click Continue. When prompted to use a web browser for authentication, click Open Browser.
  4. Agree to the terms on the enrollment screen and click Enroll.
  5. Authenticate with the user account credentials configured in Hexnode UEM. You will be redirected back to System Settings.
  6. Sign in to iCloud using the Managed Apple ID password and click Next.
  7. When prompted to allow Remote Management, click Allow.
  8. Authenticate installation using the device’s administrator password, then click Enroll.
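The web server step referenced above is what lets the Mac find the MDM server from the Managed Apple ID alone. As an added example (not Hexnode’s code or documentation), here is a minimal handler for Apple’s documented discovery endpoint: the Mac requests GET /.well-known/com.apple.remotemanagement?user-identifier=<MAID> on the MAID’s domain and expects a JSON body listing the MDM base URL. MAID_DOMAIN and MDM_BASE_URL are assumed placeholders, not values from this page.

```python
import json
from urllib.parse import urlsplit, parse_qs

# Assumptions (placeholders, not values from the Hexnode page):
MAID_DOMAIN = "example.com"   # domain of the organization's Managed Apple IDs
MDM_BASE_URL = "https://portalname.hexnodemdm.com/enroll/account-driven"  # MDM base URL

# Apple's fixed discovery path; the Mac derives the host from the MAID's domain.
WELL_KNOWN_PATH = "/.well-known/com.apple.remotemanagement"


def discovery_document(version="mdm-byod"):
    """JSON body Apple expects from the discovery endpoint.

    "mdm-byod" selects account-driven User Enrollment (the BYOD flow on this
    page). The BaseURL must be HTTPS; the Mac sends the enrollment request there.
    """
    return {"Servers": [{"Version": version, "BaseURL": MDM_BASE_URL}]}


def handle_discovery(method, target):
    """Serve one discovery request; returns (status, headers, body).

    `target` is the request-target as received, e.g.
    "/.well-known/com.apple.remotemanagement?user-identifier=jane%40example.com".
    """
    parts = urlsplit(target)
    if method != "GET" or parts.path != WELL_KNOWN_PATH:
        return 404, {}, ""
    identifiers = parse_qs(parts.query).get("user-identifier", [])
    if len(identifiers) != 1 or "@" not in identifiers[0]:
        return 400, {}, ""
    # Only answer for our own Managed Apple IDs: the Mac never routes another
    # domain's identifier here, so anything else is treated as unknown.
    if identifiers[0].rsplit("@", 1)[1].lower() != MAID_DOMAIN:
        return 404, {}, ""
    body = json.dumps(discovery_document())
    return 200, {"Content-Type": "application/json"}, body
```

Serve this over HTTPS at the root of the Managed Apple ID domain; the discovery document only points the Mac at the MDM server, the user still authenticates with the Hexnode credentials and the MAID as described in the steps above.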

Case 3: User Selects Ownership and Enrollment Type

If the portal ownership setting is configured to Let the user choose/Allow user to choose, the device enrollment flow is slightly modified:

Case 3A: Profile-driven Enrollment Flow

This procedure starts in the web browser and is guided by the enrollment URL.

  1. Open the Safari browser and enter the enrollment URL (e.g., https://portalname.hexnodemdm.com/enroll/).
  2. Enable the agreement checkbox on the enrollment screen and click Enroll.
  3. Authenticate with the user account credentials configured in the Hexnode UEM console.
  4. Under Ownership, choose “I own this device” and click Authenticate (setting device ownership to Personal).
  5. On the subsequent management choice page, select “Manage only work related data and apps” (this designates Profile-driven User Enrollment).
  6. Enter the Managed Apple ID and click Download Profile.
  7. Open System Settings and navigate to Privacy & Security > Profiles.
  8. Double-click the downloaded profile to install it.
  9. Authenticate profile installation using the device’s administrator credentials.
  10. Authenticate with the Managed Apple ID password to complete the sign-in on the Mac.

Case 3B: Account-driven Enrollment Flow

This procedure starts directly within the Mac’s System Settings.

  1. Open System Settings and navigate to Privacy & Security > Profiles.
  2. Adjacent to the Work or School Account section, click Sign In.
  3. Enter the Managed Apple ID and click Continue.
  4. When prompted for web browser authentication, click Open Browser.
  5. On the enrollment screen, enable the agreement checkbox and click Enroll.
  6. Authenticate with the user account credentials configured in the Hexnode UEM console.
  7. Under Ownership, choose “I own this device” and click Authenticate (setting device ownership to Personal).
  8. On the subsequent management choice page, select “Manage only work related data and apps” (this designates Account-driven User Enrollment) and click Authenticate.
  9. The device will redirect back to System Settings. Sign in to iCloud using the Managed Apple ID password and click Next.
  10. Click Allow when prompted to authorize Remote Management.
  11. Authenticate installation using the device’s administrator password, then click Enroll.

MDM Functionalities Under User Enrollment

The management scope for User enrollment on Mac is heavily restricted to protect privacy. Functionalities are primarily focused on configurations and essential actions:

  1. Remote Actions
  2. Restrictions
    • Device Functionality and Personalization
      • Screen Capture
  3. Network
  4. Accounts
  5. Security
  6. Configurations

What Happens at the Device End? (Enrollment Verification)

Once the enrollment process is successful, the mandatory enrollment profile is installed on the Mac device. Administrators or users can verify the successful installation and check the profile’s status by locating it in the system settings, which vary by macOS version:

  • macOS 10.15 to 12: System Preferences > Profiles
  • macOS 13 to 14: System Settings > Privacy & Security > Profiles
  • macOS 15 and later: System Settings > General > Device Management

To confirm the enrollment type in the Hexnode UEM portal:

  1. Log in to the Hexnode UEM portal and navigate to the Manage tab.
  2. Select the desired Mac and open the Device Summary page.
  3. Check the Enrollment details section. The Enrollment type field will explicitly state whether the device is enrolled via Profile-driven user enrollment or Account-driven user enrollment.

Frequently Asked Questions (FAQs)

Q1. What is a Managed Apple ID and why is it mandatory for User Enrollment on Mac?

A Managed Apple ID (MAID) is an organizational account provisioned through Apple Business Manager (ABM). It is mandatory for User enrollment on Mac because it serves as the user’s secure, dedicated work identity. Crucially, the MAID operates independently of the user’s personal Apple ID, effectively establishing the necessary privacy boundary and secure context for the BYOD framework.

Q2. Why does Hexnode UEM not retrieve device identifiers (UDID, IMEI) under User Enrollment?

The inability to retrieve hardware identifiers (such as UDID, IMEI, Serial Number, or MEID) is a fundamental design feature of the User enrollment on Mac type. Because this enrollment is designed for BYOD and user privacy, Apple explicitly restricts MDM access to these sensitive, unique identifiers. This protection ensures management remains strictly limited to work-related data and maintains the separation from the user’s personal device usage.

Troubleshooting Guide for User Enrollment

1. Profile-Driven User Enrollment Failure (Deprecation)

Symptom:

Profile installation fails with the specific error: “Unable to Install Profile. Profile Driven User Enrollment is not supported.”

Cause:

Apple has formally deprecated support for Profile-driven User Enrollment. This blocking mechanism is fully enforced on macOS 15 and later (and iOS/iPadOS 17+), causing the system to reject new profile-based enrollments regardless of UEM console settings.

Solution:

Migrate to Account-Driven Enrollment: The organization must switch to the Account-Driven Enrollment method. This requires users to authenticate with a Managed Apple ID and initiate the enrollment directly via System Settings (not a browser link).

Note:

Existing profile-enrolled devices on older OS versions are unaffected.