- Enables supervisory-level management features
- Delineates “company” versus “BYOD” devices
- “Out of box” deployment of a device, even remotely
- Doesn't require making hardware-specific boot images
- Helps in recovering a lost device [1]
- Enrollment
- Assignment
- Remote Management
- Bootstrapping MSC
- Performed by the reseller: Tech Shop, CDW, or Apple directly
- Puts the device's serial number in our “pool”
- Typically the most annoying part
- Done by the Mac team
- Tells Apple which server to send the device to at setup
- Sorta-kinda like pre-setting a task sequence
- MDM server is given new device serial number; match-making is configured
- At first boot, the Mac reaches out to Apple's match-making server
- If the match-maker knows about the device (enrolled & assigned), it returns a configuration blob with server details
- Can be triggered post-build with
```
profiles renew -type enrollment
profiles show -type enrollment
...
AwaitDeviceConfigured = 1;
ConfigurationURL = "https://jss.euc.it.umich.edu/cloudenroll";
IsMDMUnremovable = 1;
IsMandatory = 1;
IsMultiUser = 0;
IsSupervised = 1;
MDMProtocolVersion = 1;
OrganizationAddress = "3003 S. State St, 7071 WOTO, , ANN ARBOR, MI 48109";
...
```
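A check one could run over that output to confirm the configuration blob points at the expected MDM server and carries the management flags. This is an added example, not part of the original slides; `parse_enrollment` and `audit` are hypothetical helper names, and requiring all three flags to be 1 is an assumed policy taken from the sample values above.

```python
import re
from urllib.parse import urlparse

# Key/value lines copied from the `profiles show -type enrollment` output above
# (elided "..." lines left out).
SAMPLE = '''\
AwaitDeviceConfigured = 1;
ConfigurationURL = "https://jss.euc.it.umich.edu/cloudenroll";
IsMDMUnremovable = 1;
IsMandatory = 1;
IsMultiUser = 0;
IsSupervised = 1;
MDMProtocolVersion = 1;
'''

# Matches `Key = "quoted value";` or `Key = bare;`, with optional indentation.
LINE = re.compile(r'^\s*(\w+)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|([^;]*?))\s*;\s*$')

def parse_enrollment(text):
    """Parse `Key = value;` lines into a dict of strings; skip anything else."""
    out = {}
    for line in text.splitlines():
        m = LINE.match(line)
        if m:
            out[m.group(1)] = m.group(2) if m.group(2) is not None else m.group(3)
    return out

def audit(text, expected_host):
    """Return a list of findings; an empty list means the blob matches policy."""
    cfg = parse_enrollment(text)
    if "ConfigurationURL" not in cfg:
        return ["no ConfigurationURL found"]
    findings = []
    url = urlparse(cfg["ConfigurationURL"])
    if url.scheme != "https":
        findings.append("ConfigurationURL is not https")
    if (url.hostname or "") != expected_host.lower():
        findings.append(f"unexpected MDM host: {url.hostname}")
    # Assumed policy: company devices are supervised with mandatory, unremovable MDM.
    for key in ("IsSupervised", "IsMandatory", "IsMDMUnremovable"):
        if cfg.get(key) != "1":
            findings.append(f"{key} is not 1")
    return findings

if __name__ == "__main__":
    print(audit(SAMPLE, "jss.euc.it.umich.edu") or "enrollment blob OK")
```

On a managed Mac, the text passed to `audit` would be the captured output of `profiles show -type enrollment`.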
- Setup is configured to create the UM-Support account
- MDM installs its own tools (jamf and Service Provider Support) and a utility called installapplications
- installapps pulls down a list of initial packages and scripts
- installapps installs and launches DEPNotify, which creates the progress screen you see
- installapps installs Managed Software Center and Izzy client
- Izzy does its initial registration steps
- MSC is started and installs everything else
- profit!
- Match-making misses are stored
- What about Apple Store / BestBuy purchases?
Footnotes
- [1] Not really