By Zach DeMeyer Posted December 13, 2019
With the release of macOS® Catalina™, Apple® has extended its automated mobile device management (MDM) enrollment feature set. One of these features lets admins require single sign-on (SSO) authentication over the SAML 2.0 protocol, so users must authenticate against an identity provider (IdP) before the device can enroll in the MDM server.
Organizations can configure JumpCloud® Directory-as-a-Service® as the backing identity provider for SAML 2.0 user authentication during MDM enrollment on macOS Catalina. This practice provides admins and end users alike with several benefits, which we detail below.
Secure MDM Enrollment with JumpCloud
Here’s how the process works (you can read a more technical breakdown at our Help Center):
Following the release of Catalina, MDM vendors that support automated MDM enrollment provide MDM-specific SAML settings to their customers. JumpCloud administrators can then use these settings with the generic SAML 2.0 connector to configure a JumpCloud SAML connection that authenticates users at the MDM enrollment URL. During enrollment, users are prompted to authenticate with their JumpCloud credentials at the JumpCloud user portal. If authentication succeeds, the enrollment workflow proceeds and the MDM payload is delivered.
Why Authorize MDM Enrollment?
Prior to macOS Catalina, any DEP-enrolled device with network access to a configured MDM server could initiate the re-enrollment process. In this manner, bad actors could potentially gain access to an MDM payload and all of the critical application data it holds.
By gating this enrollment process behind an authentication step, admins prevent unauthorized users from initiating re-enrollment and subsequently gaining access to the MDM payload. The authentication step also gives MDM providers the ability to track and record which user authorized each enrollment.
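The flow above ends with the MDM server accepting a SAML 2.0 Response from the IdP and only then releasing the enrollment payload. The following is an added illustrative example, not JumpCloud's, Apple's or any MDM vendor's code, of the service-provider-side checks that make that gate meaningful: the response must answer the AuthnRequest this enrollment started (so a captured response cannot be replayed), be addressed to this server's ACS URL, report success, fall inside the assertion's validity window, name this server as its audience, and carry a subject to record as the enrolling user. The SP entity ID, ACS URL, IdP URL, username and timestamps are constructed placeholders; XML signature verification is assumed to have been performed by the SAML library beforehand and its verdict is passed in, which keeps the block standard-library only.

```python
# Added example (not JumpCloud's, Apple's or an MDM vendor's code): the checks an
# MDM server's SAML service-provider side makes on the IdP's Response before it
# releases the enrollment profile. Standard library only.
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

NS = {
    "samlp": "urn:oasis:names:tc:SAML:2.0:protocol",
    "saml": "urn:oasis:names:tc:SAML:2.0:assertion",
}
SUCCESS = "urn:oasis:names:tc:SAML:2.0:status:Success"

# Placeholder SP identity; the MDM vendor supplies the real entity ID and ACS URL.
SP_ENTITY_ID = "https://mdm.example.test/saml/metadata"
ACS_URL = "https://mdm.example.test/saml/acs"
CLOCK_SKEW = timedelta(minutes=2)
REFERENCE_TIME = datetime(2019, 12, 13, 12, 0, tzinfo=timezone.utc)  # constructed


class EnrollmentDenied(Exception):
    """Raised when the SAML response must not unlock MDM enrollment."""


def _ts(dt):
    return dt.strftime("%Y-%m-%dT%H:%M:%SZ")


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def authorize_enrollment(response_xml, expected_request_id, now, signature_ok=True):
    """Return the authenticated NameID (the user to record as enrolling the device)
    or raise EnrollmentDenied. XML-DSig verification is assumed to be done by the
    SAML library already; its verdict arrives here as signature_ok."""
    if not signature_ok:
        raise EnrollmentDenied("assertion signature did not verify")
    root = ET.fromstring(response_xml)
    # Bind the response to the AuthnRequest that started this enrollment, so a
    # response captured from another session cannot be replayed into this one.
    if root.get("InResponseTo") != expected_request_id:
        raise EnrollmentDenied("InResponseTo does not match an outstanding request")
    if root.get("Destination") != ACS_URL:
        raise EnrollmentDenied("response was addressed to a different ACS")
    code = root.find("samlp:Status/samlp:StatusCode", NS)
    if code is None or code.get("Value") != SUCCESS:
        raise EnrollmentDenied("IdP did not report success")
    assertion = root.find("saml:Assertion", NS)
    cond = assertion.find("saml:Conditions", NS) if assertion is not None else None
    if cond is None:
        raise EnrollmentDenied("assertion or its conditions are missing")
    not_before = _parse_ts(cond.get("NotBefore"))
    not_on_or_after = _parse_ts(cond.get("NotOnOrAfter"))
    if now < not_before - CLOCK_SKEW or now >= not_on_or_after + CLOCK_SKEW:
        raise EnrollmentDenied("assertion is outside its validity window")
    audiences = [a.text for a in cond.findall("saml:AudienceRestriction/saml:Audience", NS)]
    if SP_ENTITY_ID not in audiences:
        raise EnrollmentDenied("assertion was issued for a different service provider")
    name_id = assertion.find("saml:Subject/saml:NameID", NS)
    if name_id is None or not (name_id.text or "").strip():
        raise EnrollmentDenied("assertion carries no subject")
    return name_id.text.strip()


def build_sample_response(issued_at, request_id, user="alice@example.test",
                          audience=SP_ENTITY_ID, destination=ACS_URL):
    """Constructed sample IdP response (unsigned; illustration only)."""
    return f"""<samlp:Response xmlns:samlp="{NS['samlp']}" xmlns:saml="{NS['saml']}"
    ID="_r1" Version="2.0" IssueInstant="{_ts(issued_at)}"
    Destination="{destination}" InResponseTo="{request_id}">
  <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="{SUCCESS}"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="{_ts(issued_at)}">
    <saml:Issuer>https://idp.example.test/saml</saml:Issuer>
    <saml:Subject><saml:NameID>{user}</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="{_ts(issued_at)}" NotOnOrAfter="{_ts(issued_at + timedelta(minutes=5))}">
      <saml:AudienceRestriction><saml:Audience>{audience}</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
  </saml:Assertion>
</samlp:Response>"""


def check_scenarios():
    """Run the constructed response through the gate under several conditions."""
    t0 = REFERENCE_TIME
    good = build_sample_response(t0, "_req42")
    wrong_aud = build_sample_response(t0, "_req42", audience="https://other-sp.example.test")

    def outcome(xml, request_id, now, **kw):
        try:
            return authorize_enrollment(xml, request_id, now, **kw)
        except EnrollmentDenied as e:
            return "denied: " + str(e)

    return {
        "valid": outcome(good, "_req42", t0 + timedelta(minutes=1)),
        "replayed": outcome(good, "_req99", t0 + timedelta(minutes=1)),
        "expired": outcome(good, "_req42", t0 + timedelta(minutes=10)),
        "wrong_audience": outcome(wrong_aud, "_req42", t0 + timedelta(minutes=1)),
        "bad_signature": outcome(good, "_req42", t0 + timedelta(minutes=1), signature_ok=False),
    }


if __name__ == "__main__":
    for label, result in check_scenarios().items():
        print(f"{label}: {result}")
```

The returned NameID is the value an MDM server would store against the device record, which is what makes the "who authorized this enrollment" audit trail described above possible; every other branch ends the enrollment without delivering a payload.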
Beyond this, post-enrollment workflows can be designed on a per-user basis. Once a user is identified in this fashion, the user can be assigned as the device owner or provisioned with a set of software based on group membership, all hands-free during the enrollment process. This gives admins the ability to streamline system onboarding and offboarding tremendously.
Custom Automated MDM Enrollment
macOS Catalina automated MDM enrollment supports MDM-provided imagery and messaging windows. This means that admins whose MDM provider supports custom messaging during automated enrollment can use it alongside JumpCloud to create messaging that is displayed to end users before enrollment.
Administrators can leverage this capability to present enrollment users with instructions, agreements, and company branding. Users unfamiliar with the macOS enrollment process can be guided by enrollment messaging to take necessary actions, including the entering of their single sign-on credentials.
Branding, Productivity and Reducing the Cost of IT
Beyond the benefits of streamlining enrollment, companies that already use single sign-on services can also give their users a consistent sign-on experience. Employees who enroll a new Apple device through this process are presented with the familiar single sign-on portal. This way, employees are not burdened with remembering another password, and IT teams can offload the traditional device setup process to employees through zero-touch workflows.
Try JumpCloud Free
Interested in using JumpCloud to streamline your Catalina MDM enrollment? Try Directory-as-a-Service for free for up to 10 users and systems, forever. You can kick the tires for as long as you need until you’re ready to scale the size of your organization alongside a cloud directory. We also offer free personalized demos for those who want to see the product in action.