Enroll Remote macOS Systems with the MDM Enrollment Policy

Written by Scott Reed on June 26, 2020


Reading the tea leaves from Apple®’s WWDC2020, it’s evident that their mobile device management (MDM) framework is the future for macOS® lifecycle management. 

To that end, JumpCloud® is excited to offer admins a seamless way to remotely enroll macOS systems into MDM via policy in the Directory-as-a-Service® platform.

Admins can implement the JumpCloud MDM Enrollment policy in just a few clicks — enrolling their entire fleet of macOS systems into MDM without any end user input, interaction, or disruption.

One of the most exciting aspects of this policy is its ability to be used to migrate from another MDM vendor to JumpCloud. JumpCloud provides robust system management capabilities across Mac®, Windows®, and Linux® systems, leading many admins to Directory-as-a-Service as a way to consolidate device management into a single platform. 

How it Works

The MDM Enrollment Policy leverages the macOS system agent to apply the JumpCloud MDM enrollment profile.  

JumpCloud policies execute on a device’s agent check-in. This means that targeted offline systems will receive the policy’s payload the next time they come online.  

With one click of a checkbox, the policy will also migrate the bound system from another MDM vendor to JumpCloud MDM.

When selected, the JumpCloud system agent removes any existing non-JumpCloud MDM enrollment profiles before installing the JumpCloud MDM profile on the macOS device. Like the Highlander, there can only be one MDM enrollment profile, so admins using another MDM provider must use this policy to remove existing profiles before deploying the JumpCloud MDM enrollment profile. 

Note: If a device has been enrolled into MDM via automated device enrollment (DEP) and the profile is set to be non-removable, the JumpCloud agent will not be able to remove this profile and migrate the system to JumpCloud MDM.

For admins looking to migrate systems in this state, the device must be reassigned to the JumpCloud MDM server through Apple Business or School Manager, and then re-registered to the profile via new device activation.

Why It Matters

For admins working in the new remote “work from home” world, macOS system management capabilities available via Apple MDM are more important than ever — and admins might find that Apple Business Manager isn’t the solution they’re looking for.

Often, the trickiest part of managing remote systems is deploying management software to them securely. The JumpCloud MDM Enrollment policy allows JumpCloud admins to roll out JumpCloud MDM to existing systems in their org with just a few clicks.

For admins that may have no remote system management currently in place, this policy can be paired with a new feature that allows end users to enroll their own machines into JumpCloud via a self-service workflow in the JumpCloud User Portal, creating a clear path to implement MDM.  

What’s Next

The JumpCloud Apple MDM development team is hard at work developing features that will capitalize on the investment Apple has made in the Apple MDM protocols revealed during its Worldwide Developers Conference. Stay tuned for releases that blend the power of the JumpCloud directory with the payloads only available via Apple MDM.

Scott Reed

Scott Reed is a Product Manager on the Devices team at JumpCloud. Prior to joining the Product team, he led the Solution Architecture team at JumpCloud. In fact, Scott is the original author of the JumpCloud PowerShell module. Scott’s background is in Corporate IT. Outside of work Scott loves to seek out fresh air and adventure with his wife, two young sons, and their black lab Lucy.
