JumpCloud policies can help you customize, manage, and secure devices in your organization. You can create a Mobile Device Management (MDM) enrollment policy to enroll existing Macs in MDM without using Apple’s Automated Device Enrollment (ADE).
Creating an MDM Enrollment Policy
You distribute and install your organization's MDM enrollment policy, and users then approve the enrollment profile on their Macs. See Add Company-Owned Apple Devices to MDM with Device Enrollment to learn more. Creating an MDM enrollment policy for this saves you time and avoids manual enrollment work.
If your Mac has been added to Apple Business Manager (ABM) or Apple School Manager (ASM) and the JumpCloud agent is installed, you can avoid wiping the device by following this procedure.
Prerequisites:
- MDM is configured for your organization. See Set up Apple MDM.
- To assign a policy to a device, you need an active device running the JumpCloud agent on a supported OS. See Get Started: Devices.
- To assign a policy to a device group, you need a device group. See Get Started: Device Groups.
- Users must meet the following requirements before they can perform the MDM approval process:
  - The user account must be associated with the device. See Bind Users to Devices.
  - The user must have local administrator permissions. See Set Admin/Sudo Privileges.
To create a JumpCloud MDM Enrollment Policy for Mac:
- Log in to the JumpCloud Admin Portal.
If your data is stored outside of the US, use the login URL for your region. See JumpCloud Data Centers to learn more.
- Go to Device Management > Policy Management.
- In the All tab, click (+).
- On the New Policy panel, select the Mac tab.
- Locate the JumpCloud MDM Enrollment policy, then click configure.
- (Optional) On the New Policy panel, enter a new, unique name for the policy or keep the default.
- (Optional) Under Settings, select Remove existing non-JumpCloud MDM enrollment profiles if you want to migrate devices previously enrolled in another MDM vendor. Selecting this removes existing non-JumpCloud MDM enrollment profiles before re-applying the JumpCloud MDM enrollment profile. However, it doesn’t remove existing enrollment profiles from other MDM vendors if the devices were enrolled through Apple’s Automated Device Enrollment. If you don’t have any devices that used another MDM vendor, the Remove existing non-JumpCloud MDM enrollment profiles setting isn’t visible.
- (Optional) Select the Device Groups tab, then select one or more device groups where you'll apply this policy.
Devices enrolled in ADE should not be added to an MDM Enrollment policy. Adding ADE devices to an MDM Enrollment policy may result in unexpected behavior during policy deployments.
- (Optional) Select the Devices tab, then select one or more devices where you'll apply this policy.
- Click save.
- Click save again to confirm. Allow up to a few minutes for the new policy to appear on the Policies page.
After you create and apply a policy, the agent on an individual device continuously compares the local policy with the policy you created in JumpCloud. If a user modifies a device policy, JumpCloud automatically modifies the device policy to comply with the JumpCloud policy. This process ensures that JumpCloud policy and local devices are kept in sync.
Some policies take effect immediately while other policies may require an additional activation step, such as restarting the local system. After a policy takes effect, you can view the policy's status or review the log file to determine if the policy requires additional attention.
User Experience: Approving the MDM Enrollment Profile
After you apply the Mac MDM enrollment policy, users must manually approve the MDM profile via the JumpCloud Menu Bar App to enable user-approved MDM payloads.
- Requirements: Before proceeding, ensure your users meet the Prerequisites for MDM approval, including device binding and administrator permissions.
- End-User Instructions: For step-by-step instructions you can share with your users, see Users: Approve Your Mac MDM Profile.
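To confirm the result of the approval step on a given Mac (and to catch a device that was enrolled through ADE and should not be in this policy), the following added shell example, which is not JumpCloud's own code, classifies the enrollment state from the output of the macOS `profiles status -type enrollment` command. The SAMPLE_* strings are constructed for offline testing; on a real Mac, `report_live_state` reads the live output.

```shell
#!/bin/sh
# Added example (not JumpCloud's code): classify a Mac's MDM enrollment state.
# classify_enrollment parses text in the format printed by
# `profiles status -type enrollment` on macOS. "DEP" is Apple's older name for ADE.

classify_enrollment() {
    # $1: output of `profiles status -type enrollment`
    # Prints one of: ade, user-approved, enrolled-unapproved, not-enrolled
    dep=$(printf '%s\n' "$1" | sed -n 's/^Enrolled via DEP: *//p')
    mdm=$(printf '%s\n' "$1" | sed -n 's/^MDM enrollment: *//p')
    if [ "$dep" = "Yes" ]; then
        # Enrolled through Automated Device Enrollment: this device must not be
        # added to the MDM Enrollment policy.
        printf 'ade\n'
        return 0
    fi
    case "$mdm" in
        "Yes (User Approved)") printf 'user-approved\n' ;;
        # Profile installed, but the user has not yet approved it in the Menu Bar App.
        Yes*)                  printf 'enrolled-unapproved\n' ;;
        *)                     printf 'not-enrolled\n' ;;
    esac
    return 0
}

# Run on the Mac itself (for example as a JumpCloud command) to report the live state.
report_live_state() {
    out=$(profiles status -type enrollment 2>/dev/null) || {
        printf 'profiles(1) not available; run this on macOS\n' >&2
        return 2
    }
    classify_enrollment "$out"
}

# Constructed sample outputs (not captured from a real device).
SAMPLE_APPROVED='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)'
SAMPLE_UNAPPROVED='Enrolled via DEP: No
MDM enrollment: Yes'
SAMPLE_ADE='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)'
SAMPLE_NONE='Enrolled via DEP: No
MDM enrollment: No'
```

A device reporting `enrolled-unapproved` has received the policy but still needs the user to approve the profile; one reporting `ade` should be removed from the policy's device or device group assignment.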
