JumpCloud policies can help you customize, manage, and secure devices in your organization. You can create a Mobile Device Management (MDM) enrollment policy to enroll existing macOS devices in MDM without using Apple’s Automated Device Enrollment.
If you use macOS 11.0 (Big Sur) or later and your device was not enrolled via Automated Device Enrollment, then you must manually download your organization's MDM enrollment file, distribute it, and install it as described in Add Company-Owned Apple Devices to MDM with Device Enrollment.
Creating an MDM Enrollment Policy
You need to distribute and install your organization’s MDM enrollment policy and users will then approve the enrollment profile. For more information, see Add Company-Owned Apple Devices to MDM with Device Enrollment. Creating an MDM enrollment policy to do this saves you time and headaches.
If your macOS device has been added to Apple Business Manager (ABM) or Apple School Manager (ASM) and the JumpCloud agent is installed, you can avoid wiping the device by following this procedure.
Prerequisites:
- MDM is configured for your organization. See Set up Apple MDM.
- To assign a policy to a device, you need an active device running the JumpCloud agent on a supported OS. See Get Started: Devices.
- To assign a policy to a device group, you need a device group. See Get Started: Device Groups.
- Users must be bound to the device in the Admin Portal before they will be prompted to approve the MDM enrollment profile on the device.
To create a JumpCloud MDM Enrollment Policy for Mac:
- Log in to the JumpCloud Admin Portal: https://console.jumpcloud.com/login.
- Go to DEVICE MANAGEMENT > Policy Management.
- In the All tab, click (+).
- On the New Policy panel, select the Mac tab.
- Locate the JumpCloud MDM Enrollment policy, then click configure.
- (Optional) On the New Policy panel, enter a new, unique name for the policy or keep the default.
- (Optional) Under Settings, select Remove existing non-JumpCloud MDM enrollment profiles if you want to migrate devices previously enrolled in another MDM vendor. Selecting this removes existing non-JumpCloud MDM enrollment profiles before re-applying the JumpCloud MDM enrollment profile. However, it doesn’t remove existing enrollment profiles from other MDM vendors if the devices were enrolled through Apple’s Automated Device Enrollment. If you don’t have any devices that used another MDM vendor, the Remove existing non-JumpCloud MDM enrollment profiles setting isn’t visible.
- (Optional) Select the Device Groups tab, then select one or more device groups where you’ll apply this policy.
Devices enrolled in ADE should not be added to an MDM Enrollment policy. Adding ADE devices to an MDM Enrollment policy may result in unexpected behavior during policy deployments.
- (Optional) Select the Devices tab, then select one or more devices where you’ll apply this policy.
- Click save.
- Click save again to confirm. Allow up to a few minutes for the new policy to appear on the Policies page.
After you create and apply a policy, the agent on an individual device continuously compares the local policy with the policy you created in JumpCloud. If a user modifies a device policy, JumpCloud automatically modifies the device policy to comply with the JumpCloud policy. This process ensures that JumpCloud policy and local devices are kept in sync.
Some policies take effect immediately while other policies may require an additional activation step, such as restarting the local system. After a policy takes effect, you can view the policy's status or review the log file to determine if the policy requires additional attention.
Approving an MDM Enrollment Profile
After you complete the JumpCloud enrollment policy described above, users must approve the MDM profile to unlock any user-approved MDM payloads. Note: Users must be bound to the device in the Admin Portal in order to be prompted to approve an MDM enrollment profile on the device.
Users need Admin permissions on their devices to approve the enrollment profile. If you want to later remove Sudo/Admin privileges from the user, see Set Admin Sudo Privileges.
MacOS 11.0 (Big Sur) or Later
Users running macOS 11.0 (Big Sur) or later click Enroll in the menu bar app to start the enrollment approval. Users then click Continue to manually install the enrollment profile and follow the steps to complete the enrollment.