Using these steps, you will configure JumpCloud as a Mobile Device Management (MDM) server.
Summary: You will download a Certificate Signing Request (CSR) from the JumpCloud Admin Portal; this unique CSR contains your organization’s MDM configuration within JumpCloud. Next, you will log in to the Apple Push Certificate Portal and upload the CSR file. Apple validates JumpCloud's information and issues a push certificate with the public key included in the CSR. After you download the push certificate, upload it to JumpCloud to create a secure connection.
Prerequisites:
- An Apple ID is required to set up the Apple Push Notification service (APNs).
Remember the Apple ID used to sign into the Apple Push Certificates Portal when the time comes to renew your MDM certificate.
- Confirm that each user’s local account username matches either their JumpCloud username or the value in the Local User Account field in JumpCloud.
- JumpCloud can only take over existing usernames if they match between OS and JumpCloud. Mismatches will cause JumpCloud to provision new user accounts with the JumpCloud username and create confusion. See Take Over an Existing User Account with JumpCloud.
Configuring MDM
- Log in to the JumpCloud Admin Portal.
- Go to DEVICE MANAGEMENT > MDM.
- Under Configure Apple MDM, click Configure MDM.
- Under Download Your CSR, click Download CSR and save the file.
- Under Sign in to Apple Push Certificate Portal, click Go to Apple or log in to the Apple Push Certificates Portal directly: https://identity.apple.com/pushcert.
- Click Create a Certificate.
- If prompted, review Apple’s Terms of Use and click Accept.
- Upload your JumpCloud CSR file. To do so:
- Click Choose File and select the JumpCloud CSR file.
- Click Open.
- Click Upload.
- Enter your company Apple ID. This is the same account that you used to log in to the Apple Push Certificates Portal.
Your company Apple ID must be a valid email address.
- Click Download to download the new certificate (for example, MDM_JumpCloud_certificate.pem).
- In the JumpCloud Admin Portal, under Upload MDM Push Certificate on the Set Up Apple MDM Certificate page, click Browse to find the Apple Push Certificate or drag and drop the file.
- Click complete setup. A message on the MDM home tab indicates that MDM is configured.
Here's a guided simulation: Configuring JumpCloud MDM for Apple.
Renewing Your MDM Certificate
You need to renew your MDM certificate yearly to continue to securely monitor your organization’s devices. When your MDM certificate is expiring, you will see a yellow icon that reads “Expiration Warning”. If the certificate has expired, the icon will be red and read “Certificate Expired.”
- Log in to the JumpCloud Admin Portal: https://console.jumpcloud.com.
- Go to DEVICE MANAGEMENT > MDM.
- On the MDM home page, click renew under APNs Configuration for MDM.
- In the Renew MDM Configuration page, click Download CSR under Download Your CSR, and then save the file.
- Under Sign in to Apple Push Certificates Portal, click Go To Apple or log in to the Apple Push Certificates Portal: https://identity.apple.com/pushcert.
- In the Apple Push Certificates Portal, select your certificate and click Renew.
To ensure that you are renewing the correct serial number, click the “i” icon to view the serial number you are renewing and compare it to your org’s serial number in your JumpCloud Admin Portal.
- Click Choose File, select your CSR file (for example, download-mdm.csr), then click Open.
- Click Upload to renew the push certificate.
- On the Apple Confirmation page, click Download and save the new certificate (for example, MDM_JumpCloud_certificate.pem), and then click Save.
- Enter your Apple ID.
This is the only place in the process where you can modify or add your company Apple ID.
- In the JumpCloud Admin Portal, click Browse under Upload MDM Push Certificate to locate the Apple Push Certificate and click Open. You can also drag and drop the file.
- Click complete renewal. A message on the MDM home tab indicates that your MDM configuration was renewed.
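A pre-upload check for the renewal steps above, as an added example that is not part of JumpCloud's documentation: it reads the downloaded push certificate with the openssl CLI, prints its serial number for the comparison against the Apple portal and the JumpCloud Admin Portal, and reports whether the certificate is expired or inside a warning window. The function names, the script name, the 30-day default window and the assumption that the portals show the serial in hexadecimal are assumptions; the helper that builds a self-signed certificate exists only to produce constructed test input.

```sh
#!/bin/sh
# Added example: checks on an APNs push certificate in PEM form (needs openssl).

# Print the certificate's serial number in hex.
push_cert_serial() {
    openssl x509 -in "$1" -noout -serial | cut -d= -f2
}

# Strip separators and case so "0a:1b" and "0A1B" compare equal.
normalize_serial() {
    printf '%s' "$1" | tr -d ': \n' | tr 'a-f' 'A-F'
}

# Succeed only if the file's serial equals the expected one ($2),
# e.g. the serial shown for your org in the JumpCloud Admin Portal.
serial_matches() {
    [ "$(normalize_serial "$(push_cert_serial "$1")")" = "$(normalize_serial "$2")" ]
}

# Print "unreadable", "expired", "expiring" or "ok".
# $1 = PEM file, $2 = warning window in days (default 30 is an assumption).
push_cert_status() {
    warn_days=${2:-30}
    if ! openssl x509 -in "$1" -noout >/dev/null 2>&1; then
        echo unreadable; return 2
    elif ! openssl x509 -in "$1" -noout -checkend 0 >/dev/null; then
        echo expired; return 1
    elif ! openssl x509 -in "$1" -noout -checkend $((warn_days * 86400)) >/dev/null; then
        echo expiring
    else
        echo ok
    fi
}

# Constructed input only: a self-signed stand-in certificate, not a real
# Apple-issued one. $1 = output PEM, $2 = validity in days.
make_constructed_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1.key" \
        -out "$1" -days "$2" -subj "/CN=constructed-push-cert" 2>/dev/null
}

# Usage: sh check_push_cert.sh MDM_JumpCloud_certificate.pem [EXPECTED_SERIAL]
if [ -n "${1:-}" ]; then
    echo "serial: $(push_cert_serial "$1")"
    echo "status: $(push_cert_status "$1")"
    if [ -n "${2:-}" ]; then
        serial_matches "$1" "$2" && echo "serial matches" || echo "serial MISMATCH"
    fi
fi
```

Running the status check on a schedule against the stored certificate gives an early signal before the yearly expiry, independent of the warning icon in the Admin Portal.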
Removing Your MDM Configuration
Deleting your MDM configuration permanently removes all associated certificates and configuration files. Remove your MDM configuration only if you no longer want to use MDM to manage your devices.
- Log in to the JumpCloud Admin Portal: https://console.jumpcloud.com.
- Go to DEVICE MANAGEMENT > MDM.
- On the MDM Home page, click Delete under APNs Configuration for MDM.
- Enter the number of devices that you want to unenroll from MDM. You must enter the total for all the devices that are enrolled in MDM.
- Click Delete MDM Configuration.
Occasionally, some devices running older versions of macOS will fail to erase. If the device cannot be erased, it will be locked.