How to Enroll Mac Devices in Hexnode UEM
Hexnode UEM is a Unified Endpoint Management platform that lets administrators enroll, secure, restrict, and manage macOS devices from the Hexnode portal. macOS enrollment installs an MDM profile on the Mac and establishes communication between the device, the Hexnode UEM server, and Apple Push Notification service (APNs). This guide explains the supported macOS enrollment methods in Hexnode UEM, including Open Enrollment, Authenticated Enrollment through Email or SMS, Self Enrollment, and links to zero-touch or automated enrollment options. Use these workflows for corporate-owned Macs, BYOD deployments, directory-authenticated users, or migration scenarios where the device must be brought under management without removing existing user data. After enrollment, the Mac is associated with the specified user and the chosen ownership type, allowing administrators to apply policies, restrictions, and remote management actions based on the organization’s requirements.
Prerequisites for macOS Enrollment in Hexnode UEM
Complete the following requirements before enrolling macOS devices in Hexnode UEM:
- APNs configuration: Ensure that you have successfully configured the APNs certificate in your Hexnode UEM server. APNs is mandatory for communicating with macOS devices.
- macOS version support: Hexnode UEM supports devices running macOS 10.7 and later.
Available macOS Enrollment Methods in Hexnode UEM
Hexnode UEM supports multiple macOS enrollment workflows. Select the method based on deployment scale, security requirements, ownership model, and the level of user involvement required during enrollment.
- Open Enrollment without enrollment credentials.
- Authenticated Enrollment with user or admin-provided credentials.
- Email or SMS Enrollment using an enrollment request.
- Self Enrollment using directory credentials or configured Hexnode credentials.
- Zero-touch or automated enrollment options for macOS:
Method 1: Enroll macOS Devices Using Open Enrollment
Open Enrollment allows users to enroll a Mac without entering enrollment credentials. This method is suitable for trusted environments or corporate-owned devices where administrators want to reduce user friction and assign all enrolled devices to a selected default user.
Configure Open Enrollment in the Hexnode UEM Portal
- Navigate to Enroll > Platform Specific > macOS > Email or SMS.
- Click Switch to Open Enrollment.
- Choose the appropriate user Domain. Only users belonging to this domain can be selected as the default user.
- Select a Default User to associate with the enrolled device.
- Set Ownership based on the enrolling device. Select either Personal or Corporate.
- Click Next.
Complete Open Enrollment on the Mac
- Open the Safari browser on the Mac.
- Enter the Hexnode enrollment URL.
- Click Enroll. The MDM profile will be downloaded.
- To install the profile, click Continue, and then click Install.
- Enter the Mac administrator’s username and password when prompted.
The Mac is now enrolled in Hexnode UEM and associated with the selected default user and ownership type.
Method 2: Enroll macOS Devices Using Authenticated Enrollment
Authenticated Enrollment requires the user to provide credentials before the MDM profile is downloaded and installed. In Hexnode UEM, authenticated enrollment for macOS includes Email or SMS Enrollment using generated enrollment credentials and Self Enrollment using directory or configured user credentials.
Sub-Method A: Email or SMS Enrollment Using an Enrollment Request
Email or SMS Enrollment authenticates the user with credentials either generated by Hexnode UEM and delivered through an enrollment request, or using the directory-based user’s credentials. Use this method when administrators need to invite specific users to enroll their Mac and control how the enrollment credentials are distributed.
Configure Email or SMS Enrollment in the Hexnode UEM Portal
- Navigate to Enroll > Platform Specific > macOS > Email or SMS.
- Click Switch to Authenticated Enrollment > Authenticated Enrollment.
- Select Enrollment Request as the enrollment type.
- Set the Ownership option.
- Click Next. A success message will be displayed.
- Select the checkbox for Email or SMS based on the required delivery method.
- Change the Domain and select the specific User to enroll.
- Click Send.
Complete Email or SMS Enrollment on the Mac
- Open the Safari browser and enter the enrollment URL.
- Click Enroll.
- Enter the unique username and password received in the enrollment request email or SMS.
- Click Authenticate. The MDM profile will be downloaded.
- Click Continue, and then click Install to install the profile.
- Enter the Mac administrator’s username and password.
Sub-Method B: Self Enrollment for macOS Devices
Self Enrollment allows users to enroll their Mac using existing credentials, such as Active Directory, Microsoft Entra ID, Google, or Okta credentials, or by using a common default password configured for enrollment. This method is useful when users are expected to initiate enrollment independently while still authenticating before the MDM profile is installed.
Configure Self Enrollment in the Hexnode UEM Portal
- Go to Enroll > Platform Specific > macOS > Email or SMS.
- Click Switch to Authenticated Enrollment > Authenticated Enrollment.
- Select Self Enrollment as the enrollment type.
- Set the Ownership option.
- Click Next. A success message will be displayed.
Complete Self Enrollment on the Mac
- Open the Safari browser and enter the enrollment URL.
- Click Enroll.
- Select the domain.
- Enter your directory-specific username and password.
- Click Authenticate.
- Click Continue, and then click Install to install the profile.
- Enter the Mac administrator’s username and password.
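After any of the enrollment methods above, the result can be checked on the Mac from Terminal with the built-in `profiles status -type enrollment` command. The script below is an added example, not Hexnode's own tooling: it classifies that command's output and, where an "MDM server" line is present, confirms the Mac enrolled to the expected portal. The host `portal.example.invalid` and the sample output are constructed placeholders.

```shell
#!/bin/sh
# Added example, not Hexnode code. Classifies `profiles status -type enrollment` text.

# Constructed sample output; portal.example.invalid is a placeholder host.
SAMPLE_STATUS='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)
MDM server: https://portal.example.invalid/mdm/checkin'

# Usage: <status text on stdin> | classify_enrollment EXPECTED_HOST
# Prints: not-enrolled | enrolled-not-approved | wrong-server | ok
classify_enrollment() {
    expected_host=$1
    status=$(cat)
    mdm=$(printf '%s\n' "$status" | sed -n 's/^MDM enrollment:[[:space:]]*//p' | head -n 1)
    server=$(printf '%s\n' "$status" | sed -n 's/^MDM server:[[:space:]]*//p' | head -n 1)

    case $mdm in
        Yes*) ;;
        *) echo "not-enrolled"; return 0 ;;
    esac
    case $mdm in
        *"User Approved"*) ;;
        *) echo "enrolled-not-approved"; return 0 ;;
    esac
    # The "MDM server" line may be absent on some macOS releases; compare only when present.
    if [ -n "$server" ]; then
        # Strip the URL scheme, then everything from the first "/" or ":" onward.
        host=$(printf '%s\n' "$server" | sed -e 's#^[A-Za-z]*://##' -e 's#[/:].*$##')
        if [ "$host" != "$expected_host" ]; then
            echo "wrong-server"; return 0
        fi
    fi
    echo "ok"
}

# On the enrolled Mac, feed it the live output instead of the sample:
#   profiles status -type enrollment | classify_enrollment your-portal-host
printf '%s\n' "$SAMPLE_STATUS" | classify_enrollment portal.example.invalid
```

A `wrong-server` result means the installed MDM profile points at a host other than the one passed in, which is worth investigating before the device is trusted as managed.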
Troubleshooting macOS Enrollment Errors
Enrollment URL is inaccessible
Symptom: The user is unable to access the enrollment URL provided through email or SMS.
Cause: The Hexnode UEM server may be blocked from reaching the device. This is most commonly caused by strict local firewall settings on the Mac that prevent incoming connections required during enrollment.
Solution: Temporarily adjust the device’s firewall settings to allow the required connections:
- Go to System Preferences or System Settings > Security & Privacy > Firewall.
- Click Firewall Options.
- Uncheck Block all incoming connections.
- Click OK and try enrolling the device again.
Network connection error during profile installation
Symptom: During MDM profile installation, the following error appears: Profile installation failed. Network connection was lost.
Cause: The device cannot validate the MDM server’s SSL certificate, which is required for secure profile installation. This failure is usually caused by inaccurate date and time settings on the Mac.
Solution:
- Time sync: Ensure that the date and time settings on the Mac are accurate and synchronized with a reliable network time server.
- Persistent error: If the error continues after correcting the time, the operating system integrity may be affected. In this rare case, activate the device’s Recovery Mode and perform an OS restore to resolve core system issues.
Frequently Asked Questions
Why is the APNs certificate mandatory for Mac enrollment?
APNs, or Apple Push Notification service, is the Apple-managed communication channel used by the MDM or UEM server to send management commands to macOS devices. Without a valid APNs certificate in Hexnode UEM, macOS enrollment and device management cannot proceed.
What is the technical difference between Email or SMS Enrollment and Self Enrollment?
Both methods are part of Authenticated Enrollment, but they use different credential sources:
- Email or SMS Enrollment: The user authenticates with unique credentials that are generated by Hexnode UEM and delivered through an enrollment request by email or SMS.
- Self Enrollment: The user authenticates using existing corporate identity credentials, such as Active Directory or Microsoft Entra ID credentials, or with a default or individual password assigned from Hexnode for non-directory users.
Can I enroll a macOS device in Hexnode without factory resetting it?
Yes. Several macOS enrollment workflows can bring a device under Hexnode management without a factory reset:
- Profile-Driven Enrollment: The user manually downloads an enrollment profile through a web browser. This supports Device Enrollment for stronger corporate control and User Enrollment for a privacy-focused BYOD approach.
- Account-Driven Enrollment: On supported macOS versions, users enroll by signing in with a Managed Apple Account in System Settings. This supports both Device Enrollment and User Enrollment without requiring external profile downloads.
- Hexnode Gateway migration: Hexnode Gateway is used to switch from another MDM provider to Hexnode. It uses a transition package to migrate the device while preserving existing user data and settings.