14 DAY FREE TRIAL

No Search Results

No Search Results

14 DAY FREE TRIAL
  1. Help Center
  2. Enrolling Devices
  3. macOS

Category filter

How to set up user enrollment on Mac?

Jump To

This article will help you initiate User Enrollment on Mac via Hexnode UEM.

Privacy is a critical concern when personal devices are enrolled in remote management solutions, especially in BYOD environments. On macOS and iOS devices, User Enrollment offers a solution by creating a clear separation between work and personal data. This ensures that users’ personal information stays private, while administrators retain the ability to securely manage work-related configurations and data.

User Enrollment requires a Managed Apple ID to establish a user identity on the device. These IDs, created by the organization, provide end-users access to specific Apple services and can co-exist with the user’s personal Apple ID without interaction.

Unlike Automated Device Enrollment, where the Mobile Device Management (MDM) system has complete control over the device, User Enrollment supports only a limited set of payloads and restrictions. For instance, critical MDM commands such as enabling or disabling lost mode, allowing or clearing activation lock, and retrieving device-specific information like serial number, UDID, IMEI, or MEID from the MDM console, cannot be executed. This ensures a balanced approach to device management that respects user privacy while maintaining organizational security.

Pre-requisites:

  • Configure the APNs certificate on the Hexnode UEM portal.
  • Enroll your organization in Apple Business Manager.
  • Create Managed Apple IDs to authenticate the user for MDM management.
  • Choose unsupervised devices running:
    • macOS 10.15 to macOS 14 for Profile-driven enrollment.
    • macOS 14+ for Account-driven enrollment.

Setting up User Enrollment in the Hexnode UEM portal

  1. Log in to your Hexnode UEM portal.
  2. Go to Enroll > Platform – Specific > macOS > Email or SMS.
  3. Choose the authentication mode as Authenticated Enrollment.
  4. Select the type of users for Enrollment Request and Self Enrollment needed to authenticate the enrollment.
  5. Select the Ownership of the device as Personal.
  6. Choose the Apple Enrollment Type as User Enrollment from the below options:
    • Profile-driven
    • Account-driven
  7. Click on Next.
  8. Configure the necessary details for sending enrollment requests and hit Send.

Enrollment requests comprising the enrollment URL, username, and password will be sent to the users via email or SMS.

Setup User Enrollment settings for Mac with Hexnode UEM enrollment settings

On the device,

Case – 1:

If Ownership is selected as Personal and Apple Enrollment Type is selected as Profile-driven > User Enrollment from the portal,

  1. Open the Safari browser and enter the enrollment URL specified in the enrollment request. For example, https://portalname.hexnodemdm.com/enroll/.
  2. On the enrollment screen, enable the checkbox to agree with the terms and conditions. Click Enroll.
  3. Authenticate with the user account credentials configured in the Hexnode UEM console. Click Authenticate.
  4. Enter your “Managed Apple ID” and click on Download Profile.
  5. Open System Settings and navigate to Privacy & Security > Others > Profiles. Double click on the downloaded profile to install it.
  6. Authenticate with the device’s administrator credentials for profile installation.
  7. Authenticate with the Managed Apple ID password to sign in to the Mac.

Case – 2:

If Ownership is selected as Personal and Apple Enrollment Type is selected as Account-driven > User Enrollment from the portal,
Before enrolling your macOS device with Account-driven User Enrollment, you need to set up a web server with enrollment information. Please complete the “Step 1: Set up a web server with enrollment information” under Steps to perform Account driven enrollment.

After setting up the server, follow the steps below on the device,

  1. Open System Settings and navigate to Privacy & Security > Others > Profiles. Adjacent to the Work or School Account, click Sign In.
  2. Enter the Managed Apple ID and click Continue. When prompted authentication using a web browser click Open Browser.
  3. On the enrollment screen, enable the checkbox to agree with the terms and conditions. Click Enroll.
  4. Authenticate with the user account credentials configured in the Hexnode UEM console. After the authentication, you will be redirected back to the System Settings.
  5. Sign in to the iCloud using the Managed Apple ID password, click Next.
  6. When prompted to allow Remote Management, click Allow.
  7. Authenticate using the device’s administrator password to install the remote management profile. Click Enroll.

Case – 3:

If Ownership is selected as Let the user choose/Allow user to choose.

For Profile-driven enrollment,

  1. Open the Safari browser and enter the enrollment URL specified in the enrollment request. For example, https://portalname.hexnodemdm.com/enroll/.
  2. On the enrollment screen, enable the checkbox to agree with the terms and conditions. Click Enroll.
  3. Authenticate with the user account credentials configured in the Hexnode UEM console.
  4. Under Ownership, choose I own this device. Click Authenticate. This will set the device ownership to Personal.
  5. On the next page, “How do you want Hexnode to manage your device?” select Manage only work related data and apps. This will set the Apple Enrollment Type to Profile-driven User Enrollment.
  6. Enter your “Managed Apple ID” and click on Download Profile.
  7. Open System Settings and navigate to Privacy & Security > Others > Profiles. Double click on the downloaded profile to install it.
  8. Authenticate with the device’s administrator credentials for profile installation.
  9. Authenticate with the Managed Apple ID password to sign in to the Mac.

For Account-driven enrollment,

  1. Open System Settings and navigate to Privacy & Security > Others > Profiles. Adjacent to the Work or School Account, click Sign In.
  2. Enter the Managed Apple ID and click Continue. When prompted authentication using a web browser click Open Browser.
  3. On the enrollment screen, enable the checkbox to agree with the terms and conditions. Click Enroll.
  4. Authenticate with the user account credentials configured in the Hexnode UEM console.
  5. Under Ownership, choose I own this device. Click Authenticate. This will set the device ownership to Personal.
  6. On the next page, “How do you want Hexnode to manage your device?” select Manage only work related data and apps. This will set the Apple Enrollment Type to Account-driven User Enrollment. Click Authenticate.
  7. You will be redirected back to the System Settings. Sign in to the iCloud using the Managed Apple ID password, click Next.
  8. When prompted to Allow Remote Management, click Allow.
  9. Authenticate using the device’s administrator password to install the remote management profile. Click Enroll.

MDM functionalities in User enrolled devices

Compared to other enrollment types, User Enrollment severely limits the permissions that an MDM has when administering a device. Unlike device enrollment, device details such as Serial Number, UDID, IMEI and MEID cannot be retrieved in this case.

Here is a comprehensive list of available Hexnode UEM functionalities on devices enrolled using User Enrollment.

  1. Remote Actions
  2. Restrictions
    • Device Functionality and Personalization
      • Screen Capture
  3. Network
  4. Accounts
  5. Security
  6. Configurations
Need more help?
Raise a Ticket Raise a Ticket
Ask Community Ask Community
Chat With us Chat With us
  • Enrolling Devices