![]() The user enrolling the device in a user-initiated enrollment workflow must have administrative permissions on the device. User profiles are not delivered/applied to the non-staged device until the managed user account logs in again. If the managed user logs out from a non-staged device and another macOS user logs in, Workspace ONE does not apply any u ser items to that new logged-in user. This means that any profiles and applications targeting the u ser only apply when that specific macOS user is logged in. In other words, the managed user is the macOS user account that enrolled with Workspace ONE credentials. In a user-initiated enrollment (such as Bring Your Own Device), macOS device enrollment with a Workspace ONE UEM user's credentials ( e nrollment user) makes that currently logged in macOS user ( logged-in user) the Workspace ONE managed user. Via Automated Enrollment with Apple Business Manager (or Apple School Manager): Much like iOS, Automated enrollment via Apple Business (or School) Manager is considered a "corporate-owned" enrollment scenario and is therefore automatically considered user-approved.Via the Profiles panel after non-UA enrollment: If the MDM profile is installed via scripting or remote shell, the user can launch the Profiles preferences pane and manually click the Approve button on the Enrollment Profile.Via the Profiles preferences panel by the user: By forcing the user to install the MDM profile in the Profiles panel, administrators are ensured the user has agreed to their intent to be managed and approved the specific system performing management. ![]() To qualify as a user-approved enrollment, the MDM profile must be installed in one of these ways: In other words, if the user does not "approve" the enrollment, some security-related management functionality is limited or prevented. This new enrollment state provides Apple a way to prevent some management functionality until the end-user acknowledges (and approves) the device management. User-Approved MDM enrollment was introduced in macOS High Sierra as a way to prevent IT administrators (or malware attacks) from being able to silently gain full control over macOS. It is important to note the subtle differences between these three types of users as we begin discussing enrollment scenarios.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |