VMware Workspace ONE Community
Macintosh DEP supervised and AD joined

RichB2u2 (Hot Shot):

I have managed iPads before but we are now doing some Macintosh computers too. If Macs are enrolled in DEP, can they be AD joined so a user can use their AD credentials to enroll them into AirWatch and how would that be setup? Will they also be supervised?

Accepted Solutions
DavidParsons (Enthusiast):

If your Macs are enrolled in DEP and you have AD synced with AirWatch, there is no need to join your Macs to your domain to enroll them in AirWatch. You certainly can join them to the domain, but that has nothing to do with the AirWatch enrollment.

Yes, they will be supervised devices. One thing to keep in mind with macOS devices: on initial setup they need an internet connection to set up using Remote Management. If you factory reset a Mac and go through the initial setup without an internet connection, it will bypass the remote management and set up without enrollment. You can start the enrollment after it has been set up using terminal commands if necessary.

23 Replies

RichB2u2 (Hot Shot):

OK, thanks for the reply. So if we want a local admin installed on the Mac, do we do that after the user has enrolled it, or use a staging user to prepare the Mac? Is the DEP enrollment user going to be a local admin on the Macintosh?

DavidParsons (Enthusiast):

There is an option in your DEP Profile in the console to have it set up a local admin account automatically for you on enrollment. You have to enable the 'Await Configuration' option under your DEP profile, and then if you scroll to the bottom there will be an option for 'Create New Admin Account', and then you'll also have the option to make it a hidden account or not. You will also see the option there to make your enrollment user an Admin or Standard user on enrollment.

RichB2u2 (Hot Shot):

OK, thanks. We don't want that wait for configuration on for our iPads, so we will create a separate DEP enrollment profile for Macs and apply that manually to the devices before enrollment.

RichB2u2 (Hot Shot):

So the Macs have arrived, they are assigned to our DEP, and the DEP Mac profile was assigned to them instead of the default iOS DEP profile. The profile is set to be required, but unlike the iOS devices, there's no indication of an enrollment required on the Mac. How does it get supervised by AirWatch and enrolled?

If I manually enroll it into AirWatch it is not supervised and the IT admin account isn't added. What am I missing to force the enrollment upon initial startup?

If the DEP profile is set to 'Require MDM enrollment' - ENABLED and 'Supervision' - ENABLED, why is the Mac ignoring this?

If the DEP profile is set to 'Account Setup' - SKIP, how does the user log in with directory credentials if the Mac is not already joined to AD, or is it just enrolling into AirWatch with known directory credentials?

DavidParsons (Enthusiast):

We only use one DEP Profile for both macOS and iOS devices, but it shouldn't be any different with two profiles. Have you verified that the Mac you are trying to enroll is listed in the Devices > Lifecycle > Enrollment Status view in the console? If it isn't showing up there yet, it won't enroll until it is; you may need to run a device sync from there to pull them in from your DEP server first. Sometimes it takes several days for the devices to show up in the console if you don't run a manual sync. Also, are the Macs you are setting up connected to the internet on setup? If they aren't connected to the internet during setup, it will bypass the DEP enrollment on macOS devices.

RichB2u2 (Hot Shot):

The Macs are showing in Lifecycle Enrollment Status, and that is how I assigned the Mac DEP profile to them. Yes, they join Wi-Fi during initial setup and the Apple ID is accepted, so there is connectivity.

DavidParsons (Enthusiast):

From here I'd recommend checking with support to find out why it isn't working. I'm not sure what is missing, since we never had any issues after setting ours up initially. It sounds like you are 99 percent of the way to where you should be and following the correct steps. The only other thing you could try would be a factory reset of one of the Macs to see if it picks it up then.

RichB2u2 (Hot Shot):

So I was able to erase it and start over, and it enrolled when I was at home but wouldn't allow me to log into the Mac! I could use the local admin account from the DEP profile, but the AD account would not authenticate. I pushed a Wi-Fi profile at login for the Mac, and on the company network it will authenticate and log in. Then when I go home again the credentials are not cached and therefore it won't log in. The user's home folder is there in Users.

DavidParsons (Enthusiast):

Make sure you set it up to create a mobile account when logging into the Mac. Go to System Preferences > Users & Groups > Edit your Network Account Server > Click on your Active Directory > There should be an option to create a mobile account whenever someone logs in. Doing this from memory so I think I told you all of the right steps.

RichB2u2 (Hot Shot):

So if it is a brand new Mac (or erased with a fresh copy of macOS) and the DEP profile requires enrollment into AirWatch upon initial activation, how is it supposed to be bound to AD? I enrolled it and it accepted my AD credentials and created a user folder for the account with the same short name as my AD login. Since I couldn't log in with that account, I logged in with the pre-configured local admin account and then bound it to AD after it was enrolled. The box in System Preferences / Users & Groups / Login Options / Network Account Server / Open Directory Utility / Active Directory / 'Create mobile account at login' wasn't checked, but now is after the fact. The account was created and then AD was bound after enrollment. How would I set the AD joining to happen prior to enrollment?

Stansfield (Enthusiast):

You have to have Await Configuration turned on in the DEP profile. Then you log in twice: once at the DEP screen and again at a normal login screen. Like normal for DEP, the end user must be the one to sign in. Also, your Mac must be able to see your AD servers when you first enroll it, before it is in AirWatch. So you do not make it happen before enrollment, but it does happen between signing into DEP and the user being able to use it.

RichB2u2 (Hot Shot):

I have the 'Await Configuration' enabled in the DEP profile. So when the user logs into the DEP prompt, it is enrolling into AirWatch with an AD authenticated account and then logging into the Mac with those credentials, but that process doesn't bind the Mac to AD, so the 'Create Mobile account at login' isn't set yet. When the user leaves the company network, it is unable to authenticate and therefore cannot log in. There aren't cached credentials for this user to be able to log in and join a home network.

Stansfield (Enthusiast):

Are you installing the domain join profile?

RichB2u2 (Hot Shot):

That's what I am missing! I didn't realize that existed so THANKS!

rissmacx (Contributor):

What is the domain join profile? I feel like I am missing something obvious. Thank you.

RichB2u2 (Hot Shot):

It is part of the DEP enrollment profile for Macintosh computers.

Stansfield (Enthusiast):

The domain join profile is a profile under profile > Mac > device > directory; then choose AD or LDAP and configure it. That said, it simplifies device setup if used during a DEP enrollment with the Await Configuration flag turned on, but it is not required.
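An added audit script, not code from the thread or from Workspace ONE, that checks the three states this thread turns on: enrollment via DEP, binding to AD, and whether 'Create mobile account at login' is enabled. It parses the output of the built-in macOS tools `profiles status -type enrollment` and `dsconfigad -show`; the sample output it embeds is constructed so the script also runs off a Mac.

```shell
#!/bin/sh
# Added example, not from the thread or Workspace ONE: audit DEP/MDM enrollment and AD binding
# with mobile accounts. The SAMPLE_* blocks are constructed stand-ins used when run off macOS.

# Constructed sample of `profiles status -type enrollment` on a DEP-enrolled Mac.
SAMPLE_ENROLLMENT='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)'

# Constructed sample of `dsconfigad -show` with mobile accounts off: the state that leaves
# the user without cached AD credentials once the Mac leaves the company network.
SAMPLE_DSCONFIGAD='You are bound to Active Directory:
  Active Directory Forest          = corp.example
  Active Directory Domain          = corp.example
  Computer Account                 = mac-001$

Advanced Options - User Experience
  Create mobile account at login   = Disabled
  Require confirmation             = Disabled'

# Each check takes the tool output as $1 and returns 0 (true) or 1 (false).
dep_enrolled() { printf '%s\n' "$1" | grep -q '^Enrolled via DEP: Yes'; }
mdm_enrolled() { printf '%s\n' "$1" | grep -q '^MDM enrollment: Yes'; }
ad_bound()     { printf '%s\n' "$1" | grep -q '^You are bound to Active Directory'; }

# Prints Enabled, Disabled, or unknown for the "Create mobile account at login" option.
mobile_account_setting() {
  v=$(printf '%s\n' "$1" | sed -n 's/^ *Create mobile account at login *= *\(.*\)$/\1/p')
  printf '%s' "${v:-unknown}"
}

# Run the real tools on macOS; fall back to the constructed samples anywhere else.
get_enrollment() {
  [ "$(uname)" = Darwin ] && profiles status -type enrollment 2>/dev/null && return
  printf '%s' "$SAMPLE_ENROLLMENT"
}
get_dsconfigad() {
  [ "$(uname)" = Darwin ] && dsconfigad -show 2>/dev/null && return
  printf '%s' "$SAMPLE_DSCONFIGAD"
}

# One line per finding; returns 0 only when every check passes.
audit() {
  e=$(get_enrollment); d=$(get_dsconfigad); rc=0
  dep_enrolled "$e" || { echo 'FAIL: not enrolled via DEP; on a Mac set up offline, run: sudo profiles renew -type enrollment'; rc=1; }
  mdm_enrolled "$e" || { echo 'FAIL: no MDM enrollment'; rc=1; }
  ad_bound "$d"     || { echo 'FAIL: not bound to AD; check the domain join (directory) profile'; rc=1; }
  [ "$(mobile_account_setting "$d")" = Enabled ] || { echo 'FAIL: mobile accounts not created at login; no cached AD credentials off-network'; rc=1; }
  return $rc
}

if audit; then echo 'OK: DEP enrolled, AD bound, mobile accounts enabled'; else echo "audit failed, status $?"; fi
```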

rissmacx (Contributor):

Thank you for the immediate responses. Very helpful. I look forward to testing more tomorrow.