Configuring Mac Device Enrollment

Tanium™ Mac Device Enrollment connects the Tanium Server to the Tanium MDM Cloud, which communicates with your users' enrolled devices through the Apple Push Notification Service (APNs). This configuration allows you to configure device settings, applications and policies in the Tanium Console and push them to enrolled devices.

To configure Mac Device Enrollment, you must complete the following steps:

  1. Create a tenant in the Tanium MDM Cloud. Once you've created a tenant, you connect your Tanium Server to the Tanium MDM Cloud.

  2. Configure identity providers. This allows your users to enter their corporate credentials, such as an email address, to enroll devices using the Tanium MDM enrollment portal. It also allows you to control which users are allowed to enroll.
  3. Request and upload an Apple MDM Push Certificate (also referred to as an APNs certificate). This certificate creates trust between Mac Device Enrollment and Apple, which enables Mac Device Enrollment to communicate with enrolled devices.

Create a Tanium MDM Cloud tenant

To connect Tanium to your MDM system, you must have a tenant in the Tanium MDM Cloud. Complete the following steps to create your tenant.

Before you begin

To create your MDM tenant, you must have a client configuration in Tanium Client Management that supports macOS. For information, see Tanium Client Management User Guide: Create a client configuration.

Create a tenant

You must contact Tanium Support if you need to update your tenant information.

  1. From the Main menu, go to Shared Services > Mac Device Enrollment.
  2. From the Mac Device Enrollment menu, click Configuration.
  3. For MDM Tenant, click Configure .
  4. In the Company Name field, enter a name for your tenant.
  5. In the Domain Name field, enter the domain you want to associate with your tenant.
    • Tanium uses the domain name as the unique identifier for your tenant. It cannot be changed.
    • The domain name must be publicly registered.
  6. In the Notification Email Addresses field, enter email addresses to receive Apple MDM Push Certificate (also referred to as an APNs certificate) expiration notifications. The MDM Push Certificate is valid for one year and must be renewed annually. For renewal information, see Renew an Apple MDM Push Certificate.

  7. From the Client Configuration dropdown list, select the Tanium Client Management client configuration that you want to use for your enrolled macOS devices. The client configuration you select must support macOS.

    You can update the client configuration after Tanium Support creates your MDM tenant. For instructions, see Specify different Tanium Client version to install.

  8. Click Download File and then provide the downloaded request file to Tanium Support. Your support representative uploads the request file to the Tanium MDM Cloud to create your tenant.

    After Tanium Support creates your MDM tenant, they provide a response file for you to upload into your Tanium Console.

    It takes time for Tanium Support to upload the request file you provide to them and to create your tenant. Your support representative can provide you with information on how long this is expected to take.

  9. In the Step 2: File Upload section, upload the response file that you receive from Tanium Support.

    The Tanium Client version specified in Step 1: Tenant Information is the latest version of the client that was available when Tanium Support created your tenant. To update to the most recent version of the client, see Specify different Tanium Client version to install.

If you have problems during the configuration process, recheck the data you entered, generate and download a new request file, and provide the new request file to Tanium Support.

Configure identity providers

Configure an identity provider (IdP) to allow users to authenticate with their corporate credentials and enroll devices with the Tanium MDM enrollment portal. You can configure IdPs that use either security assertion markup language (SAML) or OpenID Connect (OIDC).

Configure a SAML Identity Provider

  1. From the Main menu, go to Shared Services > Mac Device Enrollment.
  2. From the Mac Device Enrollment menu, click Configuration.
  3. For Identity Providers, click Configure .
  4. Click Create.

  5. In the Name field, enter a unique name to identify the IdP.

  6. For the IdP Type, select SAML.

  7. Update your IdP with the SSO Redirect URL and Audience URI that are in the Required Identity Provider Entries section.

    You must update these entries before you provide your IdP metadata to Tanium. After you update your IdP with the SSO Redirect URL and Audience URI, select I have updated my SAML provider with the required information.

  8. In the SAML Settings section, select how you want to provide metadata (File or URL) and complete one of the following steps.
      • For File: Upload the XML metadata file from your IdP.
      • For URL: In the URL field, enter the URL of your IdP metadata.
  9. In the Email field, enter the attribute from your IdP that contains the email address that you want users to use to sign in to the Tanium MDM enrollment portal. For example, enter http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress.
  10. In the Allow User to Enroll field, enter the attribute from your IdP that Tanium can use to determine if a user is allowed to enroll a mobile device in the Tanium MDM enrollment portal. This can be any Boolean attribute with True or False values. For example, enter http://schemas.xmlsoap.org/ws/2005/05/identity/claims/appuser.mdm_enroll, where True allows a user to enroll a device, and False prevents the user from enrolling.
  11. Click Add.

Configure an OIDC Identity Provider

  1. From the Main menu, go to Shared Services > Mac Device Enrollment.
  2. From the Mac Device Enrollment menu, click Configuration.
  3. For Identity Providers, click Configure .
  4. Click Create.

  5. In the Name field, enter a unique name to identify the IdP.

  6. For the IdP Type, select OIDC.

  7. Update your IdP with the Redirect URI that is in the Required Identity Provider Entries section. Your IdP redirects users to this URI. The redirect URI is required for your IdP to integrate with Tanium MDM. After you update your IdP with the Redirect URI, select I have updated my OIDC provider to accept this redirect URI.

  8. In the OIDC Settings section, enter the following information from your IdP.

    Client ID A unique, public identifier from your identity provider.
    Client Secret A secret that is known only by the identity provider and the authorization server. It is often encrypted or hashed.
    Attribute Request Method Either GET or POST, depending on your IdP requirements. The default setting is GET.
    Issuer The URL of the IdP that allows the API server to find the public signing keys for the IdP. Must begin with https://.
  9. In the Email field, enter the name of the attribute from your IdP that contains the email address that you want users to use to sign in to the Tanium MDM enrollment portal. For example, enter email.

  10. In the Allow Users to Enroll field, enter the name of the Boolean attribute from your IdP with a True or False value that Tanium can use to determine if a user is allowed to enroll a mobile device in the Tanium MDM enrollment portal. For example, enter mdm_enroll.

  11. Click Create.

Choose a preferred identity provider

If you configure more than one IdP, you can either allow users to choose which IdP they want to manage their access to the Tanium MDM device enrollment portal, or you can optionally select a preferred IdP that manages all user requests to access the portal.

  1. From the Mac Device Enrollment menu, click Configuration.

  2. For Identity Providers, click Configure .
  3. From the list of IdPs, select the checkbox for the IdP you want to set as the preferred IdP.
  4. Click Set Preferred.

To remove a preferred IdP, select the checkbox for the preferred IdP, click Clear Preference, and then click Remove .

Upload an Apple MDM Push Certificate

Obtain an Apple MDM Push Certificate (also referred to as an APNs certificate) and upload it to the Tanium Console to enable Tanium to communicate with Apple devices.

  1. From the Main menu, go to Administration > Mac Device Enrollment.
  2. From the Mac Device Enrollment menu, click Configuration.
  3. For Apple MDM Push Certificate, click Configure .
  4. Select Allow Tanium to send user and device information to Apple.

  5. Click Download Certificate Signing Request to download a certificate signing request file. Upload this file to the Apple Push Certificates Portal to request an Apple MDM Push Certificate.

  6. Click Create Apple MDM Push Certificate to open the Apple Push Certificate Portal and request your MDM Push Certificate. This link takes you out of the Tanium Console to an external Apple website. Return to the Tanium Console after you download your certificate from Apple.

    7. Use an Apple ID that is assigned to an IT security team rather than one that is assigned to an individual when you request the Apple MDM Push Certificate. The same Apple ID must be used to renew the certificate.

  7. In the Mac Device Enrollment Upload an Apple MDM Push Certificate page, enter the Apple ID that you used to request the MDM Push Certificate from Apple in the Apple ID field.
  8. Upload the Apple MDM Push Certificate file that you received from Apple. Click Save.

Apple MDM Push Certificates are valid for one year. You must renew the certificate each year using the same Apple ID that you used to create it. Otherwise, you must request a new certificate. If a new certificate is issued, Mac Device Enrollment loses the ability to communicate with enrolled devices, and all users are forced to re-enroll their devices. For renewal instructions, see Renew an Apple MDM Push Certificate.

Set up Mac Device Enrollment users

You can use the following set of predefined user roles to set up Mac Device Enrollment users.

To review specific permissions for each role, see User role requirements.

For more information about assigning user roles, see Tanium Core Platform User Guide: Manage role assignments for a user.

MDM Administrator

Assign the MDM Administrator role to users who manage the configuration and deployment of Mac Device Enrollment functionality to endpoints.
This role can perform the following tasks:

  • Configure all Mac Device Enrollment service settings.
  • Manage device enrollment methods, enrollment profiles, initial applications, mobile device groups, and all other Tanium MDM settings.

MDM Operator

Assign the MDM Operator role to users who can manage most Mac Device Enrollment settings.

MDM Read Only User

Assign the MDM Read-Only User role to users who can review settings and configuration items in Mac Device Enrollment.

MDM Service Account

Do not assign the MDM Service Account role. This role is for internal use by Mac Device Enrollment only.

Next steps

Create enrollment profiles

Use enrollment profiles to configure settings on devices when they enroll with Mac Device Enrollment. See Creating enrollment profiles.

Add initial applications

Add applications that you want to install on macOS devices when they enroll with Mac Device Enrollment. See Specifying initial applications.

Create mobile device groups

Use mobile device groups to target policies to devices enrolled with Mac Device Enrollment. See Creating mobile device groups.

Enroll devices

Decide whether to use automated device enrollment or user assisted enrollment to enroll devices in Mac Device Enrollment. See Enrolling mobile devices.

Mac and macOS are trademarks of Apple Inc., and registered in the U.S. and other countries and regions.