Getting started with Mac Device Enrollment

Follow these steps to configure and use Mac Device Enrollment.

Step 1: Configure Tanium with your MDM system

Perform the following tasks to connect Mac Device Enrollment to your MDM system and to allow Tanium to communicate with your users' enrolled mobile devices.

  1. Create your tenant in the Tanium MDM Cloud.
  2. Configure one or more identity providers.
  3. Upload an Apple MDM Push Certificate (also referred to as an APNs certificate).

For information, see Configuring Mac Device Enrollment.

Step 2: Upload server tokens

If you want to use automated device enrollment to enroll devices in Mac Device Enrollment, upload one or more server tokens from your Apple enrollment system. For information, see Managing server tokens.

Step 3: Create enrollment profiles

Control device settings, such as whether a device can be shared between users or whether users can delete MDM profiles from the device, and control the device setup experience. For information, see Creating enrollment profiles.

Step 4: Configure initial applications

Configure a list of predefined critical applications to install on newly enrolled macOS devices, such as administrative tools like the Tanium Client or antivirus software. For information, see Specifying initial applications.

Step 5: Create mobile device groups

Create mobile device groups to target device configuration profiles in Enforce to devices enrolled with Mac Device Enrollment. Group membership is determined by a variety of available device attributes. For information, see Creating mobile device groups.

Step 6: Enroll mobile devices

Use one of the following methods to enroll devices with Mac Device Enrollment:

  • Automated device enrollment: Devices that enroll with an Apple enrollment system, such as Apple Business Manager or Apple School Manager, can be automatically added to Mac Device Enrollment. Configure initial device settings and add a predefined set of initial applications to devices. Devices enrolled through automated device enrollment can also be managed through Enforce, which enables you to target devices or groups of devices with device configuration profiles and to perform remote management tasks on a device, such as locking, resetting, or wiping the device.
  • User-assisted enrollment: Users enroll devices manually using the Tanium MDM enrollment portal. Devices enrolled through user-assisted enrollment can be managed in Enforce, which enables you to target devices or groups of devices with device configuration profiles and to perform remote management tasks on a device, such as locking, resetting, or wiping the device. Choose user-assisted enrollment if you do not use an Apple enrollment system, or if devices were previously enrolled in another MDM system and you do not want to reset the devices.

For information, see Enrolling mobile devices.