Mac Device Enrollment overview
Mac Device Enrollment is currently public beta software.
Tanium™ Mac Device Enrollment helps extend your visibility into macOS endpoints and provides the ability to manage the onboarding experience for these devices, as well as the entire device lifecycle. Integrations with Apple enrollment systems, Apple Business Manager and Apple School Manager, enable you to manage devices that are shipped directly to your employees, while the Tanium MDM enrollment portal enables you to enroll devices that are not enrolled through Apple Business Manager or Apple School Manager, or that were previously enrolled with another MDM system.
Mac Device Enrollment works by connecting the Tanium™ Server to the Tanium MDM Cloud, which in turn communicates with your users' enrolled devices through the Apple Push Notification Service (APNs). This arrangement lets you define device settings, applications and policies in the Tanium™ Console and push them to enrolled devices.
Device enrollment
1. The endpoint enrolls with your Apple enrollment system (Apple Business Manager or Apple School Manager) or with the Tanium MDM enrollment portal.
2. The endpoint retrieves instructions from Apple, depending on where the endpoint is enrolled:
3. The endpoint reaches out to the Tanium Cloud MDM Service.
4. The Tanium MDM Client Profile, enrollment profile and Tanium Client install on the endpoint.
Device configuration
1. An Enforce user creates a macOS Device Configuration Profile policy using the Tanium Console and targets the endpoint with that policy.
2. The Tanium Console (via the Tanium Module Server) sends configuration details to the Tanium Cloud MDM Service.
3. The Tanium Cloud MDM Service asks APNs to request an endpoint check-in.
4. APNs pings the endpoint and requests a check-in at its earliest availability. If the device responds with a "not now" code because it is locked, not online, not connected to the network, or its resources are busy, the check-in is attempted again later.
5. The endpoint checks in with the Tanium Cloud MDM Service.
6. The Tanium Cloud MDM Service responds with the latest configuration profile, and the endpoint installs it.
Tanium MDM Cloud
Tanium MDM Cloud is a cloud-based service that enables your Tanium Server to communicate with your enrolled macOS devices through the Apple Push Notification Service.
Tanium MDM Client Profile
When a user enrolls a device with Tanium MDM Cloud, the Tanium Cloud MDM Service installs the Tanium MDM Client Profile on the endpoint before the Tanium Client is installed. The Tanium MDM Client Profile is a Privacy Preferences Policy Control (PPPC) profile that grants the permissions the Tanium Client requires.
The Tanium MDM Client Profile provides the following permissions:
Application | Location | Required Permissions | Apple Events |
---|---|---|---|
Tanium Client | /Library/Tanium/TaniumClient/TaniumClient | All System Files, Admin System Files, Post Events | System Events, SystemUIServer, Finder |
Tanium Client Extensions | /Library/Tanium/TaniumClient/TaniumCX | All System Files, Admin System Files, Post Events | System Events, SystemUIServer, Finder |
Tanium End User Notifications | /Library/Tanium/EndUserNotifications/bin/end-user-notifications.app | Post Events | System Events, SystemUIServer, Finder |
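
As an added example (not Tanium's code and not a Tanium-published profile), the following Python audits a PPPC .mobileconfig against the table above, reporting documented grants that are absent from the profile and any grants beyond them. The TCC payload type and the service key names (SystemPolicyAllFiles, SystemPolicySysAdminFiles, PostEvent, AppleEvents) are assumed from Apple's PPPC payload format rather than taken from this page, the sample profile is constructed inline, and Apple Events receivers (System Events, SystemUIServer, Finder) are not checked.

```python
import plistlib
# Apple's PPPC (TCC) payload service keys; assumed from Apple's documented
# payload format, not from the Tanium page. The page's permission names map onto them.
KEY_TO_NAME = {
    "SystemPolicyAllFiles": "All System Files",
    "SystemPolicySysAdminFiles": "Admin System Files",
    "PostEvent": "Post Events",
    "AppleEvents": "Apple Events",
}
TCC_PAYLOAD = "com.apple.TCC.configuration-profile-policy"
# Documented grants, transcribed from the page's permissions table.
TC = "/Library/Tanium/TaniumClient/TaniumClient"
CX = "/Library/Tanium/TaniumClient/TaniumCX"
EUN = "/Library/Tanium/EndUserNotifications/bin/end-user-notifications.app"
FULL = {"All System Files", "Admin System Files", "Post Events", "Apple Events"}
EXPECTED = {TC: FULL, CX: FULL, EUN: {"Post Events", "Apple Events"}}

def allowed_grants(profile_bytes):
    """Map each identifier in a .mobileconfig to the permission names it is allowed."""
    grants = {}
    for payload in plistlib.loads(profile_bytes).get("PayloadContent", []):
        if payload.get("PayloadType") != TCC_PAYLOAD:
            continue
        for service, entries in payload.get("Services", {}).items():
            for entry in entries:
                # Older payloads use a boolean Allowed; macOS 11+ may use Authorization.
                if entry.get("Allowed") is True or entry.get("Authorization") == "Allow":
                    name = KEY_TO_NAME.get(service, service)
                    grants.setdefault(entry["Identifier"], set()).add(name)
    return grants

def audit(profile_bytes, expected=EXPECTED):
    """Return (missing, extra): documented grants absent from the profile, any beyond it."""
    grants = allowed_grants(profile_bytes)
    paths = set(expected) | set(grants)
    missing = {p: expected.get(p, set()) - grants.get(p, set()) for p in paths}
    extra = {p: grants.get(p, set()) - expected.get(p, set()) for p in paths}
    return ({p: s for p, s in missing.items() if s}, {p: s for p, s in extra.items() if s})

def sample_profile():
    """Constructed sample: TaniumCX lacks Post Events, notifications app over-granted All System Files."""
    def entry(path):  # real entries also carry a CodeRequirement; omitted here
        return {"Identifier": path, "IdentifierType": "path", "Allowed": True}
    services = {
        "SystemPolicyAllFiles": [entry(TC), entry(CX), entry(EUN)],
        "SystemPolicySysAdminFiles": [entry(TC), entry(CX)],
        "PostEvent": [entry(TC), entry(EUN)],
        "AppleEvents": [entry(TC), entry(CX), entry(EUN)],
    }
    return plistlib.dumps({"PayloadContent": [{"PayloadType": TCC_PAYLOAD, "Services": services}]})
```

Run `audit(open("profile.mobileconfig", "rb").read())` against an exported profile; an empty pair means the grants match the table exactly.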
Enrollment profiles
When a user enrolls a device through automated device enrollment, an enrollment profile is downloaded to the device. The enrollment profile contains general settings, such as whether a device can be shared between two users or if users can delete MDM profiles from the device. The enrollment profile also contains settings that determine details of the initial device setup experience, such as whether users are asked to create an Apple ID, set up biometrics or set up a passcode. An enrollment profile also allows you to disable options such as FileVault, location services and restore from backup.
For more information, see Creating enrollment profiles.
Initial applications
You can configure Mac Device Enrollment to automatically install a predefined set of applications on any newly enrolled macOS device. These initial applications are typically critical applications, such as administrative tools like the Tanium Client or antivirus software.
For more information, see Specifying initial applications.
Mobile device groups
You can use mobile device groups to target device configuration profiles in Enforce to mobile devices enrolled with Mac Device Enrollment. Group membership is determined by device attributes that you select when you create the group.
For more information, see Creating mobile device groups.
Tanium MDM enrollment portal
The Tanium MDM enrollment portal allows your users to enroll their macOS devices with Mac Device Enrollment. Use the Tanium MDM enrollment portal if you do not have Apple Business Manager or to enroll devices that were previously enrolled in another MDM system.
For more information, see Using the Tanium MDM enrollment portal.
Interoperability with other Tanium products
Mac Device Enrollment works with other Tanium products to provide additional features.
Tanium™ Enforce
Use device configuration profiles in Enforce to centrally manage settings on macOS devices. For more information, see Enforce User Guide: Create a macOS device configuration profile. You can also perform actions, such as lock, wipe or reset, on individual or multiple devices. For more information, see Enforce User Guide: Managing devices with Mac Device Enrollment.
Tanium™ Patch
Use Mac Device Enrollment with Patch to manage patching for macOS endpoints. For more information, see Patch User Guide: Managing macOS endpoints.
Mac and macOS are trademarks of Apple Inc., and registered in the U.S. and other countries and regions.
Last updated: 9/25/2023 8:58 AM