Mac Device Enrollment requirements

Review the requirements before you install and use Mac Device Enrollment.

Core platform dependencies

Make sure that your environment meets the following requirements:

  • Tanium license that includes Enforce. Mac Device Enrollment is included with Enforce.
  • Tanium™ Core Platform servers: 7.4.6.1056 or later

  • Tanium™ Client: 7.4.7.1064 or later
  • Tanium™ Console or later: 2.1.706 or later

Solution dependencies

Other Tanium solutions are required for Mac Device Enrollment to function (required dependencies) or for specific Mac Device Enrollment features to work (feature-specific dependencies). The installation method you select determines if the Tanium Server automatically imports dependencies or if you must manually import them.

Some Mac Device Enrollment dependencies have their own dependencies, which you can see by clicking the links in the lists of Required dependencies. Note that the links open the user guides for the latest version of each solution, not necessarily the minimum version that Mac Device Enrollment requires.

Tanium recommended installation

If you select Tanium Recommended Installation when you import Mac Device Enrollment, the Tanium Server automatically imports all your licensed solutions at the same time. See Tanium Console User Guide: Import all modules and services.

Import specific solutions

If you select to import only Mac Device Enrollment, you must manually import dependencies. See Tanium Console User Guide: Import, re-import, or update specific solutions.

Required dependencies

Mac Device Enrollment has the following required dependencies at the specified minimum versions:

  • Tanium™ Interact 2.12.108 or later
  • Tanium™ Client Management 1.10.222
  • Tanium™ Core Content 1.3.100
  • Tanium™ RDB Service 1.2.11 or later
  • Tanium™ Secrets Service 1.0.48
  • Tanium™ System User Service 1.0.77 or later

Tanium™ Module Server

Mac Device Enrollment is installed and runs as a service on the Module Server host computer. The impact on the Module Server is minimal and depends on usage.

For information about Module Server sizing in a Windows deployment, see Tanium Core Platform Deployment Guide for Windows: Host system sizing guidelines.

Endpoints

Supported Internet protocols

Mac Device Enrollment only supports IPv4 addresses.

Supported operating systems

The following endpoint operating systems are supported with Mac Device Enrollment.

Operating System Version
macOS macOS 11 Big Sur or later

Disk space requirements

Make sure that enrolled devices have enough available space to accommodate any initial applications that you select, including the Tanium™ Client, and to accommodate any policy settings that might cause space to be consumed on the device.

For information about Tanium Client requirements, see Tanium Client and Client Management requirements.

Third-party software

Tanium Mac Device Enrollment is supported for use with the following third-party software:

  • Apple Business Manager

  • Apple School Manager
  • Apple Push Notification Service

Host and network security requirements

Specific ports and processes are needed to run Mac Device Enrollment.

Ports

The following ports are required for Mac Device Enrollment communication.

Source Destination Port Protocol Purpose

Tanium Module Server and mobile devices

Tanium MDM Cloud 443 TCP Allows communication with Tanium MDM Cloud
Mobile devices Tanium MDM Cloud 80

HTTP

SCEP

Allows communication with Tanium MDM Cloud to retrieve device certificates during device enrollment

Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.

For Tanium Cloud ports, see Tanium Cloud Deployment Guide: Host and network security requirements.

Internet URLs

If security software is deployed in the environment to monitor and block unknown URLs, your security administrator might need to allow the following URLs.

URL Description
https://s2s-grpc-api.prd.mdm.cloud.tanium.com Used by Mac Device Enrollment to communicate with Tanium MDM Cloud
https://enroll.prd.mdm.cloud.tanium.com Used to access the Tanium MDM enrollment portal URL during manual device enrollment
https://onboardingcert.prd.mdm.cloud.tanium.com/public_cert Used during the Mac Device Enrollment configuration process to encrypt the onboarding request file
https://prd-mdm-enduser-auth.auth.us-west-2.amazoncognito.com Used by Mac Device Enrollment to access the Tanium MDM Cloud API
https://cognito-idp.us-west-2.amazonaws.com Used by Mac Device Enrollment to access the Tanium MDM Cloud API

User role requirements

The following tables list the role permissions required to use Mac Device Enrollment. To review a summary of the predefined roles, see Set up Mac Device Enrollment users.

For more information about role permissions and associated content sets, see Tanium Console User Guide: Managing RBAC.

Mac Device Enrollment user role permissions
Permission MDM Administrator2 MDM Operator2 MDM Read Only User2 MDM Service Account1, 2, 3

Mac Device Enrollment

Required to view the Mac Device Enrollment workbench.


SHOW

SHOW

SHOW

MDM Abm

Create, delete, assign and update Apple Business Manager-based profiles.

Create and delete tokens.


READ
WRITE5

READ
WRITE5

READ

MDM Account Info

Allows the MDM service account to request rotation of API credentials that allow the Tanium Module Server and Mac Device Enrollment service to communicate with MDM Cloud.

This request is made automatically in configurable intervals.


READ
WRITE

READ
WRITE

READ

MDM API

Required to make API calls.


EXECUTE

EXECUTE

EXECUTE

MDM Apns

Required to upload and install new Apple Push Notification Service certificate in the Mac Device Enrollment service

View the current certificate configuration.

EXECUTE allows generation of a certificate signing request that is used to request a new MDM Push Certificate from Apple.


READ
WRITE
EXECUTE

READ
WRITE
EXECUTE

READ

MDM Config

Required to access settings for the Mac Device Enrollment service, such as how often synchronization jobs run and how often credentials are rotated.


READ
WRITE

READ
WRITE

MDM Device

Required for Read access to device information.


UNENROLL
READ

UNENROLL
READ

UNENROLL
READ

MDM Device Lock

Required to remotely lock enrolled devices.


EXECUTE

EXECUTE

MDM Device Password Reset

Required to remotely reset device passcodes on enrolled devices.


EXECUTE

EXECUTE

MDM Device Wipe

Required to remotely wipe data from enrolled devices.


EXECUTE

EXECUTE

MDM Enforce Dcp Command

Required to view the status of a DCP command.


READ

READ

MDM Groups

Required to create and manage device groups.


READ
WRITE
DELETE

READ
WRITE
DELETE

READ

MDM Idp

Required to configure identity providers.


READ
WRITE

READ
WRITE

READ

MDM Initial Applications

Required to configure and view initial applications.


READ
WRITE

READ
WRITE

READ

MDM Onboard

Required to create a tenant in Tanium MDM Cloud.


READ
WRITE
EXECUTE

READ
WRITE
EXECUTE

READ
READ

MDM Retry Profile

Required to manually install enrollment profiles on devices if automatic installation has failed.


INSTALLATION

INSTALLATION

MDM Rdb Integration Service Account

Internal use only


EXECUTE

MDM Secrets Integration Service Account

Internal use only


EXECUTE

MDM Sync Job

Basic permission to access the MDM solution.


READ
WRITE
EXECUTE

READ
WRITE
EXECUTE

READ

MDM Tanium Integration Service Account

Internal use only


EXECUTE

MDM Tcm Integration Service Account

Internal use only


EXECUTE

MDM TDS Integration Service Account

Internal use only


EXECUTE

MDM TDS Integration User

Internal. Allows the Mac Device Enrollment service account to make entries into Tanium Data Service for devices not managed by Tanium.


ACCOUNT

ACCOUNT

ACCOUNT

1 This role provides module permissions for Tanium Interact. You can view which Interact permissions are granted to this role in the Tanium Console. For more information, see Tanium Interact User Guide: Tanium Data Service permissions.

2 Grants access to content in the Mac Device Enrollment content set.

3 This role provides permissions for RDB.

Provided Mac Device Enrollment platform content permissions
Permission MDM Administrator1 MDM Operator MDM Read Only User1 MDM Service Account
Filter Group
READ
Plugin
READ
EXECUTE

READ
EXECUTE

READ
EXECUTE

READ
EXECUTE
READ
EXECUTE
Saved Question
READ
Sensor
READ

READ

READ

READ
READ

To view which content set permissions are granted to a role, see Tanium Console User Guide: View effective role permissions.

1 This role provides content set permissions for Tanium Trends. You can view which Trends content sets are granted to this role in the Tanium Console. For more information, see Tanium Trends User Guide: User role requirements.

Device information collection

Mac Device Enrollment uses the following sensors to collect information about the devices enrolled with Mac Device Enrollment. The information that is collected enables identification and auditing of devices, and enables Tanium to target device configuration profiles to devices or groups of devices.

  • MDM - Device ID

  • MDM - Enrollment Status
  • MDM - Last Check In Date
  • MDM - User ID
  • MDM - Enrollment Email
  • Installed Applications
  • Computer Name
  • MDM - Product Info
  • MDM - UDID
  • MDM - Awaiting Configuration
  • MDM - Operating System version
  • MDM - Model name
  • MDM - Model
  • MDM - Available Device Capacity
  • MDM - Device capacity
  • MDM - Is Supervised
  • MDM - Is Activation Lock Enabled
  • MDM - OS Update Settings
  • MDM - Device Config Profile Status
  • MDM - Device Platform
  • MDM - Last Seen Epoch Milliseconds