Mac Device Enrollment requirements

Review the requirements before you install and use Mac Device Enrollment.

Core platform dependencies

Make sure that your environment meets the following requirements:

  • Tanium license that includes Enforce or Patch. Mac Device Enrollment is included with Enforce and Patch.

  • Tanium™ Core Platform servers: 7.4.6.1056 or later

  • Tanium™ Client: 7.4.7.1064 or later

  • Tanium™ Console: 2.1.706 or later

Solution dependencies

Other Tanium solutions are required for Mac Device Enrollment to function (required dependencies) or for specific Mac Device Enrollment features to work (feature-specific dependencies). The installation method you select determines if the Tanium Server automatically imports dependencies or if you must manually import them.

Some Mac Device Enrollment dependencies have their own dependencies, which you can see by clicking the links in the lists of Required dependencies. Note that the links open the user guides for the latest version of each solution, not necessarily the minimum version that Mac Device Enrollment requires.

Tanium recommended installation

If you select Tanium Recommended Installation when you import Mac Device Enrollment, the Tanium Server automatically imports all your licensed solutions at the same time. See Tanium Console User Guide: Import all modules and services.

Import specific solutions

If you select to import only Mac Device Enrollment, you must manually import dependencies. See Tanium Console User Guide: Import, re-import, or update specific solutions.

Required dependencies

Mac Device Enrollment has the following required dependencies at the specified minimum versions:

  • Tanium™ Interact 2.12.108 or later

    Interact 3.0 or later requires Tanium Core Platform 7.6.1 or later

  • Tanium™ Client Management 1.10.252 or later
  • Tanium™ Core Content 1.3.100
  • Tanium™ RDB Service 1.2.11 or later
  • Tanium™ Secrets Service 1.0.48
  • Tanium™ System User Service 1.0.77 or later
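The version floors in the two lists above (core platform and required dependencies) can be checked before you import the solution. The following preflight script is an added example, not Tanium tooling: it treats every listed version as a minimum, as the list states, compares versions numerically rather than as strings, and also applies the Interact 3.0 / Core Platform 7.6.1 rule. The installed versions it runs against are a constructed sample; substitute what the Tanium Console reports.

```python
from typing import Dict, List, Tuple

# Minimum versions stated on this page (the page lists all of them as minimums).
MINIMUMS: Dict[str, str] = {
    "Tanium Core Platform": "7.4.6.1056",
    "Tanium Client": "7.4.7.1064",
    "Tanium Console": "2.1.706",
    "Tanium Interact": "2.12.108",
    "Tanium Client Management": "1.10.252",
    "Tanium Core Content": "1.3.100",
    "Tanium RDB Service": "1.2.11",
    "Tanium Secrets Service": "1.0.48",
    "Tanium System User Service": "1.0.77",
}


def parse_version(text: str) -> Tuple[int, ...]:
    """Dotted version string -> tuple of ints, so 7.4.10 compares above 7.4.9 (a string compare would not)."""
    return tuple(int(part) for part in text.strip().split("."))


def meets(installed: str, minimum: str) -> bool:
    """True when installed >= minimum; shorter versions are zero-padded, so 3.0 equals 3.0.0.0."""
    a, b = parse_version(installed), parse_version(minimum)
    width = max(len(a), len(b))
    return a + (0,) * (width - len(a)) >= b + (0,) * (width - len(b))


def check_requirements(installed: Dict[str, str]) -> List[str]:
    """Return the list of unmet requirements; an empty list means the environment meets the page's minimums."""
    problems = []
    for name, minimum in MINIMUMS.items():
        if name not in installed:
            problems.append(f"{name}: not installed (need {minimum} or later)")
        elif not meets(installed[name], minimum):
            problems.append(f"{name}: {installed[name]} is older than {minimum}")
    # Conditional rule from the list above: Interact 3.0 or later needs Core Platform 7.6.1 or later.
    interact, core = installed.get("Tanium Interact"), installed.get("Tanium Core Platform")
    if interact and core and meets(interact, "3.0") and not meets(core, "7.6.1"):
        problems.append(f"Tanium Interact {interact} requires Tanium Core Platform 7.6.1 or later (found {core})")
    return problems


if __name__ == "__main__":
    # Constructed sample: Interact 3.x on the minimum Core Platform, and a Client that is too old.
    sample = dict(MINIMUMS, **{"Tanium Interact": "3.1.2", "Tanium Client": "7.4.5.9999"})
    for line in check_requirements(sample) or ["All minimum versions met"]:
        print(line)
```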

Tanium™ Module Server

Mac Device Enrollment is installed and runs as a service on the Module Server host computer. The impact on the Module Server is minimal and depends on usage.

For information about Module Server sizing in a Windows deployment, see Tanium Core Platform Deployment Guide for Windows: Host system sizing guidelines.

Endpoints

Supported Internet protocols

Mac Device Enrollment only supports IPv4 addresses.

Supported operating systems

The following endpoint operating systems are supported with Mac Device Enrollment.

Operating System | Version
macOS | macOS 11 Big Sur or later

Disk space requirements

Make sure that enrolled devices have enough available space to accommodate any initial applications that you select, including the Tanium™ Client, and to accommodate any policy settings that might cause space to be consumed on the device.

For information about Tanium Client requirements, see Tanium Client Management User Guide: Tanium Client and Client Management requirements.

Third-party software and requirements

Tanium Mac Device Enrollment is supported for use with the following third-party software and requirements:

  • Apple Business Manager or Apple School Manager

    You must be assigned the Administrator or Device Enrollment Manager role or equivalent permissions.

  • Apple Push Notification Service

    Apple Push Notification Service requires you to upload a certificate signing request (CSR) in the Apple Push Certificates Portal, which then generates a certificate. For the portal credentials, use an Apple ID to which multiple users have access so that the certificate can be renewed. If you lose access to the Apple ID, the certificate expires, or you lose the ability to renew the certificate, all endpoints will require re-enrollment to Tanium MDM.

  • Security Assertion Markup Language (SAML) 2.0 or OpenID Connect (OIDC) compliant identity provider

    The identity provider administrator must have access to manage user roles, user permissions, user mappings, and user attributes; configure applications; and assign users to applications. Refer to your identity provider documentation to understand the needed roles and permissions.

    For example, the Okta App Admin role provides the needed permissions: Manage Profile Editor, Manage Profile Mappings, View applications or application instances, Add and configure applications, Assign user access to applications, and Create and modify an OIDC App.

Host and network security requirements

Specific ports and processes are needed to run Mac Device Enrollment.

Ports

The following ports are required for Mac Device Enrollment communication.

Source | Destination | Port | Protocol | Purpose
Tanium Module Server and mobile devices | Tanium MDM Cloud | 443 | TCP | Allows communication with Tanium MDM Cloud
Mobile devices | Tanium MDM Cloud | 80 | HTTP (SCEP) | Allows communication with Tanium MDM Cloud to retrieve device certificates during device enrollment

Configure firewall policies to open ports for Tanium traffic with TCP-based rules instead of application identity-based rules. For example, on a Palo Alto Networks firewall, configure the rules with service objects or service groups instead of application objects or application groups.

For Tanium Cloud ports, see Tanium Cloud Deployment Guide: Host and network security requirements.

Security exclusions

Mac Device Enrollment requires no specific security exclusions. For a list of all security exclusions to define across Tanium, see Tanium Core Platform Deployment Reference Guide: Host system security exclusions.

Internet URLs

If security software is deployed in the environment to monitor and block unknown URLs, your security administrator might need to allow the following URLs.

URL | Description
https://s2s-grpc-api.prd-us-1.mdm.cloud.tanium.com | Used by Mac Device Enrollment to communicate with Tanium MDM Cloud
https://enroll.prd.mdm.cloud.tanium.com | Used to access the Tanium MDM enrollment portal URL during manual device enrollment
https://onboardingcert.prd.mdm.cloud.tanium.com/public_cert | Used during the Mac Device Enrollment configuration process to encrypt the onboarding request file
https://prd-us-1-mdm-enduser-auth.auth.us-west-2.amazoncognito.com | Used by Mac Device Enrollment to access the Tanium MDM Cloud API
https://cognito-idp.us-west-2.amazonaws.com | Used by Mac Device Enrollment to access the Tanium MDM Cloud API

User role requirements

The following tables list the role permissions required to use Mac Device Enrollment. To review a summary of the predefined roles, see Set up Mac Device Enrollment users.

For more information about role permissions and associated content sets, see Tanium Console User Guide: Managing RBAC.

Mac Device Enrollment user role permissions

Columns: Permission | MDM Administrator [2] | MDM Operator [2] | MDM Read Only User [2] | MDM Service Account [1, 2, 3]

Each entry below gives the permission name, what it is required for, and the access granted per role column, in the order listed.

Mac Device Enrollment
  Required to view the Mac Device Enrollment workbench.
  SHOW | SHOW | SHOW

MDM Abm
  Create, delete, assign and update Apple Business Manager-based profiles. Create and delete tokens.
  READ, WRITE [5] | READ, WRITE [5] | READ

MDM Account Info
  Allows the MDM service account to request rotation of the API credentials that allow the Tanium Module Server and the Mac Device Enrollment service to communicate with MDM Cloud. This request is made automatically at configurable intervals.
  READ, WRITE | READ, WRITE | READ

MDM API
  Required to make API calls.
  EXECUTE | EXECUTE | EXECUTE

MDM Apns
  Required to upload and install a new Apple Push Notification Service certificate in the Mac Device Enrollment service, and to view the current certificate configuration. EXECUTE allows generation of a certificate signing request that is used to request a new MDM Push Certificate from Apple.
  READ, WRITE, EXECUTE | READ, WRITE, EXECUTE | READ

MDM Config
  Required to access settings for the Mac Device Enrollment service, such as how often synchronization jobs run and how often credentials are rotated.
  READ, WRITE | READ, WRITE

MDM Device
  Required for Read access to device information.
  UNENROLL, READ | UNENROLL, READ | UNENROLL, READ

MDM Device Lock
  Required to remotely lock enrolled devices.
  EXECUTE | EXECUTE

MDM Device Password Reset
  Required to remotely reset device passcodes on enrolled devices.
  EXECUTE | EXECUTE

MDM Device Wipe
  Required to remotely wipe data from enrolled devices.
  EXECUTE | EXECUTE

MDM Enforce Dcp Command
  Required to view the status of a DCP command.
  READ | READ

MDM Groups
  Required to create and manage device groups.
  READ, WRITE, DELETE | READ, WRITE, DELETE | READ

MDM Idp
  Required to configure identity providers.
  READ, WRITE | READ, WRITE | READ

MDM Initial Applications
  Required to configure and view initial applications.
  READ, WRITE | READ, WRITE | READ

MDM Onboard
  Required to create a tenant in Tanium MDM Cloud.
  READ, WRITE, EXECUTE | READ, WRITE, EXECUTE | READ

MDM Retry Profile
  Required to manually install enrollment profiles on devices if automatic installation has failed.
  INSTALLATION | INSTALLATION

MDM Rdb Integration Service Account
  Internal use only.
  EXECUTE

MDM Secrets Integration Service Account
  Internal use only.
  EXECUTE

MDM Sync Job
  Basic permission to access the MDM solution.
  READ, WRITE, EXECUTE | READ, WRITE, EXECUTE | READ

MDM Tanium Integration Service Account
  Internal use only.
  EXECUTE

MDM Tcm Integration Service Account
  Internal use only.
  EXECUTE

MDM TDS Integration Service Account
  Internal use only.
  EXECUTE

MDM TDS Integration User
  Internal. Allows the Mac Device Enrollment service account to make entries into Tanium Data Service for devices not managed by Tanium.
  ACCOUNT | ACCOUNT | ACCOUNT

[1] This role provides module permissions for Tanium Interact. You can view which Interact permissions are granted to this role in the Tanium Console. For more information, see Tanium Interact User Guide: Tanium Data Service permissions.

[2] Grants access to content in the Mac Device Enrollment content set.

[3] This role provides permissions for RDB.

Provided Mac Device Enrollment platform content permissions

Columns: Permission | MDM Administrator [1] | MDM Operator | MDM Read Only User [1] | MDM Service Account

Filter Group | READ
Plugin | READ, EXECUTE | READ, EXECUTE | READ, EXECUTE | READ, EXECUTE
Saved Question | READ
Sensor | READ | READ | READ | READ

To view which content set permissions are granted to a role, see Tanium Console User Guide: View effective role permissions.

[1] This role provides content set permissions for Tanium Trends. You can view which Trends content sets are granted to this role in the Tanium Console. For more information, see Tanium Trends User Guide: User role requirements.

Device information collection

Mac Device Enrollment uses the following sensors to collect information about the devices enrolled with Mac Device Enrollment. The information that is collected enables identification and auditing of devices, and enables Tanium to target device configuration profiles to devices or groups of devices.

  • MDM - Device ID

  • MDM - Enrollment Status
  • MDM - Last Check In Date
  • MDM - User ID
  • MDM - Enrollment Email
  • Installed Applications
  • Computer Name
  • MDM - Product Info
  • MDM - UDID
  • MDM - Awaiting Configuration
  • MDM - Operating System version
  • MDM - Model name
  • MDM - Model
  • MDM - Available Device Capacity
  • MDM - Device capacity
  • MDM - Is Supervised
  • MDM - Is Activation Lock Enabled
  • MDM - OS Update Settings
  • MDM - Device Config Profile Status
  • MDM - Device Platform
  • MDM - Last Seen Epoch Milliseconds