Managing devices with Mac Device Enrollment

Mac Device Enrollment is currently public beta software.

You can use Enforce to manage devices that are enrolled with Tanium Mac Device Enrollment and to perform actions, such as locking, resetting or wiping devices.

You can also use device configuration profiles in Enforce to manage device settings, such as single sign-on, passcode requirements and email accounts. For information about using profiles to configure device settings, see Creating policies.

Each enrolled device has one of the following statuses:

  • Applied: There are no pending device configuration profile assignments for the device.

  • Pending: There is a pending device configuration profile assignment for the device.

  • Reverted: A device configuration profile assignment could not be completed for the device. If the device had a previous profile, it has been rolled back to the previous profile.

  • Failed: The device configuration profile assignment could not be completed for the device, and the device could not be rolled back to a previous profile. No profile is currently applied to the device.

When a device configuration profile assignment fails, it is often because a setting in the profile is invalid. Review the settings in the profile before you try to enforce it again.

Before you begin

To manage macOS devices with Enforce, you must configure Mac Device Enrollment. For more information, see Mac Device Enrollment User Guide: Overview.

View information about enrolled devices

You can view a list of devices that are enrolled with Mac Device Enrollment, information about the devices, and the policies that are applied to a specific device.

  1. From the Enforce menu, click Mac Device Management.
  2. From the list of enrolled devices, click the name of a device to view information about the device.

To filter devices by status, click any of the Profile Status types.

You can gather a support bundle from an endpoint for troubleshooting. For more information, see Generate a support bundle for Mac devices.

Lock a device

You can immediately lock a device that is enrolled with Mac Device Enrollment to prevent access.

If you lock a device with Apple silicon that runs a version of macOS earlier than 11.5, the device is deactivated and must be reactivated by a local administrator with Secure Token enabled.

  1. From the Enforce menu, click Mac Device Management.
  2.  From the list of enrolled devices, select the device you want to lock.
  3. Click Actions > Lock.
  4. Choose a six-digit Recovery PIN. You provide this PIN to the device user so they can access the device after they recover it.
  5. Enter a Lock Message to display on the device while it is locked. This message appears on devices where a passcode has been set by the user.
  6. Click Lock to confirm. The device reboots and displays a lock screen after it restarts.

    When the user enters the recovery PIN, the device reboots and the user must log in with their account password.

Wipe a device

You can wipe a device that is enrolled with Mac Device Enrollment to immediately erase all data on the device, even if the device is locked, without warning the user. You might decide to wipe a device when a device is lost and is unlikely to be recovered.

  1. From the Enforce menu, click Mac Device Management.
  2.  From the list of enrolled devices, select the checkbox for the device you want to wipe.
  3. Click Actions > Wipe.
  4. Select a six-digit recovery PIN. You provide this PIN to the device user so they can access the device after it has been wiped.
  5. (Optional) Click Enable to remove a device from Mac Device Enrollment after the device is wiped.
  6. Click Wipe to confirm. If you chose to also remove the device then click Wipe and Remove.

Remove a device

You can remove a device from Mac Device Enrollment that is enrolled through the Tanium MDM Enrollment Portal. When you remove a device, The device is deleted from Mac Device Enrollment and MDM Cloud, and the device automatically removes the default profile and all device configuration profiles that were installed on the device.

You cannot remove devices that used automated device enrollment to enroll with Mac Device Enrollment. Use your Apple enrollment system to remove devices that enrolled automatically.

  1. From the Enforce menu, click Mac Device Management.
  2.  From the list of enrolled devices, select the checkbox for the device you want to remove.
  3. Click Actions > Remove. Then click Remove to confirm.
  4. (Optional) Use data explorer to check the status of the device removal process. It might take up to one hour for this update to be reflected in your data. For more information, see Querying device data.