macOS Device and Application Management (MDM and MAM)

This chapter explores the basics of modifying macOS device behavior by using Profiles, and how to easily distribute applications.

1. Configure macOS Profiles

Profiles are the mechanism by which AirWatch manages settings on a macOS device.  macOS profile management is done in two ways: device level and enrollment-user level. You can set appropriate restrictions and apply appropriate settings regardless of the logged-on user. You can also apply settings specific to the logged-on user on the device.

1.1. Close System Preferences if opened

In the following section, we are going to create a device profile which will change some system preferences in your Mac. However, in order to see those changes take place, please close any existing System Preference sessions if they are already open.

If System Preferences is open, click on the X to close it.

1.2. Add a macOS Device Profile

In the AirWatch console,

  1. Click on Devices.
  2. Click on Profiles & Resources.
  3. Click on Profiles.
  4. Click on Add.
  5. Click Add Profile.

1.3. Select Profile Platform

Click on the macOS icon.

1.4. Select the Profile Context

Click on the Device Profile icon.

1.5. macOS Profiles

After clicking on the macOS icon, you will be presented with the Add a New Apple macOS Profile screen. All profiles are broken down into two basic sections, the General section and the Payload section.

The General section has information about the Profile, its name and some filters on what device will get it.

The Payload sections define actions to be taken on the device.

Every Profile must have all required fields in the General section properly filled out and at least one payload configured.

NOTE - It is recommended a Profile contain only one payload.

1.6. Profile General Settings

Device Profiles are typically used to control settings that apply system-wide. Device profiles can include items such as VPN and Wi-Fi configurations, Global HTTP Proxy, Disk Encryption, and/or Directory (LDAP) integration. In this case, we create a profile that modifies the dock for all users on the machine.

Configure the profile as follows:

  1. Click on General if it is not already selected.
  2. Give the profile a name such as macOS Device Dock Settings by entering the string in the Name field.
  3. Copy the profile name into the Description field.
  4. Click in the Assigned Groups field. This will pop up the list of created Assignment Groups. Start typing All Devices and select the All Devices ([email protected]) Assignment Group.
    NOTE - You may need to scroll down to view the Assigned Groups field.

NOTE - You do not need to click SAVE or SAVE AND PUBLISH at this point.  This interface allows you to move around to different payload configuration screens before saving.

1.7. Select the Dock Payload

NOTE - When you first open most payloads, a Configure button is shown to reduce the risk of accidentally setting a payload configuration.

  1. Click on Dock.
  2. Click the Configure button.

1.8. Configure the Dock Payload

  1. Reduce the dock size.
  2. Change the position to Left.
  3. Click Save & Publish.

1.9. Publish the Device Profile

Click on the Publish button.

1.10. Verify the Device Profile Now Exists

You should now see your Device Profile within the list of the Profiles window.

NOTE - If you need to edit the Profile, this is where you would come back to in order to do so.

1.11. Add a macOS User Profile

  1. Click on Add.
  2. Click on Add Profile.

1.12. Select Profile Platform

Click on the macOS icon.

1.13. Select the Profile Context

Click on the User Profile icon.

1.14. Profile General Settings

User Profiles are typically used to control settings that apply to the enrolled user. User profiles can include items such as Email configurations, web clips (URL shortcuts), credentials (certificates), and content filtering settings. In this case, we will create restrictions on System Preferences panes for the enrolled user on this machine.

Configure the profile as follows:

  1. Click on General if it is not already selected.
  2. Give the profile a name such as macOS User Restrictions by entering the string in the Name field.
  3. Copy the profile name into the Description field.
  4. Click in the Assigned Groups field. This will pop up the list of created Assignment Groups. Start typing All Devices and select the All Devices ([email protected]) Group.

NOTE - You do not need to click SAVE or SAVE AND PUBLISH at this point.  This interface allows you to move around to different payload configuration screens before saving.

1.15. Select the Restrictions Payload

  1. Click on Restrictions
  2. Click on the Configure button

1.16. Configure the Restrictions Profile

  1. Click on the Preferences tab.
  2. Select Restrict System Preferences Panes
  3. Select Disable selected items
  4. Select Bluetooth
  5. Scroll the restrictions pane down to see more restrictions.

1.17. Finish Configuring the Restrictions Profile

  1. Select iCloud.
  2. Click Save & Publish.

1.18. Publish the User Profile

Click on the Publish button.

1.19. Verify the User Profile

You should now see your User Profile within the list of the Profiles window.

NOTE - If you need to edit the Profile, this is where you would come back to in order to do so.

1.20. Validate Applied Profiles

  1. On your device, note that the dock has changed position and is now on the left side of the screen.
  2. Click on the Apple icon in the top left corner, then click System Preferences.
  3. If System Preferences shows you a specific subpanel, such as Time Machine, click the back button.
  4. Note you are now unable to modify the settings for Bluetooth and iCloud as those icons are grayed-out.
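
The same validation can be done against the profile files themselves. The following is an added example, not part of the original lab or AirWatch's own code: it parses two constructed profiles and reports any drift from the lab's Dock and System Preferences settings. The payload types and keys are assumed to follow Apple's Dock and System Preferences payloads; the files AirWatch actually generates are not shown on this page, and make_profile and audit_profiles are hypothetical names.

```python
import plistlib

def make_profile(name, payload):
    """Build a constructed single-payload profile as XML plist bytes."""
    return plistlib.dumps({"PayloadType": "Configuration",
                           "PayloadDisplayName": name,
                           "PayloadContent": [payload]})

# Constructed samples mirroring the two lab profiles (not exported from AirWatch).
DEVICE_PROFILE = make_profile("macOS Device Dock Settings", {
    "PayloadType": "com.apple.dock", "orientation": "left", "tilesize": 32})
USER_PROFILE = make_profile("macOS User Restrictions", {
    "PayloadType": "com.apple.systempreferences",
    "DisabledPreferencePanes": ["com.apple.preferences.Bluetooth",
                                "com.apple.preferences.icloud"]})

# Pane identifiers assumed for the Bluetooth and iCloud panes restricted in the lab.
EXPECTED_DISABLED = {"com.apple.preferences.Bluetooth",
                     "com.apple.preferences.icloud"}

def audit_profiles(raw_profiles):
    """Return findings; an empty list means both lab settings are present."""
    findings, seen = [], {}
    for raw in raw_profiles:
        try:
            profile = plistlib.loads(raw)
            name = profile.get("PayloadDisplayName", "<unnamed>")
            payloads = profile.get("PayloadContent", [])
        except Exception as exc:  # signed (CMS-wrapped), corrupt, or non-dict file
            findings.append(f"unreadable profile: {type(exc).__name__}")
            continue
        if len(payloads) != 1:  # the lab recommends one payload per profile
            findings.append(f"{name}: {len(payloads)} payloads, expected 1")
        for payload in payloads:
            seen[payload.get("PayloadType")] = payload
    dock = seen.get("com.apple.dock")
    if dock is None:
        findings.append("no Dock payload found")
    elif dock.get("orientation") != "left":
        findings.append(f"Dock orientation is {dock.get('orientation')!r}, expected 'left'")
    prefs = seen.get("com.apple.systempreferences")
    if prefs is None:
        findings.append("no System Preferences restriction payload found")
    else:
        missing = EXPECTED_DISABLED - set(prefs.get("DisabledPreferencePanes", []))
        findings.extend(f"pane not disabled: {p}" for p in sorted(missing))
    return findings

if __name__ == "__main__":
    print(audit_profiles([DEVICE_PROFILE, USER_PROFILE]) or "profiles match the lab settings")
```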

1.21. Key Takeaways

  • You can utilize a combination of Device-level and User-level profiles for flexibility in configuring your macOS devices.
  • Profiles can be targeted against Assignment Groups for fine-grained control.

2. Configure App Catalog and Publish Internal Apps

The Application catalog is a website in your AirWatch instance that provides a user and device specific list of managed applications available for installation.  This provides a self-service method for end-users to select the software and applications they would like deployed to their device.

AirWatch also provides multiple methods to manage applications on a macOS device.  Applications can be delivered as self-contained *.app files (what AirWatch labels an Internal Application).  Applications can also be delivered as detailed manifests which allow step-by-step execution of multiple scripts and/or software packages.  This second method, which AirWatch refers to as Product Provisioning, is outside the scope of this exercise.  

In this exercise, you will enable the application catalog and deploy an Internal Application to your device.

NOTE - All AirWatch Management Console work should be done on the server in the VLP (VMware Learning Platform), not on the Mac.

2.1. View All Settings

In the AirWatch Web Console

  1. Click on Apps & Books.
  2. Click on All Apps & Books Settings.

2.2. Enable the Application Catalog

  1. Click on Apps
  2. Expand Workspace ONE
  3. Expand AirWatch Catalog
  4. Click on General.
  5. Click on the Publishing tab
  6. Click Override
  7. Enter the Catalog title as App Catalog

2.3. Select Platform as macOS and Save

  1. Scroll down until you see the platform macOS.
  2. Select Enabled for macOS.
  3. Click on Save.
  4. Scroll to the top and click on X to exit the pop-up screen.

2.4. Add an Internal Application

  1. Click on Apps & Books
  2. Expand Applications and click Native.
  3. Click on the Internal tab
  4. Click Add Application.

2.5. Select to Upload the Application

Click Upload

2.6. Choose the File to Upload

  1. Ensure Local File is selected.
  2. Click on the Choose File button.

2.7. Selecting the App File

The feedly.zip file is located in the Documents folder.

  1. Click on Documents in the left pane
  2. Click on folder HOL
  3. Click on folder Mac OS X
  4. Click on the feedly.zip file in the right pane
  5. Click on the Open button

2.8. Saving the App File

Click on the Save button.

2.9. Finish the Internal Application Installation

Click on the Continue button.

2.10. Accept Discovered Application Descriptor Information

Click Save & Assign at the bottom of the app details page to begin the assignment of the app.

2.11. Add Application Assignment

Click on the Add Assignment button.

2.12. Set Assignment Options

  1. If you do not have the All Devices group assigned then click in the Select Assignment Groups field.  This will pop up a list of created Assignment Groups. Click on the All Devices Group.
  2. Ensure your Push Mode is set to On Demand.  
  3. Ensure Remove On Unenroll is set to Enabled.  
  4. Click Add.

2.13. Save the Assignment Rules

Review the Assignment rules and click Save & Publish.  

2.14. Publish the Internal Application

Click Publish to publish the internal application.

2.15. View the Published Application in the Application Catalog

  1. On your macOS test device, click on the App Catalog web clip that was added to the Dock when you enrolled.
  2. Note that the Feedly app is listed as an internal app
  3. Click the Install button for Feedly

2.16. Confirm Feedly Installation Request

Click Install to confirm installation. Notice the AirWatch icon flashing in the menu bar. This indicates that the application is being downloaded and installed.

2.17. Open macOS Applications Folder

  1. Click on Finder (Smiley Face) on the Dock
  2. Click Go from the menu bar
  3. Click Applications.

2.18. Validate Feedly Application Installation

There may be a slight delay while the AirWatch agent downloads and installs Feedly, but you can confirm the installation is complete when the Feedly icon appears in the Applications folder.

2.19. Key Takeaways

  • AirWatch provides an Application Catalog to allow user and device specific self-service requests for application installation.
  • macOS Applications can be deployed as a single item (Internal Application) or a detailed manifest of scripts and packages (Products).

3. Configure Device Lock

Device lock for macOS devices causes the machine to reboot into a firmware-lock screen.  This lock screen occurs at the firmware level prior to OS boot.

3.1. View macOS Device

  1. Click on Devices.
  2. Click on List View.
  3. Click on your enrolled macOS device.

NOTE - We are working with MacBooks in this module, so please ensure that you are selecting your enrolled macOS device.

3.2. Lock Device

Click Lock in the top right corner of your device details view.

3.3. Enter Device Lock Code

  1. Enter 111111 as the firmware lock code
  2. Click Lock Device

3.4. Device Reboot

  1. The Device will reboot after a short delay and the firmware will be locked.

3.5. Unlock The Device

  1. At the System Lock screen, enter the unlock code (111111)
  2. Click the Arrow (-->) to boot the device.

3.6. Key Takeaways

  • AirWatch supports a firmware-based device lock for macOS
  • The device cannot be booted until the device lock code has been entered
