
MacOnboardingMate – Capacities – EN

Capacities

The capacities listed below are the ones currently and actively supported by MacOnboardingMate 4.

Any idea to enrich MOM's capacities, or anything missing before you can adopt MOM? Feel free to send a feature request via the form available at the bottom of the Introduction page.

Terminology

Execution modes
• MOM is delivered as a single package named « MOM-Core » that offers two execution modes, differentiated by the way MOM is launched and the workflows supported
• In Setup mode, MOM is executed manually from an open user session
• In AutoSetup mode, MOM is executed from a management solution, either automatically or from a Self Service

Workflows supported
• Setup mode is used to onboard a Mac that is already in production, or to migrate it from one MDM to another MDM; the workflow is triggered locally
• AutoSetup mode is used to onboard a new or reset Mac enrolled during the Setup Assistant (1), or to migrate a Mac that is already in production from one MDM to another MDM; the workflow is triggered remotely

Locations
• A MOM Location refers to the destination point of the device once enrolled in the management solution
• Depending on the management solution, a MOM Location can be seen as a site or a device group
• Device Enrollment: the targeted Location is defined automatically (one Location available) or manually with a selector (two or more Locations available)
• Automated Device Enrollment: the targeted Location is defined automatically

Enrollment methods
• Both Setup and AutoSetup modes offer to use Device Enrollment (non-ADE capable Mac) or Automated Device Enrollment (ADE capable Mac) (2) to enroll a Mac in an MDM
• In the specific workflow of an onboarding during the Setup Assistant, MOM does not orchestrate the enrollment, which is already managed by the Automated Device Enrollment
• Apart from this last workflow, MOM orchestrates the enrollment in the context of a first onboarding, or the unenrollment from the previous MDM followed by the enrollment in the new MDM in the context of a migration
Onboarding

MDM enabled user
(Setup mode only)
• The MDM enabled user is basically the logged-in user during the enrollment, or the user created in the Computer account pane of the Setup Assistant (Automated Device Enrollment only)
• The MDM enabled user is the only user on the device able to receive User-level Configuration profiles (User Channel)
• In the context of a 1:1 deployment with an enrollment orchestrated outside of the Setup Assistant, the technician can be asked to validate that MOM is correctly executed from the session of the targeted MDM enabled user

ADE remediation
(Setup mode only)
• MOM detects that the device was enrolled in the MDM without using Automated Device Enrollment and that an enrollment profile is currently available in Apple Business Manager or Apple School Manager
• In this context, MOM orchestrates a re-enrollment using Automated Device Enrollment

ADE warning
(Setup mode only)
MOM can warn the technician that an Automated Device Enrollment profile is not available for the device (which may be the result of a misconfiguration either in the MDM, Apple Business Manager or Apple School Manager) and offers the choice whether or not to continue using Device Enrollment

BYOD devices
• User Enrollment is the appropriate option to enroll BYOD devices in an MDM, bringing better user acceptance and more privacy for end users
• From MOM's perspective, User Enrollment is piloted the same way as Device Enrollment
Migration

Transition between two MDMs
Flagship capacity of MOM 4
• The MDM migration implies both the assisted unenrollment from the previous MDM before the enrollment in the new MDM, and the copy of selected inventory values of the migrated device during its exodus
• The migration of inventory values is based on the declaration of mappings that carefully associate the name of a source attribute in the previous MDM with the name of a destination attribute in the new MDM; all migrated values are eventually treated as strings
• The MDM migration is configured in the targeted MOM Location property list file
• In the context of AutoSetup mode, the MDM migration is entirely set up in the MDM that the device leaves

Triggering
• The user can be offered to postpone the migration workflow so that it is triggered at an appropriate time, with an optional deadline
• The migration process is actively monitored by an autonomous daemon that is responsible for reactivating the migration workflow if it is unexpectedly interrupted
• The migration process can be restricted to a list of accounts, to prevent a management account from running the migration workflow and thus inadvertently becoming the MDM enabled user

Transparent Device Unenrollment
• MOM can remove an Automated Device Enrollment Remote Management profile protected by the « prevent unenrollment » option by making an API call to the MDM the device leaves
• This capacity is currently only offered with Jamf Pro, Jamf School, VMware Workspace ONE UEM, Microsoft Intune and SimpleMDM
• With the other supported MDMs, the workflow is paused until the unenrollment is manually triggered by the IT Support

Administrative privileges granting
(AutoSetup mode only)
• MOM can automatically grant the administrative privileges required by macOS for the enrollment in the new MDM. Once the enrollment is done, the granted privileges are revoked.
• The privilege elevation is actively monitored by an autonomous daemon which revokes the grant if the workflow is detected as interrupted.
• For an enrollment using Device Enrollment, the logged-in standard user is granted administrative privileges after the display of the enrollment Web page or the opening of Microsoft Company Portal, until the enrollment is done.
• For an enrollment using Automated Device Enrollment with macOS 11 and later, the grant occurs just before the display of the enrollment notification, until the enrollment is done.
• For an enrollment using Automated Device Enrollment with macOS 10.15 and earlier, the grant occurs only at the time the enrollment notification is displayed.
Power Management
• The workflow execution can require that the device is connected to AC Power
• The workflow can be allowed to be executed while the device is on Battery Power, optionally only if the battery charge exceeds a required minimum
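The power checks described above, written as an added shell example (this is not MOM's own code): the decision takes the output of `pmset -g batt`, the "allow on battery" policy and a minimum charge, and refuses to start the workflow when the policy is not met. The `pmset` outputs below are constructed samples in the format the command prints, so the check runs offline; on a real Mac the string would come from `pmset -g batt`.

```shell
#!/bin/sh
# Added example (not MOM's own code): decide whether an onboarding workflow may
# start, given the power source and the Power Management policy.

# Constructed sample outputs in the format printed by `pmset -g batt`.
SAMPLE_AC="Now drawing from 'AC Power'
 -InternalBattery-0 (id=4522083) 100%; charged; 0:00 remaining present: true"
SAMPLE_BATTERY_LOW="Now drawing from 'Battery Power'
 -InternalBattery-0 (id=4522083) 37%; discharging; 2:10 remaining present: true"
SAMPLE_BATTERY_OK="Now drawing from 'Battery Power'
 -InternalBattery-0 (id=4522083) 82%; discharging; 4:30 remaining present: true"

# power_source PMSET_OUTPUT -> prints "ac" or "battery"
power_source() {
  case "$1" in
    *"'AC Power'"*) echo ac ;;
    *) echo battery ;;
  esac
}

# battery_percent PMSET_OUTPUT -> prints the charge percentage;
# a Mac without a battery prints no percentage, which we treat as 100
battery_percent() {
  pct=$(printf '%s\n' "$1" | sed -n 's/.*[[:space:]]\([0-9][0-9]*\)%;.*/\1/p' | head -n 1)
  echo "${pct:-100}"
}

# workflow_power_allowed PMSET_OUTPUT ALLOW_ON_BATTERY MIN_CHARGE
#   ALLOW_ON_BATTERY: "yes" or "no" (with "no", AC Power is required)
#   MIN_CHARGE: minimum battery percentage when on battery (0 = no minimum)
# Returns 0 when the workflow may start, 1 when it must wait.
workflow_power_allowed() {
  out=$1; allow_battery=$2; min_charge=${3:-0}
  if [ "$(power_source "$out")" = ac ]; then
    return 0
  fi
  if [ "$allow_battery" != yes ]; then
    echo "Workflow blocked: the device must be connected to AC Power" >&2
    return 1
  fi
  pct=$(battery_percent "$out")
  if [ "$pct" -lt "$min_charge" ]; then
    echo "Workflow blocked: battery at ${pct}%, minimum required ${min_charge}%" >&2
    return 1
  fi
  return 0
}

# Real usage on a Mac (allow battery, require at least 50%):
#   workflow_power_allowed "$(pmset -g batt)" yes 50 || exit 1
```

A daemon that re-evaluates this check before resuming an interrupted workflow gets the same answer as the initial launch, which is what makes the policy enforceable rather than advisory.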
Basic configurations

Boot volume name
The Boot volume can be renamed silently to a defined arbitrary name

Desktop picture
• The Desktop picture can be customized with a wallpaper provided by your organization (PNG file)
• The setting is by default executed via the Login script once per logged-in user, to let the end users customize their Desktop picture afterwards

Dock
• The Dock can be customized to add the Self Service app icon and to remove unwanted macOS app icons
• The setting is by default executed via the Login script once per logged-in user, to let the end users customize their Dock afterwards
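The "once per logged-in user" behaviour of the Desktop picture and Dock settings can be implemented with a run-once guard in the Login script. The shell below is an added example, not MOM's code: it assumes a marker file in the user's `~/Library/Application Support` folder (the marker name is a hypothetical identifier) and a hypothetical wallpaper path; the guard itself is generic and works for any per-user command.

```shell
#!/bin/sh
# Added example (not MOM's own code): run a per-user setting only the first
# time each user logs in, so later customizations by the user are kept.
# Executed from a Login script, i.e. as the logged-in user, not as root.

MARKER_NAME="com.example.mom.desktop-picture-done"   # hypothetical identifier

# marker_path HOME_DIR -> path of the run-once marker for that user
marker_path() {
  printf '%s/Library/Application Support/%s\n' "$1" "$MARKER_NAME"
}

# run_once_per_user HOME_DIR COMMAND [ARGS...]
# Runs COMMAND only if the marker is absent, then creates the marker.
# Prints "applied" or "skipped" so callers can tell what happened.
run_once_per_user() {
  home=$1; shift
  marker=$(marker_path "$home")
  if [ -e "$marker" ]; then
    echo skipped
    return 0
  fi
  "$@" || return 1            # do not write the marker if the setting failed
  mkdir -p "$(dirname "$marker")"
  date > "$marker"            # the timestamp doubles as a small audit trail
  echo applied
}

# set_desktop_picture PNG_PATH -> macOS only: asks the user's own session to
# change the picture; the PNG is expected to come from the Content package
set_desktop_picture() {
  osascript -e "tell application \"System Events\" to tell every desktop to set picture to POSIX file \"$1\""
}

# Real usage at the end of a Login script (wallpaper path is a placeholder):
#   run_once_per_user "$HOME" set_desktop_picture "/Library/Example/wallpaper.png"
```

Because the marker lives in the user's home, a freshly created account (for example one created just-in-time by Jamf Connect or NoMAD Login) gets the setting exactly once, and an account that already customized its Desktop is left alone.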
Firmware password
The Firmware password of an Intel Mac can be set silently to a defined arbitrary string

Remote Management
• The Remote Management service can be configured to accept incoming connections only as the Management account with all privileges
• An Enable Remote Desktop MDM command is still required to silently enable the remote observation of the screen

Rosetta 2
Rosetta 2, which enables a Mac with Apple silicon to run Intel apps, can be installed

Automatic opening of an app
An app, which will likely be the Self Service app of the management solution, can be opened once the workflow is done

Automatic opening of a Web page
A Web page can be opened by the default Web browser of the logged-in user once the workflow is done
Device renaming

Renaming methods
• Prompt: the user is prompted to enter the device name
• Template: the device name is composed of arbitrary text and Product Name and/or Serial Number information
• CSV: the device name is retrieved from a Serial Number / Device name CSV table stored inside the Content package

Device name case
A lowercase or uppercase conversion can be enforced with the Prompt and Template renaming methods

Device name length
• A maximal length can be enforced whatever renaming method is used
• This policy will typically prevent a mismatch between the local computer name and the Active Directory computer record name, which is limited to 15 characters
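The three renaming methods and the case and length policies above, as an added shell example (not MOM's own code). The serial numbers, product names and CSV table are constructed samples; on a real Mac the serial and product name would be read from `system_profiler SPHardwareDataType`, and the template prefix is an arbitrary organization choice.

```shell
#!/bin/sh
# Added example (not MOM's own code): Prompt, Template and CSV renaming
# methods, followed by the case conversion and maximal length policy.

# Constructed CSV table in the "Serial Number,Device name" layout.
SAMPLE_CSV="C02ZZ9999AAA,mkt-mbp-017
FVFZZ8888BBB,ENG-IMAC-042"

# prompt_for_name -> macOS only: asks the logged-in user for the device name
prompt_for_name() {
  osascript -e 'text returned of (display dialog "Enter the device name:" default answer "")'
}

# compose_from_template PREFIX PRODUCT_NAME SERIAL -> PREFIX-Product-SERIAL
# Spaces are stripped from the product name so the result is a valid hostname label.
compose_from_template() {
  prefix=$1; product=$(printf '%s' "$2" | tr -d ' '); serial=$3
  printf '%s-%s-%s\n' "$prefix" "$product" "$serial"
}

# lookup_from_csv SERIAL CSV_TEXT -> device name; returns 1 if the serial is absent
lookup_from_csv() {
  name=$(printf '%s\n' "$2" | awk -F, -v s="$1" '$1 == s { print $2; exit }')
  [ -n "$name" ] || return 1
  printf '%s\n' "$name"
}

# apply_name_policy NAME CASE MAXLEN
#   CASE: lower | upper | none ; MAXLEN: maximal length, 0 = unlimited
# Truncation keeps the leading characters, so put the distinguishing part
# (serial or counter) early enough in the template for a 15-character limit.
apply_name_policy() {
  name=$1; mode=$2; maxlen=${3:-0}
  case "$mode" in
    lower) name=$(printf '%s' "$name" | tr '[:upper:]' '[:lower:]') ;;
    upper) name=$(printf '%s' "$name" | tr '[:lower:]' '[:upper:]') ;;
  esac
  if [ "$maxlen" -gt 0 ]; then
    name=$(printf '%s' "$name" | cut -c1-"$maxlen")
  fi
  printf '%s\n' "$name"
}

# apply_device_name NAME -> macOS only, run as root: sets the three system names
apply_device_name() {
  for key in ComputerName LocalHostName HostName; do
    scutil --set "$key" "$1"
  done
}

# Real usage (Template method, uppercase, 15 characters for an AD record):
#   serial=$(system_profiler SPHardwareDataType | awk '/Serial Number/ { print $NF }')
#   apply_device_name "$(apply_name_policy "$(compose_from_template ACME MacBookPro "$serial")" upper 15)"
```

Note that with a 15-character limit the example above truncates the serial number away entirely, which is exactly the kind of collision the length policy is meant to make visible before names reach Active Directory: choose the template so the unique part survives the cut.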
Management account

Account creation
(Setup mode)
• The defined management account is created at enrollment if missing
• The management account parameters include Account name, Full name, UID, Shell, Home folder, Password and Hidden flag
• The creation is executed silently on a device running macOS 11 or later with a Bootstrap Token escrowed by the MDM, or if a SecureToken should not be granted
• The creation is interactive if a SecureToken must be granted

Account creation
(AutoSetup mode)
The defined management account is created if missing after the Automated Device Enrollment sequence

Account picture
The management account can be customized with a picture provided by your organization (PNG file)

Delete other local accounts
(Setup mode only)
• If the management account has been created during the workflow, all the other local accounts can be deleted
• The use case is the preparation of a non-ADE capable Mac by a technician who sets up a temporary Computer account manually in the Setup Assistant, while the Management account creation is automated for the reliability of its credentials
Directory integration

Azure AD integration
MOM has been designed to work effectively with Jamf Connect and Mosyle Auth 2. These tools replace the macOS login window with a customized login window that authorizes signing in with a Microsoft Azure AD account for a just-in-time local account creation.

Modern On-Prem AD integration
MOM has been designed to work effectively with NoMAD Login. This tool replaces the macOS login window with a customized login window that authorizes signing in with a Microsoft AD account for a just-in-time local account creation.

Traditional On-Prem AD integration
• The device can be bound traditionally to an Active Directory server to implement mobile accounts
• As part of a support action, Agnosys can provide you with a traditional integration script, intended to be used as a Preflight script, and assist you in its customization
• The use case is a workflow where the binding is not done via the Directory payload of a Configuration profile provided by the MDM, but by a script executed once the device has been renamed
Open source products integration

Munki
Munki is a set of tools, used together with a webserver-based package repository, that are implemented in organizations all over the world to manage software installs on macOS devices (3)
• In the specific workflow of an onboarding during the Setup Assistant, an initial Munki check-in is executed as desired to install the most critical apps as soon as possible once the first end user logs in, either with a graphical user interface that displays progress or silently in the background
• Apart from this last workflow, an initial Munki check-in is executed as desired once the workflow is completed or once the end user logs out
• When an MDM solution is used, Munki is seen as an auxiliary tool and the configuration of the Munki agent is expected to be performed by an MDM Configuration profile
• When an MDM solution is not used, Munki is considered the main management solution and the configuration of the Munki agent must be performed by a script provided by Agnosys
• Munki is dynamically downloaded from GitHub if Internet connectivity is available at onboarding time

NoMAD
NoMAD is a tool that lets local accounts sign in with their AD account, essentially to get Kerberos tickets at login and keep their local password synchronized with their AD password, without binding their device traditionally to AD nor implementing mobile accounts, which are a source of known concerns
• NoMAD is dynamically downloaded from the editor’s website if Internet connectivity is available at onboarding time, and configured with an MDM Configuration profile

NoMAD Login
NoMAD Login is a tool that lets users sign in with their AD account from a customized login window so that their local account is created just-in-time, without binding their device traditionally to AD nor implementing mobile accounts
• The awesome caribou picture can be replaced by a picture provided by your organization (PNG file)
• NoMAD Login is dynamically downloaded from the editor’s website if Internet connectivity is available at onboarding time, and configured with an MDM Configuration profile
Advanced configurations

Scripts embedded in MOM
• Preflight, Postflight and Login scripts provided by your organization, or written by (or with the help of) Agnosys as part of a support action, can be embedded in MOM
• Preflight and Postflight scripts, which can be seen as hooks to enrich the default code, are executed respectively at the beginning and at the end of the workflow, as the root user (caution)
• The Login script is executed when the user logs in, as the logged-in user (safer)

Scripts embedded in profiles
The device can be configured to execute the loginhook and/or logouthook scripts embedded in the Login Window payload of a Configuration profile provided by the MDM
Jamf Pro specific capacities

Built-in attributes and Extension attributes
• The user can be prompted to enter an arbitrary text for the « Asset Tag », « Building », « Department » or « Room » field, or for a pre-defined extension attribute field
• The user can be prompted to select values in up to four fully customizable menus mapped to built-in attributes or extension attributes
• These values, stored in the device’s inventory, may be used as criteria for Smart groups (Classic API)

Policies
• Policies can be executed during the workflow before the execution of the Postflight script
• Policies can be triggered by their Custom event or by their Identifier

Remote Management
An Enable Remote Desktop MDM command is automatically sent to the enrolled device after the Remote Management service has been enabled (Classic API)

Jamf School specific capacities

Asset Tag and Notes
The user can be prompted to enter the Asset Tag and Notes that are stored in the device’s inventory and may be used as criteria for Smart groups

VMware Workspace ONE UEM specific capacities

Built-in attributes and Custom attributes
• The user can be prompted to enter an arbitrary text for the « Asset Number » field, a new note within the « Notes » array, or a pre-defined custom attribute field
• The user can be prompted to select values in up to four fully customizable menus mapped to custom attributes
• These values are stored in the device’s inventory (REST API)

Microsoft Intune specific capacities

Notes
The user can be prompted to enter the Notes that are stored in the device’s inventory (Graph API Beta)

Mosyle Business specific capacities

Asset Tag and Tags
The user can be prompted to enter the Asset Tag and Tags that are stored in the device’s inventory and may be used as criteria for Smart groups (API v1)

Mosyle Manager specific capacities

Asset Tag and Tags
The user can be prompted to enter the Asset Tag and Tags that are stored in the device’s inventory and may be used as criteria for Smart groups (API v2)

SimpleMDM specific capacities

Custom attributes
• The user can be prompted to enter an arbitrary text for a pre-defined custom attribute
• The user can be prompted to select values in up to four fully customizable menus mapped to custom attributes
• These values are stored in the device’s inventory and may be used as key values inside Configuration profiles (API v1)

Cisco Meraki Systems Manager specific capacities

Tags and Notes
The user can be prompted to enter the Tags and Notes that are stored in the device’s inventory (API v1)
Software dependencies

Graphical user interface
• MOM relies on DEPNotify to provide a graphical user interface
• DEPNotify is dynamically downloaded from the editor’s website, but can be encapsulated in the Content package if Internet connectivity is not available at the time of integration
• The DEPNotify panes can be widely customized with your own titles, texts and organization’s pictures
• MOM can revert to a lightweight AppleScript-only interface if DEPNotify integration is disabled

Dock configuration
The Dockutil binary is dynamically downloaded from GitHub if Internet connectivity is available at onboarding time

Desktop picture configuration
The set_desktops.py script is dynamically downloaded from GitHub if Internet connectivity is available at onboarding time

Munki launching
The MunkiPostInstall script, used to launch the Munki LaunchDaemons without a restart after install, is dynamically downloaded from GitHub if Internet connectivity is available at onboarding time

API calls
• MOM relies on JQ to parse the JSON data received from VMware Workspace ONE UEM
• JQ is dynamically downloaded from GitHub if Internet connectivity is available at onboarding time
Implementation

Configuration
• Setup mode is configured with one property list file for its execution and one property list file per MOM Location; these files are read locally
• AutoSetup mode is configured with one property list file per MOM Location; this file is received from the MDM as a Configuration profile, and MOM waits for its reception before proceeding

Content
• Content is the pictures, files and scripts used during the onboarding process, wrapped in a signed package
• Setup mode: the Content package is installed locally when MOM is executed
• AutoSetup mode: the Content package is installed from the MDM, and MOM waits for its installation before proceeding

Resources
(Setup mode only)
• MOM « Essential » provides that the property list files and the content are encapsulated in an encrypted disk image positioned in the same folder as MOM-Core when it is executed
• MOM « Premium » provides that those resources are encapsulated, at no extra cost, in a customized copy of MOM-Core named MOM-Custom

Execution prevention
(Setup mode only)
• MOM « Essential »: the correct entry of a security code is required to authorize MOM-Core to access the encrypted disk image encapsulating the resources required for its operation
• MOM « Premium »: the correct entry of a security code can be required to authorize the execution of MOM-Custom, in the context where user accounts have administrative privileges and the software has been left unattended on the device

Logs
MOM logs, used for debugging purposes and stored only locally on the device, can be deleted immediately once the workflow is completed

Trust
• Both MOM-Core and MOM-Custom are signed and notarized, so you can be confident that the software has been checked for malicious code
• Agnosys can sign and notarize your Content package if necessary as part of a support action
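Signing and notarization are only worth something if the installing side checks them. The shell below is an added example (not MOM's or Agnosys' code) of that check before a package such as MOM-Core or a Content package is installed: it reads the output of `pkgutil --check-signature` and requires a Developer ID signature, a notarization ticket and the expected Team ID. The `pkgutil` outputs are constructed samples in the format the command prints, and `TEAMID0000` is a placeholder, not Agnosys' real Team ID.

```shell
#!/bin/sh
# Added example (not MOM's own code): refuse to install a package unless it is
# Developer ID signed, notarized and issued to the expected Team ID.

EXPECTED_TEAM_ID="TEAMID0000"   # placeholder: replace with the vendor's real Team ID

# Constructed sample of `pkgutil --check-signature MOM-Core.pkg` for a good package
SAMPLE_GOOD='Package "MOM-Core.pkg":
   Status: signed by a developer certificate issued by Apple for distribution
   Notarization: trusted by the Apple notary service
   Certificate Chain:
    1. Developer ID Installer: Example Vendor (TEAMID0000)
    2. Developer ID Certification Authority
    3. Apple Root CA'

# Constructed sample for an unsigned package
SAMPLE_UNSIGNED='Package "MOM-Core.pkg":
   Status: no signature'

# package_trusted CHECK_OUTPUT TEAM_ID -> 0 if every check passes, 1 otherwise
# Each rejection reason is printed on stderr so it ends up in the install log.
package_trusted() {
  out=$1; team=$2
  case "$out" in
    *"Status: signed by a developer certificate issued by Apple for distribution"*) ;;
    *) echo "rejected: package is not Developer ID signed" >&2; return 1 ;;
  esac
  case "$out" in
    *"Notarization: trusted by the Apple notary service"*) ;;
    *) echo "rejected: package is not notarized" >&2; return 1 ;;
  esac
  # The Team ID appears in parentheses after the Developer ID Installer name.
  case "$out" in
    *"Developer ID Installer: "*"($team)"*) ;;
    *) echo "rejected: signer is not the expected Team ID $team" >&2; return 1 ;;
  esac
  return 0
}

# install_if_trusted PKG_PATH TEAM_ID -> macOS only, run as root
install_if_trusted() {
  package_trusted "$(pkgutil --check-signature "$1")" "$2" || return 1
  installer -pkg "$1" -target /
}

# Real usage: install_if_trusted "/path/to/MOM-Core.pkg" "$EXPECTED_TEAM_ID"
```

Pinning the Team ID is the part that matters: a package that is merely "signed and notarized" could come from any Developer ID holder, whereas a Team ID match ties the package to the vendor you actually obtained it from.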
macOS compatibility
MOM is currently compatible with macOS 12 (Monterey), macOS 11 (Big Sur), macOS 10.15 (Catalina), macOS 10.14 (Mojave) and macOS 10.13.4 or later (High Sierra)

Processor compatibility
MOM is compatible with Apple silicon and Intel processors

(1) Some MDMs offer the capacity to install a developer-signed package (PKG) specifically during the Automated Device Enrollment sequence. MOM-Core should ideally be installed with this mechanism (see the MDM documentation). If the MDM does not offer this capacity, MOM-Core should be installed like any other PKG, at enrollment, with the highest priority, with some reasonable compromises due to velocity concerns.

(2) An ADE (Automated Device Enrollment) capable Mac is registered in Apple Business Manager or Apple School Manager and is therefore eligible for an initial configuration, including an MDM enrollment, from the Setup Assistant. Please note that the only way to prevent a device from being unenrolled, even by users who have administrative privileges, is to enroll the device in MDM using Automated Device Enrollment with the « prevent unenrollment » option enabled in the enrollment profile.

(3) Munki is expected to deploy the apps that are not available on the Mac App Store. Mac App Store apps must be distributed by an MDM linked to Apple Business Manager or Apple School Manager with licences purchased en masse.