Top

MacOnboardingMate – Capacities – EN

Capacities

The capacities listed below are the ones that are currently actively supported by MOM.

Any idea to enrich MOM capacities or being able to adopt MOM ? Feel free to send a feature request via the form available at the bottom on the Introduction page.

Enrollment
Setup and AutoSetup • MOM is delivered as two different modules called Setup and AutoSetup
• Setup is executed from an opened end user’s session to streamline the onboarding using Device Enrollment (no-ADE capable Mac) or Automated Device Enrollment (ADE capable Mac) (1)
• AutoSetup is a lightweight version of Setup, installed by the MDM and executed silently as soon as possible in the context of Automated Device Enrollment (ADE capable Mac required) (2)
Locations • A MOM Location refers to the destination point of the device once enrolled in your management solution
• Depending on your management solution, a MOM Location can be seen as a site or a device group
• Device Enrollment : the targeted Location is defined automatically (one Location available) or manually with a selector (two or more Locations available)
• Automated Device Enrollment : the targeted Location is defined automatically
Configuration • Setup is configured with one property list file for its execution and one property list file per MOM location ; these files are read locally
• AutoSetup is configured with one property list file per MOM location ; this file is received from MDM as a Configuration profile
Content • Content is pictures, files and scripts used during the onboarding process, embedded in an signed package
• Setup : the package is installed locally when Setup is executed
• AutoSetup : the package is installed from the MDM and AutoSetup waits for its installation before proceeding
Custom copy
(Setup only)
• Setup « Premium » offers at no extra cost the possibility for the customer to get a customized copy of MOM encapsulating all the resources required for its operation
• Setup « Essential » provides that these resources are encapsulated in an encrypted disk image positioned in the same folder as Setup when it is executed
MDM enabled user
(Setup only)
• The MDM enabled user is basically the logged in user during the enrollment or the user created in the Computer account pane of the Setup Assistant (Automated Device Enrollment only) and is the only user on the device to be able to receive User-level Configuration profiles (User Channel)
• In the context of 1:1 deployments, the technician can be asked to validate that Setup is correctly executed from the session of the targeted MDM enabled user
MDM migration
(Setup only)
• Setup detects that the device is currently enrolled in a MDM (the targeted one or another /previous one)
• In this context, Setup orchestrates the new enrollment using Device Enrollment or Automated Device Enrollment (3)
ADE remediation
(Setup only)
• Setup detects that the device was enrolled in a MDM (the targeted one or another / previous one) without using Automated Device Enrollment and that an enrollment profile is currently available in Apple Business Manager or Apple School Manager
• In this context, Setup orchestrates the new enrollment using Automated Device Enrollment (3)
ADE warning
(Setup only)
Setup can warn the technician that an Automated Device Enrollment profile is not available for the device (which may be the result of a misconfiguration either in the MDM, Apple Business Manager or Apple School Manager) and offers whether or not to continue using Device Enrollment
BYOD devices • User Enrollment is the appropriate option to enroll BYOD devices in a MDM, bringing better user acceptance and more privacy for end users
• From MOM perspective, User Enrollment is piloted the same way as Device Enrollment
Execution prevention
(Setup only)
• Setup « Premium » : the correct entry of a security code can be required to authorize the execution of Setup in the context where user accounts have administrative privileges and the software has been left unattended on the device
• Setup « Essential » : the correct entry of a security code is required to authorize Setup to access the encrypted disk image encapsulating the resources required for its operation
Logs MOM logs, used for debugging purposes and stored only locally on the device, can be deleted immediately once the workflow is completed
Trust • Both MOM Setup and AutoSetup are signed and notarized so you are confident that the software has been checked for any malicious code
• Agnosys can sign and notarize your Content package if necessary as part of a support action
macOS compatibility MOM is currently compatible with macOS 11 (Big Sur), macOS 10.15 (Catalina), macOS 10.14 (Mojave) and macOS 10.13.4 or later (High Sierra)
Processor compatibility MOM is compatible with Apple silicon and Intel processors
Basic configurations
Boot volume name The Boot volume can be renamed silently to a defined arbitrary name
Desktop picture • The Desktop picture can be customized with a wallpaper provided by your organization (PNG file)
• The setting is by default executed via the Login script once per logged-in user to let the end users customize their Desktop picture afterwards
Dock • The Dock can be customized to add the Self Service app icon and to remove unwanted macOS apps icons
• The setting is by default executed via the Login script once per logged-in user to let the end users customize their Dock afterwards
Firmware password The Firmware password of an Intel Mac can be set silently to a defined arbitrary string
Remote Management • The Remote Management service can be configured to accept incoming connections only as the Management account with all privileges
• An Enable Remote Desktop MDM command is still required to enable silently the remote observation of the screen
Rosetta 2 Rosetta 2 that enables a Mac with Apple silicon to run Intel apps can be installed
Device renaming
Renaming methods • Prompt : the user is prompted to enter the device name
• Template : the device name is composed with arbitrary text and Product Name and/or Serial Number informations
• CSV : the device name is retrieved from a Serial Number / Device name CSV table stored inside the Content package
Device name case A lowercase or uppercase conversion can be enforced with prompt and template renaming methods
Device name lenght • A maximal lenght can be enforced whatever renaming method is used
• This policy will typically prevent a distortion between the local computer name and the Active Directory computer record name limited to 15 characters
Management account
Account creation
(Setup only)
• The defined management account is created at enrollment if missing
• The management account parameters include Account name, Full name, UID, Shell, Home folder, Password and Hidden flag
• The creation is executed silently on a device since macOS 11 with a Bootstrap Token escrowed by the MDM, or if a SecureToken should not be granted
• The creation is interactive if a SecureToken must be granted
Account creation
(AutoSetup)
The defined management account is created if missing after the Automated Device Enrollment sequence
Account picture The management account can be customized with a picture provided by your organization (PNG file)
Delete other local accounts
(Setup only)
• If the management account has been created during the workflow, all the other local accounts can be deleted
• The use case is the preparation of a no-ADE capable Mac by a technician who sets up a temporary Computer account manually in the Setup Assistant while the Management account creation is automated for its credentials reliability
Directory integration
Azure AD integration MOM has been been designed to work effectively with Jamf Connect and Mosyle Auth 2. These tools replace the macOS login window by a customized login window that authorizes the sign in with a Microsoft Azure AD account for a just-in-time local account creation.
Modern On-Prem AD integration MOM has been been designed to work effectively with NoMAD Login. This tool replaces the macOS login window by a customized login window that authorizes the sign in with a Microsoft AD account for a just-in-time local account creation.
Traditional On-Prem AD integration • The device can be bound traditionally to an Active Directory server to implement mobile accounts
• As part of a support action, Agnosys can provide you with a traditional integration script, intended to be used as a Preflight script, and assist you in its customization
• The use case is the workflow that plans that the binding is not done via the Directory payload of a Configuration profile provided by the MDM, but by a script executed once the device has been renamed
Open source products integration
Munki Munki is a set of tools, used together with a webserver-based package repository, that are implemented in organizations all over the world to manage software installs on macOS devices (4)
• Setup : an initial Munki Check-in is executed to install as soon as possible most critical apps as desired once the workflow is completed or once the end user logs out
• AutoSetup : an initial Munki Check-in is executed as desired once the first end user logs in (with a graphical user interface to display a progression) or silently in background
• When an MDM solution is used, Munki is seen as an auxiliary tool and the configuration of the Munki agent is supposed to be performed by an MDM Configuration profile
• When an MDM solution is not used, Munki is considered the main management solution and the configuration of the Munki agent must be performed by a script provided by Agnosys
• Munki is dynamically downloaded from GitHub if Internet connectivity is available at onboarding time
NoMAD NoMAD is a tool that let local accounts sign in with their AD account essentially to get Kerberos tickets at login and keep their local password synchronized with their AD password, without binding their device traditionally to AD nor implementing mobile accounts that are source of known concerns
• NoMAD is dynamically downloaded from the editor’s website if Internet connectivity is available at onboarding time and configured with an MDM Configuration profile
NoMAD Login NoMAD Login is a tool that let users to sign in with their AD account from a customized login window so their local account is created just-in-time, without binding their device traditionally to AD nor implementing mobile accounts
• The awesome caribou picture can be replaced by a picture provided by your organization (PNG file)
• NoMAD Login is dynamically downloaded from the editor’s website if Internet connectivity is available at onboarding time and configured with an MDM Configuration profile
Advanced configurations
Scripts embedded in MOM • Preflight, Postflight and Login scripts provided by your organization or wrote by (or with the help of) Agnosys as part of a support action can be embedded in MOM
• Preflight and Postflight scripts, than can bee seen as Hooks to enrich the default code, are executed respectively at the beginning and at the end of the workflow, as the root user (caution)
• Login script is executed when the user logs in, as the logged-in user (safer)
Scripts embedded in profiles The device can be configured to execute the loginhook and/or logouthook scripts embedded in the Login Window payload of a Configuration profile provided by the MDM
Jamf Pro specific capacities
Asset Tag or Extension attribute • The user can be prompted to enter an arbitrary text for the « Asset Tag » field or a pre-defined extension attribute field
• This value stored in the device’s inventory may be used as a criterion for Smart groups (Classic API)
Remote Management An Enable Remote Desktop MDM command is automatically sent to the enrolled device after the Remote Management service has been enabled (Classic API)
Jamf School specific capacities
Asset Tag and Notes The user can be prompted to enter the Asset Tag and Notes that are stored in the device’s inventory and may be used as criteria for Smart groups
Microsoft Intune specific capacities
Notes The user can be prompted to enter the Notes that are stored in the device’s inventory (API Graph Beta)
Mosyle Business specific capacities
Asset Tag and Tags The user can be prompted to enter the Asset Tag and Tags that are stored in the device’s inventory and may be used as criteria for Smart groups (API v1)
Mosyle Manager specific capacities
Asset Tag and Tags The user can be prompted to enter the Asset Tag and Tags that are stored in the device’s inventory and may be used as criteria for Smart groups (API v2)
SimpleMDM specific capacities
Custom attribute The user can be prompted to enter an arbitrary text for a pre-defined custom attribute that is stored in the device’s inventory and may be used as a key value inside a Configuration profile (API v1)
Cisco Meraki Systems Manager specific capacities
Tags and Notes The user can be prompted to enter the Tags and Notes that are stored in the device’s inventory (API v1)
Software dependencies
Graphical user interface • MOM relies on DEPNotify to provide a graphical user interface
• DEPNotify is dynamically downloaded from the editor’s website but can be encapsulated in MOM as part of the Setup « Premium » service if Internet connectivity is not available at the time of integration
• The DEPNotify panes can be widely customized with your own titles, texts (unformatted) and organization’s pictures
• MOM can revert to an AppleScript-only interface if DEPNotify integration is disabled
Desktop picture configuration Dockutil binary is dynamically downloaded from GitHub if Internet connectivity is available at onboarding time
Dock configuration set_desktops.py script is dynamically downloaded from GitHub if Internet connectivity is available at onboarding time
Munki launching MunkiPostInstall script, used to launch Munki LaunchDaemons without restart after install, is dynamically downloaded from GitHub if Internet connectivity is available at onboarding time

(1) An ADE (Automated Device Enrollment) capable Mac is part of an Apple Business Manager or Apple School Manager and therefore is eligible to an initial configuration including an MDM enrollment from the Setup Assistant. Please note that the only way to prevent a device to be unenrolled even by users who have administrative privileges is to enroll the device in MDM using Automated Device Enrollment with the « prevent unenrollment » option enabled in the enrollment profile.

(2) Some MDM offer the capacity to install a developer signed package (PKG) specifically during the Automated Device Enrollment sequence. AutoSetup should ideally be installed with this mechanism (see MDM documentation and MOM Knowledge base). If the MDM does not offer this capacity, AutoSetup should be installed like any other PKG, at enrollment, with the highest priority, with some reasonable compromises due to velocity concerns.

(3) Setup does not have the capacity to force remove locally an Automated Device Enrollment Remote Management profile protected by a « prevent unenrollment » option. In this context, the unenrollment must be triggered from the MDM console.

(4) Munki is supposed to deploy the apps that are not available on the Mac App Store. Mac App Store apps must be distributed by an MDM linked to Apple Business Manager or Apple School Manager with en masse purchased licences.