macOS MDM setup

Mo Zhu


To turn on macOS, iOS, and iPadOS MDM features, follow the instructions on this page to connect Fleet to Apple Push Notification service (APNs).

To use automatic enrollment (aka zero-touch) features on macOS, iOS, and iPadOS, follow the instructions to connect Fleet with Apple Business Manager (ABM).

To turn on Windows MDM features, head to this Windows MDM setup article.

Turn on Apple MDM

Apple uses APNs to authenticate and manage interactions between Fleet and hosts.

To connect Fleet to APNs or renew APNs, head to the Settings > Integrations > Mobile device management (MDM) page.

Then click Turn on under the Apple (macOS, iOS, iPadOS) MDM section.


Apple requires that APNs certificates are renewed annually.

  • The recommended approach is to use a shared admin account to generate the CSR, ensuring it can be renewed regardless of individual availability.
  • If your certificate expires, you will have to turn MDM off and back on for all macOS hosts.
  • Be sure to use the same Apple ID from year-to-year. If you don't, you will have to turn MDM off and back on for all macOS hosts.

Apple Business Manager (ABM)


Available in Fleet Premium

Connect Fleet to your ABM to allow automatic enrollment for company-owned hosts and Account-driven User Enrollment for personal (BYOD) macOS, iOS, and iPadOS hosts.

To connect Fleet to ABM, you have to add an ABM token to Fleet. To add an ABM token:

  1. Navigate to the Settings > Integrations > Mobile device management (MDM) page.
  2. Under "Automatic enrollment", click "Add ABM", and then follow the instructions in the modal to upload an ABM token to Fleet.

When one of your uploaded ABM tokens has expired or is within 30 days of expiring, you will see a warning banner at the top of the page reminding you to renew your token.

To renew an ABM token:

  1. Navigate to the Settings > Integrations > Mobile device management (MDM) page.
  2. Under "Automatic enrollment", click "Edit", and then find the token that you want to renew. Token status is indicated in the "Renew date" column: tokens less than 30 days from expiring will have a yellow indicator, and expired tokens will have a red indicator. Click the "Actions" dropdown for the token and then click "Renew". Follow the instructions in the modal to download a new token from Apple Business Manager and then upload the new token to Fleet.
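
The renewal rules above (annual APNs renewal with a consistent, shared Apple ID, and the 30-day warning window for ABM tokens) can also be tracked outside the UI. The following is an added example, not Fleet's code: the inventory records, field names, account names, and the `status` and `audit` helpers are hypothetical, and the dates are constructed.

```python
from datetime import datetime, timedelta, timezone

WARN_WINDOW = timedelta(days=30)  # the page's warning window before expiry
SHARED_ACCOUNTS = {"mdm-admin@example.com"}  # assumed shared admin Apple ID

# Constructed inventory; field names are hypothetical, not a Fleet schema.
INVENTORY = [
    {"name": "APNs certificate", "kind": "apns",
     "renew_date": "2025-06-20T00:00:00+00:00",
     "apple_id": "jane@example.com",
     "previous_apple_id": "mdm-admin@example.com"},
    {"name": "ABM token (Enterprise)", "kind": "abm",
     "renew_date": "2026-03-01T00:00:00+00:00",
     "apple_id": "mdm-admin@example.com"},
    {"name": "ABM token (Acquisition)", "kind": "abm",
     "renew_date": "2025-05-15T00:00:00+00:00",
     "apple_id": "mdm-admin@example.com"},
]
NOW = datetime(2025, 6, 1, tzinfo=timezone.utc)  # fixed so results are stable

def status(renew_date, now):
    """Classify a renew date the way the "Renew date" column is described."""
    if renew_date <= now:
        return "expired"      # red indicator
    if renew_date - now < WARN_WINDOW:
        return "renew-soon"   # yellow indicator
    return "ok"

def audit(credentials, shared_accounts, now):
    """Return (name, status, notes) tuples, most urgent first."""
    urgency = {"expired": 0, "renew-soon": 1, "ok": 2}
    findings = []
    for cred in credentials:
        state = status(datetime.fromisoformat(cred["renew_date"]), now)
        notes = []
        if cred["kind"] == "apns":
            if state == "expired":
                notes.append("expired: MDM must be turned off and back on")
            if cred["apple_id"] not in shared_accounts:
                notes.append("CSR owner is not a shared admin account")
            previous = cred.get("previous_apple_id")
            if previous and previous != cred["apple_id"]:
                notes.append("Apple ID differs from last year's renewal")
        findings.append((cred["name"], state, notes))
    return sorted(findings, key=lambda f: (urgency[f[1]], f[0]))

if __name__ == "__main__":
    for name, state, notes in audit(INVENTORY, SHARED_ACCOUNTS, NOW):
        print(f"{state:<10} {name} {'; '.join(notes)}")
```
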

After connecting Fleet to ABM, set Fleet to be the MDM for all Macs:

  1. Log in to Apple Business Manager
  2. Click your profile icon in the bottom left
  3. Click Preferences
  4. Click MDM Server Assignment and click Edit next to Default Server Assignment.
  5. Switch Mac, iPhone, and iPad to Fleet.

macOS, iOS, and iPadOS hosts listed in ABM and associated with a Fleet instance with MDM enabled will sync to Fleet and appear in the Hosts view with the MDM status label set to "Pending".

Hosts that automatically enroll will be assigned to a default team. You can configure the default team for macOS, iOS, and iPadOS hosts by:

  1. Creating teams, if you have not already, following this guide. Our best practice recommendation is to have a team for each device type.
  2. Navigating to the Settings > Integrations > Mobile device management (MDM) page and clicking "Edit" under "Automatic enrollment".
  3. Clicking on the "Actions" dropdown for the ABM token you want to update, and then clicking "Edit teams".
  4. Using the dropdowns in the modal to select the default team for each type of host, and clicking "Save" to save your selections.

If no default team is set for a host platform (macOS, iOS, or iPadOS), then newly enrolled hosts of that platform will be placed in "No team".


A host can be transferred to a new (not default) team before it enrolls. In the Fleet UI, you can do this under Settings > Teams.

Volume Purchasing Program (VPP)


Available in Fleet Premium

To connect Fleet to Apple's VPP, follow the instructions in our VPP guide.

Best practice

Most organizations only need one ABM token and one VPP token to manage their macOS, iOS, and iPadOS hosts.

These organizations may need multiple ABM and VPP tokens:

  • Managed Service Providers (MSPs)
  • Enterprises that acquire new businesses and as a result inherit new hosts
  • Umbrella organizations that preside over entities with separated purchasing authority (e.g., a hospital or university)

For MSPs, the best practice is to have one ABM and VPP connection per client.

The default teams in Fleet for each client's ABM token will look like this:

  • macOS: 💻 Client A - Workstations
  • iOS: 📱🏢 Client A - Company-owned iPhones
  • iPadOS: 🔳🏢 Client A - Company-owned iPads

Client A's VPP token will be assigned to the above teams.

For enterprises that acquire new businesses, the best practice is to add a new ABM and VPP connection for each acquisition.

These will be the default teams in Fleet:

Enterprise ABM token:

  • macOS: 💻 Enterprise - Workstations
  • iOS: 📱🏢 Enterprise - Company-owned iPhones
  • iPadOS: 🔳🏢 Enterprise - Company-owned iPads

The enterprise's VPP token will be assigned to the above teams.

Acquisition ABM token:

  • macOS: 💻 Acquisition - Workstations
  • iOS: 📱🏢 Acquisition - Company-owned iPhones
  • iPadOS: 🔳🏢 Acquisition - Company-owned iPads

The acquisition's VPP token will be assigned to the above teams.

Simple Certificate Enrollment Protocol (SCEP)

Fleet uses SCEP certificates (1 year expiry) to authenticate the requests hosts make to Fleet. Fleet renews each host's SCEP certificates automatically every 180 days.

Troubleshooting failed enrollments

If a host is turned off due to user action or a low battery during the Setup Assistant, it may fail to enroll. This can also happen if your Fleet instance is down for maintenance when a host tries to enroll automatically during the Setup Assistant. In these cases, hosts usually restart after the user attempts to get past the "Welcome to Mac" screen. The best practice in this situation is to wipe the host with Fleet if it has network connectivity or to reinstall macOS from Recovery.
