
Mac Authenticator Automated Device Enrollment Guide

Overview
  • Apple Business Manager setup
    • Create MDM Server
    • Apple Configurator setup
  • Jamf Pro setup
    • Create MDM Server
    • Create Configuration Profiles
    • Create PreStage Enrollment

Apple Business Manager setup

  1. Sign in to Apple Business Manager
  2. Go to Preferences to add a new MDM Server
  3. Set up the MDM Server
     • Provide a name for the MDM Server
     • Check the box to “Allow this MDM Server to release devices.”
  4. Download the token for the newly created MDM Server (this token needs to be set on the MDM, e.g., Jamf)
  5. Go to the App Store and download the Apple Configurator iOS app (this is required for the Admin to configure provisioning through the MDM)
     • Sign in using your Apple Business Manager account
     • Pick the newly created MDM Server as the default assigned for provisioned machines

JAMF Pro Setup

Step 1: Sign in to your Jamf Pro account at https://DOMAIN.jamfcloud.com
Step 2: Go to “Settings”, then navigate to “Automated device enrollment” to create a new MDM server integration
Step 3: Set up a new instance of the MDM server (choose the server token file obtained from Apple Business Manager, as described in step 4 of the Apple Business Manager section)
Step 4: Set up Configuration Profiles
4-a: Go to “Computers”, then navigate to “Configuration Profiles”
4-b: Create the “Account Provisioning Profile”
4-b-i: Click the + New button to create a new profile
4-b-ii: Provide a name for the new configuration profile
4-b-iii: Open “Application & Custom Settings” and click Upload
4-b-iv: Define the Property List (PLIST) for the Configuration Profile
NOTE: Make sure that your downloaded PLIST has the following values:
	<key>enableGetStartedNotification</key>
	<true/>
	<key>runPostEnrollmentAfterReboot</key>
	<true/>
  • Create a Preference Domain for ai.truu.ma.dep with the following PLIST:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple Computer//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>createAdminAccount</key>
	<true/>
</dict>
</plist>
  • You will then see the new preference domain and its key listed in your profile.
4-c: Create the Application Provisioning Profile
4-c-i: Follow steps i – iii of part b above to add the Application Provisioning Profile
4-c-ii: Enter ai.truu.ma.configuration as the Preference Domain
4-c-iii: To create the PLIST, convert your “application.config” file to a PLIST by replacing the “CHANGE IT” variables with the values from your config file:
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
	<key>allowPasswordSync</key>
	<true/>
	<key>canUnenroll</key>
	<true/>
	<key>enableAdminAccess</key>
	<true/>
	<key>domain</key>
	<string>c2</string>
	<key>idsDomainLookup</key>
	<string>https://global-stage.platform.truu.ai/api/v1/public/fqdn/{CHANGE IT}</string>
	<key>oAuthClientId</key>
	<string>{CHANGE IT}</string>
	<key>oAuthClientSecret</key>
	<string>{CHANGE IT}</string>
	<key>oAuthScope</key>
	<string>tenant-management-api-agent</string>
	<key>ssoRedirectionURLs</key>
	<array>
		<string>{CHANGE IT}</string>
	</array>
	<key>authPluginSettings</key>
	<dict>
		<key>enableLoginWindow</key>
		<true/>
	</dict>
	<key>accountLockOverride</key>
	<dict>
		<key>maxFailedLoginAttempts</key>
		<integer>10</integer>
		<key>minutesUntilFailedLoginReset</key>
		<integer>10</integer>
		<key>shouldLockScreenOnAccountLock</key>
		<true/>
	</dict>
</dict>
</plist>
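To carry out the substitution in step 4-c-iii without uploading a profile that still contains a “CHANGE IT” placeholder, here is an added Python example (not TruU's or Jamf's code). It assumes the values have already been read out of application.config into a dict with the hypothetical key names shown; the PLIST keys and defaults are the ones listed above.

```python
import plistlib

PLACEHOLDER = "{CHANGE IT}"
# The ai.truu.ma.configuration keys from the guide, placeholders left in place.
TEMPLATE = {
    "allowPasswordSync": True, "canUnenroll": True, "enableAdminAccess": True,
    "domain": "c2",
    "idsDomainLookup": "https://global-stage.platform.truu.ai/api/v1/public/fqdn/" + PLACEHOLDER,
    "oAuthClientId": PLACEHOLDER, "oAuthClientSecret": PLACEHOLDER,
    "oAuthScope": "tenant-management-api-agent",
    "ssoRedirectionURLs": [PLACEHOLDER],
    "authPluginSettings": {"enableLoginWindow": True},
    "accountLockOverride": {"maxFailedLoginAttempts": 10,
                            "minutesUntilFailedLoginReset": 10,
                            "shouldLockScreenOnAccountLock": True},
}

# Constructed sample values standing in for application.config; the key names
# are assumptions, not TruU's documented format.
SAMPLE_CONFIG = {
    "tenant_fqdn": "tenant.example.com",
    "oauth_client_id": "client-123",
    "oauth_client_secret": "example-secret",
    "sso_redirect_url": "https://sso.example.com/callback",
}

def build_plist(cfg):
    """Copy the template and substitute the four placeholder values."""
    d = dict(TEMPLATE)
    d["idsDomainLookup"] = d["idsDomainLookup"].replace(PLACEHOLDER, cfg["tenant_fqdn"])
    d["oAuthClientId"] = cfg["oauth_client_id"]
    d["oAuthClientSecret"] = cfg["oauth_client_secret"]
    d["ssoRedirectionURLs"] = [cfg["sso_redirect_url"]]
    return d

def leftover_placeholders(obj, path="root"):
    """Return dotted paths of every string that still contains {CHANGE IT}."""
    if isinstance(obj, dict):
        return [p for k, v in obj.items() for p in leftover_placeholders(v, f"{path}.{k}")]
    if isinstance(obj, list):
        return [p for i, v in enumerate(obj) for p in leftover_placeholders(v, f"{path}[{i}]")]
    return [path] if isinstance(obj, str) and PLACEHOLDER in obj else []

def render(cfg):
    """Fill the template; refuse to emit it if any placeholder survived."""
    d = build_plist(cfg)
    if left := leftover_placeholders(d):
        raise ValueError("unfilled placeholders: " + ", ".join(left))
    return plistlib.dumps(d, fmt=plistlib.FMT_XML)
```

The bytes from render() are the .plist you upload in step 4-b-iii; since the file carries oAuthClientSecret, store and hand it over as a secret rather than alongside the documentation.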
4-d: Create the Configuration to Enable SSO
4-d-i: Scroll to “Single Sign-On Extensions” and click the + Add button
4-d-ii: Enter the following:
  • Payload Type – SSO
  • Extension Identifier – com.truu.LoginHost.SSO
  • Team Identifier – VGJPA2G633
  • Sign-on Type – Credential
  • Realm – Company Kerberos Realm (e.g. {domain.com})
  • Hosts – Company resource domains (e.g. {domain.com})
4-e: Apply Scope to the Provisioning Profiles (as needed)
Step 5: Configure PreStage Enrollments
5-a: Go to “Computers”, then select “PreStage Enrollments”
5-b: Set up a new PreStage Enrollment
5-c: Configure the General settings (MDM server, Setup Assistant Options, etc.)
Note: The TruU agent is responsible for local account creation during the enrollment process. Account creation from the MDM setting should be skipped.
5-d: Select the Configuration Profiles that were created above
5-e: Define the Distribution Point for the Enrollment Package
You’re all set! Go back to the Apple Configurator iOS app and start provisioning new machines.