UniFi Identity Enterprise - Understanding Identity Enterprise MDM

Overview

Identity Enterprise MDM allows you to securely and simply enroll and manage corporate-owned and BYOD macOS, Windows, iOS, and Apple tvOS devices. IT admins can push commands, security configurations, software packages, and customized profile files to enrolled devices through MDM policies.

The centralized inventory management also visualizes device information including device type, model, name, serial number, UDID, OS version, apps installed, app versions, and more.

Notes

  • Workspace Owner, Super Admin, IT Admin, and the customized admin roles with the Device permission can manage all the trusted devices in the workspace.
  • This feature is only available in the Identity Enterprise Paid Plan. To subscribe to it, please use your owner account to sign in to your Identity Enterprise Manager and go to Settings > Plan & Billing > Upgrade Plan.

Enrollment Method

Enrollment Method macOS Windows iOS tvOS
Enroll by Me Yes Yes Yes Yes
Invite User to Enroll Yes Yes Yes Yes
Apple Device Enrollment Program (DEP) Yes No No No
  • Enroll by Me: Admins can enroll devices using Mac, iPhone, or Apple TV profiles or a magic link for Windows PC. This is an ideal method for enrolling only one or a few devices. Learn more
  • Invite User to Enroll:
    • Streamline bulk enrollment: Admins can simultaneously invite multiple users to enroll their macOS, Windows, iOS, and Apple tvOS devices.
    • Auto notifications for instructions: UniFi Identity Enterprise sends the necessary information and instructions via email and push notifications to the selected users.
    • Approval process: After users complete the self-enrollment process, their enrollment requests will be sent to approvers through push notifications for approval.
    • Learn more
  • DEP: An Apple program automates the enrollment of new or factory-reset Macs into UniFi Identity Enterprise upon device activation. Learn more

Set Up Apple Push Notification Service (APNs)

Setting up Apple Push Notification service (APNs) is a required step in establishing mutual trust between your Apple account and UniFi Identity Enterprise. Once APNs is set up, you can remotely manage Macs in UniFi Identity Enterprise.

Note: Please do not reload or close the Identity Enterprise Manager during APNs setup.

Download the uid-mdm.csr File

  1. Sign in to your Identity Enterprise Manager (https://[your workspace domain].ui.com/cloud).
  2. Click Trusted Devices > MDM Settings > Apple Push Notification Service (APNs).
  3. Click Set Up.
  4. Click Download the uid-mdm.csr file. This file is used to establish trust between Apple and the Identity Enterprise MDM Server. You’ll need to upload it to Apple’s Push Certificate Portal later.
  5. Save the downloaded uid-mdm.csr file on your computer.

Download the Apple Push Certificate

  1. Sign in to your Apple Push Certificates Portal.
  2. Click Create a Certificate.
  3. Read the terms and conditions thoroughly, tick the "I have read and agree to these terms and conditions" checkbox, and click Accept.
  4. Click Choose file and select the CSR file from your computer.
  5. Click Upload to generate an Apple push certificate.
  6. Click Download. The Apple push certificate is downloaded to your computer.
  7. Refer to Apple’s documentation for details.

Upload the Apple Push Certificate

  1. Return to the Identity Enterprise Manager and enter the Apple ID used for generating the Apple push certificate. This feature is to help you document your Apple ID, preventing issues in case of forgotten or unknown Apple ID information. Note that using a certificate generated by a different Apple ID requires re-enrollment of all devices.
  2. Upload the Apple push certificate to the Identity Enterprise Manager.
  3. Click Set Up.

Renew an Apple Push Certificate

An Apple push certificate is valid for one year and must be renewed annually for continued Mac management. When expired, the Identity Enterprise MDM server cannot push MDM commands to MDM-enrolled Macs unless the certificate is renewed. If not renewed within 30 days after expiration, the certificate becomes invalid and the enrolled devices can no longer be managed.

Note: If the "Apple MDM Push Certificate does not match" window prompts, please make sure the Apple ID of the uploaded certificate matches that of the existing certificate.

  1. Sign in to your Identity Enterprise Manager (https://[your workspace domain].ui.com/cloud).
  2. Go to Trusted Devices > MDM Settings > Apple Push Certificate.
  3. Click Show More > Renew Apple Push Certificate.
  4. Download the uid-mdm.csr file.
    1. Click Download the uid-mdm.csr file. This file is used to establish trust between Apple and the Identity Enterprise MDM Server. You’ll need to upload it to Apple’s Push Certificate Portal later.
    2. Save the downloaded push CSR file on your computer.
  5. Upload the CSR file and download the Apple push certificate.
    1. Use the Apple ID displayed in the Apple ID for Record Keeping field to sign in to your Apple Push Certificates Portal. Please do not reload or close the Identity Enterprise Manager, you will need to return to it later.
    2. Find your current MDM certificate and click Renew.
    3. Click Choose File and select uid-mdm.csr file.
    4. Click Upload.
    5. Click Download. The Apple push certificate is downloaded to your computer.
  6. Return to the Identity Enterprise Manager and upload the push certificate.

Troubleshoot APNs

If your Macs aren't getting Apple push notifications, see this article to troubleshoot.

Set Up Apple Device Enrollment Program (DEP)

DEP is an Apple program that automates new or factory-reset Apple device enrollment into UniFi Identity Enterprise upon device activation.

Note: To set up DEP, APNs must be set up first.

Set Up DEP

  1. Sign in to your Identity Enterprise Manager (https://[your workspace domain].ui.com/cloud).
  2. Go to Trusted Devices > MDM Settings > Apple Device Enrollment Program (DEP).
  3. Click Set Up > Download the DEP Public Key.
  4. Sign in to your Apple Business Manager Portal or Apple School Manager Portal.
  5. In the lower-left corner, click your name and select "Preferences".
  6. Go to Your MDM Servers > Add MDM server.
  7. Provide a name for the server (e.g., Identity Enterprise).
  8. Click Choose File, select the DEP Public Key you downloaded from Step 3, and click Save.
  9. Go to the server details page and click Download Token.
  10. Click Download Server Token to save the token file.
  11. Go to Upload DEP Server Token and click Upload or drag and drop the server token.
  12. Click Next, configure the device setup settings as needed, and click Set Up.

Sync DEP Devices

Notes

  • You can only sync the devices registered in your Apple Business Manager or Apple School Manager.
  • Only the workspace owner, super admins, IT admins, and the device assignee can use their Identity Enterprise accounts to activate a synced device.
  1. Go to Trusted Devices > Devices and click the Sync DEP Devices icon.
  2. Select a device from the device list and click Settings > Assignee to assign it to a user.
Was this article helpful?
7 out of 8 found this helpful