UniFi Identity Enterprise - Manage MDM-Enrolled Devices

2023-11-24 02:15:19 UTC

Push MDM Commands to a Single Device

Admins can push commands to an MDM-enrolled device only while it is powered on and connected to the network. The device must also be active and supervised (see the status tables at the end of this article).

  1. Go to your Identity Enterprise Manager > Trusted Devices > Devices and select an active, supervised device.
  2. Click Settings in the panel that opens.
  3. Scroll down to the Manage section and perform the actions as needed:
    • Apply MDM Policy
    • Lock Screen/Device
    • Restart Device
    • Power Off Device
    • Reset to Factory Defaults

Understand Device Screen Locking and Factory Reset Behaviors

Some Mac models require you to generate a 6-digit PIN when locking or resetting the device. The PIN is needed to unlock the Mac, or to sign in after a reset. Store the PIN securely: UniFi Identity Enterprise does not store it, so it cannot be retrieved later.

Lock Device Screen

Mac

Upon receiving the Lock Device command, the Mac locks and, where a PIN is supported, can only be unlocked with the 6-digit PIN set by the workspace admin. The exact behavior depends on the hardware and macOS version:

  • Mac computers with Apple silicon

    • macOS earlier than 11.5: PIN is not supported. The Mac locks and reboots into macOS Recovery upon receiving the command, and then requires authentication and activation.
    • macOS 11.5 or later: The Mac reboots and locks upon receiving the command, and can be unlocked with the set PIN.
  • Intel-based Mac computers running any supported macOS version
    The Mac reboots and locks upon receiving the command, and can be unlocked with the set PIN.

Windows PC

Upon receiving the Lock Screen command, the Windows PC’s screen will lock and can be unlocked using the device's password.

Reset to Factory Defaults

Note: This action cannot be undone.

Mac

The behavior depends on the hardware and macOS version:

  • Mac computers with Apple silicon (PIN is not supported)
    • macOS earlier than 12: Upon receiving the command, all data and configurations on the Mac are erased.
    • macOS 12 or later: Upon receiving the command, all data and configurations on the Mac are erased. If the Erase All Content and Settings (EACS) process fails, the Mac falls back to the full erase behavior, after which macOS must be reinstalled.
  • Intel-based Mac computers with an Apple T1 or T2 security chip running macOS 12 or later
    Upon receiving the Reset to Factory Defaults command, the Mac runs the Erase All Content and Settings (EACS) process, and the PIN is required for the next sign-in. If EACS fails, all data and configurations are erased, and macOS must be reinstalled.

Windows PC

Upon receiving the Reset to Factory Defaults command, all data and configurations of the Windows PC will be erased.

Bulk Manage MDM-Enrolled Devices via MDM Policy

IT admins can go to their Identity Enterprise Manager (https://[your workspace domain].ui.com/cloud) to push configurations, packages, and customized profile files to MDM-enrolled devices through MDM policies.

  1. Go to Trusted Devices > MDM Settings > MDM Policy and select "Mac" or "Windows".
  2. Click + New Policy or select an existing policy.
  3. Specify the policy name and select the users the policy applies to.
  4. Specify the following configurations as needed. Options differ by OS:
Security
  • macOS
    • Restart device upon completion of the enrollment process
    • Prompt user to enable FileVault
    • Lock screen
  • Windows
    • Restart device upon completion of the enrollment process
    • Block the use of USB flash drives
    • Encrypt all non-removable drives
    • Lock screen
Device Password Requirements
  • macOS: Require strong passwords with a minimum length you specify
  • Windows: Require strong passwords with a minimum length you specify
Screen
  • macOS
    • Start the screen saver after a specified number of minutes of inactivity
    • Require a password after the screen saver begins or the display is turned off for a specified duration
  • Windows
    • Start the screen saver after a specified number of minutes of inactivity
    • On battery power, turn off the screen after a specified number of minutes
    • When plugged in, turn off the screen after a specified number of minutes
Sleep
  • macOS: Not supported
  • Windows
    • On battery power, put the device to sleep after a specified number of minutes
    • When plugged in, put the device to sleep after a specified number of minutes
Update Policy
  • macOS: Automatically download and install the latest macOS version
  • Windows
    • Allow or disallow updates not signed by Microsoft
    • Do not include drivers with Windows updates
    • Allow Windows service updates
    • Automatically check for updates at a specified interval
    • Turn off automatic restarts for updates during active hours
Device Name
  • macOS: Rename devices using a format you specify
  • Windows: Rename devices using a format you specify
  5. (Optional) Click Add Custom Profile File.
  6. Drag and drop or upload the profile file and click Upload.
  7. Click Create Policy or Apply Changes.

Notes:

  • When an MDM policy is enabled, the system automatically pushes its profiles to the MDM-enrolled devices of the users it applies to.
  • Deleting a profile file from an MDM policy also removes the corresponding profile from those users' devices.
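A custom profile file for macOS is an XML property list (a .mobileconfig). The script below is an added example, not UniFi's own code or tooling: it builds a profile that covers the screen-lock and password-requirement rows of the policy table above, and lints it before you upload it (required payload keys present, PayloadUUIDs unique, and the settings within limits you choose). The payload types com.apple.screensaver and com.apple.mobiledevice.passwordpolicy and their keys are Apple's; the identifier prefix com.example.uie, the display names, the organisation name and the limit constants are assumptions for the example.

```python
"""Build and sanity-check a macOS configuration profile (.mobileconfig)
before uploading it as a custom profile file in an MDM policy."""
import plistlib
import uuid

# Reverse-DNS prefix for payload identifiers; "com.example.uie" is an assumption.
ORG_PREFIX = "com.example.uie"

# Keys Apple requires at the top level of a profile and in every payload.
REQUIRED_KEYS = {"PayloadType", "PayloadIdentifier", "PayloadUUID", "PayloadVersion"}

# Limits enforced by lint_profile; these are assumed organisational minimums.
MAX_IDLE_SECONDS = 20 * 60        # screen saver must start within 20 minutes
MAX_PASSWORD_DELAY_SECONDS = 300  # password required within 5 minutes of lock
MIN_PASSWORD_LENGTH = 8


def _payload(payload_type, display_name, settings):
    """Wrap managed-preference keys in the standard payload envelope."""
    body = {
        "PayloadType": payload_type,
        "PayloadIdentifier": f"{ORG_PREFIX}.{payload_type}",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": display_name,
        "PayloadEnabled": True,
    }
    body.update(settings)
    return body


def build_profile(idle_minutes=10, min_password_length=12):
    """Return a system-scoped profile as XML plist bytes with two payloads:
    screen-lock settings (com.apple.screensaver) and a password policy
    (com.apple.mobiledevice.passwordpolicy)."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadScope": "System",
        "PayloadIdentifier": f"{ORG_PREFIX}.security-baseline",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
        "PayloadDisplayName": "Security baseline",
        "PayloadOrganization": "Example Org",  # assumed organisation name
        "PayloadContent": [
            _payload("com.apple.screensaver", "Screen lock", {
                "idleTime": idle_minutes * 60,  # seconds of inactivity
                "askForPassword": True,
                "askForPasswordDelay": 0,       # ask immediately after lock
            }),
            _payload("com.apple.mobiledevice.passwordpolicy", "Password policy", {
                "minLength": min_password_length,
                "requireAlphanumeric": True,
                "maxFailedAttempts": 10,
            }),
        ],
    }
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def with_setting(data, payload_type, key, value):
    """Return a copy of the profile with one key changed in matching payloads."""
    profile = plistlib.loads(data)
    for payload in profile["PayloadContent"]:
        if payload["PayloadType"] == payload_type:
            payload[key] = value
    return plistlib.dumps(profile, fmt=plistlib.FMT_XML)


def lint_profile(data):
    """Parse a profile and return a list of findings; an empty list passes."""
    findings = []
    try:
        profile = plistlib.loads(data)
    except Exception as exc:  # malformed XML, or not a plist at all
        return [f"not a valid plist: {exc}"]
    if profile.get("PayloadType") != "Configuration":
        findings.append("top-level PayloadType must be 'Configuration'")
    missing = REQUIRED_KEYS - set(profile)
    if missing:
        findings.append(f"top level: missing {sorted(missing)}")
    seen = set()
    for i, payload in enumerate(profile.get("PayloadContent", [])):
        missing = REQUIRED_KEYS - set(payload)
        if missing:
            findings.append(f"payload {i}: missing {sorted(missing)}")
        pid = payload.get("PayloadUUID")
        if pid in seen:
            findings.append(f"payload {i}: duplicate PayloadUUID {pid}")
        seen.add(pid)
        ptype = payload.get("PayloadType")
        if ptype == "com.apple.screensaver":
            idle = payload.get("idleTime", 0)
            if not 0 < idle <= MAX_IDLE_SECONDS:
                findings.append(f"payload {i}: idleTime {idle}s outside 1..{MAX_IDLE_SECONDS}")
            if not payload.get("askForPassword"):
                findings.append(f"payload {i}: askForPassword is not enabled")
            if payload.get("askForPasswordDelay", 0) > MAX_PASSWORD_DELAY_SECONDS:
                findings.append(f"payload {i}: askForPasswordDelay exceeds {MAX_PASSWORD_DELAY_SECONDS}s")
        elif ptype == "com.apple.mobiledevice.passwordpolicy":
            if payload.get("minLength", 0) < MIN_PASSWORD_LENGTH:
                findings.append(f"payload {i}: minLength below {MIN_PASSWORD_LENGTH}")
    return findings


if __name__ == "__main__":
    blob = build_profile()
    assert lint_profile(blob) == [], lint_profile(blob)
    with open("security-baseline.mobileconfig", "wb") as fh:
        fh.write(blob)
    print("wrote security-baseline.mobileconfig")
```

Running the script writes security-baseline.mobileconfig, which you can then upload with Add Custom Profile File; Identity Enterprise pushes it to the devices of the users the policy applies to. The output is an unsigned profile; sign it first if your change process requires signed profiles. Run lint_profile over profiles you receive from elsewhere as well: a profile that parses but silently sets askForPassword to false would otherwise weaken the screen-lock baseline without any error at upload time.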

View the Device and MDM Status

  1. Go to Trusted Devices > Devices.
  2. View the Status and MDM columns. See below to understand each status.

Note: MDM commands can only be pushed to active and supervised devices.

Device Status

Active
  Description: The device is managed by Identity Enterprise.
  Available actions:
  • Deactivate
  • Stop Supervising
Deactivated
  Description: The device is not managed by Identity Enterprise and must be re-enrolled for supervision.
  Available actions:
  • Delete
Deleted
  Description: The device has been removed from the device list and can no longer be managed by Identity Enterprise.
  Available actions:
  • Deactivate
  • Stop Supervising

MDM Status

Awaiting Enrollment
  Description: A DEP (Apple Device Enrollment Program) device is assigned to a user but has not yet been activated. Its status changes to "Supervised" once it is activated and enrolled in MDM.
  Available actions: none
Enrollment Failed
  Description: The device could not be enrolled in MDM.
  Available actions: Admins can hover over the device and click Retry.
Enrolling
  Description: The device is being enrolled in MDM.
  Available actions: none
Pending Approval
  Description: The device was enrolled by a user and is waiting for an admin's approval.
  Available actions: Enrollment approvers can hover over the device and click Approve or Reject.
Rejected
  Description: The device was enrolled by the user, but the enrollment request was rejected by an admin.
  Available actions: none
Supervised
  Description: The device is enrolled in and managed by the Identity Enterprise MDM server.
  Available actions: Admins can hover over the device and click Unsupervise.
Unsupervised
  Description: The device's MDM profile has been removed, and it is no longer managed by the Identity Enterprise MDM server unless it is re-enrolled.
  Available actions: none