Push MDM Commands to a Single Device
Admins can push commands to an MDM-enrolled device only when it is powered on and connected to the network.
- Go to your Identity Enterprise Manager > Trusted Devices > Devices and select an active and supervised device.
- Click Settings in the prompted panel.
- Scroll down to the Manage section and perform the actions as needed:
- Apply MDM Policy
- Lock Screen/Device
- Restart Device
- Power Off Device
- Reset to Factory Defaults
Understand Device Screen Locking and Factory Reset Behaviors
Certain Mac devices require you to generate a 6-digit PIN for locking or resetting. The PIN will be necessary to unlock the Mac or sign in after a reset. Please store the PIN safely, as UniFi Identity Enterprise doesn't store it.
Lock Device Screen
Upon receiving the Lock Device command, the Mac will lock and can only be unlocked using the 6-digit PIN set by the workspace admins. The behavior varies based on hardware and macOS version. See the details below.
Installed with Apple silicon
- macOS 11.5 or earlier: PIN is not supported. The Mac will lock and reboot to macOS Recovery upon receiving the command and will require authentication and activation.
- macOS 11.5 or later: The Mac will reboot and lock upon receiving the command, and can be unlocked using the set PIN.
Installed with Intel processor running any supported macOS version
The device will reboot and lock upon receiving the command and can be unlocked using the set PIN.
Upon receiving the Lock Screen command, the Windows PC’s screen will lock and can be unlocked using the device's password.
Reset to Factory Defaults
Note: This action cannot be undone.
The behavior varies based on hardware and macOS version. See the details below.
Installed with Apple silicon (PIN is not supported)
- macOS 12 or earlier: Upon receiving the command, all data and configurations of the Mac will be erased.
- macOS 12 or later: Upon receiving the command, all data and configurations of the Mac will be erased. If the Erase All Content and Settings (EACS) process fails, the Mac will automatically switch to the erase behavior, and macOS will require a reinstall.
Installed with Intel T1 or Intel T2 running macOS 12 or later
Upon receiving the Reset to Factory Defaults command, the Mac will execute the Erase All Content and Settings (EACS) process, and a PIN is required for the next sign-in. If EACS fails, all data and configurations will be erased, and macOS will require a reinstall.
Upon receiving the Reset to Factory Defaults command, all data and configurations of the Windows PC will be erased.
Bulk Manage MDM-Enrolled Devices via MDM Policy
IT admins can go to their Identity Enterprise Manager (https://[your workspace domain].ui.com/cloud) to push configurations, packages, and customized profile files to MDM-enrolled devices through MDM policies.
- Go to Trusted Devices > MDM Settings > MDM Policy and select "Mac" or "Windows".
- Click + New Policy or select an existing policy.
- Specify the policy name and select the applied users.
- Specify the following configurations as needed.
|Device Password Requirements||Require strong passwords with a minimum of specific characters||Require strong passwords with a minimum of specific characters|
|Update Policy||Automatically download and install the latest macOS version||
|Device Name||Rename devices using a specific format||Rename devices using a specific format|
- Click Add Custom Profile File.
- Drag and drop or upload the profile file and click Upload.
- Click Create Policy or Apply Changes.
- When an MDM policy is enabled, the system will automatically push profiles to the applied users’ MDM-enrolled devices.
- Deleting profile files from an MDM policy will also remove the corresponding profiles from the applied users’ devices.
View the Device and MDM Status
- Go to Trusted Devices > Devices.
- View the Status and MDM columns. See below to understand each status.
Note: MDM commands can only be pushed to active and supervised devices.
|Active||The device is managed by Identity Enterprise.||
|Deactivated||The device is not managed by Identity Enterprise and must be re-enrolled for supervision.||Delete|
|Deleted||The device is removed from the device list and no longer be managed by Identity Enterprise.||
|Awaiting Enrollment||A DEP device is assigned to a user but is not activated. Its status will change to “Supervised” once it is activated and enrolled in MDM.||-|
|Enrollment Failed||Failed to enroll the device in MDM.||Admins can hover their mouse over the device and click Retry.|
|Enrolling||The device is being enrolled in MDM.||-|
|Pending Approval||The device is enrolled by a user and is waiting for the admin’s approval.||Enrollment approvers can hover their mouse over the device and click Approve or Reject.|
|Rejected||The device is enrolled by the user but their enrollment request is rejected by the admin.||-|
|Supervised||The device is enrolled and managed by the Identity Enterprise MDM server.||Admins can hover their mouse over the device and click Unsupervise.|
|Unsupervised||Once unsupervised, the device’s MDM profile will be removed, and it will no longer be managed by the Identity Enterprise MDM server unless it is re-enrolled.||-|