UniFi Identity Enterprise - Managing Devices Enrolled in MDM

Push MDM Commands to a Single Device

Admins can push commands to an MDM-enrolled device only when it is powered on and connected to the network.

  1. Go to your Identity Enterprise Manager > Trusted Devices > Devices and select an active and supervised device.
  2. Click Settings in the prompted panel.
  3. Scroll down to the Manage section and perform the actions as needed. The following details the Identity Enterprise MDM capability to push each command to various device types.
Command                   | Mac | Windows PC | iPhone | Apple TV
Apply MDM Policy          | Yes | Yes        | Yes    | Yes
Lock Screen/Device        | Yes | Yes        | Yes    | No
Restart Device *          | Yes | Yes        | Yes    | Yes
Power Off Device *        | Yes | Yes        | Yes    | No
Reset to Factory Defaults | Yes | Yes        | Yes    | Yes
Note: Resetting or powering off iPhone and Apple TV requires enabling Apple device supervision.

Understand Device Screen Locking and Factory Reset Behaviors

Certain Mac devices require you to generate a 6-digit PIN for locking or resetting. The PIN will be necessary to unlock the Mac or sign in after a reset. Please store the PIN safely, as UniFi Identity Enterprise doesn't store it.

Lock Device Screen

Mac

Upon receiving the Lock Device command, the Mac will lock and can only be unlocked using the 6-digit PIN set by the workspace admins. The behavior varies based on hardware and macOS version. See the details below.

  • Installed with Apple silicon
    • macOS 11.5 or earlier: PIN is not supported. The Mac will lock and reboot to macOS Recovery upon receiving the command and will require authentication and activation.
    • macOS 11.5 or later: The Mac will reboot and lock upon receiving the command, and can be unlocked using the set PIN.
  • Installed with Intel processor running any supported macOS version
    The device will reboot and lock upon receiving the command and can be unlocked using the set PIN.

Windows PC

Upon receiving the Lock Screen command, the Windows PC’s screen will lock and can be unlocked using the device's password.

iPhone

Admins can choose to show a phone number and a customized lock message on an iPhone. Upon receiving the Lock Screen command, the iPhone screen locks promptly, showing the message and phone number. Users can unlock the device using their current passcode, Face ID, or Touch ID, and anyone who finds a lost iPhone can use the contact information shown on the screen.

Reset to Factory Defaults

Note: This action cannot be undone.

Mac

The behavior varies based on hardware and macOS version. See the details below.

  • Installed with Apple silicon (PIN is not supported)
    • macOS 12 or earlier: Upon receiving the command, all data and configurations of the Mac will be erased.
    • macOS 12 or later: Upon receiving the command, all data and configurations of the Mac will be erased. If the Erase All Content and Settings (EACS) process fails, the Mac will automatically fall back to the erase behavior, and macOS will require a reinstall.
  • Installed with Intel T1 or Intel T2 running macOS 12 or later
    Upon receiving the Reset to Factory Defaults command, the Mac will execute the Erase All Content and Settings (EACS) process, and a PIN is required for the next sign-in. If EACS fails, all data and configurations will be erased, and macOS will require a reinstall.

Windows PC

Upon receiving the Reset to Factory Defaults command, all data and configurations of the Windows PC will be erased.

iPhone

Upon receiving the Reset to Factory Defaults command, the iPhone will execute the Erase All Content and Settings (EACS) process. The iPhone will reboot and present the Setup Assistant. iOS 17 supports selecting the Return to Service option when erasing a device, which makes resetting and re-enrolling the iPhone fully automated and much faster.

Apple TV

Upon receiving the Reset to Factory Defaults command, the Apple TV will reboot and will present the Setup Assistant. It is important to note that this is not a full system restore, and the device will not be updated to the latest version.

Bulk Manage MDM-Enrolled Devices via MDM Policy

IT admins can go to their Identity Enterprise Manager (https://[your workspace domain].ui.com/cloud) to push configurations, packages, and customized profile files to MDM-enrolled devices through MDM policies.

  1. Go to Trusted Devices > MDM Settings > MDM Policy and select a device type.
  2. Click + New Policy or select an existing policy.
  3. Specify the policy name and select the applied users.
  4. Specify the configurations as needed.
  5. Click Add Custom Profile File.
  6. Drag and drop or upload the profile file and click Upload.
  7. Click Create Policy or Apply Changes.

Notes:

  • When an MDM policy is enabled, the system will automatically push profiles to the applied users’ MDM-enrolled devices.
  • Deleting profile files from an MDM policy will also remove the corresponding profiles from the applied users’ devices.

View the Device and MDM Status

  1. Go to Trusted Devices > Devices.
  2. View the Status and MDM columns. See below to understand each status.

Note: MDM commands can only be pushed to active and supervised devices.

Device Status

Status      | Description                                                                                     | Available Actions
Active      | The device is managed by Identity Enterprise.                                                   | Deactivate; Stop Supervising
Deactivated | The device is not managed by Identity Enterprise and must be re-enrolled for supervision.       | Delete
Deleted     | The device is removed from the device list and can no longer be managed by Identity Enterprise. | Deactivate; Stop Supervising

MDM Status

Status              | Description                                                                                                                                      | Available Actions
Awaiting Enrollment | A DEP device is assigned to a user but is not activated. Its status will change to “Supervised” once it is activated and enrolled in MDM.        | -
Enrollment Failed   | Failed to enroll the device in MDM.                                                                                                              | Admins can hover their mouse over the device and click Retry.
Enrolling           | The device is being enrolled in MDM.                                                                                                             | -
Pending Approval    | The device is enrolled by a user and is waiting for the admin’s approval.                                                                        | Enrollment approvers can hover their mouse over the device and click Approve or Reject.
Rejected            | The device is enrolled by the user but their enrollment request is rejected by the admin.                                                        | -
Supervised          | The device is enrolled and managed by the Identity Enterprise MDM server.                                                                        | Admins can hover their mouse over the device and click Unsupervise.
Unsupervised        | Once unsupervised, the device’s MDM profile will be removed, and it will no longer be managed by the Identity Enterprise MDM server unless it is re-enrolled. | -

Block Apps by Sending XML/.mobileconfig Files via MDM Policy

Mac

Identity Enterprise Desktop Agent utilizes Apple’s Endpoint Security System Extension to block specific software from running on Macs supervised by Identity Enterprise MDM.

The following outlines how to create an app restriction profile and send it to devices via MDM policy.

Requirements

  • macOS 10.15 or later.
  • Identity Enterprise Desktop Agent 0.70.4 or later. The Desktop Agent will be automatically installed on an MDM-enrolled Mac.

Create a Custom Profile for App Restrictions

  1. Identify the software’s Bundle ID and App Name. If a running process matches the Bundle ID, it will be blocked. Learn more about Bundle ID identification
  2. Create a .mobileconfig file. Here we use blocking Slack and the Identity Enterprise app as an example. You can change the app name and BundleIdentifier in the example below to block other apps.
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0">
<dict>
  <key>PayloadContent</key>
  <array>
    <dict>
      <key>AppsRestrictions</key>
      <array>
        <dict>
          <key>name</key>
          <string>Slack</string>
          <key>BundleIdentifier</key>
          <string>com.tinyspeck.slackmacgap</string>
        </dict>
        <dict>
          <key>name</key>
          <string>Identity Enterprise</string>
          <key>BundleIdentifier</key>
          <string>com.ui.uid.desktop</string>
        </dict>
      </array>
      <key>PayloadDisplayName</key>
      <string>Apps Restrictions</string>
      <key>PayloadIdentifier</key>
      <string>com.ui.uid.mdm.agent.apps-restrictions.43E00489-36CE-40FC-A369-8752536EB127</string>
      <key>PayloadType</key>
      <string>com.ui.uid.mdm.agent.apps-restrictions</string>
      <key>PayloadUUID</key>
      <string>46E3D5F7-8639-4A16-9004-2290F654CA82</string>
      <key>PayloadVersion</key>
      <integer>1</integer>
    </dict>
  </array>
  <key>PayloadDisplayName</key>
  <string>MDM Agent Apps Restrictions Configuration</string>
  <key>PayloadIdentifier</key>
  <string>com.ui.uid.mdm.agent.apps-restrictions</string>
  <key>PayloadOrganization</key>
  <string>Ubiquiti Networks, INC.</string>
  <key>PayloadScope</key>
  <string>System</string>
  <key>PayloadType</key>
  <string>Configuration</string>
  <key>PayloadUUID</key>
  <string>CC5C0E2C-C6C1-4D53-A370-8E5DAB29871F</string>
  <key>PayloadVersion</key>
  <integer>1</integer>
</dict>
</plist>
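
Hand-editing the plist above for every new app is error-prone (a mismatched PayloadUUID or a missing BundleIdentifier is easy to miss). The following is an added example, not part of the article or the Identity Enterprise product: it generates an apps-restriction profile with the same payload structure and types as the example above from a list of (name, bundle ID) pairs, and checks a profile before upload. The payload type strings and organization name come from the page's profile; the sample app list is constructed from it.

```python
import plistlib
import uuid

# Payload type used by the page's example apps-restriction profile.
APPS_RESTRICTIONS_TYPE = "com.ui.uid.mdm.agent.apps-restrictions"

# Constructed sample: the two apps from the page's example profile.
SAMPLE_APPS = [("Slack", "com.tinyspeck.slackmacgap"), ("Identity Enterprise", "com.ui.uid.desktop")]


def build_apps_restrictions_profile(apps, organization="Ubiquiti Networks, INC."):
    """Return .mobileconfig bytes (XML plist) blocking each (name, bundle id) in apps.
    Fresh PayloadUUIDs are generated on every call so an edited profile is distinct."""
    inner_uuid = str(uuid.uuid4()).upper()
    inner = {
        "AppsRestrictions": [{"name": n, "BundleIdentifier": b} for n, b in apps],
        "PayloadDisplayName": "Apps Restrictions",
        "PayloadIdentifier": f"{APPS_RESTRICTIONS_TYPE}.{inner_uuid}",
        "PayloadType": APPS_RESTRICTIONS_TYPE,
        "PayloadUUID": inner_uuid,
        "PayloadVersion": 1,
    }
    outer = {
        "PayloadContent": [inner],
        "PayloadDisplayName": "MDM Agent Apps Restrictions Configuration",
        "PayloadIdentifier": APPS_RESTRICTIONS_TYPE,
        "PayloadOrganization": organization,
        "PayloadScope": "System",
        "PayloadType": "Configuration",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadVersion": 1,
    }
    return plistlib.dumps(outer, fmt=plistlib.FMT_XML)


def blocked_bundle_ids(profile_bytes):
    """Parse a profile and return the bundle identifiers it blocks.
    Raises ValueError for a profile that is not a system-scoped Configuration or
    that lists an app without a BundleIdentifier, so mistakes surface before upload."""
    root = plistlib.loads(profile_bytes)
    if root.get("PayloadType") != "Configuration" or root.get("PayloadScope") != "System":
        raise ValueError("not a system-scoped Configuration profile")
    ids = []
    for payload in root.get("PayloadContent", []):
        if payload.get("PayloadType") != APPS_RESTRICTIONS_TYPE:
            continue
        for entry in payload.get("AppsRestrictions", []):
            if not entry.get("BundleIdentifier"):
                raise ValueError(f"missing BundleIdentifier for {entry.get('name')!r}")
            ids.append(entry["BundleIdentifier"])
    return ids
```

Write the returned bytes to a file ending in .mobileconfig and upload it as described in the next section; run blocked_bundle_ids on the file first to confirm it lists exactly the apps you intend.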
Upload the Profile to MDM Policy

  1. Go to your Identity Enterprise Manager > Trusted Devices > MDM Settings > MDM Policy > Mac.
  2. Select an existing policy or create a new policy.
  3. Specify the required information, go to Custom Profile File, and click Add Custom Profile File. Learn more about MDM policy
  4. Once the MDM policy is applied and the profile is sent to applied users’ Macs, the restricted app cannot be opened or downloaded.

Windows

Identity Enterprise MDM utilizes Windows Defender Application Control (WDAC) to block specific software from running on MDM-enrolled Windows devices.

WDAC Overview

WDAC controls what runs on your Windows devices through policies that specify whether a driver or application is trusted. WDAC policies apply to the managed computer as a whole and affect all device users. WDAC rules can be defined based on:

  • Attributes of the code-signing certificate(s) used to sign an app and its binaries.
  • Attributes of the app's binaries that come from the signed metadata for the files, such as the Original Filename and version, or the hash of the file.
  • The reputation of the app as determined by Microsoft's Intelligent Security Graph.
  • The identity of the process that initiated the app installation and its binaries (managed installer).
  • The path from which the app or file is launched (beginning with Windows 10 version 1903).
  • The process that launched the app or binary.

Important Notes

WDAC has the potential to block the OS from booting entirely. Please first read this article to understand the design of the WDAC policy.
Create WDAC Policy XML File

  1. Download WDAC Policy Wizard.
  2. Click Policy Editor.
  3. Ensure you have read the basic policies provided by Windows, select Edit Policy XML File, click Browse, and select the basic example policy XML file (e.g., c:\Windows\schemas\CodeIntegrity\ExamplePolicies\AllowAll.xml) from your computer.
  4. Configure the policy template, read the audit mode’s introduction carefully, enable it as needed, and click Next.
  5. In the File Rules step, click Add Custom Rule.
  6. Configure the custom rule conditions. Specify the rule action and rule type, and click Browse to select the application you want to control. The rule condition details will show up; configure them as needed and click Create Rules.
  7. Finish creating the policy XML file and remember the file path.

Convert Policy XML File to CSP XML File

  1. Convert the Policy XML file to a BIN file using Windows PowerShell with the following command:
     ConvertFrom-CIPolicy -XmlFilePath {existing .xml file path} -BinaryFilePath {.bin format file path to save}
  2. Convert the BIN file to base64 data.
  3. Create a CSP (Configuration Service Provider) XML file:
<Add>
  <CmdID>1</CmdID>
  <Item>
    <Target>
      <LocURI>./Vendor/MSFT/ApplicationControl/Policies/{PolicyID}/Policy</LocURI>
    </Target>
    <Meta>
      <Format xmlns="syncml:metinf">b64</Format>
    </Meta>
    <Data>
{base64 data}
    </Data>
  </Item>
</Add>
  4. Replace {PolicyID} with the PolicyID from the Policy XML file and remove the braces {}.
  5. Replace {base64 data} with the base64 data converted from the BIN file.
  6. Finish building the CSP XML file and name it (e.g., testWDAC.xml).
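
The base64 and PolicyID steps above are where hand-built CSP files usually go wrong (braces left in the LocURI, or a truncated base64 blob that the device rejects). The following is an added example and not part of the article or of Microsoft's or Ubiquiti's tooling: after ConvertFrom-CIPolicy has produced the .bin in PowerShell, it reads the PolicyID from the policy XML, builds the SyncML Add command shown above, and parses a finished file back to verify it. It assumes the multiple-policy XML format, where SiPolicy (namespace urn:schemas-microsoft-com:sipolicy) carries a PolicyID child in braces; the sample policy XML is constructed and is not a real policy.

```python
import base64
import re
import xml.etree.ElementTree as ET

GUID = r"[0-9A-Fa-f]{8}(?:-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}"

# Constructed sample (not a real policy): only the elements this script reads.
SAMPLE_POLICY_XML = (
    '<?xml version="1.0" encoding="utf-8"?>'
    '<SiPolicy xmlns="urn:schemas-microsoft-com:sipolicy" PolicyType="Base Policy">'
    "<PolicyID>{11111111-2222-3333-4444-555555555555}</PolicyID>"
    "<BasePolicyID>{11111111-2222-3333-4444-555555555555}</BasePolicyID>"
    "</SiPolicy>"
)


def extract_policy_id(policy_xml: str) -> str:
    """Return the <PolicyID> GUID from a WDAC policy XML with its braces removed.
    Assumes the multiple-policy format; raises ValueError if none is present."""
    for el in ET.fromstring(policy_xml).iter():
        if el.tag.rsplit("}", 1)[-1] == "PolicyID":
            guid = (el.text or "").strip().strip("{}")
            if re.fullmatch(GUID, guid):
                return guid
            raise ValueError(f"PolicyID is not a GUID: {el.text!r}")
    raise ValueError("no PolicyID element; policy may be in single-policy format")


def build_csp_xml(policy_id: str, policy_bin: bytes, cmd_id: int = 1) -> str:
    """Build the SyncML <Add> from the page around the base64-encoded .bin policy."""
    b64 = base64.b64encode(policy_bin).decode("ascii")
    return (
        f"<Add>\n  <CmdID>{cmd_id}</CmdID>\n  <Item>\n    <Target>\n"
        f"      <LocURI>./Vendor/MSFT/ApplicationControl/Policies/{policy_id}/Policy</LocURI>\n"
        '    </Target>\n    <Meta>\n      <Format xmlns="syncml:metinf">b64</Format>\n'
        f"    </Meta>\n    <Data>\n{b64}\n    </Data>\n  </Item>\n</Add>\n"
    )


def csp_payload(csp_xml: str):
    """Parse a CSP XML file back into (policy_id, policy bytes), rejecting the two
    usual hand-editing mistakes: braces left in the LocURI and corrupt base64."""
    root = ET.fromstring(csp_xml)
    loc = root.findtext("./Item/Target/LocURI") or ""
    m = re.fullmatch(rf"\./Vendor/MSFT/ApplicationControl/Policies/({GUID})/Policy", loc)
    if not m:
        raise ValueError(f"unexpected LocURI: {loc!r}")
    data = (root.findtext("./Item/Data") or "").strip()
    return m.group(1), base64.b64decode(data, validate=True)
```

Before uploading, run csp_payload on the finished file and compare the returned bytes with the .bin produced by ConvertFrom-CIPolicy; a mismatch means the base64 was altered while pasting.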

Upload the CSP XML File to the MDM Policy
  1. Go to your Identity Enterprise Manager > Trusted Devices > MDM Settings > MDM Policy > Windows.
  2. Select an existing policy or create a new policy.
  3. Specify the required information, go to Custom Profile File, click Add Custom Profile File, and upload the CSP XML file. Learn more about MDM policy