Ivanti EPM 2018.3 introduces new Methods and Agent Packaging for managing MacOS devices. This new Management Best-Practice is known as Integrated Device Management.
The purpose of this document is to detail the changes in 2018.3 in regards to MacOS Management, and how to apply these changes to the Management Environment.
Integrated Device Management
Per Apple's best practice guidelines, full management of a MacOS device requires:
- An Agent to be installed
- Enrollment in MDM
Fully integrating a MacOS device ensures the Administrator has complete control over:
- Kernel Extensions
- Processes that access user private data
- Remote control
Ivanti EPM 2018.3 enables Administrators to Integrate their devices from both MDM-First and Agent-First Methods.
New MacOS Utilities
A couple of utilities have been introduced in order to enable Integrated Device Management:
- Builds Configuration PKG files for use with Provisioning
Ivanti MDM Enroller.app
- Updated with new Features to Support Integrated Device Management
Note: MDM will need to be configured on the Ivanti Core Server before starting. For more information please visit Getting Started with Mobility LANDESK Management Suite
Administrators that have used Ivanti EPM in the past to deploy agents to Managed Mac Devices can use 2018.3 to easily enroll these Agents in MDM.
Enroll in Ivanti MDM Provisioning Action
New Provisioning Workflows in EPM 2018.3 allow the Administrator to install the Agent and Enroll in Ivanti MDM all within one Template.
This action will use the information stored within the Agent to Enroll in the Core Server MDM. No additional configuration is required.
For more information on Mac Provisioning in 2018.3, please visit Ivanti Mac Provisioning Guide: Mojave
Enroll in MDM via Distribution Package
EPM 2018.3 includes a default Distribution Package to automatically enroll Mac Agents in MDM.
Navigate to Tools > Distribution > Distribution Packages. Within the Distribution Packages tool, select All Packages. Right-Click the Enroll macOS Device in Ivanti MDM Distribution Package and select Properties.
This Distribution Package comes pre-configured so that it can be Deployed to EPM Mac Agents without any changes. Depending on how the the Package is Deployed, users may want to make changes to items such as Description, Logo, Tags, etc.
Once finished, Click Save.
Right-Click the Package again and select Create Scheduled Task(s). This will create a task and open the Scheduled Task tool. Drag desired Mac Devices from the Network View into the task.
This package can be deployed using several different methods. Examples include:
- Policy-Supported Push
- Portal Manager for Mac (About Portal Manager for Mac)
This Package forces User-Approved MDM Enrollment. This means that the user will be prompted with the following when Enrollment is initiated:
The user will need to approve the installation of this MDM Profile before full Management/Whitelisting is available.
Ivanti recommends informing users prior to Deploying this Package in order to ensure Install is selected. If the user selects Cancel, this package will need to be deployed again in order to complete Enrollment.
EPM 2018.3 includes a default Distribution Package to automatically enroll Mac Agents via MDM. The changes Apple did with Mojave will require the mac devices have a mobileconfig file sent to the device for agent install with out prompting the end user. This file is located at \ManagementSuite\ldlogon\AgentBehaviors\macOSPayloads\whitelisting_profiles. This is already created for you as a profile in the macOS Device Configuration as EPM Agent Authorization.
This is installed during enrollment but if the device is already enrolled in MDM prior to upgrading to 2018.3, you will need to make sure to select this profile in CPE and distribute it to your devices.
Installing the agent via MDM package
Ivanti MDM managed Mac device can have the Agent Installed via Software Distribution at any time. Any installation via MDM requires hosting the install package files on:
- HTTPS Server
- Visible to the Device
- Proper SSL Certificate
If you do not want to host this on your company's servers, Ivanti has provided the agent files available at https://download.ivanti.com/product/mac/2018.3/manifest.plist. The bundle ID and Version for this can be found in the plist file or shown below.
- Bundle ID- com.ivanti.ivagent-complete
- Bundle Version- 22.214.171.124
Once you have created the package, you can create a scheduled task and target the machines you want updated with the new agent. With the EPM Agent Configuration profile on the device will install with no pop ups on the end user and configure the agent based on the MDM core info. This is why you can use the general agent that we host but it will talk to your core once it's fully installed.
Install agent during/after enrollment to all macOS devices
The easiest and fastest way to get the EPM Agent installed with little effort is to configure the main agent configuration you want to use. Then you can change the Agent Settings for different groups or departments using the change settings task.
Navigate to Tools> Configuration> Agent Configuration> Click on MDM Enrollment Agent Packages
Click on Install mac agent during enrollment and move the "Agent Configuration" profile over to Selected, this is the agent configuration you want to use. Then move the EPM Agent Authorization profile to Selected.
The drop down box is to choose the same plist file that you created before to pull the agent files. This plist file is the main agent files and has no configuration, that is sent out with the selected profiles.