IBM MaaS360


Getting Started with Managing Corporate-Owned macOS Devices

By Ernesto Soto posted Tue August 05, 2025 01:58 PM

  

This checklist will help you set up Mac computers that are owned by your company so they’re ready for employees to use with full control and security. You’ll use MaaS360 and Apple Business Manager (ABM) to achieve this. 

Use this setup when:

Your organization purchases Mac computers from Apple or authorized resellers and requires full control of the devices. In this use case, the Mac computers are managed through MaaS360 right out of the box or after a factory reset. This setup gives full control of the machine and does not create a separate partition for personal data, which is ideal for Mac computers used strictly for business purposes.

Deployment tip:

MaaS360 offers a wide variety of features and settings. This checklist is meant to help you begin with the most common setup steps. It’s best to test the setup on a few devices first, then apply your configuration across the rest. 

Before you begin:

Start with the MaaS360 Getting Started Checklist to complete any prerequisites. 

1. Sign up for Apple Business Manager, creating an account for your organization.

2. Work with your reseller/carrier to load your devices into the ABM portal by order number, serial number, or CSV file.

Note: If devices were purchased from other sources, you can use Apple Configurator 2.5 to add them to Apple Business Manager.

Tip: Use the built-in guided walkthroughs in MaaS360 as they provide step-by-step help to make the setup easier and faster.

   

| Task | Path | Best Practices |
| --- | --- | --- |
| Create and Upload APNS Certificate | In MaaS360> Setup> Services> Mobile Device Management> APNS Certificate | Use a company-owned Apple ID instead of a personal account. Use an email account that can be shared with other admins. |
| Configure Directory and User Authentication Setup | In MaaS360> Setup> Settings> Directory and Enrollments> Directory and Authentication> User Authentication Set up> Select Default Authentication | User authentication for enrollment is based on the authentication type specified in the user record (Local or Corporate). |
| Add Local Users if Applicable | In MaaS360> Users> Directory> Add User | It is recommended to use a different email address for each added user to prevent multiple notifications being sent to one email. User passwords can be generated automatically or set manually via Setup> Settings> User Settings. |
| Configure User Settings | In MaaS360> Setup> Settings> User Settings> User Password Settings | Configure local user password generation. You can choose not to generate a password, to set it manually, or to have the system generate it automatically. |
| Configure Device Enrollment Settings | In MaaS360> Setup> Settings> Directory and Enrollment> Basic Enrollment Settings> User Input at Authentication | Select what users should input during authentication (username and domain, email, or username). |
| Configure a macOS Security Policy | In MaaS360> Security> Policies> View to view the macOS MDM policy or ‘Add’ to add a new one. | Configure Restrictions, App Compliance, System Preference, functionality and more. |
| Integrate MaaS360 with Apple Volume Purchase Program (VPP) | In MaaS360> Apps> Catalog> More> VPP Licenses> Add Token. | Use Apple VPP to add and distribute macOS apps silently. VPP licenses are used to install apps with no Apple ID account required. |
| Build an App Catalog and Distribute Apps | In ABM> Apps & Books> Search for the app up top> Assign to> Quantity> Get. In MaaS360> Apps> Catalog> Distribute (underneath the app name) | You can associate as many licenses as needed if the app is free. If the app is paid, purchase the total number of licenses needed for your devices. |
| Integrate Apple Device Enrollment Program and Assign a DEP profile | In MaaS360> Devices> Enrollments> Other Enrollment Options> Apple> Apple Device Enrollment> Tokens> Add Token and Profiles> Add Profiles. | Consider locking the MDM profile to the device to prevent users from unenrolling the Mac. Select whether authentication is required upon enrollment. Consider setting the DEP Profile as the Default for automatic profile assignment. |
| Boot up devices to Complete Enrollment | Power up the Mac and go through the setup to receive the remote management screen. | The device is enrolled once the remote management screen is displayed. A device record is then added to your device inventory. |
| Manage Devices in the portal | In MaaS360> Devices> Inventory> click View to view the device record. | Devices in your inventory use a device license unless the device record status shows Inactive. |
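
To confirm on a pilot Mac that enrollment really came through Apple Business Manager rather than a manual profile install, the following added example (not part of the original post or of MaaS360) classifies the text printed by the macOS command `profiles status -type enrollment`. The function name, verdict labels and sample outputs are constructed for illustration, and the "Enrolled via DEP:" / "MDM enrollment:" line format is assumed.

```shell
#!/bin/sh
# Added example (not from the original post): classify the text printed by
# `profiles status -type enrollment` on a Mac after Setup Assistant finishes.
# Assumption: the output contains "Enrolled via DEP: ..." and
# "MDM enrollment: ..." lines; the sample texts below are constructed.

# Reads the command output on stdin, prints one verdict, returns 0 only for the first:
#   ade-approved    enrolled through ABM automated enrollment, MDM user approved
#   ade-unapproved  enrolled through ABM, but MDM not reported as user approved
#   manual-mdm      MDM enrolled outside automated enrollment
#   not-enrolled    no MDM enrollment reported
classify_enrollment() {
    dep=unknown mdm=unknown
    while IFS= read -r line || [ -n "$line" ]; do
        case "$line" in
            "Enrolled via DEP:"*) dep=${line#*: } ;;
            "MDM enrollment:"*)   mdm=${line#*: } ;;
        esac
    done
    case "$mdm" in
        Yes*) ;;
        *) echo not-enrolled; return 1 ;;
    esac
    case "$dep" in
        Yes*) ;;
        *) echo manual-mdm; return 1 ;;
    esac
    case "$mdm" in
        *"User Approved"*) echo ade-approved ;;
        *) echo ade-unapproved; return 1 ;;
    esac
}

# Constructed sample outputs, used when the `profiles` tool is not available.
SAMPLE_ADE='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)'
SAMPLE_MANUAL='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)'
SAMPLE_NONE='Enrolled via DEP: No
MDM enrollment: No'

if command -v profiles >/dev/null 2>&1; then
    profiles status -type enrollment | classify_enrollment || true
else
    for s in "$SAMPLE_ADE" "$SAMPLE_MANUAL" "$SAMPLE_NONE"; do
        printf '%s\n' "$s" | classify_enrollment || true
    done
fi
```

A verdict other than ade-approved on a test device suggests checking that the serial number is assigned to MaaS360 in ABM and that a DEP profile is assigned before rolling out further.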

 
