Skip to main content
All CollectionsPulseway MDM
Pulseway MDM: Enrollment
Pulseway MDM: Enrollment

This article provides compatibility, prerequisite and process information related to using Pulseway RMM as your MDM solution.

Elias from Pulseway avatar
Written by Elias from Pulseway
Updated over a month ago

NAVIGATION

Modules > Integrations > Connectors

NAVIGATION

Modules > Devices > MDM Enrollment

SECURITY

Connectors > Full access to all Connectors pages

SECURITY

Device Management > Add Devices

SECURITY

Administrative privileges to manage software on the device to be enrolled and any endpoints assisting in the enrollment

Prerequisites

Compatibility

Our MDM solution currently supports enrollment for the following Apple operating systems:

  • iOS 4.0 and above

  • iPadOS 4.0 and above

  • macOS 10.7 and above

Permissions

To complete this process, you'll need the following permissions in both Pulseway RMM and the Apple portal:

  • Full access to all Connectors pages

  • Ability to log in to appleid.apple.com with the Apple ID of the device or devices you'd like to enroll

How to...

To enroll a device in MDM, you'll perform the following steps:

  1. Create a connector in Pulseway RMM.

  2. Create a push certificate in the Apple portal and upload it to Pulseway RMM.

  3. Enroll the device in MDM.

Create a connector in Pulseway RMM

You'll start the MDM enrollment process by creating a new entry for the device on the Connectors page. To do so, perform the following steps:

  1. In your Pulseway RMM instance, navigate to Modules > Integrations > Connectors.

  2. Click Create Connector.

  3. In the Details section of the page, select the organization with which the new device will be associated.

  4. In the Download CSR File section, click Download CSR. Pulseway RMM will transfer a Certificate Signing Request (CSR) file named CertificateSigningRequest.plist to the default download location on your computer.

  5. Scroll down to the Create an Apple Push Certificate page area.

  6. Click Go to Apple portal.

  7. Without closing the Create Connector page, proceed to the Create a push certificate section of this article.

Create a push certificate

Once you've completed the steps in Create a connector in Pulseway RMM, you'll need to follow the process described below to obtain a vendor-signed version of the CSR file and upload it to Pulseway RMM to create your new push certificate.

Create the Apple Push Certificate

  1. The Apple Push Certificates Portal will open and prompt you for credentials. Log in with the Apple ID of the device or devices you'd like to enroll.

  2. Click Create a Certificate.

  3. The Apple portal will prompt you to accept the MDM Certificate Agreement Terms of Use. Once you've done so, you'll receive a prompt to upload your CSR file.

  4. Click Choose File. Select the CSR you generated in Create a connector in Pulseway RMM. Then, click Upload.

  5. The Apple portal will surface a confirmation that you've successfully created the push certificate. Click Download.

  6. Continue to the next section of this article.

Upload the push certificate to Pulseway RMM

  1. Return to the Create Connector page in Pulseway RMM and locate the Upload Apple Push Certificate section.

  2. Upload the certificate you downloaded from the Apple portal by dragging it into or clicking the Drag your certificate here box.

  3. Confirm the ID you used to create the certificate by entering it in the Apple ID field.

  4. Click Create. Then, proceed to the Enroll a device in MDM section of this article.

Enroll a device in MDM

After creating the signed CSR and uploading it to Pulseway RMM, you can enroll the device in MDM. To do so, perform the following steps.

  1. In Pulseway RMM, navigate to Modules > Devices > MDM Enrollment.

  2. In the Context page area, select the Organization Name, Site Name, and Agent Group where the device will reside.

  3. From the Enroll Path drop-down menu, choose the method via which you'd like to enroll the device in MDM. To proceed, or to learn about each configuration type, select a topic to continue:

    • QR Code and Link

    • USB using Apple Configurator

QR Code and Link

QR code enrollment is intended for personal (BYOD) iOS and iPadOS devices. Link enrollment is required for macOS devices, but you can also use it for iOS and iPadOS. To enroll a device via either of these methods, perform the following steps:

  1. A Scan QR Code pane, similar to the example shown below, will appear on the MDM Enrollment page.

  2. Follow the workflow it provides to complete the device enrollment. To send the instructions to a recipient via email, click Send Invite, complete the required contact fields, and click Send.

  3. Once the enrollment process is complete, the device will become available to manage on Pulseway RMM's Device List page.

USB using Apple Configurator

The USB enrollment method will erase your device.

This enrollment type is intended for business or corporate-owned devices and enables additional management capabilities. Currently, it only supports iOS and iPadOS devices. To enroll a device via this method, perform the following steps:

  1. A USB pane, similar to the example shown below, will appear on the MDM Enrollment page. To send the instructions to a recipient via email, click Send Invite, complete the required contact fields, and click Send. Otherwise, proceed to the next step of this workflow.

  2. On a separate device, download and install Apple Configurator 2. You'll use this device to enroll the managed endpoint. You can obtain this application from the Mac App Store.

  3. Once the application is installed, proceed to the next step.

Create a Wifi profile

  1. In Apple Configurator's top navigation menu, click File > New Profile.

  2. In the window that opens, on the General tab, enter a profile name in the Name field.

  3. In the left navigation menu, select WiFi.Then, click Configure.

  4. Input the settings of the WiFi network to which the device should connect.

  5. In Apple Configurator's top navigation menu, click File > Save.

  6. When prompted, save the file in a location that you will be able to access in the next steps of this article.

Create a blueprint

  1. In Apple Configurator's top navigation menu, click File > New Blueprint.

  2. Specify a blueprint name.

  3. Click the blueprint. Then, click Add > Profiles.

  4. Select the WiFi profile you created in the previous section of this article and click Add.

Prepare the blueprint

  1. Click the blueprint. Then, click Prepare.

  2. In the Prepare Devices window, select Prepare with > Manual Configuration.

  3. Ensure that the Supervise devices check box is selected.

  4. Click Next.

  5. On the Enroll in MDM screen, click Server > New Server. Then, click Next.

  6. On the Define an MDM Server screen, input Pulseway in the Name field.

  7. In the Host name or URL field, enter the enrollment link URL from the USB pane on the MDM Enrollment page.

  8. Apple Configurator will fetch and add your trust anchor certificates. Click Next.

  9. You may be prompted to sign in to Apple School Manager or Apple Business Manager. You can do so, or you can skip the step.

Create an organization

  1. On the Create an organization screen, define the name of the organization with which this device will be associated. Then, click Next.

  2. When prompted, select Generate a new supervision identity and click Next.

  3. The Configure the iOS Setup Assistant screen will appear. Make any desired selections.

  4. Click Prepare.

Apply the blueprint to the device

  1. Via USB, connect the device you're enrolling to your current desktop or laptop computer.

  2. In Apple Configurator, right-click the device, select Apply, and choose the blueprint you created.

  3. Click Apply.

  4. Apple Configurator will apply the blueprint. It may take several minutes for this process to complete and the new device to index in the MDM server. Once the enrollment process is complete, the device will become available to manage on Pulseway RMM's Device List page.

Unenroll a device

To unenroll a device from MDM, perform the following steps:

  1. Locate VPN & Device Management in the device's settings.

  2. Open the MDM profile.

  3. Click Remove Management.

  4. Pulseway RMM will automatically remove the device from your platform.

Pulseway MDM commands

Once you've enrolled a device in MDM, the following commands will become available. Note that the availability of any command is dependent on both the device type and enrollment method used.

FAQs

The following answers to frequently-asked questions will help you get the most out of your Pulseway MDM experience.

What devices can I enroll?

Refer to Compatibility.

Can I enroll a virtual machine in MDM?

No, currently, you'll see a "Device is not supported" error when you attempt to do so.

What types of enrollment are available?

The available enrollment types are:

  • QR Code and Link: QR code enrollment is intended for personal (BYOD) iOS and iPadOS devices. Link enrollment is required for macOS devices, but you can also use it for iOS and iPadOS.

  • USB using Apple Configurator: This enrollment type is intended for business or corporate-owned devices and enables additional management capabilities. Currently, it only supports iOS and iPadOS devices.

Should iPhones be powered on or initialized when using USB enrollment?

While being powered on doesn't matter, the iPhone should not be initialized. Connect the phone to USB and follow the steps described in the Pulseway MDM: Enrollment section of this article. The device will be erased and the new blueprint applied.

Is it possible to enroll a device via USB without erasing it?

Apple recommends clearing the device when it is enrolled as supervised. However, if you back up the primary device to a secondary device before enrolling it, you can restore the backup from the secondary device to the primary device after you complete the enrollment. To do so:

  1. Ensure that Find My iPhone is off on both devices to avoid problems during enrollment.

  2. Use AppleConfigurator or Finder to back up the primary device.

  3. Restore this backup on the secondary device.

  4. Use AppleConfigurator or Finder to back up the secondary device.

  5. Restore the backup of the secondary device to the primary device.

  6. After restoration, when the primary device shows the Welcome screen on activation, connect it to Apple Configurator and enroll it via the USB method.

  7. After activation, the device should appear in Pulseway RMM and contain the restored data.

Does only macOS support USB enrollment? Can it be done on Windows or Linux devices?

USB enrollment is only available for macOS devices compatible with Apple Configurator.

What is a supervised device?

Supervised mode provides more options to manage the device, such as restarting, shutting down, and enabling or disabling lost mode. The Play Lost Mode Sound will work only for supervised devices.

macOS devices are always supervised. iOS and iPadOS devices are supervised if they have been enrolled via USB with the Supervised option checked. You can find out if a device is supervised in the Asset Info section of the device details pane:

Refer to Pulseway MDM: Supervised vs. non-supervised devices.

I installed a profile, but the device does not appear in the Pulseway UI. What's wrong?

There might be a delay in seeing an enrolled device or its data.

Apple does not terminate its requests. However, Pulseway RMM has a 20-minute cache and pings MDM services every 15 minutes to get device information.

So, if you enroll, unenroll, change lost mode, or perform any other actions with a device, there may be a delay in reporting this information to Pulseway RMM. If you have been waiting for more than one hour and still do not see a device, please open a ticket with Pulseway Support for assistance. When doing so, be sure to include the device's serial number.

I opened the Integrations or Connectors page and saw an EMM token error. What does this mean?

This error can appear in several different formats:

"EMM authentication token is expired."

"EMM token is invalid."

"EMM token is missing."

It can occur as a result of MDM licensing being misconfigured in the Admin app. To resolve the issue, contact Pulseway Support for assistance.

I only see the Erase command for the device. Where are the other options?

Due to Apple limitations, the following conditions apply to MDM-enrolled devices:

  • Devices enrolled via QR Code and Link only have access to the Erase command.

  • Devices enrolled via USB have access to the following commands:

    • Restart

    • Shutdown

    • Enable/Disable Lost mode

    • Play Lost Mode Sound (if Lost Mode is enabled)

    • Erase

  • macOS devices enrolled in MDM without the Pulseway agent app installed have access to the following commands:

    • Restart

    • Shut down

    • Erase

Refer to Pulseway MDM commands for a complete table of commands and their availability.

Can I enroll a macOS device in MDM if the Pulseway agent is already installed?

Yes. To take advantage of full Pulseway management capabilities, you should both enroll a macOS device in MDM and have an agent installed. There is no preferred order to doing so; the process will not create duplicate devices.

I sent a command but a device did not execute it. Why not?

There could be several reasons why a command did not execute:

  • To get and process MDM commands, a device must have an internet connection. All types of internet connections are supported; Apple IDs and SIM cards are not required.

  • Pulseway sends commands to Apple right after you click the action button, but we cannot control how long the queued action will take to be relayed to the device and executed. The action may be awaiting processing.

  • If a device is in sleep mode or turned off, it can not process commands. In some cases, Apple sends the same command periodically until a device is awake or until the command times out.

    • If a command times out, and Apple returns a status that the device is unavailable, our MDM server will try to send the command at the following intervals:

      • Five minutes after the first request

      • 10 minutes after the first request

      • 20 minutes after the first request

      • 40 minutes after the first request

What actions occur when I erase a device?

Erasing is similar to a factory reset. All of the device's data, including the MDM profile, is deleted, and the phone is returned to its initial setup state. Erased and unenrolled devices must follow the enrollment process before they can be managed again.

What is lost mode?

Lost Mode is a feature available on Apple devices that you can use when your device is missing or stolen. When you activate Lost Mode, the device locks to prevent anyone else from accessing its data. You can activate this mode via MDM on iOS and iPadOS device. You can also display a custom message with a contact number on the Lock screen.

Is it possible to set up a passcode to unlock a Lost Mode device?

No. Apple does not provide a way to set up a passcode for a device with Lost Mode. However, it is possible to set up a lock screen message or phone number in the confirmation popup after you click Enable Lost Mode.

How can I unenroll a device?

Refer to the Pulseway MDM: Enrollment section of this article.

Did this answer your question?