Kolide is now compatible with Apple's Mobile Device Management Protocol. Using this protocol, administrators can use Kolide to manage compatible Apple Devices and perform actions such as Remote Erase and Remote Lock.

The MDM capabilities in Kolide are completely optional and only provide additional enhancements and features. There is no need to enroll devices in the MDM to use the product.

Compatible Devices

During the preview period, Kolide's MDM is compatible only with Macs, both Intel and Apple Silicon based. In the future, Kolide plans to roll out MDM support for iPhones and iPads running iOS 14 or later.

Initial Setup

Before you can enroll devices into Kolide MDM, you will need to set it up for first-time use. Please note: This can only be done by a Kolide Administrator with Full Access or a Limited User with the ability to configure the MDM.

Step 1. Go to the Apple MDM Initial Setup section of the Settings screen.

Step 2. Complete all the steps in the Pre-Flight Check List.

Once the Kolide MDM is set up, you can enroll and migrate compatible devices into Managed Mode.

Changes To Slack Device Enrollment

Once the Kolide MDM is set up, users who wish to enroll a compatible device will be asked to enroll in Apple's MDM instead of directly installing the Kolide Agent.

Once the enrollment profile is successfully installed, Kolide will automatically install the Kolide Agent, and grant it the appropriate Full Disk permissions. Once the Device is enrolled, Kolide will automatically assign it to the Slack user.

Obtaining the Enrollment Profile Manually

You may wish to download your organization's unique Kolide MDM Enrollment profile without having to pre-assign a device-owner. To download the profile, simply browse directly to https://k2.kolide.com/x/mdm/enrollments/unassigned.

Migrating Unmanaged Macs

Once the MDM is set up, you may want to bring all of your existing Kolide enrolled Macs under management. There are two ways in which you can do this.

Migrating Macs One at a Time

If you just have a few devices you'd like to bring under management, you can do this right on the device's detail page.

  1. Go to Inventory, choose a Mac you'd like to put under management, and click its name to go to the device's detail page.
  2. In the upper-right corner click the Actions dropdown and choose Enroll in MDM...
  3. In the modal that appears, confirm the device owner is correct and click the Contact button. (Note: If the device is unassigned or assigned to someone with a Slack identity, you will instead be given the option to download the enrollment profile directly.)
  4. The device will have an Unmanaged (Pending) badge to indicate we are waiting on the assigned device owner to complete the enrollment process.

You can hover over the badge to get more details on the number of contact attempts. If you want to send another notification to the end-user, simply click on the badge, and click the Contact button on the resulting modal.

Once the device is enrolled in the MDM, it will have a Managed Badge as shown below.

Migrating Macs All at Once

Kolide has built a migration tool that will allow you to reach out to the assigned owners of all the unmanaged Macs enrolled in Kolide. Please note: This can only be done by a Kolide Administrator with Full Access or a Limited User with the ability to configure the MDM.

You can access the migration feature under Migrate Unmanaged Macs in Settings. Once there, you will see a list of all the Macs that are currently unmanaged. This feature works by contacting each assigned owner via Slack and walking them through the process of installing the MDM enrollment profile. For this process to work, the Mac must not already be managed and must be assigned to a person who is contactable via Slack.

To get a sense of the message that will be sent to the device owners, simply click the Test Enrollment Request button on the upper-right of the table. When you do, you will see a message that looks like the following:

Unenrolling Macs from Management

Once a device is managed under Kolide's MDM, you may need to unenroll it from the Kolide MDM. You can do this right from the device's detail page.

  1. Go to Inventory, choose a Mac you'd like to remove from management, and click its name to go to the device's detail page.
  2. In the upper-right corner click the Actions dropdown and choose Unenroll from MDM...
  3. Click OK when the confirmation modal appears.

This will send the unenrollment command to the device. The command may not run right away if the device is offline. Once the command has run, the Managed badge will disappear from the header.

Alternatively, if the Mac is in your physical possession, you can unenroll the Mac from management by following these steps:

  1. Click the Apple logo in the top-left corner of your desktop and choose System Preferences...
  2. Click the Profiles icon in the bottom-right corner.
  3. In the left panel, click the Kolide Profile For Kolide item to select it.
  4. On the bottom-left of the panel, click the minus (-) button and press the Remove button in the confirmation modal.

Doing this will notify Kolide that the device is no longer under management, and the Managed badge will be removed from the header of the device's detail page.
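To confirm on the Mac itself that an enrollment or unenrollment has taken effect, you can inspect the output of the macOS command `profiles status -type enrollment`. The script below is an added example, not part of Kolide's documentation or tooling; the function names are hypothetical, the sample outputs are constructed, and the server URL is a placeholder.

```shell
#!/bin/sh
# Classify a Mac's MDM enrollment state from the text printed by
#   profiles status -type enrollment
# Prints one of: managed-user-approved, managed, unmanaged, unknown.
classify_enrollment() {
    # $1: full output of the profiles command
    value=$(printf '%s\n' "$1" | sed -n 's/^MDM enrollment:[[:space:]]*//p' | head -n 1)
    case "$value" in
        "Yes (User Approved)"*) echo "managed-user-approved" ;;
        Yes*)                   echo "managed" ;;
        No*)                    echo "unmanaged" ;;
        *)                      echo "unknown" ;;   # line missing or unexpected
    esac
}

# Print the MDM server URL the Mac reports, or nothing if it reports none.
mdm_server() {
    printf '%s\n' "$1" | sed -n 's/^MDM server:[[:space:]]*//p' | head -n 1
}

# Constructed sample outputs (the URL is a placeholder, not Kolide's endpoint).
SAMPLE_MANAGED='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)
MDM server: https://mdm.example.invalid/mdm'

SAMPLE_UNMANAGED='Enrolled via DEP: No
MDM enrollment: No'

# On a Mac, read the live state; elsewhere fall back to the constructed sample.
if command -v profiles >/dev/null 2>&1; then
    out=$(profiles status -type enrollment 2>/dev/null) || out=""
else
    out=$SAMPLE_MANAGED
fi

echo "state:  $(classify_enrollment "$out")"
echo "server: $(mdm_server "$out")"
```

After unenrolling, the expected state is `unmanaged` with no server line. After enrolling, compare the reported server against the one in your organization's enrollment profile.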

As always, please do not hesitate to reach out via Intercom, or by emailing support@kolide.co should you have any questions or feedback regarding this feature.
