Skip to content

CERN-managed Mac

Introduction

All of the new Macs purchased by CERN via EDH punch-out will be registered with Apple and automatically enrolled into CERN's MDM server starting from 1st of May 2025.

These devices will become CERN-managed Macs and have a set of security policies applied to them in line with Computer Security Rules for Endpoints:

  • installation of ESET Endpoint Security and ESET Protect agent
  • enabling automatic system updates
  • enabling FileVault disk encryption
  • it will be possible to remotely wipe the device in case of theft or loss

The CERN-managed Mac model will exist in parallel and be an extension to the previous Mac Self Service model. In both models users will be able to use policies available in the Self Service application.

Opt-out / deregistration

Removing the device from CERN-managed Mac model is possible:

  • for devices that are not owned by CERN
  • after obtaining a derogation from Computer Security Office
  • for devices that are decomissioned or resold

If you fit any of these categories and wish to opt-out/deregister the device, please follow this form.

Once we deregister the device with Apple and remove it from MDM, you will need to manually execute 

sudo jamf removeFramework
in the Terminal.app to remove the now non-functional Self Service application.

Remote wipe

Remote wipe of the CERN-managed Mac can be performed by the Mac Support after filling the theft or loss declaration.