Skip to content

CERN-managed Mac

Introduction

All of the new Macs purchased by CERN via EDH punch-out will be registered with Apple and automatically enrolled into CERN's MDM (Mobile Device Management) server starting from 1st of May 2025.

These devices will become CERN-managed Macs and have a set of security policies applied to them in line with Computer Security Rules for Endpoints:

  • installation of ESET Endpoint Security and ESET Protect agent
  • enabling automatic system updates
  • enabling FileVault disk encryption
  • it will be possible to remotely wipe the device in case of theft or loss

The CERN-managed Mac model will exist in parallel and be an extension to the previous Mac Self Service model. In both models users will be able to use policies available in the Self Service application.

Installed Configuration Profiles

The following configuration profiles required for remote management of the device are installed automatically on CERN-managed Macs. You can see them listed in System Settings -> Device Management.

Name Function
MDM Profile Creates binding between the MDM server and your device
Automatic System Updates Enables automatic system updates
CERN Certificates Trusts CERN CA issued certificates
CERN WiFI Disables MAC address randomization
Managed Login Items - Jamf Apps Allows agent service to run
Jamf Notifications Permission for Self Service / agent to display system notifications
Privacy Preferences Policy Control Gives agent access to file system
Allow Apple Events Allows agent to automate other applications
ESET allow System Extensions Required by antivirus: allows ESET kernel system extension to run
ESET permissions Required by antivirus: gives ESET full disk access, allows it to send system notifications, allows it to install (network) content filters & 2 local-to-local VPNs

Opt-out / deregistration

Removing the device from CERN-managed Mac model is possible:

  • for devices that are not owned by CERN
  • after obtaining a derogation from Computer Security Office
  • for devices that are decomissioned or resold

If you fit any of these categories and wish to opt-out/deregister the device, please follow this form.

You will be notified once we deregister the device with Apple and remove it from the CERN's MDM. Then the last step for you will be to execute 

sudo jamf removeFramework
in the Terminal.app to remove the now non-functional Self Service application.

Remote wipe

Remote wipe of the CERN-managed Mac can be performed by the Mac Support after filling the theft or loss declaration.