Mac Self-Service is a functionality within the Mac Desktop Service built and maintained to empower CERN users by giving them easy access to applications and configurations through the Self-Service application. It also enables CERN users to acquire Mac App Store applications through the Apple Volume Purchasing Program. Access to licensed software is restricted to Macs that are regularly on site.
Mac Self-Service is based on the pull philosophy. CERN users join the Self-Service by enrolling their Mac in the CERN MDM, which requires logging on with their CERN credentials and then downloading and installing the Self-Service application. This enables the users to select the applications they would like to install or the settings they would like to apply on their Mac.
The framework used by the Mac Self-Service collects inventory information about the software and hardware of your Mac and reports this to the MDM server at CERN.
The enrolment and the Self-Service app use Single-Sign-On. SSO to these services works with username and password or with an existing Kerberos token. The SSO for these services does not work with user certificates.
If the device on which you intend to install this software is owned by an external university or institute, please ensure that you have the right to authorise the enrollment.
Enrolling your Mac
Enrolling macOS versions older than 10.14 is not supported any more.
On recent versions of macOS two profiles are downloaded and installed (first a "CA Certificate" and then an "MDM Profile"); for each of these the user is asked several times for confirmation. The framework and the Self-Service app are then pushed from the server in the background. Because of this, it might take a few minutes until the Self-Service app is installed on newer versions of macOS.
To enrol your Mac, simply visit https://mdm.cern.ch/enrol. You will be asked first to download and install a "CA Certificate". When that is done, go back to the browser window to download and install the "MDM Profile". You will be asked several times for confirmation. Once these two are installed you can quit your browser; the installation of the framework and the Self-Service app will happen automatically in the background. Within a few minutes the Self-Service app should appear in your Applications folder.
Using the Self-Service
When starting the Self-Service for the first time users should run the policy 'Trust CERN CA Certificates' to ensure that the Mac trusts the certificates issued by CERN's Certification Authority, needed for the installation of some applications via the Self-Service.
Access to licensed software is only granted to Macs that are properly registered in CERN's network database and that have reported to the MDM server while being on site recently. Even for Macs that are on site there is a delay of a few minutes between the enrollment and the check for eligibility, which means that licensed software is not visible directly after the enrollment. Macs that are registered in the network database as 'visitor-xyz' are not eligible for licensed software.
On the technical level, the Self-Service works based on the MDM agent, which is installed during the enrolment process. The MDM agent runs with local admin privileges in order to automate installations, manage software dependencies and gather information about the hardware and software, which helps the Mac Desktop Service team provide a better service. The Mac Desktop Service team is committed to ensuring the confidentiality of this information.
Updates to the applications installed through the Self-Service are handled by mechanisms provided by these applications themselves - in exactly the same way as when these applications are installed outside of the Self-Service. Although technically possible, the Mac Desktop Service team does not push any updates, settings or applications to the Macs enrolled in the Self-Service.
Some applications require the installation of System Extensions; this is currently the case for Parallels Desktop and ESET. To be able to silently install such an application, the MDM remembers that such an app has been requested, and will attempt to re-install it when it notices that it's not installed. If you want to remove one of these apps you should use the corresponding Removal item in the Mac Self-Service. If you simply drag such an app to the bin, the MDM will re-install it later.
Most of the applications provided by the Self-Service have the option to check for updates. The Self-Service itself will not update applications installed through it. It will also not present newer versions of the applications installed.
In case you would like to remove Self-Service, and you have not installed any CERN licensed software, simply execute the following command in Terminal:
sudo jamf removeframework
Please 'Quit' the Self-Service app after use
The Self-Service app goes into a weird state when kept open for too long, and will probably use a large fraction of your Mac's network bandwidth. To keep the Self-Service app from wasting resources, please quit the app when you are done.
About Migration Assistant, Restoring from Time Machine and Replaced Motherboards
When a new Mac is set up using the Migration Assistant directly or via Time Machine, or when a Mac has its motherboard replaced, that Mac might also receive the Self-Service.app and the jamf framework, but the Self-Service server will not accept any connection from that Mac since the new Mac is unknown to the server. The same holds for any other intervention that changes the serial number and/or the UDID of the Mac. For these devices we recommend first running the command
sudo jamf removeframework
and then enrolling the new Mac as described above.
About the Self-Service Application Version
The Self-Service application gets updated automatically whenever the server version is updated - as long as the Self-Service framework on your Mac is still working properly. Since April 2022 the version of the Self-Service app should be 10.37.2. If your Self-Service app is older than that you can assume that there is a problem with the Self-Service framework on your Mac. In general that implies that the Self-Service itself will not be functioning any more, and we recommend that you first remove the non-functional framework by running
sudo jamf removeframework
and then enroll the new Mac as described above.
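The version check described above, as an added example (not part of the original page or of CERN's tooling): a POSIX shell script that reads the installed app's version and compares it field by field with 10.37.2. The bundle path "/Applications/Self Service.app" and the function names version_ge and check_self_service are assumptions; set APP_PATH if the app is installed under a different name.

```shell
#!/bin/sh
# Added example: is the installed Self-Service app at least the version
# this page says it should be?

MIN_VERSION="10.37.2"   # minimum version stated on this page
# Assumption: location of the app bundle; override with APP_PATH=... if needed.
APP_PATH="${APP_PATH:-/Applications/Self Service.app}"

# version_ge A B: succeeds if dotted version A >= B, comparing each field
# numerically (so 10.9 < 10.37). Missing fields count as 0; a non-numeric
# field makes the check fail rather than guess.
version_ge() {
    a=$1; b=$2
    while [ -n "$a" ] || [ -n "$b" ]; do
        x=${a%%.*}; y=${b%%.*}
        case $a in *.*) a=${a#*.} ;; *) a= ;; esac
        case $b in *.*) b=${b#*.} ;; *) b= ;; esac
        x=${x:-0}; y=${y:-0}
        case "$x$y" in *[!0-9]*) return 1 ;; esac
        if [ "$x" -gt "$y" ]; then return 0; fi
        if [ "$x" -lt "$y" ]; then return 1; fi
    done
    return 0
}

# check_self_service: returns 0 if up to date, 1 if outdated, 2 if not found.
check_self_service() {
    plist="$APP_PATH/Contents/Info.plist"
    if [ ! -f "$plist" ]; then
        echo "Self-Service app not found at $APP_PATH"
        return 2
    fi
    installed=$(/usr/libexec/PlistBuddy -c 'Print :CFBundleShortVersionString' "$plist") || return 2
    if version_ge "$installed" "$MIN_VERSION"; then
        echo "Self-Service $installed is at or above $MIN_VERSION"
        return 0
    fi
    echo "Self-Service $installed is older than $MIN_VERSION: the framework is probably not working"
    return 1
}

# Only run the check on macOS, where the app and PlistBuddy exist.
if [ "$(uname -s)" = "Darwin" ]; then
    check_self_service
fi
```

An exit status of 1 corresponds to the case in which this page recommends removing the framework and enrolling again.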
About Devices that Stop Reporting
Devices that stop reporting to the server for more than three months (more than 12 months for devices that use disk encryption) will be deleted from the database. In that case the Self-Service will remain on the device, but will not work anymore. Reasons a device stops reporting include:
- the device is switched off
- the framework has been corrupted
- the framework failed to upgrade when the server side software was upgraded
Please Report all Self-Service Related Problems to the Service Desk
We can discover some Self-Service issues on the server side, but for the majority of issues we rely on you reporting malfunctions to become aware of problems. So please report any issues with the Self-Service to the Service Desk, see https://cern.service-now.com/service-portal.