macOS MDM Enrollment (Hexnode ADE/DEP)

This guide covers enrolling a company Mac into Hexnode MDM management via Apple Device Enrollment (ADE/DEP). After successful enrollment, mandatory company applications are installed automatically and disk encryption is activated.

Platforms and versions

• MDM console: etnetera.hexnodemdm.com
• Operating system: macOS Tahoe (15) and later
• Sign-in: Microsoft SSO (Entra ID) or AD Connect

---

Part A – IT Admin: Preparing the Device in Hexnode

This section is performed by the IT administrator before handing the device to the user.

1. Verify the Device in Apple Business Manager

1. Sign in to business.apple.com using the company Apple ID.
2. Go to the Devices section and confirm that the new Mac appears in the DEP device list.
3. Check the MDM server assignment — the MDM Server column must point to etnetera.hexnodemdm.com.

Device not in ABM?

If the Mac is missing from Apple Business Manager, contact the supplier and request that the serial number be added to the DEP programme. Alternatively, the device can be added manually via Apple Configurator 2.

2. Sign in to the Hexnode Console

1. Open etnetera.hexnodemdm.com.
2. Click Sign in with Microsoft and sign in with your company account (@etnetera.cz).
3. In the left menu, choose Enroll → Apple → DEP Devices.

3. Create or Assign a DEP Profile

Recommended approach

Use the pre-configured profile Etnetera-Standard-macOS. This profile ensures correct Setup Assistant configuration and automatic assignment to the All-Mac-Devices group.

1. Click Enrollment Profiles → New Profile (or open the existing Etnetera-Standard-macOS).
2. Configure the following:

   Parameter	Value
   Profile Name	Etnetera-Standard-macOS
   Department	IT
   Support Phone	+420 XXX XXX XXX
   Supervised	✅ Yes
   Mandatory Enrollment	✅ Yes
   MDM Removal	❌ Disabled

3. In the Setup Assistant section, hide these steps: Apple ID, iCloud, Siri, Screen Time, Privacy.
4. Save the profile and assign it to the relevant device (or the entire DEP device group).

4. Assign Application Policies

1. Go to Manage → Policies → macOS.
2. Assign the policy Etnetera-Mac-Standard to the device (or group). This policy installs:
   • ESET Endpoint Security (antivirus)
   • Viscosity (VPN client)
   • Slack
   • Google Chrome
3. Confirm with a green policy status icon.

ESET Licence

Before enrollment, verify that a licence is available in ESET Business Account (EBA). Installing ESET without a valid licence starts a 30-day trial only.

5. Hand the Device to the User

1. The device must be reset to factory settings (or brand new in the box).
2. Inform the user that the first boot will run the Setup Assistant and requires an internet connection (Wi-Fi or cable).
3. Hand over this guide — Part B — to the user.

---

Part B – User: Enrolling a New Mac

This section is performed by the user on the first boot of their company Mac.

What you will need

• Company Mac (new or reset)
• Internet connection (Wi-Fi or Ethernet)
• Company email and password (firstname.lastname@etnetera.cz)

1. First Boot and Setup Assistant

1. Power on the Mac — the Setup Assistant wizard (with the Apple logo) will appear.
2. Select your language and country.
3. Connect to Wi-Fi or plug in an Ethernet cable.

Corporate Wi-Fi

Connect to the Etnetera-Corp network using the password provided by the IT team. The network is available in all offices.

4. The Mac automatically contacts Apple servers and downloads the MDM enrollment profile from Hexnode.
5. The Remote Management screen appears with the text: "This Mac is supervised and managed by Etnetera a.s."
6. Click Continue.

Do not use a personal Apple ID

The Setup Assistant will offer to sign in with an Apple ID. Skip this field or use a company Apple ID (if one was assigned to you by IT). Never enter a personal Apple ID on a company device.

2. Sign in with your Company Account (Microsoft SSO)

1. After completing the Setup Assistant, the Mac will boot to the desktop.
2. Hexnode automatically shows a sign-in prompt — click Sign in with Microsoft.
3. Enter your company email: firstname.lastname@etnetera.cz.
4. Enter your password on the Microsoft Entra ID sign-in page.
5. Complete multi-factor authentication (MFA) in Microsoft Authenticator on your phone.

AD Connect (alternative sign-in)

If Microsoft SSO sign-in fails, use direct Active Directory sign-in: username ETNETERA\firstname.lastname and your domain password. Report this situation to the IT team.

3. Automatic Application Installation

After successful sign-in, Hexnode will automatically install company software. The process takes approximately 10–20 minutes depending on internet speed.

Installed applications:

Application	Description
ESET Endpoint Security	Antivirus protection — starts automatically
Viscosity	VPN client for corporate network access
Slack	Company communication platform
Google Chrome	Web browser (recommended for company systems)

Monitoring installation progress

Progress can be monitored in the Hexnode MDM app (shield icon in the Dock or menu bar). Green icon = everything is fine.

4. FileVault Encryption Activation

Hexnode automatically activates FileVault — full-disk encryption. The process runs in the background.

1. A system notification appears: "FileVault encryption is being enabled."
2. If the Mac asks for a password to start FileVault, enter your macOS login password.
3. Disk encryption runs in the background — you can use the Mac normally.

Keep Mac plugged in

During disk encryption, keep the Mac connected to power. Unplugging will not interrupt the encryption but may slow the process.

FileVault recovery key

The FileVault recovery key is automatically backed up to the Hexnode MDM console. Users do not need to store it — contact the IT team if needed.

5. Verify Enrollment Status

After installation completes, verify that enrollment was successful:

1. Click → System Settings → Privacy & Security → Profiles.
2. The list should contain Etnetera MDM Profile with status ✅ Verified.
3. Open ESET Endpoint Security — a green shield reading "Your computer is protected." should be displayed.

VPN setup

After Viscosity is installed, you need to import the VPN configuration. See the VPN Connection guide.

---

Troubleshooting

Mac did not enroll into MDM automatically

• Check that the device is assigned to the MDM server etnetera.hexnodemdm.com in Apple Business Manager.
• Perform an MDM enrollment reset: System Settings → Privacy & Security → Profiles → remove the profile and restart the Mac.
• Contact the IT team.

Microsoft SSO sign-in not working

• Check your internet connection.
• Try the alternative AD Connect sign-in: ETNETERA\firstname.lastname.
• Check that your account is not blocked in Azure Active Directory.

An application did not install

• Open the Hexnode MDM app → Apps and check the installation status.
• Manually trigger a sync: Hexnode MDM → Settings → Sync.
• If the application is still missing after sync, contact the IT team.

---

Contact the IT team

If you have any issues with MDM enrollment, contact us:

Email: it@etnetera.cz

Please include in the subject line: MDM Enrollment – [your name] and attach the Mac serial number (About This Mac → Serial Number).