Notes from Custom app distribution and device management lab (Thursday, June 9th 2022)

I took notes during the "Custom app distribution and device management" lab. If interested, please see the attached "Notes from lab":

Replies

For question 5, this was covered in the Slack Q&A in #device-management-lounge. The answer from Jesse E (Apple) is pasted below for posterity (not sure how long the Slack instance will stay around):

Because the local account exists on the Mac already, the user will still be able to log in to this local account even though the account has been disabled in the IdP. The last password that synced remains. In a scenario where the user should no longer be able to log in to the device, other methods should be used, such as the device lock MDM command. Think of this like a local password that just happens to get automatically updated/kept in sync. But it's still a local password and therefore still behaves exactly as any other local password would — since that's what it is. So in those cases you're talking about, you'll want to handle it separately.

The answer to question #6 in the notes is partially incorrect.

With regard to the "Requirement for internet access in Setup Assistant": how does the device retain knowledge of its organization registration after a wipe or a DFU restore?

Is this information stored in NVRAM or is it stored elsewhere?


Answer:

It does not survive a DFU restore, but it does survive a disk wipe. I don't know where this information is stored, but a good place for research should be the Local policy manifest information included in the Apple Platform Security guide.

The correct answer is that it survives both a DFU restore and a disk wipe. This is because online activation is required following DFU. As part of the activation process, macOS will discover that the device is managed and will re-apply the relevant setting to the device.