macOS Endpoint Management Baseline

This KB provides a summary of applications and configurations present on all Libraries staff macOS devices.

Table of Contents


Users retain administrative rights on their macOS devices and can perform all admin-level functions.  However, several applications cannot be removed, as they are configured to be automatically reinstalled should a user attempt to uninstall them.  Those applications include Workspace ONE Intelligent Hub, Lansweeper, and GlobalProtect.  If you experience any issues with these applications such that you would like one or more of them to be removed, please contact the LTG Help Desk.

Installed Applications & Scripts

Workspace ONE Intelligent Hub

  • Used for software deployment, profile management, and security compliance


  • Allows LTG to inventory hardware and software for asset tracking and lifecycle management

Palo Alto Networks GlobalProtect

  • Used for VPN access

Post-Enrollment Script

This script:

  • renames the device to include the last eight (8) digits of its serial number;
    • Example: "GLS-MLAP-1A2B3C4D"
  • sets the time zone to either Central Standard Time or Central Daylight Time, depending on the current date; and
  • enables Apple Remote Desktop.

Default Configurations

  • macOS firewall is turned on.
  • Certain kernel extensions, also known as "kexts," and system extensions are enabled to make deployed software operational.
    • Users are allowed to grant both kernel extensions and system extensions permissions for software they install manually.
  • A password is required if the macOS device is awakened from sleep mode.
  • The initial login window will prompt for both a username and password.
  • An LTG Admin account is added.
    • The password for this account is unique for every macOS device (i.e., no two devices have LTG Admin accounts with matching passwords), and the password changes regularly.

Optional Software

If you would like any of the optional software listed above added to your macOS device, please contact the LTG Help Desk, and they will add your device to the appropriate group to automatically receive it.

Keywordsmacos, mac, workspaceone, ws1, mobile device management, mdm, unified endpoint management, uem, vmware, intelligent hub, lansweeper, lan sweeper, palo alto networks, palo alto, pan, general library system vpn, gls vpn, vpn, globalprotect, global protect, application deployment, app deployment, deployment, deploy, app, push application, push app, install application, install app, profile management, manage profile, security compliance, compliance, inventory hardware, inventory software, inventory, asset tracking, asset, lifecycle management, lifecycle, vpn, virtual private network, script, serial number, serial, time zone, kernel extension, kext, system extension, password, sleep mode, cisco secure endpoint, cisco advanced malware protection, cisco amp, qualys   Doc ID110296
OwnerDylan R.GroupLibraries
Created2021-04-15 14:35:01Updated2024-04-26 16:31:09
SitesUW-Madison Libraries
Feedback  0   0