Endpoint Services, macOS 11 (Big Sur), Configuration Profiles

macOS 11 lack of support for profile installation via Munki, and how to use Workspace ONE to accomplish the same goals.

Systems

Workspace ONE Unified Endpoint Management (UEM)
Munki Mac Endpoint Management

Intended Audience

University of Illinois IT Pros managing macOS endpoints with Endpoint Services Multi-Tenant Munki and Workspace ONE UEM.

General Information

With the fall 2020 release of macOS 11 (Big Sur), Apple removed the ability to install configuration profiles using command-line tools, the method used by Munki to install profiles. This change affects a variety of profile packages in the Multi-Tenant Munki service, including unit-level Workspace ONE (WS1) auto-enroll profiles, which are used to enroll non-Device Enrollment Program (DEP)-eligible Macs into WS1.

Workspace ONE Auto-Enroll Profiles

Using Munki to install Workspace ONE (WS1) auto-enroll profiles on non-DEP-eligible Macs running Big Sur is no longer possible. Instead, use manual enrollment methods for these enrollments.

Other Configuration Profiles

The following table contains MTM configurations that can't be installed on Big Sur via Munki, and the corresponding Workspace ONE profiles available for all versions of macOS. We encourage units to begin transitioning from Munki profiles to Workspace ONE profiles as soon as possible. If you would like assistance with the transition, please contact the Endpoint Services team.

Munki Manifest Conditions

You can add conditions to your unit Munki manifests to prevent Munki from evaluating profiles for installation on Big Sur clients. This will prevent warnings from being logged to your MunkiReport dashboard. Learn how to create and apply conditions to your unit-level Munki manifests.


Munki Package Workspace ONE Profile(s) Purpose
enterprise_connect_uiuc_settings Enterprise Connect UIUC Settings Pre-populates the AD domain in the Enterprise Connect dialogue.
Big Sur is the last macOS version to support Enterprise Connect.
illinoisnet_wireless_system_auth IllinoisNet_Wireless_System_Auth Uses AD Computer Object credentials to automatically log on to IllinoisNet.
For AD-bound machines only.
mobileconfig_com.microsoft_disableupdatesandfirstrun ms.disable.autoupdates, ms.first.run.complete For Office 365/2019, disables automatic updates and suppresses initial setup dialogues.
munkitimewindow_9pmto4am MunkiTimeWindow-9pm-4am Changes the default MunkiTimeWindow schedule to 9pm - 4am.
Requires base munkitimewindow installation via Munki.
munkitimewindow_12amto2am MunkiTimeWindow-12am-2am Changes the default MunkiTimeWindow schedule to 12am - 2am.
Requires base munkitimewindow installation via Munki.
munkitimewindow_12amto6am MunkiTimeWindow-12am-6am Changes the default MunkiTimeWindow schedule to 12am - 6am.
Requires base munkitimewindow installation via Munki.
secure_token_bypass SecureTokenBypass Bypasses the SecureToken dialogue for all logins.


Contact the EPS team