Mac Self-Service is a functionality within the Mac Desktop Service built and maintained to empower CERN users by giving them easy access to applications and configurations through the Self-Service application. It also enables CERN users to acquire Mac App Store applications through the Apple Volume Purchasing Program.
Mac Self-Service is based on the pull philosophy. CERN users join the Self-Service by enrolling their Mac in the CERN MDM, which requires logging-on with their CERN credentials and then downloading and installing the Self-Service application. This enables the users to select the applications they would like to install or the settings they would like to apply on their Mac. The enrolment process depends on the version of macOS installed on your Mac. For older versions of macOS is documented step-by-step in the attached document or on the video on the right. On newer versions of macOS only two profiles are downloaded and installed (first a "CA Certificate" and then an "MDM Profile", for each of these the user is asked for confirmation). The framework and the Self-Service app are then pushed from the server. Due to this it might take a few minutes until the Self-Service app is installed on newer versions of macOS.
Since May, 30th 2017 the enrolment and the Self-Service app use Single-Sign-On instead of the previous login page. SSO works with username and password or with an existing kerberos token. The SSO for the Self-Service currently does not work with user certificates.
When starting the Self-Service for the first time users should run the policy 'Trust CERN CA Certificates' to ensure that the Mac trusts the certificates issued by CERN's Certification Authority, needed for the installation of products via the Self-Service.
On the technical level, the Self-Service works based on the MDM agent, which is installed during the enrolment process. The MDM agent runs with local admin privileges in order to automate installations, manage software dependencies and gather information about the hardware and software, which helps the Mac Desktop Service team provide a better service. The Mac Desktop Service team is committed to ensure confidentiality of this information.
Updates to the applications installed through the Self-Service are handled by mechanisms provided by these applications themselves - in exactly the same way as when these applications are installed outside of the Self-Service. Although technically possible, the Mac Desktop Service team does not push any updates, settings or applications to the Macs enrolled in the Self-Service.
However, in case you would like to remove Self-Service, and you have not installed any CERN licensed software, simply execute the following command in terminal :
sudo jamf removeframework
If the device on which you intend to install this software is owned by an external university or institute, please ensure that you have the right to authorise the installation.
To enrol you Mac in the Mac Self-Service, click here: https://mdm.cern.ch/enrol
About Migration Assistant and Restoring from Time Machine
When a new Mac is set up using the migration assistant directly or via Time Machine that new Mac might also receive the Self-Service.app and the jamf framework, but the Self-Service server will not accept any connection from that Mac since the new Mac is unknown to the server. For devices that are set up via the Migration assistant we recommand to run the 'sudo jamf removeframework' and then enroll the new Mac by visiting https://mdm.cern.ch/enrol.