macOS Intelligent Hub Test Plan - Beta 1

Beta 1 Test Plan

Please complete the below test plan for Beta 1 on any macOS device running 10.12+. Completing this test plan will help determine how well this functionality is working for you and your organization. 



We have updated the enrollment UI to align with the other platforms supported by Workspace ONE Intelligent Hub. This version of Intelligent Hub allows for multiple enrollment methods to help achieve a variety of onboarding use-cases. Please note the UI may be subject to tweaks and modifications before GA release.


Please review the options below and test Hub in the same way as your organization would currently use Intelligent Hub 4.0 or AirWatch Agent 3.1.1 (and lower).

1. DEP or Web Enrollment

Automatic deployment of Hub will not be supported in this beta. To test, perform a DEP or Web enrollment, then manually install the Intelligent Hub beta pkg. The app should recognize the enrollment and the menu bar icon should show as Enrolled & Connected. If you have any Internal Apps or Custom Attributes configured, these should start processing shortly after the app is installed.

Note: This flow also includes enrollment methods that install the exported profile from Console Settings > Devices & Users > Apple > Automated Enrollment.


2. Hub Enrollment

To test enrollment through the app, manually install the beta pkg on an unenrolled macOS 10.12+ device. Once installed, click the menu bar icon and click Enroll Now. The enrollment UI should appear. Continue through enrollment as you usually do and report any issues, quirks, or any other comments as you test. All forms of enrollment are supported through the app - Basic Authentication, SAML, Token, and Staging (no authentication).                                                         



 Basic Authentication




SAML Authentication view rendered within the app




Token-based Authentication




Optional prompts for Ownership type or Asset Number




Optional Custom Terms of Use








After enrollment is complete:

After enrollment is complete with the MDM profile installed and the app has recognized that it is enrolled, click the menu bar icon and click Account. This should launch the app with an Account screen, displaying details on the enrolled user & device, including a link to collect logs for troubleshooting.





FileVault Encryption Management

We have redesigned FileVault management from the ground up to support Apple best practices for managing encryption via MDM. Previously the Disk Encryption profile on the UEM Console was limited and did not expose all functionality available via MDM. Furthermore, the profile did not clearly delineate between what was managed via Apple MDM and what was behavior specific to the Agent / Hub. This major enhancement comes with changes to both the UEM Console and to Intelligent Hub to support FileVault management on macOS 10.12+. The profile will also now allow you to configure MDM specific FileVault settings and turn off Hub functionality completely.

In macOS 10.13 (and with APFS), Apple revamped MDM FileVault management and made it more reliable for escrowing Personal Recovery Keys. We strongly encourage customers to upgrade any 10.12.X devices to take advantage of these enhancements from Apple.


There are two major flows for the redesigned FileVault encryption management functionalities of Intelligent Hub, depending on the state of the device before the FileVault profile is installed. Please review the two cases below and test each on devices with various encryption states and OS versions typically found in your organization. To completely disable Intelligent Hub functionality for FileVault, simply disable the root setting in the Intelligent Hub Device Management section, Use Intelligent Hub for enforcement.


Case 1: Device is not FileVault encrypted.

For this case, the profile is installed to a device that is not yet encrypted. The primary goal in this scenario is to instruct the user to start the encryption process. With the redesigned profile UI, Workspace ONE UEM now takes full advantage of native MDM FileVault Deferred Enablement, which requires the user to enter their login password during logout or login (or both), when prompted by the OS, depending on the configuration and state of the machine when the profile is installed (i.e user logged in or not).

Intelligent Hub can help instruct your end-users to logout to perform the Deferred Enablement when Encryption disabled notification is enabled in the Intelligent Hub Device Management section. The notification message to end-users can be customized, including the number of times it can be dismissed and the interval between dismissals. You can also optionally force the logout after a certain number of dismissals.


Notifications will appear as native notifications in the right hand corner and the full message (if longer than x characters) can be viewed in the Notification Center tray.


Clicking Logout on the notification will initiate a standard log out process, with the OS prompt.


When the OS prompts the user depends on the When to prompt user setting in the Native Device Management section - default is set to both Login and Logout. The prompt will come during the black transition between user desktop and Login Window (and vice versa).



If the Display Personal Recovery Key setting is enabled (default disabled), then macOS will display the new PRK to the user.


After finishing this process, the end-user can log back into the account and continue using as normal.


Case 2: Device is already FileVault encrypted but Recovery Key not escrowed.

In this scenario the device is already encrypted, but the Personal Recovery Key needs to be escrowed. Depending on the OS Version, it will work two different ways:

macOS Sierra 10.12 

Before the enhancements Apple made to FileVault in 10.13, the recovery key was escrowed via a redirection URL. When a PRK is generated or changed, macOS sends the key to the redirect URL (however does not retry if this fails). Due to the historical unreliability of this redirection mechanism, Hub will periodically check with the UEM Server to see if the key has been escrowed, and prompt the end-user for password to rotate the key if it has not been escrowed after 24hours. Additionally, Hub will periodically validate the escrowed Recovery Key to ensure it is still the current key.

macOS High Sierra 10.13 and above

In macOS 10.13 and APFS, FileVault was revamped to support a much more reliable method of Personal Recovery Key escrow, utilizing the MDM SecurityInfo command - a sample query that is periodically requested from devices every day. When a PRK is generated or changed, the next Security Info sample will detect it and escrow the key to the UEM Server.


Intelligent Hub can help instruct your end-users to enter their password to perform a rotation of the Personal Recovery Key. This rotation is required because a pre-existing PRK cannot be escrowed, only a newly generated one. This functionality of Hub is activated only if Prompt for password if encrypted is enabled in the Intelligent Hub Device Management section.


Notifications can be customized, including the interval between each dismissal.


If Dismiss is clicked, the notification will dismiss and it will appear again at the next interval defined in the profile for Dismissal interval.

If Continue is clicked, a prompt will appear, which can be customized.


If this prompt is dismissed without entering password, the notification will again appear at the next interval. This will continue until Hub detects that the UEM Server has escrowed the current PRK.

Note: Installing a newer version of a FileVault profile on 10.13+ will cause macOS to require a new PRK rotation - thus, Hub will notify the user to enter their password again when a new version is installed.

If the password is accepted and the PRK rotation is successful, Hub will display the customizable Success prompt.


If the Display Personal Recovery Key setting is enabled (default disabled), then Hub will also display the new PRK to the user.



In the event of an OS issue or unexpected response when running the command to rotate the recovery key (fdesetup changerecovery -personal), Hub will display a customizable Error prompt to the end-user after the number of times configured in the profile for Retries before error message. This is to prevent end-user fatigue and work stoppage if there's an OS issue that needs administrator intervention before Hub can successfully initiate a PRK rotation.

Have more questions? Submit a request


Article is closed for comments.