Personal and unmanaged Apple Mac computers
This guide applies to University staff and postgraduate research students only.
Contents
- Using a personal or unmanaged Apple Mac computer
- Why are we making this change?
- What services will be unavailable unless a device is enrolled?
- Support for staff and PGRs
- Enrol your personal Mac
- FAQs
- Data Protection and Privacy
Using a personal or unmanaged Apple Mac computer
The University has introduced compliance checking for personally owned Apple Mac computers of main staff and PGRs when accessing University services. If staff and PGRs wish to use their personal Apple Mac computer to access University services, they can enrol their personal device into University management.
This also affects third-party Apple Mac devices and University-managed Apple Mac computers that are not compatible with the latest management system.
It does not impact iPhones or iPads, only laptops and desktops running macOS.
Please note this does not affect honorary or associate staff, or taught students.
Why have we made this change?
This change was necessary to allow us to retain Cyber Essentials certification, which the University relies on for commercial and research funding and income. Enrolling a device allows us to check that the device is compatible and is running a secure version of macOS, which includes the current and previous two versions.
What services will be unavailable unless a device is enrolled?
Restricted University services include Microsoft 365 applications and services behind Single Sign On. However, we strongly recommend staff and postgraduate research students use their university-provided and managed devices to access any University services or data.
Support for staff and PGRs
- If you have concerns about this change and have a critical business need for an additional computer, then please speak to your School or Division.
- If you are a staff member, and your role allows you to have a device, or you are a PGR student who does not have a computer provided by the University, you can request one from IT Services.
- For those with a University Apple Mac computer that is not managed, please contact IT Services.
Enrol your personal Mac
- Raise a "personal Mac access" Service Request on the IT self-service site. As part of this request, you will need to agree to the terms and conditions for using and confirm which operating system your Mac is on. If you cannot access the IT self-service site, please contact IT Services by phoning 0117 428 2100.
- Receive enrolment email. You will receive an email informing you that you are now able to enrol your Mac. You will need to register within a defined timeslot. If you miss your enrolment window, you will need to raise a new Service Request.
- Enrol your device by following the steps below.
Important notes
- If your device is not on a supported version of its operating system, you will not be able to access University services. Supported versions of macOS include the current and previous two versions.
- We recommend you back up your personal data on your personal devices using tools such as Time Machine, and enable remote wipe in iCloud in case your device is lost or stolen.
- Throughout this process it is likely the operating system will prompt you to enter your username and password. Please enter the username and password for your device, and not your University of Bristol username and password, except when prompted at step 2 below.
1. In a web browser, visit https://go.microsoft.com/fwlink/?linkid=853070. Download and then install Company Portal.
2. Open Company Portal and sign in using your University of Bristol credentials.
3. Select begin.
4. Review privacy information carefully and select continue.
Note: The University will only be able to see University of Bristol managed apps we have provided. The University will not be able to see apps you have installed for personal use.
5. Select download profile.
6. Your system settings will open. Double click on the new management profile. When you are asked "Are you sure you want to install this profile?", click install.
7. When this has installed, go back to Company Portal and wait for the device setup to complete. If your device meets the required compliance standards, you will be able to access University services.
FAQs
Personal Apple Mac computers
What device are staff and PGRs entitled to?
Our University policy states that all business should be conducted on compliant devices and/or on managed services.
If a member of staff or PGR colleague is impacted by these changes you can make a request for an alternative managed Windows or Linux device or a replacement managed Mac device based on the suitability of the device to the demands of the role.
The IT purchasing policy (last updated March 2023) allows the core budget to provide "one device (a laptop or desktop) per member of staff or PGR", and this includes Mac devices "where research and/or teaching demonstrates a need." This would also include professional services staff where there is a business need to use macOS.
Colleagues will appreciate that Mac devices can be more expensive than Windows or Linux and purchasing decisions should only be based on business need rather than a preference.
If your role qualifies you to have a University-managed computer and you do not have one, you can request one by following the purchasing guidance on the Buying IT pages.
Lecture theatres, study spaces and teaching spaces are already catered for within this core (i.e. non-school) budget. Additional research-only devices would normally come from grants but are still subject to the key principles of IT purchasing and would still be required to meet all Information Security Policy requirements or be placed onto a research-only network.
Why are we making these changes now?
To ensure that the University can meet the Cyber Essentials requirements it is necessary for all devices to be under some form of centralised management.
We now need to accommodate some changes for Macs.
The decision was made by the Academic Leadership Board and Operations Board. The Information Security Policy is owned by the University Executive Board and this decision is in line with this policy.
Why do we need Cyber Essentials accreditation?
Much of our research and third-party funding relies upon the University maintaining Cyber Essentials. This was due to a requirement of the Public Procurement Notices (PPN) issued by the Government for any organisation in the Government supply chain, which includes both the research councils and the University taking on grants.
The PPN was changed in September 2023, after direct lobbying by the University, to allow for alternatives to Cyber Essentials. However, it is noted that it may take many years for existing contracts to complete and for frameworks to change their inclusion of these terms. This is outside the control of the University.
How do I get data off my personal device before the change?
Please move all University data to OneDrive or your departmental filestore.
Any processing or storage of University information using personally owned devices must comply with the University’s Mobile and Remote Working Policy (ISP-14).
Can I still access University resources on the web if I don't enrol?
No. Those web applications are still in scope for Cyber Essentials and require you to authenticate (log in) using your University ID. It is at the point of login that a check of the device is made no matter whether the service is located on campus (for example, MyERP) or in the cloud (for example, Outlook or Blackboard).
If I don't enrol can I still use my Mac to access services via a virtual machine or desktop?
No. Whilst the virtual machine (including Engineering and Open Access Virtual Desktops) may be compliant with CE, the underlying operating system must also be compatible and the University cannot make a technical check for that Mac compatibility at the point of login. Further investigation into whether there is a method for making this form of access compliant.
Can I unenrol my Mac?
Yes, you can.
- Sign in to Company Portal for macOS.
- Go to Devices and select the device you want to unenrol.
- From the app toolbar, select the Devices menu > Remove.
- When asked to confirm the removal, select Remove. The device is immediately removed from Intune.
Does enrolling mean that I need to be on campus?
No. You will register your wish to be enrolled and will be contacted with a time window in which you can enrol your device using the instructions provided. This can be done away from Bristol. Support will also be available from the IT Service Desk.
What does enrolling my personal Mac allow the University to see and do?
- The management DOES NOT ALLOW the University to see: personal files, browsing history, open emails or contacts, personal passwords nor what applications are installed (other than those provided by the University).
- The management DOES ALLOW the University to see: operating system version and whether you have a device password set.
- The management DOES ALLOW the University to wipe your computer remotely if needed. However, by policy, this would only happen after you directly and in writing request that action (for example, if it were stolen).
My computer is already managed by another University or organisation. Can I enrol?
No, Mac devices can only be managed by one organisation. If your device is already managed by another organisation, it cannot be enrolled for management by the University of Bristol unless you de-register from the other organisation (preventing you from accessing data from that organisation) and register with Bristol.
Will enrolling the device give the University the possibility of updating system software remotely?
No. Enrolment checks that the operating system of your device meets the latest available version and security patch and where they are not in place the device will be blocked from access until it is updated.
If you are running software that is not compatible with supported operating systems then the device should not be used to access University services (as per Information Security policy) as it presents a very real cyber risk.
How should I work with University data on my personal device after the change?
You should not be saving or using University data on a personal device if you have not enrolled your device (see guidance above). This also means you should not be moving data from University systems onto a portable device to access from your personal device.
If you find you still need to move University data from your personal device back to University services please ensure you follow the Information Handling Policy (ISP-07) and only use portable media (USB memory stick or drive) that has been purchased through IT Services.
Can I use the Mozilla Thunderbird email client on my Mac?
No. The Mozilla Thunderbird email client is not supported on macOS devices and will not work. There is a configuration made by Mozilla which is currently incompatible with the University systems, and until it is resolved by Mozilla, it will continue not to work.
The University's supported email client is Microsoft Outlook.
Information for taught students
I'm a taught student with a staff role, does this change affect me?
The change in April will exclude all taught students. However, certain paid roles are in scope for Cyber Essentials. A process will be launched via schools and divisions at a later date to understand what roles are being undertaken and the classification of any data the role might have access to. A decision will be made on inclusion or exclusion from Cyber Essentials on that basis. For now there is no impact.
University managed Mac computers
I have a University provided Mac, how do I know if it is managed and compliant?
If your device is managed by the latest management platform, you will have 'Self Service' installed. If you are on the older management platform you will have the 'Software Center' installed. See additional FAQs for the actions you need to take if you need to upgrade and register (or just register) your device.
What should I do if my University Mac has the application 'Self Service' installed?
Those with Self Service installed
1. For those with 'Self Service', please use the 'Company Portal' (also installed) to check that you are 'enrolled with Jamf Device Compliance'.
2. If it does not say you are enrolled, please follow the guidance on how to register your device for compliance checking.
3. Approve popups. Various applications and browsers will request your approval to allow compliance checks. Please accept and, where asked, select Always Allow to avoid the popups from reappearing. Please contact the IT Service Desk if you have any issues with passwords.
Example popups include:
‘Google Chrome wants to export key “Microsoft Workplace Join Key” from your keychain.’
Please submit your device password and select Always Allow.
When signing into Office online - ‘The website “device.login.microsoftonline.com” requires a client certificate’.
Please ensure you approve the certificate request.
What should I do if my University Mac has the application 'Service Center' installed?
You will need to update to the Jamf management platform
The process involves a few steps, which include removing content from your device, setting up the new operating system, and registering for compliance.
1. Follow the guidance on the page migrate your macOS device to the current management platform for instructions on how to erase the content on your device and upgrade. Please read the Important Notes section at the top of the page and make sure you back up data to OneDrive.
2. Once you have completed step 1, you must set up your device as if it were a new device. Follow the instructions on setting up a new device. We advise printing a copy of this or having another device available to view the guidance.
3. You will then need to register your device to be checked for compliance. See the instructions on registering for compliance.
Please read through all the documentation in advance.
If you require any assistance, please contact IT Service Desk or visit the IT Counter.
What do I do if my device is still showing it's not registered with Company Portal?
If you have a University Mac computer with Self Service installed
1. Please restart your computer.
2. Re-register your University provided Mac computer for compliance by following the instructions at How to register your macOS device to check compliance.
3. To allow compliance checking, applications and browsers will ask you to allow access. Examples of these popups can be seen below. Please approve these requests. Submit your device password and select Always Allow. If you have any issues with the password for these requests, please contact the IT Service Desk.
Shared University Apple Mac computers
Staff and PGRs using a shared university Mac computer
Please be aware that compliance checking for main staff and PGRs is done on an individual basis. This means that if main staff and PGRs use an open access Mac computer in teaching spaces or have a shared device in an office, each person will need to register when they log in.
To register, simply follow the instructions on this page.
Troubleshooting
After compliance is applied I can't sign in, what do I do?
If you have a University Mac computer with Service Center installed
Please follow the instructions on this page.
If you have a personal Mac computer that you have registered for compliance
Please contact the IT Service Desk for guidance.
If you have a personal Mac that you have not registered
Please follow the guidance above.
If you have a University Mac computer with Self Service installed
1. Please restart your computer.
2. Re-register your University provided Mac computer for compliance by following the instructions at How to register your macOS device to check compliance.
3. Applications and browsers will ask you to approve access for compliance checking. Approve these popups to Always Allow.
I'm registered for compliance but I can't access University services via my browser
Please try an alternate browser or clear the browsing history and try again on the browser that is not allowing access. We recommend using Edge or Safari to access corporate resources as they support compliance checking.
Data protection and privacy
Registering your device to access your University account through the M365 native apps does not give the University any access to your personal data.
Your organisation can't see:
- Calling and web browsing history
- Email and text messages
- Contacts
- Calendar
- Passwords
- Pictures, including what's in the photos app or camera roll
- Files.
Your organisation can always see:
- Device owner
- Device name
- Device serial number
- Device model
- Device manufacturer
- Operating system and version
- Device IMEI
- App inventory and app names, such as Microsoft Word
- On personal devices, your organization can only see your managed app inventory, which includes work and school apps.
- On corporate-owned devices, your organization can see all apps installed on the device.