This article includes a simple, call-ready checklist you can use while working with a customer. It walks you through the key items to confirm that everything is set up, reachable, and working before starting macOS MDM enrollments. Feel free to use this checklist during case notes, Teams calls, or any troubleshooting session to make sure all requirements are in place.
ITMS 8.6 and later
Use this checklist to validate each component of the macOS MDM setup.
Enrollment should not proceed until all items pass.
⬜ Verify APNS certificate is present in ITMS
⬜ Confirm certificate is not expired
⬜ Confirm certificate was created with the correct Apple ID
⬜ Confirm Apple Push Certificates Portal shows the same certificate expiry date
⬜ Confirm private/public key pair exists (OpenSSL or internal CA)
⬜ Confirm CSR was generated properly
⬜ Confirm Broadcom or internal CA returned a valid signing certificate
⬜ Confirm signing certificate imports without errors
⬜ Confirm code-signing certificate appears as valid in ITMS
⬜ Verify certificate CN/SAN matches the MDM FQDN
⬜ Confirm certificate chain includes intermediates
⬜ Confirm certificate + private key imported successfully on Linux MDM server
⬜ Validate “full chain” format is correct (PEM order)
⬜ Validate SMP, Linux MDM server, and IGW all present the same trust chain
⬜ Confirm no old/duplicate certificates exist (KB Failed to import MDM Server certificate "The certificate with thumbprint <cert thumbprint> already exists" scenario)
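The certificate items above (expiry, CN/SAN matching the MDM FQDN, PEM chain order, and the same chain being presented by SMP, the Linux MDM server and IGW) can be checked from the Linux MDM server shell with openssl. The script below is an added example for this article, not a Broadcom tool or part of the ITMS product; it assumes openssl is in PATH, that the chain file is in the order the checklist requires (leaf first, then intermediates, root last or omitted), and that the FQDN and host names passed in are placeholders for the customer's values.

```shell
#!/bin/sh
# Added example (not part of the KB article or the ITMS product): pre-flight
# checks on the MDM server certificate chain with openssl.
# Assumes: openssl in PATH; CHAIN.pem ordered leaf first; FQDN/HOST are placeholders.
set -u

# Split a PEM bundle into numbered single-certificate files under $2; print the count.
split_chain() {
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; out = sprintf("%s/cert%02d.pem", dir, n) }
    n > 0 { print > out }
    /-----END CERTIFICATE-----/ { close(out) }
    END { print n + 0 }
  ' "$1"
}

# "Full chain" PEM order check: certificate i must be issued by certificate i+1.
# Returns 0 when every issuer/subject link matches, 1 otherwise.
check_chain_order() {
  dir=$(mktemp -d)
  n=$(split_chain "$1" "$dir")
  [ "$n" -ge 1 ] || { rm -rf "$dir"; echo "no certificates in $1"; return 1; }
  i=1
  rc=0
  while [ "$i" -lt "$n" ]; do
    cur=$(printf '%s/cert%02d.pem' "$dir" "$i")
    nxt=$(printf '%s/cert%02d.pem' "$dir" $((i + 1)))
    issuer=$(openssl x509 -in "$cur" -noout -issuer)
    subject=$(openssl x509 -in "$nxt" -noout -subject)
    # openssl prints "issuer=<DN>" and "subject=<DN>" in the same DN format; compare the DN part.
    if [ "${issuer#issuer=}" != "${subject#subject=}" ]; then
      echo "chain order broken between cert $i and cert $((i + 1)): expected leaf-first order"
      rc=1
    fi
    i=$((i + 1))
  done
  rm -rf "$dir"
  return $rc
}

# Expiry check on the first certificate in $1: fails if it expires within $2 seconds
# (0 = already expired; 2592000 = 30 days, a sensible renewal warning window).
check_not_expired() {
  openssl x509 -in "$1" -noout -checkend "${2:-0}" >/dev/null
}

# CN/SAN check: the leaf (first cert in $1) must be valid for the MDM FQDN in $2.
check_hostname() {
  dir=$(mktemp -d)
  split_chain "$1" "$dir" >/dev/null
  openssl x509 -in "$dir/cert01.pem" -noout -checkhost "$2" | grep -q 'does match certificate'
  rc=$?
  rm -rf "$dir"
  return $rc
}

# Fingerprints of the chain a live endpoint presents on 443, one per line.
# Run against SMP, the Linux MDM server and IGW; the lists should be identical.
live_chain_fingerprints() {
  dir=$(mktemp -d)
  openssl s_client -connect "$1:443" -servername "$1" -showcerts </dev/null 2>/dev/null \
    | split_chain /dev/stdin "$dir" >/dev/null
  for f in "$dir"/cert*.pem; do
    [ -f "$f" ] && openssl x509 -in "$f" -noout -fingerprint -sha256
  done
  rm -rf "$dir"
}

# Usage: sh mdm_cert_preflight.sh CHAIN.pem mdm.example.com
if [ -n "${1:-}" ] && [ -n "${2:-}" ]; then
  check_chain_order "$1" && check_not_expired "$1" 2592000 && check_hostname "$1" "$2" \
    && echo "all certificate checks passed for $2"
fi
```

Run `live_chain_fingerprints` once per host (SMP, Linux MDM server, IGW) and diff the output; any difference points at the duplicate or stale certificate the last checklist item describes. A thumbprint that appears in the import error message can be compared against the same `-fingerprint` output to find which file still carries it.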
⬜ Confirm Linux OS version supported
⬜ Verify all MDM services start successfully
⬜ Check systemctl status for Broadcom MDM services
⬜ Confirm certificate directories/permissions correct
⬜ Validate server connectivity to SMP (ping/FQDN resolution)
⬜ Validate Linux MDM server can resolve:
    SMP internal FQDN
    IGW external FQDN (if used)
⬜ Test HTTPS access to the MDM endpoints
⬜ Confirm outbound traffic to APNS on TCP/443 is allowed
⬜ Validate no SSL interception by proxies
⬜ Confirm IGW installed and running
⬜ Confirm IGW external FQDN matches the certificate
⬜ Validate certificates installed correctly on IGW
⬜ Confirm IGW can reach SMP and Linux MDM server
⬜ Validate external reachability via https://<FQDN>/mdm
⬜ Verify ITMS version supports MDM
⬜ Confirm MDM server configured and showing “healthy”
⬜ Check that the MDM code signing certificate is recognized
⬜ Confirm ABM token imported (if applicable)
⬜ Validate an MDM Enrollment Policy is created
⬜ Check targets are correct (All Mac clients, test group, etc.)
⬜ Confirm enrollment URL is accessible externally & internally
⬜ macOS version 11+
⬜ Device time/date correct
⬜ Device not enrolled in another MDM
⬜ Keychain trust store does not contain conflicting certificates
⬜ Device can reach:
    https://<FQDN>
    https://<FQDN>/mdm
    Apple APNS servers
⬜ No firewall or Wi-Fi filtering blocking enrollment
⬜ Confirm the user has administrator rights
⬜ Confirm System Settings → Profiles can install unsigned/signed profiles normally
⬜ Validate the enrollment URL prompts profile download
⬜ Confirm profile shows signed status
⬜ If it shows “unsigned”, check:
    Code signing certificate
    Certificate chain
    SMP/IGW FQDN mismatch
⬜ Install profile and confirm:
    Device appears in ITMS
    MDM GUID stable
    No GUID resets (ref. KB 271514)
⬜ Lock device test (if allowed)
⬜ Profile push test
⬜ Application push test (optional)
⬜ Collect macOS profiles debug output
⬜ Check Linux MDM logs for enrollment events
⬜ Confirm no TLS or certificate chain errors
⬜ All certificates validated
⬜ Linux MDM server online and reachable
⬜ IGW functional (if applicable)
⬜ Enrollment policy working
⬜ Test Mac enrolled successfully
⬜ Profiles deploy correctly
⬜ MDM commands execute successfully