Lights Out Management MDM payload settings for Apple devices
You can configure Lights Out Management settings to remotely start, shut down, and restart the following after they’re enrolled in a mobile device management (MDM) solution.
Mac mini (M2, 2023) with a 10Gb Ethernet card
Mac Studio (2022)
Mac mini (M1, 2020) with a 10Gb Ethernet card
Mac Pro (2019)
The Lights Out Management command is sent from a MDM to the Mac (acting as the Controller) using the MDM protocol. The Mac acting as a Controller in turn sends the command to another configured Mac (acting as the Device), as specified in the payload, using a secured and proprietary protocol. All Mac computers acting as Controllers or Devices:
Must be using macOS 11or later
Must be on the same local subnet and use Ethernet (communication is over IPv6)
Must have the CA Certificate Trusts for a Device (If configured as a Controller)
Must have the CA Certificate Trusts for Controller (If configured as a Device)
Must be enrolled in the same MDM solution
Must have the Lights Out Management payload installed
Don’t require a static IP address for communication
Communication between the MDM solution and the Controller uses Apple Push Notification service (APNs). Communication between the Controller and the Device computers uses TCP/IP (IPv6) and TLS, which is encrypted using the certificates supplied by the Lights Out Management payloads on each device and evaluated using a proprietary protocol and mTLS.
Certificates
Certificates configured on Controllers or Devices for LOM communication can be included as PKCS #12 or issued using an SCEP payload. Each must include the following certificate specific configurations:
x509 Key Usage: Digital Signature, Key Encipherment and Data Encipherment
x509 Extended Key Usage: Server Authentication, Client Authentication
x509 Subject CN
x509 SubjectAltName, dNSName
If a Mac supports Lights Out Management, it can be both a Controller and a Device. You configure it by including the UUID of the device certificate payload for both ControllerCertificateUUID
and DeviceCertificateUUID
keys within the com.apple.lom
payload.
The Lights Out Management payload supports the following. For more information, see Payload information.
Supported installation method: Requires an MDM solution to install.
Supported payload identifier: com.apple.lom
Supported operating systems and channels: macOS device.
Supported enrollment types: Device Enrollment, Automated Device Enrollment.
Duplicates allowed: False—only one Lights Out Management payload can be delivered to a device.
You can use the settings in the table below with the Lights Out Management payload.
Setting | Description | Required | |||||||||
---|---|---|---|---|---|---|---|---|---|---|---|
| Configures a device for LOM. | Yes | |||||||||
Controller certificate | The certificate for the LOM controller. | If the Mac is being used as a Controller. | |||||||||
Device certificate | The certificate for the LOM device. | If the Mac is being used as a Device. | |||||||||
Controller CA certificate | The CA certificate for the controller. | If the Mac is being used as a Device. | |||||||||
Device CA certificate | The CA certificate for the device. | If the Mac is being used as a Controller. |
Note: Each MDM vendor implements these settings differently. To learn how various Lights Out Management settings are applied to your devices, consult your MDM vendor’s documentation.