Self-Enroll in Endpoint Management
Netflix’s endpoint management tools help us streamline device deployment, improve security, and offer time-saving productivity features. Centrally managing device configuration alleviates much of the toil of setting up new computer systems and software.
These tools also allow our information security team to better understand our endpoints’ exposure to vulnerabilities and other risks and to work with users to mitigate security threats when they’re detected. Automated security configurations, like full-disk encryption and firewalls, remove the burden of manual configurations from employees and protect company time and resources.
Do not enroll a personal computer or any other device that is not managed by Netflix, as doing so will result in permanently blocked access to Google suite.
For more context about the logic behind our use of endpoint management, reference this article.
This software is available for full-time employees (FTEs), contingent talent, Animation, VFX, and Games employees.
Check whether or not your device is enrolled
Follow these steps to check whether or not your Mac, Windows, or ChromeOS device is already enrolled. Other platforms are not supported at this time.
Mac
- From the Apple menu, select System Settings or System Preferences.
- In the search box, type Profiles and select the first result.
If you’re enrolled, a list of profiles will include one called MDM Profile. If MDM Profile isn’t listed, follow the Mac instructions in the Enroll Your Device dropdown.
Windows
- Select Start or press the Windows key on your keyboard.
- Type Settings and open Settings.
- Select Accounts, then select Access work or school.
If you’re enrolled, you will see the following:
Connected by email@netflix.com
Connected to Netflix's Entra ID
If the device was enrolled manually or upgraded from Windows 10 to Windows 11, your email address will be listed as a Work or School account.
If this is not present, follow the enrollment instructions.
ChromeOS
If you’re enrolled, the message “Chromebook managed by netflix.com” will appear on the login screen.
Endpoint Verification Chrome extension
The Endpoint Verification Chrome extension is a Google product that helps to inventory devices accessing our corporate Google Workspace. With this extension, we can block access to Google applications for systems and identities that don’t adhere to our Netflix policies.
This extension only collects these data points:
- Device ID, serial number, device type, and operating system (macOS, Windows, and ChromeOS)
- User’s name and corporate email address
- Device encryption status
Installation steps
If using Google Chrome, you must have a Netflix profile with the sync feature turned on. The extension can then be automatically pushed out to your device through our Google Workspace console. Visit go/google-install (FTEs only) if you need help creating a Netflix profile with the sync feature turned on.
If you’re using a browser other than Chrome or do not have your profile created with the sync feature turned on, manually install the endpoint verification extension by selecting the Endpoint Verification Link and then selecting Add to Chrome.
Note: If you create a new Netflix profile, import your bookmarks from your existing profile to this new profile. Find the steps to do that in the FAQ.
Enroll your device
Before proceeding, confirm if your device is already enrolled in Endpoint Management using the steps in Check whether your device is enrolled.
Mac
These instructions are applicable to macOS.
If you have an older version of macOS, we strongly recommend upgrading to the latest version before enrolling your device.
We do not recommend using Migration Assistant or Time Machine to configure your device. Follow the steps appropriate to your OS instead.
- Select this link and download the Netflix Enrollment Assistant tool.
- Google Drive will present a message stating: This file type might be dangerous. Ignore this notification and select Download Anyway.
- Once downloaded, locate and launch the tool.
- Follow the prompts to begin enrolling your Mac.
- Once the Mac is enrolled, you’ll be shown a screen that states: Enrollment is complete.
- Select OK to close the tool.
Note: If you configured your device using Time Machine or Migration Assistant, you may need to use the steps in this article to enroll your device.
Windows 10
These instructions are applicable to devices operating on Windows 10.
- Right-click Start (located on your taskbar) and select Settings or press and hold Windows and I on your keyboard.
- Select Accounts.
- Select Access work or school.
- Select the + Connect icon.
- From the Alternate actions section, select Join this device to Microsoft Entra ID.
- In the Work or school account field, enter your Netflix email address and follow the instructions to sign in.
- Verify the information and select Join.
- After joining, a screen will inform you that your device is being registered.
- After the device is registered, you’ll be notified that the registration was successful.
- Disregard the Switch Account guidance.
Windows 11
These instructions are applicable to Windows 11.
- Right-click Start (located on your taskbar) and select Settings or press and hold Windows and I on your keyboard.
- Select Accounts from the navigation pane. If the navigation pane is not visible, maximize the window.
- Select Access work or school.
- Select Connect.
- From the Alternate actions section, select Join this device to Microsoft Entra ID.
- In the Work or school account field, enter your Netflix email address and follow the instructions to sign in.
- Verify the information and select Join.
- After joining, a screen will inform you that your device is being registered.
- After the device is registered, you’ll be notified that the registration was successful.
- Disregard the Switch Account guidance.
ChromeOS
If you’re enrolling an existing Chromebook (instead of a new or replacement unit for the first time), then you may need to powerwash the Chromebook. Powerwashing resets the device to factory settings. Any files or folders not uploaded to Google Drive will be deleted.
- Switch on the device and select Get Started.
- Connect to a network. If the device is already enrolled, it will state: Chromebook managed by netflix.com.
- The next screen will ask “Who’s using this Chromebook?” Select You and select Next.
- At the sign-in screen, press and hold Ctrl, Alt, and E, or select More options, then select Enterprise enrollment.
- Sign in using your email address to enroll the device.
If the device has previously been deprovisioned, it may perform a factory reset during the enrollment process. Once the reset is completed, perform Steps 1 through 5 again to finish the enrollment process.
Support
If you don't have access to the Managed Software Center, contact #ntech-help to troubleshoot.
Agent-facing article
Endpoint Management FAQ for N-Tech
How do I enroll in endpoint management?
Utilize these user-facing Endpoint Management Self-Enrollment Steps.
What if there's a need to remove a device from endpoint management?
There will be certain use cases where a person won’t need their device enrolled in endpoint management, or where a user wants to opt out for testing, engineering, or security needs. These unique use cases should only be valid for a few people. Be sure to advise the user to reach out to #security-help to evaluate their business needs before setting any expectations. Simply wanting to opt out is not sufficient. Endpoint management is required for company devices.
If the device is owned by Netflix, and #security-help has given approval, contact #ncse-partners-collab on Slack. They can assist in removing the device from endpoint management.
How do I verify a device is already enrolled in endpoint management?
macOS
N-tech:
- Visit https://netflixstudios.jamfcloud.com/
- Select Computers.
- Search by serial number.
User:
- From the Apple menu, choose System Preferences or System Settings.
- Select Profiles.
- Ensure you have a profile named MDM Profile.
Note: If you don't see Profiles or MDM Profile, you aren't yet enrolled in endpoint management.
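A Terminal equivalent of the Profiles check, as an added example (not Netflix's or NCSE's own tooling): it classifies the text printed by the macOS command `profiles status -type enrollment`. The sample output and the host mdm.example.invalid are constructed, and the `MDM server:` line is assumed to be present, as on recent macOS releases.

```shell
#!/bin/sh
# Added example: classify MDM enrollment from `profiles status -type enrollment`.

# Constructed sample of the command's output (the host is a placeholder).
SAMPLE_APPROVED='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)
MDM server: https://mdm.example.invalid/mdm/ServerURL'

# Reads the command output on stdin and prints "<state> dep=<yes|no|unknown>".
# <state> is one of: enrolled-user-approved, enrolled-not-user-approved,
# not-enrolled, unknown (no "MDM enrollment:" line was found).
enrollment_state() {
  awk -F': *' '
    /^Enrolled via DEP:/ { dep = ($2 ~ /^Yes/) ? "yes" : "no" }
    /^MDM enrollment:/ {
      if ($2 ~ /^Yes/) {
        state = ($2 ~ /User Approved/) ? "enrolled-user-approved" : "enrolled-not-user-approved"
      } else {
        state = "not-enrolled"
      }
    }
    END {
      if (state == "") state = "unknown"
      if (dep == "") dep = "unknown"
      print state " dep=" dep
    }'
}

# Prints the host of the MDM server URL, or nothing when the line is absent.
# Assumption: the output carries an "MDM server: https://host/..." line.
mdm_server_host() {
  sed -n 's|^MDM server: *https\{0,1\}://\([^/:]*\).*|\1|p'
}

# On a Mac, classify the live output; elsewhere, use the constructed sample.
if command -v profiles >/dev/null 2>&1; then
  profiles status -type enrollment | enrollment_state
else
  printf '%s\n' "$SAMPLE_APPROVED" | enrollment_state
fi
```

A result of `not-enrolled` matches the case in the note above where no MDM Profile is listed. The `dep=` value shows whether the Mac was enrolled through automated provisioning or manually.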
Windows
N-tech:
- Visit https://endpoint.microsoft.com/
- Select Devices.
- Select Enroll devices.
- Select Device.
- Type the serial number of the device.
- Look for Enrollment State.
User:
- Go to Settings.
- Select Accounts.
- Verify that the Access Work or School section indicates that it's connected to Netflix.
How do I know if a machine is set up for auto-provisioning?
macOS
- Visit https://netflixstudios.jamfcloud.com/
- Select Computers.
- Select PreStage Enrollments.
- Select Corp Prestage.
- Select Scope.
- Type the serial number into the search bar.
- If the machine is enrolled and ready for provisioning, it should appear and say Assigned in the Device Assignment Status column.
Note: If you see a name in the Device column, the machine is most likely already assigned to another user who has gone through the provisioning process. You can verify by going back to the Computers section and searching for the serial number.
Windows
- Visit https://endpoint.microsoft.com/
- Navigate to the Devices page.
- In the By Platform section, select Windows.
- Type the serial number in the search box.
- Verify the device is present.
How do I troubleshoot endpoint management tools?
N-Tech Client Systems Engineering (NCSE) has comprehensive runbooks for support and troubleshooting of all endpoint management tooling. Reference the relevant manual for support.
What do I need to do when a managed machine is returned before re-purposing?
Refer to Unassign Users from Jamf and Intune.
What if the remote management appears to hang on macOS for more than five minutes?
Restart the Mac and let the Munki application pick up where it left off. Because the Stop button probably won’t work, and the Restart button is inaccessible in the background, a forced restart by holding the power button may be necessary.
What if I don't see the Managed Software Center installed?
The policies can take some time to install.
You can attempt to force it by running either of the following commands in Terminal:
- sudo jamf policy
- sudo jamf policy -event prestage
Note: The second command will rerun the Jamf pre-stage, so you’ll see the Munki bootstrap run as it does during the normal auto-provisioning process.
What if the macOS dock doesn't reconfigure after getting to the desktop?
- Restart the machine and see if the dock reconfigures after the reboot.
- If the reboot didn’t fix the dock, try running this command in Terminal to force it:
  - managed_python3 /Library/NCSE/scripts/dock-corp.py
- If all those steps fail, you can open Terminal and type:
  - sudo jamf policy -event prestage
Note: This command will essentially rerun the Jamf pre-stage, so you’ll see the Munki bootstrap run similar to the way it does during the normal auto-provisioning process.
What if the remote management screen doesn't display during provisioning?
If the machine isn’t set up for auto-provisioning, proceed with these steps:
- Proceed with the standard macOS account setup wizard and set up a local account.
  - Full name: Firstname Lastname
  - Account name: Use account alias (before @netflix).
  - Password: Set a local password of your choice.
- Follow the Help Center article for Self Enrollment.
What steps do I need to take before sending a computer to an E-Waste vendor?
Reference Remove Endpoint Management from Ex-Netflix Devices.
- When permanently decommissioning a Mac, N-Tech needs to release the device in Apple Business Manager (ABM).
- ABM accounts are limited, and not all N-Tech staff will have access.
- Released devices will never again be assignable in ABM, so triple-check the serial number before releasing devices.
- Contact your regional N-Tech ABM admin as per the article guidance if you need to remove a machine or group of machines.
If an admin isn’t available, contact the Netflix Client Systems Engineering team on Slack at #ncse-partners-collab.
Can we invoke a remote wipe or lock command on endpoint-managed devices?
NCSE has granted all AnimTech and N-Tech specialists elevated permissions to remotely lock or wipe devices. These permissions are provisioned automatically for FTEs and via a Google Group for contingent workers. Reference the NTE EM Tool Access memo for more information.
SEC-OPS handles MDM admin permission and access requests in the #security-help channel as needed.
Note: #ncse-partners-collab doesn’t support these requests but will remain available for urgent incidents and troubleshooting endpoint management tools and services as needed.
Mac Remote Wipe
Reference How To Wipe a Computer for the relevant instructions.
The Jamf 100 course is relevant to specialists with access to lock or wipe devices. If needed, review:
- Searching for mobile devices (iPads): Lesson 22: Simple Device Inventory Searches
- Mobile device MDM commands: Lesson 24: Device Inventory and Remote Commands
- Searching for computers (Macs): Lesson 29: Simple Computer Inventory Searches
- Computer MDM commands: Lesson 31: Computer Inventory and Remote Commands
Note: It’s essential to know how to search for the exact device you’re looking for. There are limitations on and conditions for remote wipe on Macs with Apple silicon compared to Macs with Intel chips and how remote wipe works when obliteration is applied:
Apple Platform Deployment: Erase Apple devices - Apple Support (IE)
Windows Remote Wipe
Intune Wipe action: Retire or wipe devices using Microsoft Intune
Note: There is no lock option for Intune.
Remote Lock a Device
Reference: Manage device auto-lock using Remy-D.
When and how do I escalate an issue?
Occasionally, other teams may need to be involved in troubleshooting and resolving issues, especially for systemic issues or issues affecting multiple devices.
N-Tech will usually escalate issues to the following teams for Endpoint Support:
- STS: For purchasing issues and overall vendor management
- NCSE: For the engineering behind most things in this process, including Apple Business Manager, Jamf, Munki, Chef, and scripts such as the dock customization
For Escalations to NCSE specifically:
- From #ntech-help, use !oncall NCSE to bring the on call into the thread.
- Post the message to the #ncse-partners-collab in Slack.
- Include as much detail as possible:
  - Level of urgency
  - How many people are impacted?
  - One or more Mac serial numbers in the impacted group
  - What troubleshooting steps you’ve already taken
  - Optional: screenshots, photos, and log output
- For urgent requests, reply to your thread with this bot command:
  - !page Urgent Mac provisioning issue.
  - This command will create a PagerDuty alert, after which you should get a response from the NCSE team ASAP.
- For non-urgent requests, NCSE’s business hours are 9 AM to 5 PM PST. They should reply within 60 minutes during these hours.
Note: Replies outside of business hours are typical but not guaranteed.