With macOS, administrators can deliver an MDM configuration profile that changes settings for a single user or for the whole device. This article covers what to consider when using the user channel for settings management in macOS, as well as the payloads that support user channel deployment.
User Channel Considerations - Managed Users
The first user created on the device (or the user logged in during enrollment) generates a unique token that allows communication over the user channel. Addigy receives this token and stores it so that configuration profiles can be delivered to that specific user. Note that this token must be generated for the user and uploaded to Addigy in order for the account to work properly during deployment.
For devices that are bound to a directory service, like Active Directory, all network and mobile users are enabled for user channel configuration profile deployment.
For devices that are running macOS 10.12 or newer and are not bound to a directory service, only one managed user can have this user-based token. Changing which account has the user channel enabled disables it for the previously working user account. Changing which user has this token requires removing and reinstalling the MDM profile on the device.
Profile Payloads Supporting User-Based Deployment
For the most up-to-date information on these and other configuration profile payloads, Apple has documented each settings payload here. Search for the payload, such as SCEP, and check the "Profile Availability" section of its page to see whether it can be deployed via the user channel.
Deploying User Channel MDM Profiles to Devices
For steps on how to deploy an eligible MDM profile via the user channel, please refer to our other article: How to Deploy User Channel MDM Profiles on an Individual device