
Lights Out Management device management payload settings for Apple devices
You can configure Lights Out Management settings to remotely start, shut down, and restart the following Mac computers after they’re enrolled in a device management service:
Mac Studio (2025)
Mac mini (2024) with a 10Gb Ethernet card
Mac mini (2023) with a 10Gb Ethernet card
Mac Pro (2023)
Mac Pro (Rack, 2023)
Mac Studio (2023)
Mac Studio (2022)
Mac mini (2020) with a 10Gb Ethernet card
Mac Pro (2019)
Mac Pro (Rack, 2019)
The Lights Out Management command is sent from a device management service to the Mac (acting as the Controller). The Mac acting as a Controller in turn sends the command to another configured Mac (acting as the Device), as specified in the payload, using a secured and proprietary protocol. All Mac computers acting as Controllers or Devices:
Need to have macOS 11 or later
Need to be on the same local subnet and use Ethernet (communication is over IPv6)
Need to have the CA Certificate Trusts for a Device (if configured as a Controller)
Need to have the CA Certificate Trusts for a Controller (if configured as a Device)
Need to be enrolled in the same device management service
Need to have the Lights Out Management payload installed
Don’t require a static IP address for communication
Communication between the device management service and the Controller uses Apple Push Notification service (APNs). Communication between the Controller and the Device computers uses TCP/IP (IPv6) and TLS, which is encrypted using the certificates supplied by the Lights Out Management payloads on each device and evaluated using a proprietary protocol and mTLS.
Certificates
Certificates configured on Controllers or Devices for LOM communication can be included as PKCS #12 or issued using an SCEP payload. Each needs to include the following certificate-specific configurations:
x509 Key Usage: Digital Signature, Key Encipherment and Data Encipherment
x509 Extended Key Usage: Server Authentication, Client Authentication
x509 Subject CN
x509 SubjectAltName, dNSName
If a Mac supports Lights Out Management, it can be both a Controller and a Device. You configure it by including the UUID of the device certificate payload for both the ControllerCertificateUUID and DeviceCertificateUUID keys within the com.apple.lom payload.
The Lights Out Management payload supports the following. For more information, see Payload information.
Supported installation method: Requires a device management service to install.
Supported payload identifier: com.apple.lom
Supported operating systems and channels: macOS device.
Supported enrollment methods: Device Enrollment, Automated Device Enrollment.
Duplicates allowed: False—only one Lights Out Management payload can be delivered to a device.
You can use the settings in the table below with the Lights Out Management payload.
Setting | Description | Required
---|---|---
| Configures a device for LOM. | Yes
Controller certificate | The certificate for the LOM controller. | If the Mac is being used as a Controller.
Device certificate | The certificate for the LOM device. | If the Mac is being used as a Device.
Controller CA certificate | The CA certificate for the controller. | If the Mac is being used as a Device.
Device CA certificate | The CA certificate for the device. | If the Mac is being used as a Controller.
Note: Each device management service developer implements these settings differently. To learn how various Lights Out Management settings are applied to your devices, consult your developer’s device management service documentation.
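The role requirements in the table and the single-payload rule can be checked before a profile is deployed. The following is an added example, not Apple's code: a pre-deployment lint that parses a configuration profile and reports LOM payload problems. The CA key names (`ControllerCACertificateUUIDs`, `DeviceCACertificateUUIDs`), the certificate payload types, and the requirement that referenced payloads sit in the same profile are assumptions not stated on this page; the sample profile and its UUIDs are constructed.

```python
import plistlib

LOM = "com.apple.lom"
# Assumed payload types for identities and CA certificates (not listed on this page).
IDENTITY = {"com.apple.security.pkcs12", "com.apple.security.scep"}
CA = {"com.apple.security.root", "com.apple.security.pkcs1"}

def check_lom_profile(profile_bytes):
    """Return a list of problems with the LOM payload in a configuration profile."""
    payloads = plistlib.loads(profile_bytes).get("PayloadContent", [])
    types = {p.get("PayloadUUID"): p.get("PayloadType") for p in payloads}
    lom = [p for p in payloads if p.get("PayloadType") == LOM]
    if len(lom) != 1:  # duplicates are not allowed for this payload
        return [f"expected exactly one {LOM} payload, found {len(lom)}"]
    problems = []

    def refs(key, allowed):
        # True if the key is set; records any UUID that does not resolve
        # to a payload of an allowed type in this same profile.
        value = lom[0].get(key) or []
        uuids = value if isinstance(value, list) else [value]
        for u in uuids:
            if types.get(u) not in allowed:
                problems.append(f"{key}: {u} does not resolve to a certificate payload")
        return bool(uuids)

    controller = refs("ControllerCertificateUUID", IDENTITY)
    device = refs("DeviceCertificateUUID", IDENTITY)
    # CA key names below are assumed; this page names only the two keys above.
    device_ca = refs("DeviceCACertificateUUIDs", CA)
    controller_ca = refs("ControllerCACertificateUUIDs", CA)
    if not (controller or device):
        problems.append("neither a Controller nor a Device certificate is set")
    if controller and not device_ca:
        problems.append("Controller role requires a Device CA certificate")
    if device and not controller_ca:
        problems.append("Device role requires a Controller CA certificate")
    return problems

def sample_profile(with_controller_ca=True, identity_uuid="ID-1"):
    """Constructed profile: one Mac acting as both Controller and Device."""
    lom = {"PayloadType": LOM, "PayloadUUID": "LOM-1",
           "ControllerCertificateUUID": "ID-1", "DeviceCertificateUUID": "ID-1",
           "DeviceCACertificateUUIDs": ["CA-1"]}
    if with_controller_ca:
        lom["ControllerCACertificateUUIDs"] = ["CA-1"]
    content = [lom, {"PayloadType": "com.apple.security.pkcs12", "PayloadUUID": identity_uuid},
               {"PayloadType": "com.apple.security.root", "PayloadUUID": "CA-1"}]
    return plistlib.dumps({"PayloadType": "Configuration", "PayloadContent": content})
```

Calling `check_lom_profile(sample_profile(with_controller_ca=False))` reports the missing Controller CA for the Device role, the kind of omission that would otherwise surface only when the mTLS handshake between the two Macs fails.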