Apple User Enrollment

MDM supports Apple's User Enrollment (Account Driven User Enrollment) for personal devices (BYOD). When a device is enrolled via User Enrollment, a separate volume is created on the device for the corporate space. With this capability, admins can manage the corporate data on an employee's personal device without intruding on their privacy. Users can enroll their iPhones, iPads, and Macs using the Managed Apple ID provided by their organization. User Enrollment focuses on enhancing user privacy while still protecting enterprise security.

Prerequisites

Ensure that you meet the following prerequisites before enrolling devices via User Enrollment:

  1. iPhones/iPads must be running iOS/iPadOS 16.0 and above.
  2. Mac devices must be running macOS 14.0 and above.
  3. Managed Apple IDs should be created for your employees using your organization's Apple Business Manager account.
  4. Directory services should be configured for authenticating users during enrollment.

Service Discovery

Apple User Enrollment starts when a user enters their Managed Apple ID in the "Sign in with Work or School Account" widget, located in the Settings > VPN & Device Management section.

Once the user proceeds, the operating system extracts the domain from the Managed Apple ID. For example, if the Apple ID is example@zylker.com, the OS extracts "zylker.com" and issues an HTTPS GET request to the URL https://zylker.com/.well-known/com.apple.remotemanagement. The device expects a JSON response that identifies the MDM server. This process is known as Service Discovery.

For Service Discovery to succeed, customers must download the ServiceDiscovery JSON file from the MDM console and host it in the specified path for their respective domain. Below is an example of the ServiceDiscovery JSON file format:

Sample Format of ServiceDiscovery JSON File

    {
      "Servers": [
        {
          "Version": "mdm-byod",
          "BaseURL": "https://mdm.manageengine.com.au/mdm/client/v1/enroll?templateToken=1234&encapiKey=1234"
        }
      ]
    }

Note: "Servers" is an array of server objects, as required by Apple's format, and "BaseURL" represents the MDM Server URL.

Steps to Configure Service Discovery for Your Domain

  1. Navigate to Enrollment > Self Enrollment and enable the checkbox for Apple User Enrollment.
  2. Download the JSON file and host it in the following path:
    https://{domain}/.well-known/com.apple.remotemanagement
    For example, if the Managed Apple ID is mdm@zylker.com, the {domain} will be zylker.com.

    IT Admins are expected to be familiar with configuring a new URL. If the hosting service is managed by a third-party solution, please contact the respective solution provider for URL configuration assistance. For further help, reach out to ManageEngine Support. If your organization's domain is hosted on a Windows IIS Server, refer to our detailed guide on Configuring the URL on Windows IIS Server for step-by-step instructions.

    If your verified ABM domain (e.g., zylker.com) used for creating Managed Apple IDs is different from your organization's domain (e.g., www.zylker.com), you can set up an HTTP redirect. Refer to our Configure HTTP Redirect guide for detailed instructions.

    Note: For Service Discovery to succeed, the HTTP response for the service discovery URL must also meet the following conditions:
    1. HTTP Status Code: 200
    2. HTTP Response Headers:
        Content-Type: application/json
        Content-Length: {actual-length-of-contents-in-ServiceDiscoveryData.json}

  3. Add all domains where the JSON is hosted (from Step 2) under the section Specify the Managed Apple ID Domain Name. Then, click Save. MDM uses these domain names to run a verification that determines whether the Service Discovery process will pass or fail.
    Tick (✓): Confirms that the domain has been successfully verified and all configurations are accurate.
    Warning (⚠): Indicates that there may be issues with the implementation; detailed error information can be reviewed in the MDM console for further action.

Note: You can configure Apple User Enrollment for multiple verified ABM domains using the same ServiceDiscovery JSON file.

If all the above steps are successfully completed, your domain will be verified with ManageEngine MDM, and you can start using Managed Apple IDs with this domain for enrollment.
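The following script is an added example (not part of the ManageEngine MDM product or this guide) that checks a domain's Service Discovery endpoint the way the device does: it fetches https://{domain}/.well-known/com.apple.remotemanagement, following any HTTP redirect, and verifies the status code, Content-Type, Content-Length and the "Servers"/"Version"/"BaseURL" structure described in the sections above. The function and constant names are assumptions chosen for this example.

```python
import json
import urllib.error
import urllib.request
from urllib.parse import urlparse

# Path the device requests on the Managed Apple ID domain (from Apple's spec).
WELL_KNOWN_PATH = "/.well-known/com.apple.remotemanagement"


def validate_service_discovery(status, headers, body):
    """Return a list of problems; an empty list means the response is acceptable.
    status: HTTP status code; headers: dict of response headers; body: raw bytes."""
    problems = []
    hdr = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    if status != 200:
        problems.append(f"HTTP status is {status}, expected 200")
    ctype = hdr.get("content-type", "")
    if ctype.split(";")[0].strip().lower() != "application/json":
        problems.append(f"Content-Type is {ctype!r}, expected application/json")
    clen = hdr.get("content-length")
    if clen is None or not clen.isdigit() or int(clen) != len(body):
        problems.append(f"Content-Length is {clen!r}, but the body is {len(body)} bytes")
    try:
        doc = json.loads(body.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        problems.append(f"body is not valid JSON: {exc}")
        return problems
    servers = doc.get("Servers") if isinstance(doc, dict) else None
    if not isinstance(servers, list) or not servers:
        problems.append('"Servers" must be a non-empty array')
        return problems
    byod = [s for s in servers if isinstance(s, dict) and s.get("Version") == "mdm-byod"]
    if not byod:
        problems.append('no server entry with "Version": "mdm-byod"')
        return problems
    base = byod[0].get("BaseURL", "")
    url = urlparse(base)
    if url.scheme != "https" or not url.netloc:
        problems.append(f"BaseURL {base!r} must be an absolute https URL")
    return problems


def check_domain(domain, timeout=10):
    """Fetch the well-known URL for a Managed Apple ID domain and validate the response."""
    url = "https://" + domain + WELL_KNOWN_PATH
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:  # redirects are followed
            return validate_service_discovery(resp.status, dict(resp.headers), resp.read())
    except urllib.error.HTTPError as err:  # report non-2xx responses instead of crashing
        return validate_service_discovery(err.code, dict(err.headers), err.read())
```

Run `check_domain("zylker.com")` (substituting your own verified ABM domain); an empty list means the endpoint satisfies every condition listed above, otherwise each string describes one mismatch to fix.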

MDM Enrollment

Follow the steps below to enroll the device:

  • Navigate to Settings → VPN & Device Management → Sign in with Work or School Account.
  • Enter your Managed Apple ID and click Continue.
  • Since Service Discovery has been successfully configured, the OS will detect the MDM server and proceed with user authentication.

Note:
1. MDM redirects the users to the respective Identity Provider for authentication.
2. Admins can configure the authentication mode under Enrollment → Self Enrollment.
3. Apple User Enrollment will use the authentication method set for self-enrollment.

Once authentication is successful, the MDM profile will be downloaded, and the device will display the MDM details. When the user proceeds, the MDM profile will be installed successfully on the device.
