Apple User Enrollment
MDM extends Apple's User Enrollment (Account Driven User Enrollment) support to personal devices (BYOD). When a device is enrolled via User Enrollment, a separate volume is created on the device for the corporate space. With this capability, admins can manage the corporate data on an employee's personal device without invading their privacy. Users can enroll their iPhones, iPads and Macs using the Managed Apple ID provided by their organization. User Enrollment focuses on enhancing user privacy while protecting enterprise security.
Prerequisites
Ensure that you meet the following prerequisites before enrolling devices via User Enrollment:
- iPhones/iPads must be running iOS/iPadOS 16.0 and above.
- Mac devices must be running macOS 14.0 and above.
- Managed Apple IDs should be created for your employees using your organization's Apple Business Manager account.
- Directory services should be configured for authenticating users during enrollment.
Service Discovery
Apple User Enrollment starts when a user enters their Managed Apple ID in the "Sign in with Work or School Account" widget, located in the Settings > VPN & Device Management section.
Once the user proceeds, the operating system extracts the domain from the Managed Apple ID. For example, if the Apple ID is example@zylker.com, the OS extracts "zylker.com" and initiates an HTTP call to the URL: https://zylker.com/.well-known/com.apple.remotemanagement. The device expects a JSON response to identify the MDM server. This process is known as Service Discovery.
For Service Discovery to succeed, customers must download the ServiceDiscovery JSON file from the MDM console and host it in the specified path for their respective domain. Below is an example of the ServiceDiscovery JSON file format:
Sample Format of ServiceDiscovery JSON File
{
"Servers": [
{
"Version": "mdm-byod",
"BaseURL": "https://mdm.manageengine.in/mdm/client/v1/enroll?templateToken=1234&encapiKey=1234"
}
]
}
Note: "BaseURL" represents the MDM server URL.
Steps to Configure Service Discovery for Your Domain
- Navigate to Enrollment > Self Enrollment and enable the checkbox for Apple User Enrollment.
- Download the JSON file and host it in the following path:
https://{domain}/.well-known/com.apple.remotemanagement
For example, if the Managed Apple ID is mdm@zylker.com, the {domain} will be zylker.com. IT admins are expected to be familiar with configuring a new URL. If the hosting service is managed by a third-party solution, contact the respective solution provider for URL configuration assistance. For further help, reach out to ManageEngine Support. If your organization's domain is hosted on a Windows IIS Server, refer to our detailed guide on Configuring the URL on Windows IIS Server for step-by-step instructions.
If your verified ABM domain (e.g., zylker.com) used for creating Managed Apple IDs is different from your organization's domain (e.g., www.zylker.com), you can set up an HTTP redirect. Refer to our Configure HTTP Redirect guide for detailed instructions.
Note: For Service Discovery to succeed, the HTTP response for the service discovery URL must also meet the following conditions:
1. HTTP Status Code: 200
2. HTTP Response Headers:
Content-Type: application/json
Content-Length: {actual-length-of-contents-in-ServiceDiscoveryData.json}
For example, checking the URL with curl (following redirects) should produce a response like this:
curl -i -L https://zylker.com/.well-known/com.apple.remotemanagement
HTTP/2 200
content-type: application/json
content-length: 132
{
"Servers": [
{
"Version": "mdm-byod",
"BaseURL": "https://mdm.manageengine.in/mdm/client/v1/enroll?templateToken=1234&encapiKey=1234"
}
]
}
- Add all domains where the JSON is hosted (from Step 2) under the section Specify the Managed Apple ID Domain Name. Then, click Save. MDM uses these domain names to run a verification that determines whether the Service Discovery process will pass or fail.
Tick (✓): Confirms that the domain has been successfully verified and all configurations are accurate.
Warning (⚠): Indicates that there may be issues with the implementation, and detailed error information can be reviewed in the MDM console for further action.
Note: You can configure Apple User Enrollment for multiple verified ABM domains using the same ServiceDiscovery JSON file.
If all the above steps are successfully completed, your domain will be verified with ManageEngine MDM, and you can start using Managed Apple IDs with this domain for enrollment.
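The following script is an added example (not ManageEngine's own verification code) that reproduces the Service Discovery checks described above: it derives the .well-known URL from a Managed Apple ID, then validates a response against the conditions listed (status 200, Content-Type application/json, a Content-Length that matches the body, a Servers array with Version "mdm-byod", and an exact match with the JSON downloaded from the console). The sample response and the BaseURL token values in it are constructed placeholders.

```python
import json
import urllib.request

WELL_KNOWN = "/.well-known/com.apple.remotemanagement"


def discovery_url(managed_apple_id):
    """Build the URL the OS queries: the domain part of the Managed Apple ID."""
    domain = managed_apple_id.rsplit("@", 1)[1].strip().lower()
    return "https://" + domain + WELL_KNOWN


def check_response(status, headers, body, expected=None):
    """Return a list of problems; an empty list means the response passes every check."""
    problems = []
    if status != 200:
        problems.append("HTTP status %d, expected 200" % status)
    h = {k.lower(): v for k, v in headers.items()}
    ctype = h.get("content-type", "").split(";")[0].strip().lower()
    if ctype != "application/json":
        problems.append("Content-Type %r, expected 'application/json'" % ctype)
    if h.get("content-length") != str(len(body)):
        problems.append("Content-Length %r does not match body length %d" % (h.get("content-length"), len(body)))
    try:
        data = json.loads(body)
    except ValueError:
        problems.append("body is not valid JSON")
        return problems
    servers = data.get("Servers") if isinstance(data, dict) else None
    if not servers:
        problems.append("JSON has no 'Servers' array")
        return problems
    for s in servers:
        if not isinstance(s, dict) or s.get("Version") != "mdm-byod":
            problems.append("Version must be 'mdm-byod'")
        elif not str(s.get("BaseURL", "")).startswith("https://"):
            problems.append("BaseURL must be an https URL")
    if expected is not None and data != expected:
        problems.append("hosted JSON does not match the file downloaded from the MDM console")
    return problems


def fetch_and_check(managed_apple_id, expected=None):
    """Live check: urlopen follows redirects, like 'curl -L' above."""
    with urllib.request.urlopen(discovery_url(managed_apple_id)) as r:
        body = r.read()
        return check_response(r.status, dict(r.headers), body, expected)


# Constructed sample response (placeholder token values, not a real tenant).
SAMPLE_BODY = json.dumps({"Servers": [{"Version": "mdm-byod",
    "BaseURL": "https://mdm.example.invalid/mdm/client/v1/enroll?templateToken=TOKEN&encapiKey=KEY"}]}).encode()
SAMPLE_HEADERS = {"Content-Type": "application/json", "Content-Length": str(len(SAMPLE_BODY))}
SAMPLE_EXPECTED = json.loads(SAMPLE_BODY)
```

Run fetch_and_check("user@yourdomain", expected_json) against your own domain once the file is hosted; any non-empty result corresponds to one of the troubleshooting errors listed later on this page.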
MDM Enrollment
Follow the steps below to enroll the device:
- Navigate to Settings → VPN & Device Management → Sign in with Work or School Account.
- Enter your Managed Apple ID and click Continue.
- Since Service Discovery has been successfully configured, the OS will detect the MDM server and proceed with user authentication.
Note:
1. MDM redirects the users to the respective Identity Provider for authentication.
2. Admins can configure the authentication mode under Enrollment → Self Enrollment.
3. Apple User Enrollment will use the authentication method set for self-enrollment.
Once authentication is successful, the MDM profile will be downloaded, and the device will display the MDM details. When the user proceeds, the MDM profile will be installed successfully on the device.
Troubleshooting tips
The following errors may occur during enrollment. To resolve them, refer to the steps below.
- The Host is not reachable
Ping the domain and verify that https://{domain}/.well-known/com.apple.remotemanagement is accessible from the machine where the MDM server is hosted, and also check that this domain is permitted to be queried through the proxy server.
- JSON file mismatch
The hosted JSON file should match with the downloaded file. Verify the downloaded JSON file and try again.
- The content type of response should be in the format 'application/json'
The service discovery URL must be served with the Content-Type header 'application/json'. Reconfigure the web server so the file is served with this content type and try again.
- The HTTP response status code should be '200'
The service discovery URL must return HTTP status 200; any other status (for example a redirect that is not followed or a 404) fails the check. Correct the hosting configuration and try again.
- Error occurred while authenticating users
While authenticating, the users should enter the same Directory credentials associated with the Managed Apple ID provided by their organization.
- Internal server error occurred
Contact mdm-support@manageengine.com
If you are still unable to fix the errors even after following the solution we provided, you can contact support for additional help.