Enroll Apple devices

Enrolling devices is the first stage in managing a mobile device and here you can know the various steps involved in enrolling Apple devices. Before enrolling any Apple device, it is mandatory you upload an APNs certificate in MDM as explained here.

Pre-requisites

• The most basic step for enrolling Apple devices is to create an APNs certificate and upload it in MDM.
• The following URLs, api.push.apple.com:443 should be allowed for the Endpoint Central Server to contact Apple Push Notification Services(APNs).
• Port 5223 must be open if the managed devices access Internet via Wi-Fi. For better security, you can restrict these connections on the IP range 17.0.0.0/8. If all the managed devices have access to cellular data network, then this is not required.

Types of Enrollment

Endpoint Central offers the following types of Enrollment methods:

User Enrollment:

• Through User Invites
• Self Enrollment
• Bulk Enrollment

Admin Enrollment:

• Apple Business Manager(ABM)[previously known as DEP]
• Apple Configurator

The major advantage of using Admin enrollment methods, is that users cannot revoke management from the device end whereas that is not the case when enrolled using user enrollment methods. Hence it is recommended to utilize Admin enrollment methods like ABM to exercise full control over the devices besides the benefits offered by the traditional methods. These benefits include:

• Mandatory management
• Bulk device enrollment
• Automated out-of-the-box management with zero user intervention
• One time setup
• Supervision of devices

Supervising the devices offer added advantages such as full control over policies and configurations, silent app installation without user intervention, Kiosk support, etc. Considering the devices to be enrolled are already in use, the devices are reset during enrollment. In case you do not prefer the devices being reset, you can either:

• Follow the workaround offered by MDM by using a temporary device to enroll and supervise devices without data loss, or
• Enroll the devices using Invites / Self Enrollment methods.

Admin enrollment methods can be preferred if the devices to be enrolled are corporate owned devices whereas the latter can be settled on in case the devices are employee owned. If the devices to be managed are corporate owned, it is certain that complete device management is preferred. In case of employee owned devices, it is adequate to manage just the workspace. To learn the differences between complete device management and container management, click here.

Enrolling devices

Follow the steps mentioned below to enroll both Mac and iOS devices.

In case you want to seamlessly enroll Apple devices in bulk, you can enroll using DEP and Apple Configurator.

1. On the web console, navigate to Enrollment.
2. Click Enroll Device and select Apple. From here, you have an option to choose between iOS and Mac.
3. If you wish to complete the enrollment without any user intervention, select By Myself. This displays the OTP on the next screen.
4. If the enrollment is to be completed by the user, select Through User Invites.
5. User Name- Enter the user name of the device that needs to be enrolled.
6. Email address/ Mobile number- It is mandatory to enter the email address and/or mobile number of the user who receives the enrollment request.
7. Owned By- Owner of the device either Corporate or Personal
8. Assign to Group- Specify the group to which the device should be added. If you select an existing group from the drop down, then the newly added device automatically gets all the apps and profiles which were already distributed to the group. By doing so you can automate the process of imposing the minimum required restrictions and apps to all the newly added devices. If you add a new group name, then a new group is created and the device is added to it.
9. Click Send Enrollment Invite or Next to continue with device enrollment.

Ensure that you configure your Proxy settings, and the mail server settings, so that you the user can receive the email with the OTP. (This is not applicable for Endpoint Central Cloud)

In case of Endpoint Central Cloud, users will be sent 2 mails, one for account creation with MDM (joining the organization) and the second with the enrollment invitation.

After enrollment users receive an email with the enrollment instructions and the link to enroll the devices. Based on the authentication policy defined for enrollment, users receive the OTP. Users need to manually install the MDM Profile by clicking on the enrollment request. All enrolled devices are listed in the Devices Tab in the Endpoint Central console under Groups and Devices.

Enroll additional devices for same user

You can enroll multiple devices for the same user. In case a user has more than one mobile device that needs to be managed, you can enroll those devices by following the steps mentioned below;

1. On the web console, navigate to Enrollment
2. Under Devices choose the User Name to whom you wanted to enroll the additional device
3. Under Actions click Enroll Additional Device option.
4. Specify the Platform as iOS or Android or Windows
5. Specify the Owned By type as Corporate or Personal and click Enroll

The mail to enroll additional device would be sent to the specified user.

SMS Enrollment

The admin can choose to either send out an SMS along with the email or just an SMS to users to enroll their devices.

Endpoint Central provides organization free SMS credits to enroll devices. An organization get 20% extra credits on the number of licensed mobile devices. For Example: An organization with 100 devices will have 120 free SMS credits.

Following are a few points to be kept in mind while using SMS enrollment:

1. Endpoint Central integrates with Clickatel and BulkSMS to send out SMS to the users.
2. Since bulk SMS providers are used, a user might not receive the SMS if they have enabled 'Do not Disturb' for their mobile numbers.
3. The sender ID differs from country to country and carrier to carrier and hence it is recommended to inform the users that they will be receiving an enrollment SMS to ensure that these SMS are not treated as spam. The sender name varies since some countries block SMS sent from foreign numbers.

Bulk Enrollment

This option facilitates you to enroll many devices at a same time. You can simply create a csv file with the User Name, Domain Name, Email, Platform and Owned by details and upload the same. Multiple entries should be in separate lines. Refer the below mentioned csv file for example,

Sample CSV Format

USER_NAME,DOMAIN_NAME,EMAIL_ADDRESS,PLATFORM_TYPE,OWNED_BY,GROUP_NAME,UDID
ANDREW,,andrew@mobiledevicemanagerplus.com,iOS,Personal,IOS_Group,00f0ba8f7a6c41cca9cc5fd6b7ee666b

Note :
1. The CSV file should contain the following fields: User Name, Domain Name, Email Address, Platform Type, Owned By, Group Name and UDID.
2. UDID is applicable only for iOS devices
3. The fields User Name, Email Address and Platform Type are mandatory. All the other fields are optional. If not provided, default values are taken.
4. The default values for various non-mandatory fields are:
   Domain Name -- MDM
   Owned By -- Corporate
   Group Name -- Default Group for given Owned By & Platform Type.
5. The first line of the CSV is the column header and the columns can be in any order.
6. Blank column values should be comma separated.
7. If the column value contains comma, it should be specified within quotes.

Follow the steps mentioned below, to enroll devices through Bulk Enrollment.

1. On the web console, navigate to
2. Click  Bulk Enrollment . A window opens, click Browse to upload the created CSV file and Import the same.

Enrollment mail is sent to all the users listed in the csv file.

Enrollment process on Apple devices

The users, upon receiving the enrollment requests, can enroll their device as given below. The steps differ for devices running iOS 12 and above versions.

Follow the steps given below to enroll devices below iOS 12.0 and later versions.

1. Users should note down the OTP. OTP is case sensitive.
2. Clicking the link in the email opens a window and prompt for the OTP
3. User should specify the OTP received in the email and click Continue. After validating the OTP, a confirmation screen appears. Click Continue.
4. Click Install to install the profile
5. The profile is installed.
6. Click Done to view the enrollment status

The device enrollment process has been successfully completed and the device is listed in Endpoint Central.

Follow the steps given below to enroll devices running iOS 12.0 and later verisons.

1. Click on the invitation link in the e-mail and specify the OTP received.
2. This validates the invitation and ask to Continue the enrollment process.
3. You are notified that MDM is trying to download and install a profile on the device. Click on Continue to download the profile.
4. You then have to manually install the profile by navigating to Settings -> General -> Profile-> MDM Profile and click on Install.
5. This completes the enrollment process on the device.

Once the device enrollment is completed, the device is be scanned and the users receive an App Catalog and MDM Profile . All the Apps that are distributed by Endpoint Central are listed in the App Catalog. Users can choose the App and install them by clicking on it. Incase of App store App, by clicking on the App users are prompted to enter their Apple ID and password and the App is downloaded from the App store. MDM Profile is the profile used by Endpoint Central to manage the mobile device, if the user removes the MDM Profile, then all the Apps that has been installed through Endpoint Central and the policies applied are reverted.

Distributing ME MDM app to enrolled devices

When ME MDM App is installed on the device, you get advanced control over the device. Using ME MDM App helps administrators to identify Jail broken devices and also helps in location tracking. You can view where the device is geographically located by using this App. This App can be distributed to all the managed devices by following the steps mentioned below:

1. Click Enrollment.
2. Under iOS select ME MDM App.
3. Enable the check boxto automate the distribution of ME MDM app to all the managed Apple devices.

You have successfully distributed Apps to groups. The distributed Apps are listed in the App Catalog of the user's mobile device. Users can click on it and install the App. If this App is installed on a device running iOS 7 or later versions, then the app is automatically fetch Server Name, Port number and Enrollment ID. On the devices running iOS versions lower than 7.0, users should provide the Server Name, Port number and Enrollment ID which was sent to them via email. After installing the ME MDM app, you can see that the App Catalog is moved inside the app automatically. You can track the geographic location of the device by configuring location tracking.

Removing an enrolled device

1. On the web console, navigate to Enrollment.
2. Click on Enrollment tab.
3. Click Search button and search for the device by using its known properties( user name, device name etc).
4. Click on Action button and select Remove Device.
5. In the confirm box that appears, click OK.

Removing the device removes all profiles and apps associated with the device. ME MDM app is also removed if installed through Endpoint Central.

Troubleshooting Tips

1. Users are unable to access the URL sent via e-mail
   1. Endpoint Central server is not running or not accessible by the users.
   2. Check if the firewall running in Endpoint Central Server is blocking the communication (at port 9020/9383).

      If you are using Endpoint Central as a plug in to Endpoint Central, then you can open the ports 8020/8383 for the communication.

   3. If the users are outside LAN, they should be able to reach the Endpoint Central Server via public IP. Check whether the NAT Settings is configured in Endpoint Central Server.
2. Users have installed the profile, but their devices are not listed in the Endpoint Central Server
   1. The device is not able to reach APNs. Check whether your Wi-Fi allows communication at port 5223.
   2. If WiFi is disabled on the device, it should have access to Cellular Data network.
3. A "not verified" message is shown when the profile is to be installed in the device.

This message is displayed if a SSL certificate is not uploaded on the server. If this has no effect on the enrollment or the device security, you can ignore the message and continue with the enrollment process.

1. A "This connection is not private" warning is displayed when the enrollment URL is accessed using Safari .

This message is displayed if a SSL certificate is not uploaded on the server. This has no effect on the enrollment or the device security. You must click on Show details and select visit this website to access the enrollment request.