Account-driven Apple User Enrollment
User Enrollment can be set up so the device users can self-enroll from the Settings page on their device (usually their personal iphone, iPad, or Mac device.) This feature uses the device user's managed Apple ID, making their devices managed. Account-driven Apple User Enrollment is good for when a device user logs in and out multiple times a day.
Account-driven User Enrollment is not supported in Ivanti EPMMs with SAML enabled for Apple Web-based Registration.
WARNING: Before signing out of iCloud, Ivanti recommends app-based data that is stored on the device to be saved to a server. App-based data in the user-enrolled iCloud account is stored in a separate partition. When signing out of iCloud on the user-enrolled device, Apple removes the management and all data on the device is removed. The device will still show as active on Ivanti EPMM until the administrator retires the device from the console. If the device user would like to sign back in using User Enrollment, device users will need to restart their devices and re-register, creating a new device record in Ivanti EPMM.
To find a managed Apple user-enrolled device:
-
In the Device Details page > Advanced search, select Apple User Enrolled Device > Equals > true.
-
Add a second search criteria: MDM Managed > Equals > false.
-
Make sure the Exclude retired devices from search results check box is selected.
-
Click Search.
If the device user re-registers and the login fails, restart the device and then re-register again.
Enabling device users to enroll in MDM User Enrollment directly
Procedure
Once enrolled, Admins can view information in the Apple User Enrolled Device field in the Device Details page - or search on it in Advanced Search.
-
In the Admin Portal, go to Devices & Users > Users.
-
Select user check box and then click Actions > Assign Roles.
The Assign Roles dialog box opens.
- Select Allow Account Driven Apple User Enrollment.
-
Enter a valid Managed Apple ID that matches the host domain being used in step 2 of Required action by device users.
For example, [email protected] is a valid Managed Apple ID for example.URL.ivanti.com, but Joe Smith cannot use [email protected] on the same Ivanti EPMM.
After configuring, there is Required action by device users.
Required action by device users
When using Allow Account Driven Apple User Enrollment, required action must be taken by device users.
Procedure for iOS
-
On their iOS devices, device users navigate to Settings > General > VPN & Device Management > Sign In to Work or School Account.On their Mac devices, device users navigate to Settings > Privacy & Security > Profiles > Sign In to Work or School Account.
-
In the email address field, device users enter “[anyusername]@[Ivanti EPMM domain with subdomain] and then tap Continue. For example, [email protected].
The Ivanti login page displays. This login accepts either local or LDAP users, as in any other registration. It also supports PINs and passwords.
- Device users login using a valid local or LDAP account that has Allow Account Driven Apple User Enrollment enabled (see Enabling device users to enroll in MDM User Enrollment directly.)
- Device user enters the password and then tap Continue.
-
Device user acknowledges the privacy policy screen and the Terms of Service screen (if the administrator has configured it to display.)
-
The iCloud for Work screen displays. This screen is presented by Apple, not Ivanti EPMM. Device users tap the Sign in to iCloud button.
-
Device users enter the password for their Managed Apple ID - this is the Apple password, not an Ivanti EPMM password.
-
Device users address the two-factor authentication screen.
-
The Allow Remote Management page displays. Device users tap the Allow Remote Management button.
Apple configures the device for User Enrollment; it will take approximately 30-60 seconds to complete.
-
The device Settings page displays. Device users will see their Managed Apple ID displayed under the local iCloud user in the top left corner of the Settings page. This indicates the device is fully registered with iReg.
WARNING: Before signing out of iCloud, Ivanti recommends app-based data that is stored on the device to be saved to a server. When signing out of the iCloud on the user-enrolled device, Apple removes the management and all data on the device is removed. To return to the iCloud, device users will need to restart their device and then re-register using the steps above.
Procedure for macOS
-
On their macOS devices, device users navigate to Settings > Privacy & Security > Profiles > Sign In to Work or School Account.
-
In the email address field, device users enter “[anyusername]@[Ivanti EPMM domain with subdomain] and then tap Continue. For example, [email protected]
-
Ivanti recommends device user to select Open Browser, device user’s organization requires authentication for using a web browser. The Ivanti login page displays. This login accepts either local or LDAP users, as in any other registration. It also supports PINs and passwords.
-
Enter the username and password, and then tap Register.
-
The Ivanti Your Privacy Matters page displays. Device users must acknowledge the Your Privacy Matters page (If the administrator has configured it to display).
-
The iCloud for Work screen displays. This screen is presented by Apple, not Ivanti EPMM. Tap the Sign In button to continue with iCloud account.
-
Device users enter the password for their Managed Apple ID - this is the Apple password, not an Ivanti EPMM password. Then tap Next.
-
Device users address the two-factor authentication screen. Enter the six-digit verification code, which will be sent to your registered mobile number (if two-factor authentication is enabled).
-
The Allow Remote Management page displays. Tap the Allow button.
-
The Profiles page displays. Enter your password to enroll you in the remote management service.