Adding a custom Automated Device Enrollment web page
Applicable to: iOS 13.0 and macOS 10.15 or supported newer versions.
When using LDAP for registration, the device user needs to be authorized in Ivanti EPMM or be bulk enrolled. Device users that are not in Ivanti EPMM will not be recognized and registration will fail.
- In the Admin Portal, go to Devices & Users > Apple Device Enrollment.
- Find and select the name of the server you created on the Apple site.
- Select Actions > Add Enrollment Profile.
- In the Custom Enrollment URL field, enter the URL, such as https://mycustomweburl.com. This URL defines the value of the custom URL to present to the user in a web view loaded during the initial setup of a new Device Enrollment device or an erased device. Use this field to define your own authentication UI with authentication method. After the user is authenticated, the MDM enrollment profile is downloaded.
Workflow of the custom Automated Device Enrollment web page
This section elaborates the behavior of the custom Automated Device Enrollment web page and the procedure to create the custom web page (web view).
When the custom web page specified in the Custom Enrollment URL field loads initially:
- The configuration web URL has an HTTPS scheme and is a POST request. The web page should use a publicly trusted certificate.
- A custom header x-apple-aspen-deviceinfo is appended to the POST request by the Apple device on which enrollment is initiated. It contains a base64 encoding of a CMS (Cryptographic Message Syntax) envelope that contains a plist with device attributes. This is the same information, in the same format, as provided in the initial GET request with token-based device enrollments.
When the custom web page loads subsequently:
- The device user interacts with the web page (web view) until the administrator's host server provides a custom.mobileconfig file to the client. The Ivanti EPMM server returns byte code of the MDM profile. In the administrator's host server, the custom.mobileconfig file should be set with a MIME type of application/x-apple-aspen-config so that the MDM profile for the device is downloaded and installed on the device.
- To get the MDM profile for that device and its related user, the administrator's host web server should make a POST request to the Ivanti EPMM server URL. It should contain basic authentication using a Ivanti EPMM user ID with administrator rights. For example, https://IvantiEPMMDomain.com/api/v2/external/mdm/config/DEPMDMProfile). With parameters as principal, and deviceInfo as the header, where:
- deviceInfo is the "x-apple-aspen-deviceinfo" data Apple sent
- principal is the Ivanti EPMM user to associate to the Device Enrollment profile's device
If the principal user does not exist, the Device Enrollment profile must allow the anonymous authentication type in order to associate the device to an anonymous user. If the Anonymous Authentication type is not set, the POST call will fail. To set the anonymous authentication, select "Anonymous" in the Authentication Type field in the Device Enrollment profile.
- Here are the additional details:
- When a device hits the custom web URL configured in the Device Enrollment profile, administrator's host web server should capture the header "x-apple-aspen-deviceinfo" presented by the device. Between the initial POST with the x-apple-aspen-deviceinfo and the return response with the x-apple-aspen-config, the third party host has control. After the return response, Apple gets control back. The reason for this is the response has to come from the third party host due to the SSL certificate negotiations, as Apple will only trust the response from the third party host.
- After the administrator's host web server receives the byte code, the third party host should respond by setting response headers, Content-Disposition = attachment;filename="custom.mobileconfig" and Content-Type = application/x-apple-aspen-config.
- The web view closes and the OS attempts to install the profile, which must be an MDM enrollment profile.
Ivanti EPMM does not authenticate the user ID for which the MDM profile is returned. Therefore, administrators should perform the necessary authentication for the user ID before requesting for the MDM profile.
For iOS, this workflow is supported during initial setup of an erased device. For macOS, this workflow is supported both within Setup Assistant and also via the Profiles preference pane, if Automated Device Enrollment was skipped during Setup Assistant.
For developer information related to creating a custom web page, see the following Apple documentation references:
Authenticating Through Web Views
Sample code to implement a simple iPad web browser that can view either the desktop or mobile version of a website