Account-Driven Device Enrollment
Account-Driven Device Enrollment (ADDE) is used for devices that are owned by the organization. It provides higher visibility and management of the device. It uses the user's Managed Apple ID, which is required and is associated with all enterprise apps and data on the device and in Ivanti EPMM.
To find devices registered through ADDE:
- In the Device Details page > Advanced search, select Account Driven Device Enrolled > Equals > true.
- Ensure the Exclude retired devices from search results check box is selected.
- Click Search.
Enabling devices to enroll in MDM Account-Driven Device Enrollment (ADDE)
Procedure
Once a device is enrolled, administrators can view its information in the Device Details page or search for it in Advanced Search.
- Enable Account Driven Device Enrollment on the Settings > iOS > MDM page.
- In the Admin Portal, go to Devices & Users > Users.
- Select the user's check box and then click Actions > Assign Roles.
  The Assign Roles dialog box opens.
- Select Allow Account Driven Apple Device Enrollment.
- Enter a valid Managed Apple ID that matches the host domain being used in step 2 of Required action by device users.
  For example, [email protected] is a valid Managed Apple ID for example.URL.ivanti.com, but Joe Smith cannot use [email protected] on the same Ivanti EPMM.
Required action by device users
When Allow Account Driven Apple Device Enrollment is used, device users must take the following actions.
Procedure for iOS
- On their iOS devices, device users navigate to Settings > General > VPN & Device Management > Sign In to Work or School Account.
- In the address field, device users enter “[username]@[Ivanti EPMM domain with subdomain]” and then tap Continue. For example, [email protected].
  The Ivanti login page displays. This login accepts either local or LDAP users, as in any other registration. It also supports PINs and passwords.
- Device users log in using a valid local or LDAP account that has Allow Account Driven Apple Device Enrollment enabled (see Enabling devices to enroll in MDM Account-Driven Device Enrollment).
- Device users enter the password and then tap Continue.
- Device users acknowledge the privacy policy screen and the Terms of Service screen (if the administrator has configured it to display).
- If enrollment is set to account-driven device enrollment, then a Remote Management screen appears that displays what an organization can see and do on that device.
- The iCloud for Work screen displays. This screen is presented by Apple, not Ivanti EPMM. Device users tap the Sign in to iCloud button.
- Device users enter the password for their Managed Apple ID. This is the Apple password, not an Ivanti EPMM password.
- Device users address the two-factor authentication screen.
- The Allow Remote Management page displays. Device users tap the Allow Remote Management button.
  Apple configures the device for Device Enrollment; this takes approximately 30-60 seconds to complete.
- The device Settings page displays. Device users will see their Managed Apple ID displayed under the local iCloud user in the top left corner of the Settings page. This indicates the device is fully registered with iReg.

WARNING: Before signing out of iCloud, Ivanti recommends saving app-based data that is stored on the device to a server. When a device user signs out of iCloud on the user-enrolled device, Apple removes the management and all data on the device is removed. To return to iCloud, device users will need to restart their device and then re-register using the steps above.
Procedure for macOS
- On their macOS devices, device users navigate to Settings > Privacy & Security > Profiles > Sign In to Work or School Account.
- In the email address field, device users enter “[username]@[Ivanti EPMM domain with subdomain]” and then tap Continue. For example, [email protected].
- Ivanti recommends that device users select Open Browser; the device user’s organization requires authentication using a web browser. The Ivanti login page displays. This login accepts either local or LDAP users, as in any other registration. It also supports PINs and passwords.
- Enter the username and password, and then tap Register.
- The Ivanti Your Privacy Matters page displays. Device users must acknowledge the Your Privacy Matters page (if the administrator has configured it to display).
- The iCloud for Work screen displays. This screen is presented by Apple, not Ivanti EPMM. Tap the Sign In button to continue with the iCloud account.
- Device users enter the password for their Managed Apple ID. This is the Apple password, not an Ivanti EPMM password. Then tap Next.
- Device users address the two-factor authentication screen. Enter the six-digit verification code, which will be sent to your registered mobile number (if two-factor authentication is enabled).
- The Allow Remote Management page displays. Tap the Allow button.
- The Profiles page displays. Enter your password to enroll in the remote management service.
  If the device user re-registers and the login fails, restart the device and then re-register.