Connecting Core to Apple School Manager

Add your Apple School Manager account to Core on the Apple Device Enrollment page.

NOTE: You can use a previously created Apple Device Enrollment account for use with Apple Education, regardless of whether that Device Enrollment account was originally associated with Apple School Manager. Whatever Apple Device Enrollment account you use must be associated with Apple School Manager so that it successfully retrieves Apple School Manager data. You can associate an Apple Device Enrollment account when you contact Apple to create your Apple School Manager account.

Before you begin 

Procedure 

  1. Log in to your Apple School Manager account.
  2. Navigate to the MDM Servers page on the Apple School Manager portal.
  3. Click the Add MDM Server link on the lower right.
  4. In the dialog box that opens, enter a name for your MobileIron Core server.
  5. Switch to another browser window, and open the MobileIron Core Admin Portal.
  6. In the Core Admin Portal, select Devices & Users > Apple Device Enrollment.
  7. Click Add+.
  8. In the Add Account window, click Download Certificate.

    A .CRT file is downloaded to the file system.

  9. Switch back to the Apple School Manager portal.
  10. Under Upload Your Public Key, click Upload File, and browse for the .CRT file you downloaded from Core.
  11. Click Save MDM Server.
  12. The Apple School Manager portal prompts you to download a server token file. Download the server token file.
  13. In MobileIron Core, Devices & Users > Apple Device Enrollment dialog box, click Browse next to the ServerToken field.
  14. Select the .P7M file you downloaded from the Apple School Manager portal.
  15. Click Open.
  16. Click Save.

    Core displays a summary of the MDM server you added.

Creating Enrollment Profiles for Apple School Manager

Apple Device Enrollment profiles allow you to apply a set of mobile device management (MDM) features to the devices assigned to a given Apple deployment program account. There is no limit to the number of Device Enrollment profiles; however, you can assign only one default enrollment profile per Apple School Manager account.

NOTE: "Apple deployment program" means either Apple Business Manager or Apple School Manager.

The Apple Device Enrollment profile allows you to specify:

  • Account details, such as the department of the organization to which the Apple deployment program account is assigned, and the phone number device users may call for support
  • The default profile, indicating whether the enrollment profile is automatically assigned to all devices in the Apple deployment program account
  • MDM features, such as enabling supervision, requiring MDM enrollment, shared iPad, and allowing devices to pair with a host
  • Setup options, such as whether device users are permitted to skip screens in the Setup Assistant
  • Certificates, such as anchor certificates (from which the chain of trust is derived) and pairing certificates (allowing the bearer of the certificate to pair with the device)
  • Enrollment options, such as whether to use anonymous, PIN-based enrollment
NOTE: For tvOS, the Apple device enrollment profile is not downloaded until after Wi-Fi is configured. It is advised that you use Ethernet for tvOS device enrollment.

Procedure 

  1. In the Admin Portal, go to Devices & Users > Apple Device Enrollment.
  2. Select an Apple deployment program account, and then go to Actions > Add Enrollment Profile.
    The Add Enrollment Profile dialog box opens.
  3. Create or edit an enrollment profile.
  4. Click Save.
    If you have assigned the enrollment profile as the default for devices in your Apple deployment program account, the enrollment profile is tagged with a purple icon that reads Default.

Apple device enrollment profile settings

The following table describes the Apple device enrollment profile settings.

Table 1. Device enrollment profile

Item

Description

Profile Name

Enter a name for the device enrollment profile. Required.

Description

Enter a description of the device enrollment profile.

Department

Enter the name of the department associated with the account. Required.

Support Phone Number

Enter the support phone number for the Apple deployment program account. Required.

Default Enrollment Profile

Select to have all devices added to this account be automatically assigned to the default profile.

NOTE: If you change the default profile for your Device Enrollment account, existing devices are not affected. This means devices that were previously assigned to the old default enrollment profile continue to be assigned to the old default enrollment profile.

Authentication Type

Password

Select to enable enrollment with a username and password. Device users enter their username and password when prompted.

PIN

Select to enable PIN-based enrollment. MobileIron Core will prompt the device user to enter their username and a PIN.

To enable PIN-based enrollment for an individual device:

1. Go to Devices & Users > Devices.
2. Select Add > Single Device.
3. Search for the User.
4. Select the Device Platform. Choices are Android, iOS, macOS or Windows.
5. If you select iOS or macOS, the Include Registration PIN only for Apple Device Enrollment field activates. Select this check box.
6. Enter a username, operator, and mobile number (or select This devices has no phone number) for the device, as you normally would.
7. Make other selections for Device Ownership, Device Language, and User Notification.
8. Click Register.

To enable PIN-based enrollment for multiple Apple deployment program devices using bulk registration:

Create a CSV file containing the information you need to bulk register a number of devices.
Add the field Include DEP Only Registration Pin (TRUE or FALSE) to the CSV file, with a value of TRUE for all devices for which you want to enable anonymous Apple Device Enrollment.

For more information about single or bulk device registration in MobileIron Core, see the following sections in Getting Started with MobileIron Core.

“Single device registration”
“Registering multiple devices”
“Bulk device registration CSV file requirements”

Anonymous

Select to enable device enrollment without assigning a username and password during enrollment. After completing the Device Enrollment, the device will be in a signed-out state (with no user assigned).

Usernames will be assigned after devices are distributed, using the Secure Sign In web clip. For more information about the Secure Sign In web clip, see Multi-User Support.

NOTE: You cannot use the Anonymous enrollment option on macOS devices.

Custom Enrollment

Custom Enrollment URL

(iOS 13.0+ and macOS 10.15+) Create custom enrollment web page(s).

Specify your own custom web page (web view) to authenticate device users during Device Enrollment. Use this page to display custom information such as authentication type, branding, consent text, and privacy policy. See Adding a custom Automated Device Enrollment web page for more details.

Enter the URL, such as https://mycustomweburl.com. This URL defines the value of the custom URL to present to the device user in a web view.

MDM Options

Enable supervision

Select to allow Apple School Manager devices to be supervised. Supervision allows for additional restrictions and configurations to be applied to devices.

NOTE: If you configure your devices to be supervised, you can apply restrictions through MobileIron Core. For more information about applying restrictions to supervised Apple devices, see iOS and tvOS restrictions settings.

Require MDM enrollment

Select to force users to apply the enrollment profile when Setup Assistant runs.

Allow MDM profile removal

Select to allow device users to remove the device from device management. If you want to prohibit Apple School Manager device users from removing MDM management, the Apple School Manager devices must be supervised.

Allow pairing

Select to allow host pairing functions, such as iTunes synchronization. Apple School Manager devices can only pair with hosts bearing valid pairing certificates.

Enable Shared iPad (multi-user) for Apple Education

NOTE: This field displays only if you have an Apple Education license loaded into Core.

Select to enable. Devices added to this profile will be configured as Apple Education shared devices. Only Managed Apple IDs that are part of an Apple Education account will be allowed to log in to the device.

If you opt to have shared iPads (multi-users), be sure to also select the following settings:

Enable supervision
Require MDM enrollment

Await device configuration during Apple device enrollment

Wait until policies and configurations are pushed to devices

Select to configure all iOS devices to be kept in the Setup Assistant until all configurations have been pushed to the devices. This step is optional, but it can reduce support calls.

When registering an Apple School Manager device, the device is held in the Setup Assistant screen until MobileIron Core receives confirmation that the profiles and configurations for that device have been pushed to the device. The Apple School Manager device is then released from the Setup Assistant screen. Alternatively, the device is released from the Setup Assistant screen after the specified time limit has passed and Core has not received acknowledgment that the profiles and configurations have been pushed to the device.

If an Apple School Manager device checks in with MobileIron Core, and Core detects this device is still awaiting its profiles and configurations, Core sends a command to release the Apple School Manager device from the Setup Assistant, if a command has not already been sent. This option applies to iOS devices only.

Time Limit (Minutes) - Enter the number of minutes for which you want to hold all iOS devices in the Setup Assistant. The default is 1 minute.

NOTE: For macOS devices, selecting Await device configuration during Apple device setup has the effect of allowing account setup during the Apple Device Enrollment process.

Setup Options

Skip All Options (Applicable to iOS 13.0, macOS 10.14, and macOS 10.15 through the most recently released version as supported by MobileIron. Default setting is disabled.)

Skip Location Services

Skip Restore from Backup

Skip Move from Android

Skip signing in to Apple ID and iCloud

Skip Terms and Conditions

Skip passcode creation

Skip Siri

Skip automatically sending diagnostic information

Skip Registration Screen (macOS only)

Skip Touch ID Setup

Skip Apple Pay Setup

Skip Zoom Setup

Skip FileVault Setup Assistant Screen (macOS only)

Skip DisplayTone Setup

Skip the Home Button screen

Skip iCloud Storage

Skip the Tap To Set Up option in AppleTV (tvOS only)

Skip the Aerial Screensavers Setup in AppleTV (tvOS only)

Skip on-boarding informational screens

Skip the screen for Apple Watch migration

Skip iCloud Analytics screen (macOS only)

Skip Apple TV home screen layout sync screen (tvOS only)

Skip the Apple TV provider sign in screen (tvOS only)

Skip the Where is this Apple TV? screen (tvOS only)

Skip the Privacy screen

Skip the iMessage and FaceTime screen

Skip the Screen Time screen (Applicable to macOS 10.15 through the most recently released version as supported by MobileIron.)

Skip the Mandatory software update screen

Skip the Add cellular plan screen

Skip the Choose Your Look screen (Applicable to iOS 13.0 and macOS 10.14 through the most recently released version as supported by MobileIron.)

Skip Express Language Setup pane (Applicable to iOS 13.0 through the most recently released version as supported by MobileIron.)

Skip Preferred Language Order pane (Applicable to iOS 13.0 through the most recently released version as supported by MobileIron.)

Skip Get Started pane (Applicable to iOS 13.0 through the most recently released version as supported by MobileIron.)

Skip the Accessibility pane (Applicable to macOS 11.0 through the most recently released version as supported by MobileIron.) If the Mac is connected to Ethernet and the Device Enrollment profile is downloaded, skips the Accessibility pane.

Skip the Restore Completed pane (Applicable to iOS 14.0 through the most recently released version as supported by MobileIron.)

Skip the Software Update Complete pane (Applicable to iOS 14.0 through the most recently released version as supported by MobileIron.)

Select the screens to be skipped when Setup Assistant runs on Apple School Manager or Apple Business Manager devices.

Note the following:

Selecting Skip signing in to Apple ID and iCloud auto-selects the Skip Apple Pay Setup option.
Selecting Skip passcode creation auto-selects the Skip Apple Pay Setup and Skip Touch ID Setup options.
Selecting Skip Touch ID Setup auto-selects the Skip Apple Pay Setup option.
Skip on-boarding informational screens - The information in this screen is used for user education, for example: Cover Sheet, Multitasking & Control Center.

You can choose to skip or enable as many screens as you like. Device users will be able to set up skipped features later.

Skip the App Store pane (Applicable to iOS 14.2 through the most recently released version as supported by MobileIron.)

Select to skip the App Store pane during the registration of an Automated Device enrollment device.

Show custom text on the Login page

Select to show customized text on the login page when users log in to their Apple School Manager devices.

In the text field that appears when selecting this option, enter your customized text. You can enter up to 50 characters.

Anchor Certificates

Click Browse to select an anchor certificate. Click Add to add an additional anchor certificate.

The anchor certificate allows the device to trust the connection to MobileIron Core. This is the certificate from which the chain of trust is derived.

NOTE: Certificate files must be in DER or PEM format.

Pairing Certificates

Click Browse to select a pairing certificate. Click Add to add an additional pairing certificate. The pairing certificate allows the device to securely pair with a host possessing this certificate when Allow Pairing is disabled.

NOTE: Certificate files must be in DER or PEM format.

macOS account creation

Users must enroll macOS devices in the Apple School Manager with an administrator account. You can prompt users to create an administrator account for themselves, or you can create an administrator account in Core, which Core then pushes to macOS Apple School Manager devices.

Prompt primary account setup to users

Select to prompt the device user to set up a primary account for the macOS Apple School Manager device.

You can prompt the user to create a regular account or an administrator account. If you prompt users to create a regular account, you will still need to create an administrator account for enrolling macOS devices in Apple School Manager. This is because device enrollment on macOS devices requires the use of an administrator account.

Regular user: The device user is prompted to create a regular user account. If you select this option, you must still create an administrator account for use on the Apple School Manager device in the Setup Managed macOS Admin Account section.
Admin user: The device user is prompted to create an administrator account to be used when enrolling the device in Device Enrollment. You can create an additional administrator account that Core synchronizes with Apple School Manager devices by selecting the Create a new admin user account option.
NOTE: For macOS devices, be sure to select Await device configuration during DEP setup, as this option has the effect of allowing account setup during the Apple Device Enrollment process.

Skip primary account setup

The Apple School Manager device user is not prompted to set up an account when enrolling the device in Device Enrollment. You create an administrator account in Core instead, so that an administrator account exists on the device when the user enrolls in Device Enrollment.

Select to create a new user with administrator privileges for use when configuring the Apple School Manager device.

As there is no primary account that can be used as an admin user, you must create an admin user in the next section of this window.

Create a new admin user account

Select to enable the creation of an administrator account.

Device Enrollment on macOS devices requires the use of an administrator account.

Setup Managed macOS Admin Account

Username

Enter the username of the macOS device. This is the name that is displayed when logging on to the device.

The administrator account you create will be associated with the macOS device bearing this username.

Full Name

Enter the name of the macOS device as defined in macOS under Settings > Sharing > Computer Name.

The administrator account you create will be associated with the macOS device bearing this name.

Password

Enter a password for the administrator account and confirm it.

Hide managed administrator account in Users & Groups

Select this option to hide the administrator account from device users. When selecting Settings > Users & Groups on a macOS Apple School Manager device, the administrator account will be hidden from view.

Example Device Enrollment Profiles for Apple School Manager

  • Teacher Profile - create a single profile that meets your teacher requirements.
  • Student Profile (1:1) - Create a single profile that meets your student requirements for student 1:1 devices (not multi-user).
  • Shared iPad Profile (Multi-User)
  1. Create a new enrollment profile and ensure that it has the following settings selected:

    • Enable Supervision
    • Require MDM Enrollment
    • Enable Shared iPad (multi-user) for Apple Education
  2. Click Save. The Shared iPad profile displays in the Device Enrollment page. The profile is marked as "Multi-user" and from this point forward, any devices that get this enrollment profile will automatically be set for multi-user.
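
The setting dependencies stated in Table 1 and in the Shared iPad profile above (supervision for Shared iPad and for blocking MDM profile removal, no Anonymous enrollment on macOS, the Setup Assistant auto-selections, the 50-character login text, macOS administrator accounts) can be checked before a profile is saved. The following is an added example, not MobileIron code: the dictionary keys and finding names are hypothetical labels for the settings described on this page, and a missing key is treated as an unselected check box.

```python
# Added example: keys are hypothetical names for the Table 1 settings,
# not MobileIron Core API fields. A missing key means "not selected".
SKIP_IMPLIES = {  # auto-selection rules listed under "Note the following"
    "apple_id": {"apple_pay"},
    "passcode": {"apple_pay", "touch_id"},
    "touch_id": {"apple_pay"},
}

def lint_profile(p):
    """Return findings for one enrollment profile, per the rules on this page."""
    out = []
    macos = p.get("platform") == "macOS"
    supervised = p.get("supervision", False)
    removable = p.get("allow_mdm_profile_removal", False)
    if p.get("shared_ipad") and not (supervised and p.get("require_mdm_enrollment")):
        out.append("shared-ipad-needs-supervision-and-required-enrollment")
    if not removable and not supervised:
        # Prohibiting removal of MDM management requires supervised devices.
        out.append("removal-block-needs-supervision")
    if removable:
        out.append("users-can-remove-management")
    if macos and p.get("auth_type") == "anonymous":
        out.append("anonymous-not-available-on-macos")
    if len(p.get("login_text", "")) > 50:
        out.append("login-text-over-50-chars")
    skips = set(p.get("skip", []))
    for item, implied in SKIP_IMPLIES.items():
        missing = implied - skips
        if item in skips and missing:
            out.append(f"skip-{item}-implies-{'+'.join(sorted(missing))}")
    if macos:
        if not p.get("await_configuration"):
            out.append("macos-needs-await-device-configuration")
        # Skipping primary account setup, or prompting for a regular user,
        # leaves no administrator unless one is created in Core.
        needs_admin = p.get("primary_account") in ("skip", "regular")
        if needs_admin and not p.get("managed_admin_account"):
            out.append("macos-needs-managed-admin-account")
    return out

# Constructed sample profiles (not exported from a real server).
SHARED_IPAD = {"platform": "iOS", "shared_ipad": True, "supervision": True,
               "require_mdm_enrollment": True, "auth_type": "password"}
WEAK_MAC = {"platform": "macOS", "auth_type": "anonymous", "supervision": False,
            "primary_account": "skip", "skip": ["passcode", "apple_pay"]}

if __name__ == "__main__":
    for name, prof in (("shared-ipad", SHARED_IPAD), ("weak-mac", WEAK_MAC)):
        print(name, lint_profile(prof) or "ok")
```
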

Next steps 

Adding your enrolled devices to your MDM server.