Setting up Apple Device Enrollment with MobileIron Core
Setting up Apple Device Enrollment with MobileIron Core involves the following main steps:
- Editing Core roles for Apple Device Enrollment
- Linking MobileIron Core to Apple Device Enrollment
- Assigning devices to the Apple Device Enrollment account
- Creating Apple Device Enrollment profiles
- Assigning Apple Device Enrollment devices to an enrollment profile en masse
- Checking for Apple Device Enrollment account updates
- Updating the OS on supervised Apple Device Enrollment devices
Before you begin
Sign up for Apple Business Manager. Apple's deprecated deployment accounts will continue to be supported by MobileIron Core as long as Apple continues support.
For more information, see the Apple documentation for setting up an Apple Device Enrollment account.
NOTE: | When using the hold feature while registering a device with Apple Device Enrollment, it is possible for the device to get stuck in the hold screen if its Internet connectivity drops, causing the Apple MDM server to be unable to reconnect to the device. Make sure you have a stable Internet connection before registering an Apple School Manager device using the hold feature. |
Editing Core roles for Apple Device Enrollment
Before you can set up and manage Apple Device Enrollment in Core, you must be sure your user name has the correct permissions for these actions. By default, user names with the administrator role will have the correct permissions.
Procedure
- In the Core Admin Portal, select Admin > Admins.
- Select the administrators whose permissions you want to edit.
- Select Actions > Edit Roles.
- In the Edit Roles window, select the following:

Item | Description
--- | ---
Admin Space | Select the space over which this administrator has administrative control. For example, select Global to allow the administrator to use the permissions selected here throughout Core.
Manage custom attributes | Select to allow the administrator to create custom attributes for use with Apple Device Enrollment.
Manage device enrollment (iOS only) | Select to enable Apple Device Enrollment.

NOTE: You can use Apple Device Enrollment to manage macOS and tvOS devices.
- Click Save.
Linking MobileIron Core to Apple Device Enrollment
Linking your MobileIron Core server to the Apple School Manager portal allows you to use Core as the designated MDM server for your Apple School Manager devices. You can then use Core to manage and secure your enrolled devices.
This process involves:
- downloading a public key from MobileIron Core and uploading it to the Apple School Manager
- downloading the Apple School Manager server token file and uploading it to MobileIron Core
After you upload the public key certificate to Apple School Manager, Apple uses it to encrypt the server token file, so the token can be transferred securely to MobileIron Core (only the Core server holding the matching private key can read it).
NOTE: | If you have multiple Apple School Manager accounts for the same instance of MobileIron Core, you can use the same certificate you download from MobileIron Core for all your Apple School Manager accounts. |
NOTE: | The following procedure is applicable only for Apple School Manager. If you try to create an MDM server using Apple Business Manager, you will not be able to connect it to Apple School Manager. |
Procedure
- In MobileIron Core, go to Devices & Users > Apple Device Enrollment.
- Click Add+. The Add Account dialog box opens.
- In the Add Account window, click Download Certificate. A .CRT file is downloaded to the file system.
- Go to your Apple School Manager portal and sign in using a dedicated Apple ID.
- Navigate to the Manage Servers page and add an MDM server using the certificate (.CRT file) downloaded in the previous steps.
- Download the server token (.P7M file) from the Apple School Manager. The file will download to your default download location.
- Go back to MobileIron Core and in the Add Account window, click Browse next to the ServerToken field.
- Select the server token (.P7M file) you downloaded from the Apple School Manager portal.
- Click Open.
- Click Save.
- Go back to the Apple School Manager portal.
- Click Done.
- In MobileIron Core, click Check for Updates. Core retrieves the new devices.
Assigning devices to the Apple Device Enrollment account
After linking your Apple School Manager account to MobileIron Core, you must add devices to your Apple Device Enrollment account. Devices added to Apple Device Enrollment are assigned to MobileIron Core, as this is the MDM server you linked to in Linking MobileIron Core to Apple Device Enrollment.
Procedure
- Go to the Apple School Manager portal and sign in using a dedicated Apple ID.
- Navigate to the Manage Devices page, select the method by which you want to add devices, and take action accordingly:

Choose Devices By... | Description
--- | ---
Serial Number | Enter one or more comma-separated serial numbers for the devices you want to assign.
Order Number | Click the Order Number radio button, then select a specific order number from the Choose an order drop-down list. A list of devices purchased with that order number is displayed.
Upload CSV File | Click the Upload CSV File radio button, then click the Choose File link to select a CSV file listing devices by serial number.

- Select Assign to Server.
- From the Choose MDM Server drop-down list, select your instance of MobileIron Core.
- Click OK. The devices are assigned.
Creating Apple Device Enrollment profiles
Apple Device Enrollment profiles allow you to apply a set of mobile device management (MDM) features to the devices assigned to a given Apple deployment program account. There is no limit to the number of Device Enrollment profiles, however, you can assign only one default enrollment profile per Apple School Manager account.
NOTE: | "Apple deployment program" means either Apple Business Manager or Apple School Manager. |
The Apple Device Enrollment profile allows you to specify:
- Account details, such as the department of the organization to which the Apple deployment program account is assigned, and the phone number device users may call for support
- The default profile, indicating whether the enrollment profile is automatically assigned to all devices in the Apple deployment program account
- MDM features, such as enabling supervision, requiring MDM enrollment, shared iPad, and allowing devices to pair with a host
- Setup options, such as whether device users are permitted to skip screens in the Setup Assistant
- Certificates, such as anchor certificates (from which the chain of trust is derived) and pairing certificates (allowing the bearer of the certificate to pair with the device)
- Enrollment options, such as whether to use anonymous, PIN-based enrollment
NOTE: | For tvOS, the Apple device enrollment profile is not downloaded until AFTER Wi-Fi is configured. It is advised that you use Ethernet for tvOS device enrollment. |
Procedure
- In the Admin Portal, go to Devices & Users > Apple Device Enrollment.
- Select an Apple deployment program account, and then go to Actions > Add Enrollment Profile. The Add Enrollment Profile dialog box opens.
- Create or edit an enrollment profile.
- Click Save.
If you have assigned the enrollment profile as the default for devices in your Apple deployment program account, the enrollment profile is tagged with a purple icon that reads Default.
Apple device enrollment profile settings
The following table describes the Apple device enrollment profile settings.
Item | Description
--- | ---
Profile Name | Enter a name for the device enrollment profile. Required.
Description | Enter a description of the device enrollment profile.
Department | Enter the name of the department associated with the account. Required.
Support Phone Number | Enter the support phone number for the Apple deployment program account. Required.
Default Enrollment Profile | Select to have all devices added to this account automatically assigned to the default profile.
Authentication Type | 
Password | Select to enable enrollment with a username and password. Device users enter their username and password when prompted.
PIN | Select to enable PIN-based enrollment. MobileIron Core will prompt the device user to enter their username and a PIN. PIN-based enrollment can be enabled for an individual device, or for multiple Apple deployment program devices using bulk registration. For more information about single or bulk device registration in MobileIron Core, see the corresponding sections in Getting Started with MobileIron Core.
Anonymous | Select to enable device enrollment without assigning a username and password during enrollment. After completing the Device Enrollment, the device will be in a signed-out state (with no user assigned). Usernames will be assigned after devices are distributed, using the Secure Sign In web clip. For more information about the Secure Sign In web clip, see Multi-User Support.
Custom Enrollment | 
Custom Enrollment URL | (iOS 13.0+ and macOS 10.15+) Create custom enrollment web page(s). Specify your own custom web page (web view) to authenticate device users during Device Enrollment. Use this page to display custom information such as authentication type, branding, consent text, and privacy policy. See Adding a custom Automated Device Enrollment web page for more details. Enter the URL, such as https://mycustomweburl.com. This URL defines the value of the custom URL to present to the device user in a web view.
MDM Options | 
Enable supervision | Select to allow Apple School Manager devices to be supervised. Supervision allows additional restrictions and configurations to be applied to devices.
Require MDM enrollment | Select to force users to apply the enrollment profile when Setup Assistant runs.
Allow MDM profile removal | Select to allow device users to remove the device from device management. If you want to prohibit Apple School Manager device users from removing MDM management, the Apple School Manager devices must be supervised.
Allow pairing | Select to allow host pairing functions, such as iTunes synchronization. Apple School Manager devices can only pair with hosts bearing valid pairing certificates.
Enable Shared iPad (multi-user) for Apple Education | Select to enable. Devices added to this profile will be configured as an Apple Education shared device. Only Managed Apple IDs that are part of an Apple Education account will be allowed to log in to the device. If you opt to have shared iPads (multi-user), be sure to also select Enable supervision and Require MDM enrollment, as in Example Device Enrollment Profiles for Apple School Manager below.
Await device configuration during Apple device enrollment (Wait until policies and configurations are pushed to devices) | Select to configure all iOS devices to be kept in the Setup Assistant until all configurations have been pushed to the devices. This step is optional, but it can reduce support calls. When registering an Apple School Manager device, the device will be held in the Setup Assistant screen until MobileIron Core receives confirmation that the profiles and configurations for that device have been pushed to the device. The Apple School Manager device is then released from the Setup Assistant screen. Alternatively, the device is released from the Setup Assistant screen after the specified time limit has passed and Core has not received acknowledgment that the profiles and configurations have been pushed to the device. If an Apple School Manager device checks in with MobileIron Core, and Core detects this device is still awaiting its profiles and configurations, Core sends a command to release the Apple School Manager device from the Setup Assistant, if a command has not already been sent. This option applies to iOS devices only. Time Limit (Minutes): enter the number of minutes for which you want to hold all iOS devices in the Setup Assistant. The default is 1 minute.
Setup Options | Select the screens to be skipped when Setup Assistant runs on Apple School Manager or Apple Business Manager devices. You can choose to skip or enable as many screens as you like; device users will be able to set up skipped features later. Skip All Options is applicable to iOS 13.0, macOS 10.14, and macOS 10.15 through the most recently released version as supported by MobileIron, and is disabled by default. The individual screens that can be skipped are listed after this table.
Skip the App Store pane (Applicable to iOS 14.2 through the most recently released version as supported by MobileIron.) | Select to skip the App Store pane during the registration of an Automated Device Enrollment device.
Show custom text on the Login page | Select to show customized text on the login page when users log in to their Apple School Manager devices. In the text field that appears when selecting this option, enter your customized text. You can enter up to 50 characters.
Anchor Certificates | Click Browse to select an anchor certificate. Click Add to add an additional anchor certificate. The anchor certificate allows the device to trust the connection to MobileIron Core. This is the certificate from which the chain of trust is derived.
Pairing Certificates | Click Browse to select a pairing certificate. Click Add to add an additional pairing certificate. The pairing certificate allows the device to securely pair with a host possessing this certificate when Allow Pairing is disabled.
macOS account creation | Users must enroll macOS devices in Apple School Manager with an administrator account. You can prompt users to create an administrator account for themselves, or you can create an administrator account in Core, which Core then pushes to macOS Apple School Manager devices.
Prompt primary account setup to users | Select to prompt the device user to set up a primary account for the macOS Apple School Manager device. You can prompt the user to create a regular account or an administrator account. If you prompt users to create a regular account, you will still need to create an administrator account for enrolling macOS devices in Apple School Manager, because device enrollment on macOS devices requires the use of an administrator account.
Skip primary account setup | The Apple School Manager device user will not be prompted to set up an account when enrolling the device in Device Enrollment. You create an administrator account in Core instead, so that an administrator account exists on the device when the user enrolls in Device Enrollment. Select to create a new user with administrator privileges for use when configuring the Apple School Manager device. As there is no primary account that can be used as an admin user, you must create an admin user in the next section of this window.
Create a new admin user account | Select to enable the creation of an administrator account. Device Enrollment on macOS devices requires the use of an administrator account.
Setup Managed macOS Admin Account | 
Username | Enter the username of the macOS device. This is the name that is displayed when logging on to the device. The administrator account you create will be associated with the macOS device bearing this username.
Full Name | Enter the name of the macOS device as defined in macOS under Settings > Sharing > Computer Name. The administrator account you create will be associated with the macOS device bearing this name.
Password | Enter a password for the administrator account and confirm it.
Hide managed administrator account in Users & Groups | Select this option to hide the administrator account from device users. When selecting Settings > Users & Groups on a macOS Apple School Manager device, the administrator account will be hidden from view.

Screens that can be skipped under Setup Options:
- Skip All Options (Applicable to iOS 13.0, macOS 10.14, and macOS 10.15 through the most recently released version as supported by MobileIron. Default setting is disabled.)
- Skip Location Services
- Skip Restore from Backup
- Skip Move from Android
- Skip signing in to Apple ID and iCloud
- Skip Terms and Conditions
- Skip passcode creation
- Skip Siri
- Skip automatically sending diagnostic information
- Skip Registration Screen (macOS only)
- Skip Touch ID Setup
- Skip Apple Pay Setup
- Skip Zoom Setup
- Skip FileVault Setup Assistant Screen (macOS only)
- Skip DisplayTone Setup
- Skip the Home Button screen
- Skip iCloud Storage
- Skip the Tap To Set Up option in AppleTV (tvOS only)
- Skip the Aerial Screensavers Setup in AppleTV (tvOS only)
- Skip on-boarding informational screens
- Skip the screen for Apple Watch migration
- Skip iCloud Analytics screen (macOS only)
- Skip Apple TV home screen layout sync screen (tvOS only)
- Skip the Apple TV provider sign in screen (tvOS only)
- Skip the Where is this Apple TV? screen (tvOS only)
- Skip the Privacy screen
- Skip the iMessage and FaceTime screen
- Skip the Screen Time screen (Applicable to macOS 10.15 through the most recently released version as supported by MobileIron.)
- Skip the Mandatory software update screen
- Skip the Add cellular plan screen
- Skip the Choose Your Look screen (Applicable to iOS 13.0 and macOS 10.14 through the most recently released version as supported by MobileIron.)
- Skip Express Language Setup pane (Applicable to iOS 13.0 through the most recently released version as supported by MobileIron.)
- Skip Preferred Language Order pane (Applicable to iOS 13.0 through the most recently released version as supported by MobileIron.)
- Skip Get Started pane (Applicable to iOS 13.0 through the most recently released version as supported by MobileIron.)
- Skip the Accessibility pane (Applicable to macOS 11.0 through the most recently released version as supported by MobileIron.) If the Mac is connected to Ethernet and the Device Enrollment profile is downloaded, the Accessibility pane is skipped.
- Skip the Restore Completed pane (Applicable to iOS 14.0 through the most recently released version as supported by MobileIron.)
- Skip the Software Update Complete pane (Applicable to iOS 14.0 through the most recently released version as supported by MobileIron.)
Example Device Enrollment Profiles for Apple School Manager
- Teacher Profile: Create a single profile that meets your teacher requirements.
- Student Profile (1:1): Create a single profile that meets your student requirements for student 1:1 devices (not multi-user).
- Shared iPad Profile (Multi-User):
  - Create a new enrollment profile (Add Enrollment Profile) and ensure that it has the following settings selected:
    - Enable Supervision
    - Require MDM Enrollment
    - Enable Shared iPad (multi-user) for Apple Education
  - Click Save. The Shared iPad profile displays in the Device Enrollment page. The profile is marked as "Multi-user" and, from this point forward, any devices that get this enrollment profile will automatically be set for multi-user.
Next steps
- For Apple Business Manager, continue to Assigning Apple Device Enrollment devices to an enrollment profile en masse.
- For Apple School Manager, continue to Adding your enrolled devices to your MDM server.
Assigning Apple Device Enrollment devices to an enrollment profile en masse
After linking MobileIron Core to an Apple Device Enrollment account, the devices assigned to this account are displayed in the Core Admin Portal. The Apple Device Enrollment devices are organized so that clicking the number in the Devices column for an account shows the devices assigned to that account. To manage your devices in Apple Device Enrollment, it can help to assign multiple devices to an enrollment profile at once. You can do that by:
- selecting the devices and adding them
- creating a CSV file containing the relevant devices and uploading the file to Core
You can also assign custom attributes to the devices using a CSV file. This happens when you assign these devices to an enrollment profile.
If you have already created an enrollment profile and assigned it as the default for all Apple Device Enrollment devices associated with your Apple School Manager account, then your devices have already been assigned an enrollment profile, and you can skip this step. Continue on to Checking for Apple Device Enrollment account updates.
Note The Following:
- The CSV file can contain up to 5,000 devices.
- Assigning devices and profiles with a CSV file containing UTF-8 characters may cause errors due to invalid encoding.
- When adding a custom attribute to a CSV file, the column header must match the name of the custom attribute exactly. For multi-users in shared device carts, be sure the CSV file you upload has a new column for the custom attribute created when you enabled Apple Education and connected to the MDM server. Each of these devices must be pre-assigned to a device cart.
- The value of a custom attribute must match the data type of the custom attribute. For example, a boolean type custom attribute can only have a boolean value. For Apple Education Managed Apple ID and Apple Education Device Cart attributes, string is the only valid data type.
Procedure
- Go to Apple School Manager and sign in using your Apple ID.
- Select Device Enrollment Program in the sidebar.
- Select Manage Servers, then click the name of the server.
- In the Server Details window, click Download Serial Numbers to download a comma-separated value (CSV) file that contains the serial numbers of all assigned devices.
- After you download the CSV file, click OK.
- Open the CSV file in an editor.
- Remove the column next to the serial numbers. This column may be called MODEL.
- Optionally, assign custom attributes to the devices listed in the CSV file by editing the file. The custom attributes are assigned to the devices when the devices are assigned to the enrollment profile:
  - Add a column to the file and name it. The name of the column is the name of the custom attribute.
  - Enter a value for the custom attribute in each device row.
  - Optionally, add more custom attributes and values.
- Save your changes.
- In Core, select Devices & Users > Apple Device Enrollment.
- Find the Apple School Manager account you want to use, and click the number in the Enrollment Profiles cell. Core displays the available enrollment profiles.
- Select the device enrollment profile you want to use.
- Select Actions > Assign Devices to Profile. The Assign Devices to Profile dialog box opens.
- Click Upload, and browse for the CSV file you downloaded from the Apple School Manager Portal.
- Click Assign.
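The CSV you upload in this procedure decides which devices receive which enrollment profile and custom attributes, so a mistaken column or value mis-assigns devices silently. The following script is an added example (not MobileIron's code): it rewrites a constructed Apple School Manager serial-number export into the shape Core expects (MODEL column removed, one column per custom attribute) and then checks the rules stated above (5,000-device limit, exact attribute column names, values matching the attribute type, no non-ASCII characters). The attribute names, types, serials and values are all constructed for the example.

```python
import csv
import io

MAX_DEVICES = 5000          # CSV limit stated in the Core documentation
BOOLEAN_VALUES = {"true", "false"}

# Constructed sample of the Apple School Manager "Download Serial Numbers" export
# (fictional serials). The column next to the serial numbers is the MODEL column.
ASM_EXPORT = """Serial Number,MODEL
C02AB12345XY,MacBook Pro
DMPCD67890AB,iPad
F9FDE11111CD,iPad
"""

# Constructed: custom attributes as defined in Core, keyed by their exact names.
# Apple Education attributes must be strings; other types are whatever you defined.
CUSTOM_ATTRIBUTES = {"Apple Education Device Cart": "string", "Lab Device": "boolean"}

# Constructed: the value each device should receive for each custom attribute.
ASSIGNMENTS = {
    "C02AB12345XY": {"Apple Education Device Cart": "Cart-01", "Lab Device": "true"},
    "DMPCD67890AB": {"Apple Education Device Cart": "Cart-01", "Lab Device": "false"},
    "F9FDE11111CD": {"Apple Education Device Cart": "Cart-02", "Lab Device": "false"},
}


def prepare_csv(export_text, attributes, assignments):
    """Drop the column next to the serial numbers and append one column per custom attribute."""
    rows = list(csv.reader(io.StringIO(export_text)))
    serial_header = rows[0][0]
    out = io.StringIO()
    writer = csv.writer(out, lineterminator="\n")
    writer.writerow([serial_header] + list(attributes))
    for row in rows[1:]:
        if not row:
            continue
        serial = row[0].strip()
        values = assignments.get(serial)
        if values is None:
            # Refuse to emit a device with no assignment rather than leave cells blank.
            raise ValueError(f"no custom attribute values for serial {serial}")
        writer.writerow([serial] + [values[name] for name in attributes])
    return out.getvalue()


def validate_csv(csv_text, attributes):
    """Return a list of problems that would make Core reject or mis-apply the upload."""
    problems = []
    if any(ord(ch) > 127 for ch in csv_text):
        problems.append("file contains non-ASCII characters (may fail with invalid encoding)")
    rows = [r for r in csv.reader(io.StringIO(csv_text)) if r]
    header, devices = rows[0], rows[1:]
    if len(devices) > MAX_DEVICES:
        problems.append(f"{len(devices)} devices exceeds the limit of {MAX_DEVICES}")
    if len(header) > 1 and header[1].strip().upper() == "MODEL":
        problems.append("MODEL column is still present; remove the column next to the serials")
    for name in header[1:]:
        if name not in attributes:
            problems.append(f"column '{name}' does not exactly match a custom attribute name")
    for line_no, row in enumerate(devices, start=2):
        for name, value in zip(header[1:], row[1:]):
            kind = attributes.get(name)
            if kind == "boolean" and value.strip().lower() not in BOOLEAN_VALUES:
                problems.append(f"line {line_no}: '{value}' is not a boolean for '{name}'")
            elif kind == "integer" and not value.strip().lstrip("-").isdigit():
                problems.append(f"line {line_no}: '{value}' is not an integer for '{name}'")
    return problems


if __name__ == "__main__":
    prepared = prepare_csv(ASM_EXPORT, CUSTOM_ATTRIBUTES, ASSIGNMENTS)
    print(prepared)
    print("problems:", validate_csv(prepared, CUSTOM_ATTRIBUTES) or "none")
```

Run `validate_csv` on the file immediately before clicking Upload; an empty list means the file satisfies the constraints listed in Note The Following.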
Checking for Apple Device Enrollment account updates
As devices are added to the Apple Device Enrollment account on the Apple School Manager portal, and not on MobileIron Core, it is recommended to occasionally check for Device Enrollment account updates in Core. Core will synchronize with the Apple School Manager portal, and any devices that have been added or removed will be reflected in the Core Admin Portal. If an enrollment profile has been configured as the default for the Apple Device Enrollment account, the default enrollment profile will be applied to all newly assigned Apple School Manager devices.
Procedure
- In Admin Portal, go to Devices & Users > Apple Device Enrollment.
- Click Check for Updates.
Verifying the Apple Device Enrollment status of a device
Two values in the Device Details tab indicate the status of a device:
- Apple School Manager Device
- A value of true indicates the device was purchased from Apple as an Apple School Manager device. The device itself may or may not be enrolled via Apple School Manager.
- A value of false indicates the device is either not an Apple School Manager device, or the device was an Apple School Manager device that was later removed from the Apple School Manager portal.
- Apple Device Enrolled
- A value of true indicates the device is enrolled in the Apple School Manager. Alternatively, the device is enrolled in the Apple School Manager and registered with Core, but the device has been removed from the Apple School Manager portal.
- A value of false indicates the device is not currently enrolled via Apple School Manager.
If an Apple School Manager device is not enrolled in Apple Device Enrollment, you can retire and wipe the device so as to re-purpose the device for another user.
Procedure
- In the Admin Portal, select Devices & Users > Devices.
- Find the device whose enrollment details you want to examine, and click the caret (^) next to it.
- Click the Device Details tab.
- Examine the values for DEP Device and DEP Enrolled.
Updating the OS on supervised Apple Device Enrollment devices
MobileIron Core can update the iOS on supervised Apple School Manager devices, when updates are available.
NOTE: | This feature is supported on supervised devices running iOS 9 through the most recently released version of iOS as supported by MobileIron. |
Procedure
- Log into MobileIron Core.
- Select Devices & Users > Devices.
- Select a supervised iOS Apple School Manager device.
- Click Actions.
- Select iOS Only > Update OS Software. The Confirmation window appears.
- Click Confirm.