Creating an Apple Device Enrollment Profile

Apple Device Enrollment profiles allow you to apply a set of mobile device management (MDM) features to the devices assigned to a given Apple deployment program account. There is no limit to the number of Device Enrollment profiles; however, you can assign only one default enrollment profile per Apple deployment program account.

"Apple deployment program" means either Apple Business Manager or Apple School Manager.

The Apple Device Enrollment profile allows you to specify:

  • Account details, such as the department of the organization to which the Apple deployment program account is assigned, and the phone number device users may call for support
  • The default profile, indicating whether the enrollment profile is automatically assigned to all devices in the Apple deployment program account
  • MDM features, such as enabling supervision, requiring MDM enrollment, shared iPad, and allowing devices to pair with a host
  • Setup options, such as whether device users are permitted to skip screens in the Setup Assistant
  • Certificates, such as anchor certificates (from which the chain of trust is derived) and pairing certificates (allowing the bearer of the certificate to pair with the device)
  • Enrollment options, such as whether to use anonymous, PIN-based enrollment

For tvOS, the Apple device enrollment profile is not downloaded until after Wi-Fi has been configured. Ethernet is recommended for tvOS device enrollment.

Procedure 

  1. In the Admin Portal, go to Devices & Users > Apple Device Enrollment.
  2. Select an Apple deployment program account, and then go to Actions > Add Enrollment Profile.
    The Add Enrollment Profile dialog box opens. See descriptions of the settings below.
  3. Create or edit an enrollment profile.
  4. Click Save.
    If you have assigned the enrollment profile as the default for devices in your Apple deployment program account, the enrollment profile is tagged with a purple icon that reads Default.

Apple device enrollment profile settings

The settings are described in the following subsections:

  • General
  • Authentication Type
  • Custom Enrollment
  • MDM (Mobile Device Management) Options
  • Setup Options
  • macOS Account Creation
  • Setup Managed macOS Administrator Account

General

Table 14.  Apple device enrollment profile settings

Item

Description

Profile Name

Enter a name for the device enrollment profile. Required.

Description

Enter a description of the device enrollment profile.

Department

Enter the name of the department associated with the account. Required.

Support Phone Number

Enter the support phone number for the Apple deployment program account. Required.

Default Enrollment Profile

Select to have all devices added to this account be automatically assigned to the default profile.
If you change the default profile for your Device Enrollment account, existing devices are not affected. This means devices that were previously assigned to the old default enrollment profile continue to be assigned to the old default enrollment profile.

Authentication Type

Table 15.  Authentication Type

Item

Description

Password

Select to enable enrollment with a username and password. Device users enter their username and password when prompted.

PIN

Select to enable PIN-based enrollment. Ivanti EPMM will prompt the device user to enter their username and a PIN.

To enable PIN-based enrollment for an individual device:

  1. Go to Devices & Users > Devices.

  2. Select Add > Single Device.

  3. Search for the User.

  4. Select the Device Platform. Choices are Android, iOS, macOS or Windows.

  5. If you select iOS or macOS, the Include Registration PIN only for Apple Device Enrollment field activates. Select this check box.

  6. Enter a username, operator, and mobile number (or select This device has no phone number) for the device, as you normally would.

  7. Make other selections for Device Ownership, Device Language, and User Notification.

  8. Click Register.

To enable PIN-based enrollment for multiple Apple deployment program devices using bulk registration:

  • Create a CSV file containing the information you need to bulk register a number of devices.

  • Add the field Include DEP Only Registration Pin (TRUE or FALSE) to the CSV file, with a value of TRUE for all devices for which you want to enable anonymous Apple Device Enrollment.

For more information about single or bulk device registration in Ivanti EPMM, see the following sections in Getting Started with Ivanti EPMM.

  • “Single device registration”

  • “Registering multiple devices”

  • “Bulk device registration CSV file requirements”

Anonymous

Select to enable device enrollment without assigning a username and password during enrollment. After completing the Device Enrollment, the device will be in a signed-out state (with no user assigned).

Usernames will be assigned after devices are distributed, using the Secure Sign In web clip. For more information about the Secure Sign In web clip, see Multi-User Support.

You cannot use the Anonymous enrollment option on macOS devices.

Enable SAML

As part of the DEP profile, the MDM server supplies Apple with a custom enrollment URL in addition to the standard URL from which the device fetches the MDM profile. You can use the custom URL to enforce your own authentication model or to present other information to the device user.

Select this option to support an external IdP for DEP enrollment.

This feature is applicable for iOS 13.0 and macOS 10.15 devices or supported newer versions.

  • You must have SAML enabled. (See "Configuring SAML/IdP support" in the Ivanti EPMM System Manager Guide.) If the IdP has not been configured properly, and is not reachable, the Enable SAML check box will not display.

  • Once set up for SAML on iReg or DEP devices, you will not be able to disable SAML from the System Manager. You must first de-select Enable SAML in the Device Registration page before you can disable the IdP SAML connection in the System Manager.

Custom Enrollment

Custom Enrollment URL: (iOS 13.0+ and macOS 10.15+) Create custom enrollment web page(s).

Specify your own custom web page (web view) to authenticate device users during Device Enrollment. Use this page to display custom information such as authentication type, branding, consent text, and privacy policy. See Adding a custom Automated Device Enrollment web page for more details.

Enter the URL, such as https://mycustomweburl.com. This URL defines the value of the custom URL to present to the device user in a web view.

MDM (Mobile Device Management) Options

Item

Description

Enable supervision

Select to allow Apple School Manager devices to be supervised. Supervision allows the use of additional device restrictions and configurations. (For iOS 13+ and macOS 10.15+, supervision is selected by default.)

In iOS 13+ and supported later versions, all devices using Apple Device Enrollment are supervised, and iOS ignores the is_supervised flag.

For more information about applying restrictions to supervised Apple devices, see iOS and tvOS restrictions settings.

Require MDM enrollment

Select to force users to apply the enrollment profile when Setup Assistant runs.

In iOS 13+ and supported newer versions, all Apple Device Enrollments are mandatory. For iOS 13+ and macOS 10.15+, this option is selected by default.

Allow MDM profile removal

Select to allow device users to remove the device from device management. Supervision is required to disallow removal.

Allow pairing

Select to allow host pairing functions, such as iTunes synchronization. Pairing is always allowed for hosts that have valid pairing certificates (Not applicable for iOS 13+ & macOS 10.15+).

Enable Shared iPad (multi-user)

  • If this field is selected, you MUST also have the Await device configuration during Apple device enrollment field selected.

  • For Apple Business Manager, this is applicable to iOS 14.5 and later.

Only Apple-licensed apps are sent to Shared iPad devices through registration. This is set up by selecting the Send Installation Request on device registration or sign in option in the AppCatalog. For more information, see “Using the wizard to import iOS apps from the Apple App Store" in the Ivanti EPMM Apps@Work Guide.

Be sure to also select the following settings: Enable supervision and Require MDM enrollment.

For Apple Business Manager, when this field is selected, new options display:

Allow Guest / Temporary Sessions Only - Allows only guest/temporary Shared iPad sessions. Guests can use the iPad, but the data in the guest's partition is deleted when the user logs out; the next guest who logs in to the same iPad starts afresh.

When the Allow Guest / Temporary Sessions Only field is selected, only the Guest/Temporary Session Timeout (seconds) field displays. Enter the number of seconds into the field. If this field is left blank, the timeout will use the iPad's system defaults. If set to zero, there will be no timeout. Maximum limit is 1800 seconds.

If Allow Guest/Temporary Sessions Only is deselected, the following fields display:

  • Use Device Defaults - Select to use the system default session timeouts and let iPadOS calculate the quota size for you.

  • Set Maximum Resident Users - Set the number of users allowed on the Shared iPad. iPadOS then divides the quota space evenly between that number of users. 32 is the maximum number of users allowed on a Shared iPad.

    If the maximum resident users is set to five on a Shared iPad and a sixth user logs in, the data of the oldest (least recently used) user on the Shared iPad is deleted.

  • Set Quota Size (MB) - The size allocated for each user's data on the Shared iPad. For example, on a 100 GB iPad with 10 users, each user gets 10 GB.

    Administrators choose either Set Maximum Resident Users or Set Quota Size.

  • Guest/Temporary Session Timeout (seconds) - If left blank, the timeout uses the iPad's system defaults. If set to zero, there is no timeout. Maximum is 1800 seconds. Once the temporary session ends (the user logs out), the guest's data is deleted from the iPad.

  • User Session Timeout (seconds) - If left blank, the timeout uses the system defaults. If set to zero, there is no timeout. Maximum is 1800 seconds.

  • Online Authentication Grace Period (Days) - Select the number of days' grace period before online authentication against Apple's identity server is required again. During the grace period, the Shared iPad verifies the user's passcode locally at login (for users that already exist on the device). Default value is 0. Applicable to iPadOS 16+.

  • Domains - Click the Add+ button to add default domains, so that the Shared iPad user can pick the domain to sign in to from a list. This list is located just above the keypad on the iPad. Optionally, the device user can also type the domain when signing in. Applicable to iPadOS 16+.

Await device configuration during Apple device enrollment

Wait until policies and configurations are pushed to devices

Select to have device-based VPP applications install during the DEP enrollment process and during (supervised) device enrollment. With device-based VPP licenses, the applications can be installed and available to the device user by the time the device finishes setup.

When registering an Apple School Manager device, the device is held at the Setup Assistant screen until Ivanti EPMM receives confirmation that the profiles and configurations for that device have been pushed to it. The device is then released from the Setup Assistant screen.

If an Apple School Manager device checks in with Ivanti EPMM, and Ivanti EPMM detects that the device is still awaiting its profiles and configurations, Ivanti EPMM sends a command to release the device from the Setup Assistant, if such a command has not already been sent.

  • Applicable to supervised iOS devices - In-house apps are also supported during DEP await configuration, along with VPP apps.

  • Applicable to supervised macOS devices - In-house apps are not supported.

Time Limit (Minutes) - Enter the number of minutes for which you want to hold all iOS and macOS devices in the Setup Assistant. The maximum is 10 minutes. If, after the specified time limit has passed and Ivanti EPMM has not received acknowledgment that the profiles and configurations have been pushed to the device, the device is released from the Setup Assistant. This is helpful in case there are a lot of apps that require more time. The remaining apps will be automatically installed after the device is registered.

If selecting this field, then you need to also select Send installation upon device registration in the specific app.

For macOS devices, selecting Await device configuration during Apple device setup has the effect of allowing account setup during the Apple Device Enrollment process.
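The hold-and-release behaviour described above is a small state machine on the MDM server side. The following is an added illustration in Python (my own modelling, not Ivanti's or EPMM's implementation): it tracks the configurations that are still unacknowledged, releases the device with Apple's DeviceConfigured MDM command when all of them are acknowledged or when the time limit (capped at 10 minutes, as stated above) has expired at a check-in, and guarantees that the release command is queued only once. The configuration identifiers, UDIDs and timestamps are constructed sample values.

```python
"""Model of 'Await device configuration' on the MDM server side.

Added example, not EPMM code.  The device stays in Setup Assistant until
the server queues Apple's DeviceConfigured command; the rules below decide
when that happens and make sure it happens exactly once.
"""
from dataclasses import dataclass, field

TIME_LIMIT_MAX_MIN = 10  # the page caps the hold time at 10 minutes


@dataclass
class AwaitingDevice:
    udid: str                 # constructed sample identifier
    pending: set              # configuration ids not yet acknowledged
    enrolled_at: float        # seconds; a real server would use a monotonic clock
    time_limit_min: int = TIME_LIMIT_MAX_MIN
    released: bool = False
    release_reason: str = ""
    outbound: list = field(default_factory=list)  # MDM commands queued for the device

    def __post_init__(self):
        if not 0 < self.time_limit_min <= TIME_LIMIT_MAX_MIN:
            raise ValueError("time limit must be between 1 and 10 minutes")

    def _release(self, reason: str) -> bool:
        """Queue the DeviceConfigured command exactly once."""
        if self.released:
            return False                      # already sent: never queue a second one
        self.released = True
        self.release_reason = reason
        self.outbound.append({"RequestType": "DeviceConfigured"})
        return True

    def on_acknowledged(self, config_id: str) -> bool:
        """The device acknowledged one pushed configuration (e.g. a profile)."""
        self.pending.discard(config_id)
        if not self.pending:
            return self._release("all configurations acknowledged")
        return False

    def on_checkin(self, now: float) -> bool:
        """Check-in while still held in Setup Assistant.

        Release if nothing is pending or if the time limit has passed; the
        configurations and apps still pending are delivered after registration.
        """
        if not self.pending:
            return self._release("nothing pending at check-in")
        if now - self.enrolled_at >= self.time_limit_min * 60:
            return self._release(
                "time limit reached with %d configuration(s) pending" % len(self.pending))
        return False


if __name__ == "__main__":
    dev = AwaitingDevice("00008030-CONSTRUCTED", {"wifi", "vpn"}, enrolled_at=0.0, time_limit_min=5)
    dev.on_acknowledged("wifi")
    dev.on_checkin(60.0)            # still held: vpn pending, 1 minute elapsed
    dev.on_acknowledged("vpn")      # releases the device
    dev.on_checkin(61.0)            # no second DeviceConfigured
    print(dev.release_reason, dev.outbound)
```

Whatever triggers the release, the `released` flag is the only thing that decides whether a command is queued, which is the property the page describes ("if a command has not already been sent").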

Auto Advance Setup

Device will tell Setup Assistant to automatically advance through its screens (Applicable for tvOS and macOS 11.0 and later versions.)

Setup Options

Skip Options

Other Options

Skip Options

Select the screens to be skipped when Setup Assistant runs on Apple School Manager or Apple Business Manager devices.

Note the following:

  • Selecting Skip signing in to Apple ID and iCloud auto-selects the Skip Apple Pay Setup option.

  • Selecting Skip passcode creation auto-selects the Skip Apple Pay Setup and Skip Touch ID Setup options.

  • Selecting Skip Touch ID Setup auto-selects the Skip Apple Pay Setup option.

  • Skip on-boarding informational screens - The information in this screen is used for user education, for example: Cover Sheet, Multitasking & Control Center.

  • You can choose to skip or enable as many screens as you like. Device users will be able to set up skipped features later.

Skip options available (Skip Option - Notes):

  • Skip All Options - Applicable to iOS 13.0, macOS 10.14, and macOS 10.15 or supported newer versions. Default setting is disabled.
  • Skip Location Services
  • Skip Restore from Backup
  • Skip Move from Android
  • Skip signing in to Apple ID and iCloud
  • Skip Terms and Conditions
  • Skip passcode creation
  • Skip Siri
  • Skip automatically sending diagnostic information
  • Skip Registration Screen - macOS only
  • Skip Touch ID Setup
  • Skip Apple Pay Setup
  • Skip Zoom Setup
  • Skip FileVault Setup Assistant Screen - macOS only
  • Skip DisplayTone Setup
  • Skip the Home Button screen
  • Skip iCloud Storage
  • Skip the Tap To Set Up option in AppleTV - tvOS only
  • Skip the Aerial Screensavers Setup in AppleTV - tvOS only
  • Skip on-boarding informational screens
  • Skip the screen for Apple Watch migration
  • Skip iCloud Analytics screen - macOS only
  • Skip Apple TV home screen layout sync screen - tvOS only
  • Skip the Apple TV provider sign in screen - tvOS only
  • Skip the Where is this Apple TV? screen - tvOS only
  • Skip the Privacy screen
  • Skip the iMessage and FaceTime screen
  • Skip the Screen Time screen - Applicable to macOS 10.15 or supported newer versions.
  • Skip the Mandatory software update screen
  • Skip the Add cellular plan screen
  • Skip the Choose Your Look screen - Applicable to iOS 13.0 and macOS 10.14 or supported newer versions.
  • Skip Express Language Setup pane - Applicable to iOS 13.0 or supported newer versions.
  • Skip Preferred Language Order pane - Applicable to iOS 13.0 or supported newer versions.
  • Skip Get Started pane - Applicable to iOS 13.0 or supported newer versions.
  • Skip the Accessibility pane (macOS only) - If the Mac is connected to Ethernet and the Device Enrollment profile is downloaded, skips the Accessibility pane. Applicable to macOS 11.0 or supported newer versions.
  • Skip the Restore Completed pane - Applicable to iOS 14.0 or supported newer versions.
  • Skip the Software Update Complete pane - Applicable to iOS 14.0 or supported newer versions.
  • Skip Unlock With Watch (macOS only) - Skips the Unlock Your Mac with your Apple Watch pane. Availability: macOS 12+.
  • Skip the Terms of Address pane - Availability: iOS 16+ and macOS 13+.
  • Skip the Device to Device Migration pane - Availability: iOS 13+.
  • Skip the iMessage pane when using phone number for Message Activation - Availability: iOS 10+.

Other Options

  • Show custom text on the Login page: Select to show customized text on the login page when users log in to their Apple School Manager devices. In the text field that appears when selecting this option, enter your customized text. You can enter up to 50 characters.

  • Anchor Certificates: Click Browse to select an anchor certificate. Click Add to add an additional anchor certificate. The anchor certificate allows the device to trust the connection to Ivanti EPMM; it is the certificate from which the chain of trust is derived.

  • Pairing Certificates: Click Browse to select a pairing certificate. Click Add to add an additional pairing certificate. The pairing certificate allows the device to pair securely with a host possessing this certificate when Allow Pairing is disabled.

Certificate files must be in DER or PEM format.
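To make the dependencies in the MDM Options, Skip Options and Other Options sections concrete, here is an added example (not Ivanti code, and not a copy of what EPMM submits) that builds, from those settings, the profile body that Apple's Device Enrollment Program web service accepts when an MDM defines a profile, enforces the rules stated above (Shared iPad needs Await device configuration plus supervision and mandatory enrollment; disallowing profile removal needs supervision; the skip-option auto-selections), and converts DER or PEM anchor and pairing certificates into the base64 DER form the API carries. The field names follow Apple's DEP "define profile" API as far as I recall them; the MDM server URL and the certificate bytes are constructed placeholders, not real certificates.

```python
"""Build an Apple Automated Device Enrollment (DEP) profile body from the
settings described on this page, enforcing the stated dependencies.

Added example; stdlib only.  Field names follow Apple's DEP web-service
profile object as I recall it (assumption, not taken from EPMM).
"""
import base64
import json
import ssl

MDM_SERVER_URL = "https://mdm.example.com/mdm/dep"   # hypothetical server URL
CUSTOM_WEB_URL = "https://mycustomweburl.com"        # custom enrollment URL from the page

# Auto-select rules from the Skip Options section, in Apple's skip_setup_items keys.
_SKIP_IMPLIES = {
    "AppleID": {"Payment"},                # skip Apple ID/iCloud -> skip Apple Pay
    "Passcode": {"Payment", "Biometric"},  # skip passcode        -> skip Apple Pay + Touch ID
    "Biometric": {"Payment"},              # skip Touch ID        -> skip Apple Pay
}


def cert_to_base64_der(blob: bytes) -> str:
    """Accept a DER or PEM certificate file and return base64 DER, the form
    carried in the anchor_certs / supervising_host_certs arrays."""
    text = blob.decode("ascii", errors="ignore").strip()
    if text.startswith("-----BEGIN CERTIFICATE-----"):
        der = ssl.PEM_cert_to_DER_cert(text)   # stdlib PEM -> DER (base64 decode)
    elif blob[:1] == b"\x30":                  # ASN.1 SEQUENCE tag: DER certificate
        der = blob
    else:
        raise ValueError("certificate must be in DER or PEM format")
    return base64.b64encode(der).decode("ascii")


def expand_skip_items(items):
    """Apply the auto-select rules until no further option is implied."""
    result = set(items)
    changed = True
    while changed:
        changed = False
        for item in list(result):
            extra = _SKIP_IMPLIES.get(item, set()) - result
            if extra:
                result |= extra
                changed = True
    return sorted(result)


def build_profile(name, department, support_phone, *, supervised=True,
                  mandatory=True, mdm_removable=False, allow_pairing=False,
                  shared_ipad=False, await_configured=False, skip_items=(),
                  anchor_certs=(), pairing_certs=(), custom_web_url=None,
                  auto_advance=False):
    """Return the DEP profile dict, or raise ValueError on an invalid combination."""
    if shared_ipad and not await_configured:
        raise ValueError("Enable Shared iPad requires Await device configuration")
    if shared_ipad and not (supervised and mandatory):
        raise ValueError("Enable Shared iPad requires supervision and mandatory enrollment")
    if not mdm_removable and not supervised:
        raise ValueError("supervision is required to disallow MDM profile removal")
    profile = {
        "profile_name": name,
        "url": MDM_SERVER_URL,
        "department": department,
        "support_phone_number": support_phone,
        "is_supervised": supervised,
        "is_mandatory": mandatory,
        "is_mdm_removable": mdm_removable,
        "allow_pairing": allow_pairing,   # hosts with pairing certs may pair regardless
        "is_multi_user": shared_ipad,
        "await_device_configured": await_configured,
        "auto_advance_setup": auto_advance,
        "skip_setup_items": expand_skip_items(skip_items),
        "anchor_certs": [cert_to_base64_der(c) for c in anchor_certs],
        "supervising_host_certs": [cert_to_base64_der(c) for c in pairing_certs],
    }
    if custom_web_url:
        profile["configuration_web_url"] = custom_web_url
    return profile


# Constructed sample input: a fake DER blob (NOT a real certificate) and the
# same bytes wrapped as PEM, to exercise both accepted file formats.
FAKE_DER = b"\x30\x03\x02\x01\x01"
FAKE_PEM = (b"-----BEGIN CERTIFICATE-----\n" + base64.b64encode(FAKE_DER)
            + b"\n-----END CERTIFICATE-----\n")


def demo_profile():
    """A Shared iPad profile that skips passcode creation and Siri."""
    return build_profile("Corp iPad", "IT", "+1-555-0100",
                         shared_ipad=True, await_configured=True,
                         skip_items=["Passcode", "Siri"],
                         anchor_certs=[FAKE_PEM], pairing_certs=[FAKE_DER],
                         custom_web_url=CUSTOM_WEB_URL)


if __name__ == "__main__":
    print(json.dumps(demo_profile(), indent=2))
```

Skipping only "Passcode" expands to Passcode, Biometric and Payment, matching the auto-selection the UI performs, and both certificate inputs end up as the same base64 DER string regardless of which file format was uploaded.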

macOS Account Creation

Enrolling a macOS device through Apple Device Enrollment requires an administrator account on the device. You can prompt users to create an administrator account for themselves, or you can define an administrator account in Ivanti EPMM, which Ivanti EPMM then pushes to macOS Apple School Manager devices.

Prompt primary account setup to users

Select to prompt the device user to set up a primary account for the macOS Apple School Manager device.

You can prompt the user to create a regular account or an administrator account. If you prompt users to create a regular account, you will still need to create an administrator account for enrolling macOS devices in Apple School Manager. This is because device enrollment on macOS devices requires the use of an administrator account.

  • Regular user: The device user is prompted to create a regular user account. If you select this option, you must still create an administrator account for use on the Apple School Manager device in the Setup Managed macOS Admin Account section.

  • Administrator user: The device user is prompted to create an administrator account to be used when enrolling the device in Device Enrollment. You can create an additional administrator account that Ivanti EPMM synchronizes with Apple School Manager devices by selecting the Create a new admin user account option.

    For macOS devices, be sure to select Await device configuration during DEP setup, as this option has the effect of allowing account setup during the Apple Device Enrollment process.

Skip primary account setup

The Apple School Manager device user is not prompted to set up an account when enrolling the device in Device Enrollment. You create an administrator account in Ivanti EPMM instead, so that an administrator account exists on the device when the user enrolls it in Device Enrollment.

Select to create a new user with administrator privileges for use when configuring the Apple School Manager device.

As there is no primary account that can be used as an administrator user, you must create an administrator user in the next section of this window.

Create a new administrator user account

Select to enable the creation of an administrator account.

Device Enrollment on macOS devices requires the use of an administrator account.

Setup Managed macOS Administrator Account

Fill in the following entries to setup the Administrator account:

  • Username: Enter the short name (username) of the managed administrator account. This is the name used when logging on to the device.
    An account with this username is created on the macOS device during enrollment.

  • Full Name: Enter the full name of the managed administrator account, as it will appear under Settings > Users & Groups on the device.
    An account with this full name is created on the macOS device during enrollment.

  • Password: Enter a password for the administrator account and confirm it.

  • Hide managed administrator account in Users & Groups: Select this option to hide the administrator account from device users. When selecting Settings > Users & Groups on a macOS Apple School Manager device, the administrator account will be hidden from view.