Account driven User Enrollment
Applicable to
- Devices with iOS 15+
- Devices with macOS 14+
- Devices with visionOS 1.1+
Account driven User Enrollment for iOS 15+, macOS 14+, and visionOS 1.1+ devices is an enrollment option designed for companies implementing BYOD (Bring Your Own Device). Account driven User Enrollment is a modified version of the MDM protocol and User Enrollment with Apple Business Manager with a much greater focus on user privacy, implemented with a level of security that enterprises need.
Prerequisites
- A user must have an account in Ivanti Neurons for MDM with a managed Apple ID (Apple school or work account).
- Under Users > User Settings, set Device Owner Settings to ON, then select the User Owned option.
Set up the discovery service
If your enterprise has an enterprise domain name, for example, acme.com, then the email ID for your device is [email protected].
- The user enters [email protected] to sign in to their work or school account, and the device then makes an HTTP GET request to the URL:
https://acme.com/.well-known/[email protected]
For more information, see https://developer.apple.com/documentation/devicemanagement/discover_authentication_servers
- On the acme.com domain, configure a redirection rule for the URI /.well-known/com.apple.remotemanagement to redirect it to the following URL:
https://<n-MDM cluster>/.well-known/com.apple.remotemanagement
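Because this redirect decides which server a device enrolls with, it is worth checking after every change to the web server on the enterprise domain. The following check is an added example, not Ivanti or Apple code: `expected_host` stands in for your `<n-MDM cluster>` host name, and the query pass-through test is an assumption that the MDM endpoint needs the query the device sent.

```python
"""Check the discovery redirect on the enterprise domain (added example)."""
import http.client
from urllib.parse import urlsplit

WELL_KNOWN = "/.well-known/com.apple.remotemanagement"
REDIRECT_CODES = {301, 302, 303, 307, 308}


def check_redirect(status, location, expected_host, sent_query=""):
    """Return a list of problems with one response; an empty list means OK."""
    if status not in REDIRECT_CODES:
        return [f"status {status} is not a redirect"]
    if not location:
        return ["redirect has no Location header"]
    url = urlsplit(location)
    problems = []
    # The target must be an absolute HTTPS URL; a relative or http:// target
    # keeps the device on the wrong host or on a cleartext channel.
    if url.scheme != "https":
        problems.append(f"target scheme is {url.scheme or 'missing'}, not https")
    if "@" in url.netloc:
        problems.append("target contains userinfo")
    # Exact host match: a suffix or substring test would accept look-alikes.
    if (url.hostname or "").lower() != expected_host.lower():
        problems.append(f"target host {url.hostname!r} is not {expected_host!r}")
    if url.path != WELL_KNOWN:
        problems.append(f"target path {url.path!r} is not {WELL_KNOWN!r}")
    # Assumption: the MDM endpoint needs the query string the device sent.
    if sent_query and url.query != sent_query:
        problems.append("query string was not passed through")
    return problems


def fetch_redirect(domain, query=""):
    """Send the GET the device would send, without following the redirect."""
    conn = http.client.HTTPSConnection(domain, timeout=10)
    try:
        conn.request("GET", WELL_KNOWN + ("?" + query if query else ""))
        resp = conn.getresponse()
        return resp.status, resp.getheader("Location")
    finally:
        conn.close()
```

Pass the result of `fetch_redirect("acme.com", query)` to `check_redirect` with your cluster host name; any returned message means users would not reach the intended MDM endpoint.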
Device user instructions for registering using Account Driven User Enrollment
This topic describes the actions the device user needs to take to register using Account Driven User Enrollment.
Procedure
- On the device, go to one of the following:
  - For iOS device - Settings > General > VPN & Device Management.
  - For macOS device - System Settings > Privacy & Security > Profiles.
  - For visionOS device - Settings > General > VPN & Device Management.
- Go to Sign in to Work or School Account.
- Type the work or school account email address. Ensure that the email address is in the following format:
username@<enterprise domain name>, for example, [email protected].
- The login page automatically takes the Managed Apple ID and takes the user through the iReg flow. Ensure that you enter Ivanti Neurons for MDM credentials.
- Type the work or school account credentials and click Continue.
- After 2-factor authentication, the device enrollment completes.