Account driven User Enrollment

Applicable to

  • Devices with iOS 15+

Account driven User Enrollment for iOS 15+ devices is an enrollment option designed for companies implementing BYOD (Bring Your Own Device). It is a modified version of the MDM protocol and of User Enrollment with Apple Business Manager, with a much greater focus on user privacy, implemented with the level of security that enterprises need.

Prerequisites

The requirements for Account Driven User Enrollment are as follows:

  • An unsupervised device with iOS 15+
  • A user account in Ivanti Neurons for MDM with a Managed Apple ID (Apple school or work account)

Set up the discovery service

If your enterprise has an enterprise domain name, for example, acme.com, then the Managed Apple ID for your users has the form username@acme.com. To enable service discovery for your enterprise, you must provide a well-known endpoint as follows:

GET https://acme.com/.well-known/com.apple.remotemanagement

The endpoint will return a JSON object containing your Ivanti Neurons for MDM cluster registration base URL as follows:

/c/i/reg/userenroll.mobileconfig

The Ivanti Neurons for MDM URL must begin with https and not http.

Example:

{
    "Servers": [
        {
            "Version": "mdm-byod",
            "BaseURL": "https://<your polaris cluster>/c/i/reg/userenroll.mobileconfig"
        }
    ]
}

For more information, see the following URL:

https://developer.apple.com/documentation/devicemanagement/discover_authentication_servers
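
The check below is an added example, not part of the Ivanti documentation. It validates a discovery response body against the requirements stated on this page: valid JSON, a Servers entry with Version mdm-byod, and an https BaseURL ending in the registration path. The function name and the sample host mdm.example.com are assumptions for illustration.

```python
import json
from urllib.parse import urlsplit

# Path and version string as given on this page.
ENROLL_PATH = "/c/i/reg/userenroll.mobileconfig"
BYOD_VERSION = "mdm-byod"


def check_discovery_document(body: str) -> list[str]:
    """Return a list of problems found in a well-known response body."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} at line {exc.lineno}"]

    servers = doc.get("Servers") if isinstance(doc, dict) else None
    if not isinstance(servers, list) or not servers:
        return ['missing or empty "Servers" array']

    problems = []
    byod_seen = False
    for i, entry in enumerate(servers):
        # Only entries for account driven User Enrollment are checked.
        if not isinstance(entry, dict) or entry.get("Version") != BYOD_VERSION:
            continue
        byod_seen = True
        url = entry.get("BaseURL")
        if not isinstance(url, str):
            problems.append(f"Servers[{i}]: BaseURL missing")
            continue
        parts = urlsplit(url)
        if parts.scheme != "https":
            problems.append(f"Servers[{i}]: BaseURL must use https")
        if not parts.hostname:
            problems.append(f"Servers[{i}]: BaseURL has no host")
        if parts.path != ENROLL_PATH:
            problems.append(f"Servers[{i}]: unexpected path {parts.path!r}")
    if not byod_seen:
        problems.append(f'no entry with Version "{BYOD_VERSION}"')
    return problems


# Constructed sample bodies; mdm.example.com is a placeholder cluster host.
GOOD = '{"Servers":[{"Version":"mdm-byod","BaseURL":"https://mdm.example.com/c/i/reg/userenroll.mobileconfig"}]}'
HTTP = GOOD.replace("https://", "http://")
CURLY = GOOD.replace('"', "\u201c", 1)  # smart quote pasted from a document

if __name__ == "__main__":
    for name, body in [("good", GOOD), ("http", HTTP), ("curly", CURLY)]:
        print(name, check_discovery_document(body) or "OK")
```

Run it against the body your web server actually returns for the well-known path before pointing devices at it; a body pasted from a word processor often fails at the JSON step because of typographic quotes.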

Device user instructions for registering using Account Driven User Enrollment

This topic describes the actions the device user needs to take to register using Account Driven User Enrollment.

Procedure

  1. On the iOS device, open Settings > General > VPN & Device Management.
  2. Go to Sign in to Work or School Account.
  3. Type the work or school account email address. Ensure that the email address uses the following format:

    username@<enterprise domain name>, for example, username@acme.com.
  4. The login page automatically takes the Managed Apple ID and takes the user through the iReg flow. Ensure that you enter Ivanti Neurons for MDM credentials.
  5. Type the work or school account credentials and click Continue.
  6. After a 2-factor authentication, the device enrollment completes.