Account driven User Enrollment

Applicable to

  • Devices with iOS 15+
  • Devices with macOS 14+

Account Driven User Enrollment for iOS 15+ and macOS 14+ devices is an enrollment option designed for companies implementing BYOD (Bring Your Own Device). It is a modified version of the MDM protocol and of User Enrollment with Apple Business Manager, with a much greater focus on user privacy, implemented with the level of security that enterprises need.

Prerequisites

The requirements for Account Driven User Enrollment are as follows:

  • An unsupervised device with iOS 15+
  • A device with macOS 14+
  • A user account in Ivanti Neurons for MDM with managed Apple ID (Apple school or work account)

Set up the discovery service

If your enterprise has an enterprise domain name, for example, acme.com, then the email ID for your users is username@acme.com.

  1. The user enters username@acme.com to sign in to their work or school account, and the device then makes an HTTP GET request to the URL:
    https://acme.com/.well-known/com.apple.remotemanagement?user-identifier=username@acme.com
    For more information, see https://developer.apple.com/documentation/devicemanagement/discover_authentication_servers

  2. On the acme.com domain, configure a redirection rule for the URI /.well-known/com.apple.remotemanagement that redirects it to the following URL:
    https://<n-MDM cluster>/.well-known/com.apple.remotemanagement
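The two steps above can be checked offline before users start enrolling. The following script is an added example and is not Ivanti's or Apple's code: it builds the discovery URL a device sends for a username@<enterprise domain> address, validates a redirect answer from the enterprise domain (redirect status, https target, unchanged well-known path, user identifier still present on the target URL), and parses the discovery response. The response shape it expects (a JSON object with a Servers array whose entries carry Version and BaseURL) and the user-identifier query parameter follow the Apple documentation linked in step 1; the host names mdm.example.invalid and acme.com are constructed placeholders for the Ivanti Neurons for MDM cluster and the enterprise domain, and the requirement that the redirect forward the user-identifier parameter is an assumption made here.

```python
"""Offline checker for the Account Driven User Enrollment discovery step.

Added example, not Ivanti's or Apple's code. It assumes the request and
response shape in Apple's "Discover authentication servers" documentation:
the device sends GET https://<domain>/.well-known/com.apple.remotemanagement
with a user-identifier query parameter, and the final answer is JSON of the
form {"Servers": [{"Version": "...", "BaseURL": "https://..."}]}.
Host names below are constructed placeholders.
"""
import json
from urllib.parse import parse_qs, urlencode, urlsplit

WELL_KNOWN_PATH = "/.well-known/com.apple.remotemanagement"
REDIRECT_STATUSES = (301, 302, 307, 308)


def discovery_url(email: str) -> str:
    """Build the URL the device fetches for a username@<enterprise domain> address."""
    local, sep, domain = email.rpartition("@")
    if not (sep and local and domain) or "/" in domain:
        raise ValueError(f"not a username@domain address: {email!r}")
    query = urlencode({"user-identifier": email})
    return f"https://{domain}{WELL_KNOWN_PATH}?{query}"


def check_redirect(request_url: str, status: int, location: str) -> list:
    """Return a list of problems with the enterprise domain's redirect to the MDM cluster.

    An empty list means the rule behaves as the setup step expects: a redirect
    status, an https target, the same well-known path, and the user-identifier
    the device sent still present on the target URL (assumption: the MDM
    cluster needs it to identify the user).
    """
    problems = []
    if status not in REDIRECT_STATUSES:
        problems.append(f"status {status} is not a redirect")
    src, dst = urlsplit(request_url), urlsplit(location)
    if dst.scheme != "https":
        problems.append("redirect target is not https")
    if dst.path != WELL_KNOWN_PATH:
        problems.append(f"redirect target path is {dst.path!r}, expected {WELL_KNOWN_PATH!r}")
    if parse_qs(dst.query).get("user-identifier") != parse_qs(src.query).get("user-identifier"):
        problems.append("user-identifier query parameter was dropped or altered")
    return problems


def parse_discovery_response(body: bytes) -> list:
    """Parse the discovery JSON and return its server entries.

    Raises ValueError when the document is not the expected shape or when a
    BaseURL is not https, so a misconfigured endpoint fails loudly instead of
    sending the device to an unexpected enrollment server.
    """
    doc = json.loads(body.decode("utf-8"))
    servers = doc.get("Servers") if isinstance(doc, dict) else None
    if not isinstance(servers, list) or not servers:
        raise ValueError("response has no non-empty 'Servers' array")
    for entry in servers:
        if not isinstance(entry, dict) or "Version" not in entry or "BaseURL" not in entry:
            raise ValueError(f"server entry is missing Version or BaseURL: {entry!r}")
        if urlsplit(entry["BaseURL"]).scheme != "https":
            raise ValueError(f"BaseURL is not https: {entry['BaseURL']!r}")
    return servers


# Constructed sample data standing in for the enterprise domain and MDM cluster.
SAMPLE_REQUEST = discovery_url("username@acme.com")
GOOD_LOCATION = ("https://mdm.example.invalid" + WELL_KNOWN_PATH
                 + "?user-identifier=username%40acme.com")
BAD_LOCATION = "http://mdm.example.invalid" + WELL_KNOWN_PATH
SAMPLE_BODY = json.dumps(
    {"Servers": [{"Version": "mdm-byod", "BaseURL": "https://mdm.example.invalid/enroll"}]}
).encode("utf-8")

if __name__ == "__main__":
    print(SAMPLE_REQUEST)
    print("good redirect problems:", check_redirect(SAMPLE_REQUEST, 302, GOOD_LOCATION))
    print("bad redirect problems:", check_redirect(SAMPLE_REQUEST, 302, BAD_LOCATION))
    print("servers:", parse_discovery_response(SAMPLE_BODY))
```

To use it against a real deployment, fetch the discovery URL for a test account without following redirects, pass the status and Location header to check_redirect, then fetch the Location and pass the body to parse_discovery_response. A plain-http redirect target or a dropped query string is the most common misconfiguration this catches, and both surface as entries in the returned problem list.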

Device user instructions for registering using Account Driven User Enrollment

This topic describes the actions the device user needs to take to register using Account Driven User Enrollment.

Procedure

  1. On the device go to one of the following:
    1. For iOS device - Settings > General > VPN & Device Management.
    2. For macOS device - System Settings > Privacy & Security > Profiles.

  2. Go to Sign in to Work or School Account.
  3. Type the work or school account email address. Ensure that the email address follows this format:

    username@<enterprise domain name>, for example, username@acme.com.
  4. The login page automatically picks up the Managed Apple ID and takes the user through the iReg flow. Ensure that you enter your Ivanti Neurons for MDM credentials.
  5. Type the work or school account credentials and click Continue.
  6. After two-factor authentication, the device enrollment completes.