Apple MDM Enrolment Methods

Description

Enrolling Apple devices involves the installation of an MDM Enrolment Profile.

Installation may be initiated by either the user or the device. This same distinction also applies to the linking of the enrolment.

Initiating Enrolment

This refers to the driving force of enrolment.

Consider Automated Device Enrolment (ADE), delivering the Profile before authentication (if configured). This is an example of profile-based enrolment.

Account-driven enrolment relies on the authentication of a user in advance.

User vs Device Enrolment

Automated Device Enrolment links enrolment with the identity of the device; providing the maximum management options available. The extreme opposite is Bring Your Own Device (BYOD) enrolment. This is an example of the user's identity linking enrolment and provides the minimum amount of control.

User enrolment cryptographically separates organisational data from user data and limits many features of MDM. Further details explained in Apple's KB:

User Enrolment and MDM

Overview

Therefore, the key methods of enrolment can be categorised as:

profile-based device enrolment
account-driven device enrolment
profile-based user enrolment
account-driven user enrolment

Enrolment Methods

Automated Device Enrolment

On startup, the device reaches out to Apple and, where associated, the Enrolment Profile is delivered to the device and installed. The user is then prompted for authentication (if not configured for no authentication).

OTA Enrolment

This enrolment type potentially has two offerings:

User authenticates to download the Enrolment Profile and then instals the Profile manually.
An Enrolment Profile is provided to the user, for example by email, and the user manually instals the Profile.

BYOD

BYOD also could be described with two possible options:

Enrolment Profile is downloaded and then the user authenticates (deprecated, see below note)
User authenticates in Settings and then approves the subsequently downloaded Profile.

Deprecation

Although definitions exist for all enrolment methods above, as of iOS18 and macOS15 Apple will no longer support profile-based user enrolment. This impacts the first described BYOD enrolment method, meaning BYOD with personal devices must action account-driven user enrolment.

Account-Driven User Enrolment

Although these are personal devices, this enrolment method requires the user to add credentials into Settings which must be a Managed Apple ID. Federated Authentication links a supported IdP with Apple, matching Managed Apples IDs with IdP usernames and passwords.

Federated Authentication

Initial support for Account-driven user enrolment is currently targeted for FileWave 15.5. Confirmation of inclusion should be available closer to release.

Desktop / Laptop Client Install and Configure

Enrolling Computer Clients in to FileWave

Mass Deploy Windows FileWave Client

Apple Notarisation and Custom PKG Installers

Apple MDM Enrolment Methods

User Approved MDM Enrollment (macOS)

macOS MDM Enrolment State

Enrolling Mobile Devices into FileWave

Enrolling AppleTV into FileWave

Importing Computer Clients from a File

FileWave Custom Installer

Superprefs Fileset

FileWave Client Configuration Settings

Location Tracking Technologies

Location Tracking Setup

Apple MDM Missing Enrolment Profile

Clearing FileWave Client Certs

FileWave Client notification for zsh running in the background

FileWave Client Rename Behavior

FileWave Client Status Check: How to ask the client what it is doing on macOS and Windows

FileWave Windows Network Sweeper

PSExec as a Helper in Troubleshooting

Using PsExec to Remotely Restart the FileWaveWinClient Service

Understanding and Resolving Proxy Communication Issues in FileWave

Using PowerShell to Remotely Check the Windows FileWave Client Status

When does the inventory client run scans?

Archiving Clients

Retiring a device from FileWave

Uninstall the FileWave Client on Windows

Uninstall the FileWave Client on macOS

Removing Android Devices

Apple MDM Enrolment Methods

Description

Initiating Enrolment

User vs Device Enrolment

Overview

Enrolment Methods

Automated Device Enrolment

OTA Enrolment

BYOD

Deprecation

Account-Driven User Enrolment

Related Content

No Comments