Apple MDM Enrolment Methods

Description

Enrolling Apple devices involves the installation of an MDM Enrolment Profile.  

 

Installation may be initiated by either the user or the device.  This same distinction also applies to the linking of the enrolment.

image.png

Initiating Enrolment

This refers to the driving force of enrolment.

Consider Automated Device Enrolment (ADE), delivering the Profile before authentication (if configured). This is an example of profile-based enrolment.

Account-driven enrolment relies on the authentication of a user in advance.

User vs Device Enrolment

Automated Device Enrolment links enrolment with the identity of the device; providing the maximum management options available.  The extreme opposite is Bring Your Own Device (BYOD) enrolment.  This is an example of the user's identity linking enrolment and provides the minimum amount of control.

User enrolment cryptographically separates organisational data from user data and limits many features of MDM.  Further details explained in Apple's KB:

User Enrolment and MDM

Overview

Therefore, the key methods of enrolment can be categorised as:

Enrolment Methods

Automated Device Enrolment

On startup, the device reaches out to Apple and, where associated, the Enrolment Profile is delivered to the device and installed.  The user is then prompted for authentication (if not configured for no authentication).

OTA Enrolment

This enrolment type potentially has two offerings:

BYOD

BYOD also could be described with two possible options:

Deprecation

Although definitions exist for all enrolment methods above, as of iOS18 and macOS15 Apple will no longer support profile-based user enrolment.   This impacts the first described BYOD enrolment method, meaning BYOD with personal devices must action account-driven user enrolment.

Account-Driven User Enrolment

Although these are personal devices, this enrolment method requires the user to add credentials into Settings which must be a Managed Apple ID.  Federated Authentication links a supported IdP with Apple, matching Managed Apples IDs with IdP usernames and passwords.

Federated Authentication

Initial support for Account-driven user enrolment is currently targeted for FileWave 15.5.  Confirmation of inclusion should be available closer to release.


Revision #10
Created 13 September 2024 07:15:16 by Sean Holden
Updated 4 November 2024 13:55:40 by Sean Holden