
Account Driven Enrollment for iOS/iPadOS


What

In 2021, Apple introduced a new way of initiating BYOD: Account Driven Enrollment. With iOS 18 / iPadOS 18, profile based User Enrollment is no longer supported; FileWave 15.5 now supports Account Driven Enrollment (ADE).

When/Why

Apple wants BYOD to be as secure as possible; with ADE, the complexity of making it secure now rests on the organization's shoulders. ADE relies on a mechanism for MDM discovery.

How

Enrolling a Device

For iOS/iPadOS devices, FileWave supports the new BYOD workflow based on Apple Account Driven Enrollment.

On iPhone or iPad, the user navigates to Settings > General > VPN & Device Management and then selects the Sign In to Work or School Account button.

The email entered will be used by the device to discover the MDM server. If you enter "pn@widget.ch", the device will query the widget.ch domain, more specifically https://widget.ch/.well-known/com.apple.remotemanagement

This endpoint must return a specific JSON message which contains all the information required to proceed with MDM BYOD enrollment. This means that organizations must have a way to control this URL, which could be an issue for those who completely outsource their website management (see below for potential workarounds).

FileWave Setup

The Enrollment option in FileWave now enables both legacy BYOD and the new ADE:

FileWave can't manage your domain, but provides some helpers:

1. Well-known content (JSON) can be retrieved, so if you want to host the file yourself, you can easily get the content.
   If you press the "Well-known content" button, the following JSON will be copied to your clipboard: {"Servers": [{"Version": "mdm-byod", "BaseURL": "https://pn.filewave.ch:20445/ios/byod/enroll/"}]}; you can then create the file which will be served by your web server.

2. Another option is to set up a redirection from your web server (https://domain/.well-known/com.apple.remotemanagement) to the FileWave server endpoint; the endpoint can be retrieved by clicking the Well-known URL button: https://pn.filewave.ch:20445/ios/byod/well-known/ for instance.

Check your web server documentation for details about how to set up redirection. Apache, for instance, can be configured by adding the following inside the VirtualHost section (mod_rewrite must be loaded, and the rewrite engine enabled):

RewriteEngine On
RewriteRule ^/\.well-known/com\.apple\.remotemanagement https://pn.filewave.ch:20445/ios/byod/well-known/ [R=301,L]
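Whichever option you choose, it is worth verifying that the discovery document the device will receive is well formed before rolling ADE out. The script below is an added example, not FileWave's code: it derives the well-known URL from a Managed Apple Account address the way the device does, validates the JSON structure described above (a Servers array whose entries carry Version "mdm-byod" and an https BaseURL), and can optionally fetch the live endpoint, following a redirect like the one configured in Apache. The sample documents are constructed from the article's own example.

```python
import json
import sys
import urllib.request
from urllib.parse import urlparse

WELL_KNOWN_PATH = "/.well-known/com.apple.remotemanagement"


def discovery_url(managed_apple_account):
    """Derive the URL the device will query from the sign-in email address."""
    local, sep, domain = managed_apple_account.rpartition("@")
    if not (sep and local and domain):
        raise ValueError("not an email address: %r" % managed_apple_account)
    return "https://%s%s" % (domain.lower(), WELL_KNOWN_PATH)


def validate_discovery_document(body):
    """Return the problems found in a well-known response body; an empty list means OK."""
    try:
        doc = json.loads(body)
    except ValueError as exc:
        return ["body is not valid JSON: %s" % exc]
    servers = doc.get("Servers") if isinstance(doc, dict) else None
    if not isinstance(servers, list) or not servers:
        return ['missing or empty "Servers" array']
    problems = []
    for i, srv in enumerate(servers):
        if not isinstance(srv, dict):
            problems.append("Servers[%d] is not an object" % i)
            continue
        if srv.get("Version") != "mdm-byod":
            problems.append('Servers[%d].Version must be "mdm-byod", got %r' % (i, srv.get("Version")))
        base = srv.get("BaseURL", "")
        parsed = urlparse(base)
        if parsed.scheme != "https" or not parsed.netloc:  # enrollment must not go over plain http
            problems.append("Servers[%d].BaseURL must be an https URL, got %r" % (i, base))
    return problems


def check_domain(managed_apple_account, timeout=10.0):
    """Fetch the document as the device would (redirects are followed) and validate it."""
    with urllib.request.urlopen(discovery_url(managed_apple_account), timeout=timeout) as resp:
        final_url, body = resp.geturl(), resp.read()
    problems = validate_discovery_document(body)
    if not final_url.startswith("https://"):  # a redirect must not downgrade to http
        problems.insert(0, "redirect landed on a non-https URL: %r" % final_url)
    return problems


# Constructed samples: the first is the JSON the "Well-known content" button copies in the article.
SAMPLE_OK = b'{"Servers": [{"Version": "mdm-byod", "BaseURL": "https://pn.filewave.ch:20445/ios/byod/enroll/"}]}'
SAMPLE_PLAIN_HTTP = b'{"Servers": [{"Version": "mdm-byod", "BaseURL": "http://pn.filewave.ch:20445/ios/byod/enroll/"}]}'

if __name__ == "__main__":
    print("offline sample:", validate_discovery_document(SAMPLE_OK) or "OK")
    if len(sys.argv) > 1:  # e.g. python check_wellknown.py pn@widget.ch
        print(discovery_url(sys.argv[1]), "->", check_domain(sys.argv[1]) or "OK")
```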

Digging Deeper

Device Enrollment Process Workflow

1. Navigate to Settings > General.
2. Navigate to VPN & Device Management.
3. Tap Sign In to Work or School Account…
4. Enter your Managed Apple Account and press Continue.
5. The device will now show the usual authentication page, if configured; IdP login is supported as well. Enter credentials and press Sign In.
6. After a few seconds, the device will ask the user to sign in to iCloud. Press the button and enter your Managed Apple Account password.
7. Then press Allow Remote Management to start enrollment.

After enrollment, the device may prompt to restore iCloud data.

And now the device is ready. As a final step we just need to add the device to FileWave. It will show up in the New Mobile Client dialog (or will be added to the model if Auto-Enrollment is set).
