Account-Driven Enrollment for iOS/iPadOS BYOD Devices (v15.0+)

What

In 2021, Apple introduced Account-Driven User Enrollment, a new ~~way~~method for initiating Bring Your Own Device (BYOD) enrollments. With the releases of ~~initiating BYOD :~~ ~~Account Driven Enrollment. With~~ iOS 1817 /and iPadOS ~~18,~~17, ~~profile~~ profile-based User Enrollment is deprecated, and starting with iOS 18 and iPadOS 18, it is no longer ~~supported~~supported. ;To align with these changes, FileWave 15.5 now supports ~~Account~~Account-Driven ~~Driven~~User Enrollment (ADE)., enabling organizations to securely enroll BYOD devices using this new workflow.

When/Why

When to Use

BYOD Environments: When employees use their personal iOS or iPadOS devices for work purposes and need access to corporate resources.

Transitioning from Profile-Based Enrollment: As profile-based User Enrollment is being phased out, organizations should begin migrating to Account-Driven User Enrollment to ensure compatibility with future iOS and iPadOS versions.

Why This Feature Matters

Apple ~~wants~~aims to enhance the security and privacy of BYOD todeployments. beAccount-Driven asUser Enrollment offers several benefits:

Improved Security: Separates personal and corporate data more effectively, protecting user privacy and corporate assets.

Simplified Enrollment: Users can enroll their devices by signing in with their Managed Apple ID, streamlining the enrollment process.

Modern Authentication: Utilizes OAuth 2.0 and OpenID Connect for authentication, providing a more secure asand ~~possible~~standardized ;method.

Organizational Control: Shifts the responsibility of secure enrollment to the organization, allowing for better compliance with ~~ADE,~~internal ~~the~~policies.

~~complexity~~

Account-Driven ~~make~~Enrollment ~~it secure is now~~relies on the ~~Organization shoulders. ADE relies on~~ Well-known URI mechanism for Mobile Device Management (MDM) discovery, ensuring that devices can locate the MDM ~~discovery.~~server securely and efficiently.

How

Enrolling a Device Using Account-Driven User Enrollment

~~For~~To ~~iOS/~~enroll an iOS or iPadOS ~~devices,~~device ~~supports~~using ~~new BYOD workflow based on Apple~~ ~~Account~~ Account-Driven User Enrollment. with FileWave 15.5:

On their iPhone or iPad, the user navigates to Settings > General > VPN & Device Management and ~~then selects the~~taps Sign In to Work or School ~~Account button.~~Account.

The email entered ~~will be~~is used by the device to discover the MDM server. IfFor example, if you enter “pn@widget.~~ch"~~ch”, the device ~~will query~~queries the widget.ch domain, ~~more~~ specifically at https://widget.ch/.well-known/com.apple.remotemanagement.

This endpoint must return a specific ~~json~~JSON message ~~which contains~~containing all the information required to proceed towith MDM BYOD enrollment. ~~This means that~~Therefore, organizations must have acontrol ~~way to control~~over this ~~url,~~URL, which could be ~~any~~an issue for ~~the~~those ~~ones~~who completely ~~outsourcing~~outsource their website management (see below for potential workarounds).

FileWave Setup

~~Existing~~The existing User Enrollment option in FileWave now enables both legacy BYOD and the new ~~ADE:~~Account-Driven Enrollment (ADE):

FileWave ~~can’t~~cannot manage your ~~domain,~~domain but provides some ~~helpers:~~helpful options:

Retrieving the Well-~~known~~Known ~~content~~Content (~~json)~~JSON):
~~can~~
- ~~retrieved, so if~~
  If you ~~want~~prefer to host the required file yourself, you can easily ~~get~~obtain the ~~content.~~
  Ifnecessary ~~you~~JSON ~~press~~content from FileWave.
- Click the “Well-known content” ~~button,~~button in the FileWave interface. The following ~~json~~JSON will be copied ~~into~~to your ~~clipboard~~clipboard:
  :
```
{"Servers": [{"Version": "mdm-byod", "BaseURL": "https://pn.filewave.widget.ch:20445/ios/byod/enroll/"}]} ; you can then create the file which will be served by your web server.
```
- ~~Another option is to setup~~Create a ~~redirection~~file containing this JSON and serve it from your web server at the appropriate URL (https://~~domain/~~yourdomain/.well-known/com.apple.remotemanagement).

Setting Up a Redirection to the FileWave Server Endpoint:
- Alternatively, you can configure your web server to redirect requests from https://yourdomain/.well-known/com.apple.remotemanagement to the FileWave server ~~endpoint~~endpoint.
  ;
- Retrieve the endpoint ~~can be retrieved~~URL by clicking ~~the.~~the “Well-known ~~URL~~URL” button :in FileWave. For example, the endpoint might be:
```
https://pn.filewave.widget.ch:20445/ios/byod/well-known/ for instance.
```

~~Check~~Consult your web server documentation for details ~~about~~on ~~how~~setting up the redirection. For instance, to ~~setup redirection.~~configure Apache, ~~for instance, can be configured by adding~~add the following directive inside the VirtualHost section:

RewriteRule ^/.well-known/com.apple.remotemanagement https://pn.filewave.widget.ch:20445/ios/byod/well-known/ [R=301,L]

Apple: User Enrollment and MDM

Well-known URI

Digging Deeper

Device Enrollment Process Workflow

Navigate to Settings, General
Navigate to VPN & Device Management
Tap Sign In to Work or School Account…
Enter your Managed Apple Account, press Continue.
~~Device~~ The device will now ~~show~~display the ~~usual~~standard authentication ~~page,~~page if ~~configured ;~~configured; IDP login is ~~supported~~also ~~as well.~~supported. Enter your credentials and ~~press~~tap Sign ~~In.~~In.
After a few seconds, the device will ~~ask~~prompt ~~user~~you to ~~Sign~~sign in to iCloud. ~~Press~~Tap the button and enter your Managed Apple ~~Account~~ID password.
And then, press Allow Remote Management to start enrollment.
After enrollment, device may prompt to restore iCloud data.

~~And now~~Now the device is ready. As a final ~~step~~step, ~~we just~~you need to add the device to FileWave. It will ~~show up~~appear in the “New Mobile ~~Client~~Client” ~~dialog~~dialog, (or it will be automatically added to the model if Auto-Enrollment is ~~set).~~enabled.