Personal Device Profiles

Personal device profiles are used to enroll personally owned iOS and Android devices with the Jamf Software Server (JSS) via user-initiated enrollment. Personal device profiles are also used to perform management tasks on personally owned devices, including defining settings and distributing managed apps to personal iOS devices.

You can create one personal device profile for each site in the JSS, and one profile for the full JSS. A personal device profile is only used to enroll and manage devices if the profile is enabled in the General payload.

The personal device profile used to enroll and manage a device is based on the site that the mobile device user has access to. Site access is determined by the LDAP directory account or JSS user account credentials entered during user-initiated enrollment. (For information on specifying the sites that LDAP user groups have access to during enrollment, see User-Initiated Enrollment Settings.)

If a profile has been enabled for the site, that profile is used to enroll the device and add the device to the site. If a profile has not been enabled for the site, or if sites have not been added to the JSS, the profile for the full JSS is used if it is enabled.

Note: Changing the site that a personal device belongs to automatically changes the profile that is used to perform management tasks on the device. If a profile has not been enabled for the new site, the device will continue to be managed by the JSS, but all settings and apps that were previously defined by the old profile are removed.

Personal Device Profile Payloads

The payloads and settings that you can configure using a personal device profile represent a subset of the iOS configuration profile payloads and settings available for institutionally owned mobile devices.

Before creating a personal device profile, you should have basic knowledge of configuration profile payloads and settings, and how they affect mobile devices. For detailed information about each payload and setting, see Apple’s Profile Manager documentation at:

https://help.apple.com/profilemanager/mac

Some personal device profile settings are unique to the JSS. For more information on these settings, see the following Knowledge Base article:

Personal Device Profile Settings Reference

Managed App Distribution to Personal iOS Devices

When creating or editing a personal device profile, you can specify managed in-house apps and App Store apps to distribute to personal iOS devices. Available apps include all managed apps that have been added to the site that the profile is assigned to, and all managed apps that have been added to the full JSS.

When a managed app is distributed to personal iOS devices, the personal device profile automatically applies settings to do the following:

  • Distribute the app using the Install Automatically/Prompt Users to Install distribution method

  • Remove the app when the MDM profile is removed

  • Prevent backup of app data

  • Prevent opening documents from managed apps in unmanaged apps

When selecting managed apps to distribute, you have the option to clone an unmanaged app and make it managed. This adds a managed version of the app to the JSS and leaves the original app unmanaged.

Note: Not all apps can be managed by the JSS. For information on the factors that determine whether an app can be managed, see Understanding Managed Apps.

Requirements

To create personal device profiles, the User-Initiated Enrollment settings must be configured to allow user-initiated enrollment for personally owned devices on the iOS or Android platform. (For more information, see User-Initiated Enrollment Settings.)

To enroll and manage personal iOS devices, you need:

  • Mobile devices with iOS 4 or later (iOS 7 or later is recommended)

  • A push certificate in the JSS (For more information, see Push Certificates.)

Note: To distribute managed apps to personal iOS devices, the devices must have iOS 5 or later and an MDM profile that supports managed apps. For more information, see Managed App Requirements.

To enroll and manage personal Android devices, you need:

  • Mobile devices with Android 4.0.3 or later

  • A proxy server token in the JSS (For more information, see Jamf Push Proxy.)

In addition, as part of user-initiated enrollment for personal Android devices, users need to install the Self Service Mobile app from Google Play. After enrollment, Self Service Mobile must remain installed on an enrolled Android device to keep the device managed by the JSS. (For more information, see User-Initiated Enrollment Experience for Mobile Devices.)

Note: Although not required, it is recommended that you configure the Mobile Device Inventory Collection settings to collect user and location information from LDAP. This is recommended because the mobile device name displayed in inventory for an Android device is often cryptic, making it difficult to identify a specific device. By collecting user and location information, you can search for and identify a specific Android device based on the Username field in the mobile device’s inventory information.

Creating a Personal Device Profile

You can only create a personal device profile if there is an available site (or the full JSS) that does not have a profile assigned to it.

  1. Log in to the JSS with a web browser.

  2. Click Mobile Devices at the top of the page.

  3. Click Personal Device Profiles.

  4. Click New.
    Note: Only one personal device profile can be created per site in the JSS. If all sites (or the full JSS) already have an assigned personal device profile, you will not be able to create a new one.

  5. Use the General payload to configure basic settings for the profile, including the display name and the site to assign the profile to.
    Note: If you have site access only, the profile is assigned to the applicable site automatically and the Site pop-up menu is not displayed.
    To enable this personal device profile, select the Enable personal device profile checkbox.

  6. (Optional) Use the Passcode payload to configure passcode policies.
    Note: On Android devices, the user is allowed to cancel when prompted to change their passcode to meet the configured settings. If the device passcode does not meet the configured Passcode payload settings, the Passcode Compliance status will be reported as Not Compliant in inventory information for the device.

  7. (Optional) Use the Wi-Fi payload to configure how devices connect to your wireless network, including the necessary authentication information.

  8. (Optional) Use the VPN payload to configure how devices connect to your wireless network via VPN, including the necessary authentication information.

  9. (Optional) Use the Exchange ActiveSync (iOS only) payload to define settings for connecting to your Exchange server.

  10. (Optional) Use the Mail (iOS only) payload to define settings for connecting to POP or IMAP accounts.

  11. (Optional) Use the Calendar (iOS only) payload to define settings for configuring access to CalDAV servers.

  12. (Optional) Use the Contacts (iOS only) payload to define settings for configuring access to CardDAV servers.

  13. (Optional) Use the Subscribed Calendars (iOS only) payload to define settings for calendar subscriptions.

  14. (Optional) Use the Certificate payload to specify the X.509 certificates (.cer, .p12, etc.) you want to install on devices to authenticate device access to your network.

  15. (Optional) Use the Security (Android only) payload to require encryption on Android devices.
    Warning: Android encryption is irreversible on most devices, and a factory reset must be performed to remove encryption from a device. In addition, failure to follow all onscreen instructions during the encryption process could lead to permanent loss of data.

  16. (Optional) Select the Apps (iOS only) payload and then do any of the following:

    • To distribute a managed app to personal iOS devices added to the site (or the full JSS) that the profile is assigned to, click Install next to the app name. (To distribute all managed apps, click Install All.)

    • To remove a previously distributed managed app from devices, click Remove next to the app name. (To remove all managed apps previously distributed with this profile, click Remove All.)

    • To clone an unmanaged app to add a managed version of the app to the JSS, click the unmanaged app name and then click Clone App and Make Managed. A managed version of the app is added to the JSS and is made available for installation.

  17. (Optional) To add messaging that displays during user-initiated enrollment if the user belongs to multiple LDAP user groups with access to multiple sites, do the following:

    1. Click the Messaging tab, and then click Add.

    2. Choose a language from the Language pop-up menu.

    3. Use the settings on the pane to specify the site/profile display name, as well as the text to describe the settings included with the profile. In the description for iOS devices, you can also list any managed apps that will be included with the profile.

    4. Click Done.

    5. Repeat this process as needed for other languages.

  18. Click Save.

If the profile is enabled in the General payload, it will be used to enroll personal devices with the JSS when users enter credentials for an LDAP directory account or a JSS user account that has access to the site (or to the full JSS).

Cloning, Editing, or Deleting a Personal Device Profile

Consider the following when cloning, editing, or deleting a personal device profile:

  • Cloning—You can only clone a personal device profile if there is an available site (or the full JSS) that does not have a profile assigned to it.

  • Editing—When a personal device profile is edited and saved, it is automatically redistributed to personal devices belonging to the site (or the full JSS) that the profile is assigned to.
    When editing an enabled profile, if you deselect the Enable personal device profile checkbox in the profile’s General payload, all personal devices belonging to the site that the profile is assigned to will continue to be managed by the JSS, but all settings and apps that were previously defined by the profile are removed.

  • Deleting—When a personal device profile is deleted, all personal devices belonging to the site that the profile is assigned to will automatically be changed to use the profile assigned to the full JSS if a profile for the full JSS is enabled. If an enabled profile for the full JSS does not exist, or if you are deleting the profile assigned to the full JSS, then the applicable devices will continue to be managed by the JSS, but all settings and apps that were previously defined by the profile are removed.
    Note: A personal device profile is automatically deleted if the site it is assigned to is deleted from the JSS.
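
The following added example (not Jamf code, and not a JSS API) models two rules from this page so you can check a planned change before making it: which profile is used at enrollment for a given site, and what devices in a site lose when that site's profile is deleted. The Profile class, the FULL_JSS marker, and the sample configuration are constructed for illustration.

```python
from dataclasses import dataclass
from typing import Optional

FULL_JSS = None  # constructed marker: profile assigned to the full JSS rather than a site

@dataclass(frozen=True)
class Profile:
    name: str
    site: Optional[str]          # site name, or FULL_JSS
    enabled: bool                # state of the "Enable personal device profile" checkbox
    payloads: frozenset = frozenset()

def enrollment_profile(site, profiles):
    """Profile used to enroll a device whose user has access to `site`."""
    by_site = {p.site: p for p in profiles}      # at most one profile per site
    own = by_site.get(site)
    if site is not FULL_JSS and own and own.enabled:
        return own                               # an enabled site profile is used
    full = by_site.get(FULL_JSS)
    return full if full and full.enabled else None

def deletion_impact(site, profiles):
    """What devices in `site` switch to and lose if that site's profile is deleted."""
    by_site = {p.site: p for p in profiles}
    old = by_site[site]
    full = by_site.get(FULL_JSS)
    # Devices fall back only when a site profile is deleted and the full-JSS profile is enabled.
    new = full if site is not FULL_JSS and full and full.enabled else None
    current = old.payloads if old.enabled else frozenset()
    kept = new.payloads if new else frozenset()
    # Assumption: a payload absent from the fallback profile is no longer applied.
    return {"new_profile": new.name if new else None,
            "lost_payloads": sorted(current - kept)}

# Constructed sample configuration (not exported from a real JSS).
PROFILES = [
    Profile("Full JSS BYOD", FULL_JSS, True, frozenset({"Passcode"})),
    Profile("Sales BYOD", "Sales", True, frozenset({"Passcode", "VPN", "Apps"})),
    Profile("Lab BYOD", "Lab", False, frozenset({"Wi-Fi"})),
]

if __name__ == "__main__":
    for s in ("Sales", "Lab", "Warehouse"):
        p = enrollment_profile(s, PROFILES)
        print(f"enroll in {s}: {p.name if p else 'no enabled profile'}")
    for s in ("Sales", FULL_JSS):
        print(f"delete profile for {s or 'full JSS'}:", deletion_impact(s, PROFILES))
```

A non-empty lost_payloads list for a site marks settings, such as a passcode policy or managed apps, that devices in that site would no longer receive after the deletion.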

Related Information

For related information, see the following sections in this guide:

© copyright 2002-2017 Jamf. All rights reserved.