User-Initiated Enrollment Experience for iOS Devices

The following steps outline the user experience for enrolling a personally owned iOS device:

1. Log in.
When users access the enrollment portal from their device, they must log in by entering credentials for an LDAP directory account or a JSS user account with user-initiated enrollment privileges.

2. Specify the device ownership type (if applicable).
If both institutionally owned device enrollment and personally owned device enrollment are enabled in the JSS, the user must select the personal device ownership option. When this option is selected, the user can view the personal device management description that has been entered on the Messaging pane Device Ownership tab in the User-Initiated Enrollment settings. This description represents the IT management capabilities for a personal device.

3. Accept the End User License Agreement (if applicable).
If an End User License Agreement (EULA) has been entered on the Messaging pane EULA tab in the User-Initiated Enrollment settings, the user must accept the EULA terms to continue with enrollment.

4. Choose a site (if applicable).
If the user is a member of multiple LDAP user groups and site access has been configured separately for those groups on the Access pane in the User-Initiated Enrollment settings, the user must select the site to use to enroll their personal device. If a profile description was entered on the Messaging pane when creating the personal device profile assigned to the selected site, that profile description is displayed.

5. Install the CA certificate (if applicable).
The user must tap through a series of screens to install the CA certificate.
Note: This step is skipped if the Skip certificate installation during enrollment checkbox is selected on the General pane in the User-Initiated Enrollment settings and the user’s environment has an SSL certificate that was obtained from an internal CA or a trusted third-party vendor.

6. Install the MDM profile.
The user must tap through a series of screens to install the MDM profile. On the first screen in the series, the user can tap the Information icon to view the personal device management description that has been entered on the Messaging pane Device Ownership tab in the User-Initiated Enrollment settings. This description represents the IT management capabilities for a personal device.

Enrollment is complete.
When notified that enrollment is complete, the device is enrolled with the JSS.

User-Initiated Enrollment Experience for Android Devices

The following steps outline the user experience for enrolling a personally owned Android device:

1. Log in.
When users access the enrollment portal from their device, they must log in by entering credentials for an LDAP directory account or a JSS user account with user-initiated enrollment privileges.

2. Accept the End User License Agreement (if applicable).
If an End User License Agreement (EULA) has been entered on the Messaging pane EULA tab in the User-Initiated Enrollment settings, the user must accept the EULA terms to continue with enrollment.

3. Choose a site (if applicable).
If the user is a member of multiple LDAP user groups and site access has been configured separately for those groups on the Access pane in the User-Initiated Enrollment settings, the user must select the site to use to enroll their personal device. If a profile description was entered on the Messaging pane when creating the personal device profile assigned to the selected site, that profile description is displayed.

4. Install Self Service Mobile for Android.
The user is prompted to go to Google Play to install Self Service Mobile, and then return to the enrollment portal. Self Service Mobile must remain installed on an enrolled Android device to keep the device managed by the JSS.
Note: If the user already has Self Service Mobile installed, they can skip the app installation step.

5. Install the MDM profile.
The user is prompted to continue to the MDM profile installation. On this screen, the user can tap the Information icon to view the personal device management description that has been entered on the Messaging pane Device Ownership tab in the User-Initiated Enrollment settings. This description represents the IT management capabilities for a personal device.

6. Activate Self Service Mobile as a device administrator.
When prompted, the user must activate Self Service Mobile as a device administrator.

Enrollment is complete.
When notified that enrollment is complete, the device is enrolled with the JSS.

(Optional) Install third-party apps.
The user can install the following third-party apps from Google Play to access institutional resources as appropriate for their environment:

• Divide—Allows the user to configure email, calendar, and contacts on their device.
  The user can tap a link to view the following guide for Divide installation and setup instructions:
  http://support.divide.com/hc/en-us/articles/201962740-Installation-Guide-Android

• Cisco AnyConnect—Allows the user to configure a VPN connection.
  The AnyConnect app must be configured to permit external configuration. This allows the VPN connection in AnyConnect to be configured automatically using the settings in the applicable personal device profile VPN payload.
  When the user taps the link to view setup instructions for AnyConnect, they are instructed to complete the following steps to enable external configuration:

1. 1. Tap the AnyConnect icon to open the app.

   2. Accept the End User License Agreement.

   3. In AnyConnect, tap Menu > Settings > Application Preferences.

   4. Tap External Control, and then tap Enabled.