Mobile Device PreStage Enrollments

A PreStage enrollment allows you to store enrollment and mobile device setup settings in Jamf Pro and use them to enroll new iOS and tvOS devices. This reduces the amount of time and interaction it takes to prepare mobile devices for use. For tvOS devices, this includes supervising devices, requiring users to apply the MDM profile for enrollment, and auto advancing through the Setup Assistant with optional settings to skip selected items during enrollment.

Before you can use a PreStage enrollment, you need to integrate Jamf Pro with Apple's Device Enrollment (formerly DEP). This creates a Device Enrollment instance in Jamf Pro. For more information, see Integrating with Apple's Device Enrollment. Only devices associated with a Device Enrollment instance can be enrolled with Jamf Pro using a PreStage enrollment.

After creating a Device Enrollment instance, you need to create a PreStage enrollment in Jamf Pro for the mobile devices you want to enroll. Creating a PreStage enrollment allows you to configure the enrollment settings and customize the user experience of the Setup Assistant. You can also specify the mobile devices that should be enrolled using the PreStage enrollment. In addition, you can specify that devices newly associated with the Device Enrollment instance be automatically added to the PreStage enrollment.

Mobile Device PreStage Enrollment Settings

When you create a PreStage enrollment, you use a payload-based interface to configure settings to apply to devices during enrollment. The following table displays the enrollment settings available in a PreStage enrollment:

Payload

Description

Requirements

General

This payload allows you to configure basic settings for the PreStage enrollment and customize the user experience of the Setup Assistant.

To increase the security of sensitive user information, it is recommended that you require users to authenticate during mobile device setup using an LDAP directory account or a Jamf Pro user account. If users authenticate with an LDAP directory account, user and location information is submitted during enrollment.

In addition, the General pane allows you to supervise devices. Supervising devices allows you to do the following:

  • Pair devices by allowing them to connect to Mac computers

  • Prevent unenrollment by not allowing users to remove the MDM profile

  • Install configuration profiles on devices before a user is presented with the Setup Assistant screens

  • Enable Shared iPad

  • Configure Activation Lock behavior

If you automatically advance through the Setup Assistant for tvOS devices, you can configure the language and region so the locale on the device is automatically configured. These settings are designated by the International Organization for Standardization (ISO). For more information, see the following websites:

To require LDAP users or Jamf Pro users to authenticate during mobile device setup, you need an LDAP server set up in Jamf Pro. For more information, see Integrating with LDAP Directory Services. In addition, authentication requires mobile devices with iOS 7.1 or later, or Apple TV devices with tvOS 10.2 or later.

To enable Shared iPad, you need the following:

For more information on Shared iPad, see the Supporting Apple’s Classroom App and Shared iPad Using Jamf Pro technical paper.

To enable Activation Lock directly on a device during enrollment, the device must be supervised with iOS 12 or later.

Mobile Device Names

This payload allows you to choose a method for assigning names to mobile devices.
This information is stored in Jamf Pro for each mobile device enrolled using a PreStage enrollment.

This payload is not required to configure a PreStage enrollment; however, choosing to configure the payload enables Jamf Pro to take action on device names during enrollment. The following options are available to use as the method for naming devices during enrollment:

  • Default Names—Depending on the enrollment status of the device, the following can happen when this option is selected:

    • If the device is being re-enrolled with Jamf Pro, the value of the Mobile Device Name attribute field in the device's inventory information in Jamf Pro is assigned to the device at enrollment.

    • If the device is being enrolled for the first time with Jamf Pro, the current name of the device persists after enrollment.

  • Serial Numbers—The serial number of the device becomes the device's name during enrollment. You can add a suffix or a prefix to the serial number.

  • List of Names—You can enter names separated by a comma to assign to the devices during enrollment.

If this payload is not configured, Jamf Pro does not take action on mobile device names during enrollment. The name of the device at the time of enrollment persists after enrollment.

The Mobile Device Names payload is only displayed if you supervise devices in the General payload.

The "List of Names" naming method requires mobile devices with iOS 8 or later.

User and Location

You can use the User and Location payload to specify user and location information for the mobile devices.

Note: The User and Location Information payload is only displayed if you do not require LDAP users or Jamf Pro users to authenticate during setup.

This information is stored in Jamf Pro for each mobile device enrolled using a PreStage enrollment.

Purchasing

You can use the Purchasing payload to specify purchasing information for the mobile devices.

This information is stored in Jamf Pro for each mobile device enrolled using a PreStage enrollment.

Attachments

You can use the Attachments payload to upload attachments to store for mobile devices.

This information is stored in Jamf Pro for each mobile device enrolled using a PreStage enrollment.

Certificates

If the SSL certificate you are using is signed by an external CA (your organization's CA or a trusted third-party CA), use the Certificates payload to upload a certificate for the CA that you want mobile devices to trust at enrollment.

The anchor certificate is only displayed if the SSL certificate you are using is signed by the Jamf Pro built-in CA.

Configuring a Mobile Device PreStage Enrollment

  1. Log in to Jamf Pro.

  2. Click Devices at the top of the page.

  3. Click PreStage Enrollments.

  4. Click New.

  5. Use the General payload to configure basic settings for the PreStage enrollment. In addition, you can do the following on the General pane:

    • To require that users authenticate with their username and password, select the Require Credentials for Enrollment checkbox.
      Note: The Require Credentials for Enrollment checkbox is only displayed if an LDAP server has been set up in Jamf Pro.

    • To enable Shared iPad during enrollment, select Supervise Devices and then select Enable Shared iPad. You must also select the maximum number of user accounts that can be stored with Shared iPad using the Number of users pop-up menu. This limits the number of user accounts that can be stored locally on the iPad.

    • To enable Activation Lock directly on a device without requiring end user interaction, select Prevent user from enabling Activation Lock, and then select Enable Activation Lock on the device.

    • To customize the user experience of the Setup Assistant, select which steps you want to skip in the Setup Assistant. If you choose to skip steps, the user can enable these settings after the device is configured unless otherwise restricted. For Apple TV devices, an Ethernet connection is required.

  6. Use the rest of the payloads to configure the PreStage enrollment.

  7. Click the Scope tab and configure the scope of the PreStage enrollment by selecting the checkbox next to each mobile device you want to add to the scope.
    The mobile devices listed on the Scope tab are the mobile devices that are associated with Apple's Device Enrollment (formerly DEP) via the server token file (.p7m) you downloaded from Apple.
    Note: If you want to add mobile devices to the scope automatically as the devices become associated with the Device Enrollment instance, select the Automatically assign new devices checkbox in the General payload.

  8. Click Save.
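
The General payload options above depend on one another (supervision gates several of them, and authentication during setup is the recommended setting). The following added example, which is not Jamf code, audits a saved PreStage record against those rules. The dictionary keys are hypothetical labels for the options named on this page, not Jamf Pro API fields, and the sample records are constructed.

```python
# Added example. Keys are hypothetical labels for options named on this page,
# not Jamf Pro API fields; map them to however you export PreStage settings.
SUPERVISION_ONLY = {
    "prevent_unenrollment": "Prevent unenrollment",
    "shared_ipad": "Enable Shared iPad",
    "enable_activation_lock": "Enable Activation Lock on the device",
    "device_names_method": "Mobile Device Names payload",
}

def audit_prestage(p):
    """Return sorted (severity, message) findings for one PreStage record."""
    findings = []
    supervised = bool(p.get("supervise_devices"))

    # Page recommendation: authenticate users during mobile device setup.
    if not p.get("require_credentials"):
        findings.append(("warn", "Require Credentials for Enrollment is off"))
    elif p.get("user_and_location"):
        findings.append(("error", "User and Location payload set although "
                         "authentication is required"))

    if not supervised:
        findings.append(("warn", "devices are not supervised"))
        for key, label in SUPERVISION_ONLY.items():
            if p.get(key):
                findings.append(("error", f"{label} requires Supervise Devices"))
    elif not p.get("prevent_unenrollment"):
        findings.append(("warn", "users can remove the MDM profile"))

    # Shared iPad needs a maximum number of locally stored user accounts.
    if p.get("shared_ipad") and not p.get("shared_ipad_max_users"):
        findings.append(("error", "Shared iPad enabled without Number of users"))

    # Step 5: Enable Activation Lock is selected after the 'Prevent user' option.
    if p.get("enable_activation_lock") and not p.get("prevent_user_activation_lock"):
        findings.append(("error", "Enable Activation Lock set without Prevent "
                         "user from enabling Activation Lock"))
    return sorted(findings)

# Constructed sample records (not taken from a real Jamf Pro instance).
HARDENED = {"supervise_devices": True, "require_credentials": True,
            "prevent_unenrollment": True, "enable_activation_lock": True,
            "prevent_user_activation_lock": True, "device_names_method": "serial"}
WEAK = {"supervise_devices": False, "require_credentials": False,
        "shared_ipad": True, "device_names_method": "list"}

if __name__ == "__main__":
    for name, rec in (("HARDENED", HARDENED), ("WEAK", WEAK)):
        print(name, audit_prestage(rec) or "no findings")
```
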

Further Considerations

  • Jamf Pro automatically refreshes information about the mobile devices in the PreStage enrollment. If there is updated information about the devices in Device Enrollment (formerly DEP), this information is displayed in Jamf Pro. This information is automatically refreshed every five minutes.
    Note: There can be up to a five-minute delay on the information refresh, which can result in outdated information being displayed in Jamf Pro. In addition, environment-specific factors can affect the refresh of information.

  • When cloning a PreStage enrollment, mobile devices in the scope of the original PreStage enrollment are not included in the scope of the cloned PreStage enrollment.

Related Information

For related information, see the following Jamf Knowledge Base video:

Creating a DEP PreStage for iOS Devices in Jamf Pro

For related information, see the following technical paper:

Deploying iOS and tvOS Devices Using Apple Configurator 2 and Jamf Pro
Get step-by-step instructions on how to deploy iOS devices using Apple Configurator 2 and a PreStage enrollment.

© copyright 2002-2019 Jamf. All rights reserved.