About Computer Enrollment

Enrollment is the process of adding Mac computers to Jamf Pro. When computers are enrolled, inventory information for the computers is submitted to Jamf Pro.

Enrolling computers makes them managed by Jamf Pro. This allows you to perform inventory tasks and remote management and configuration tasks on the computers. When you enroll computers, you specify a local administrator account that you want to use to manage them (called the “management account”).

The management account is used to run the following tasks on the computer:

  • Screen sharing

  • Running policies

  • Enabling FileVault (when SecureToken is enabled)

  • Adding or removing users from FileVault (when SecureToken is enabled)

  • Generating a personal recovery key (when SecureToken is enabled)

  • Performing authenticated restarts (when SecureToken is enabled)

You must enable the management account in the User-Initiated Enrollment settings before the account can be created during enrollment. To enable the management account, you must enable user-initiated enrollment, and then configure the management account username and password. You can see if a computer is managed by the management account by viewing the "Managed" criteria in the computer inventory information.

The following table explains the different types of enrollment methods:

Enrollment Method


User-initiated enrollment

You can allow users to enroll their own computers by having them log in to an enrollment portal where they follow the onscreen instructions to complete the enrollment process. Users will be prompted to download either an MDM profile or QuickAdd package during user-initiated enrollment based on the version of macOS on their computer.

User-initiated enrollment results in a User Approved MDM state for eligible computers. For more information about User Approved MDM and Jamf Pro, see the Managing User Approved MDM with Jamf Pro Knowledge Base article.

For detailed information on user-initiated enrollment, see User-Initiated Enrollment for Computers.

Use a PreStage enrollment

A PreStage enrollment allows you to store enrollment and computer setup settings in Jamf Pro and use them to enroll new computers with Jamf Pro. In addition to reducing the amount of time and interaction it takes to prepare new computers for use, this enrollment method makes the computers MDM capable. Computers with macOS 10.10 or later can also be managed automatically when using a PreStage enrollment.

Note: Enrolling computers with macOS 10.9 or earlier using a PreStage enrollment allows you to search and report on the computers as part of your inventory; however, this process alone does not make the computers managed by Jamf Pro.

PreStage enrollment results in a User Approved MDM state for eligible computers. For more information about User Approved MDM and Jamf Pro, see the Managing User Approved MDM with Jamf Pro Knowledge Base article.

This enrollment method requires an Apple School Manager or Apple Business Manager account. For more information, see the Integrating with Apple's Device Enrollment (formerly DEP) Knowledge Base article.

For detailed information on computer PreStage enrollments, see Computer PreStage Enrollments.

Use a QuickAdd package created with Recon

You can use Recon to create a QuickAdd package that enrolls computers when it is installed. This type of QuickAdd package can be deployed using almost any deployment tool, such as Apple Remote Desktop or Jamf Pro. You can also give the QuickAdd package to users to install.

For detailed information on creating QuickAdd packages with Recon, see QuickAdd Packages Created Using Recon.

Use the network scanner

You can remotely enroll multiple computers in specified IP ranges by using the network scanner in Recon. Recon scans the specified IP ranges and enrolls any computers that it can connect to over SSH (Remote Login).

For detailed information on the network scanner, see Network Scanner.

Run Recon remotely on a single computer

If you know the IP address of the computer that you want to enroll and SSH (Remote Login) is enabled on the computer, you can enroll the computer by running Recon remotely.

Note: Because of increased user data protections with macOS 10.14 or later, you cannot enable remote management remotely using the SSH protocol. To enable remote management on computers with macOS 10.14, the user must select the Screen Sharing checkbox in System Preferences.

For detailed information on remote enrollment using Recon, see Remote Enrollment Using Recon.

Run Recon locally

If you have physical access to the computer that you want to enroll, you can run Recon locally on the computer.

For detailed information on local enrollment using Recon, see Local Enrollment Using Recon.

Image computers

You can enroll computers by imaging them with a configuration that is associated with a management account.

For detailed information on imaging computers, see About Imaging.

Related Information

For related information, see the following Knowledge Base articles:

© copyright 2002-2019 Jamf. All rights reserved.