User-Initiated Enrollment Settings

Enrollment is the process of adding computers and mobile devices to Jamf Pro. This establishes a connection between the computers and mobile devices and the Jamf Pro server.

User-initiated enrollment allows users to initiate the enrollment process on their own.

Users can enroll the following:

  • Mac computers

  • Institutionally owned iOS and iPadOS devices

  • Personally owned iOS and iPadOS devices

Personally owned mobile devices can be enrolled using a Personal Device Profile or User Enrollment. For more information, see Personal Device Profiles.

User Enrollment is designed to keep corporate data safe on iOS 13 or later and iPadOS 13 or later devices while protecting users' privacy. User Enrollment will be replacing Personal Device Profiles, which will be deprecated in a future release, as the Apple-preferred method for enrolling personally owned devices in a Bring Your Own Device (BYOD) program. Because User Enrollment is a preview feature, some functionality may not be available at the time of this release.

User Enrollment keeps personal and institutional data separate by associating a personal Apple ID with personal data and a Managed Apple ID with corporate data. This allows for a limited management of devices using a set of configurations that associate management with the user, not the entire device. The user can access their corporate data without the administrator erasing, modifying, or viewing personal data. This separation allows users to keep their personal data protected and intact once the device is removed from Jamf Pro, while the corporate data is deleted. For more information on User Enrollment management capabilities, see Mobile Device Management Capabilities.

To create Managed Apple IDs, you must either use federated authentication to link Apple School Manager to your instance of Microsoft Azure Active Directory (AD) or create them manually in Apple School Manager and Apple Business Manager. For more information, see the following documentation from Apple:

General Settings

When configuring user-initiated enrollment, the settings on the General pane allow you to do the following:

  • Restrict re-enrollment so that a user is only allowed to re-enroll a computer or mobile device if one of the following conditions is met:

    • The user is a Jamf Pro user with the “Computers” or “Mobile Devices” privilege.

    • The username of the user re-enrolling the computer or mobile device matches the Username field in the User and Location category in inventory information.

    • The Username field in the User and Location category in inventory information is blank.

  • Skip certificate installation during enrollment.

  • Use a third-party signing certificate to ensure configuration profiles sent to computers and mobile devices are signed by a trusted third-party and the MDM profile appears as verified to users during user-initiated enrollment.

  • Require users to install the CA certificate.

Messaging Settings

You can customize the text displayed in each step of the enrollment experience using Markdown. You can also add different languages.

For information about Markdown, see the Using Markdown to Format Text Knowledge Base article.

The following table describes each step that can be customized and the platform each step is displayed on:

Enrollment Step

Description

macOS

Institutionally Owned iOS Devices

iOS Devices Enrolled Using Personal Device Profiles

iOS and iPadOS Devices Enrolled Using User Enrollment

Login Page

Customize how you want the Login page to be displayed to users.

images/download/thumbnails/79168466/checkmark.png images/download/thumbnails/79168466/spacer.png

images/download/thumbnails/79168466/checkmark0.png

images/download/thumbnails/79168466/checkmark.png images/download/thumbnails/79168466/spacer.png

images/download/thumbnails/79168466/checkmark0.png

Device Ownership

Customize the text that prompts the user to specify the device ownership type if user-initiated enrollment is enabled for both institutionally owned and personally owned devices.

You can also specify the device management description that displays to users to provide custom messaging on the IT management capabilities for each device ownership type.

 

images/download/thumbnails/79168466/checkmark0.png

images/download/thumbnails/79168466/checkmark0.png

images/download/thumbnails/79168466/checkmark.png

Software License and Services Agreement

Enter text for the End User License Agreement (EULA). If the EULA is left blank, it is not displayed to users during enrollment. The EULA is not displayed for users logging in with a Jamf Pro user account.

images/download/thumbnails/79168466/checkmark0.png

images/download/thumbnails/79168466/checkmark0.png

images/download/thumbnails/79168466/checkmark0.png

images/download/thumbnails/79168466/checkmark0.png

Sites

Customize the message that prompts users to choose a site. If a user logs in with a Jamf Pro user account, they can assign an LDAP user to the computer or mobile device.

If you have more than one site in Jamf Pro and have entered information on the Messaging Pane in Personal Device Profiles in Jamf Pro, this information is displayed to users when they are prompted to choose a site. For more information, see Personal Device Profiles.

images/download/thumbnails/79168466/checkmark0.png

images/download/thumbnails/79168466/checkmark0.png

images/download/thumbnails/79168466/checkmark0.png

 

Certificate

Customize the message that prompts users to install the CA certificate for mobile devices to trust at enrollment.

 

images/download/thumbnails/79168466/checkmark0.png

images/download/thumbnails/79168466/checkmark0.png

images/download/thumbnails/79168466/checkmark0.png

MDM Profile

Customize the message that prompts users to install the MDM profile for institutionally owned devices.

 

images/download/thumbnails/79168466/checkmark0.png

 

 

Personal MDM Profile

Customize the message that prompts users to install the MDM profile for devices enrolled using Personal Device Profiles.

 

 

images/download/thumbnails/79168466/checkmark0.png

User Enrollment MDM Profile

Customize the message that prompts users to enter their Managed Apple ID and install the MDM profile for personally owned devices.

 

 

 

images/download/thumbnails/79168466/checkmark0.png

QuickAdd Package

Customize the message that prompts users to download and install the QuickAdd package.

images/download/thumbnails/79168466/checkmark0.png

 

 

 

Complete Page

Customize the messages that are displayed to users if enrollment is successful or if it fails.

images/download/thumbnails/79168466/checkmark0.png

images/download/thumbnails/79168466/checkmark0.png

images/download/thumbnails/79168466/checkmark0.png

images/download/thumbnails/79168466/checkmark0.png

Platform-Specific Settings

You can enable user-initiated enrollment for the macOS, and iOS platforms. This allows users to enroll computers or mobile devices by going to an enrollment URL. For example:

  • https://instancename.jamfcloud.com/enroll (hosted in Jamf Cloud)

  • https://jss.instancename.com:8443/enroll (hosted on-premise)

Note: Users must use Safari to access the enrollment URL.

For the iOS and iPadOS platforms, in addition to enabling user-initiated enrollment, you can also select Personal Device Profiles or User Enrollment as your enrollment method for personally owned devices.

For the macOS platform only, you can also do the following:

  • Specify a management account.

  • Ensure that SSH (Remote Login) is enabled.

  • Ensure that Self Service is launched after enrollment.

  • Sign the QuickAdd package used for enrollment.
    Signing the QuickAdd package ensures that it appears as verified to users who install it. It also allows users to install the QuickAdd package on computers that have Apple’s Gatekeeper feature set to only allow applications downloaded from the Mac App Store and identified developers.
    If you choose to sign the QuickAdd package, you need:

    • An installer certificate (.p12) from Apple. For instructions on how to obtain an installer certificate, see the Obtaining an Installer Certificate from Apple Knowledge Base article.

    • A Certification Authority intermediate certificate from Apple in the System keychain in Keychain Access on computers. For instructions on how to obtain this certificate and import it to the System keychain, see the Knowledge Base article.

Access Settings by LDAP Group

You can specify whether an LDAP group has access to enroll mobile devices using an enrollment URL without an invitation. Access can be granted for institutionally owned devices, personally owned devices, or both.

When sites are defined in Jamf Pro, you can choose a site to display to LDAP user groups during enrollment. If an LDAP user belongs to more than one LDAP user group in Jamf Pro, the user will have the option to select the sites you assign to each group that user belongs to.

Configuring the User-Initiated Enrollment Settings

  1. Log in to Jamf Pro.

  2. In the top-right corner of the page, click Settings images/download/thumbnails/79168466/Icon_Settings_Hover.png .

  3. Click Global Management.

  4. Click User-Initiated Enrollment images/download/thumbnails/79168466/User_Initiated_Enrollment.png .

  5. Click Edit.

  6. Use the General pane to restrict re-enrollment, skip certificate installation, or upload a third-party signing certificate to be used during enrollment.

  7. Use the Messaging pane to customize the text displayed during the enrollment experience and add languages.

    Note: English is the default language if the computer or mobile device does not have a preferred language set on it.

    • To add a language, click Add images/download/thumbnails/17105139/Icon_Add_Button.png , and then choose the language from the Language pop-up menu.
      You can repeat this process as needed for other languages.

    • To customize the text for a language already listed, click Edit or View depending on what's displayed. Then click Done.

  8. Use the Platforms pane to enable user-initiated enrollment and configure the enrollment settings for each platform as needed.

  9. Use the Access pane to choose the site you want to display to LDAP user groups during enrollment. Then, click Done.
    If an LDAP user belongs to more than one LDAP user group in Jamf Pro, the user will have the option to select the sites you assign to each group that user belongs to.

  10. Click Save.

Related Information

For related information, see the following sections in this guide:

Copyright     Privacy Policy     Terms of Use     Security
© copyright 2002-2019 Jamf. All rights reserved.