About Computer Enrollment

Enrollment is the process of adding Mac computers to Jamf Pro. When computers are enrolled, inventory information for the computers is submitted to Jamf Pro.

Enrolling computers makes them managed by Jamf Pro. This allows you to perform inventory tasks, remote management, and configuration tasks on the computers. When you enroll computers, you specify a local administrator account that you want to use to manage them (called the “management account”).

The management account can be used to run the following tasks on the computer:

  • Screen sharing

  • Enabling FileVault using a policy (when SecureToken is enabled)

  • Adding or removing users from FileVault using a policy (when SecureToken is enabled)

  • Generating a personal recovery key using a policy (when SecureToken is enabled)

  • Performing authenticated restarts using a policy (when SecureToken is enabled)

You must enable the management account in the User-Initiated Enrollment settings before the account can be created during enrollment. To enable the management account, you must enable user-initiated enrollment, and then configure the management account username and password. You can see if a computer is managed by the management account by viewing the Managed attribute field in the computer inventory information.

The following table explains the different types of enrollment methods:

| Enrollment Method | Description | Results in User Approved MDM State for Eligible Computer |
| --- | --- | --- |
| (Recommended) Use a PreStage enrollment | You can use a PreStage enrollment to customize the computer enrollment experience, distribute configuration profiles and packages during enrollment, and store setup settings in Jamf Pro to reduce the amount of time and interaction it takes to enroll computers with Jamf Pro. Using a PreStage enrollment, computers with macOS 10.10 or later can also be managed automatically. Note: This enrollment method requires an Apple School Manager or Apple Business Manager account. For more information, see Integrating with Automated Device Enrollment. | ✓ For more information about User Approved MDM and Jamf Pro, see the Managing User Approved MDM with Jamf Pro Knowledge Base article. |
| (Recommended) User-initiated enrollment | You can use the User-Initiated Enrollment settings to customize the enrollment experience for users, including the messaging that displays for each step of the enrollment process. Users can then enroll their own computers by logging in to a web-based enrollment portal and following the onscreen instructions. During enrollment, users are prompted to download either an MDM profile or QuickAdd package based on the version of macOS on their computer. | ✓ For more information about User Approved MDM and Jamf Pro, see the Managing User Approved MDM with Jamf Pro Knowledge Base article. |
| Use a QuickAdd package created with Recon | You can use Recon to create a QuickAdd package that enrolls computers when it is installed. This type of QuickAdd package can be deployed using almost any deployment tool, such as Apple Remote Desktop or Jamf Pro. You can also give the QuickAdd package to users to install on their own. | |
| Use the network scanner | You can remotely enroll multiple computers in specified IP ranges by using the network scanner in Recon. Recon scans the specified IP ranges and enrolls any computers that it can connect to over SSH (Remote Login). | |
| Run Recon remotely on a single computer | If you know the IP address of the computer that you want to enroll and SSH (Remote Login) is enabled on the computer, you can enroll the computer by running Recon remotely. Note: Because of increased user data protections with macOS 10.14 or later, you cannot enable remote management remotely using the SSH protocol. To enable remote management on computers with macOS 10.14, the user must select the Screen Sharing checkbox in System Preferences. | |
| Run Recon locally | If you have physical access to the computer that you want to enroll, you can run Recon locally on the computer. | |
| (Not Recommended) Image computers | You can enroll computers by imaging them with a configuration that is associated with a management account. | |
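To confirm which state a computer actually ended up in after enrollment, the following added example (not part of the Jamf documentation) classifies the text printed by the macOS command `profiles status -type enrollment`. The state labels, the sample outputs and the server URL are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify a Mac's MDM enrollment state from the text printed by
# `profiles status -type enrollment`. The state labels are this example's own.

classify_enrollment() {
    # $1: full text of the command output
    dep=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*Enrolled via DEP:[[:space:]]*//p' | head -n 1)
    mdm=$(printf '%s\n' "$1" | sed -n 's/^[[:space:]]*MDM enrollment:[[:space:]]*//p' | head -n 1)
    case $mdm in
        "Yes (User Approved)"*)
            # Automated Device Enrollment (PreStage) also reports User Approved.
            case $dep in
                Yes*) echo automated ;;
                *)    echo user-approved ;;
            esac ;;
        Yes*) echo not-user-approved ;;   # enrolled, but MDM is not User Approved
        No*)  echo not-enrolled ;;
        *)    echo unknown ;;             # empty or unexpected output
    esac
}

# Constructed sample outputs (the server URL is a placeholder).
SAMPLE_PRESTAGE='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)
MDM server: https://jamf.example.com:8443/mdm/ServerURL'
SAMPLE_UIE='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)
MDM server: https://jamf.example.com:8443/mdm/ServerURL'
SAMPLE_PENDING='Enrolled via DEP: No
MDM enrollment: Yes
MDM server: https://jamf.example.com:8443/mdm/ServerURL'
SAMPLE_NONE='Enrolled via DEP: No
MDM enrollment: No'

if command -v profiles >/dev/null 2>&1; then
    # On a Mac: classify the live state of this computer.
    classify_enrollment "$(profiles status -type enrollment 2>&1)"
else
    # Elsewhere: run against the constructed samples.
    for s in "$SAMPLE_PRESTAGE" "$SAMPLE_UIE" "$SAMPLE_PENDING" "$SAMPLE_NONE"; do
        classify_enrollment "$s"
    done
fi
```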

 

Related Information

For related information, see the following Knowledge Base articles:

© copyright 2002-2019 Jamf. All rights reserved.