Mobile Device PreStage Enrollments

A PreStage enrollment allows you to create enrollment configurations and sync them to Apple. This enables you to enroll new iOS, iPadOS, and tvOS devices with Jamf Pro, reducing the amount of time and interaction it takes to prepare mobile devices for use. For tvOS devices, this includes supervising devices, requiring users to apply the MDM profile for enrollment, and auto advancing through the Setup Assistant with optional settings to skip selected items during enrollment.

Before you can use a PreStage enrollment, you need to integrate Jamf Pro with Automated Device Enrollment (formerly DEP). This creates an Automated Device Enrollment instance in Jamf Pro. For more information, see Integrating with Automated Device Enrollment. Only devices associated with the Automated Device Enrollment instance can be enrolled with Jamf Pro using a PreStage enrollment.

After creating an Automated Device Enrollment instance, you need to create a PreStage enrollment in Jamf Pro for the mobile devices you want to enroll. Creating a PreStage enrollment allows you to configure the enrollment settings and customize the user experience of the Setup Assistant. You can also specify the devices that should be enrolled using the PreStage enrollment and automatically add devices newly associated with the Device Enrollment instance to the PreStage Enrollment.

Jamf Pro automatically refreshes information about the mobile devices in the PreStage enrollment. If there is updated information about the devices in Automated Device Enrollment (formerly DEP), this information is displayed in Jamf Pro. This information is automatically refreshed every two minutes.

Note: There can be up to a two-minute delay in the information refresh, which can result in outdated information being displayed in Jamf Pro. In addition, environment-specific factors can affect the refresh of information.

Mobile Device PreStage Enrollment Settings

When you create a PreStage enrollment, you use a payload-based interface to configure settings to apply to devices during enrollment. The following list describes the enrollment settings available in a PreStage enrollment, by payload:

  • General—This payload allows you to configure basic settings for the PreStage enrollment, specify authentication and management requirements, add an Enrollment Customization configuration, and customize the Setup Assistant experience.

  • Mobile Device Names—This payload allows you to choose a method for assigning names to mobile devices. This information is stored in Jamf Pro for each mobile device enrolled using a PreStage enrollment.

  • User and Location—You can use the User and Location payload to specify user and location information for the mobile devices.
    Note: Using Inventory Preload or authentication during enrollment can automatically populate this information for devices.
    This information is stored in Jamf Pro for each mobile device enrolled using a PreStage enrollment.

  • Purchasing—You can use the Purchasing payload to specify purchasing information for the mobile devices.
    This information is stored in Jamf Pro for each mobile device enrolled using a PreStage enrollment.

  • Attachments—You can use the Attachments payload to upload attachments to store for mobile devices.
    This information is stored in Jamf Pro for each mobile device enrolled using a PreStage enrollment.

  • Certificates—You can use the Certificates payload to establish trust during enrollment if your Jamf Pro instance uses an SSL certificate that is not natively trusted by Apple products. The device attempts a secure connection with Jamf Pro using only this certificate to enroll.
    For more information about the certificates that are trusted by Apple, see Available trusted root certificates for Apple operating systems on Apple's support website.
    Note: If your Jamf Pro instance uses an SSL certificate that was created by the Jamf Pro built-in CA, an anchor certificate for enrollment is automatically added to this payload.
    If your Jamf Pro server URL ends with "jamfcloud.com", you should not configure this payload.

Enrollment Experience Customization

You can customize the enrollment experience for the user with the following in the PreStage enrollment:

  • Enrollment Customization configurations—You can use the General payload to add an Enrollment Customization configuration to the PreStage enrollment. For example, you can add an Enrollment Customization configuration to display an End User License Agreement (EULA) during enrollment or other custom messaging as the user advances through the Setup Assistant. For more information, see Enrollment Customization Settings.
    To add an Enrollment Customization configuration to the PreStage enrollment, you must have at least one configuration in the Enrollment Customization settings. Enrollment Customization configurations are applied to mobile devices with iOS 13 or later only.

  • Configuration profiles—You can use the General payload to distribute configuration profiles that define settings and restrictions for mobile devices during enrollment. This allows the profiles to be installed on devices before the user completes the Setup Assistant, enabling the user to access resources on your network immediately after their mobile device is enrolled with Jamf Pro. For example, you can distribute a profile that enables a user to automatically join your network during enrollment.
    To distribute configuration profiles during enrollment, you must create the profile prior to configuring the PreStage enrollment. For more information, see Mobile Device Configuration Profiles. All configuration profiles that the device falls into the scope of will be distributed to the device during enrollment.

    Note: Payload variables in configuration profiles may not be replaced with their attribute values during enrollment. If you want to distribute profiles that contain payload variables, it is recommended that you distribute the profile after the device is enrolled with Jamf Pro.

  • Time Zone—You can use the General payload to set the time zone on mobile devices during enrollment with Jamf Pro. This allows all devices with iOS 14 or later in the scope of the PreStage to have the Time Zone automatically configured for the user. After a device is enrolled with Jamf Pro, the user can reset the Time Zone on their device.

  • Setup Assistant steps—You can use the General payload to select Setup Assistant screens that you want the user to skip during enrollment (e.g., Apple ID login). When you select a step, that screen is not presented to the user during enrollment. For more information about the screens that can be skipped during enrollment, see Setup Assistant pane options in Apple devices in Apple's Mobile Device Management Settings.

Setup Assistant Steps

You can select Setup Assistant screens that you want the user to skip during enrollment. When you select a step, that screen is not presented to the user during enrollment.

When enrolling tvOS devices, you can also choose to automatically advance through the Setup Assistant. This option prevents any of the Setup Assistant screens from being displayed to the user during enrollment. If you automatically advance through the Setup Assistant, you can configure the language and region so the locale on the device is automatically configured. These settings are designated by the International Organization for Standardization (ISO). For more information, see the following websites:

For more information about the screens that can be skipped during enrollment, see Setup Assistant pane options in Apple devices in Apple's Mobile Device Management Settings.

Mobile Device Management Capability Settings

You can enable additional management capabilities. The following do not impact the user's enrollment experience, but do offer you additional remote management when applied:

  • User authentication—To increase the security of sensitive user information, it is recommended that you require users to authenticate during mobile device setup using an LDAP directory account or a Jamf Pro user account. If users authenticate with an LDAP directory account, user and location information is submitted during enrollment. Authentication requires mobile devices with iOS 7.1 or later, or Apple TV devices with tvOS 10.2 or later.
    To require LDAP users or Jamf Pro users to authenticate during setup, you need an LDAP server set up in Jamf Pro. For more information, see Integrating with LDAP Directory Services.
    If you add an Enrollment Customization configuration to the PreStage, this setting is ignored for devices with iOS 13 or later, and iPadOS 13 or later.

  • MDM Profile—The MDM Profile enables you to remotely manage mobile devices using Jamf Pro. Users are automatically required to apply the MDM profile on mobile devices with iOS 13 or later, or iPadOS 13 or later during enrollment with Jamf Pro. If the MDM profile is removed, you can no longer send remote commands or distribute configuration profiles to the mobile device. You can use Jamf Pro to prevent a user from removing this profile after enrollment.

  • Mobile device names—You can enable Jamf Pro to take action on mobile device names during enrollment.

  • Device Supervision—Choosing to supervise devices during enrollment offers you the following extended device management functionality:

    • Pairing—You can allow a mobile device to connect to Mac computers via USB.

    • Shared iPad settings—You can allow devices with iPadOS 9.3 or later to be shared and configure additional functionality, such as the number of users or amount of storage to allocate to each user of the iPad.

    • Activation Lock functionality—You can enable Activation Lock for a device with iOS 12 or later without requiring user interaction. When the device is enrolled with Jamf Pro, Activation Lock is automatically enabled.
      You can also prevent a user from enabling Activation Lock for the mobile device during enrollment. When devices are enrolled with Jamf Pro, the user cannot enable Activation Lock on the device if they enable the Find My service.
      For more information about Activation Lock, see Using Activation Lock for Apple devices in Apple's Mobile Device Management Settings.

Mobile Device Names

You can use the Mobile Device Names payload to choose a method for assigning names to mobile devices. This information is stored in Jamf Pro for each mobile device enrolled using a PreStage enrollment.

This payload is not required to configure a PreStage enrollment; however, choosing to configure the payload enables Jamf Pro to take action on device names during enrollment. The following options are available to use as the method for naming devices during enrollment:

  • Default Names—Depending on the enrollment status of the device, the following can happen when this option is selected:

    • If the device is being re-enrolled with Jamf Pro, the value of the Mobile Device Name attribute field in the device's inventory information in Jamf Pro is assigned to the device at enrollment.

    • If the device is being enrolled for the first time with Jamf Pro, the current name of the device persists after enrollment.

  • Serial Numbers—The serial number of the device becomes the device's name during enrollment. You can add a suffix or a prefix to the serial number.

  • List of Names—You can enter names separated by a comma to assign to the devices during enrollment.

  • Single Names—You can enter a single name that is assigned to all devices during enrollment.

If this payload is not configured, Jamf Pro does not take action on mobile device names during enrollment. The name of the device at the time of enrollment persists after enrollment.

Shared iPad Settings

You can use the General payload to enable Shared iPad and configure the following settings:

  • Number of Users—You can enter the maximum number of users that can be stored with the iPad. You can specify up to 99 users. This limits the number of user accounts that can be stored locally on the iPad.

  • Storage Quota Size—You can specify the maximum amount of storage (MB) allocated for each user on devices with iPadOS 13.4 or later. This overrides the maximum number of users. If the scope of the PreStage contains devices with iPadOS 13.3 or earlier, the device defaults to the maximum number of users.

If you add an Enrollment Customization configuration, the configuration is only applied once during the initial enrollment with Jamf Pro.

For more information about Shared iPad, see Shared iPad overview in Apple's Mobile Device Management Settings.

Configuring a Mobile Device PreStage Enrollment

  1. Log in to Jamf Pro.

  2. Click Devices at the top of the page.

  3. Click PreStage Enrollments.

  4. Click New.

  5. Use the General payload to configure basic settings for the PreStage enrollment. In addition, you can do the following on the General pane:

    • To require that users authenticate with their username and password, select the Require Credentials for Enrollment checkbox.

      Note: The Require Credentials for Enrollment checkbox is only displayed if an LDAP server has been set up in Jamf Pro.

    • To enable Shared iPad during enrollment, select Supervise Devices and then select Enable Shared iPad. You must enter a maximum number of user accounts that can be stored with Shared iPad using the Number of Users text field. For devices with iPadOS 13.4 or later, you can use the storage quota size instead of the number of users.

    • To enable Activation Lock directly on a device without requiring end user interaction, select Prevent user from enabling Activation Lock, and then select Enable Activation Lock on the device.

    • To customize the user experience of the Setup Assistant, you can do the following:

      • Choose an Enrollment Customization configuration to apply to devices.

      • Select which steps you want to skip in the Setup Assistant. If you choose to skip steps, the user can enable these settings after the device is configured unless otherwise restricted. For Apple TV devices, an Ethernet connection is required.

  6. Use the rest of the payloads to configure the PreStage enrollment.

  7. Click the Scope tab and configure the scope of the PreStage enrollment by selecting the checkbox next to each mobile device you want to add to the scope.
    The mobile devices listed on the Scope tab are the mobile devices that are associated with Automated Device Enrollment (formerly DEP) via the server token file (.p7m) you downloaded from Apple. If you clone a PreStage enrollment, mobile devices in the scope of the original PreStage enrollment are not included in the scope of the cloned PreStage enrollment.
    You can use the Select All button to add all associated devices to the scope. This adds all devices associated with Automated Device Enrollment via the server token file regardless of any results that have been filtered using the Filter Results search field. The Deselect All button removes all associated devices from the scope.

    Note: If you want to add mobile devices to the scope automatically as the devices become associated with the Automated Device Enrollment instance, select the Automatically assign new devices checkbox in the General payload.

  8. Click Save.
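
The dependencies between the settings in this procedure (Certificates payload, authentication, supervision, Shared iPad, Activation Lock, MDM profile removal) can be reviewed before saving. The following is an added example, not part of the Jamf documentation or Jamf Pro itself; the dictionary keys are hypothetical labels for the settings described on this page, not Jamf Pro API fields, and the sample configuration is constructed.

```python
from urllib.parse import urlparse

# Keys are hypothetical labels for the settings on this page, not Jamf Pro API fields.
def lint_prestage(cfg):
    """Return (severity, message) findings for one PreStage configuration."""
    out = []
    host = (urlparse(cfg.get("jamf_url", "")).hostname or "").lower()
    anchors = cfg.get("anchor_certificates", [])

    # Certificates payload: leave empty when the server URL ends with jamfcloud.com.
    if host.endswith("jamfcloud.com") and anchors:
        out.append(("error", "Certificates payload set for a jamfcloud.com server"))
    # A certificate Apple products do not trust natively needs an anchor to enroll.
    if not cfg.get("cert_natively_trusted", True) and not anchors:
        out.append(("error", "server certificate not natively trusted, no anchor"))
    # Authentication during setup is recommended, but it is ignored on
    # iOS/iPadOS 13 or later once an Enrollment Customization is attached.
    if not cfg.get("require_credentials"):
        out.append(("warn", "users do not authenticate during setup"))
    elif cfg.get("enrollment_customization"):
        out.append(("info", "Require Credentials ignored on iOS/iPadOS 13 or later"))
    # Activation Lock: "Prevent user ..." is selected before "Enable ... on the device".
    if cfg.get("enable_activation_lock") and not cfg.get("prevent_user_activation_lock"):
        out.append(("error", "Enable Activation Lock set without Prevent user option"))
    if cfg.get("shared_ipad"):
        users, quota = cfg.get("number_of_users"), cfg.get("storage_quota_mb")
        if not cfg.get("supervise_devices"):
            out.append(("error", "Shared iPad enabled without Supervise Devices"))
        if users is None and not quota:
            out.append(("error", "Shared iPad needs Number of Users or a storage quota"))
        if users is not None and users > 99:
            out.append(("error", "Number of Users exceeds the limit of 99"))
        if quota:
            out.append(("info", "quota overrides Number of Users on iPadOS 13.4 or later"))
    if cfg.get("mdm_profile_removable"):
        out.append(("warn", "user can remove the MDM profile"))
    return out

# Constructed sample configuration (not from a real Jamf Pro instance).
SAMPLE = {
    "jamf_url": "https://example.jamfcloud.com", "anchor_certificates": ["corp-root.pem"],
    "require_credentials": True, "enrollment_customization": "EULA",
    "supervise_devices": False, "shared_ipad": True, "number_of_users": 120,
    "enable_activation_lock": True, "prevent_user_activation_lock": False,
    "mdm_profile_removable": True,
}
if __name__ == "__main__":
    for severity, message in lint_prestage(SAMPLE):
        print(f"{severity:5} {message}")
```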

Related Information

For related information, see the following section in this guide:

Components Installed on Mobile Devices
Learn about the components installed on mobile devices during enrollment.

For related information, see the following Knowledge Base articles:

Leveraging Apple's Activation Lock Feature with Jamf Pro
Learn about how you can use Jamf Pro to leverage Activation Lock in your environment.

For related information, see the following technical paper:

Deploying iOS and tvOS Devices Using Apple Configurator 2 and Jamf Pro
Get step-by-step instructions on how to deploy iOS devices using Apple Configurator 2 and a PreStage enrollment.

© copyright 2002-2020 Jamf. All rights reserved.