User-Initiated Enrollment Experience for Mobile Devices

When a user accesses the enrollment URL from a mobile device using Safari, they are guided through a series of steps to enroll the device.

iOS and iPadOS devices can be enrolled as institutionally owned or personally owned devices. This workflow describes how user-initiated enrollment can be used to enroll personally owned devices with Personal Device Profiles and institutionally owned devices. For more information on Personal Device Profiles, see Personal Device Profiles. For more information on how to enroll personally owned devices with User Enrollment, see User Enrollment for Mobile Devices.

  1. The user is prompted to enter credentials for an LDAP directory account, single sign-on (SSO) credentials, or Jamf Pro user account with user-initiated enrollment privileges, and then they must tap Log in.
    To allow users to use SSO credentials, you must integrate a third-party Identity Provider (IdP) and enable the Enable Single Sign-On for User-Initiated Enrollment setting. For more information, see Single Sign-On.

    images/download/attachments/80767749/Admin_login.png

    Note: If notified that the device cannot verify the identity of the Jamf Pro server when navigating to the enrollment URL, the user must proceed to the website to log in to the enrollment portal. This notification only appears if the Jamf Pro server uses an untrusted SSL certificate.

  2. The user is prompted to enter credentials for an LDAP directory account or a Jamf Pro user account with user-initiated enrollment privileges, and then they must tap Enroll.
    The login prompt is not displayed if the enrollment portal was accessed via an enrollment invitation for which the "Require Login" option is disabled. For more information about enrollment invitations, see User-Initiated Enrollment for Mobile Devices.

    images/download/attachments/80767749/Assign_to_user.png

  3. The user is prompted to enroll the device as a personally owned device or an institutionally owned device.
    This step is only displayed if both institutionally owned device enrollment and personally owned device enrollment are enabled in Jamf Pro.

    images/download/attachments/80767749/institutional_personal.png

    You can display a description to users who enroll a personally owned device. (For more information, see User-Initiated Enrollment Settings.)

    images/download/attachments/80767749/personal_description.png

    You can display a description to users who enroll an institutionally owned device. (For more information, see User-Initiated Enrollment Settings.)

    images/download/attachments/80767749/institutional_description.png

  4. When prompted, the user must choose the site that they are associated with.
    If the user is associated with multiple sites, they must select the site that will assign the appropriate settings to the device.
    If the user signed in with a Jamf Pro user account, they can assign an LDAP user to the device at this time.

    Note: To assign a user to a device, the Jamf Pro user account must have the "Assign Users to Mobile Devices" privilege.

    images/download/attachments/80767749/Site.png

  5. The user is prompted to continue to the CA certificate installation.
    images/download/attachments/80767749/CA_cert_continue.png

    Note: For mobile devices with iOS 11 or later, a pop-up window will display the following message: “This website is trying to open Settings to show you a configuration profile. Do you want to allow this?” The user must tap Allow. For devices with iOS 12.2 or later, the following additional message is displayed: "Complete installation of this profile in the Settings app." The user must tap Close, and then navigate to the Settings app to complete the installation.

  6. The user must tap Install to continue.

    images/download/attachments/80767749/CA_cert_install_2.PNG

  7. When notified that the profile will change settings on the device, the user must tap Install.
    If the device has a passcode, the user must enter the passcode.

    images/download/attachments/80767749/CA_cert_Warning.png

  8. To complete the installation, the user must tap Done.

    images/download/attachments/80767749/CA_cert_Done.png

  9. The user is prompted to continue to the MDM profile installation.
    Information about enrollment can be accessed by tapping the Information icon.

    images/download/attachments/80767749/Continue_MDM.png

    Note: For mobile devices with iOS 11 or later, a pop-up window will display the following message: “This website is trying to open Settings to show you a configuration profile. Do you want to allow this?” The user must tap Allow. For devices with iOS 12.2 or later, the following additional message is displayed: "Complete installation of this profile in the Settings app." The user must tap Close, and then navigate to the Settings app to complete the installation.

  10. The user must tap Install to continue.
    images/download/attachments/80767749/MDM_install.PNG

  11. When notified that installing the profile will change settings on the device, the user must tap Install.
    If the device has a passcode, the user must enter the passcode.

    images/download/attachments/80767749/MDM_2nd_install.PNG

  12. When notified that installing the profile will allow an administrator to remotely manage the device, the user must tap Install.

    images/download/attachments/80767749/Profile_Warning.png

  13. To complete the enrollment process, the user must tap Done.

    images/download/attachments/80767749/MDM_Profile_Done.png

  14. When the enrollment is complete, the device is enrolled with Jamf Pro.
    images/download/attachments/80767749/UIE_Complete.png

    If you chose to install Self Service for iOS, users are prompted to install the app from the App Store. For more information, see Jamf Self Service for iOS.
    images/download/attachments/80767749/Self_Service_Install.png

    Note: Apple has enabled an important security enhancement beginning with iOS 10.3. This security enhancement requires untrusted root certificates installed manually on unsupervised iOS devices to be manually trusted in Certificate Trust Settings during user-initiated enrollment, or installation of the MDM profile will fail. For more information, see the Changes in User-Initiated Enrollment with Untrusted Certificate Authority (CA) Signed SSL Certificates in iOS 10.3 and Later Knowledge Base article.

Copyright     Privacy Policy     Terms of Use     Security
© copyright 2002-2020 Jamf. All rights reserved.