User-Initiated Enrollment Settings

Enrollment is the process of adding computers and mobile devices to Jamf Pro. This establishes a connection between the computers and mobile devices and the Jamf Pro server. User-initiated enrollment allows users to initiate the enrollment process on their own by navigating to an enrollment URL. For example:

  • https://instancename.jamfcloud.com/enroll (hosted in Jamf Cloud)

  • https://jss.instancename.com:8443/enroll (hosted on-premise)

Note: Users must use Safari to access the enrollment URL on mobile devices.

Users can enroll the following:

  • Mac computers

  • Institutionally owned iOS and iPadOS devices

  • Personally owned iOS and iPadOS devices

Enrollment of Personally Owned Mobile Devices

Personally owned mobile devices can be enrolled using a Personal Device Profile or User Enrollment. User Enrollment will be replacing Personal Device Profiles as Apple's preferred method for enrolling personally owned devices in a Bring Your Own Device (BYOD) program. Personal Device Profiles will be deprecated in a future release. While you can continue to manage devices enrolled using a Personal Device Profile, any personal devices not yet enrolled in Jamf Pro should be enrolled using User Enrollment. For more information on how to migrate from Personal Device Profiles to User Enrollment, see the Building a BYOD Program with User Enrollment and Jamf Pro technical paper.

User Enrollment is designed to keep corporate data safe on devices with iOS 13.1 and iPadOS 13.1 or later while protecting users' privacy. User Enrollment keeps personal and institutional data separate by associating a personal Apple ID with personal data and a Managed Apple ID with corporate data. This allows limited management of devices using a set of configurations that associate management with the user, not the entire device. The user can access their corporate data without the administrator erasing, modifying, or viewing personal data. This separation allows users to keep their personal data protected and intact once the device is removed from Jamf Pro, while the corporate data is deleted. For more information on User Enrollment management capabilities, see Mobile Device Management Capabilities.

To create Managed Apple IDs, you must either use federated authentication to link Apple School Manager or Apple Business Manager to your instance of Microsoft Azure Active Directory (AD) or create them manually in Apple School Manager or Apple Business Manager. For more information, see the following Apple documentation:

Configuring the User-Initiated Enrollment Settings

Requirements

For computers with macOS 10.12.6 or earlier, if you choose to sign the QuickAdd package, you need:

Procedure

  1. Log in to Jamf Pro.

  2. In the top-right corner of the page, click Settings.

  3. Click Global Management.

  4. Click User-Initiated Enrollment.

  5. Click Edit.

  6. Use the General pane to configure settings as needed for restricting re-enrollment, skipping certificate installation, or uploading a third-party signing certificate to be used during enrollment.

    Note: The certificate installation step is skipped by default.

  7. On the Messaging pane, do the following to customize the text displayed on devices during the enrollment experience and add languages:

    1. Do one of the following:

      • To add a language, click Add and then choose the language from the Language pop-up menu.

        Note: English is the default language if the device does not have a preferred language set on it.

      • To customize the text for a language already listed, click Edit next to the language.

    2. In the Page Title for Enrollment field, enter a page title to display at the top of all enrollment pages.

    3. On the Login tab, use the fields provided to customize how you want the Login page to be displayed to users.

    4. (Mobile devices only) Click the Device Ownership tab and use the fields provided to customize the text that is displayed to users based on their device ownership type. The text displayed and the enrollment page on which the text displays depend on the enrollment options that you enable:

      • If you are enabling user-initiated enrollment for both institutionally owned and personally owned mobile devices—Customize the text that prompts users to choose the appropriate device ownership type, and customize the device management description that explains the IT management capabilities for each device ownership type. When users select the personal or institutional device ownership type, the respective device management description is displayed.

      • If you are enabling user-initiated enrollment for personally owned devices only—Customize the device management description that explains the IT management capabilities for personal device ownership. This description is accessible to users by tapping the Information icon displayed on the Personal MDM Profile page during enrollment.

    5. Click the End User License Agreement tab and use the fields provided to specify an End User License Agreement (EULA) for personally owned devices. If the EULA fields are left blank, a EULA page is not displayed to users during enrollment.

    6. Click the Sites tab and use the fields provided to customize the message that prompts users to choose a site.
      If a user logs in with a Jamf Pro user account, they can assign an LDAP user to the computer or mobile device.
      If you have more than one site in Jamf Pro and have entered information on the Messaging pane in Personal Device Profiles in Jamf Pro, this information is displayed to users when they are prompted to choose a site. For more information, see Personal Device Profiles.

      Note: This setting does not apply to User Enrollment.

    7. (Mobile devices only) Click the Certificate tab and use the fields provided to customize the message that prompts users to install the CA certificate for mobile devices to trust at enrollment.

    8. (Institutionally owned devices only) Click the Institutional Device MDM Profile tab and use the fields provided to customize the message that prompts users to install the MDM profile for institutionally owned devices.

    9. (Personally owned devices only) Click the Personal MDM Profile tab and use the fields provided to customize the message that prompts users to install the MDM profile for devices enrolled using Personal Device Profiles.

    10. (User Enrollment only) Click the User Enrollment MDM Profile tab and use the fields provided to customize the message that prompts users to install the MDM profile, including guidance for users on what to enter for their Managed Apple ID.

    11. (Computers only) Click the QuickAdd Package tab and use the fields provided to customize the message that prompts users to download and install the QuickAdd package.

    12. Click the Complete tab and use the fields provided to customize the messages that are displayed to users if enrollment is successful or fails.

    13. Click Save.

  8. Use the Platforms pane to enable user-initiated enrollment and configure the enrollment settings for each platform as needed.

    Note: If you have personally owned devices currently enrolled in Jamf Pro using a Personal Device Profile, enabling User Enrollment does not remove them from management.

  9. Use the Access pane to specify whether an LDAP group has access to enroll mobile devices using an enrollment URL without an invitation. When sites are defined in Jamf Pro, you can choose a site to display to LDAP user groups during enrollment.

    Note: If an LDAP user belongs to more than one LDAP user group in Jamf Pro, the user will have the option to select the sites you assign to each group that user belongs to.

  10. Click Save.

Related Information

For related information, see the following sections in this guide:

For related information on User Enrollment, see User Enrollment into MDM in Apple's Deployment Reference for iPhone and iPad.

© copyright 2002-2020 Jamf. All rights reserved.