Enrollment is the process of adding Mac computers to Jamf Pro. When computers are enrolled, inventory information for the computers is submitted to Jamf Pro.
Enrolling computers makes them managed by Jamf Pro. This allows you to perform inventory tasks, remote management, and configuration tasks on the computers. When you enroll computers, you can specify a local administrator account called the “management account” that you will use to manage them.
The management account can be used to perform the following tasks on the computer:
Enable FileVault using a policy (when SecureToken is enabled on the management account)
Add or remove users from FileVault using a policy (when SecureToken is enabled on the management account)
Generate a personal recovery key using a policy (when SecureToken is enabled on the management account)
Perform authenticated restarts using a policy (when SecureToken is enabled on the management account)
You must enable the management account in the User-Initiated Enrollment settings before the account can be created during enrollment. To enable the management account, you must enable user-initiated enrollment, and then configure the management account username and password. When configuring the management account password settings in the User-Initiated Enrollment settings, it is recommended that you choose the "Randomly generate passwords" option for maximum security, so that each enrolled computer gets its own management password rather than one static local administrator password shared across the fleet. You can see whether a computer is managed by the management account by viewing the Managed attribute field in the computer's inventory information.
There are two types of computer enrollment, each with its own set of methods for enrolling a computer:
Automated Device Enrollment—Automated Device Enrollment allows organizations to configure and manage devices from the moment the devices are removed from the box (known as zero-touch deployment). These devices become supervised, and the MDM profile can be configured to be unremovable by the user. Automated Device Enrollment is designed for devices owned by the organization. For more information, see Automated Device Enrollment into MDM in Apple's Deployment Reference for Mac.
Device Enrollment—Device Enrollment allows organizations to manually enroll devices and manage many different aspects of device use, including the ability to erase the device. If a user removes the MDM profile, all settings and apps that are being managed by the MDM solution are removed. For more information, see Device Enrollment into MDM in Apple's Deployment Reference for Mac.
Automated Device Enrollment for Computers
The only method you can use to enroll devices with Automated Device Enrollment and Jamf Pro is a PreStage enrollment. You can use a PreStage enrollment to customize the computer enrollment experience, distribute configuration profiles and packages during enrollment, and store setup settings in Jamf Pro to reduce the amount of time and interaction it takes to enroll computers with Jamf Pro. Using a PreStage enrollment, computers with macOS 10.10 or later can also be managed automatically. Before you can use a PreStage enrollment, you must enable user-initiated enrollment for macOS in Jamf Pro. For more information, see User-Initiated Enrollment Settings. For more information about how to enroll computers using a PreStage enrollment, see Computer PreStage Enrollments. This method is one way to achieve a User Approved MDM status. For more information about User Approved MDM and Jamf Pro, see the Managing User Approved MDM with Jamf Pro Knowledge Base article.
Note: This enrollment method requires an Apple School Manager or Apple Business Manager account. For more information, see Integrating with Automated Device Enrollment.
Device Enrollment for Computers
There are several methods you can use to enroll computers with Device Enrollment and Jamf Pro:
(Recommended) User-initiated enrollment—You can use the User-Initiated Enrollment settings to customize the enrollment experience for users, including the messaging that displays for each step of the enrollment process. Users can then enroll their own computers by logging in to a web-based enrollment portal and following the onscreen instructions. During enrollment, users are prompted to download either an MDM profile or QuickAdd package based on the computer's macOS version. The MDM profile method is one way to achieve a User Approved MDM status. For more information about User Approved MDM and Jamf Pro, see the Managing User Approved MDM with Jamf Pro Knowledge Base article.
Use a QuickAdd package created with Recon—You can use Recon to create a QuickAdd package that enrolls computers when it is installed. This type of QuickAdd package can be deployed using almost any deployment tool, such as Apple Remote Desktop or Jamf Pro. You can also give the QuickAdd package to users to install on their own.
Use the network scanner—You can remotely enroll multiple computers in specified IP ranges by using the network scanner in Recon. Recon scans the specified IP ranges and enrolls any computers that it can connect to over SSH (Remote Login).
Run Recon remotely on a single computer—If you know the IP address of the computer that you want to enroll and SSH (Remote Login) is enabled on the computer, you can enroll the computer by running Recon remotely.
Note: Because of increased user data protections with macOS 10.14 or later, you cannot enable remote management remotely using the SSH protocol. To enable remote management on computers with macOS 10.14 or later, the user must select the Screen Sharing checkbox in System Preferences.
Run Recon locally—If you have physical access to the computer that you want to enroll, you can run Recon locally on the computer.
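Whichever method is used, a practitioner usually wants to verify the result on the Mac itself: that the MDM profile is present and User Approved, whether the computer came in through Automated Device Enrollment, and that the management account described earlier actually holds a SecureToken on a FileVault-enabled volume (without which the FileVault and authenticated-restart policies listed above cannot run). The script below is an added example written for this page; it is not Jamf's own tooling. It relies only on built-in macOS commands (profiles, sysadminctl, fdesetup) plus the jamf binary that enrollment installs, and the management account short name jamfmanagement is a placeholder you must replace with your own. The parse_* helpers take command output as a string so they can be exercised offline on constructed samples; the live audit runs only as root on macOS.

```shell
#!/bin/sh
# Post-enrollment audit for a Mac managed by Jamf Pro (added example, not Jamf code).
# Assumption: MGMT_ACCOUNT holds the management account's short name (placeholder default).

MGMT_ACCOUNT="${MGMT_ACCOUNT:-jamfmanagement}"   # placeholder: replace with your management account

# Classify the output of `profiles status -type enrollment`.
# Prints "user-approved", "enrolled" (profile present but not User Approved) or "none".
parse_mdm_status() {
    case "$1" in
        *"MDM enrollment: Yes (User Approved)"*) printf 'user-approved\n' ;;
        *"MDM enrollment: Yes"*)                 printf 'enrolled\n' ;;
        *)                                       printf 'none\n' ;;
    esac
}

# Returns 0 when the same output shows the Mac was enrolled via Automated Device Enrollment.
parse_dep_enrolled() {
    case "$1" in
        *"Enrolled via DEP: Yes"*) return 0 ;;
        *)                         return 1 ;;
    esac
}

# Returns 0 when `sysadminctl -secureTokenStatus <user>` reports the token ENABLED.
parse_secure_token() {
    case "$1" in
        *"Secure token is ENABLED"*) return 0 ;;
        *)                           return 1 ;;
    esac
}

# Returns 0 when `fdesetup status` reports FileVault turned on.
parse_filevault_on() {
    case "$1" in
        *"FileVault is On"*) return 0 ;;
        *)                   return 1 ;;
    esac
}

# Live collection on the endpoint; exits non-zero if any expectation is not met.
audit_live() {
    rc=0
    enroll_out=$(profiles status -type enrollment 2>&1)
    token_out=$(sysadminctl -secureTokenStatus "$MGMT_ACCOUNT" 2>&1)   # sysadminctl reports on stderr
    fv_out=$(fdesetup status 2>&1)

    status=$(parse_mdm_status "$enroll_out")
    printf 'MDM enrollment:              %s\n' "$status"
    [ "$status" = "user-approved" ] || { echo "WARN: MDM profile is missing or not User Approved"; rc=1; }

    if parse_dep_enrolled "$enroll_out"; then
        printf 'Automated Device Enrollment: yes\n'
    else
        printf 'Automated Device Enrollment: no (enrolled with Device Enrollment)\n'
    fi

    if parse_filevault_on "$fv_out"; then
        printf 'FileVault:                   on\n'
    else
        printf 'FileVault:                   off\n'
    fi

    if parse_secure_token "$token_out"; then
        printf 'SecureToken for %s: enabled\n' "$MGMT_ACCOUNT"
    else
        printf 'SecureToken for %s: DISABLED (FileVault/authenticated-restart policies will fail)\n' "$MGMT_ACCOUNT"
        rc=1
    fi

    # The jamf binary is installed by enrollment; confirm it can still reach Jamf Pro.
    if [ -x /usr/local/bin/jamf ]; then
        /usr/local/bin/jamf checkJSSConnection || rc=1
    else
        echo "WARN: /usr/local/bin/jamf not found; enrollment may be incomplete"
        rc=1
    fi
    return $rc
}

if [ "$(uname)" = "Darwin" ] && [ "$(id -u)" -eq 0 ]; then
    audit_live
else
    printf 'Live audit skipped: run as root on macOS. Parsing helpers remain available.\n' >&2
fi
```

Run it with sudo on an enrolled Mac; a non-zero exit means at least one of the conditions the page's policies depend on (User Approved MDM, SecureToken on the management account, a reachable Jamf Pro) is not in place, which is the state to catch before relying on FileVault or authenticated-restart policies.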
For related information, see the following section in this guide:
Components Installed on Managed Computers
See a list of the components installed on managed computers and find out how to remove them.