User-Initiated Enrollment for Mobile Devices

You can allow users to enroll mobile devices by having them log in to an enrollment portal where they are prompted to install the MDM profile and certificates. You can either choose to provide users with an enrollment URL in the way that best fits your environment or send an enrollment invitation to users.

General Requirements

To allow mobile devices to be enrolled with user-initiated enrollment, you need:

Note: For mobile devices with iOS 10.3 or later, Apple has enabled an important security enhancement that requires untrusted root certificates installed manually on unsupervised iOS devices to be manually trusted in Certificate Trust Settings during user-initiated enrollment, or installation of the MDM profile will fail. For more information, see the Changes in User-Initiated Enrollment with Untrusted Certificate Authority (CA) Signed SSL Certificates in iOS 10.3 and Later Knowledge Base article.

Providing an Enrollment URL to Users

To direct users to the enrollment portal, you need to provide them with the enrollment URL. The enrollment URL is the full URL for the Jamf Pro server followed by “/enroll”. For example:

  • (hosted in Jamf Cloud)

  • (hosted on-premise)

You can provide the enrollment URL to users in the way that best fits your environment.

Note: Users must use Safari to access the enrollment URL.

Users can log in to the enrollment portal using an LDAP directory account or a Jamf Pro user account. When a user logs in with an LDAP directory account, user and location information is submitted to Jamf Pro during enrollment. When a user logs in with a Jamf Pro user account, it allows an LDAP user to be assigned to the mobile device.

Sending a Mobile Device Enrollment Invitation for User-Initiated Enrollment

You can send an email or SMS invitation that contains the enrollment URL from Jamf Pro to one or more users enrolling institutionally owned mobile devices. Users tap the enrollment URL in the email or SMS message to access the enrollment portal. Enrollment invitations give you more control over user access to the enrollment portal by allowing you to do the following:

  • Set an expiration date for the invitation

  • Require users to log in to the portal

  • Allow multiple uses of the invitation

  • Add the mobile device to a site during enrollment

  • View the status of the invitation

Before you configure the invitation, make sure you have the email addresses or phone numbers of the users you want to send the invitation to.

Note: You cannot enroll personally owned devices with an enrollment invitation. You must provide the enrollment URL to those users by some other means.


To send an enrollment invitation to mobile devices, you need an SMTP server set up in Jamf Pro (For more information, see Integrating with an SMTP Server.).


  1. Log in to Jamf Pro.

  2. Click Devices at the top of the page.

  3. Click Enrollment Invitations.

  4. Click New images/download/thumbnails/81929751/Icon_New_Button.png .

  5. Select User-Initiated Enrollment as the enrollment method.

  6. Follow the onscreen instructions to send the enrollment invitation.

An enrollment invitation is immediately sent to the email addresses or phone numbers you specified.

You can view the status of the enrollment invitation in the list of invitations.

Viewing Mobile Device Enrollment Invitation Usage

You can view a list of mobile devices that were enrolled with a specific enrollment invitation.

  1. Log in to Jamf Pro.

  2. Click Devices at the top of the page.

  3. Click Enrollment Invitations.

  4. Click the enrollment invitation you want to view usage for.

  5. Click View Enrolled Mobile Devices images/download/thumbnails/80749108/preview-content.png .

A list of mobile devices enrolled with the invitation is displayed.

Related Information

For related information, see the following sections in this guide:

Copyright     Privacy Policy     Terms of Use     Security
© copyright 2002-2021 Jamf. All rights reserved.