User Enrollment for Personally Owned Mobile Devices
You can allow users to enroll personally owned mobile devices by having them log in to an enrollment portal where they are prompted to install the MDM profile and certificates.
Disclaimer: Personal device profiles have been deprecated and are no longer recommended as a method of enrolling personally owned devices. User Enrollment is the Apple-preferred method for enrolling personally owned devices in a Bring Your Own Device (BYOD) program. For information on enrolling personally owned iOS or iPadOS devices with Jamf Pro, see the Building a BYOD Program with User Enrollment and Jamf Pro technical paper. For legacy documentation about Personal Device Profiles, see version 10.27.0 or earlier of the Jamf Pro Administrator's Guide.
Providing an Enrollment URL to Users
You can provide the enrollment URL to users in the way that best fits your environment.
Requirements
To allow personally owned mobile devices to be enrolled with user-initiated enrollment, you need:
- A push certificate in Jamf Pro (For more information, see Push Certificates.)
- User-initiated enrollment enabled (For more information, see User-Initiated Enrollment Settings.)
- Mobile devices with iOS 13.1 or later, or iPadOS 13.1 or later
- (LDAP login only) An LDAP server set up in Jamf Pro (For more information, see Integrating with LDAP Directory Services.)
Note: For mobile devices with iOS 10.3 or later, Apple has enabled an important security enhancement: untrusted root certificates that are installed manually on unsupervised iOS devices must also be manually trusted in Certificate Trust Settings during user-initiated enrollment. If the certificate is not trusted, installation of the MDM profile fails. For more information, see the Changes in User-Initiated Enrollment with Untrusted Certificate Authority (CA) Signed SSL Certificates in iOS 10.3 and Later Knowledge Base article.
Procedure
To direct users to the enrollment portal, you need to provide them with the enrollment URL. The enrollment URL is the full URL for the Jamf Pro server followed by “/enroll”. For example:
- https://instancename.jamfcloud.com/enroll (hosted in Jamf Cloud)
- https://jamf.instancename.com:8443/enroll (hosted on-premises)
Note: Users must use Safari to access the enrollment URL.
Users can log in to the enrollment portal using an LDAP directory account or a Jamf Pro user account. When a user logs in with an LDAP directory account, user and location information is submitted to Jamf Pro during enrollment. Logging in with a Jamf Pro user account allows an LDAP user to be assigned to the mobile device.
Related Information
For related information, see the following sections in this guide:
- User Enrollment Experience for Personally Owned Mobile Devices
  Learn about the steps users take to enroll mobile devices using User Enrollment.
- Components Installed on Mobile Devices
  Learn about the components installed on mobile devices during enrollment.
For related information, see the following sections in Apple's Mobile Device Management Settings:
- User Enrollment payload list
  Find out which payload settings can be applied to devices enrolled using User Enrollment.
- User Enrollment restrictions
  Find out which restrictions can be applied to devices enrolled using User Enrollment.