User-Initiated Enrollment Experience for Institutionally Owned Mobile Devices

When a user accesses the enrollment URL from an institutionally owned iOS or iPadOS device using Safari, they are guided through a series of steps to enroll the device.

Note: Personally owned devices must be enrolled using User Enrollment. For information, see User Enrollment for Personally Owned Mobile Devices.

The following workflow describes how user-initiated enrollment can be used to enroll institutionally owned mobile devices:

  1. The user is prompted to enter credentials for an LDAP directory account, single sign-on (SSO) credentials, or Jamf Pro user account with user-initiated enrollment privileges, and then they must tap Log in.
    To allow users to use SSO credentials, you must integrate a third-party Identity Provider (IdP) and select the Enable Single Sign-On for User-Initiated Enrollment setting. For more information, see Single Sign-On.

    Note: If notified that the device cannot verify the identity of the Jamf Pro server when navigating to the enrollment URL, the user must proceed to the website to log in to the enrollment portal. This notification only appears if the Jamf Pro server uses an untrusted SSL certificate.

  2. The user is prompted to enroll the device as a personally owned device or an institutionally owned device.
    This step is only displayed if both institutionally owned device enrollment and personally owned device enrollment are enabled in Jamf Pro.

    You can display a description to users who enroll an institutionally owned device. For more information, see User-Initiated Enrollment Settings.

  3. When prompted, the user must choose the site that they are associated with.
    If the user is associated with multiple sites, they must select the site that will assign the appropriate settings to the device.
    If the user signed in with a Jamf Pro user account, they can assign an LDAP user to the device at this time.

    Note: To assign a user to a device, the Jamf Pro user account must have the "Assign Users to Mobile Devices" privilege.

  4. The user is prompted to continue to the CA certificate installation.

    Note: For mobile devices with iOS 11 or later, a pop-up window will display the following message: "This website is trying to open Settings to show you a configuration profile. Do you want to allow this?" The user must tap Allow. For devices with iOS 12.2 or later, the following additional message is displayed: "Complete installation of this profile in the Settings app." The user must tap Close, and then navigate to the Settings app to complete the installation.

  5. The user must tap Install to continue.

  6. When notified that the profile will change settings on the device, the user must tap Install.
    If the device has a passcode, the user must enter the passcode.

  7. To complete the installation, the user must tap Done.

  8. The user is prompted to continue to the MDM profile installation.
    Information about enrollment can be accessed by tapping the Information icon.

    Note: For mobile devices with iOS 11 or later, a pop-up window will display the following message: "This website is trying to open Settings to show you a configuration profile. Do you want to allow this?" The user must tap Allow. For devices with iOS 12.2 or later, the following additional message is displayed: "Complete installation of this profile in the Settings app." The user must tap Close, and then navigate to the Settings app to complete the installation.

  9. The user must tap Install to continue.

  10. When notified that installing the profile will change settings on the device, the user must tap Install.
    If the device has a passcode, the user must enter the passcode.

  11. When notified that installing the profile will allow an administrator to remotely manage the device, the user must tap Install.

  12. To complete the enrollment process, the user must tap Done.

  13. When the enrollment is complete, the device is enrolled with Jamf Pro.

    If you chose to install Self Service for iOS, users are prompted to install the app from the App Store.

    Note: Apple has enabled an important security enhancement beginning with iOS 10.3. This security enhancement requires untrusted root certificates installed manually on unsupervised iOS devices to be manually trusted in Certificate Trust Settings during user-initiated enrollment, or installation of the MDM profile will fail. For more information, see the Changes in User-Initiated Enrollment with Untrusted Certificate Authority (CA) Signed SSL Certificates in iOS 10.3 and Later article.

© copyright 2002-2021 Jamf. All rights reserved.