Account-Driven User Enrollment for Personally Owned Mobile Devices

You can allow users to enroll personally owned mobile devices with Jamf Pro using Account-Driven User Enrollment. When a user authenticates to their device with a Managed Apple ID, the enrollment process initializes. Users are redirected to the enrollment portal and prompted to install the MDM profile on their device.

Disclaimer: Personal device profiles have been deprecated and are no longer recommended as a method of enrolling personally owned devices. User Enrollment is the Apple-preferred method for enrolling personally owned devices in a Bring Your Own Device (BYOD) program. For information on enrolling personally owned iOS or iPadOS devices with Jamf Pro, see the Building a BYOD Program with User Enrollment and Jamf Pro technical paper. For legacy documentation about Personal Device Profiles, see version 10.27.0 or earlier of the Jamf Pro Administrator's Guide.

Before you can allow users to enroll personally owned mobile devices using Account-Driven User Enrollment, you must define the Jamf Pro enrollment information in a .JSON file and host it on a web server. This allows a device to initiate a service discovery process to retrieve the information and direct the user to the enrollment portal on their device.

General Requirements

Account-Driven User Enrollment applies to mobile devices with iOS 15 or later, or iPadOS 15 or later.

Managed Apple IDs must belong to a verified domain. For more information, see the following:

For a device to initiate the service discovery process, you must define Jamf Pro enrollment information in a .JSON file and host the information on a web server that is accessible to any device you want enrolled with Jamf Pro. If the verified domain you use for Managed Apple IDs is already configured to host files, you can host the enrollment information at this hosting location. If your environment is not configured to do so, you must set up a web server to host the information. The web server must have the same fully qualified domain name (FQDN) as the verified domain that the Managed Apple IDs belong to, and web services must be enabled.

Important: When setting up a web server to host Jamf Pro enrollment information, keep in mind the following:

  • The .JSON file must be hosted on a server which supports HTTPS GET requests.

  • The SSL certificate for the web server must be issued by a trusted certificate authority. For a list of trusted root certificates on iOS devices, see Lists of available trusted root certificates in iOS from Apple's support website.

To allow personally owned mobile devices to be enrolled using Account-Driven User Enrollment via user-initiated enrollment, you need the following:

Defining Jamf Pro Enrollment Information for Account-Driven User Enrollment

For a device to initiate the service discovery process and direct a user to the enrollment portal, the device must authenticate with the Jamf Pro server. After the user signs in with their full Managed Apple ID, the device extracts the domain information (information following the "@" symbol) from the Managed Apple ID, sends an HTTP request to the web server hosting the enrollment information, and authenticates with the Jamf Pro server. For example, if the user Samantha Johnson signs in to a device with the Managed Apple ID "samantha.johnson@mycompany.com", the device extracts "mycompany.com" and uses the service discovery process to make an HTTP request for the enrollment information that is hosted at mycompany.com. The device uses that information to direct Samantha Johnson to the enrollment portal.

For a device to authenticate with the Jamf Pro server, you must define the following information in the .JSON file:

  • BaseURL—This is the full URL for the Jamf Pro server followed by “/servicediscoveryenrollment/v1/userenroll”.

  • Version—This is the version of enrollment.

    Important: This must be defined as "mdm-byod".

When compiled, the file should look similar to the following:

{
  "Servers": [
    {
      "Version": "mdm-byod",
      "BaseURL": "https://myorganization.org/servicediscoveryenrollment/v1/userenroll"
    }
  ]
}

For more information about the service discovery process, see this documentation from the Apple Developer website.

Hosting Jamf Pro Enrollment Information on a Web Server for Account-Driven User Enrollment

To host the Jamf Pro enrollment information on a web server, you must define the path to your server. The resulting URL for the file must be similar to the following:

https://company.com/.well-known/com.apple.remotemanagement

Note: In the above example, "company.com" must be the same verified domain that the Managed Apple IDs belong to that are enrolling a device.

You must configure the server to return the appropriate Content-Type header with the file. This must be the following:

Content-Type is 'application/json'

Note: Your server software may refer to this as "MIME type".

Enrolling Personally Owned Mobile Devices with Account-Driven User Enrollment

To initiate the enrollment process, users must sign in with their Managed Apple ID. This action redirects the user to the enrollment portal, where they are prompted to install the MDM profile on their device.

Users can then log in to the enrollment portal using an LDAP directory account or a Jamf Pro user account. When a user logs in with an LDAP directory account, user and location information is submitted to Jamf Pro during enrollment. When a user logs in with a Jamf Pro user account, it allows an LDAP user to be assigned to the mobile device.

© copyright 2002-2021 Jamf. All rights reserved.