Computer Enrollment Methods

Enrollment is the process of adding Mac computers to Jamf Pro. When computers are enrolled, inventory information for the computers is submitted to Jamf Pro.

Enrolling computers makes them managed by Jamf Pro. This allows you to perform inventory tasks, remote management, and configuration tasks on the computers.

There are two types of computer enrollment, with various methods to enroll a computer using that type:

  • Automated Device Enrollment

    Automated Device Enrollment allows organizations to configure and manage devices from the moment the devices are removed from the box (known as zero-touch deployment). These devices become supervised, and the MDM profile can be configured to be irremovable by the user. Automated Device Enrollment is designed for devices owned by the organization.

  • Device Enrollment

    Device Enrollment allows organizations to manually enroll devices and manage many different aspects of device use, including the ability to erase the device. If a user removes the MDM profile, all settings and apps that are being managed by the MDM solution are removed. For more information on enrollment types, see Apple device enrollment types and MDM in Apple Platform Deployment.

Automated Device Enrollment for Computers

The only method you can use to enroll devices with Automated Device Enrollment and Jamf Pro is a PreStage enrollment. You can use a PreStage enrollment to customize the computer enrollment experience. For more information, see Computer PreStage Enrollments.

This method is one way to achieve a User Approved MDM status. For more information about User Approved MDM and Jamf Pro, see the Managing User Approved MDM with Jamf Pro article.

Note:

This enrollment method requires an Apple School Manager or Apple Business Manager account. For more information, see Automated Device Enrollment Integration.

Device Enrollment for Computers

There are several methods you can use to enroll computers with Device Enrollment and Jamf Pro:

  • (Recommended) User-Initiated Enrollment for Computers

    You can use the User-Initiated Enrollment settings to customize the enrollment experience for users, including the messaging that displays for each step of the enrollment process. Users can then enroll their own computers by logging in to a web-based enrollment portal and following the onscreen instructions. During enrollment, users are prompted to download either an MDM profile or QuickAdd package based on the computer's macOS version. The MDM profile method is one way to achieve a User Approved MDM status. For more information about User Approved MDM and Jamf Pro, see the

    Managing User Approved MDM with Jamf Pro

    article.

  • QuickAdd Packages Created Using Recon

    You can use Recon to create a QuickAdd package that enrolls computers when it is installed. This type of QuickAdd package can be deployed using almost any deployment tool, such as Apple Remote Desktop or Jamf Pro. You can also give the QuickAdd package to users to install on their own.

  • Enrolling Multiple Computers Using the Recon Network Scanner

    You can remotely enroll multiple computers in specified IP ranges by using the network scanner in Recon. Recon scans the specified IP ranges and enrolls any computers that it can connect to over SSH (Remote Login).

  • Enrolling a Computer by Running Recon Remotely

    If you know the IP address of the computer that you want to enroll and SSH (Remote Login) is enabled on the computer, you can enroll the computer by running Recon remotely.

    Note:

    Because of increased user data protections with macOS 10.14 or later, you cannot enable remote management remotely using the SSH protocol. To enable remote management on computers with macOS 10.14 or later, the user must select the Screen Sharing checkbox in System Preferences.

  • Enrolling a Computer by Running Recon Locally

    If you have physical access to the computer that you want to enroll, you can run Recon locally on the computer.