User-Initiated Enrollment Settings

Enrollment is the process of adding computers and mobile devices to Jamf Pro. This establishes a connection between the computers and mobile devices and the Jamf Pro server. User-initiated enrollment allows users to initiate the enrollment process on their own by navigating to an enrollment URL. For example:

  • https://JAMF_PRO_URL.jamfcloud.com/enroll (hosted in Jamf Cloud)

  • https://JAMF_PRO_URL.com:8443/enroll (hosted on-premise)

Note:

Users must use Safari to access the enrollment URL on mobile devices.

Users can enroll the following:

  • Mac computers

  • Institutionally owned iOS and iPadOS devices

  • Personally owned iOS and iPadOS devices

Management Account Creation During Computer Enrollment

When you enroll computers, you must specify a local administrator account called the "management account". This is required for computers to be considered managed by Jamf Pro. However, actually creating the management account on computers is optional and is only required for some workflows. Create the management account only if you want to perform one or more of the following tasks on the computer (several of them are administered using a policy):

  • Screen sharing using Jamf Remote

  • Authenticating to initiate an SSH session using Jamf Remote, so that the computer checks in to Jamf Pro to run policies

  • Enrolling computers with macOS 10.15.7 or earlier using Recon, including creating a QuickAdd.pkg for Jamf binary enrollments

  • Enable FileVault using a policy (when SecureToken is enabled on the management account)

  • Add or remove users from FileVault using a policy (when SecureToken is enabled on the management account)

  • Generate a personal recovery key using a policy (when SecureToken is enabled on the management account)

  • Perform authenticated restarts using a policy (when SecureToken is enabled on the management account)

To enable the management account, you must enable user-initiated enrollment, and then configure the management account username and password. It is recommended that you choose the Randomly generate passwords option for maximum security. You can see if a computer is managed by the management account by viewing the Managed attribute field in the computer inventory information.

Important:

Jamf does not recommend using a common, known password for the management account or for logging in to computers locally. Additionally, you should not use the management account to log in to computers locally. If you need an account to log in locally to a computer, create a local administrator account for this purpose instead of using the management account. You can create a local administrator account using the following methods:

  • Configuring the Local Accounts payload of a policy

    For more information, see Local Accounts.

  • Configuring the local account in a computer PreStage enrollment

    For more information, see Computer PreStage Enrollments.

  • Creating a script
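As an added example for the "Creating a script" option above (this is not Jamf's code), the following POSIX shell script creates a dedicated local administrator account for local logins, so the management account itself is never used for that purpose. It assumes macOS with the sysadminctl tool (10.13 or later) and root privileges; the default short name localadmin, the full name, and the 24-character password length are assumed placeholders, and the password is generated from /dev/urandom at run time rather than being a common, known value baked into the script.

```shell
#!/bin/sh
# Added example, not Jamf's own code: create a dedicated local administrator
# account for local logins so the management account is never used for that.
# Assumptions: macOS with sysadminctl (10.13 or later), run as root; the
# default short name "localadmin" and full name are placeholders.
set -eu

# Short-name policy assumed here: lowercase letters, digits, underscore; 1-31 chars.
valid_username() {
    case "$1" in
        ''|*[!a-z0-9_]*) return 1 ;;
    esac
    [ "${#1}" -le 31 ]
}

# Generate a random alphanumeric password of the requested length (default 24)
# from /dev/urandom, so no shared, known password is written into the script.
gen_password() {
    LC_ALL=C tr -dc 'A-Za-z0-9' < /dev/urandom | head -c "${1:-24}"
}

# Create the account if it does not already exist. The name is validated
# before any system command runs; an existing account is left untouched.
create_local_admin() {
    user="$1"
    fullname="$2"
    password="$3"
    if ! valid_username "$user"; then
        echo "invalid account name: $user" >&2
        return 1
    fi
    if id "$user" >/dev/null 2>&1; then
        echo "account $user already exists; nothing to do" >&2
        return 0
    fi
    # -admin adds the new user to the local admin group.
    sysadminctl -addUser "$user" -fullName "$fullname" -password "$password" -admin
}

main() {
    user="${1:-localadmin}"
    fullname="${2:-Local Administrator}"
    if [ "$(id -u)" -ne 0 ]; then
        echo "run as root" >&2
        return 1
    fi
    password="$(gen_password 24)"
    create_local_admin "$user" "$fullname" "$password"
    # The generated password is printed exactly once; escrow it in your
    # password manager immediately, because it is stored nowhere else.
    printf 'created %s; password: %s\n' "$user" "$password"
}

# Only act on macOS; elsewhere the functions are merely defined for reuse.
if [ "$(uname -s)" = "Darwin" ]; then
    main "$@"
fi
```

Run it as root on the Mac (for example from a policy's script payload) with an optional short name and full name as arguments; it refuses invalid names before touching the system and is safe to re-run because an existing account is detected and skipped.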

Enrollment of Personally Owned Mobile Devices

Personally owned mobile devices can be enrolled with Jamf Pro using Account-Driven User Enrollment (applies to iOS 15 or later, or iPadOS 15 or later) or User Enrollment (applies to iOS 13.1 or later, or iPadOS 13.1 or later). Both methods are designed to keep corporate data safe on devices while protecting users' privacy. Enrolling personally owned devices keeps personal and institutional data separate by associating a personal Apple ID with personal data and a Managed Apple ID with corporate data. This allows for a limited management of devices using a set of configurations that associate management with the user, not the entire device. The user can access their corporate data without the administrator erasing, modifying, or viewing personal data. This separation allows users to keep their personal data protected and intact once the device is removed from Jamf Pro, while the corporate data is deleted. For more information on User Enrollment management capabilities, see Mobile Device Management Capabilities.

To create Managed Apple IDs, you must either use federated authentication to link Apple School Manager or Apple Business Manager to your instance of Microsoft Azure Active Directory (AD) or create them manually in Apple School Manager or Apple Business Manager. For more information, see the following Apple documentation:

Disclaimer:

Personal device profiles have been deprecated and are no longer recommended as a method of enrolling personally owned devices. User Enrollment is the Apple-preferred method for enrolling personally owned devices in a Bring Your Own Device (BYOD) program. For information on enrolling personally owned iOS or iPadOS devices with Jamf Pro, see the Building a BYOD Program with User Enrollment and Jamf Pro technical paper. For legacy documentation about Personal Device Profiles, see version 10.27.0 or earlier of the Jamf Pro Administrator's Guide.

Configuring the User-Initiated Enrollment Settings

  1. In Jamf Pro, click Settings in the top-right corner of the page.
  2. In the Global Management section, click User-Initiated Enrollment.
  3. Click Edit.
  4. Use the General pane to configure settings as needed for restricting re-enrollment, skipping certificate installation, or uploading a third-party signing certificate to be used during enrollment.
    Note:

    The certificate installation step is skipped by default.

  5. On the Messaging pane, do the following to customize the text displayed on devices during the enrollment experience and add languages. You can use Markdown in the text fields to help customize the messages that will be displayed to your end users. For information about how to use Markdown to customize the messages, see the Using Markdown to Format Text article.
    1. Do one of the following:
      • To add a language, click Add and then choose the language from the Language pop-up menu.

        Note:

        English is the default language if the device does not have a preferred language set on it.

      • To customize the text for a language already listed, click Edit next to the language.

    2. In the Page Title for Enrollment field, enter a page title to display at the top of all enrollment pages.
    3. On the Login tab, use the fields provided to customize how you want the Login page to be displayed to users.
      Note:

      This is the only tab that you can customize for Account-Driven User Enrollment.

    4. (Mobile devices only) Click the Device Ownership tab and use the fields provided to customize the text that is displayed to users based on their device ownership type. The text displayed, and the enrollment page on which it displays, depend on the enrollment options that you enable:
      • If you are enabling user-initiated enrollment for both institutionally owned and personally owned mobile devices—Customize the text that prompts users to choose the appropriate device ownership type, and customize the device management description that explains the IT management capabilities for each device ownership type. When users select the personal or institutional device ownership type, the respective device management description is displayed.

      • If you are enabling user-initiated enrollment for personally owned devices only—Customize the device management description that explains the IT management capabilities for personal device ownership. This description is accessible to users by tapping the Information icon displayed on the Personal MDM Profile page during enrollment.

    5. Click the End User License Agreement tab and use the fields provided to specify an End User License Agreement (EULA) for personally owned devices. If the EULA fields are left blank, a EULA page is not displayed to users during enrollment.
    6. Click the Sites tab and use the fields provided to customize the message that prompts users to choose a site.
      If a user logs in with a Jamf Pro user account, they can assign an LDAP user to the computer or mobile device.

      If you have more than one site in Jamf Pro and have entered information on the Messaging pane in Personal Device Profiles in Jamf Pro, this information is displayed to users when they are prompted to choose a site.
      Note:

      This setting does not apply to User Enrollment.

    7. (Mobile devices only) Click the Certificate tab and use the fields provided to customize the message that prompts users to install the CA certificate for mobile devices to trust at enrollment.
    8. (Institutionally owned devices only) Click the Institutional Device > MDM Profile tab and use the fields provided to customize the message that prompts users to install the MDM profile for institutionally owned devices.
    9. (Personally owned devices only) Click the Personal MDM Profile tab and use the fields provided to customize the message that prompts users to install the MDM profile for devices enrolled using Personal Device Profiles.
    10. (User Enrollment only) Click the User Enrollment MDM Profile tab and use the fields provided to customize the message that prompts users to install the MDM profile, including guidance for users on what to enter for their Managed Apple ID.
    11. (Computers only) Click the QuickAdd Package tab and use the fields provided to customize the message that prompts users to download and install the QuickAdd package.
    12. Click the Complete tab and use the fields provided to customize the messages that are displayed to users if enrollment is successful or fails.
    13. Click Save.
  6. Use the Platforms pane to enable user-initiated enrollment and configure the enrollment settings for each platform as needed.
    Note:

    If you have personally owned devices currently enrolled in Jamf Pro using a Personal Device Profile, enabling Account-Driven User Enrollment or User Enrollment does not remove them from management.

  7. Use the Access pane to specify whether an LDAP group has access to enroll mobile devices using an enrollment URL without an invitation. When sites are defined in Jamf Pro, you can choose a site to display to LDAP user groups during enrollment.
    Note:

    If an LDAP user belongs to more than one LDAP user group in Jamf Pro, the user can choose from the sites you assigned to each of the groups that user belongs to.

  8. Click Save.