Setting up Account-Driven User Enrollment

Setting up Account-Driven User Enrollment involves creating and hosting enrollment information in a JSON file on a web server. This allows devices to initiate a service discovery process to retrieve the information and direct the user to the Jamf Pro enrollment portal on their device.

Defining Jamf Pro Enrollment Information for Account-Driven User Enrollment

For a device to initiate the service discovery process and direct a user to the enrollment portal, the device must authenticate with the Jamf Pro server.

After the user signs in with their full Managed Apple ID, the following process occurs:

  1. The device extracts the domain information (the part following the @ symbol) from the Managed Apple ID.

  2. The device sends an HTTP request to the web server hosting the enrollment information, and authenticates with the Jamf Pro server.

    Example:

    If the user Samantha Johnson signs in to a device with the Managed Apple ID samantha.johnson@mycompany.com, the device extracts mycompany.com and uses the service discovery process to make an HTTP request for the enrollment information that is hosted at mycompany.com.

  3. The device uses that information to redirect Samantha Johnson to the Jamf Pro enrollment portal.

For more information about the service discovery process, see this documentation from the Apple Developer website.

For a device to authenticate with the Jamf Pro server, you must create a JSON file named com.apple.remotemanagement and define the following properties in it:

  BaseURL
    The full URL for your Jamf Pro instance followed by /servicediscoveryenrollment/v1/userenroll

  Version
    The enrollment version.

    Important:

    This must be defined as "mdm-byod".

The contents of the JSON file should look similar to the following:

{
  "Servers": [
    {
      "Version": "mdm-byod",
      "BaseURL": "https://JAMF_PRO_URL.org/servicediscoveryenrollment/v1/userenroll"
    }
  ]
}

Hosting Jamf Pro Enrollment Information on a Web Server for Account-Driven User Enrollment

To host the Jamf Pro enrollment information on a web server, you must define the path to your server. If the verified domain you use for Managed Apple IDs is already configured to host files, you can host the enrollment information at this hosting location. If your environment is not configured to do so, you must set up a web server to host the information.

Note:

Jamf recommends consulting your internal web services and hosting team to help you complete this task.

Requirements
  • The web server must have the same fully qualified domain name (FQDN) as the verified domain that the Managed Apple IDs belong to, and web services must be enabled.

  • The JSON file must be hosted on a server which supports HTTPS GET requests.

  • The SSL certificate for the web server must be issued by a trusted certificate authority. For a list of trusted root certificates on iOS devices, see Lists of available trusted root certificates in iOS from Apple's support website.

The resulting URL for the file must be similar to the following:

https://company.com/.well-known/com.apple.remotemanagement

Note:

In the above example, company.com must be the same verified domain that the Managed Apple IDs belong to that are enrolling a device.

You must configure the server to return the appropriate Content-Type header with the file. This must be the following:

Content-Type: application/json

Note:

Your server software may refer to this as "MIME type".

For more information about how to modify the MIME type, see the following documentation:

To verify that the JSON file is hosted correctly and served with the required headers, execute the following (the host is the verified domain that the Managed Apple IDs belong to):
curl -I https://JAMF_PRO_URL/.well-known/com.apple.remotemanagement

The command should print something similar to the following:

HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Day, 00 Month Year 00:00:00 GMT
Content-Type: application/json
Content-Length: 150
Last-Modified: Day, 00 Month Year 00:00:00 GMT
Connection: keep-alive
ETag: "xxxxxx-xxxxxx"
Accept-Ranges: bytes
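The following script is an added example (not Jamf's or Apple's code) that ties together the two things described above: how a device derives the service discovery URL from the domain of a Managed Apple ID, and what a correctly hosted com.apple.remotemanagement response must contain (HTTP 200, a Content-Type of application/json, and a "Servers" entry with Version "mdm-byod" and an HTTPS BaseURL ending in /servicediscoveryenrollment/v1/userenroll). The response it checks is constructed inline, modelled on the curl output shown above, so it runs without network access; the function names and the jamf.example.com host are assumptions for the example. The optional check_hosted_file helper performs the same validation against a live server.

```python
"""Offline validator for an Account-Driven User Enrollment discovery file.

Added example, not part of the Jamf Pro documentation or product code.
"""
import json
from urllib.parse import urlparse

WELL_KNOWN_PATH = "/.well-known/com.apple.remotemanagement"
ENROLL_PATH = "/servicediscoveryenrollment/v1/userenroll"
REQUIRED_VERSION = "mdm-byod"


def discovery_url(managed_apple_id: str) -> str:
    """Derive the service discovery URL from the domain part of the account.

    The device takes everything after the @ and requests the well-known file
    over HTTPS from that host, so the file must live on the verified domain.
    """
    local, sep, domain = managed_apple_id.strip().partition("@")
    if not sep or not local or not domain:
        raise ValueError("a full Managed Apple ID (user@domain) is required")
    return f"https://{domain.lower()}{WELL_KNOWN_PATH}"


def validate_enrollment_response(status: int, headers: dict, body: str) -> list:
    """Return a list of problems; an empty list means the hosted file is usable."""
    problems = []
    if status != 200:
        problems.append(f"expected HTTP 200, got {status}")
    # Header names are case-insensitive; ignore any charset parameter.
    ctype = {k.lower(): v for k, v in headers.items()}.get("content-type", "")
    if ctype.split(";")[0].strip().lower() != "application/json":
        problems.append(f"Content-Type must be application/json, got {ctype!r}")
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        return problems + [f"body is not valid JSON: {exc}"]
    servers = data.get("Servers") if isinstance(data, dict) else None
    if not isinstance(servers, list) or not servers:
        return problems + ['JSON must contain a non-empty "Servers" list']
    for i, server in enumerate(servers):
        if not isinstance(server, dict):
            problems.append(f"Servers[{i}] must be an object")
            continue
        if server.get("Version") != REQUIRED_VERSION:
            problems.append(f'Servers[{i}].Version must be "{REQUIRED_VERSION}"')
        url = urlparse(server.get("BaseURL", ""))
        if url.scheme != "https":
            problems.append(f"Servers[{i}].BaseURL must use https")
        if not url.path.endswith(ENROLL_PATH):
            problems.append(f"Servers[{i}].BaseURL must end with {ENROLL_PATH}")
    return problems


def check_hosted_file(managed_apple_id: str) -> list:
    """Fetch the discovery file for the account's domain and validate it (needs network)."""
    import urllib.request
    with urllib.request.urlopen(discovery_url(managed_apple_id), timeout=10) as resp:
        return validate_enrollment_response(resp.status, dict(resp.headers), resp.read().decode())


# Constructed sample response, modelled on the curl -I output in the text.
SAMPLE_STATUS = 200
SAMPLE_HEADERS = {"Server": "nginx/1.18.0 (Ubuntu)", "Content-Type": "application/json"}
SAMPLE_BODY = json.dumps({"Servers": [{
    "Version": "mdm-byod",
    "BaseURL": "https://jamf.example.com/servicediscoveryenrollment/v1/userenroll",
}]})

# Constructed misconfiguration: the same file served with the wrong MIME type.
BAD_HEADERS = {"Content-Type": "text/plain"}

if __name__ == "__main__":
    print(discovery_url("samantha.johnson@mycompany.com"))
    print("good:", validate_enrollment_response(SAMPLE_STATUS, SAMPLE_HEADERS, SAMPLE_BODY))
    print("bad: ", validate_enrollment_response(200, BAD_HEADERS, SAMPLE_BODY))
```

Running the script prints the discovery URL for the example account, an empty problem list for the correctly hosted file, and a single Content-Type complaint for the misconfigured one, which is the failure the curl check above is meant to surface.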

Account-Driven User Enrollment Experience

Account-Driven User Enrollment initializes when a user signs in to their device with a Managed Apple ID. After sign-in, users are redirected to your organization's enrollment portal and prompted to install the MDM profile on their device.

The text displayed in the enrollment portal may vary depending on which text or languages are customized for your organization with Jamf Pro's user-initiated enrollment settings.

Note:

If users are re-enrolling a device previously enrolled using a legacy Personal Device Profile, Jamf Pro recommends you remove the device's previous record from Jamf Pro before re-enrollment.

The following workflow describes how Account-Driven User Enrollment can be used to enroll personally owned mobile devices with Jamf Pro:

  1. The user signs in to their device using a Managed Apple ID by navigating to Settings > General > VPN & Device Management > Sign In to Work or School Account.

  2. The user is prompted to enter a Managed Apple ID.

    Important:

    The user must enter the full Managed Apple ID. For example, "samantha.johnson@mycompany.com"

    After the user enters the Managed Apple ID, the user taps Continue.

  3. The enrollment portal displays and prompts the user to enter their Jamf Pro User Account, single sign-on credentials, or directory credentials (for example, LDAP).

    After entering single sign-on or directory credentials, the user taps Log In.

  4. The user is directed to the Settings app and enters their Managed Apple ID email address and password when prompted.

    After entering the Managed Apple ID and password, the user taps Continue.

  5. The user is prompted to allow remote management.

    The MDM Profile downloads on the device when the user taps Allow Remote Management.