Setting up Account-Driven User Enrollment
Setting up Account-Driven User Enrollment involves creating and hosting enrollment information in a JSON file on a web server. This allows devices to initiate a service discovery process to retrieve the information and direct the user to the Jamf Pro enrollment portal on their device.
Defining Jamf Pro Enrollment Information for Account-Driven User Enrollment
For a device to initiate the service discovery process and direct a user to the enrollment portal, the device must authenticate with the Jamf Pro server.
After the user signs in with their full Managed Apple ID, the following process occurs:
The device extracts the domain information (the information following the @ symbol) from the Managed Apple ID.
The device sends an HTTP request to the web server hosting the enrollment information, and authenticates with the Jamf Pro server.
Example: If the user Samantha Johnson signs in to a device with the Managed Apple ID samantha.johnson@mycompany.com, the device extracts mycompany.com and uses the service discovery process to make an HTTP request for the enrollment information that is hosted at mycompany.com. The device uses that information to redirect Samantha Johnson to the Jamf Pro enrollment portal.
For more information about the service discovery process, see this documentation from the Apple Developer website.
BaseURL
The full URL for your Jamf Pro instance followed by /servicediscoveryenrollment/v1/userenroll
Version
The enrollment version. Important: This must be defined as "mdm-byod".
The contents of the JSON file should look similar to the following:
{
"Servers": [
{
"Version":"mdm-byod",
"BaseURL":"https://JAMF_PRO_URL.org/servicediscoveryenrollment/v1/userenroll"
}
]
}
Hosting Jamf Pro Enrollment Information on a Web Server for Account-Driven User Enrollment
To host the Jamf Pro enrollment information on a web server, you must define the path to your server. If the verified domain you use for Managed Apple IDs is already configured to host files, you can host the enrollment information at this hosting location. If your environment is not configured to do so, you must set up a web server to host the information.
Jamf recommends consulting your internal web services and hosting team to help you complete this task.
The web server must have the same fully qualified domain name (FQDN) as the verified domain that the Managed Apple IDs belong to, and web services must be enabled.
The JSON file must be hosted on a server that supports HTTPS GET requests.
The SSL certificate for the web server must be issued by a trusted certificate authority. For a list of trusted root certificates on iOS devices, see Lists of available trusted root certificates in iOS from Apple's support website.
The resulting URL for the file must be similar to the following:
https://company.com/.well-known/com.apple.remotemanagement
In the above example, company.com must be the same verified domain that the Managed Apple IDs enrolling a device belong to.
You must configure the server to return the appropriate Content-Type header with the file. This must be the following:
Content-Type: application/json
Your server software may refer to this as "MIME type".
For more information about how to modify the MIME type, see the following documentation:
Adding Static Content MIME Mappings from Microsoft's documentation
Apache Module mod_mime from Apache's documentation
Full Example Configuration from NGINX's documentation
To verify that the file is reachable and served with the correct header, request it from the domain that hosts it:
curl -I https://JAMF_PRO_URL/.well-known/com.apple.remotemanagement
The command should print something similar to the following:
HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Day, 00 Month Year 00:00:00 GMT
Content-Type: application/json
Content-Length: 150
Last-Modified: Day, 00 Month Year 00:00:00 GMT
Connection: keep-alive
ETag: "xxxxxx-xxxxxx"
Accept-Ranges: bytes
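As an added example (not Jamf's code and not part of the original page), the following Python script derives the discovery URL from a Managed Apple ID as described in the service discovery section above, and checks a served file against the requirements listed in this section: the Content-Type header, the Servers array, the Version value and the BaseURL path and scheme. The sample bodies are constructed, and JAMF_PRO_URL.org is the page's own placeholder.

```python
import json
from typing import List
from urllib.parse import urlparse

WELL_KNOWN_PATH = "/.well-known/com.apple.remotemanagement"
ENROLL_PATH = "/servicediscoveryenrollment/v1/userenroll"


def discovery_url(managed_apple_id: str) -> str:
    """The part after '@' in the Managed Apple ID becomes the host of the well-known URL."""
    local, sep, domain = managed_apple_id.rpartition("@")
    if not (sep and local and domain):
        raise ValueError("expected a full Managed Apple ID such as user@domain")
    return f"https://{domain.lower()}{WELL_KNOWN_PATH}"


def check_enrollment_info(content_type: str, body: str) -> List[str]:
    """Return a list of problems with a served file; an empty list means it is acceptable."""
    problems = []
    media_type = content_type.split(";", 1)[0].strip().lower()
    if media_type != "application/json":
        problems.append(f"Content-Type is {content_type!r}, must be application/json")
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        return problems + [f"body is not valid JSON: {exc}"]
    servers = data.get("Servers") if isinstance(data, dict) else None
    if not isinstance(servers, list) or not servers:
        return problems + ["missing or empty 'Servers' array"]
    for i, server in enumerate(servers):
        if not isinstance(server, dict):
            problems.append(f"Servers[{i}] is not an object")
            continue
        if server.get("Version") != "mdm-byod":
            problems.append(f"Servers[{i}].Version must be 'mdm-byod'")
        url = urlparse(str(server.get("BaseURL", "")))
        if url.scheme != "https":
            problems.append(f"Servers[{i}].BaseURL must use https")
        if url.path != ENROLL_PATH:
            problems.append(f"Servers[{i}].BaseURL must end with {ENROLL_PATH}")
    return problems


# Constructed samples: one file as this page specifies, one with typical mistakes.
GOOD_BODY = ('{"Servers":[{"Version":"mdm-byod",'
             '"BaseURL":"https://JAMF_PRO_URL.org/servicediscoveryenrollment/v1/userenroll"}]}')
BAD_BODY = '{"Servers":[{"Version":"mdm","BaseURL":"http://JAMF_PRO_URL.org/enroll"}]}'

if __name__ == "__main__":
    print(discovery_url("samantha.johnson@mycompany.com"))
    print(check_enrollment_info("application/json", GOOD_BODY))         # []
    print(check_enrollment_info("application/octet-stream", BAD_BODY))  # 4 problems
```

To check a live host, pass the Content-Type header and body from the curl output above into check_enrollment_info.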
Account-Driven User Enrollment Experience
Account-Driven User Enrollment initializes when a user signs in to their device with a Managed Apple ID. After sign-in, users are redirected to your organization's enrollment portal and prompted to install the MDM profile on their device.
The text displayed in the enrollment portal may vary depending on which text or languages are customized for your organization with Jamf Pro's user-initiated enrollment settings.
If users are re-enrolling a device previously enrolled using a legacy Personal Device Profile, Jamf Pro recommends you remove the device's previous record from Jamf Pro before re-enrollment.
The following workflow describes how Account-Driven User Enrollment can be used to enroll personally owned mobile devices with Jamf Pro:
The user signs in to their device using a Managed Apple ID by navigating to :
The user is prompted to enter a Managed Apple ID:
Important: The user must enter the full Managed Apple ID. For example, "samantha.johnson@mycompany.com".
After the user enters the Managed Apple ID, the user taps Continue.
The enrollment portal displays and prompts the user to enter their Jamf Pro User Account, single sign-on credentials, or directory credentials (for example, LDAP).
After entering single sign-on or directory credentials, the user taps Log In.
The user is directed to the Settings app and enters their Managed Apple ID email address and password when prompted.
After entering the Managed Apple ID and password, the user taps Continue.
The user is prompted to allow remote management.
The MDM Profile downloads on the device when the user taps Allow Remote Management.