Using Apple Configurator 2.5 or Later to Prepare Mobile Devices for Automated Device Enrollment

Beginning with Apple Configurator 2.5, you can add mobile devices to your Apple deployment account regardless of where they were purchased. If you already use Automated Device Enrollment and want to supervise mobile devices that were purchased outside of your Apple deployment account, this workflow allows you to enroll any iPad, iPhone, or Apple TV with Automated Device Enrollment, and then with Jamf Now.

Apple Configurator 2 is a free program from Apple that helps you configure devices. For more information about Apple Configurator 2, see the Apple Configurator 2 User Guide.

Note:

You can also prepare Mac computers for Automated Device Enrollment with Apple Configurator for iPhone. For more information, see the Apple Configurator User Guide.

Requirements
  • Ensure that you are registered in Apple Business Manager or Apple School Manager, and that this account is linked with Jamf Now. For more information, see Setting Up Automated Device Enrollment.
  • Back up the device with iCloud, and then wipe the device to restore it to factory defaults. You can restore the device using Apple Configurator 2.
  • Turn off Find My iPhone from the Settings app to disable Activation Lock.
  • Confirm that the device has a valid network connection.
  1. Connect your device to a computer with a Lightning-to-USB cable for iPad or iPhone, or an ethernet cable for Apple TV.
  2. If the Trust This Computer? pop-up window occurs, tap Trust.
  3. Open Apple Configurator 2.5 or later and do the following:
    • Ensure you are not signed in to Apple Configurator's Accounts menu with your Apple Business Manager or Apple School Manager account credentials. If you are, Jamf Now's ability to enroll new devices and install managed apps will be disrupted.

    • Verify that the device is displayed and that it is not currently supervised.

    • Note the device's serial number (available from the Info view in Apple Configurator 2). You will need it later to assign the device to the MDM server synced with Jamf Now.

  4. Select the device and click Prepare.
  5. In the Prepare Devices dialog box:
    1. Select the Prepare with Manual Configuration and Add to Apple School Manager or Apple Business Manager checkboxes.
    2. Do not select the Activate and Complete Enrollment or Enable Shared iPad checkboxes.
    3. "Supervise Device" will automatically be selected. Leave it selected.
    4. (Optional) We recommend you also select "Allow devices to pair with other computers".
    5. Click Next.
  6. In the Enroll in MDM Server dialog box:
    • If this is your first time using Apple Configurator 2, select New Server.

    • If you have previously used Apple Configurator 2, select your MDM server from the list.

  7. Click Next.
  8. In the "Define an MDM Server" dialog box:
    1. Enter a display name for your server (for example, "Acme MDM".
    2. Enter your Jamf Now Enrollment URL.
      Note:
      To verify your Jamf Now Enrollment URL, log in to Jamf Now, click Open Enrollment, and review the link under the Open Enrollment Link section. Your Jamf Now Enrollment URL is unique to your account and matches your Open Enrollment Link. For example, if your link is https://go.jamfnow.com/xyz, then your URL will be mdm-na1.jamfcloud.com/mdm/enroll/xyz/dep. The next time you use Apple Configurator 2, your unique URL will be available from a selectable list.
      Screen shot of the Open Enrollment link location
  9. Click Next.
    Note:

    The following error message may appear. Disregard this message and click Next.

    Screen shot of error message
  10. You will be prompted to add trust anchor certificates for the MDM server. To do so, follow these steps:
    1. Confirm that you see the following: *.jamfcloud.com.

    2. Select it, and then click Next.

    3. Sign in to your Apple deployment account. Be sure to use the same Apple ID that you used to enroll in Apple Business Manager or Apple School Manager. You may be prompted to verify your identity with two-factor authentication.

  11. Generate or choose a supervision identity. If this is your first time using Apple Configurator 2, select Generate a new supervision identity.
  12. Select which setup steps you want to show on the device. We suggest testing this workflow with a few users to ensure your current configuration is correct.
  13. Connect the device to a non-restricted network in one of the following ways:
    • Use cellular connectivity.

      Devices with a valid cellular connection should not need to connect to Wi-Fi.

    • Create and upload a Wi-Fi profile in the "Choose Network Profile" step. Use Apple Configurator to create this profile by navigating to File > New Profile.

      This is the recommended option when preparing multiple devices because it bypasses the need to manually enter the Wi-Fi password for each individual device.

    • Manually connect the device to Wi-Fi during the initial Setup Assistant.

    Important:

    The device must have a valid network connection before completing step 14, or enrollment in to Apple Business Manager or Apple School Manager will fail, and you will need to redo the following process.

  14. Click Prepare.

    If your device is already set up, you will be prompted to erase the device. You may be prompted to enter your Apple ID password for the Apple deployment account. The device will reboot and be added to your account. This may take several minutes. Once the "Hello" screen is displayed, leave until step 17.

  15. Log in to Apple Business Manager or Apple School Manager, and assign the device to the MDM server synced with Jamf Now by performing the following steps:
    1. Navigate to the Devices tab and enter the serial number of the device you want to assign in the Search Devices field.
    2. Click Edit Device Management, and then select the Jamf Now MDM server tied to your Jamf Now account in the Choose Device Management pop-up menu.
  16. Confirm that the device appears under the Auto-Enrollment > Devices tab in Jamf Now. If the device does not appear under Auto-Enrollment immediately, click Sync Devices to sync with Apple Business Manager or Apple School Manager.
  17. On the mobile device, go through the setup steps. When you see Remote Management displayed, that means enrollment is working.
Your mobile device is enrolled in Jamf Now as a supervised device enrolled with Automated Device Enrollment. The device will also appear under the supervised tab in Apple Configurator 2.
Note:

When you add an iPad, iPhone, or Apple TV using Apple Configurator 2, the device is provisionally managed. Provisional management means that the device will give the user the ability to leave remote management for the first 30 days of management. During that period, a user will see a banner notifying them of the updated management state and will be able to remove MDM management in the Settings menu. Provisional management will end after 30 days. At this point, the banner will disappear and the user will no longer be able to opt out of MDM management.