Automated Device Enrollment

Automated Device Enrollment (formerly DEP) allows you to automate the enrollment process and prevent users from removing the MDM profile from the devices. This is the enrollment method recommended by Apple. Automated Device Enrollment is one of the methods by which a computer can achieve User Approved MDM status in Jamf School. User Approved MDM is required for certain performance and security enhancements, like managing kernel extensions. By enrolling devices using Automated Device Enrollment, you can use all the device management capabilities Jamf School offers.

Enrolling devices using Automated Device Enrollment involves the following steps:

  • Assign devices to Jamf School

  • Create an Automated Device Enrollment profile

  • Assign an Automated Device Enrollment profile to devices

You can also customize the enrollment experience by creating agreements to display during enrollment and requiring authentication.

Note: If Jamf School is integrated with Microsoft Azure or Google, you can require enrollment authentication when enrolling devices via Automated Device Enrollment.

General Requirements

To enroll devices using Automated Device Enrollment, you must first download the public key before adding the Jamf School server to Apple School Manager. For more information, see Integrating Jamf School with Apple School Manager.

If the devices were previously enrolled in another MDM, you must remove the MDM profile before using Automated Device Enrollment. For more information, see Removing an MDM Profile Manually.

Creating an Automated Device Enrollment Profile

Requirements

To create an Automated Device Enrollment profile, you must automatically or manually assign devices in Apple School Manager to the Jamf School server. To automatically add devices you purchase to Jamf School, see Change MDM server default device assignment in Apple School Manager in the Apple School Manager User Guide. To manually assign devices to Jamf School after purchasing them, see Assign purchased devices to Apple School Manager in the Apple School Manager User Guide.

To require enrollment authentication with Microsoft Azure or Google Sign-In when enrolling devices via Automated Device Enrollment, you must integrate Jamf School with Microsoft Azure or Google Sign-In. For more information, see Integrating with Microsoft Azure and Setting Up Google Sign-In in Jamf School.

Procedure

  1. In Jamf School, navigate to Profiles > Automated Device Enrollment Profiles in the sidebar.

  2. Select the type of profile you would like to create.

  3. Use the pop-up dialog to configure basic settings, including a profile name. In addition, you can do the following on the Automated Device Enrollment profile pop-up dialog:

    • Enter a support phone number and department name that users can reach out to if they need assistance during enrollment.

    • To automatically configure device names during enrollment, enter a device name schema using variables in the Set Device Name field.
      For more information on the variables you can use, see Payload Variables.

    • To allow the devices enrolled with this Automated Device Enrollment profile to connect to other computers, select the Allow pairing with other computers checkbox.

    • To allow users to remove the MDM profile, select the Allow removal of the MDM profile checkbox.

      Important: If a user removes the MDM profile, you cannot manage the device.

    • To enable the devices as a Shared iPad, select the Enable Shared iPad checkbox.

    • To activate eSIM automatically during enrollment, select the Configure eSIM checkbox and enter the carrier's URL in the Carrier URL field.

    • To customize the user experience of the Setup Assistant, you can select which steps you want to skip in the Setup Assistant. If you choose to skip steps, the user can enable these settings after the device is configured unless otherwise restricted. For Apple TV devices, Ethernet connection is required. You can also choose to auto advance through all Setup Assistant steps by selecting Automatically advance through Setup Assistant.

      Note: An Apple ID must be associated with the device before any apps can be installed. If this step is skipped during the Setup Assistant, it must be completed later. If you choose to skip the Location Services step, the device will not automatically set the date and time and will not be able to use Find my iPad.

    • To require authentication during enrollment, select the Require authentication for enrollment checkbox. Additionally, you can make the authenticated user the device owner by selecting the Make authenticated user the device owner checkbox.

      Note: If you want users to authenticate with Microsoft Azure after enrollment using a web clip, do not enable the Make authenticated user the device owner checkbox. Only iOS and iPadOS devices can authenticate after enrollment using the Azure web clip.

    • To automatically install Rosetta 2 on computers to use apps built for a Mac with an Intel processor, select the Automatically install Rosetta 2 on Mac computers with Apple silicon checkbox.

  4. Click Save.
    It can take up to five minutes before the profile is pushed to new devices.
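
The settings in step 3 that matter most for security (MDM profile removal, pairing, skipped Setup Assistant steps) can be checked mechanically. The following is an added example, not Jamf School code: it audits a profile written with the key names from Apple's device enrollment profile format. The mapping from Jamf School's checkboxes to those keys, the severity levels, and both sample profiles are assumptions.

```python
# Added example: audit an Automated Device Enrollment profile for the
# security-relevant settings described in the procedure above.
# Key names (is_mdm_removable, allow_pairing, skip_setup_items) follow Apple's
# device enrollment profile format. Assumptions: that Jamf School's checkboxes
# map onto these keys, the severity levels, and the constructed sample data.

SEVERITY_ORDER = {"info": 0, "medium": 1, "high": 2}

def audit_ade_profile(profile):
    """Return (severity, setting, message) findings, most severe first."""
    findings = []
    # A missing key is treated as enabled here, i.e. the permissive case.
    if profile.get("is_mdm_removable", True):
        findings.append(("high", "is_mdm_removable",
                         "user can remove the MDM profile; device becomes unmanaged"))
    if profile.get("allow_pairing", True):
        findings.append(("medium", "allow_pairing",
                         "device may pair with other computers"))
    skipped = set(profile.get("skip_setup_items", []))
    if "Location" in skipped:
        findings.append(("info", "skip_setup_items:Location",
                         "no automatic date/time and no Find My until enabled later"))
    if "AppleID" in skipped:
        findings.append(("info", "skip_setup_items:AppleID",
                         "an Apple ID must be added later before apps can install"))
    # sorted() is stable, so findings of equal severity keep insertion order.
    return sorted(findings, key=lambda f: SEVERITY_ORDER[f[0]], reverse=True)

def highest_severity(findings):
    """Return the most severe level present, or None for a clean profile."""
    return findings[0][0] if findings else None

# Constructed sample profiles (not exported from any real tenant).
STUDENT_IPAD = {
    "profile_name": "Student iPads (constructed)",
    "is_mdm_removable": False,
    "allow_pairing": False,
    "skip_setup_items": ["Restore", "Siri"],
}
LAB_MAC = {
    "profile_name": "Lab Macs (constructed)",
    "is_mdm_removable": True,
    # allow_pairing deliberately omitted: audited as enabled.
    "skip_setup_items": ["Location", "AppleID"],
}

if __name__ == "__main__":
    for p in (STUDENT_IPAD, LAB_MAC):
        print(p["profile_name"], highest_severity(audit_ade_profile(p)))
        for severity, setting, message in audit_ade_profile(p):
            print(f"  [{severity}] {setting}: {message}")
```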

Note: A managed administrator, once created, is eligible to receive a SecureToken when it logs in to a computer with macOS 10.15 or later if a bootstrap token has been escrowed to Jamf School. For more information about bootstrap tokens, see Using Secure and Bootstrap tokens in deployments in Apple's Deployment Reference for Mac.

Assigning Automated Device Enrollment Profiles to Devices

Requirements

To install an Automated Device Enrollment profile, you must erase all content and settings on your mobile devices or reinstall macOS on computers because the Automated Device Enrollment profile can only install during Setup Assistant. For more information, see the following articles from Apple's support website:

Procedure

  1. In Jamf School, navigate to Devices > Automated Device Enrollments in the sidebar.

  2. Select the devices you want to assign an Automated Device Enrollment profile to.

  3. Click Assign profile.

  4. In the pop-up dialog, select the Automated Device Enrollment profile you want to assign to the selected devices.

  5. Click Save.
    The profile is now successfully assigned to the selected devices.

Removing an Automated Device Enrollment Profile from Devices

If you want to reset and manage a device under different conditions, the settings applied via Automated Device Enrollment can be removed. If the devices already have the Automated Device Enrollment profile applied, you must wipe and reactivate the devices before removing the Automated Device Enrollment profile.

  1. In Jamf School, navigate to Devices > Automated Device Enrollments in the sidebar.

  2. Select the devices you want to remove the Automated Device Enrollment profile from.

  3. Click Unassign profile.

  4. Click Save.

Related Information

For related information, see the following sections in this guide:

For related information, see Automated Device Enrollment into MDM in Apple's Deployment Reference for iPhone and iPad.

For related information, see Automated Device Enrollment into MDM in Apple's Deployment Reference for Mac.

© copyright 2002-2021 Jamf. All rights reserved.