User Enrollment and On-Device Enrollment

If you choose to not enroll a device using Automated Device Enrollment (formerly DEP) or Apple Configurator 2, you can manually enroll them using User Enrollment or on-device enrollment. Both User Enrollment and on-device enrollment result in an unsupervised device state, users can remove the MDM profile, and you cannot perform all management tasks on them. User Enrollment and on-device enrollment are two ways in which a computer can achieve a User Approved MDM status.

User Enrollment

User Enrollment is a method of mobile device management for enrolling personally owned devices in the Bring Your Own Device (BYOD) program. It is designed to keep personal and institutional data separate by associating a personal Apple ID with personal data and a Managed Apple ID with corporate data. User Enrollment allows for a limited management of devices using a set of configurations and policies that associate management with the user, not the entire device. This separation allows users to keep their personal data protected and intact once the device is removed from Jamf School, while the corporate data is deleted.

Because the device is personally owned, a limited set of payloads and restrictions that can be applied to a device enrolled using User Enrollment. For more information, see the following documentation from Apple's Mobile Device Management Settings:

To create Managed Apple IDs, you must either use federated authentication to link Apple School Manager to your instance of Microsoft Azure Active Directory (AD) or create them manually in Apple School Manager. For more information, see the following documentation from Apple's Apple School Manager User Guide:

On-Device Enrollment

If a device is institutionally owned, it is recommended you enroll it using on-device enrollment. Institutional and personal data on devices enrolled using on-device enrollment is stored together. Because this enrollment method is for institutionally owned devices, your management capabilities are more extensive than those for devices enrolled using User Enrollment. You can perform any management tasks that do not require device supervision on devices enrolled using on-device enrollment.

On-device enrollment prevents administrators from:

  • Clearing the device passcode or reducing the security of the device

  • Enforcing certain restrictions

  • Accessing any cellular features

  • Adding payloads that collect logs on the device

  • Adding any supervised restrictions to the user’s device


To enroll a device using on-device enrollment, you need:

To enroll a device using User Enrollment, you need

  • (Mobile devices only) A push certificate in Jamf School (For more information, see Creating, Renewing, or Deleting an Apple Push Certificate.)

  • Mobile devices with iOS 13.1 or later, or iPadOS 13.1 or later

  • Computers with macOS 10.15 or later

  • Managed Apple IDs in Apple School Manager

Enrolling Devices Using On-Device or User Enrollment

  1. In Jamf School, navigate to Devices > Enroll Device(s) in the sidebar.

  2. For Enrollment Options, click On-device enrollment (iOS & macOS).

  3. Do one of the following:

    • (On-device enrollment and iOS only) On the device you want to enroll, open the Camera app and scan the QR code.

    • On the device you want to enroll, navigate to the full URL for your Jamf School server, followed by "/enroll". For example:

      Note: If you want the user to authenticate during enrollment, the user must navigate to the redirect URI for your Jamf School server. The redirect URI can be found by navigating to Organization > Settings > Authentication in Jamf School. You must also enable authentication by navigating to Organization > Settings > Enrollment and selecting the On Device Enrollment Authentication checkbox.

  4. On the device you want to enroll, do the following:

    1. Enter your network ID in the Network ID field.

      Note: Your network ID is listed in On-device enrollment (iOS & macOS) in Jamf School.

    2. (User Enrollment only) Enter the user's Managed Apple ID in the Managed Apple ID field.

    3. Click or tap Enroll.

    4. Click Install on the Install Profile screen.

    5. (iOS only) If the device has a passcode, enter the device passcode.

    6. Click or tap Install.

    7. Click or tap Trust to allow remote management.

The device is now enrolled in Jamf School.

Related Information

For related information, see the following technical paper:

Enrolling Devices with User Enrollment and Jamf School
Find out how to enroll devices in Jamf School with User Enrollment using step-by-step instructions.

Copyright     Privacy Policy     Terms of Use     Security
© copyright 2002-2020 Jamf. All rights reserved.