Overview

Apple's recommended method for enrolling or migrating personally owned iOS and iPadOS devices in Jamf Pro is User Enrollment. Administrators can choose from and configure two different User Enrollment methods:

  • Account-Driven User Enrollment (iOS 15 and iPadOS 15 or later): Users open the Settings app, navigate to General > VPN & Device Management, and sign in with a Managed Apple ID. After sign-in, users are redirected to your organization's Jamf Pro enrollment portal.
  • Profile-Driven User Enrollment (iOS 13 and iPadOS 13 or later): Also known as "User-Initiated Enrollment via URL". Users are provided a direct Jamf Pro enrollment URL that opens the enrollment portal in Safari.

These User Enrollment methods allow administrators to build a Bring Your Own Device (BYOD) program with the following device and data privacy and security advantages:

Transparency

Users can review the IT management capabilities of personally owned iOS and iPadOS devices before enrolling their device. User Enrollment results in an unsupervised device state, allowing users to remove the MDM profile.

Data Separation, Access, and Privacy

Users can securely access institutional resources such as email, contacts, calendars, Wi-Fi, and VPN, while keeping their personal data secure. Users maintain a personal Apple ID for their personal data and use a Managed Apple ID for institutional data.

Security

IT can only remove institutional data from the device, ensuring protection of the user's personal data, such as photos and documents. Since users must interactively complete enrollment, User Approved MDM status is achieved and grants administrators additional device management privileges.

Building a BYOD Program

Building a Bring Your Own Device (BYOD) program involves the following steps:

  1. Configure User-Initiated Enrollment settings in Jamf Pro.

    Use Jamf Pro's global settings for user-initiated enrollment to set up and customize User Enrollment and enable Account-Driven User Enrollment or Profile-Driven User Enrollment (User-Initiated Enrollment via URL).

  2. (Optional) Remove the MDM profile from devices enrolled using Personal Device Profiles.

    To migrate devices from Personal Device Profiles, which are deprecated, to Account-Driven User Enrollment or Profile-Driven User Enrollment, you must temporarily un-enroll these devices, and then re-enroll them.

  3. Allow users to enroll personally owned devices.

    Depending on the method, users enroll via Account-Driven User Enrollment or Profile-Driven User Enrollment.

  4. Manage settings and distribute apps for personal devices.

    Create configuration profiles and distribute managed apps to personal devices enrolled via User Enrollment.

  5. Manage personal devices.

    Perform a subset of mobile device management capabilities, such as remote commands and viewing inventory information, on personally owned mobile devices.