Profile-Driven User Enrollment for Personally Owned Mobile Devices

Profile-Driven User Enrollment starts when the user opens the enrollment URL in Safari on the device. Your organization's enrollment URL is your Jamf Pro instance URL with /enroll added at the end:

https://JAMF_PRO_URL.jamfcloud.com/enroll

The text displayed in the enrollment portal may vary depending on which text or languages are customized for your organization in Jamf Pro's User-Initiated Enrollment settings.

Note:

If users are re-enrolling a device previously enrolled using a legacy Personal Device Profile, Jamf Pro recommends you remove the device's previous record from Jamf Pro before re-enrollment.

The following workflow describes how user enrollment can be used to enroll personally owned mobile devices:

  1. The user is prompted to log in with either their directory credentials or a Jamf Pro user account with user-initiated enrollment privileges. Directory credentials may include one of the following authentication types:

    • LDAP

    • Single sign-on (SSO)

    • Cloud identity provider (IdP)

    After entering their credentials, the user must click Log In. If the user is authenticating via a single sign-on provider, the user will be redirected to their organization's login page.

  2. The user is prompted to enroll the device as a personally owned device or an institutionally owned device.

    This step is only displayed if both institutionally owned device enrollment and personally owned device enrollment are enabled in Jamf Pro. Any text customized for your organization in Jamf Pro's User-Initiated Enrollment settings is also displayed.

  3. If prompted to select a site, the user may choose a site to associate their device with. This will apply the appropriate site settings as defined by your organization to the device.

  4. If the Skip certificate installation during enrollment checkbox is deselected in Jamf Pro's User-Initiated Enrollment settings, the user is prompted to install a profile with the CA certificate before they install the MDM profile.

    The user must follow the onscreen instructions to install the CA certificate. After the CA certificate is installed, the user must return to Safari to install the MDM profile.

  5. When prompted, the user must enter their Managed Apple ID email address to download their MDM profile.

  6. A Profile Downloaded dialog will be displayed. The user must click Close.

  7. In the Settings app, the user taps Enroll in YOUR ORGANIZATION to continue and follows the onscreen enrollment prompts. The user must sign in using the same Managed Apple ID that they entered earlier. If the user authenticates using a Managed Apple ID that does not match the one entered prior to downloading the MDM profile, the enrollment will fail and the user must restart the enrollment process from the beginning.

    For more information on the sign-in process for Profile-Driven User Enrollment, see User Enrollment MDM information in Apple Platform Deployment.

    Important:

    The user has eight minutes to install the enrollment profile before iOS discards the profile. If this occurs, the user must restart the enrollment process.

  8. When the user returns to the Safari web browser, a message is displayed indicating that the device is enrolled with Jamf Pro.