User-Enrollment in iOS/iPadOS 13+

If you choose to not enroll a device using Automated Device Enrollment (formerly DEP) or Apple Configurator 2, you can manually enroll them using User Enrollment or on-device enrollment. Both User Enrollment and on-device enrollment result in an unsupervised device state, users can remove the MDM profile, and you cannot perform all management tasks on them.

User Enrollment

User Enrollment is a method of mobile device management for enrolling personally owned devices in the Bring Your Own Device (BYOD) program. It is designed to keep personal and institutional data separate by associating a personal Apple ID with personal data and a Managed Apple ID with corporate data. User Enrollment allows for a limited management of devices using a set of configurations and policies that associate management with the user, not the entire device. This separation allows users to keep their personal data protected and intact once the device is removed from Jamf School, while the corporate data is deleted.

  • User Enrollment prevents administrators from:
  • Setting the complex alphanumeric passcode restriction
  • Clearing the device passcode or reducing the security of the device
  • Enforcing certain restrictions
  • Managing apps installed by users
  • Issuing an MDM command or query gathering information about apps downloaded with the user’s personal Apple ID
  • Accessing any cellular features
  • Adding payloads that collect logs on the device
  • Adding any supervised restrictions to the user’s device 

To create Managed Apple IDs, you must either use federated authentication to link Apple School Manager to your instance of Microsoft Azure Active Directory (AD) or create them manually in Apple School Manager. For more information, see the following documentation from Apple's Apple School Manager User Guide:

  • Configure federated authentication with Microsoft Azure AD for Apple School Manager
  • Create Managed Apple IDs in Apple School Manager

On-Device Enrollment

If a device is institutionally owned, it is recommended you enroll it using on-device enrollment. Institutional and personal data on devices enrolled using on-device enrollment is stored together. Because this enrollment method is for institutionally owned devices, your management capabilities are more extensive than those for devices enrolled using User Enrollment. You can perform any management tasks that do not require device supervision on devices enrolled using on-device enrollment. 

On-device enrollment prevents administrators from:

  • Clearing the device passcode or reducing the security of the device
  • Enforcing certain restrictions
  • Accessing any cellular features
  • Adding payloads that collect logs on the device
  • Adding any supervised restrictions to the user’s device

Requirements

To enroll a device using User Enrollment, you need

  • Mobile devices with iOS 13.1 or later, or iPadOS 13.1 or later
  • Managed Apple IDs for the users you want to enroll

Enrolling Devices Using On-Device or User Enrollment

  1. In ZuluDesk, navigate to Devices > Enroll Device(s) in the sidebar.
  2. For Enrollment Options, click On-device enrollment (iOS & macOS).

Do one of the following:

  • (On-device enrollment and iOS only) On the device you want to enroll, open the Camera app and scan the QR code.
  • On the device you want to enroll, navigate to the URL https://enroll.zuludesk.com

4. On the device you want to enroll, do the following:

Note: Your network ID is listed in On-device enrollment (iOS & macOS) in ZuluDesk.
 
a. Enter your network ID in the Network ID field.

b. (User Enrollment only) Enter the user's Managed Apple ID in the Managed Apple ID field. 
c. Click or tap Enroll.
d. Click Install on the Install Profile screen.
e. (iOS only) If the device has a passcode, enter the device passcode. 
f. Click or tap Install. 
g. Click or tap Trust to allow remote management.

The device is now enrolled in ZuluDesk.

Have more questions? Submit a request

0 Comments

Please sign in to leave a comment.