Automated Device Enrollment and MDM
Automated Device Enrollment is designed for all Apple devices owned by the organization. Automated Device Enrollment lets organizations configure and manage devices from the moment the devices are removed from the box. You can also use all the available payloads and restrictions defined by Apple, and you have the option to prevent the mobile device management (MDM) enrollment profile from being removed by the user.
For these devices, the following MDM enrollment options can be configured.
Option | Usage
---|---
Prevent unenrollment | A supervised device can’t be unenrolled by the user. On Mac computers, this prevents unenrollment from System Settings for macOS 13 or later, or from System Preferences for macOS 12.0.1 or earlier, as well as from the
Automatically advance through Setup Assistant | A supervised Mac computer using macOS 11 or later or Apple TV is automatically configured without any user intervention, provided no other Setup Assistant panes are enabled.
Language | The language to set on the device if using Auto Advance.
Region | The region to set on the device if using Auto Advance.
Hold device in Setup Assistant | Holds the device in the Setup Assistant to allow MDM to apply any critical configurations or install critical apps. The device can then proceed through or exit Setup Assistant after being instructed by the MDM solution. A similar option can be used for Shared iPad to hold the device in Setup Assistant after user authentication, to ensure the device is ready to go when the user is presented with the Home Screen.
Configuration web URL | URL that the device should load in the Setup Assistant. This can be used for authentication, custom branding, consent text, or more.
Setup Assistant panes to skip | Optional: Which panes should be skipped in the Setup Assistant to streamline the device setup process for the user.
Enforce FileVault | An MDM solution can require a Mac computer with macOS 14 or later to turn on FileVault during Setup Assistant. This helps ensure that the internal storage is always encrypted before being used. An organization can then decide whether to show the recovery key and optionally escrow it to MDM. This functionality should be used in conjunction with holding the device in Setup Assistant to ensure that the MDM solution has all necessary information before proceeding.
Configure as Shared iPad (Shared iPad only) | Enables Shared iPad.
Number of Shared iPad users (Shared iPad only) | Enter the number of students who may potentially use this iPad. For best results, the number of students should be low.
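The options above interact: prevent unenrollment and Auto Advance only apply to supervised devices, Auto Advance wants a language and region, and Enforce FileVault is meant to be paired with holding the device in Setup Assistant. The following added example (my code, not Apple's or any MDM vendor's) lints an enrollment settings dict for those dependencies; the key names are assumed to mirror Apple's DEP "Define a Profile" request body, while `enforce_filevault` is a hypothetical MDM-side flag and the sample profiles are constructed.

```python
"""Consistency check for Automated Device Enrollment settings (added example).

Keys such as is_supervised, is_mdm_removable, auto_advance_setup,
await_device_configured, language and region are assumed to mirror Apple's
DEP profile request body; 'enforce_filevault' is a hypothetical MDM-side
flag. The rules themselves come from the option table above.
"""
from typing import Any


def lint_enrollment_settings(p: dict[str, Any]) -> list[str]:
    """Return findings that contradict the guidance on this page; [] means clean."""
    findings: list[str] = []
    supervised = bool(p.get("is_supervised", False))

    # Prevent unenrollment only holds on a supervised device.
    if p.get("is_mdm_removable", True) is False and not supervised:
        findings.append("is_mdm_removable=false needs is_supervised=true")

    # Auto Advance: supervised Mac with a language and region to apply.
    if p.get("auto_advance_setup"):
        if not supervised:
            findings.append("auto_advance_setup needs is_supervised=true")
        for key in ("language", "region"):
            if not p.get(key):
                findings.append(f"auto_advance_setup set but '{key}' is missing")

    # Enforce FileVault should be combined with holding the device in Setup Assistant.
    if p.get("enforce_filevault") and not p.get("await_device_configured"):
        findings.append("enforce_filevault should be paired with await_device_configured=true")
    return findings


# Constructed sample: an unsupervised profile that tries to lock in enrollment.
WEAK = {
    "profile_name": "Lab Macs (constructed)",
    "is_supervised": False,
    "is_mdm_removable": False,
    "auto_advance_setup": True,
    "enforce_filevault": True,
    "await_device_configured": False,
}

# Same intent, corrected so every option can actually take effect.
HARDENED = {**WEAK, "is_supervised": True, "await_device_configured": True,
            "language": "en", "region": "US"}

if __name__ == "__main__":
    for name, prof in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, lint_enrollment_settings(prof) or "OK")
```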
Auto Advance and Automated Device Enrollment (macOS)
Auto Advance is an additional option for Automated Device Enrollment that allows you to skip all Setup Assistant panes automatically with a Mac computer that is plugged into Ethernet. With Auto Advance configured in MDM, organizations can order Mac computers and, after they arrive, simply plug them into Ethernet and power them on. The Mac locates the assigned MDM solution and is automatically configured based on settings from the MDM solution, including skipping all Setup Assistant panes. The user then enters a known user name and password at the Login window. For a Mac to take advantage of Auto Advance, it must be using macOS 11 or later and meet all the following additional criteria:
The computer’s serial number must appear in Apple School Manager, Apple Business Manager, or Apple Business Essentials.
It must have Automated Device Enrollment settings, including the Auto Advance key, applied to the Mac by an MDM solution.
It must be plugged into a power source (recommended but not required).
It must be plugged into an active Ethernet connection (initial configuration only).
It must be able to access the MDM solution through an internal network or the internet.
Enforcing a minimum version of iOS, iPadOS, and macOS
MDM solutions can enforce a minimum operating system version on enrolling devices when using Automated Device Enrollment. If the device doesn’t meet the minimum version expected by MDM, the user is guided through a software update or upgrade before they can continue with Setup Assistant. This ensures that devices owned by an organization are on the necessary version required before being put into production.
Enforcing Automated Device Enrollment
In macOS 14 or later, if a Mac that’s registered to Apple School Manager or Apple Business Manager doesn’t enroll into device management during the first setup, a full-screen setup experience is displayed.
The user can choose “Not now” once, which causes the screen to be dismissed for 8 hours. During those 8 hours, the user sees a follow-up option in System Settings to start the enrollment. After the time expires, an administrator must enroll the device.
This replaces the current notification experience and ensures that the device must be enrolled into device management in order to be used. Enforcing device enrollment results in fewer unmanaged organization-owned devices.
How Apple separates user data from organization data
The table below shows how Apple separates user data from the organization’s data with Automated Device Enrollment.
MDM can | MDM can’t
---|---
View and set the device name | View personal mail, calendars, contacts
Query the phone number | View SMS or iMessages
Query the serial number | View Safari browser history
Query the model name and number | View FaceTime or phone call logs
View capacity and space available | View personal reminders and notes
Query operating system version number | Collect the frequency of app usage
Install Managed Apps |
Configure all restrictions |
Configure global HTTP proxy |
Remotely erase all content and settings on the device |
Manage Activation Lock |
Access roaming status |
Enable Lost Mode |