Enroll iOS Devices Using Account Driven User Enrollment
Note: Ensure that the devices to be enrolled are currently running iOS 13 or above, have a managed Apple ID, and are unsupervised.
Before users can enroll their personal mobile devices, you must create a .JSON file containing SureMDM enrollment information and host it on a web server. This allows Apple service discovery to identify the enrollment URL.
To enroll iOS devices using Account-Driven User Enrollment, follow the steps below:
Prerequisites
- Account-Driven User Enrollment is supported on iOS 15 or later, and iPadOS 15 or later.
- Managed Apple IDs.
- The .JSON file with enrollment information must be hosted on a web server.
Configuring SureMDM for Account-Driven User Enrollment
For Apple service discovery to work during enrollment, the enrollment information must be in a .JSON file hosted on a web server that is reachable by the devices being enrolled. If you already host files on the verified domain, use that location. Otherwise, set up a web server with the same fully qualified domain name (FQDN) as the verified domain of the Managed Apple ID and enable web services on it.
Key Considerations for Web Server Setup:
- The .JSON file must be on a server that supports HTTPS GET requests.
- The SSL certificate for the server must come from a trusted certificate authority. For a list of trusted root certificates on iOS devices, see Apple's support website.
Creating JSON file
To authenticate a device with the SureMDM server, the following information must be included in the .JSON file:
- BaseURL—This is the full URL for the SureMDM server followed by “/servicediscoveryenrollment/v1/userenroll”.
- Version—This is the version of enrollment.
Note: This must be defined as "mdm-byod".
The JSON file should be structured like this example:
{"Servers":[{"Version":"mdm-byod","BaseURL":"https://companyname.suremdm.io/enroll/byod"}]}
Hosting SureMDM Enrollment Information on a Web Server
You should host the SureMDM enrollment information on a web server, specifying the server path and verified domain. The resulting URL should be as follows: https://company.com/.well-known/com.apple.remotemanagement
You must configure the server to return the appropriate Content-Type header with the file, which should be 'application/json'.
Note: In the above example, "company.com" should be replaced with your domain that employees sign into during enrollment. To verify the configuration, open the modified URL in a browser. The response should be an XML page with the Base URL referring to your SureMDM FQDN.
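The following script, added here as an example and not part of SureMDM or Apple tooling, performs that verification from the command line instead of a browser: it fetches the well-known URL for a domain over HTTPS with the system trust store (so a certificate the device would reject fails here too) and checks the Content-Type header, the JSON structure, the "mdm-byod" version and that BaseURL is an HTTPS URL. The domain name, the error strings and the sample document in `__main__` are assumptions constructed for the example.

```python
import json
import ssl
import urllib.request
from urllib.parse import urlparse

WELL_KNOWN_PATH = "/.well-known/com.apple.remotemanagement"


def validate_discovery_response(content_type, body):
    """Return a list of problems found in a service-discovery response.

    An empty list means the document has the shape described above:
    application/json content type, a non-empty "Servers" list, and on
    every entry Version "mdm-byod" plus an absolute https:// BaseURL.
    """
    problems = []
    media_type = (content_type or "").split(";")[0].strip().lower()
    if media_type != "application/json":
        problems.append(f"Content-Type is {content_type!r}, expected application/json")
    try:
        doc = json.loads(body)
    except ValueError as exc:
        return problems + [f"body is not valid JSON: {exc}"]
    servers = doc.get("Servers") if isinstance(doc, dict) else None
    if not isinstance(servers, list) or not servers:
        return problems + ['"Servers" must be a non-empty list']
    for i, server in enumerate(servers):
        if not isinstance(server, dict):
            problems.append(f"Servers[{i}] must be an object")
            continue
        if server.get("Version") != "mdm-byod":
            problems.append(f'Servers[{i}].Version must be "mdm-byod"')
        url = urlparse(server.get("BaseURL", ""))
        if url.scheme != "https" or not url.netloc:
            problems.append(f"Servers[{i}].BaseURL must be an absolute https:// URL")
    return problems


def check_domain(domain):
    """Fetch the well-known file for a Managed Apple ID domain and validate it.

    Certificate validation uses the default context (system trust store).
    """
    url = f"https://{domain}{WELL_KNOWN_PATH}"
    with urllib.request.urlopen(url, context=ssl.create_default_context(), timeout=10) as resp:
        return validate_discovery_response(resp.headers.get("Content-Type"), resp.read())


if __name__ == "__main__":
    # Constructed sample in the layout shown above (not a live server response).
    sample = b'{"Servers":[{"Version":"mdm-byod","BaseURL":"https://companyname.suremdm.io/enroll/byod"}]}'
    print(validate_discovery_response("application/json", sample) or "OK")
```

Run `check_domain("company.com")` with your own domain to test the live server; an empty list means the file is served the way the device expects.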
Steps for Device Enrollment
Follow these steps to enroll a personal device using the streamlined User Enrollment process in iOS 15 and iPadOS 15 or later:
1. On the device, navigate to Settings > General > VPN & Device Management.
2. Tap the Sign In to Work or School Account button.
3. Enter your Managed Apple ID. Service discovery will automatically identify the MDM solution’s enrollment URL.
4. Enter your organization's Account ID and click Enroll Device.
5. A prompt from the iCloud for Work screen appears. Click Sign in to iCloud.
6. Enter the Password for the managed Apple ID and click Continue.
7. Click Allow Remote Management. The device will be enrolled using the user enrollment type.
8. If the device has a password, the user must authenticate to allow remote management. It may take a few minutes to authenticate.
9. To validate user enrollment, the user can navigate to Settings > General > VPN & Device Management > Managed Account.
By following these steps, users can easily enroll their personal devices while ensuring that personal and organizational data remain separate and secure.