User Enrollment
42Gears supports User Enrollment, the latest way to enroll macOS devices into an MDM solution. User Enrollment is an effective way to provide a secure end-user experience while securing and managing corporate data on BYOD devices.
Enroll macOS Devices Using Account Driven User Enrollment
Ensure that the device(s) to be enrolled are currently running macOS 15.0 or above and have a Managed Apple ID.
Before users can enroll their personal mobile devices, you must create a .JSON file containing SureMDM enrollment information and host it on a web server. This allows Apple service discovery to identify the enrollment URL.
To enroll macOS devices using Account Driven User Enrollment, follow the steps below:
Prerequisites
- Account-Driven User Enrollment is supported on macOS 15.0 or later.
- Managed Apple IDs.
- The .JSON file with enrollment information must be hosted on a web server.
Configuring SureMDM for Account-Driven User Enrollment
For Apple service discovery to work during enrollment, the enrollment information must be in a .JSON file hosted on a web server that is reachable from the devices being enrolled. If you already host files on a verified domain, use that location. Otherwise, set up a web server with the same fully qualified domain name (FQDN) as the verified domain of the Managed Apple ID and enable web services on it.
Key Considerations for Web Server Setup:
The .JSON file must be on a server that supports HTTPS GET requests. The SSL certificate for the server must come from a trusted certificate authority. For a list of trusted root certificates on iOS devices, see Apple's support website.
Creating JSON file
To authenticate a device with the SureMDM server, the following information must be included in the .JSON file:
BaseURL — This is the full URL for the SureMDM server followed by "servicediscoveryenrollment/v1/userenroll".
- You can get the BaseURL in JSON format from this path in Console: SureMDM Web Console > Settings > Apple Platform Management > Miscellaneous > General Configuration > JSON for Account Driven User Enrollment > Download / Copy
Version — This is the enrollment version.
Hosting SureMDM Enrollment Information on a Web Server
You should host the SureMDM enrollment information on a web server, specifying the server path and verified domain. The resulting URL should be as follows:
https://company.com/.well-known/com.apple.remotemanagement
You must configure the server to return the appropriate Content-Type header with the file, which should be 'application/json'.
In the above example, "company.com" should be replaced with the domain that employees sign in to during enrollment. To verify the configuration, open the modified URL in a browser. The response should be an XML page with the Base URL referring to your SureMDM FQDN.
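As an added check for the hosted discovery file (this is example code, not part of SureMDM or Apple's tooling): the validator below takes a captured HTTPS response and reports anything that would stop service discovery from finding the enrollment URL. It assumes the JSON wraps the BaseURL/Version pair in Apple's top-level "Servers" array, and the sample responses, hostnames and the "mdm-byod" version value are constructed for illustration.

```python
import json
from urllib.parse import urlparse

# Well-known path and BaseURL suffix from the SureMDM documentation above.
EXPECTED_PATH = "/.well-known/com.apple.remotemanagement"
ENROLL_SUFFIX = "servicediscoveryenrollment/v1/userenroll"


def validate_discovery(url, status, headers, body):
    """Return a list of findings; an empty list means the hosted file passes."""
    findings = []
    parsed = urlparse(url)
    if parsed.scheme != "https":
        findings.append("discovery URL must use HTTPS")
    if parsed.path != EXPECTED_PATH:
        findings.append(f"discovery path must be {EXPECTED_PATH}")
    if status != 200:
        findings.append(f"expected HTTP 200, got {status}")
    # Header names are case-insensitive; ignore any charset parameter.
    ctype = {k.lower(): v for k, v in headers.items()}.get("content-type", "")
    if ctype.split(";")[0].strip().lower() != "application/json":
        findings.append(f"Content-Type must be application/json, got {ctype!r}")
    try:
        doc = json.loads(body)
    except ValueError as exc:
        findings.append(f"body is not valid JSON: {exc}")
        return findings
    servers = doc.get("Servers") if isinstance(doc, dict) else None
    if not isinstance(servers, list) or not servers:
        findings.append("JSON must contain a non-empty Servers array")
        return findings
    for i, entry in enumerate(servers):
        if not isinstance(entry, dict):
            findings.append(f"Servers[{i}]: entry must be an object")
            continue
        if not entry.get("Version"):
            findings.append(f"Servers[{i}]: missing Version")
        base = urlparse(entry.get("BaseURL", ""))
        if base.scheme != "https":
            findings.append(f"Servers[{i}]: BaseURL must use https")
        if not base.path.endswith(ENROLL_SUFFIX):
            findings.append(f"Servers[{i}]: BaseURL must end with {ENROLL_SUFFIX}")
    return findings


# Constructed sample responses (hostnames are placeholders, not real servers).
DISCOVERY_URL = "https://company.com/.well-known/com.apple.remotemanagement"
GOOD_HEADERS = {"Content-Type": "application/json; charset=utf-8"}
GOOD_BODY = json.dumps({"Servers": [{"Version": "mdm-byod",
    "BaseURL": "https://suremdm.example.com/" + ENROLL_SUFFIX}]})
BAD_HEADERS = {"Content-Type": "text/plain"}  # wrong Content-Type
BAD_BODY = json.dumps({"Servers": [{"BaseURL": "http://suremdm.example.com/enroll"}]})
```

Run `validate_discovery(DISCOVERY_URL, 200, GOOD_HEADERS, GOOD_BODY)` against a response captured with curl -i to confirm the file is served correctly before asking users to enroll.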
Steps for Device Enrollment
Follow these steps to enroll a personal device using the streamlined User Enrollment process in macOS 13 or later:
- On the device, navigate to Settings > Privacy & Security > Profiles.
- Click the Sign In button in the Work or School Account section.
- Enter your Managed Apple ID and click Continue. Service discovery will automatically identify the MDM solution's enrollment URL.
- Once the Apple ID is validated, a popup appears. Click Open Browser to continue.
- You are directed to the Enrollment page in the browser. Provide the Account ID and click Enroll Device.
- A prompt from the iCloud for Work screen appears. Click Sign in to iCloud.
- Enter the password for the Managed Apple ID and click Continue.
- Once Apple ID authentication is complete, a popup appears. Click Continue to sign in to your organization's mail account.
- Enter the mail credentials and click Next.
- An authentication page appears if your organization has enabled MFA for the mail account.
- Click Allow Remote Management. The device is enrolled using the User Enrollment type.
- If the device has a password, it must be entered to allow remote management. After providing the password, click Enroll. Authentication may take a few minutes.
- After successful enrollment, the SureMDM profile is visible in the Profiles section on the target device.
By following these steps, users can easily enroll their personal devices while ensuring that personal and organizational data remain separate and secure.