A guide to enrolling Apple devices in Jamf
Organizations should consider management platforms from specialized vendors, such as Jamf, for specific OSes including Apple iOS. Learn how to enroll Apple devices into Jamf here.
When IT administrators manage Apple devices, there are various tools and workflows to consider for device enrollment.
The place to start is with the types of devices that IT will need to manage: Are they BYOD or corporate-owned? Then, IT admins should determine what they need to secure on those devices: email, corporate data and communications are all candidates. The organization will need to use mobile device management (MDM) from a vendor such as Jamf to bring all these pieces together.
Once IT has those components aligned, an organization, with the help of its end users, can enroll their devices to properly gain access to work-related resources.
Enrolling devices is a simple and quick process. However, there are different enrollment methods depending on whether a device is personally owned or corporate-owned. The device ownership affects the type of configurations and security controls available for that device. Apple has two ownership models: corporate-owned and user-owned. And within those, there are three main enrollment methods: Automated Device Enrollment, Device Enrollment and User Enrollment.
Automated Device Enrollment
This enrollment method is tied to corporate-owned models and uses Apple Business Manager (ABM) to link devices to an organization's MDM -- in this case, Jamf's offering -- and supervise devices. Supervision gives organizations the highest privileges on a device, such as hiding system apps and customizing the home screen layout, along with additional configurations such as silent application updates and web filtering. Supervision is only available on devices enrolled in an organization's Apple Business Manager, which also requires Apple or an approved reseller to enroll company devices into a customer's ABM.
When IT admins use this method, they can automatically enroll iOS, iPadOS, macOS and tvOS devices into their organization's Jamf MDM. They can also lock a device into management so an end user cannot unenroll or take personal control. A great example of a useful function of Automated Device Enrollment is the ability to drop-ship a device directly to an end user, have the end user power the device on, and have the device automatically enroll itself in management once it connects to Wi-Fi. This zero-touch enrollment allows IT to streamline device deployment to end users and departments regardless of their location.
Device Enrollment
Device Enrollment may be the most common method of enrollment. IT can use this method in both user-owned and corporate-owned models. Device Enrollment requires enrollment through either a URL or application agent on the device. When an end user enrolls the iOS device, the device will download a profile that the end user will need to manually install via the device's Settings.
Once the user enrolls their device with the Jamf management platform, IT administrators can manage different aspects of the device, including the ability to restrict certain device features and the ability to erase the device. While Device Enrollment does not allow all the supervised settings and configurations of Automated Device Enrollment, it does allow for a larger set of security restrictions and configurations that IT can apply to a device.
User Enrollment
This enrollment method is most often tied to BYOD models where the end user's personal device accesses corporate applications and data. In this model, an end user will self-enroll into their organization's MDM via a URL or application agent with a Managed Apple ID. After the user completes enrollment, the end user's device will have access to company resources, including configuration profiles such as Wi-Fi and passcode requirements, applications and security compliance settings.
When end users enroll via User Enrollment, they will need a Managed Apple ID. To create a Managed Apple ID, an organization will need access to Apple Business Manager within Jamf. From there, organizations can federate their Active Directory to allow automated creation of Managed Apple IDs, or an admin can manually create each account.
One of the biggest draws of User Enrollment is its privacy-centered focus. Unlike the other enrollment models, Apple has restricted some settings from the MDM to ensure end-user privacy.