Apple User Enrollment

MDM extends Apple's User Enrollment (Account Driven User Enrollment) support for Personal Devices (BYOD). When a device is enrolled via User Enrollment, a separate volume is created on the device for the corporate space. With this capability, admins can manage the corporate data on the employee's personal device (BYOD) without invading their privacy. The users can enroll their iPhones, iPads, Mac machines using the Managed Apple ID provided by their organization. User Enrollment mainly focuses on enhancing user privacy while protecting the enterprise security.

Prerequisites

Ensure that you meet the following pre-requisites before enrolling the devices via User Enrollment:

1. Add and verify your domain in Apple Business Manager.

   

2. iPhones/iPads must be running iOS/iPadOS 18.2 and above.
3. Mac devices must be running macOS 15.2 and above.
4. Ensure the MDM is integrated with Automated Enrolment (ABM/ASM).
5. Ensure you have configured Automatic Device Assignment to Default Server in Apple Business/School Manager (ABM/ASM).

   

6. Ensure you have created Managed Apple IDs for your employees using your organization's Apple Business Manager account:
   • Log in to ABM/ASM as an administrator.
   • Go to Accounts → Users → Click (+) to add a new user.
   • Enter the required details (name, email, role).
   • Choose the appropriate role for the employee (e.g., Manager, Staff, or a custom role defined by your organization).
   • The user will receive an email to set up their Managed Apple ID.
7. To ensure users can sign in with their Managed Apple IDs on any device, log in to ABM/ASM as an administrator, navigate to Access Management > Apple Services > Allow Managed Apple Account On setting. If it is currently set to "Managed Devices Only" or "Supervised Devices Only," change it to "Any Device" and save the update.

   

8. Directory services should be configured for authenticating users during enrollment.

Enable Apple User Enrollment in MDM console

1. On MDM console navigate to Enrolment->Self Enrolment->Click on Modify if the Self enrolment is configure else configure the Self Enrolment and follow the below steps.

   

2. Check the "Apple User Enrollment" checkbox. Specify your organization’s Managed Apple ID domain(s). You can provide multiple domains as per the organization's need. Click on save.

   
   

Apple User Enrollment Experience

Follow the steps below to enroll the device:

1. Navigate to Settings → VPN & Device Management → Sign in with Work or School Account.
2. Enter your Managed Apple ID and click Continue.
3. When the Apple user enrolment is enabled in the MDM Console by the IT administrator and the user login with the Managed Apple ID then the device will detect the MDM server and proceed with user authentication.

   

4. Once authentication is successful, the MDM profile will be downloaded, and the device will display the MDM details. When the user proceeds, the MDM profile will be installed successfully on the device.
                                    

Troubleshooting tips

The following are possible errors that may occur during enrollment. To resolve these errors, refer to the below mentioned steps.

1. Error occurred while authenticating users
   While authenticating, the users should enter the same Directory credentials associated with the Managed Apple ID provided by their organization.
    
2. Internal server error occurred
   Contact mdm-support@manageengine.com

If you are still unable to fix the errors even after following the solution we provided, you can contact support for additional help.