Apple Device Management
Apple Device Management in MDM empowers IT admins to seamlessly configure, secure, and manage macOS, iOS, iPadOS, and tvOS devices across their organization. This document outlines the different Apple management types supported through MDM, including Automated Device Enrollment (via Apple Business Manager/Apple School Manager), User Enrollment, and manual enrollment methods. It also provides a comparison of features based on the management type, enabling admins to evaluate the right approach for their environment. With these options, admins can simplify large-scale deployments, enforce compliance, and deliver a consistent and secure experience for all Apple devices.
iOS Management Mode |
Scenarios |
Enrollment Methods |
|---|---|---|
| Personal device management (Device Enrolment or User Enrolment) (Unsupervised) |
|
|
| Company-owned device management (Device enrolment or Automated device enrolment) (supervised) |
|
|
Apple Device Management Types
- Company-Owned Device Management: For devices purchased and owned by the organization, ensuring full control and security.
Enrollment Methods:
- Automated Device Enrollment (ABM/ASM):
When to Use:
- Apple Business Manager (ABM) or Apple School Manager (ASM) Availabile in Your Country or Region.
- Devices purchased directly from Apple or an authorized reseller. If there are company-owned devices purchased otherwise, it is possible to add them to Apple Business/ School Manager's Automated Device Enrollment program via the Apple Configurator app in iPhone or Mac.
Verify the above device eligibility and enroll devices in MDM through Automated Device enrollment (ABM/ASM).
- Manual Enrollment via Apple Configurator
When to Use: If Apple Business Manager (ABM) or Apple School Manager (ASM) is not available in your Country or Region.
- Automated Device Enrollment (ABM/ASM):
- Personal Device Management (BYOD - Bring Your Own Device):For employee-owned Personal devices accessing corporate resources.
Management Mode: There are two different Management mode. Devices can be enrolled either Account-Driven (using a Managed Apple ID) or Profile-Based (via an installation profile). If a user removes the enrollment profile, all associated configurations, policies, and managed apps are automatically revoked, ensuring corporate data remains protected when devices exit management. This approach maintains security while allowing flexibility in deployment. MDM supports multiple manual enrollment methods, including Invite Enrollment, Self Enrollment, and Apple User Enrollment, providing flexibility for different deployment scenarios.
Enrollment Methods:
- Self-Enrollment:
When to Use: Employees need to enroll their personal devices for work access.
Enrolment Type:
- Self Enrollment using AD Credentials: Users can self-enroll personal devices by scanning a QR code or visiting a self-enrollment URL, authenticated via Active Directory credentials. Visit our Self Enrollment guide for detailed information.
- Apple User Enrollment (Managed Apple IDs): Users can self-enroll personal devices via Apple User Enrollment (iOS 13+/macOS 10.15+) using their Managed Apple ID. For step-by-step instructions, refer to our Apple User enrollment Guide.
- Invite Enrollment
When to Use: IT Admins want to send a secure enrollment invitation(email) to employees. Useful for BYOD scenarios where users need a guided setup.
Invite enrollment can be sent to a individual user to enroll a single device and can also be sent in bulk to multiple users for enrolling their devices. For detailed instructions on sending enrollment invitations, please refer to our Invite Enrollment Guide.
- Self-Enrollment:
Comparison of Supported Functionality by Management Type
This section outlines the key functionality available for each Apple device management type, helping IT admins choose the right approach based on security and functionality requirements.
iOS/iPadOS
|
Company-Owned Device Management |
Personal Device Management (Un-Supervised) |
|||
|---|---|---|---|---|
| Functionality | Automated Device Enrollment iOS/iPadOS (Non-Shared) |
Automated Device Enrollment Shared iPad | Invite Enrollment/Self Enrollment | Apple User Enrolment |
| Policy | ||||
| Passcode |  |
 |
|
Limited Capability |
| Restrictions | |
|
|
Limited Restrictions |
| Wi-Fi | |
|
|
|
| Virtual Private Network (VPN) | |
|
|
|
| Per-App VPN | |
|
|
|
|
|
|
|
|
| Exchange ActiveServer(EAS) | |
|
|
|
| Kiosk | |
|
|
|
| Web Shortcut | |
|
|
|
| Web Content Filter | |
|
|
|
| App Notification | |
|
|
|
| Managed Web Domains | |
|
|
|
| Wallpaper | |
|
|
|
| Asset Tag | |
|
|
|
| AirPrint | |
|
|
|
| Global HTTP Proxy | |
|
|
|
| Enterprise SSO | |
|
|
|
| Extensible SSO | |
|
|
|
| Certificate | |
|
|
|
| Simple Certificate Enrollment Protocol(SCEP) | |
|
|
|
| ACME | |
|
|
|
| Shared iPad Configuration | |
|
|
|
| LDAP | |
|
|
|
| Contact Sync | |
|
|
|
| Calendar Sync | |
|
|
|
| Subscribed Calendars | |
|
|
|
| Access Point Name | |
|
|
|
| Fonts | |
|
|
|
| Accessibility Settings | |
|
|
|
| eSIM | |
|
|
|
| APPS & UPDATE MANAGEMENT | ||||
| Silent Installation of Store Apps | |
|
User will prompted to install the apps. Alternatively, the App will be listed in the App Catalog and user need to install the app manually. |
User will prompted to install the apps. Alternatively, the App will be listed in the App Catalog and user need to install the app manually.
|
| Installation of apps without Apple ID | |
|
|
|
| Silent Installation of in-house Apps | |
|
|
User will prompted to install the apps. Alternatively, the App will be listed in the App Catalog and user need to install the app manually. |
| Restricting side-loaded Apps | |
|
|
|
| Automate OS Updates | |
|
|
|
| Schedule and Automate app updates | |
|
|
|
| Blocklisting Apps | |
|
|
|
| Multiple versions of in-house Apps | |
|
|
|
| INVENTORY | ||||
| Device details such as model name, manufacturer name, UDID, etc. | Required details will be fetched. | |||
| Tracking Device Battery Level | |
|
|
|
| Locate Device | |
|
|
|
| Restart Device | |
|
|
|
| Shutdown Device | |
|
|
|
| Remove Screen Time Passcode | |
|
|
|
| Logout Users | |
|
|
|
| Delete Users | |
|
|
|
| TOOLS | ||||
| Announcements | |
|
|
|
| Remote Troubleshooting(Only remote view is possible) | |
|
|
|
| SECURITY MANAGEMENT | ||||
| Complete Wipe of the device | |
|
|
|
| Corporate Wipe of the device | |
|
|
|
| Remote Lock | |
|
|
|
| Lost Mode | |
|
|
|
| Clear/ Reset Passcode | |
|
|
|
MacOS
| Company-Owned Device Management | Personal Device Management | ||
|---|---|---|---|
| Functionality | Automated Device Enrollment | Invite Enrollment/Self Enrollment | Apple User Enrolment |
| Policy | |||
| Passcode | |
|
|
| Restrictions | |
Limited Restrictions |
|
| Wi-Fi | |
|
|
| Virtual Private Network(VPN) | |
|
|
| Per-App VPN | |
|
|
| Web Content Filter | |
|
|
| App Notifications | |
|
|
| FileVault Encryption | |
|
|
| Firewall | |
|
|
| AirPrint | |
|
|
| Global HTTP Proxy | |
|
|
| Extensible SSO | |
|
|
| Certificate | |
|
|
| SCEP | |
|
|
| AD Asset Binding | |
|
|
| AD Certificate Policy | |
|
|
| Recovery lock / Firmware password | |
|
|
| System extensions | |
|
|
| Background service management | |
|
|
| PPPC | |
|
|
| Fonts | |
|
|
| APPS & UPDATE MANAGEMENT | |||
| Installation of apps without Apple ID | |
|
|
| Schedule and Automate app updates (VPP) | |
|
|
| Inventory | |||
| Device details such as model name, manufacturer name, UDID, etc. | Required details will be fetched. | ||
| Locate Device | |
|
|
| Restart Device | |
|
|
| Shutdown Device | |
|
|
| Delete User | |
|
|
| SECURITY MANAGEMENT | |||
| Complete Wipe of the device | |
|
|
| Corporate Wipe of the device | |
|
|
| Remote Lock | |
|
|