Administrators can enroll devices on behalf of users in a process called device staging. Staging devices serves to streamline the process of registration and to enroll iOS devices shared by multiple users. You can also stage devices to provision an entire device fleet quickly with Apple Configurator.
Consideration #1: Use of Device Staging
Unless you are using Apple Configurator, administrators must stage devices one-by-one. For large deployments, consider the time and staffing this effort requires.
Whereas administrators can stage new devices easily, employees already using corporate-owned devices must ship devices in or collect them on-site to have devices staged.
If you have thousands of devices to pre-enroll, device staging can take time. Therefore it works best when you have a new batch of devices being provisioned, since you can gain access to the devices before employees receive them.
Device staging can be performed for Android and iOS devices in following ways.
- Single User (Standard) – Used when you are staging a device which any user can enroll.
Note: As indicated, this enrollment flow is intended for unattended devices. If you are using this flow for zero touch user enrollment, you are responsible for ensuring that staged devices are delivered to the intended user.
- Single User (Advanced) – Used when you are staging and enrolling a device for a particular user.
Note: The staging user/administrator must ensure that the device is checked out to the registered user.
- Multi User – Used when you are staging a device to be shared among multiple users.
Consideration #2: Are You Participating in Apple's Device Enrollment Program?
To maximize the benefits of Apple devices enrolled in Mobile Device Management (MDM), Apple has introduced the Device Enrollment Program (DEP). With DEP, you can perform the following.
- Install a non-removable MDM profile on a device, preventing end users from deleting it.
- Provision devices in Supervised mode (iOS only). Devices in Supervised mode can access additional security and configuration settings.
- Enforce an enrollment for all end users.
- Meet your organization's needs by customizing and streamline the enrollment process.
- Prevent iCloud back up by disabling users from signing in with their Apple ID when generating a DEP profile.
- Force OS updates for all end users.
Consideration #3: Use of Apple Configurator
Apple Configurator enables IT administrators to deploy and manage Apple iOS devices effectively. Organizations such as retail stores, classrooms, and hospitals find it especially useful to pre-enroll devices for multiple end users to share.
Using Configurator to enroll pre-registered devices meant for a single user is supported by adding serial number/IMEI information to a user's registered device in the Console. A major benefit of Apple Configurator is that you can use a USB hub or iOS device cart to provision multiple devices in minutes.
Consideration #4: Use of Workspace ONE Direct Enrollment
Device staging through Workspace ONE Direct Enrollment is not supported. If you must stage a device, whether for single or multiple users, you must enroll the device using Workspace ONE Intelligent Hub instead of Workspace ONE Direct Enrollment.
For more information, see Workspace ONE Direct Enrollment.
Consideration #5: Single User Staging or Registration?
If you are considering staging devices for a single user, registration might be preferred. The difference between staging for a single user and registering a device is subtle but important.
Registration – When you register a device, you do so for an individual, named user. This procedure means that the device expects the first user who logs in to be the same user to whom it was registered. If another user attempts to log in to a registered device, security purposes dictate that the device is locked out and cannot be enrolled.
Single User Staging – When you stage a device, you do so for any user qualified to enroll in Workspace ONE UEM. In theory, you might hand a staged device to any qualified user, and that user might successfully log in to the device and enroll in Workspace ONE UEM.
The staging workflow allows you to prepare the device and then start the Workspace ONE Intelligent Hub, where any qualified enrollment user can log in. Workspace ONE UEM then performs a one-time reassignment to associate the device to that user.