Configure devices to allow for automatic enrollment using Apple's Device Enrollment Program (DEP).

Automated Enrollment for Apple Configurator

Overview

Before beginning, ensure that you uploaded a supervised identity when setting up DEP. Then, navigate to Apple Configurator 2 on your desktop and create a Wi-Fi configuration profile for your organization’s network and a blueprint with MDM information and a supervised identity attached. For more information on Wi-Fi profiles and blueprints, see the Apple Configurator 2 help documentation.

Use functionality in Apple Configurator 2 to create a Wi-Fi profile and apply a blueprint that allows devices to automatically enroll with the UEM console.

  1. Navigate to File > New Profile in Apple Configurator 2.
  2. Select Wi-Fi >  Configure and enter the profile information. Optionally, choose to sign the profile. Then save the profile configuration.
  3. Navigate to Blueprints > Edit Blueprints > New to prepare a blueprint to apply to the profile.
  4. Select the blueprint and select Prepare.
  5. Choose Automated Enrollment from the Configuration drop-down menu. Select Next.
  6. Choosethe configuration profile that you just created. Select Next.
    1. If required, enter the credentials for the MDM server if Authentication was turned on when configuring a Device Enrollment Program profile.
  7. Select Prepare.
  8. Navigate to the device browser and select a device or device group.
  9. Select Actions > Apply and choose the blueprint needed for enrollment.

All blueprint actions and profiles are pushed to devices.

Apple Configurator Manual Enrollment

Manual Enrollment refers to the process of manually creating user accounts and user groups for each of your organization's users. If your organization is not integrating Workspace ONE UEM with a directory service, this is how you create user accounts.

Set up manual enrollment through an Prepare a Blueprint to Enroll with an MDM Profile or Prepare a Blueprint to Enroll with an Enrollment URL. You can save time and effort of uploading individual user account details filling out and uploading CSV (comma-separated values) template files that contain all user information through the batch import feature.

Generate the MDM Enrollment Profile or Enrollment URL for Apple Configurator Enrollments

Create an enrollment profile for the desired organization group in the UEM console.

The enrollment profile contains MDM enrollment settings along with a certificate that uniquely identifies the MDM server URL, group ID, and username to assign to the device.

  1. Navigate to Devices > Device Settings > Devices & Users > Apple > Automated Enrollment.
  2. Select Enable Automated Enrollment.

    You may need to Override the current organization group to do this.

  3. Select the Platform for staging.
  4. Select the appropriate Staging Mode depending on how the device is going to be used. Pre-register devices by selecting None or Single User mode to pre-assign an end user to each device.

    If you do not register any devices, the enrollment user is dependent on the Staging Mode selected.

    • None – Does not stage device for other users. For non-registered devices, all devices will be enrolled under the Default Enrollment User. In this case, only non-staging users are available as default staging user options.

      Important: If you do not pre-register your devices and select None and specify a default enrollment user, then all devices that receive the .mobileconfig file will be enrolled to that user. To ensure devices are enrolled to distinct users, pre-register them to specific users or create a staging user account and select Single User as your Staging Mode.
    • Single User – Stages device for a single, known or unknown user. Only staging users are available as Default Enrollment User options. When end users open the Workspace ONE Intelligent Hub, they must enter credentials to fully enroll the staged device. At that time, the device details will update in the UEM console and the device is associated with that end user.

    • Multi User – Places device into Shared Device Mode. This stages the device for multiple, known or unknown users. Only staging users are available as Default Enrollment User options. When end users open the Workspace ONE Intelligent Hub, they must enter credentials to check out the device for use.

  5. Select Copy and follow the prompt to copy the MDM Server URL. Save this information so you can paste into an Apple Configurator 2 blueprint later.

    Alternatively, select Export to save a .mobileconfig file that includes the name of the organization group.

    • If you performed this step on a macOS computer, note that your macOS device may display a System Preferences window asking you to install the profile. Select Cancel.
    • If you performed this step on a Windows PC, then transfer the file to the macOS computer that is running Apple Configurator 2.
  6. Select Save and Copy URL to save the staging settings.

Prepare a Blueprint to Enroll with an MDM Profile

Use Apple Configurator 2 on the staging macOS computer to manually prepare devices.

This workflow allows you to enroll devices, add supervision and choose what screens are seen during device's Setup Assistant.

  1. Navigate to File > New Profile in Apple Configurator 2.
  2. Select Wi-Fi >  Configure and enter the profile information. Optionally, choose to sign the profile. Then save the profile configuration.
  3. Navigate to Blueprints > Edit Blueprints > New to prepare a blueprint to apply to the profile.
  4. Name
  5. Select the blueprint and select Prepare.
  6. Choose Manual as the enrollment type. Select Next.
  7. Select Do not enroll in MDM. Select Next.
  8. Choose the Server for device management.
  9. Select Supervision to the management capabilities.
  10. Select whether to Allow devices to connect to other computers. Select Next.
  11. Choose the Organization to assign devices. Select Next.
  12. Configure the iOS Setup Assistant steps by selecting which screens are available to the end user.
  13. Select Prepare.
  14. Select Add > Profiles in the Apple Configurator 2 window.
  15. Choose the Wi-Fi profile that you created earlier and add it to the blueprint.

What to do next

Next, deploy this blueprint using the steps found in Deploy Enrollment Profiles for Apple Configurator 2 Enrollments.

Then Add an Enroll Blueprint with Add an Enroll Blueprint to Enroll with an MDM Profile.

Add an Enroll Blueprint to Enroll with an MDM Profile .

This is the second step to enrolling with an MDM profile through Apple Configurator 2.

Create an Enroll blueprint in addition to the Prepare blueprint you created earlier and push these two blueprints to devices together

  1. Navigate to Blueprints > Edit Blueprints > New to prepare a blueprint to apply to the profile.
  2. Namethis blueprint Enroll.
  3. Select the blueprint and select Add > Profiles.
  4. Choose the .mobileconfig profile that you created in the UEM console and add it to the blueprint.

    Do not prepare the blueprint.

    What to do next

    Deploy the enrollment profiles using Deploy Enrollment Profiles for Apple Configurator 2 Enrollments.

    Prepare the blueprint to enroll with an MDM profile, using Prepare a Blueprint to Enroll with an MDM Profile..

Prepare a Blueprint to Enroll with an Enrollment URL

Configure devices so that users can enroll directly in to an organization group instead of adding an MDM profile to the device.
  1. Navigate to Blueprints > Edit Blueprints > New to prepare a blueprint to apply to the profile.
  2. Select the blueprint and select Prepare.
  3. Name the blueprint Enroll.
  4. Choose Manual as the enrollment type. Select Next.
  5. Choose New Server from the drop-down menu. Select Next.
  6. Enter the Name of the new server.
  7. Paste the enrollment URL that was generated in the UEM console into the text box.
  8. Add the anchor certificates as required.
  9. Select supervision to the management capabilities.
  10. Select whether to Allow devices to connect to other computers. Select Next.
  11. Choose the Organization to assign devices. Select Next.
  12. Configure the iOS Setup Assistant steps by selecting which screens are available to the end user.
  13. Select Prepare.
  14. Select Add > Profiles in the Apple Configurator 2 window.
  15. Choose the Wi-Fi profile that you created earlier and add it to the blueprint.

What to do next:

Add an Enroll blueprint using Add an Enroll Blueprint to Enroll with an MDM Profile.

Deploy Enrollment Profiles for Apple Configurator 2 Enrollments

Configure device for enrollment by deploying profiles to devices.

Configure devices with an enrollment profile by pushing both the Prepare and Enroll blueprint, or, configure devices to enroll through a URL by pushing the Enroll blueprint that was set up with an enrollment URL.

  1. Connect iOS devices to the macOS staging computer using USB.

    The number of devices attached to staging computer appears in a badge.

  2. Navigate to the device browser and select a device or device group.
  3. Select Actions > Apply and choose the Prepare blueprint.
  4. If you are configuring devices with an enrollment profile, repeat the previous step and choose the Enroll blueprint.

    The devices are configured with settings from the Prepare blueprint and enrolled using the profile added to the Enroll blueprint.