Account-Driven Enrollment

This article explains how to configure Account-Driven Enrollment in SimpleMDM and how to enroll devices using this method. Please note that this enrollment method will require changes to your own web server.

Create the Enrollment

  1. In SimpleMDM, click 'Devices > Enrollments' on the left side of the screen.
  2. Click "Add Enrollment".
  3. Select "Group Enrollment".
  4. Give the enrollment a name and select the "Initial device group" that you want devices to be assigned to when they enroll.
    • If you would like devices to be enrolled using User Enrollment (BYOD), set "User Enrollment" to "Yes".
    • Otherwise, if you prefer devices to be enrolled as a regular device enrollment, leave this set to "No".
    • Refer to the 3. Choosing An Enrollment Method article for more information about the differences between User Enrollment and regular Device Enrollment.
  5. Check the box labeled "Account-driven enrollment".
  6. In the "Managed Apple ID domain" field, enter the domain used for Managed Apple IDs in your organization's Apple Business Manager or Apple School Manager account.
  7. Click "Save".
 

For this to work, the domain must be verified in your Apple Business Manager or Apple School Manager account. If you wish to enable this for multiple domains, you will need to create multiple enrollments.

Configuring the Well-Known Endpoint on Your Web Server

For Account-Driven Enrollment to function, Apple requires a service discovery endpoint to be configured on your domain. The exact steps to configure this may vary depending on your server.

Once you have created the Enrollment, the SimpleMDM admin interface will display embedded instructions for:

  • Nginx
  • Apache
  • Cloudflare
  • Other

Click the server type and follow the instructions listed.

Notes on server configuration:

  • If your Managed Apple ID looks like user@example.com, the service discovery endpoint should be https://example.com/.well-known/com.apple.remotemanagement
  • The specific URL to redirect the well-known endpoint will be displayed in the instructions within your account. It will follow a format like: https://a.simplemdm.com/device/enrollment/well_known/XXXXXX-0000-0000-0000-123456abcdef
  • The file should be in JSON format with content-type set to application/json.
  • HTTPS is required.
  • This configuration must remain on your server for the enrollment to continue to function.
  • The enrollment will not work until the configuration has been verified.
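
The notes above can be checked from a script before you click "Verify Configuration". The following Python is an added example, not SimpleMDM's or Apple's code: it derives the discovery URL from a Managed Apple ID, records each redirect hop, and flags non-HTTPS hops, an unexpected redirect host, a wrong content type, or a body without the "Servers"/"BaseURL" layout of Apple's documented discovery response (an assumption here, since this article does not show the JSON). The function names, the mdm_host default and the sample values are constructed for illustration.

```python
import json
import urllib.request
from urllib.parse import urlsplit

WELL_KNOWN_PATH = "/.well-known/com.apple.remotemanagement"

def discovery_url(managed_apple_id):
    """user@example.com -> https://example.com/.well-known/com.apple.remotemanagement"""
    local, sep, domain = managed_apple_id.strip().rpartition("@")
    if not (local and sep and domain):
        raise ValueError("not a Managed Apple ID: %r" % managed_apple_id)
    return "https://" + domain.lower() + WELL_KNOWN_PATH

class RecordHops(urllib.request.HTTPRedirectHandler):  # records every redirect target
    def __init__(self):
        self.hops = []
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        self.hops.append(newurl)
        return super().redirect_request(req, fp, code, msg, headers, newurl)

def fetch(url):
    """Live request; returns (hops, content_type, body) for check()."""
    rec = RecordHops()
    with urllib.request.build_opener(rec).open(url, timeout=10) as resp:
        return [url] + rec.hops, resp.headers.get("Content-Type", ""), resp.read()

def check(hops, content_type, body, mdm_host="a.simplemdm.com"):
    """Return a list of problems; an empty list means the endpoint looks right."""
    problems = ["non-HTTPS hop: " + u for u in hops if urlsplit(u).scheme != "https"]
    if len(hops) > 1 and urlsplit(hops[-1]).hostname != mdm_host:
        problems.append("redirect ends at unexpected host: " + hops[-1])
    if content_type.split(";")[0].strip().lower() != "application/json":
        problems.append("content-type is not application/json: %r" % content_type)
    try:  # "Servers"/"BaseURL" layout is an assumption (see lead-in)
        bases = [str(s["BaseURL"]) for s in json.loads(body)["Servers"]]
    except (ValueError, KeyError, TypeError):
        bases = []
    if not bases:
        problems.append("body is not the expected discovery JSON")
    problems += ["BaseURL is not HTTPS: " + b for b in bases if urlsplit(b).scheme != "https"]
    return problems

# Constructed sample of a correctly served response (placeholder IDs and paths).
SAMPLE = (
    ["https://example.com" + WELL_KNOWN_PATH,
     "https://a.simplemdm.com/device/enrollment/well_known/XXXXXX-0000-0000-0000-123456abcdef"],
    "application/json; charset=utf-8",
    b'{"Servers": [{"Version": "mdm-byod", "BaseURL": "https://a.simplemdm.com/PLACEHOLDER"}]}',
)
```

Run check(*fetch(discovery_url("user@example.com"))) against your own domain. Repeating it on a schedule also catches later changes to where the endpoint points.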

Verifying the Server Configuration

Once you have completed the process above, click "Verify Configuration". SimpleMDM will send a test request to this endpoint to verify it is configured correctly.

If successful, the SimpleMDM admin interface will show "Success: This enrollment has been verified. The well-known JSON has been configured correctly."

Alternatively, if it is not configured correctly, you will receive an error message.

Enrolling a Device Using Account-Driven Enrollment

After your server configuration has been verified, you are ready to start enrolling devices. To enroll a device using Account-Driven Enrollment:

  1. Open the "Settings" app on your device.
  2. Navigate to 'General > VPN & Device Management'.
  3. Select "Sign In to Work or School Account".
  4. When prompted, enter your Managed Apple ID.
  5. You will be prompted with a "Sign In to iCloud" screen – enter your Managed Apple ID password and select "Continue".
  6. The next screen will display a "Remote Management" prompt – select "Allow Remote Management" and the enrollment will be complete.

You may be prompted to complete MFA when signing in to your Managed Apple ID. Additionally, if you have Enrollment Authentication enabled, you will be prompted to authenticate with your identity provider after Step 4 above.

Apple Business Manager, Managed Apple Accounts & Access Management

Apple Business Manager allows admins to customize what services and applications users can access through their Managed Apple Account (MAA). It also allows admins to control what devices can be used to sign in to a Managed Apple Account (any device, MDM-managed devices only, or supervised MDM-managed devices only). These options can be found under the Access Management section of Apple Business Manager. For more details on this topic, review the following links from Apple's documentation:

Some of these Access Management settings in Apple Business Manager require the MDM service to support a specific capability (known as the GetToken endpoint) in order to function. SimpleMDM does support this capability. Keep reading for details on configuration.


If Access Management restrictions that require MDM enrollment are enabled for MAAs, and the devices are not enrolled in MDM or the MDM service is not configured for this, users won't be able to access those services on their devices.

Additionally, it is worth noting that these settings can also impact whether or not a device can enroll in MDM using the Account-Driven Enrollment flow. For example, if the ABM Access Management settings are configured to allow Managed Apple Account sign-in on "Supervised Devices Only", users won't be able to enroll their personal devices using Account-Driven User Enrollment (ADUE), which is a common workflow for BYOD deployments.

Configuring SimpleMDM for ABM Access Management

To configure SimpleMDM for use with ABM Access Management:

  1. First, connect an MDM server token from ABM to SimpleMDM - this is done by creating an Automated Enrollment. This allows SimpleMDM to "see" your Apple Business Manager account and communicate with it to know that a device is associated with a Managed Apple Account from your organization.
  2. After connecting an Automated Enrollment, go to Enrollments > Settings. Under "Account-Driven Enrollment: ABM Organization for Access Management", click the dropdown and select the Automated Enrollment created in step 1. SimpleMDM will use this token to establish the association with your ABM account for use with Access Management settings.

Important Note: If the MDM server that you are using for Account-Driven Enrollment is deleted in Apple Business Manager, it could cause devices to lose access to certain MAA services and/or become unenrolled from MDM, depending on how your Access Management settings are configured. For this reason, it is suggested that you create a separate MDM server token in ABM dedicated specifically for this. It does not matter if the token itself expires, but it must continue to exist in ABM.

 

Additional Information

You can optionally enable enrollment authentication and a welcome screen for this enrollment.
