This article explains how to configure Account-Driven Enrollment in SimpleMDM and how to enroll devices using this method. Please note that this enrollment method will require changes to your own web server.
Create the Enrollment
- In SimpleMDM, click 'Devices > Enrollments' on the left side of the screen.
- Click "Add Enrollment".
- Select "Group Enrollment".
- Give the enrollment a name and select the "Initial device group" that you want devices to be assigned to when they enroll.
- If you would like devices to be enrolled using User Enrollment (BYOD), set "User Enrollment" to "Yes".
- Otherwise, if you prefer devices to be enrolled as a regular device enrollment, leave this set to "No".
- Refer to the 3. Choosing An Enrollment Method article for more information about the differences between User Enrollment and regular Device Enrollment.
- Check the box labeled "Account-driven enrollment".
- In the "Managed Apple ID domain" field, enter the domain used for Managed Apple IDs in your organization Apple Business Manager or Apple School Manager account.
- Click "Save".
For this to work, the domain must be verified in your Apple Business Manager or Apple School Manager account. If you wish to enable this for multiple domains, you will need to create multiple enrollments.
Configuring the Well-Known Endpoint on Your Web Server
For Account-Driven Enrollment to function, Apple requires a service discovery endpoint to be configured on your domain. The exact steps to configure this may vary depending on your server.
Once you have created the Enrollment, the SimpleMDM admin interface will display embedded instructions for:
- Nginx
- Apache
- Cloudflare
- Other
Click the server type and follow the instructions listed.
Notes on server configuration:
- If your Managed Apple ID looks like
user@example.com, the service discovery endpoint should behttps://example.com/.well-known/com.apple.remotemanagement - The specific URL to redirect the well-known endpoint will be displayed in the instructions within your account. It will follow a format like:
https://a.simplemdm.com/device/enrollment/well_known/XXXXXX-0000-0000-0000-123456abcdef - The file should be in JSON format with content-type set to application/json.
- HTTPS is required.
- This configuration must remain on your server for the enrollment to continue to function.
- The enrollment will not work until the configuration has been verified.
Verifying the Server Configuration
Once you have completed the process above, click "Verify Configuration". SimpleMDM will send a test request to this endpoint to verify it is configured correctly.
If successful, the SimpleMDM admin interface will show "Success: This enrollment has been verified. The well-known JSON has been configured correctly."
Alternatively, if it is not configured correctly, you will receive an error message.
Enrolling a Device Using Account-Driven Enrollment
After your server configuration has been verified, you are ready to start enrolling devices. To enroll a device using Account-Driven Enrollment:
- Open the "Settings" app on your device.
- Navigate to 'General > VPN & Device Management'.
- Select "Sign In to Work or School Account".
- When prompted, enter your Managed Apple ID.
- You will be prompted with a "Sign In to iCloud" screen – enter your Managed Apple ID password and select "Continue".
- The next screen will display a "Remote Management" prompt – select "Allow Remote Management" and the enrollment will be complete.
You may be prompted to complete MFA when signing in to your Managed Apple ID. Additionally, if you have Enrollment Authentication enabled, you will be prompted to authenticate with your identity provider after Step 4 above.
Additional Information
You can optionally enable enrollment authentication and a welcome screen for this enrollment.
