Category filter
Intro to different Apple device enrollment types in Hexnode
Hexnode UEM offers a variety of enrollment methods specifically designed for Apple devices. The enrollment type you choose should be based on your workplace’s specific needs and requirements. This document will guide you in selecting the most suitable method for enrolling the Apple devices at your workplace.
- Apple DEP Enrollment
- Apple Configurator Enrollment
- User Enrollment
- Device Enrollment
Apple Automated Device Enrollment
Automated Device Enrollment (ADE) or previously called Apple Device Enrollment Program (DEP), is a deployment program by Apple that allows you to enroll and set up a fleet of devices. By leveraging the Apple Business Manager (ABM) or Apple School Manager (ASM) portals, ADE allows you to automate the entire enrollment process and facilitate over-the-air management of Apple devices. ADE also offers advanced management features such as device supervision which provide enhanced control over Apple devices.
For instance, if an organization plans to deploy a large number of iPhones for corporate use, the IT department can enroll the devices using ADE through ABM (or ASM, in the case of schools). Devices are handed over to the employees after adding them in the ABM/ASM portal using your Apple Customer Number or Reseller Number. You can view and identify the devices added in ABM by their serial number, date of assignment and so on.
Moreover, the synchronization between ABM/ASM and the organization’s MDM system enables the configuration of DEP profiles and DEP accounts. The DEP profile will help to dictate the setup steps and key management capabilities prior to the devices’ enrollment such as,
- Enabling supervision,
- Enrolling devices in MDM, or
- Allow MDM profile removal, which prevents the users from removing the downloaded MDM profile from their device manually or by wiping it.
Once employees receive their iPhones, they can simply power them on, and the Apple Setup Assistant will guide them through the setup and enrollment process. During this process, the necessary configurations and apps are automatically downloaded and applied, ensuring the devices are ready for use right out of the box and compliant with company policies from the moment they are activated.
Moreover, ADE is integrated with the Volume Purchase Program (VPP) allowing you to purchase apps in bulk and distribute them to the devices.
Only the following OS versions can be eligible for ADE:
- iOS 11 or later
- macOS 10.9 or later
- tvOS 10.2 or later
Apple Configurator Enrollment
Apple Configurator is an application using which you can enroll Apple devices to your MDM. Apple Configurator enables you to manually add devices that were not originally purchased from Apple or Apple authorized resellers to ABM/ASM. Once added you can leverage the benefits of ABM/ASM such as supervision and ensure integration with your organization’s MDM system.
Alternatively, if you do not have an ABM/ASM account, Apple Configurator also offers the provision to enroll and supervise Apple devices without requiring one. This provides a flexible solution for managing Apple devices, allowing you to set up and control them without relying on DEP.
You can add the devices of the following versions to ABM using Apple Configurator:
- iOS/iPadOS 16+
- macOS 12.0.1+
User Enrollment
User Enrollment is the enrollment type that is designed for BYOD (bring-your-own-device) deployments. In this case, the user’s personal device can be enrolled in the organization’s MDM using their Managed Apple Account, ensuring that corporate data and personal data exist separately on the device. Managed Apple Accounts are owned and managed by the organization and exist separately on the device from the users’ personal Apple Account. Users can access the work-related apps and data using their Managed Apple Account and can simultaneously use their device for personal use through their personal Apple Account.
This type of enrollment enhances the productivity of employees and allows organizations to manage work-related apps, data, and settings on the device without impacting the user’s personal apps or data.
User Enrollment severely restricts the capabilities of an MDM on the user device. Rather than having full control of the device, the MDM is only allowed to manage a restricted section on the device. This enables users to access corporate data and services without having to sacrifice their own privacy. Thus, User Enrollment brings a balance to the table in the way security and privacy for both enterprise and the user in device management.
The following OS versions are eligible for User Enrollment:
- iOS/iPadOS 15+
- macOS 14+
- visionOS 1.1+
However, it’s important to note that user enrollment offers a restricted scope of management. With this approach, MDM can only manage the apps and services associated with the user’s Managed Apple Account.
Here’s an overview of the functionalities available for user-enrolled iOS devices through Hexnode UEM.
| Functionality | Feature |
|---|---|
| Remote Actions |
|
| Restrictions |
|
| Network |
|
| Security |
|
| Accounts |
|
| Expense Management |
|
| Configurations |
|
Here’s an overview of the functionalities available for user-enrolled macOS devices through Hexnode UEM.
| Functionality | Feature |
|---|---|
| Remote Actions |
|
| Restrictions |
|
| Network |
|
| Accounts |
|
| Security |
|
| Configurations |
|
Hexnode UEM supports two enrollment methods associated with user enrollment:
- Profile-driven User enrollment: By enrolling devices through profile-driven user enrollment method, users can download the enrollment profile from an external link through the Safari browser. This process requires authentication with the user’s Managed Apple Account credentials.
- Account-driven User enrollment: By enrolling devices through account-driven user enrollment method, end-users can directly enroll Apple devices into the organization’s MDM from the device (Settings > VPN & Device Management) and by signing into the work account using their Managed Apple Account credentials. This enrollment method simplifies the enrollment procedure by eliminating the need for users to download an MDM profile from an external link unlike profile-driven enrollment.
- Profile-driven User enrollment is not supported from iOS 18+ and macOS 15+.
- Account-driven User enrollment is supported on devices running iOS 15, iPadOS 15, macOS 14, and visionOS 1.1 or later.
Device Enrollment
Device Enrollment is the enrollment type specifically designed for enrolling organization-owned devices. It enables users to manually enroll their devices into the organization’s MDM system. Under device enrollment the entire device would be managed by the MDM including system settings, apps, network configurations, and data and enforce device-wide restrictions. On Mac computers running macOS 11 or later, Device Enrollment also enables supervision, providing additional control and management capabilities.
Hexnode UEM supports two enrollment methods associated with device enrollment:
- Profile-driven Device enrollment: In enrolling devices through profile-driven device enrollment method, users can download the enrollment profile from an external link through the Safari browser. Then, they can install the profile from device Settings.
- Account-driven Device enrollment: By enrolling devices through account-driven device enrollment method, end-users can directly enroll the organization’s Apple devices into the organization’s MDM from the device (Settings > VPN & Device Management) by signing into the work account using their Managed Apple Account credentials. This enrollment method simplifies the enrollment procedure by eliminating the need for users to download an MDM profile from an external link unlike profile-driven enrollment.
Account-driven device enrollment is supported on devices running iOS 17, iPadOS 17, macOS 14, and visionOS 1.1 or later.
