Set up Account driven enrollment for Apple devices
Learn how to set up Account driven enrollment for Apple devices enrolling in Hexnode.
The account driven enrollment method allows end users to enroll their devices directly by signing in with their Managed Apple Account. This method simplifies the enrollment process by eliminating the need for users to download an MDM profile from an external link. After the user signs in, the device is redirected to the organization’s enrollment portal, where they can install the MDM profile.
Account driven enrollment is particularly beneficial in:
- BYOD (Bring Your Own Device) scenarios, where employees use personal devices for work, enabling easy access to corporate resources with minimal IT intervention.
- Organization-owned devices that are not enrolled in Apple’s Device Enrollment Program (DEP), providing an alternative seamless enrollment method. Unlike DEP, account-driven enrollment allows the devices to be enrolled without a factory reset or prior setup.
Account driven enrollment
Account driven enrollment ensures devices are automatically enrolled into the MDM when users sign in with their Managed Apple Account. It supports:
- Account Driven Device Enrollment: for company-owned devices.
- Account Driven User Enrollment: for BYOD, enabling personal devices to be managed through corporate policies.
This guide outlines the steps for enrolling Apple devices using account driven enrollment in Hexnode UEM.
Steps to perform Account driven enrollment
Step 1: Set up a web server with enrollment information
Before initiating account driven enrollment in the Hexnode UEM portal, you need to generate and host enrollment details in a JSON file on a web server. This enables devices to start a service discovery process, during which the device fetches the enrollment information from the web server and redirects the user to the Hexnode UEM enrollment portal.
Process overview
When a user enters their Managed Apple Account on the device:
- The device extracts the domain information (information following the @ symbol) from the Managed Apple account.
- Then the device sends an HTTP request to the web server hosting the enrollment information (JSON file).
- The device uses this information to redirect the user to the Hexnode’s enrollment portal.
For instance, if the user John signs in to a device with the Managed Apple Account john@mycompany.com, the device extracts mycompany.com and uses the service discovery process to make an HTTP request for the enrollment information that is hosted at mycompany.com.
Refer to the Apple Developer website for comprehensive details on the authentication flow between the user, client, web server, and Apple services.
Create the JSON file
For a device to communicate with the Hexnode UEM server, you must create a JSON file and define the following properties in it:
- Version: Specifies the enrollment type (mdm-byod or mdm-adde).
- Base URL: The URL of your Hexnode UEM portal.
Example JSON format
For Account Driven User Enrollment:
```json
{
  "Servers": [
    {
      "Version": "mdm-byod",
      "BaseURL": "https://PortalName.hexnodemdm.com/userenroll/"
    }
  ]
}
```
For Account Driven Device Enrollment:
```json
{
  "Servers": [
    {
      "Version": "mdm-adde",
      "BaseURL": "https://PortalName.hexnodemdm.com/enroll/"
    }
  ]
}
```
Replace PortalName with your organization’s actual Hexnode portal name.
Requirements for hosting the enrollment information on the web server
The requirements for hosting the enrollment information on the web server are:
- The JSON file must be hosted on a web server which supports HTTPS GET requests. The web server URL must be in the format:
https://company.com/.well-known/com.apple.remotemanagement
In the above URL, company.com must match the verified domain associated with the Managed Apple Accounts.
- The web server must have the same domain name as the verified domain that the Managed Apple Accounts belong to.
- The SSL certificate for the web server must be issued by a trusted certificate authority. For a list of trusted root certificates on iOS devices, see lists of available trusted root certificates in iOS from Apple’s support website.
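To make the service discovery step concrete, the following is an added Python example (not Hexnode's or Apple's code) that derives the well-known URL a device would request from a Managed Apple Account and checks a hosted enrollment JSON document against the requirements above. The sample documents, the portal name acme and the one-BaseURL-path-per-Version pairing are constructed assumptions taken from this page's two examples.

```python
import json
from urllib.parse import urlsplit

# Enrollment types this page lists for "Version", and the BaseURL paths from its two
# Hexnode examples (assumption: one path per enrollment type).
VALID_VERSIONS = {"mdm-byod", "mdm-adde"}
EXPECTED_PATHS = {"mdm-byod": "/userenroll/", "mdm-adde": "/enroll/"}

def account_domain(managed_apple_account: str) -> str:
    """Return the domain part (after '@') that the device uses for service discovery."""
    local, sep, domain = managed_apple_account.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an email-style Managed Apple Account")
    return domain.lower()

def discovery_url(managed_apple_account: str) -> str:
    """The HTTPS URL a device requests for this account (Step 1 of this page)."""
    return f"https://{account_domain(managed_apple_account)}/.well-known/com.apple.remotemanagement"

def validate_discovery_json(body: str, managed_apple_account: str, served_from_host: str) -> list:
    """Check a hosted enrollment JSON document; returns a list of problems (empty means OK)."""
    problems = []
    if served_from_host.lower() != account_domain(managed_apple_account):
        problems.append(f"served from {served_from_host!r}, but the account domain is "
                        f"{account_domain(managed_apple_account)!r}")
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        return problems + [f"not valid JSON: {exc}"]
    servers = doc.get("Servers") if isinstance(doc, dict) else None
    if not isinstance(servers, list) or not servers:
        return problems + ["missing or empty 'Servers' array"]
    for i, srv in enumerate(servers):
        version, base_url = srv.get("Version"), str(srv.get("BaseURL", ""))
        parts = urlsplit(base_url)
        if version not in VALID_VERSIONS:
            problems.append(f"Servers[{i}]: Version must be mdm-byod or mdm-adde, got {version!r}")
        if parts.scheme != "https" or not parts.netloc:
            problems.append(f"Servers[{i}]: BaseURL must be an absolute https:// URL")
        if "PortalName" in parts.netloc:
            problems.append(f"Servers[{i}]: replace the PortalName placeholder with your portal name")
        expected = EXPECTED_PATHS.get(version)
        if expected and parts.path != expected:
            problems.append(f"Servers[{i}]: path {parts.path!r} should be {expected!r} for {version}")
    return problems

# Constructed sample documents (not from a real deployment).
GOOD_BYOD = '{"Servers":[{"Version":"mdm-byod","BaseURL":"https://acme.hexnodemdm.com/userenroll/"}]}'
BAD_ADDE = '{"Servers":[{"Version":"mdm-device","BaseURL":"http://PortalName.hexnodemdm.com/enroll/"}]}'
```

Run the validator against the file you actually serve, with the host it is served from, before pointing users at it; a domain mismatch or a plain-http BaseURL fails silently on the device side.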
Step 2: Configure enrollment settings in Hexnode UEM
- Log in to your Hexnode UEM portal.
- Navigate to Enroll > Settings.
- Select the Authentication Mode and scroll to the Enrollment Ownership section.
- In the Enrollment Ownership section:
- If you have selected No Authentication as the Authentication Mode:
- For both Corporate and Personal ownerships, check the Account driven option under Apple Enrollment type.
- If you have selected Enforce Authentication as the Authentication Mode:
- For both Corporate and Personal ownerships, check the Account driven option under Apple Enrollment type.
- For Personal and Choose while sending enrollment requests ownership options under the Profile-driven section, select either Device Enrollment or User Enrollment. In the Account driven section, you can select both Device Enrollment and User Enrollment.
- After configuring these enrollment settings, click Save.
Step 3: Initiate enrollment from the device
- On iPhones or iPads: navigate to Settings > General > VPN & Device Management > Sign in to Work or School Account.
- On Macs: navigate to Settings > General > Device Management > Work or School Account > Sign In.
- In the pop-up, enter your Managed Apple Account and tap Continue.
- On the following screen, the Hexnode enrollment page will appear, along with the EULA. Review the EULA, agree to the terms, and click Enroll.
- If you have selected No Authentication in the portal, there will be no prompt for authentication. Otherwise, authentication will be required.
- After authentication, the device will prompt you to sign in to iCloud.
- Enter the Managed Apple Account password and tap Continue.
- On the next page the device will prompt you to allow Remote Management.
- After accepting remote management, the device will enroll in the specified Hexnode UEM portal, and the managed account will be displayed in the Profile & Device Management section.
Post enrollment overview
Once the enrollment is complete,