Friday, December 8, 2023

Configuring Account-Driven Enrollment and Enrolling a Personal Device in Jamf Pro

In today's mobile-driven world, organisations need efficient and secure ways to manage employee devices. Apple's Account-Driven Enrollment (ADE) offers a streamlined solution, allowing users to enroll their personal devices in mobile device management (MDM) using their existing Managed Apple IDs. This article explores the benefits of ADE and guides you through the steps of configuring it with Azure Active Directory (AD) and Jamf Pro.

Benefits of Account-Driven Enrollment:

  • Simplified User Experience: Users can enroll their devices using familiar credentials, eliminating the need for dedicated enrollment profiles.
  • Reduced IT Overhead: Organisations no longer need to create and manage individual enrollment profiles for each user.
  • Enhanced Security: Federated authentication provides an additional layer of security, leveraging existing user credentials.
  • Improved BYOD Support: ADE facilitates BYOD programs by allowing users to enroll their personal devices for work purposes.

Prerequisites:

  • Apple Business Manager
  • Microsoft Azure AD subscription
  • Jamf Pro MDM solution
  • Access to the organization’s web host


1. Verifying Domain and Federating Microsoft Azure with Apple Business Manager


Prerequisites:

  • Apple Business Manager/School Manager account
  • Microsoft Azure Active Directory (Azure AD) account with appropriate permissions

Steps:

  1. Sign in to Apple Business Manager.
  2. Navigate to Settings > Accounts > Domains.
  3. Click Add Domain.
  4. Enter your domain name and click Next.
  5. Follow the on-screen instructions to verify your domain ownership. This typically involves adding a TXT record to your DNS.
  6. Once verified, click Next.
  7. Select the "Federate" option.
  8. Click "Sign in to Microsoft Azure Portal."
  9. Enter your Azure AD credentials and sign in.
  10. Review and accept the application agreement.
  11. Click "Done."
  12. In Azure AD, ensure the Apple Business Manager application is configured with the appropriate permissions.
  13. Back in Apple Business Manager, test the federation by signing in with an Azure AD user.

Resources:


2. Configuring Account-Driven Enrollment in Jamf Pro


Prerequisites:

  • Jamf Pro 10.33 or later
  • Managed Apple IDs associated with users
  • Web server for hosting the enrollment information JSON file

Setting Up Web Server Hosting

Setting up Account-Driven User Enrollment involves creating and hosting enrollment information in a JSON file on a web server. This allows devices to initiate a service discovery process to retrieve the information and direct the user to the enrollment portal on their device.


Defining Jamf Pro Enrollment Information for Account-Driven Device Enrollment

A device must authenticate with the Jamf Pro server to initiate the service discovery process and direct a user to the enrollment portal.


After a user signs in with a full Managed Apple ID, the following process occurs:


  1. The device extracts the domain information (the part after the @ symbol) from the Managed Apple ID.
  2. The device sends an HTTP request to the web server hosting the enrollment information and authenticates with the Jamf Pro server.
  3. The device uses that information to redirect the user to the Jamf Pro enrollment portal.


For more information about the service discovery process, see the Discover Authentication Servers documentation from the Apple Developer website.


The contents of the JSON file should look similar to the following:


{
  "Servers": [
    {
      "Version": "mdm-adde",
      "BaseURL": "https://JAMF_PRO_URL.com/servicediscoveryenrollment/v1/deviceenroll"
    }
  ]
}


Save the file with the exact name com.apple.remotemanagement (no file extension).


Upload this file to your domain host at this specific location:

https://YOUR-WEB-SERVER-FQDN-HERE/.well-known/com.apple.remotemanagement


NOTE: The steps to upload your JSON file will differ based on the entity that hosts your domain services.


To verify that the JSON file is hosted correctly, run the following command:


curl -I https://mycompany.com/.well-known/com.apple.remotemanagement


The command should print something similar to the following:


HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Date: Day, 00 Month Year 00:00:00 GMT
Content-Type: application/json
Content-Length: 150
Last-Modified: Day, 00 Month Year 00:00:00 GMT
Connection: keep-alive
ETag: "xxxxxx-xxxxxx"
Accept-Ranges: bytes

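The curl check above only eyeballs the headers. The following script is an added example (not from the original post or from Jamf) that performs the same checks offline, the way an admin would before trying enrollment on a device: it derives the .well-known URL from the domain part of a Managed Apple ID, verifies a captured header block (the 200 status and the application/json content type shown above), and validates the JSON body against the structure in the post. The expected version string and the Jamf Pro BaseURL path are taken from the post; the sample headers, body and the host jamf.example.com are constructed for the example.

```python
"""Offline checks for an Account-Driven Enrollment service discovery document.

Added example, not code from the original post or from Jamf. The version
string and BaseURL path are the values shown in the post; all sample data
below is constructed.
"""
import json
from urllib.parse import urlparse

WELL_KNOWN_PATH = "/.well-known/com.apple.remotemanagement"
EXPECTED_VERSION = "mdm-adde"  # version string used in the post's JSON
JAMF_DISCOVERY_PATH = "/servicediscoveryenrollment/v1/deviceenroll"  # from the post


def discovery_url(managed_apple_id: str) -> str:
    """Return the URL a device derives from the domain part of a Managed Apple ID."""
    if managed_apple_id.count("@") != 1:
        raise ValueError("expected exactly one '@' in the Managed Apple ID")
    domain = managed_apple_id.rsplit("@", 1)[1].strip().lower()
    if not domain:
        raise ValueError("Managed Apple ID has no domain part")
    return f"https://{domain}{WELL_KNOWN_PATH}"


def check_headers(raw_headers: str) -> list[str]:
    """Check a `curl -I` style header block; return a list of problems (empty means OK)."""
    problems = []
    lines = [line.strip() for line in raw_headers.strip().splitlines() if line.strip()]
    status = lines[0].split() if lines else []
    if len(status) < 2 or status[1] != "200":
        problems.append(f"unexpected status line: {lines[0] if lines else '<empty>'}")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    # An extensionless file is easy to serve with the web server's default type,
    # so the content type is worth checking explicitly.
    ctype = headers.get("content-type", "")
    if not ctype.lower().startswith("application/json"):
        problems.append(f"Content-Type is {ctype!r}, expected application/json")
    return problems


def validate_document(body: str) -> str:
    """Validate the JSON body and return the BaseURL; raise ValueError on any defect."""
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"body is not valid JSON: {exc}") from None
    servers = doc.get("Servers") if isinstance(doc, dict) else None
    if not isinstance(servers, list) or not servers:
        raise ValueError('top-level object must contain a non-empty "Servers" array')
    entry = servers[0]
    if not isinstance(entry, dict) or entry.get("Version") != EXPECTED_VERSION:
        raise ValueError(f'first server entry must have "Version": "{EXPECTED_VERSION}"')
    base_url = entry.get("BaseURL", "")
    parsed = urlparse(base_url)
    if parsed.scheme != "https" or not parsed.netloc:
        raise ValueError("BaseURL must be an absolute https:// URL")
    if parsed.path != JAMF_DISCOVERY_PATH:
        raise ValueError(f"BaseURL path should be {JAMF_DISCOVERY_PATH} for Jamf Pro")
    return base_url


# Constructed sample response, modelled on the curl output shown in the post.
SAMPLE_HEADERS = """HTTP/1.1 200 OK
Server: nginx/1.18.0 (Ubuntu)
Content-Type: application/json
Content-Length: 150
Connection: keep-alive
"""

# Constructed body; jamf.example.com is a placeholder host.
SAMPLE_BODY = (
    '{"Servers":[{"Version":"mdm-adde",'
    '"BaseURL":"https://jamf.example.com/servicediscoveryenrollment/v1/deviceenroll"}]}'
)

# Constructed failure case: the file was uploaded but served with a default type.
BAD_HEADERS = """HTTP/1.1 200 OK
Content-Type: application/octet-stream
"""

if __name__ == "__main__":
    print(discovery_url("user@mycompany.com"))
    print(check_headers(SAMPLE_HEADERS) or "headers OK")
    print(check_headers(BAD_HEADERS))
    print(validate_document(SAMPLE_BODY))
```

Paste the real output of `curl -I` into check_headers and the real file contents into validate_document; a non-empty problem list or a ValueError points at the hosting issue before any device is involved.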

Configuring an Azure AD Cloud Identity Provider Connection in Jamf Pro

  1. Log in to Jamf Pro.
  2. In the top-right corner of the page, click Settings.
  3. Click System Settings.
  4. Click Cloud Identity Providers.
  5. Click New.
  6. Choose Azure and click Next. You are redirected to the administrator consent page in Microsoft.
  7. Enter your Microsoft Azure credentials and follow the onscreen instructions to grant the permissions requested by the Jamf Pro Azure AD Connector application.
  8. After the request completes, configure the settings on the Server Configuration tab in Jamf Pro. Consider the following:
    • The display name for the configuration must be unique.
    • The Tenant ID value is pre-populated with information from Microsoft.
    • When single sign-on (SSO) with Azure is configured in Jamf Pro, select Transitive groups for SSO to enforce transitive membership lookups in the user and group directory. This ensures that all Azure groups that a group is a member of are included in a directory lookup, so there is no need to run recursive queries to list the groups a user belongs to. You can configure a specific user mapping in the User Mapping from the SAML Assertion field. This allows you to adjust username mapping during transitive membership requests and match the user identifier from the SAML single sign-on settings in the Azure configuration.
    • Select Transitive membership lookups to enforce membership lookups for directory workflows that include all groups that a user or group is a member of. This is recursive and checks more than only the direct membership.
    • It is recommended to set the Connection Timeout value to 5.
  9. Use the Mappings tab to specify user attribute mappings and group attribute mappings. See the "Default Attribute Mappings for Azure AD as a Cloud Identity Provider" section below for the default mappings reference and use it while troubleshooting the connection.
    Important: To ensure the configuration works as expected, consider the following:
    • The values for the User Id mapping must support the $filter parameter in Azure AD.
    • The value for the Group Id mapping defaults to "id" and cannot be changed.
  10. Click Save.


Configuring Account-Driven User Enrolment Settings

  1. Log in to Jamf Pro.
  2. Click Settings.
  3. Click Global.
  4. Click User-Initiated Enrolment.
  5. Click Edit.
  6. Click iOS.
  7. Under Account-Driven User Enrolment, select the checkbox for personally owned devices.
  8. Click Access.
  9. Click Edit.
  10. Select the checkbox Allow the group to enrol personally owned devices via Account-Driven User Enrolment.
  11. Click Save.

Setting Up Content Distribution to Personally Owned Devices


Personally owned devices do not report a serial number to Jamf Pro; therefore, you must assign App Store apps directly to users (user-based assignment) before distributing them to devices enrolled using Account-Driven User Enrollment or Profile-Driven User Enrollment.


You can distribute content to devices individually or use a mobile device smart group to distribute apps and books to all devices enrolled via Account-Driven User Enrollment or Profile-Driven User Enrollment.


Distributing apps and books to personally owned devices enrolled via User Enrollment involves the following steps in Jamf Pro:

  1. Automatically registering users who have Managed Apple IDs with volume purchasing

    • In Jamf Pro, click Users in the sidebar.
    • Click Smart User Groups in the sidebar.
    • Click New.
    • In the General pane, enter a Display Name, such as Managed Apple IDs.
    • In the Criteria pane, add the following criteria so that the smart group includes all Managed Apple IDs:
      Criteria: Managed Apple ID; Operator: like; Value: yourdomain.com
    • Click Save.
    • In Jamf Pro, click Users in the sidebar.
    • Click Invitations.
    • In the General pane, enter a Display Name, such as Invitation for Managed Apple IDs.
    • Choose "Automatically register only users with Managed Apple IDs and skip invitation" from the Distribution Method pop-up menu.
    • In the Scope pane, add your smart group that contains Managed Apple IDs as a target for the invitation.
    • Click Save.

  2. Creating a volume assignment

    • In Jamf Pro, click Users in the sidebar.
    • Click Volume Assignments in the sidebar.
    • Click New.
    • Use the General payload to configure basic settings for the volume assignment, including the location.
    • Use the Apps and eBooks payloads to select the checkbox for each app and book you want to assign.
    • Click the Scope tab and configure the scope of the assignment.
    • Click Save.

  3. Creating a smart group for personally owned devices

    • In Jamf Pro, click Devices in the sidebar.
    • Click Smart Device Groups in the sidebar.
    • Click New.
    • In the General pane, enter a Display Name, such as Personally Owned Devices.
    • In the Criteria pane, add the criteria: Device Ownership Type; Operator: is; Value: Personal (User Enrolment)
    • Add the criteria: Device Ownership Type; Operator: is; Value: Personal (Account-Driven User Enrolment)
    • Click Save.


Enrolling an iOS or iPadOS Device


    • On your iPad, tap Settings.
    • Tap General.
    • Tap VPN & Device Management.
    • Tap Sign In to Work or School Account.
    • Enter your Managed Apple ID.
    • Tap Continue.
    • The Azure login screen appears; sign in with your Azure ID and password and complete verification.
    • Tap Sign in to iCloud.
    • Follow the on-screen instructions.
    • Tap Allow Remote Management.
    • Enter your device passcode.
    • The iCloud settings for your Managed Apple ID will appear.



System administrators can manage only an organisation’s accounts, settings and information provisioned with MDM, never a user’s personal account. In fact, the same features that keep data secure in organisation-owned Managed Apps also protect a user’s personal content from entering the corporate data stream.


MDM can:

  • Configure accounts
  • Access inventory of Managed Apps
  • Remove managed data only
  • Install and configure apps
  • Require a passcode
  • Enforce certain restrictions
  • Configure Per App VPN

MDM can't:

  • See personal information, usage data or logs
  • Access inventory of personal apps
  • Remove any personal data
  • Take over management of a personal app
  • Require a complex passcode or password
  • Access device location
  • Access unique device identifiers
  • Remotely wipe the entire device
  • Manage Activation Lock
  • Access roaming status
  • Turn on Lost Mode


Resources:


For more information please contact us at https://brilyant.com/contact/
