Configure Automated Device Enrollment

Remotely enroll macOS, iOS, and iPadOS devices in Mobile Device Management (MDM). Automated Device Enrollment lets you automatically enroll devices into JumpCloud MDM during the device out-of-box experience. After devices are enrolled in JumpCloud MDM, IT Admins have management and configuration control over managed devices. With a customized setting, Zero-Touch Automated Device Enrollment Onboarding can also automatically bind the user to the device after authentication.

Summary: You will configure Automated Device Enrollment for your organization. Next, you will add your device to the MDM server. Then, you will sync the device with Apple. Finally, you will configure your end users’ zero-touch experience.

• Step 1 – Configure Automated Device Enrollment for your Organization

• Step 2 – Add Device to the MDM Server

• Step 3 – Sync Device to JumpCloud

• Step 4 – Configure your End Users’ Experience

• Step 5 – Renew Your Automated Device Enrollment Token Annually

Step 1: Configure Automated Device Enrollment for your Organization

1. Log in to the JumpCloud Admin Portal: https://console.jumpcloud.com.

2. Go to DEVICE MANAGEMENT > MDM.

3. On the MDM home page, click get started under Automated Device Enrollment Configuration.

4. In Set Up Apple’s Automated Device Enrollment, click download under Generate a Key. JumpCloud downloads a certificate that contains a key. Apple uses this to encrypt the Automated Device Enrollment token.

5. Under Sign in to Apple, click sign into Apple Business Manager and enter your credentials. If you have an education account, click sign into Apple School Manager.

6. Add your MDM server:

7. Select your profile name, then select Preferences.

8. Select MDM Server Assignment, then click Add MDM Server.

9. Enter a name for your company’s MDM server and leave Allow this MDM Server to release devices selected.

10. Click Choose File.

11. Locate the jumpcloud-dep.pem file downloaded in Step 4, select it, and click Open.

12. Click Save.

13. Download the token by selecting the server and clicking Download Token, then clicking Download Server Token.

14. In the Admin Portal, go to Set Up Apple’s Automated Device Enrollment and under Upload Automated Device Enrollment Token, install the new token by clicking Browse or dragging and dropping the server token for your MDM server. 

15. Click complete setup.

For more information on Apple’s Automated Device Enrollment, see the Getting Started Guide for Apple Business Manager. 

Step 2: Add the Device to the MDM Server

1. Log in to ABM or ASM.

2. Click Devices and select your device. You may want to search for it by serial number.

3. Click Edit MDM Server.

4. Select Assign to the following MDM and choose your MDM server from the list.

5. Click Continue, then click Confirm. 

6. Verify that the device was added to your MDM server.

The sync process between Apple and JumpCloud ensures the device will contact JumpCloud’s MDM server on first boot to enroll in MDM.

Step 3: Sync the Device to JumpCloud

Tip: Perform these steps every time you add new devices in ABM or ASM.

1. Log in to the JumpCloud Admin Portal: https://console.jumpcloud.com.

2. Go to DEVICE MANAGEMENT > MDM.

3. On the MDM home tab, click sync with Apple under Automated Device Enrollment Devices to ensure that your list of JumpCloud Automated Device Enrollment devices matches what is in ABM or ASM.

From here, you can configure your end users’ experience on company-owned Apple devices from day 1. 

Step 4: Configure your End Users’ Experience

Configure your macOS users’ zero-touch experience

1. Log in to the JumpCloud Admin Portal: https://console.jumpcloud.com.

2. Go to DEVICE MANAGEMENT > MDM.

3. Under Automated Device Enrollment Configuration in the MDM Home tab, click configure macOS to configure your zero-touch experience.

4. Select the JumpCloud device group to automatically bind to this device. Default device groups can use a policy to ensure that all devices enrolling in Automated Device Enrollment get the security and compliance levels applied immediately during enrollment.

   • None – This device won’t be bound to a device group.

   • An existing group – Select a macOS group that you already created.

   • New group – Click Create New Group to add a new device group and then return here to bind it to the device.

Tip: Verify that you’ve included all the policies you want for the device group. Do not include the JumpCloud MDM Enrollment policy, as this is already implemented during automated enrollment.

5. Customize the Welcome screen title, description, button name, and logo that your users see:

   • Screen Title – Update the title of the Welcome screen.

   • Description – Add critical information to the Welcome screen.

   • Button – Type a new name for the button. The default is continue.

   • Logo – Add your logo to the Welcome screen by going to Settings, selecting Organization Profile, and uploading it.

6. Select the screens that you do not want your users to see during account configuration. Controlling what users see can help you troubleshoot any onboarding issues:

   • Select all – None of these screens show during account configuration.

   • Select a screen – Select a specific screen to exclude it during account configuration.

7. Select Enable to turn on User authentication, which requires users to authenticate during Automated Device Enrollment. A successful macOS authentication automatically binds the user’s JumpCloud account to the device with Sudo Admin permissions. If users aren’t prompted to authenticate when they power up their devices, you didn’t enable user authentication here.

Tip: After the macOS user authenticates, you can change the user’s permissions to remove Sudo Admin permissions.

8. Click save.

9. You can require users to change a password when authenticating during Automated Device Enrollment:

   1. Go to USER MANAGEMENT > Users.

   2. Select the checkbox for one user or select all users, then click more actions.

   3. Choose Force Password Change. The user must reset the password when authenticating during Automated Device Enrollment.

   4. Click force change. 

10. After the user authenticates, verify that the user was automatically bound to the macOS device and has Sudo permissions:

    1. Go to DEVICE MANAGEMENT > Devices.

    2. Select the device and select the Users tab.

    3. Verify that the correct user appears as an Admin with Sudo permissions on the device. Each macOS device requires at least one admin account per device as part of MDM enrollment. 

If an unsupported macOS device is assigned to the JumpCloud MDM server in ABM, it will attempt to install the agent, which will generate an error and cause the device to hang at the install screen. The device will need to have the JumpCloud MDM server unassigned in ABM. This can be done by removing the JumpCloud MDM server from the Default Device Assignment under Device Management Settings or by changing the Device Management settings for the individual device.

Configure your iOS users’ zero-touch experience

1. Log in to the JumpCloud Admin Portal: https://console.jumpcloud.com.

2. Go to DEVICE MANAGEMENT > MDM.

3. Under Automated Device Enrollment Configuration in the MDM home tab, click configure iOS and iPadOS to configure your zero-touch experience.

4. Select a JumpCloud iOS device group to automatically bind to this device. Default device groups can use a policy to ensure that all devices enrolling in Automated Device Enrollment get the security and compliance levels applied immediately during enrollment.

   • None – This device won’t be assigned to a device group.

   • An existing group – Select an iOS device group that you already created.

   • New group – Click Create New Group to add a new group and then return here to bind the group to the device.

Tip: Verify that you’ve included all the policies you want for the device group. Do not include the JumpCloud MDM Enrollment policy, as this is already implemented during automated enrollment.

5. Customize the Welcome screen title, description, and button name that your users see:

   1. Screen Title – Update the title of the Welcome screen.

   2. Description – Add critical information to the Welcome screen.

   3. Button – Type a new name for the button. The default is continue.

   4. Logo – Add your logo to the Welcome screen by going to Settings, selecting Organization Profile, and uploading your logo.

6. Select the screens that you do not want your iOS users to see during device configuration. Controlling what users see can help you troubleshoot any issues:

   1. Select all – None of these screens show during device configuration.

   2. Select a screen – Select the screens to exclude during configuration.

7. Select Enable to turn on User authentication, which requires users to authenticate during Automated Device Enrollment. A successful iOS authentication automatically assigns the JumpCloud user to the device. If users aren’t prompted to authenticate when they power up their devices, you did not enable user authentication here.

8. Click save.

9. To increase device security, you can require users to change their password when authenticating during Automated Device Enrollment:

   1. Go to USER MANAGEMENT > Users.

   2. Select the checkbox for one user or select all users, then click more actions.

   3. Choose Force Password Change. The user must reset the password when authenticating during Automated Device Enrollment.

   4. Click force change. 

10. After the user authenticates, verify that the user is assigned to the device and that the device appears in the Devices list.

    1. Go to DEVICE MANAGEMENT > Devices.

    2. Select Devices, select the device, then select Users.

Step 5: Renew Your Automated Device Enrollment Token Annually

You need to renew Apple’s Automated Device Enrollment server token every year to continue enrolling new devices with Automated Device Enrollment. Your token expiration date is visible in the MDM home page under Automated Device Enrollment Configuration.

1. Log in to the JumpCloud Admin Portal: https://console.jumpcloud.com.

2. Go to DEVICE MANAGEMENT > MDM.

3. On the MDM home tab, click renew under Automated Device Enrollment Configuration.

4. Under Sign in to Apple, click sign into Apple Business Manager, then enter your credentials. (If you have an education account, click sign into Apple School Manager.)

5. In ABM or ASM, select your profile name and choose Preferences.

6. Under Your MDM Servers, select your MDM server. 

7. Click Download Token, then click Download Server Token.

8. In the JumpCloud Admin Portal, return to the Renew Apple’s Automated Device Enrollment page.

9. Under Upload Automated Device Enrollment Token, click Browse or drag and drop the new Automated Device Enrollment token for your MDM server.

10. Click complete. A message on the MDM home tab indicates that your Automated Device Enrollment configuration was renewed.