Chris Schasse

Setting Up Account-Driven Enrollment in Jamf Pro - A Comprehensive Guide

Introduction

Account-driven enrollment is a newer way to enroll Apple devices into Jamf Pro. Instead of the device being pre-registered in Apple Business Manager (ABM) or Apple School Manager (ASM), the user signs in with a Managed Apple ID and the device discovers your MDM server from the account's domain. This lets IT enroll Macs, iPhones, and iPads that were never added to ABM or ASM, which is particularly useful for BYOD (Bring Your Own Device) programs where the organization manages the device without owning it.


This article will cover the necessary prerequisites, detailed setup steps, and troubleshooting tips for account-driven enrollment in Jamf Pro, providing IT teams with a practical guide to streamline device onboarding and management.


Prerequisites for Account-Driven Enrollment

Before starting, ensure that you have the following items prepared and configured. Some steps may require collaboration with other departments or teams, as the setup involves domain verification and web server configurations.


  1. Apple Business Manager (ABM) or Apple School Manager (ASM) Account: This account is essential as it enables the management of devices and user accounts. If your organization does not yet have this, you’ll need to go through the ABM or ASM setup process, which may take some time due to verification procedures with Apple.

  2. Admin Access to Jamf Pro: You’ll need administrative rights in Jamf Pro to adjust the necessary enrollment settings.

  3. Domain Verification: The domain used for your Managed Apple IDs must be verified in ABM or ASM. This involves adding a DNS TXT record to the domain to prove ownership.

  4. Well-Known URL Setup: During enrollment the device itself (not Apple's servers) fetches a service discovery file from your domain at https://<your domain>/.well-known/com.apple.remotemanagement, which tells it where your Jamf Pro server is. You'll need the ability to publish a file at that exact path on a web server for the domain, served over HTTPS with a publicly trusted certificate. Treat that file as a trust anchor: anyone who can modify it can redirect enrollments for your domain to a server of their choosing, so restrict write access to it and to the web root it lives in.


Step-by-Step Guide to Setting Up Account-Driven Enrollment


Step 1: Verifying Your Domain in Apple Business Manager (ABM)


  1. Login to ABM: Go to the Apple Business Manager portal and log in with administrative credentials.

  2. Navigate to Preferences: Click on Preferences under your account name, then select Managed Apple IDs. Here, you’ll see an option to add a domain.

  3. Add Your Domain: Enter your organization’s domain (e.g., example.com) and click Verify. Apple will provide a TXT record that you need to add to your domain’s DNS settings.

  4. Access DNS Settings: Log into your domain registrar’s account (e.g., GoDaddy, BlueHost) and go to DNS settings. Add the TXT record Apple provided to the DNS records.

  5. Verify the Domain: After adding the TXT record, return to ABM and click Verify. DNS propagation can take up to 24–48 hours, so verification may not succeed immediately.


Note: If verification fails, query the TXT record directly against your domain's authoritative name servers and a public resolver (or use an online DNS checker) to confirm the record is actually published before retrying in ABM.
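As an added example (not part of the original article), the script below asks several public resolvers for the domain's TXT records directly, so you can see where the ABM verification record has and has not propagated. It assumes `dig` is installed; the domain, the verification token, and the sample `dig` output are placeholders and constructed data, not real records.

```python
"""Confirm the ABM/ASM domain-verification TXT record is visible to the world.

Added example (not part of the original article). It shells out to `dig`,
which is assumed to be installed; the domain and token values are placeholders.
"""
import shlex
import subprocess

# Public resolvers to compare; the record has propagated when all of them return it.
PUBLIC_RESOLVERS = ("1.1.1.1", "8.8.8.8", "9.9.9.9")

# Constructed sample of `dig +short TXT example.com` output. dig prints each
# record as double-quoted strings and splits records longer than 255 bytes into
# several quoted chunks on one line, which is why the parser re-joins them.
SAMPLE_DIG_OUTPUT = (
    '"v=spf1 include:_spf.example.com -all"\n'
    '"apple-domain-verification=" "Abc123Def456"\n'
)


def parse_dig_txt(output: str) -> list[str]:
    """Turn `dig +short TXT` output into one plain string per TXT record."""
    records = []
    for line in output.splitlines():
        line = line.strip()
        if line.startswith('"'):  # skip blank lines and any non-TXT noise
            records.append("".join(shlex.split(line)))
    return records


def lookup_txt(domain: str, resolver: str) -> list[str]:
    """Query one resolver directly, bypassing the local stub resolver's cache."""
    cmd = ["dig", "+short", "+time=3", "+tries=1", "TXT", domain, "@" + resolver]
    result = subprocess.run(cmd, capture_output=True, text=True, check=False)
    return parse_dig_txt(result.stdout)


def record_present(records: list[str], expected: str) -> bool:
    """Exact match on purpose: a stray space or missing '=' is a common typo."""
    return expected in records


def check_propagation(domain: str, expected: str, resolvers=PUBLIC_RESOLVERS) -> dict[str, bool]:
    """Map each resolver to whether it already serves the expected record."""
    return {r: record_present(lookup_txt(domain, r), expected) for r in resolvers}


if __name__ == "__main__":
    # Placeholder domain and token; paste the value ABM gave you.
    status = check_propagation("example.com", "apple-domain-verification=Abc123Def456")
    for resolver, ok in status.items():
        print(f"{resolver}: {'found' if ok else 'missing'}")
```

When every resolver reports the record, click Verify in ABM. To see the record at its source before public resolvers pick it up, pass your DNS host's authoritative name server as one of the resolvers.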


Step 2: Creating Managed Apple IDs

Users authenticate account-driven enrollment with a Managed Apple ID (or, if your domain is federated to an identity provider, with their federated credentials). To create a test account manually:


  1. Add New User: In the ABM portal under Users, choose Add User.

  2. Enter User Details: Provide the user's name, email address, and role (e.g., Staff). ABM creates a Managed Apple ID on your verified domain (e.g., user@example.com).

  3. Set Temporary Password: ABM generates a temporary password, which the user replaces at first sign-in.

  4. Record the Test Account's Credentials: Save the test account's Managed Apple ID and temporary password; you'll need them when you test enrollment. For real users, deliver the temporary password through a secure channel rather than keeping a shared list of credentials.


Step 3: Configuring the Well-Known URL

The well-known URL is how an enrolling device finds Jamf Pro: it takes the domain of the Managed Apple ID, fetches https://<domain>/.well-known/com.apple.remotemanagement over HTTPS (appending a user-identifier query parameter carrying the account name), and reads your MDM server's enrollment URL from the JSON it gets back. Here's a breakdown of how to set it up:


  1. Create the JSON File: The file published at that path must contain your Jamf Pro enrollment URL. Here's an example of the JSON structure:


{
  "Servers": [
    {
      "Version": "mdm-adde",
      "BaseURL": "https://JAMF_PRO_URL.com/servicediscoveryenrollment/v1/deviceenroll"
    }
  ]
}

  • Version: This identifies the enrollment type and can be one of two values

    • mdm-adde: Account-Driven Device Enrollment for institutional (organization-owned) devices

    • mdm-byod: Account-Driven User Enrollment for personal (BYOD) devices

  • BaseURL: Your Jamf Pro server URL followed by the enrollment endpoint for that Version: /servicediscoveryenrollment/v1/deviceenroll for mdm-adde, or /servicediscoveryenrollment/v1/userenroll for mdm-byod. The Servers array can list one entry of each type if you want to support both. Every BaseURL must use https.


  2. Upload the File to the Well-Known Folder: Log into your hosting provider's file manager (e.g., cPanel or FTP) and navigate to the site's document root (often public_html). Inside, create a .well-known folder if it doesn't exist and place the file there with the exact name com.apple.remotemanagement (no .json extension), so that it is reachable at https://<domain>/.well-known/com.apple.remotemanagement.

  3. Configure Content-Type as JSON: Because the file has no extension, the web server will not know its type on its own, and the device rejects anything not served as application/json. On an Apache server, add the following to the .htaccess file in the .well-known folder (or the document root); this requires that AllowOverride permits FileInfo directives:

<Files "com.apple.remotemanagement">
    ForceType application/json
</Files>
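The script below is an added example, not code from the article, from Apple, or from Jamf. It generates the service discovery file for one or both enrollment types, pairing each Version with the Jamf Pro endpoint described above, and then checks a served copy the way an enrolling device would: HTTP 200 over HTTPS with a trusted certificate, Content-Type application/json, a non-empty Servers array, and an https BaseURL ending in the right endpoint. It doubles as the check the troubleshooting section later asks for. The host names and the test account are placeholders.

```python
"""Build and check the service discovery file for Jamf Pro account-driven enrollment.

Added example; not code from the article, Apple, or Jamf. The endpoint paths are
the ones Jamf documents for each enrollment type; host names are placeholders.
"""
import json
from urllib.error import HTTPError, URLError
from urllib.parse import quote, urlsplit
from urllib.request import Request, urlopen

WELL_KNOWN_PATH = "/.well-known/com.apple.remotemanagement"

# "Version" value in the file -> Jamf Pro enrollment endpoint it must point at
JAMF_ENDPOINTS = {
    "mdm-byod": "/servicediscoveryenrollment/v1/userenroll",    # Account-Driven User Enrollment
    "mdm-adde": "/servicediscoveryenrollment/v1/deviceenroll",  # Account-Driven Device Enrollment
}


def jamf_base(jamf_pro_url: str) -> str:
    """Normalise the Jamf Pro URL: https only, no query/fragment, no trailing slash."""
    parts = urlsplit(jamf_pro_url)
    if parts.scheme != "https" or not parts.netloc or parts.query or parts.fragment:
        raise ValueError(f"Jamf Pro URL must be a plain https:// URL: {jamf_pro_url!r}")
    return f"https://{parts.netloc}{parts.path.rstrip('/')}"


def build_service_discovery(jamf_pro_url: str, versions) -> dict:
    """Return the JSON document for the requested enrollment types, in order."""
    base = jamf_base(jamf_pro_url)
    servers = []
    for version in versions:
        if version not in JAMF_ENDPOINTS:
            raise ValueError(f"unknown enrollment type {version!r}; use mdm-byod or mdm-adde")
        servers.append({"Version": version, "BaseURL": base + JAMF_ENDPOINTS[version]})
    return {"Servers": servers}


def render_service_discovery(jamf_pro_url: str, versions) -> str:
    """The exact text to publish at /.well-known/com.apple.remotemanagement."""
    return json.dumps(build_service_discovery(jamf_pro_url, versions), indent=2) + "\n"


def check_response(status: int, content_type, body: str) -> list[str]:
    """Apply the checks an enrolling device applies; an empty list means it passes."""
    problems = []
    if status != 200:
        problems.append(f"HTTP status {status}, expected 200")
    media_type = (content_type or "").split(";")[0].strip().lower()
    if media_type != "application/json":
        problems.append(f"Content-Type {content_type!r}, expected application/json")
    try:
        doc = json.loads(body)
    except ValueError as exc:
        problems.append(f"body is not valid JSON: {exc}")
        return problems
    servers = doc.get("Servers") if isinstance(doc, dict) else None
    if not isinstance(servers, list) or not servers:
        problems.append('missing or empty "Servers" array')
        return problems
    for i, entry in enumerate(servers):
        version = entry.get("Version") if isinstance(entry, dict) else None
        base_url = entry.get("BaseURL") if isinstance(entry, dict) else None
        if version not in JAMF_ENDPOINTS:
            problems.append(f"Servers[{i}]: Version {version!r} is not mdm-byod or mdm-adde")
        if not isinstance(base_url, str) or not base_url.startswith("https://"):
            problems.append(f"Servers[{i}]: BaseURL must be an https:// URL, got {base_url!r}")
        elif version in JAMF_ENDPOINTS and not base_url.endswith(JAMF_ENDPOINTS[version]):
            problems.append(f"Servers[{i}]: BaseURL does not end with the {version} endpoint {JAMF_ENDPOINTS[version]}")
    return problems


def fetch_and_check(domain: str, user_identifier: str) -> list[str]:
    """Fetch the live file as a device does: HTTPS GET with user-identifier.
    urlopen validates the certificate chain, so a self-signed or mismatched
    certificate fails here just as it would on the device."""
    url = f"https://{domain}{WELL_KNOWN_PATH}?user-identifier={quote(user_identifier)}"
    try:
        with urlopen(Request(url), timeout=10) as resp:
            return check_response(resp.status, resp.headers.get("Content-Type"),
                                  resp.read().decode("utf-8", "replace"))
    except HTTPError as exc:
        return [f"HTTP status {exc.code} fetching {url}"]
    except URLError as exc:
        return [f"could not fetch {url}: {exc.reason}"]


if __name__ == "__main__":
    # Placeholders: print the file for both enrollment types, then check a live copy.
    print(render_service_discovery("https://jamf.example.com", ["mdm-byod", "mdm-adde"]))
    for problem in fetch_and_check("example.com", "user@example.com"):
        print("PROBLEM:", problem)
```

Write the rendered output to `.well-known/com.apple.remotemanagement`, then run `fetch_and_check` against the public host name; an empty problem list means the file is reachable, typed, and shaped the way the device expects. Keeping the check separate from the fetch lets you run the same validation against a copy pulled with any other tool.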

Step 4: Enabling Account-Driven Enrollment in Jamf Pro

Once your domain and well-known URL are verified, you’ll need to enable the enrollment options in Jamf Pro:


  1. Log into Jamf Pro: Use your admin credentials to access Jamf Pro.

  2. Go to Settings > User-Initiated Enrollment: Navigate to User-Initiated Enrollment under Settings and choose Edit.

  3. Enable Enrollment Options:

    1. Enable Account-Driven User Enrollment if you plan to allow user-owned (BYOD) devices (the mdm-byod entry in your well-known file).

    2. Enable Account-Driven Device Enrollment for devices fully managed by your organization (the mdm-adde entry).

    3. If you use a directory service or federated authentication for your Managed Apple IDs, enable the options that allow those directory accounts to enroll.

  4. Save Your Settings: Once you’ve configured these options, save the settings to activate account-driven enrollment.


Testing Account-Driven Enrollment

Testing your setup is essential to ensure devices can be enrolled correctly. Here’s how to test the enrollment process:


  1. On the Test Device:

    1. Open the device management area of Settings: Settings > General > VPN & Device Management on iOS and iPadOS, or System Settings > General > Device Management on macOS.

    2. Select the prompt to sign in with an Apple Business or School Manager account (Sign In to Work or School Account).

      1. Note: You will only see this prompt if the device is not currently enrolled in MDM.

  2. Sign in with the Managed Apple ID: Use the Managed Apple ID you set up earlier. The device fetches your well-known file and, if it is valid, starts enrollment against the BaseURL it finds there.

  3. Verify the Enrollment:

    1. If successful, the device should connect to Jamf Pro and appear in inventory as managed.

    2. If you encounter an error, confirm that the well-known file is reachable at the exact path, returns HTTP 200 over HTTPS with a trusted certificate, is served as application/json, and contains the correct Jamf Pro URL for the enrollment type you enabled.


Common Troubleshooting Issues

  • DNS Not Propagating: If Apple cannot verify your domain, query the TXT record against a public resolver (or use a DNS checker) to confirm it has propagated; a record added at the wrong name or with a typo in the value is the usual cause.

  • Well-Known URL Not Recognized: Ensure the file is reachable from a web browser at https://<domain>/.well-known/com.apple.remotemanagement and is served as application/json with a valid HTTPS certificate. If the browser shows it as plain text or offers it as a download, check the .htaccess configuration; if it returns 404, check the file name (no extension) and that the web server is not blocking access to the .well-known directory.

  • Login Issues: If the device displays a “Your Apple ID does not support the expected services” error, recheck the well-known URL configuration or JSON file.


Benefits of Account-Driven Enrollment

By configuring account-driven enrollment, you gain several advantages:


  • Streamlined Device Onboarding: Enrollment is simplified, especially for user-owned devices, eliminating the need for IT teams to manually add devices to Apple Business Manager.

  • Enhanced BYOD Support: Account-Driven User Enrollment gives the organization limited management of a personal device: work data lives in a separate managed volume, and the MDM cannot see personal data, collect the device's serial number, or wipe the whole device.

  • Improved Security and Compliance: Devices can be remotely managed, ensuring they meet organization-wide security policies even if they aren’t corporate-owned.


Conclusion

Account-driven enrollment in Jamf Pro is a powerful tool for IT teams managing Apple devices in complex environments. This setup provides the flexibility needed to handle a mix of organization-owned and BYOD devices, making it easier to meet security and compliance standards without requiring each device to be registered in Apple Business Manager. By following this guide, administrators can implement account-driven enrollment effectively, simplifying device onboarding and ensuring a secure, well-managed Apple ecosystem.


As more organizations adopt this enrollment method, Jamf Pro continues to enhance IT administrators' ability to control and manage Apple devices seamlessly.
