Automated Device Enrollment (ADE) lets you configure devices so that they are automatically enrolled in Mobile Device Management (MDM) and supervised over the air during setup.
Requirements
- Apple Business Manager
- An automated device enrollment token configured in your Addigy
Once you have completed the token exchange to enable communication between your Addigy policy and Apple Business Manager, you can configure the behavior of the computer after it activates and have it automatically enroll into Addigy. Some settings depend on other settings and do not become available until the prerequisite setting is configured. For instance, “Configure User Accounts” requires “Supervised Mode” and “Await Device Configured.”
Settings
Mandatory during device setup
The user is not allowed to skip the enrollment process
Supervised mode
Allows greater management flexibility, especially for iOS and iPadOS. Also required for some of the other options available. More information on supervision can be found here.
Enable activation lock
Requires supervised mode. This will enable activation lock on the device and escrow the code as the MDM Bypass code on GoLive>Security.
Await device configured
Requires supervised mode. If toggled on, the device awaits a command from the MDM confirming the device is configured.
Configure user accounts
Requires await device configured to be toggled on. Allows you to define account creation settings.
Skip setup for primary accounts
Suppresses the macOS account creation screen normally encountered during Setup Assistant. Toggle this on when you are deploying Addigy Identity during ADE so that Addigy Identity can take over. This is also useful when the only account you want created is the ADE-created local admin (see Add User below).
Create primary accounts as regular (non-admin) users
If toggled off, the macOS account the end user is prompted to create will be an admin user. If toggled on, the account will be a standard user.
Disable modification of primary account, Full name for primary account, and Account name for primary account fields
Use these fields to pre-populate account information. This is NOT the ADE-created admin account. Generally not recommended except for specific situations, such as shared computers with the same username on all devices (like a lab). Leaving disable modification of primary account toggled off will allow the end user to change this information during Setup Assistant. Toggling disable modification of primary account to on will not allow the user to change the pre-populated information.
Add User, Short Name, Full Name, Password and Confirm Password fields
This is used to automatically create an admin user during Setup Assistant, referred to above as the ADE-created admin. This is required if you also want to enable skip setup for primary accounts as referenced above.
Note: If FileVault is enabled, this user account will not be granted a Secure Token until the first time it logs in or is granted a Secure Token by an already enabled user account.
Hidden User
When toggled on, this will hide the ADE-created admin user.
Allow user to remove Automated Device Enrollment profile
If enabled, the user can remove the MDM Enrollment profile, which will unenroll the device from Addigy. If disabled, the MDM Profile will be locked to the device without the ability to remove it, except via the Devices Page. If disabled, this will also enable Supervised mode.
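The dependencies stated in the settings above can be checked before a configuration is applied. The following is an added example, not Addigy's or Apple's code: the setting names are hypothetical labels derived from this page's wording, and only the prerequisites the page states explicitly are encoded.

```python
# Hypothetical setting names; each entry is a prerequisite stated on this page.
REQUIRES = {
    "activation_lock": ["supervised"],
    "await_device_configured": ["supervised"],
    "configure_user_accounts": ["await_device_configured"],
    "skip_primary_account_setup": ["add_user"],
}

def normalize(config):
    """Return a copy with the implied setting from the page applied."""
    cfg = dict(config)
    # Disabling profile removal also enables Supervised mode.
    if cfg.get("allow_profile_removal") is False:
        cfg["supervised"] = True
    return cfg

def prerequisites(setting, seen=None):
    """All settings that must be on before `setting`, deepest first."""
    seen = [] if seen is None else seen
    for dep in REQUIRES.get(setting, []):
        prerequisites(dep, seen)
        if dep not in seen:
            seen.append(dep)
    return seen

def validate(config):
    """Return (setting, missing_prerequisite) pairs for enabled settings."""
    cfg = normalize(config)
    problems = []
    for setting in sorted(cfg):
        if cfg[setting] and setting in REQUIRES:
            for dep in prerequisites(setting):
                if not cfg.get(dep, False):
                    problems.append((setting, dep))
    return problems

# Constructed sample: account settings enabled on an unsupervised device.
SAMPLE = {
    "supervised": False,
    "await_device_configured": True,
    "configure_user_accounts": True,
    "skip_primary_account_setup": True,
    "allow_profile_removal": True,
}

if __name__ == "__main__":
    for setting, dep in validate(SAMPLE):
        print(f"{setting}: requires {dep}")
```

Because prerequisites are resolved transitively, "Configure user accounts" is reported against "Supervised mode" even though its direct prerequisite is "Await device configured".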