Account Driven Enrollment is built for BYOD (Bring your own device) scenarios where end users enroll their devices into Addigy.
Account Driven User Enrollment lets the end user sign in directly from the System Settings application on the device with their Managed Apple Account. The company can then push a limited set of MDM profiles to the device while keeping corporate data fully separated from the end user's personal data. When the user unenrolls the device, all corporate data is removed and only the user's personal data remains. Users can also have peace of mind knowing that their company has no access to their personal information.
There are two types of Account Driven Enrollment: User Enrollment and Device Enrollment.
User Enrollment is traditional BYOD - the company has no information about the device, and they are limited in what can be deployed. More information from Apple here.
Device Enrollment grants a little more privilege to the corporate entity, but still preserves the end users' data and information. More information from Apple here.
For more information on User Privacy and Account Driven Enrollment, Apple provides this document detailing how personal data and corporate data are separated.
Requirements
Account Driven Enrollment requires Apple Business Manager or Apple School Manager and Managed Apple Accounts.
Account Driven User Enrollment:
- iOS 15+
- iPadOS 15+
- macOS 14+
Account Driven Device Enrollment:
- iOS 17+
- iPadOS 17+
- macOS 14+
Configuring Account Driven Enrollment
To configure this, navigate to Add Devices > Choose a policy > Account Driven Enrollment.
Select 'Edit Settings' to bring up the following window.
Here, you will need to choose the type of Account Driven Enrollment: User or Device. Only one type can be supported per domain. Enter the Domain information used for the Managed Apple Accounts. More information on this process can be found here.
Note: Account Driven Enrollment can only be set up ONCE per AxM instance (Apple Business/School Manager) domain. Once set up in AxM, it can only be attached to one policy in Addigy. It can be moved in Addigy later, but the same configuration can not exist in two policies.
Once the domain information has been entered, select Enable Account Driven Enrollment. Next, you must determine whether you want to enroll devices by configuring the JSON or by leveraging the fallback option.
Recommended: Configuring the Fallback for Enrollment
For devices on iOS/iPadOS 18.2+ and macOS 15.2+, you can select one or more ADE tokens to use as a fallback for Account Driven Enrollment. If a JSON file is hosted at the domain, devices will use that instead; you do not need to host the JSON file to use the fallback. Use this option only if all the devices you are enrolling meet these OS requirements.
To configure this:
- Define the ADE token (aka MDM server) that is attached to the policy that devices are enrolling in.
Note: The ADE token must be directly assigned to the policy where you are configuring this. Enrollment will fail if the ADE token is in a child, parent, or completely separate policy.
- Log in to Apple Business Manager/Apple School Manager.
- Navigate to Preferences > Management Assignment > Default Assignments. For more information, see this guide.
- Select the MDM server that is attached to your Account Driven Enrollment policy in Addigy.
Once this is set up, devices will be able to enroll without needing to set up JSON file on the domain.
Configuring the JSON for Enrollment
Note: The JSON method should only be needed if you must enroll devices that do not support iOS/iPadOS 18.2 or macOS 15.2. If your devices meet those OS versions, use the fallback method, which is much easier to configure. If you plan to use the fallback, you do not need to configure or host this JSON.
Addigy will generate a JSON file with the policy information and enrollment type. This JSON file must be served over HTTPS from the Managed Apple Account domain at the following well-known address: https://insert-your-domain.com/.well-known/com.apple.remotemanagement.
The JSON provided out of the box almost always requires additional configuration. The device appends query parameters to its request for this file, and those parameters must be passed through to the BaseURL so that Addigy can obtain the details it needs to complete the enrollment; each hosting provider has its own way to do this. This is an example of what to use if you are leveraging Cloudflare Workers:
export default {
  async fetch(request) {
    // The device requests /.well-known/com.apple.remotemanagement with query
    // parameters appended; keep them so they can be forwarded to Addigy.
    const url = new URL(request.url);
    const searchParams = url.searchParams;
    const data = {
      Servers: [
        {
          // "mdm-byod" is the Version for Account Driven User Enrollment;
          // use "mdm-adde" for Account Driven Device Enrollment.
          Version: "mdm-byod",
          // Forward the device's query string onto Addigy's enrollment URL.
          BaseURL: `https://mdm-prod.addigy.com/mdm/enrollment/servicediscovery/(redacted)/userenroll?${searchParams.toString()}`,
        }
      ]
    };
    // Response.json sets Content-Type: application/json, which the device expects.
    return Response.json(data);
  },
};
If you are unsure how to configure this, it may be best to contact your provider for insight on what is required. Alternatively, if your devices support the fallback method, leverage that for enrollment.
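The following is an added example, not Addigy's or Apple's code. It restates the Worker's logic in a framework-free form (plain objects instead of Request/Response so it runs under Node without a Worker runtime) and adds a checker that flags the problems that produce enrollment failures: a missing or wrong Version string, a non-HTTPS BaseURL, a wrong content type, and the case this article warns about, query parameters that the device sent but that were not forwarded to the BaseURL. The enrollment endpoint ID, the hostname mdm.example.com, the function names, and the sample parameter values are assumptions for the example; the user-identifier parameter name is the one the device appends to its service discovery request.

```javascript
// Added example (not Addigy's or Apple's code). Mirrors the Cloudflare Worker
// above without the Worker runtime, plus a checker for the generated response.

// Version strings for the two enrollment types (from the article's examples).
const VERSIONS = { user: "mdm-byod", device: "mdm-adde" };

// Hypothetical enrollment endpoint; the real one comes from Addigy's generated JSON.
const ENROLL_BASE =
  "https://mdm-prod.addigy.com/mdm/enrollment/servicediscovery/EXAMPLE-ID/userenroll";

const WELL_KNOWN_PATH = "/.well-known/com.apple.remotemanagement";

// Build the service discovery response for a request URL. The device's query
// string is copied onto BaseURL, which is the step the default JSON lacks.
function handleDiscovery(requestUrl, enrollmentType = "user") {
  const url = new URL(requestUrl);
  if (url.pathname !== WELL_KNOWN_PATH) {
    return { status: 404, headers: { "content-type": "text/plain" }, body: "not found" };
  }
  const qs = url.searchParams.toString();
  const payload = {
    Servers: [
      { Version: VERSIONS[enrollmentType], BaseURL: qs ? `${ENROLL_BASE}?${qs}` : ENROLL_BASE },
    ],
  };
  return {
    status: 200,
    headers: { "content-type": "application/json" },
    body: JSON.stringify(payload),
  };
}

// Return a list of problems with a discovery response; empty means acceptable.
// sentParams: the query parameters the device put on its request.
// expectedVersion: "mdm-byod" or "mdm-adde", matching the policy's enrollment type.
function checkDiscovery(contentType, bodyText, sentParams, expectedVersion) {
  const problems = [];
  if (!/^application\/json/i.test(contentType || "")) {
    problems.push("content-type is not application/json");
  }
  let body;
  try {
    body = JSON.parse(bodyText);
  } catch {
    return [...problems, "body is not valid JSON"];
  }
  if (!Array.isArray(body.Servers) || body.Servers.length === 0) {
    return [...problems, "Servers array missing or empty"];
  }
  for (const server of body.Servers) {
    if (server.Version !== expectedVersion) {
      problems.push(`Version ${server.Version} does not match ${expectedVersion}`);
    }
    let base;
    try {
      base = new URL(server.BaseURL);
    } catch {
      problems.push("BaseURL is not a valid URL");
      continue;
    }
    if (base.protocol !== "https:") problems.push("BaseURL is not https");
    // Every parameter the device sent must reach the MDM unchanged.
    for (const [key, value] of Object.entries(sentParams)) {
      if (base.searchParams.get(key) !== value) {
        problems.push(`query parameter ${key} not forwarded to BaseURL`);
      }
    }
  }
  return problems;
}

// Constructed sample device request: the values are made up for this example.
const SAMPLE_PARAMS = { "user-identifier": "jane@example.com", "model-family": "iPhone" };

// Run the handler against the sample request and check its response.
function demo() {
  const requestUrl =
    "https://mdm.example.com" + WELL_KNOWN_PATH + "?" + new URLSearchParams(SAMPLE_PARAMS);
  const res = handleDiscovery(requestUrl, "user");
  return checkDiscovery(res.headers["content-type"], res.body, SAMPLE_PARAMS, VERSIONS.user);
}

// The default JSON with no query forwarding, for comparison.
function demoDefaultJson() {
  const body = JSON.stringify({ Servers: [{ Version: VERSIONS.user, BaseURL: ENROLL_BASE }] });
  return checkDiscovery("application/json", body, SAMPLE_PARAMS, VERSIONS.user);
}
```

To check a live deployment, request the well-known URL with the same query parameters a device would append and pass the response's Content-Type and body to checkDiscovery; a non-empty problem list maps directly onto the "Error getting account driven enrollment configuration" case in the Common Issues section.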
Configuring the End User Experience
The end-user experience can be configured to provide a more personalized enrollment. This will be displayed to end users when they enroll their device from the settings app. You can configure this in the Optional Settings section.
Management Capabilities
Devices appear in Addigy with the enrollment type of BYOD or ADDE, depending on whether they were enrolled with Account Driven User Enrollment (BYOD) or Account Driven Device Enrollment (ADDE). Each enrollment type supports different payloads. The device will install any MDM profile payload that is eligible for the enrollment type.
Note: Apple Apps (Apps & Books) deployment is only available on devices enrolled via ADDE. On macOS, the Addigy Agent will install on devices enrolled via ADDE.
All devices will install eligible payloads from the policy they are currently in. Unsupported payloads will report that they are unsupported within the Deployment Status of the policy.
Account Driven User Enrollment
Devices enrolled through Account Driven User Enrollment have the BYOD enrollment type and will have limited GoLive tabs based on what is supported on that device. Profiles can be installed via GoLive, and events will be recorded as usual.
If you would like to see if a device is enrolled through this method, you can reference this device fact via the Devices page or GoLive.
For details on what MDM payloads are supported and can be managed on Account Driven User Enrollment, see this article.
Account Driven Device Enrollment
Devices enrolled through Account Driven Device Enrollment have the ADDE Enrollment type in GoLive. These devices provide the MDM with a little more information, such as the serial number. Because of this, there are more tabs available in GoLive and MDM Apple Apps can be remotely deployed to these devices. On macOS, the Addigy Agent is installed, and all Agent processes will work as expected.
If you would like to see if a device is enrolled through this method, you can reference this device fact via the Devices page or GoLive.
With ADDE, you can also send Scheduled Update Declarations and deploy apps via Apple Apps (Apps & Books). On macOS, since our agent will be installed, you will be able to view and manage things that are dependent on our agent.
For more details on what MDM payloads are supported and can be managed on Account Driven Device Enrollment, see this article from Apple.
Common Issues
"Sign In to Work or School Account" Missing in Settings App
This setting is the entry point for enrolling a device via Account Driven Enrollment. If it is missing, the device has most likely already been enrolled as supervised.
If you intend to enroll a supervised device via Account Driven Enrollment, you must release the device from the MDM server in Apple Business/School Manager and erase it. Erasing is required because a supervised enrollment hides the "Sign In to Work or School Account" setting until the device is wiped. This behavior is controlled by Apple and, at the moment, cannot be changed.
Error: "Sign In Failed - Your Apple Account does not support the expected services on this device."
This error usually means the device is assigned to an MDM server in Apple Business/School Manager. To verify this, log in to Apple Business Manager/Apple School Manager and select the "Devices" tab. Then, search the device serial number and verify whether it is released or not. If it is not released, you must release it to enroll via Account Driven Enrollment.
If you need to add the device back into Apple Business/School Manager later, you can do so using Apple Configurator.
Error: "Error getting account driven enrollment configuration."
This error typically means there is a misconfiguration. If you are using the JSON option, the file is probably not hosted correctly at the .well-known path, or details are missing from it. For example, Addigy's default JSON (below) does not forward the query parameters that the device appends to its request, so they never reach the BaseURL. More information here.
{
"Servers": [
{
"Version": "mdm-adde",
"BaseURL": "https://mdm-prod.addigy.com/mdm/enrollment/servicediscovery/(redacted)/deviceenroll"
}
]
}