Account Driven Enrollment is built for BYOD (Bring your own device) scenarios where end users enroll their devices into Addigy.
Account Driven User Enrollment allows the end user to sign in directly from the System Settings application on the device with their Managed Apple ID. The benefit of this is that the company is able to push down a limited set of MDM profiles to the device, while having total data separation between corporate data and the end user's personal data. When the user unenrolls their device, all corporate data is removed, preserving just the user's personal data on the device. Users can also have peace of mind knowing that their company will have no access to any of their personal information.
There are two types of Account Driven Enrollment: User Enrollment and Device Enrollment.
User Enrollment is traditional BYOD: the company has no information about the device and is limited in what can be deployed. More information from Apple here.
Device Enrollment grants slightly more privileges to the corporate entity, but still preserves the end user's data and information. More information from Apple here.
For more information on User Privacy and Account Driven Enrollment, Apple provides this document detailing how personal data and corporate data are separated.
Requirements
Account Driven User Enrollment:
- iOS 15+
- iPadOS 15+
- macOS 14+
Account Driven Device Enrollment:
- iOS 17+
- iPadOS 17+
- macOS 14+
Configuring Account Driven Enrollment
The new Account Driven Enrollment can be found in Add Devices > Choose a policy > Account Driven Enrollment.
Note: Account Driven Enrollment can only be set up ONCE per AxM (ABM/ASM) domain. Once set up in AxM, it can only be attached to one policy in Addigy. It can be moved to another policy in Addigy later, but the same configuration cannot exist in two policies at the same time.
Hit Edit Settings to bring up the following modal.
The Admin will need to choose the type of Account Driven Enrollment: User or Device. Only one type can be supported per domain. Enter the Domain information used for the Managed Apple Accounts. More information on this process can be found here.
Once the domain information is entered, select Enable Account Driven Enrollment. Addigy will generate a JSON file with the policy information and enrollment type. This JSON file will need to be hosted on the domain at the following address: https://insert-your-domain.com/.well-known/com.apple.remotemanagement.
If you would like to change the enrollment type, simply update the JSON file at the above address.
Note: Hosting a JSON file on the domain is the only way to use Account Driven Enrollment for devices on iOS/iPadOS 15 through 18.1 and macOS 14 through 15.1.
For devices on iOS/iPadOS 18.2+ and macOS 15.2+, you can select ADE token(s) to use as a fallback for Account Driven Enrollment. This is optional: if a JSON file is hosted at the domain, devices will use that instead.
Recommended: if all devices are on iOS/iPadOS 18.2+ or macOS 15.2+, a JSON file does not need to be hosted at the domain. The ADE token method is easier to configure and manage.
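As an added example (not Addigy's own code, and not the JSON Addigy generates), the following Python validator checks a hosted discovery document at the .well-known address above before it is relied on. It assumes the document follows Apple's published schema for account-driven enrollment service discovery (a Servers array whose entries carry a Version of mdm-byod or mdm-adde and an absolute https BaseURL) and that the web server returns it with Content-Type application/json; the sample documents are constructed.

```python
import json
from urllib.parse import urlparse
from urllib.request import Request, urlopen

# Assumption: the hosted file follows Apple's documented service-discovery schema.
WELL_KNOWN_PATH = "/.well-known/com.apple.remotemanagement"
ALLOWED_VERSIONS = {"mdm-byod", "mdm-adde"}  # user enrollment / device enrollment


def validate_well_known(body: bytes, content_type: str) -> list[str]:
    """Return the problems found in a discovery document (an empty list means it passed)."""
    issues = []
    if content_type.split(";")[0].strip().lower() != "application/json":
        issues.append(f"Content-Type is {content_type!r}, expected application/json")
    try:
        doc = json.loads(body)
    except ValueError as exc:
        return issues + [f"body is not valid JSON: {exc}"]
    servers = doc.get("Servers") if isinstance(doc, dict) else None
    if not isinstance(servers, list) or not servers:
        return issues + ["missing or empty 'Servers' array"]
    for i, server in enumerate(servers):
        version = server.get("Version")
        if version not in ALLOWED_VERSIONS:
            issues.append(f"Servers[{i}].Version {version!r} not in {sorted(ALLOWED_VERSIONS)}")
        base = urlparse(server.get("BaseURL", ""))
        if base.scheme != "https" or not base.netloc:
            issues.append(f"Servers[{i}].BaseURL must be an absolute https URL")
    if len({s.get("Version") for s in servers}) > 1:
        issues.append("mixed enrollment types; only one type is supported per domain")
    return issues


def check_domain(domain: str, timeout: float = 10) -> list[str]:
    """Fetch the live document over HTTPS (redirects are followed) and validate it."""
    req = Request(f"https://{domain}{WELL_KNOWN_PATH}", headers={"Accept": "application/json"})
    with urlopen(req, timeout=timeout) as resp:
        return validate_well_known(resp.read(), resp.headers.get("Content-Type", ""))


# Constructed sample documents; the hostnames are placeholders, not real servers.
GOOD = b'{"Servers":[{"Version":"mdm-adde","BaseURL":"https://mdm.example.com/enroll"}]}'
BAD = b'{"Servers":[{"Version":"mdm-byod","BaseURL":"http://mdm.example.com/enroll"}]}'

if __name__ == "__main__":
    print(validate_well_known(GOOD, "application/json"))  # []
    print(validate_well_known(BAD, "text/plain"))  # content type and BaseURL findings
```

Because this file decides which MDM server a device trusts at enrollment time, rerun the check after every change to the file and alert on any Version or BaseURL value you did not expect.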
These tokens must be attached to the Policy as ADE tokens (in Integrations and Settings > Automated Device Enrollment), and must exist in the Apple Business or School Manager domain that is being configured.
- Select the token(s) to be used as the fallback in Addigy.
- Log into Apple Business Manager / Apple School Manager.
- Go to Preferences > Management Assignment > Default Assignments. For more information, see this guide.
- Select the corresponding MDM server that generated the ADE token for each device type.
Once this is set up, devices will be able to enroll without a JSON file being hosted on the domain.
Configuring the End User Experience
The end-user experience can be configured to provide a more personalized enrollment. This will be displayed to end users when they enroll their device from the settings app. You can configure this in the Optional Settings section.
Managing Account Driven Devices
Devices appear in Addigy with the enrollment type BYOD or ADDE, depending on whether they were enrolled with Account Driven User Enrollment (BYOD) or Account Driven Device Enrollment (ADDE). Each enrollment type supports different payloads. The device will install any MDM profile payload that is eligible for its enrollment type. MDM App Deployment is only available on Account Driven Device enrolled devices. On macOS, the Addigy Agent will install on Account Driven Device enrolled devices.
All devices will install eligible payloads from the policy they are currently in. Unsupported payloads will specify that they are unsupported in the Deployment Status of a policy.
Account Driven User Enrollment
Devices enrolled through Account Driven User Enrollment have the BYOD enrollment type and will have limited GoLive tabs based on what is supported on that device. Profiles can be installed via GoLive, and events will be recorded as usual.
There is also a Device Fact for Account Driven User Enrollment that will show as True.
For details on what MDM payloads are supported and can be managed on Account Driven User Enrollment, see this article.
Account Driven Device Enrollment
Devices enrolled through Account Driven Device Enrollment have the ADDE enrollment type in GoLive. These devices provide the MDM with slightly more information, such as the serial number. Because of this, more tabs are available in GoLive and MDM Apple Apps can be remotely deployed to these devices. On macOS, the Addigy Agent is installed, and all Agent processes will work as expected.
There is also a Device Fact for Account Driven Device Enrollment that will show as True.
For details on what MDM payloads are supported and can be managed on Account Driven Device Enrollment, see this article.