Automated Device Enrollment (ADE) enables administrators to configure and manage corporate-owned Apple devices from the moment they are removed from the box.
Addigy provides the ability to associate a unique MDM Server per Policy, allowing for multiple Automated Device Enrollment connections within a single Addigy environment.
Table of Contents
- Creating the MDM Server
- Assigning Devices to Your MDM Server in Apple Business/School Manager
- Configure the Automated Device Enrollment Profile
- Automated Device Enrollment Settings
- End-User Setup Assistant Experience
- Ensure Devices are Ready to Enroll
- Upkeep
Creating the MDM Server
See Apple's documentation, link to a third-party MDM Server in Apple Business Manager, or follow the instructions below:
In Apple Business/School Manager
, sign in with a user that has the role of Administrator or Device Enrollment Manager.- Select Devices at the top of the page, and then go to the Management page.
- Scroll to the bottom of the Management page and click Add next to "Add device management service".
- Select "Connect external device management".
- In a separate tab, head on over to your Addigy environment, go to the Policies page, and select the desired Policy.
- Click the Integrations & Settings tab in the policy navigation section and select the Automated Device Enrollment tab.
- Select Get Addigy Public Key from the page.
- In Apple Business/School Manager and upload this key by selecting Choose File... Be sure to name the MDM Server as well.
- Download the Server Token from your newly created MDM Server and upload it into your Addigy policy via the Upload New Token option.
Assigning Devices to Your MDM Server in Apple Business/School Manager
Since a new MDM Server has been made, you will need to assign any pre-existing devices to this new MDM Server. If you do not have any devices in your Apple Business/School Manager portal yet, you can skip this for now.
Note: If you are assigning a new device that has not been set up yet, these steps should be done before going through Setup Assistant. It can take an arbitrary amount of time for the device to shift to the new server, and if everything is completed too quickly, the device may not see the Remote Management screen, which is responsible for performing the enrollment.
- Sign in to Apple Business/School Manager.
- Select the Devices > Device to assign > Assign Device Management and select the intended MDM Server from the list.
- Confirm the assignment. The device will enroll into the policy that contains the MDM Server's token.
Configure the Automated Device Enrollment Profile
For the integration to be considered complete, you must set up an ADE Profile. First, enter all the company information you want to be reflected on devices during ADE enrollment and thereafter.
Then complete the ADE Enrollment Settings and End-User Setup Assistant Experience sections (see below). Note that each Operating System's enrollment behavior and options will vary (e.g., macOS, tvOS, iOS).
Automated Device Enrollment Settings
These settings will determine what the device does upon setup and enrollment. For a full list of each setting's functions, please refer to Automated Device Enrollment Settings.
End-User Setup Assistant Experience
This section will determine what your end-users see during enrollment. You can configure branding to make it clear where the device is enrolling, configure authentication, and determine which steps of Setup Assistant the user will see.
Authentication
Addigy allows admins to secure how users are able to enroll devices through Automated Device Enrollment. There are currently three authentication methods available for admins:
- No Authentication: Authentication is not needed to proceed through Setup Assistant.
- Passcode: The user must enter this passcode to complete Setup Assistant. The passcode needs to be a minimum of a 4-character alphanumeric string with a maximum of 15. Users who do not have this passcode will not be able to proceed through enrollment.
- SSO Enrollment: To complete Set Up Assistant, the user must enter their Identity Provider login. Only users assigned to the application on the identity provider side can complete enrollment. To learn more about this setup, please refer to the following KBs: Okta, Microsoft Entra ID, and Google.
Custom Branding and Content Window
In this section, you can set your own image and a custom message that the user will see before continuing through the ADE process. Here is an example:
These are the recommended image settings for optimal formatting:
- Image Type: PNG
- Max Height Constraint: 96px
- Max Width Contraint: 250px
Skip Setup Assistant Screens
If you do not want the user to see anything from Setup Assistant, you can just select the "Skip All" checkbox.
After you've configured everything according to your preferences, click Save Settings at the bottom of the page. Once the Automated Device Enrollment Profile is saved, your Automated Device Enrollment devices will install Addigy during their initial setup.
Ensure Devices are Ready to Enroll
As soon as your Apple Automated Device Enrollment account is linked to the policy, your Automated Device Enrollment enrolled devices will appear in the table below the setup. Before setting up any devices, be sure that they appear as "assigned". For more information on the ADE status meanings, please review the following article: Automated Device Enrollment Profile Status.
You can validate that devices are enrolled in this process when they are powered on for the first time and they reach the Remote Management screen, or the Profile is visible in System Preferences.
Upkeep
Server tokens generated by Apple Business/School Manager will be up for renewal 1 year after creation. In order to renew these server tokens, please see the following article: Renewing an Automated Device Enrollment Token