User Enrollment

Introduction

With user enrollment, private iOS and macOS devices can be enrolled without the owner having to give up all control over the devices. Based on the Bring Your Own Device approach (BYOD), private devices of students or employees can be integrated and used in the school or company context while maintaining the protection of private data.

Devices must not be in Supervised Mode (also called Monitored Mode) for Apple User Enrollment.

Two variants of enrollment are available: account-based and profile-based (conventional manual enrollment).

Profile-based User Enrollment is no longer supported starting with iOS 18.

Benefits

  • Administrators cannot view privately installed apps.
  • Devices remain under control of users.

Disadvantages

  • Not all actions and policy configurations are possible.
  • Managed Apple IDs are required.

Prepare enrollment in Relution

Starting in the Relution organization, a manual enrollment for iOS or macOS devices can be created in the usual way and the enrollment link sent to the desired students or employees.

The basic prerequisite for creating a user enrollment is the assignment of users. Each of these users must have either a ‘Managed Apple ID’ or an ‘Email address’ stored in their user details. Afterwards the corresponding users can be added and the enrollment completed. Once a device is enrolled via user enrollment, the user assigned to it can no longer be changed or removed.

Profile-based user enrollment (only up to iOS 17)

The enrollment link that users receive performs the device enrollment on the iOS or macOS device using the user’s Managed Apple ID, and the device automatically appears in the device inventory of the corresponding Relution organization.

Account-based user enrollment

Relution supports account-based user enrollment of iOS and macOS devices that are not in Supervised Mode.

To use account-based user enrollment, you will need the following:

  • Service Discovery Well-Known Hosts

You need to configure service discovery so that Apple can direct the devices to the correct MDM server. To do this, you host an HTTP well-known resource file on the domain that users will use to log in. Apple must be able to retrieve this file via an HTTP GET at the following URL:

https://yourdomain.com/.well-known/com.apple.remotemanagement

In place of yourdomain.com, enter the domain that you also use for your Apple IDs.

The file must be hosted on a domain that can answer HTTP GET requests. Create the file in JSON format and serve it with content type application/json.

To enter the correct information in the file, you can copy the required information directly from your Relution Portal. To do this, open:

  1. Settings
  2. Device Management / Device Management
  3. Account-based Apple user registration
  4. Set the slider to On
  5. Copy the text in the curly brackets and insert it into your file.

Important: for the file to work properly, it must not have a file extension.

Example: maxmustermann@musterhausen.de

In this example, the domain of the ID is musterhausen.de, so the service discovery file would have to be hosted there.
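The following script is an added example for checking a service discovery setup before handing out enrollment instructions; it is not Relution's code and not part of this documentation. It derives the lookup domain from a Managed Apple ID as described above, builds the well-known URL, and validates a served document against the three requirements on this page (correct path with no file extension, content type application/json, valid JSON). The expected JSON shape (a "Servers" array whose entries carry "Version": "mdm-byod" and an https "BaseURL") is taken from Apple's published service discovery format and is not shown on this page; the sample document and the host mdm.example.invalid are constructed placeholders, not real Relution endpoints.

```python
"""Offline checks for an Apple User Enrollment service discovery document.

Added example (not Relution's code). The JSON layout follows Apple's
published service discovery format: {"Servers": [{"Version": "mdm-byod",
"BaseURL": "https://..."}]}. All hosts and URLs below are placeholders.
"""
import json
from urllib.parse import urlsplit

WELL_KNOWN_PATH = "/.well-known/com.apple.remotemanagement"

# Constructed sample of what the Relution portal would hand out (curly-bracket
# text from "Account-based Apple user registration"); the BaseURL is a placeholder.
SAMPLE_DOCUMENT = (
    '{"Servers":[{"Version":"mdm-byod",'
    '"BaseURL":"https://mdm.example.invalid/placeholder-enrollment-endpoint"}]}'
)


def discovery_domain(managed_apple_id):
    """Domain Apple queries for the well-known file: the part after '@'."""
    local, sep, domain = managed_apple_id.strip().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("not an e-mail style Managed Apple ID: %r" % managed_apple_id)
    return domain.lower()


def discovery_url(managed_apple_id):
    """Full URL Apple will GET for this user's Managed Apple ID."""
    return "https://%s%s" % (discovery_domain(managed_apple_id), WELL_KNOWN_PATH)


def check_response(path, content_type, body):
    """Validate a served document. Returns a list of problems; [] means OK."""
    problems = []
    # The page requires the exact path and no file extension (e.g. no ".json").
    if path != WELL_KNOWN_PATH:
        problems.append("served at %r, expected %r (no file extension)" % (path, WELL_KNOWN_PATH))
    # Media type must be application/json; a charset parameter is tolerated.
    media_type = content_type.split(";")[0].strip().lower()
    if media_type != "application/json":
        problems.append("Content-Type is %r, expected application/json" % content_type)
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        return problems + ["body is not valid JSON: %s" % exc]
    servers = doc.get("Servers") if isinstance(doc, dict) else None
    if not isinstance(servers, list) or not servers:
        return problems + ['missing non-empty "Servers" array']
    for i, server in enumerate(servers):
        if not isinstance(server, dict):
            problems.append("Servers[%d] is not an object" % i)
            continue
        # "mdm-byod" marks account-based User Enrollment (BYOD) in Apple's format.
        if server.get("Version") != "mdm-byod":
            problems.append('Servers[%d].Version is %r, expected "mdm-byod"' % (i, server.get("Version")))
        base_url = server.get("BaseURL")
        parts = urlsplit(base_url) if isinstance(base_url, str) else None
        if parts is None or parts.scheme != "https" or not parts.netloc:
            problems.append("Servers[%d].BaseURL must be an https URL, got %r" % (i, base_url))
    return problems


if __name__ == "__main__":
    user = "maxmustermann@musterhausen.de"
    print("Apple will look up:", discovery_url(user))
    # Correct deployment: exact path, JSON content type, portal-provided body.
    print("good deployment:", check_response(WELL_KNOWN_PATH, "application/json; charset=utf-8", SAMPLE_DOCUMENT))
    # Common mistake: file saved with an extension and served as plain text.
    print("bad deployment:", check_response(WELL_KNOWN_PATH + ".json", "text/plain", SAMPLE_DOCUMENT))
```

In practice you would feed `check_response` the path, Content-Type header and body obtained from an HTTP GET against your own domain (for example via `urllib.request`), which is exactly the request Apple makes; the script keeps that part offline so the checks can be run against the text copied from the portal before anything is published.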

Account-based user enrollment (option 2) makes it much easier to register personal devices in Relution. As soon as Relution users sign in on their private devices via the option Log in to work or school account... under VPN & Device Management in the general settings, user enrollments are generated automatically in Relution. Using the Managed Apple ID of the respective user, the enrollment URL of the responsible MDM solution is identified automatically. After the user logs in with their Relution login credentials, the device appears in the device inventory of the corresponding Relution organization following successful authentication.