Jamf Pro Device Enrollment Guide

Discover how to enroll devices into Jamf Pro using User-Initiated Enrollment

Introduction

Now that you have access to a Jamf Pro environment, it’s time to get started on the development and testing of workflows. Whether you’re making API calls to gather information about devices or testing the deployment of your application to a managed device, most workflows require that a device has been enrolled into Jamf Pro.

While the majority of customer environments utilize Apple Business Manager and Automated Enrollment, we understand that most partners do not have these prerequisites available. If your integration or product requires zero-touch deployment of Apple products, please consider enrolling in Apple Business Manager. This article describes how to enroll devices using the User-Initiated Enrollment workflow.

Server Configuration and Setup

Apple Push Notification Certificate

Creation of an APNs certificate is required for enrollment of iOS devices and macOS devices. This certificate enables secure communication between Jamf Pro and Apple’s servers which support and enable MDM protocols, such as automated deployment of apps, configuration profiles and remote commands.

It’s important to note that this certificate must be renewed annually using the same Apple ID that was used to create the certificate. If, for any reason, the original Apple ID cannot be used during the renewal process, all devices will need to be re-enrolled. It may make sense to create an Apple ID solely for this purpose.

Please follow the instructions in this article to create the APNs certificate, once you’ve identified an appropriate Apple ID to use.
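
Because a lapsed APNs certificate interrupts MDM communication, it helps to check the expiry date on a schedule. The script below is an added example, not part of Jamf's documentation or tooling; it assumes the push certificate is saved locally as a PEM file and that the openssl command-line tool is installed. The function names, return codes and the 30-day renewal window are illustrative choices.

```shell
#!/bin/sh
# Added example: classify an APNs push certificate (PEM) by time left before expiry.
# Return codes: 0 = valid beyond the window, 1 = inside the renewal window,
# 2 = already expired, 3 = file missing or not a parseable certificate.
apns_cert_status() {
    cert="$1"                 # path to the PEM certificate (assumed to be saved locally)
    warn_days="${2:-30}"      # renewal window in days (assumed default)

    # Reject unreadable or non-certificate input before checking dates.
    if ! openssl x509 -in "$cert" -noout >/dev/null 2>&1; then
        return 3
    fi
    # -checkend N exits non-zero if the certificate expires within N seconds.
    if ! openssl x509 -in "$cert" -noout -checkend 0 >/dev/null 2>&1; then
        return 2
    fi
    if ! openssl x509 -in "$cert" -noout -checkend $((warn_days * 86400)) >/dev/null 2>&1; then
        return 1
    fi
    return 0
}

# Print a one-line report suitable for cron or a monitoring check.
apns_cert_report() {
    rc=0
    apns_cert_status "$1" "${2:-30}" || rc=$?
    case $rc in
        0) echo "OK: $1 $(openssl x509 -in "$1" -noout -enddate)" ;;
        1) echo "RENEW: $1 expires within ${2:-30} days; renew with the original Apple ID" ;;
        2) echo "EXPIRED: $1" ;;
        3) echo "ERROR: cannot read certificate $1" ;;
    esac
    return $rc
}

# Run only when a path is given, e.g.: sh check_apns.sh push_cert.pem 45
if [ -n "${1:-}" ]; then
    apns_cert_report "$@"
fi
```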

Configuring User-Initiated Enrollment Settings

Before enrolling devices, the server must be configured to support user-initiated enrollment. Follow the steps below to enable enrollment of both iOS and macOS devices.

  1. Log in to Jamf Pro.
  2. In the top-right corner of the page, click Settings.
  3. Click User-Initiated Enrollment.
  4. Click Edit.
  5. The default settings for the General and Messaging tabs should be sufficient, but feel free to customize your end user experience as desired.
  6. Click Platforms and from the macOS tab, check the box for Enable user-initiated enrollment for computers.
    i. In the Username field, enter any username for the administrative account that will be associated with the managed device.
    Note: Although required, configuration of this field is only relevant for use of the Jamf Remote application.
  7. Click the iOS tab and check the box for Enable user-initiated enrollment for institutionally owned iOS devices.
  8. Click Save in the bottom-right corner of the page. Your environment is now configured to allow users to enroll devices without the use of Apple Business Manager.

Supervising Mobile Devices

Prior to enrolling mobile devices, it’s important to determine if the workflows you’re intending to test require the use of a supervised device. Although there is not a comprehensive list of all workflows and features that require supervision, please review the Jamf Pro Administrator’s Guide for the specific workflow you intend to test. Deployment of some specific settings via Configuration Profiles also requires supervised devices to function; these settings can be identified within Jamf Pro by navigating to the Configuration Profile payload and viewing the description of each setting (example below).

Requirements such as supervision and minimum iOS version are depicted within the Jamf Pro UI.

Enrolling Mobile Devices

  1. On the test device you intend to deploy the app to, navigate to https://yourInstanceName.jamfcloud.com/enroll
  2. On the Login screen, enter the credentials for the account used to log in to Jamf Pro, then tap Log in.
  3. On the Assign to user screen, tap Enroll without entering anything in the text box.
    Important: Entering data into the text box will prevent enrollment if no LDAP servers are configured (none are by default).
  4. Tap Continue when prompted to install the MDM Profile.
  5. Tap Allow when prompted to download the configuration profile.
  6. Close the browser, open the Settings app on the device and tap General from the left pane.
  7. Tap Profile from the right pane, then tap MDM Profile followed by Install in the top-right corner.
  8. Follow the on-screen prompts to complete the installation process.
    Note: If a warning prompts about the authenticity of the MDM Profile, tap Install. This is expected when Jamf Pro is configured to skip certificate installation during enrollment.
    More information and screenshots of the end user experience can be found in the Jamf Pro Administrator’s Guide.

Enrolling Computers

  1. On the test device you intend to deploy the app to, navigate to https://yourInstanceName.jamfcloud.com/enroll
  2. On the Login screen, enter the credentials for the account used to log in to Jamf Pro, then click Log in.
  3. On the Assign to user screen, click Enroll without entering anything in the text box.
    Important: Entering data into the text box will prevent enrollment if no LDAP servers are configured (none are by default).
  4. Click Continue when prompted to install the MDM Profile.
  5. System Preferences should automatically prompt you to install the MDM Profile; click Continue to proceed with enrollment.
    Follow the on-screen prompts to complete the installation process.
    Note: If a warning prompts about the authenticity of the MDM Profile, click Install. This is expected when Jamf Pro is configured to skip certificate installation during enrollment.

After the MDM profile has been installed, the jamf binary, agents and other management tools will automatically begin installing in the background. Please allow a few minutes for this process to complete before attempting to perform management tasks on the device. More information and screenshots of the end user experience can be found in the Jamf Pro Administrator’s Guide.

FAQ

When creating an APNs certificate, why do I receive an error message when prompted to enter my Jamf Nation credentials?

The credentials used to login to Jamf Pro are different than the credentials used for Jamf Nation. Make sure to use the credentials used to authenticate here, or create a new account if you haven’t done so already. When creating a new account, be sure to use your corporate email address so your account can be automatically linked to your Jamf Pro environment. If you continue to experience issues, contact [email protected].

What about Automated Enrollment via Apple Business Manager?

Enrolling devices using Apple Business Manager is supported; however, it requires the device to be wiped in order to initiate the enrollment process. Work with the team that manages your Apple Business Manager account at your organization to follow these instructions and set up Automated Enrollment with Jamf Pro.