Thursday, September 22, 2016

Managing iOS Devices in Enterprise - User Enrollment and DEP (Part 5)

Before users can start accessing corporate resources from their own or organization-owned devices, an enrollment process normally takes place. Usually this means enrolling the device under the control of a Mobile Device Management (MDM) solution. Small-scale deployments might not require the use of MDM and can instead apply Apple Configurator 2 or other tools, which involve a similar process of putting the iOS device under organizational control. The related Preparation process with Prepare Assistant, under which MDM is not necessarily used, is described in the Apple Configurator 2 section.
If MDM is used, user-initiated enrollment over the air (OTA) can be applied to user-owned devices. Under this scenario, users who need to use corporate resources are encouraged to enroll into MDM via its enrollment web address. The link with instructions can be sent to users by iMessage, email or text message, published on a site, delivered by a captive portal redirect, etc. After authentication, the user downloads the enrollment profile and installs it. Profiles published via MDM are linked to the enrollment profile. If the user removes the enrollment profile, the other MDM-installed profiles are also removed automatically. The user might also be able to unenroll through the MDM portal's self-service. This results in the removal of enterprise resources and connections.
Use the Apple Device Enrollment Program (DEP) to enroll devices in MDM wirelessly. Imagine: just open the box and hand the iPad to a corporate user, who can start using it almost immediately. Administrators can automate MDM enrollment and the setup of iOS devices according to organization policies without performing any physical configuration work. Thanks to DEP, this happens automatically once a user starts the device for the first time and proceeds through Setup Assistant. Furthermore, administrators can simplify the setup process for the user by eliminating Setup Assistant steps such as Terms and Conditions, Send Diagnostics, Location Services, etc.
How does DEP deliver such a great enterprise user experience? It involves multiple setups and processes. Administrators link DEP to their MDM servers in the DEP portal at http://deploy.apple.com. Administrators also need to set up the enrollment settings in their MDM system, as in the example from Apple Profile Manager MDM. For DEP-enrolled organizations, the device information is transferred to DEP when devices are purchased from Apple, an Apple Authorized Reseller or a carrier. Administrators can assign devices to users. When users go through Setup Assistant on their devices, MDM configurations and restrictions are applied automatically: the device receives settings from DEP, which instruct it to enroll with the MDM server. From this point, MDM takes over the device management.
Image: Sample of enrollment configuration in Apple Profile Manager MDM
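The enrollment settings described above can also be expressed as data and checked before they are assigned to devices. The following is an added example, not code from the original post or from Apple: it builds a DEP-style enrollment profile that skips the three Setup Assistant steps named above and audits it for settings that weaken organizational control. The field names and skip keys follow Apple's DEP profile format as assumed here, and the profile name and MDM URL are constructed placeholders.

```python
import json
from urllib.parse import urlparse

# Setup Assistant steps named in the article, mapped to the skip keys assumed here.
SKIP_KEYS = {
    "Terms and Conditions": "TOS",
    "Send Diagnostics": "Diagnostics",
    "Location Services": "Location",
}


def build_dep_profile(name, mdm_url, skip_panes, user_removable=False):
    """Return the enrollment profile an MDM server would assign to DEP devices."""
    unknown = [p for p in skip_panes if p not in SKIP_KEYS]
    if unknown:
        raise ValueError(f"unknown Setup Assistant step(s): {unknown}")
    return {
        "profile_name": name,
        "url": mdm_url,                      # MDM endpoint the device enrolls with
        "is_supervised": True,
        "is_mandatory": True,                # enrollment cannot be skipped at setup
        "is_mdm_removable": user_removable,  # False: user cannot remove enrollment
        "skip_setup_items": sorted(SKIP_KEYS[p] for p in skip_panes),
    }


def audit_dep_profile(profile):
    """List findings for an organization-owned device profile.

    Missing keys are treated as the permissive value, so an incomplete
    profile is reported rather than silently accepted.
    """
    findings = []
    url = urlparse(profile.get("url", ""))
    if url.scheme != "https" or not url.hostname:
        findings.append("url: MDM enrollment endpoint must be an https URL")
    if not profile.get("is_mandatory", False):
        findings.append("is_mandatory: user can skip MDM enrollment during setup")
    if profile.get("is_mdm_removable", True):
        findings.append("is_mdm_removable: user can remove the enrollment profile")
    return findings


if __name__ == "__main__":
    # Constructed sample values; mdm.example.com is a placeholder host.
    profile = build_dep_profile("Corp iPad", "https://mdm.example.com/enroll",
                                list(SKIP_KEYS))
    print(json.dumps(profile, indent=2))
    print(audit_dep_profile(profile) or "no findings")
```

A profile built with `user_removable=True` reproduces the behaviour of user-initiated enrollment, where removing the enrollment profile also removes every MDM-installed profile linked to it.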