Overview
Please note that this service is not active on standard datajar.mobi instances. Please raise a ticket with our support team if you would like to find out more or configure this functionality in your instance.
Using Apple's Account Driven User Enrolment workflow, datajar.mobi offers customers the option for their users to enrol their personally owned devices so they can receive limited management. For example, this might be a subset of managed apps for securely accessing work resources or settings for baseline passcode policy and Wi-Fi connectivity to the organisation's network.
A device enrolled this way is managed with a more limited set of capabilities than a device owned by the organisation. The user's personal data on the device is kept separate from organisational data and is not visible/accessible within the managed instance or Jamf Insights.
Once in place, users enrol their personal devices into datajar.mobi by signing into their organisation-provided Managed Apple ID via the Settings app, using the same credentials/authentication method as they do for signing into other organisation resources. For transparency, before they enrol, users can review how their device will be managed.
Contents
- How is User Enrolment different from Automated Device Enrolment (ADE)?
- Implementation Requirements
- User experience during enrolment
- Managing Personal devices with Jamf Insights and other recommendations
- Further resources
How is User Enrolment different from Automated Device Enrolment (ADE)?
User Enrolment is designed for devices owned by users themselves and it centres on their privacy as the top priority, whilst giving organisations the critical capabilities they require. For devices owned by the organisation, Automated Device Enrolment should always be used.
The table below outlines common management capabilities and how they differ between both types of device enrolment method:
| Capability | User Enrolment (personally owned device) | Automated Device Enrolment (organisation-owned device) |
|---|---|---|
| Install and remove managed apps (automatic or Self Service) | Yes (users are prompted to allow each app install) | Yes |
| View installed apps | Managed apps only | All apps |
| Require a passcode and specify the complexity | Yes | Yes |
| Configure organisational accounts (Mail, Contacts, Calendar) | Yes | Yes |
| Configure restrictions | Limited | Yes |
| Configure organisational network connections (e.g. VPN, Wi-Fi with 802.1X authentication) | Yes | Yes |
| View inventory information | Limited | Yes |
| Access device location (Lost Mode) | No | Yes |
| Manage Activation Lock | No | Yes |
| Remotely wipe the entire device | No | Yes |
| Remotely wipe managed apps/settings (unmanage device) | Yes | Yes |
dataJAR supports Account Driven User Enrolment, in which users open the Settings app on their device and sign in with their organisation-provided Managed Apple ID to begin the process.
Implementation Requirements
Before users can enrol their personal iOS/iPadOS devices into datajar.mobi, the following requirements must be met. dataJAR can offer further advice and guidance if needed, and full support for prerequisites configured inside the datajar.mobi instance itself.
- (Customer) A recommended identity provider configured and in place:
  - Microsoft Entra ID
  - Google Workspace
  - Okta (alongside one of the above ecosystems in place)
- (Customer) An Apple Business Manager or Apple School Manager instance (AxM), with administrator access
- (Customer) Customer domain verified with AxM
- (Customer) Provision of Managed Apple IDs inside the AxM instance, where:
  - Usernames match the user's email address/username attribute from the organisational identity provider
  - Federated authentication is configured (Entra ID and Google Workspace supported, but other identity providers can be used through one of these services, e.g. where users sign into their Google or Office 365 accounts through Okta)
  - Directory sync is configured (Entra ID and Google Workspace supported)
- (dataJAR/Customer) A JSON file hosted on a website with the customer's verified domain name (dataJAR will create this file and provide it for you to host)
- (dataJAR/Customer) Identity Services Integration between your datajar.mobi instance and your identity provider (dataJAR can support the integrations):
  - Entra ID
  - Okta
  - Google Workspace
  - Other identity providers supporting SAML/SSO and LDAPS
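The hosted JSON file in the requirements above is Apple's service discovery file: when a user types their work email in Settings, the device takes the domain part of that address and fetches `https://<domain>/.well-known/com.apple.remotemanagement`, which must point it at the MDM server over HTTPS. The page says dataJAR will supply the file; the following script is an added example (not dataJAR's or Apple's code) that whoever hosts the file can use to check it before going live. The well-known path, the `Servers`/`Version`/`BaseURL` keys and the `mdm-byod` value are Apple's documented format; the domain `example.com` and the `BaseURL` are constructed placeholders, since the real URL is specific to your datajar.mobi instance.

```python
import json
from urllib.parse import quote, urlparse

# Apple's documented discovery path for Account Driven enrolment.
WELL_KNOWN_PATH = "/.well-known/com.apple.remotemanagement"
# Apple's documented values: "mdm-byod" is Account Driven User Enrolment
# (personal devices); "mdm-adde" is Account Driven Device Enrolment.
VALID_VERSIONS = {"mdm-byod", "mdm-adde"}

# Constructed sample of a correct file (hostname is a placeholder, not a real instance).
GOOD_FILE = """
{
  "Servers": [
    {"Version": "mdm-byod", "BaseURL": "https://mdm.example.com/enrol"}
  ]
}
"""

# Constructed sample with two common mistakes: a made-up Version string
# and a BaseURL that is not HTTPS (the device will refuse both).
BAD_FILE = """
{"Servers": [{"Version": "mdm-user", "BaseURL": "http://mdm.example.com/enrol"}]}
"""


def discovery_url(email: str) -> str:
    """Build the URL the device fetches, derived from the domain of the
    address the user typed in Settings (their Managed Apple ID username)."""
    domain = email.rsplit("@", 1)[1].lower()
    return f"https://{domain}{WELL_KNOWN_PATH}?user-identifier={quote(email)}"


def validate_discovery(text: str, expected_version: str = "mdm-byod") -> list:
    """Return a list of problems found in a discovery file; an empty list means OK."""
    problems = []
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    servers = doc.get("Servers") if isinstance(doc, dict) else None
    if not isinstance(servers, list) or not servers:
        return ["top-level 'Servers' array missing or empty"]
    found_expected = False
    for i, entry in enumerate(servers):
        if not isinstance(entry, dict):
            problems.append(f"Servers[{i}] is not an object")
            continue
        version = entry.get("Version")
        base_url = entry.get("BaseURL")
        if version not in VALID_VERSIONS:
            problems.append(
                f"Servers[{i}].Version {version!r} is not one of {sorted(VALID_VERSIONS)}"
            )
        if not isinstance(base_url, str) or not base_url:
            problems.append(f"Servers[{i}].BaseURL missing")
            continue
        parsed = urlparse(base_url)
        # The device only trusts an HTTPS endpoint; plain http is rejected.
        if parsed.scheme != "https" or not parsed.netloc:
            problems.append(f"Servers[{i}].BaseURL must be an https URL, got {base_url!r}")
        if version == expected_version:
            found_expected = True
    if not found_expected:
        problems.append(f"no entry with Version {expected_version!r}")
    return problems


if __name__ == "__main__":
    print("device will fetch:", discovery_url("jane.doe@example.com"))
    print("good file problems:", validate_discovery(GOOD_FILE))
    print("bad file problems:", validate_discovery(BAD_FILE))
```

Beyond the file contents, the web server must serve this path over HTTPS with a certificate the device trusts, and the domain must be the one verified in Apple Business Manager, so a quick `curl -i https://<domain>/.well-known/com.apple.remotemanagement` from an ordinary network is a worthwhile final check.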
User experience during enrolment
- The user opens Settings and navigates to General > VPN & Device Management > Sign In to Work or School Account
- They enter their work email address (which is the same as their Managed Apple ID username provided by the organisation)
- They are directed to sign into the managed instance to allow their device to enrol. This sign-in goes through your organisation's identity provider single sign-on (SSO) authentication flow, so the screens they see here will vary depending on your identity provider
- The user is then prompted to sign into their Managed Apple ID, again through your organisation's identity provider SSO flow, so these screens will also vary depending on your identity provider
- They are prompted to allow remote management, after which the device is enrolled and managed
After enrolment, users are prompted for permission to install any apps that are configured for automatic deployment. This includes the Self Service app as a minimum. For the best possible user experience, it is recommended that further managed apps are made available for users to install via Self Service rather than installed automatically, as automatic installation will otherwise cause multiple prompts/interruptions for users.
Managing Personal devices with Jamf Insights and other recommendations
For managed instances with User Enrolment configured, a search filter for "All Personal Devices" is available in the Mobile Devices section of Jamf Insights. Managing personal devices is similar to managing organisation-owned devices, with the following exceptions:
- The serial number is not shown
- The device does not show as Supervised
- The device does not show as having a Passcode set (even if it does)
- Whilst all MDM commands are visible, only the following work:
  - Update inventory
  - Lock device
Further resources
- Link to new domains in Apple Business Manager
- Use Managed Apple IDs in Apple Business Manager
- Intro to federated authentication with Apple Business Manager
- User Enrolment and MDM (Apple Platform Deployment)
- Setting up Account-Driven User Enrolment (Jamf)
- User Enrolment MDM Information (Apple)
- Okta Integration Guides including Office 365/Google Workspace (Okta)