This document outlines the process for enrolling macOS devices into your datajar.mobi instance via Bring Your Own Device (BYOD) user enrollment, previously known as User-Initiated Enrollment. Whilst we provide partial support for such workflows, we understand the requirement in regions where Automated Device Enrolment might not be available. Please be aware, through our network of procurement partners, that the supply of hardware through the correct channels will always be the best route to delivering a consistent user experience and security posture for your organisation.
Where possible, all compatible devices, such as Intel (with T2 processor) or Apple Silicon should be added to Apple Business Manager or Apple School Manager. If your hardware vendor is not able to do this before shipping, you can manually add them using the following steps, please see:
Adding computers to Apple Business Manager / Apple School Manager with Apple Configurator
In situations where this is not possible, and upon request via our support desk, devices can be enrolled via a BYOD workflow to ensure a low level of security and visibility of the device.
What does partial support for BYOD mean?
The below table details the differences between Apple’s Automated Device Enrollment (ADE), which essentially places devices in a supervised (enterprise-managed) state and ensures the organisation maintains control versus BYOD which ensures the user of the device is in control.
|ADE (full support)
|BYOD (partial support)
|Device can be purchased from anywhere
|Device is fully supported
|IdP required (Okta/Microsoft/Google)
|1:1 configuration support
|Shared configuration support
|Out of the box enrolment (zero-touch)
|Recovery OS Lock
|Security product enforcement (dataJAR Defend/Crowdstrike etc.)
|Remote lock and wipe (EACS) of devices (in case of theft)
|Automated Filevault encryption key escrow
|Requires local administrator privileges
|Opt-out of device management
Due to the opt-in nature of BYOD, our support team will have limited access and capabilities when providing support on a device enrolled via this method (as detailed above).
As BYO devices can be enrolled in an unknown state and should support be provided, we will first request the device be wiped and prepared following the exact Pre-enrolment steps below before we can continue to provide support services.
Please see: Erase your Mac and reset it to factory settings
Prior to enrolment, there are some additional steps required. Unlike the ADE enrolment, these steps must be performed each time a device is redeployed.
- Connect the device to power and a network connection. A wired connection is strongly suggested, but wireless is also possible (although this may be slower). To ensure all services are available, please review our Network Requirements.
- Ensure the device drive has been wiped and the latest OS has been installed.
- For Intel Macs, boot the device to the recovery partition, erase the internal hard drive and reinstall a fresh version of the latest supported OS. More details on this step can be found here: Preparing your devices for datajar.mobi
- For Apple Silicon Macs, run the software update utility to install the latest compatible OS and then wipe the drive using Erase All Content and Settings. More details on this step can be found here: Preparing your devices for datajar.mobi
- Once the OS is installed, ensure the device still has a network connection (if using wireless, this will need to be reconnected) and proceed through the Apple Setup Assistant.
- As part of the Setup Assistant, you will be prompted to create a user account. Create a valid user account matching your organisation’s policies for your identity provider (IdP). This will ensure that when the user account from your IdP calls back to the device, the user accounts will be linked.
Please note: do not use a temporary or a local administrator/service account. This action can result in further issues with full disk encryption which will require a full redeployment. For more details please see Secure Token Requirements and Considerations.
- Once on the Desktop, launch the Safari application. This is typically in the default Dock.
- Navigate to the enrolment page for your instance. This will be of the format:
If you are unsure of your instance URL, please reach out to our support team.
- Authenticate to the enrolment page using organisational credentials.
- Once authenticated, use the "assign to" user box to enter the end user's username), assign the device and continue.
- Follow the on-screen instructions to download and install the enrolment / MDM profile.
- For macOS 13 Ventura and later, open System Settings and navigate to Privacy & Security > Profiles, then select the “datajar.mobi MDM Profile” and choose Install.
- For macOS 12 Monterey or macOS 11 Big Sur, open System Preferences and choose Profiles, then select the “datajar.mobi MDM Profile” and choose Install.
- Once enrolment is complete, quit Safari and System Settings.
- Within a few minutes, our enrollment screen will appear, prompting you for a device name (optional depending on implementation requirements) and the device role (required).
- Select a device role and optionally provide a device name then click the continue button.
- The device will install the required software. Once complete, the device will automatically restart.
- The device is now ready for use.
Need further support?
Automate. Simplify. Succeed. If you still require assistance with us or have any further questions, please raise a ticket with our support team.
Alternatively, please see our frequently updated knowledge base articles for reference.