Apple Platform Deployment
Device Enrolment allows organisations to have users manually enrol devices into a mobile device management (MDM) solution and then manage many different aspects of device use, including the ability to erase the device. On Mac computers using macOS 11 or later, Device Enrolment also enforces supervision on the Mac.
When a user removes an enrolment profile, all configuration profiles, their settings and Managed Apps based on that enrolment profile are removed with it.
Device Enrolment has a larger set of payloads that can be applied to the device. For the complete list, see Device Enrolment MDM payload list.
Account-driven Device Enrolment
In iOS 17, iPadOS 17, macOS 14 and visionOS 1.1 or later, organisations can use an account-driven Device Enrolment process, built into Settings and System Settings, to make it easier for users to enrol devices.
To do this, the user navigates to Settings > General > VPN & Device Management or to System Settings > Privacy & Security > Profiles and then selects the Sign In to Work or School Account button.
As the user enters their Managed Apple ID, service discovery identifies the MDM solution’s enrolment URL. The user then enters their organisation user name and password. After the authentication succeeds, the enrolment profile is sent to the device. A session token is also issued to the device to allow ongoing authorisation. The device then begins the MDM enrolment process and prompts the user to sign in with their Managed Apple ID. On iPhone, iPad and Apple Vision Pro, the authentication process can be streamlined by using enrolment single sign-on to reduce repeated authentication prompts. After a user is signed in, the new managed account is displayed prominently within Settings and System Settings.
As with User Enrolment, organisational data is cryptographically separated from personal data (see How Apple separates user data from organisation data). Due to this separation, some changes are required to the way apps and backups are handled. For example:
- Apps installed before MDM enrolment can’t be converted to become Managed Apps.
- Managed Apps are always removed during unenrolment.
- Restoring from a backup doesn’t restore MDM enrolment.
- Users who sign in with their personal Apple ID can’t accept an invitation for Managed App distribution.
Because the discovery process uses the same com.apple.remotemanagement discovery file as User Enrolment, organisations can choose, based on the device model and Managed Apple ID of the user, which account-driven enrolment type (User Enrolment or Device Enrolment) should be used.
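The following is an added example, not Apple's code or part of this guide, of a minimal service-discovery responder that makes the choice described above. It assumes (not stated on this page) that the device requests `/.well-known/com.apple.remotemanagement` with `user-identifier` and `model-family` query parameters, and that the JSON reply lists servers with a `Version` of `mdm-byod` (User Enrolment) or `mdm-adde` (Device Enrolment); the domains, URL and model policy are constructed.

```python
"""Service-discovery responder for account-driven enrolment (added example).

Assumed request/response format (not from this page):
  GET /.well-known/com.apple.remotemanagement?user-identifier=<Managed Apple ID>&model-family=<family>
  200 {"Servers": [{"Version": "mdm-byod" | "mdm-adde", "BaseURL": "https://..."}]}
"""
import json
from urllib.parse import parse_qs, urlsplit

DISCOVERY_PATH = "/.well-known/com.apple.remotemanagement"

# Constructed policy values for the example organisation.
ORG_DOMAINS = {"example.edu"}            # domains of the org's Managed Apple IDs
DEVICE_ENROLMENT_MODELS = {"Mac"}         # families that get Device Enrolment (supervised)
MDM_BASE_URL = "https://mdm.example.edu"  # must be HTTPS; the device will talk MDM to it


def choose_enrolment(user_identifier: str, model_family: str):
    """Return 'mdm-adde', 'mdm-byod', or None when the request should be refused.

    Only Managed Apple IDs in the organisation's own domains get an answer, so the
    endpoint does not hand an enrolment URL to arbitrary lookups.
    """
    if "@" not in user_identifier:
        return None
    domain = user_identifier.rsplit("@", 1)[1].lower()
    if domain not in ORG_DOMAINS:
        return None
    # Device model decides the enrolment type: Macs are enrolled with Device
    # Enrolment (which enforces supervision); everything else gets User Enrolment.
    return "mdm-adde" if model_family in DEVICE_ENROLMENT_MODELS else "mdm-byod"


def discovery_response(request_url: str):
    """Map a discovery request URL to an (HTTP status, body) pair."""
    parts = urlsplit(request_url)
    if parts.path != DISCOVERY_PATH or not MDM_BASE_URL.startswith("https://"):
        return 404, ""
    query = parse_qs(parts.query)
    user = query.get("user-identifier", [""])[0]
    model = query.get("model-family", [""])[0]
    version = choose_enrolment(user, model)
    if version is None:
        return 404, ""  # unknown user domain: no enrolment offered
    body = {"Servers": [{"Version": version, "BaseURL": MDM_BASE_URL + "/enrol"}]}
    return 200, json.dumps(body)
```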
How Apple separates user data from organisation data
The table below shows how Apple separates user data from the organisation’s data with Device Enrolment.
Data | Can MDM see it? | Supported operating systems
---|---|---
Capacity and space available | Yes | iOS, iPadOS, macOS, visionOS 1.1
Device name | Yes | iOS, iPadOS, macOS, tvOS, visionOS 1.1
Installed apps | Yes | iOS, iPadOS, macOS, tvOS, visionOS 1.1
Model name and number | Yes | iOS, iPadOS, macOS, tvOS, visionOS 1.1
Operating system version number | Yes | iOS, iPadOS, macOS, tvOS, visionOS 1.1
Phone number | Yes | iOS
Serial number | Yes | iOS, iPadOS, macOS, tvOS, visionOS 1.1
Device location | No | iOS (Supervised), iPadOS (Supervised)
FaceTime or phone call logs | No | iOS, iPadOS, macOS, visionOS 1.1
Frequency of app use | No | iOS, iPadOS, macOS, tvOS, visionOS 1.1
iMessage or SMS messages | No | iOS, iPadOS, macOS, visionOS 1.1
Personal calendars, contacts, mail, notes, reminders | No | iOS, iPadOS, macOS, visionOS 1.1
Safari browser history | No | iOS, iPadOS, macOS, visionOS 1.1