Apple Smart Enrollment

If you have ever dreamed of fully automating the device enrollment process and assigning policies conditionally based on user data (name, email, user groups) or device data (IMEI, serial number, etc.), Smart Enrollments are the tool you have been looking for.

Introduction

Smart Enrollments are the most efficient way to manage device enrollments in an unattended manner. They allow you to define a set of rules and conditions that must be met for a device to be enrolled and, in addition, to conditionally assign policies based on these rule sets.

Smart Enrollments are useful for:

  • Limiting device enrollment
    • Based on user authentication through SSO integrations (user groups or email patterns)
    • Based on device information (IMEI, serial number)
  • Conditionally assigning different policies based on rules
  • Automating Apple DEP enrollments to enable unattended zero-touch experiences
  • Creating local accounts based on user information retrieved after authentication through Applivery Connect (SSO integration)

Note that Smart Enrollments is a feature that only works with devices that are enrolled through the Apple Device Enrollment Program (DEP). You can read more about Apple DEP here.

Smart Enrollment configuration

Let’s get started configuring your first Smart Enrollment. First, go to Device Management > Configuration and choose Smart Enrollment from the Apple left menu. Then click the + Create Smart Enrollment button.

In the modal view, fill out the form:

  • Name: choose a friendly name for your new Smart Enrollment.
  • Description: choose a friendly description for your new Smart Enrollment.
  • Policy: choose the policy that will be applied to the device from the policies library. If you still don’t have any pre-defined policies, just type a name and a new empty policy will be created.
  • VPP Location: choose the VPP Location that will be used to manage app licenses. Licenses will be associated automatically with this device from this ABM location.
  • Optionally, configure the Account configuration form to create local accounts automatically. Note that both Admin and Primary accounts can be created at the same time. You can also use placeholders that will be replaced automatically with the information coming from the SSO authentication process.
    • Admin account supports configuring the full name, username and password of the user. You can also hide it from the login window and set some other options.
    • Primary account supports configuring just the full name and username. The password must be selected by the user when configuring the device for the very first time.

If you click Save at this point, you will have finished setting up your basic Smart Enrollment and will be able to start enrolling devices.

Applying conditions and rules

Now that you have your basic Smart Enrollment configured, you can add Conditions (1) and Rules (2) that will make it smarter.

Use the “Add condition” option to enable enrollment limits based on user information (such as email patterns or groups) and device information (IMEI, Serial number, etc). You can use conditional operators to make it as complex as you need.

You can also use the “Add additional rule” option to create groups of conditions, each of them with a target policy. As you will see, each group of conditions also contains its own VPP Location, Activation Lock configuration and local account configuration and, of course, as many Conditions as you need.

Once done, click Save.

Deploying Smart Enrollments

To finish, you have to assign Smart Enrollments to your ABM DEP devices, so head to Device Management > Configuration and click DEP under the Apple menu.

Click one of your DEP devices and click Configure below the Smart Enrollment option that will appear in the side panel.

Lastly, choose a Smart Enrollment from the dropdown list and then click Assign to finish.