Add Company-Owned Apple Devices to MDM with Device Enrollment

If your company-owned macOS device wasn't added to your Apple Business Manager (ABM) or Apple School Manager (ASM) account, you can't use Apple’s Automated Device Enrollment (ADE) to enroll the device. Instead, you can use Device Enrollment to download, distribute, and install your organization’s JumpCloud MDM enrollment profile. Enrollment profiles aren't device-specific, and you can download the profile from the MDM or Devices tab in the JumpCloud Admin Portal. The disadvantage of enrolling devices with this method is that the process can be time-intensive and might require physical access to the machine.

Prerequisites:

• Device Enrollment is only appropriate for devices running macOS 11.0 Big Sur or later that aren't enrolled via Automated Device Enrollment (ADE).
• MDM has to be configured for your org. See Set Up Apple MDM to learn more.
• End-user network connectivity has to be available for device provisioning. 

Considerations:

• Installing the enrollment profile also installs the JumpCloud agent.

• Apple's Stolen Device Protection, when activated, may impose a one hour Security Delay for MDM enrollments if the device is not in a familiar location. To avoid delay or errors during enrollment, ensure the user is in a familiar location, or temporarily deactivate the feature before attempting enrollment. See Apple's Use Stolen Device Protection to learn more.

Adding macOS Devices to MDM

Follow this process to use Device Enrollment to enroll a company-owned macOS device in MDM:

1. (IT Admin) Download your org's MDM enrollment profile: This gives you an enrollment profile that you'll use to enroll devices. 
2. (IT Admin) Distribute the enrollment profile: This delivers the profile to your end users.
3. (End User) Install the enrollment profile: This installs the JumpCloud agent and service account on the device.
4. (IT Admin) Bind the device to the user in the JumpCloud Admin Portal: This allows the user that's bound to the device to be managed in JumpCloud.

Downloading your org’s MDM enrollment profile

You can access and download the MDM enrollment profile from two locations in the Admin Portal.

Option 1: Download from MDM Settings

1. Log in to the JumpCloud Admin Portal.
2. Go to Device Management > MDM and click the Apple tab.
3. Under APNs Configuration for MDM, click Download Profile. This downloads the enrollment profile file directly to your computer. The default filename is profile_jc.mobileconfig.

Option 2: Download from the Devices List

1. From the JumpCloud Admin Portal, go to Device Management > Devices.
2. Click (+) Device.
3. Under Add Device, click the Mac tab.
4. Under Mac Install - Enrollment Method, select Install via MDM Enrollment Profile.
5. Choose one of the following distribution methods:
   • Download MDM Enrollment Profile - Downloads the enrollment profile file directly to your computer for distribution via email, Slack, or a shared drive. This is the same file from option 1.
   • Copy Download Link - Copies a URL to the clipboard that you can send directly to users.

Distributing the enrollment profile

1. Distribute (either through email, Slack, or a physical transfer) the enrollment profile file to each user. The enrollment profile is the same for all users.
   1. If you email the enrollment profile file to users, note that JumpCloud enforces settings that are applied to a device and not a specific user.
   2. When transferring files physically, USB ports could be disabled by a policy, so check your policies in the JumpCloud Admin Portal if you are using this method.

Installing the enrollment profile on macOS 13 Ventura and Later

1. Double-click the enrollment profile file that your Admin provided.
2. Open System Settings and navigate to the location matching your macOS version:
   • macOS 15 Sequoia and later - Go to General > Device Management.
   • macOS 13 Ventura and 14 Sonoma - Go to Privacy & Security > Profiles.
3. Double-click on the MDM Enrollment Profile, then click Enroll.
   
4. You'll be prompted for your device’s account password.
   1. Allow two to three minutes for MDM Configuration Profiles and the JumpCloud agent to install.
   2. Upon completion, a list of profiles will populate in the list.
5. The JumpCloud Service Account Utility will automatically open and prompt you to choose your username and enter your device’s account password.
   

6. Select your user account from the dropdown menu, enter your password, then click Create Account.
   • If your username isn't listed in the dropdown, contact your Admin for help.
7. The Mac is now enrolled in the JumpCloud Admin Portal.
   1. Notify your Admin that the installation is complete on your end.
   2. When your Admin has finished the binding process, they'll prompt you to log out of your Mac user account and log back in. Confirm your previous password and your new JumpCloud password when prompted.

Installing the enrollment profile on macOS Monterey and earlier

1. Double-click on the enrollment profile that your Admin provided. 
2. Go to System Preferences > Profiles to view the MDM Enrollment profile. 
   

3. Click Install….
4. You'll be prompted for your device’s account password.
   1. Allow two to three minutes for MDM Configuration Profiles and the JumpCloud agent to install.
   2. Upon completion, a list of profiles will populate in the sidebar.
5. The JumpCloud Service Account Utility will automatically open and prompt you to choose your username and enter your device’s account password.
   

6. Select your user account from the dropdown menu, enter your password, then click Create Account.
   • If your username is not listed in the dropdown, contact your Admin for help.
7. The Mac is now enrolled in the JumpCloud Admin Portal.
   1. Notify your Admin that the installation is complete on your end.
   2. When your Admin has finished the binding process, they'll prompt you to log out of your Mac user account and log back in. Confirm your previous password and your new JumpCloud password when prompted.

Binding the macOS device to the user in JumpCloud

1. Verify that the service account was created for the macOS device.
   • See Install and Use the Service Account for MacOS to learn more.
2. From the JumpCloud Admin Portal, go to User Management > Users.
3. Select the user.
4. Click the Devices tab and select the device that you want to bind to this user.
5. To bind the user to a device, click Save User.

Adding iOS Devices to MDM 

Prerequisites:

• This info applies to company-owned iOS devices only. For personal devices, see Add Personal Apple Devices to MDM with User Enrollment to learn more.

There are two ways to enroll a company-owned iOS device in MDM. The method depends on whether you have the device in hand (QR code) or not (enrollment profile):

1. QR code: Scan the QR code in the Admin Portal and set up the device before handing it to the employee.
   • If you don't have access to the company-owned device, you can also email the Direct Link to the QR code to the user to scan.
2. Enrollment profile: Download and distribute your org’s JumpCloud MDM enrollment profile, and have the user install the profile on the device.

Enrolling via QR code

Have the iOS device handy because you’ll scan a QR code and set the device up before handing it over to the employee.

1. From the JumpCloud Admin Portal, go to Device Management > MDM and click the Apple tab.
2. Under iOS Enrollment > Company-owned Device Enrollment, click View QR Code.

3. Follow the steps to scan the QR code, download the MDM enrollment profile, and install it on the device.
   • If for some reason the QR code does not scan, click Direct Link to enroll the device.

4. View the enrolled device by going to Device Management > Devices. 
5. Select the device you just enrolled and click the Insights tab to view more info, such as OS version, serial number, MDM Device ID, and storage usage.
6. (Optional) If you want to enforce lock timers and PIN codes, you can create and apply a policy. See Configure Settings for iOS and iPadOS Policies to learn more.
7. Deliver the enrolled device to the user.

Enrolling via enrollment profile

If a company-owned iOS device was not added to your ABM or ASM account, you can’t use Apple’s Automated Device Enrollment. You can instead download and distribute your organization’s JumpCloud MDM enrollment profile, and have users install it. 

1. Download your org's enrollment profile.
2. From the JumpCloud Admin Portal, go to Device Management > MDM and click the Apple tab.
3. Under iOS Enrollment > Company-owned Device Enrollment, click View QR Code, then click Direct Link below the QR code to download the iOS MDM enrollment profile. The iOS MDM enrollment profile expires after 1 hour.
4. Distribute the enrollment profile file to each user. If you email the enrollment profile file to users, note that JumpCloud enforces settings that are applied to a device and not a specific user. 
5. Verify that the user is on the device you want to manage when the user installs and approves the enrollment profile. 
6. Instruct the user to install the enrollment profile on their devices and approve the profile:
   1. Tap Allow to download the profile.
   2. Tap Close to go to the profile in Settings.
   3. Tap Profile Downloaded, then tap Install to install the MDM enrollment profile.
   4. Tap Trust to enroll this device in MDM.
   5. After the profile is installed, tap Done.
      
      

7. Assign the device to the user.
   1. From the JumpCloud Admin Portal, go to User Management > Users.
   2. Select a user.
   3. Click the Devices tab and select the iOS device that you want to assign to this user.
   4. Click Save User.