Configure Automated Device Enrollment

Remotely enroll macOS, iOS, and iPadOS devices in Mobile Device Management (MDM). Automated Device Enrollment lets you automatically enroll devices into JumpCloud MDM during the device out-of-box experience. After devices are enrolled in JumpCloud MDM, IT Admins have management and configuration control over managed devices. With a customized setting, Zero-Touch Automated Device Enrollment Onboarding can also automatically bind the user to the device after authentication.

Summary: You will configure Automated Device Enrollment for your organization. Next, you will add your device to the MDM server. Then, you will sync the device with Apple. Finally, you will configure your end users' zero-touch experience.

  • Step 1 – Configure Automated Device Enrollment for your Organization
  • Step 2 – Add Device to the MDM Server
  • Step 3 – Sync Device to JumpCloud
  • Step 4 – Configure your End Users’ Experience
  • Step 5 – Renew Your Automated Device Enrollment Token Annually

Step 1: Configure Automated Device Enrollment for your Organization

  1. Log in to the JumpCloud Admin Portal: https://console.jumpcloud.com.
  2. Go to DEVICE MANAGEMENT > MDM.
  3. On the MDM home page, click get started under Automated Device Enrollment Configuration.
  4. In Set Up Apple’s Automated Device Enrollment, click download under Generate a Key. JumpCloud downloads a certificate that contains a key. Apple uses this to encrypt the Automated Device Enrollment token.
  5. Under Sign in to Apple, click sign into Apple Business Manager and enter your credentials. If you have an education account, click sign into Apple School Manager.
  6. Add your MDM server:
  7. Select your profile name, then select Preferences.
  8. Select MDM Server Assignment, then click Add MDM Server.
  9. Enter a name for your company’s MDM server and leave Allow this MDM Server to release devices selected.
  10. Click Choose File.
  11. Locate the jumpcloud-dep.pem file downloaded in Step 4, select it, and click Open.
  12. Click Save.
  13. Download the token by selecting the server and clicking Download Token, then clicking Download Server Token.
  14. In the Admin Portal, go to Set Up Apple’s Automated Device Enrollment and under Upload Automated Device Enrollment Token, install the new token by clicking Browse or dragging and dropping the server token for your MDM server.
  15. Click complete setup.

For more information on Apple’s Automated Device Enrollment, see the Getting Started Guide for Apple Business Manager.

Step 2: Add the Device to the MDM Server

  1. Log in to ABM or ASM.
  2. Click Devices and select your device. You may want to search for it by serial number.
  3. Click Edit MDM Server.
  4. Select Assign to the following MDM and choose your MDM server from the list.
  5. Click Continue, then click Confirm.
  6. Verify that the device was added to your MDM server.

The sync process between Apple and JumpCloud ensures the device will contact JumpCloud’s MDM server on first boot to enroll in MDM.

Step 3: Sync the Device to JumpCloud

Tip:

Perform these steps every time you add new devices in ABM or ASM.

  1. Log in to the JumpCloud Admin Portal: https://console.jumpcloud.com.
  2. Go to DEVICE MANAGEMENT > MDM.
  3. On the MDM home tab, click sync with Apple under Automated Device Enrollment Devices to ensure that your list of JumpCloud Automated Device Enrollment devices matches what is in ABM or ASM.

From here, you can configure your end users' experience on company-owned Apple devices from day 1. For macOS users, see Configure your macOS users' zero-touch experience. For iOS users, see Configure your iOS users' zero-touch experience.

Step 4: Configure your End Users’ Experience

Configure your macOS users’ zero-touch experience

  1. Log in to the JumpCloud Admin Portal: https://console.jumpcloud.com.
  2. Go to DEVICE MANAGEMENT > MDM.
  3. Under Automated Device Enrollment Configuration in the MDM Home tab, click configure macOS to configure your zero-touch experience.
  4. Select the JumpCloud device group to automatically bind to this device. Default device groups can use a policy to ensure that all devices enrolling in Automated Device Enrollment get the security and compliance levels applied immediately during enrollment.
    • None – This device won’t be bound to a device group.
    • An existing group – Select a macOS group that you already created.
    • New group – Click Create New Group to add a new device group and then return here to bind it to the device.

Note:

If the default device group you select is configured to update group membership dynamically, ensure that the group's membership rules are compatible with the devices you're expecting to auto-enroll. See Configure Dynamic Device Groups for more information.

Tip:

Verify that you’ve included all the policies you want for the device group. Do not include the JumpCloud MDM Enrollment policy, as this is already implemented during automated enrollment.

  5. Customize the Welcome screen title, description, button name, and logo that your users see:
    • Screen Title – Update the title of the Welcome screen.
    • Description – Add critical information to the Welcome screen.
    • Button – Type a new name for the button. The default is continue.
    • Logo – Add your logo to the Welcome screen by going to Settings, selecting Organization Profile, and uploading it.
  6. Select the screens that you do not want your users to see during account configuration. Controlling what users see can help you troubleshoot any onboarding issues:
    • Select all – None of these screens show during account configuration.
    • Select a screen – Select a specific screen to exclude it during account configuration.
  7. Select Enable to turn on User authentication, which requires users to authenticate during Automated Device Enrollment. A successful macOS authentication automatically binds the user’s JumpCloud account to the device with Sudo Admin permissions. If users aren’t prompted to authenticate when they power up their devices, you didn’t enable user authentication here.

Tip:

After the macOS user authenticates, you can change the user's permissions to remove Sudo Admin permissions. See Set Admin/Sudo Permissions.

  8. Click save.
  9. You can require users to change a password when authenticating during Automated Device Enrollment:
    1. Go to USER MANAGEMENT > Users.
    2. Select the checkbox for one user or select all users, then click more actions.
    3. Choose Force Password Change. The user must reset the password when authenticating during Automated Device Enrollment.
    4. Click force change.
  10. After the user authenticates, verify that the user was automatically bound to the macOS device and has Sudo permissions:
    1. Go to DEVICE MANAGEMENT > Devices.
    2. Select the device and select the Users tab.
    3. Verify that the correct user appears as an Admin with Sudo permissions on the device. Each macOS device requires at least one admin account as part of MDM enrollment.

To see a simulation of what your macOS user will see when they open the box and log in to their new device, see Set Up a New Mac Device.

Note:

The actual screens might be slightly different depending on the screens that you chose when you customized the zero-touch settings.

If an unsupported macOS device is assigned to the JumpCloud MDM server in ABM, it will attempt to install the agent, which will generate an error and cause the device to hang at the install screen. The device will need to have the JumpCloud MDM server unassigned in ABM. This can be done by removing the JumpCloud MDM server from the Default Device Assignment under Device Management Settings or by changing the Device Management settings for the individual device.

Configure your iOS users’ zero-touch experience

  1. Log in to the JumpCloud Admin Portal: https://console.jumpcloud.com.
  2. Go to DEVICE MANAGEMENT > MDM.
  3. Under Automated Device Enrollment Configuration in the MDM home tab, click configure iOS and iPadOS to configure your zero-touch experience.
  4. Select a JumpCloud iOS device group to automatically bind to this device. Default device groups can use a policy to ensure that all devices enrolling in Automated Device Enrollment get the security and compliance levels applied immediately during enrollment.
    • None – This device won’t be assigned to a device group.
    • An existing group – Select an iOS device group that you already created.
    • New group – Click Create New Group to add a new group and then return here to bind the group to the device.

Tip:

Verify that you’ve included all the policies you want for the device group. Do not include the JumpCloud MDM Enrollment policy, as this is already implemented during automated enrollment.

  5. Customize the Welcome screen title, description, and button name that your users see:
    • Screen Title – Update the title of the Welcome screen.
    • Description – Add critical information to the Welcome screen.
    • Button – Type a new name for the button. The default is continue.
    • Logo – Add your logo to the Welcome screen by going to Settings, selecting Organization Profile, and uploading your logo.
  6. Select the screens that you do not want your iOS users to see during device configuration. Controlling what users see can help you troubleshoot any issues:
    • Select all – None of these screens show during device configuration.
    • Select a screen – Select the screens to exclude during configuration.
  7. Select Enable to turn on User authentication, which requires users to authenticate during Automated Device Enrollment. A successful iOS authentication automatically assigns the JumpCloud user to the device. If users aren’t prompted to authenticate when they power up their devices, you did not enable user authentication here.
  8. Click save.
  9. To increase device security, you can require users to change their password when authenticating during Automated Device Enrollment:
    1. Go to USER MANAGEMENT > Users.
    2. Select the checkbox for one user or select all users, then click more actions.
    3. Choose Force Password Change. The user must reset the password when authenticating during Automated Device Enrollment.
    4. Click force change.
  10. After the user authenticates, verify that the user is assigned to the device and that the device appears in the Devices list:
    1. Go to DEVICE MANAGEMENT > Devices.
    2. Select Devices, select the device, then select Users.

Step 5: Renew Your Automated Device Enrollment Token Annually

You need to renew Apple’s Automated Device Enrollment server token every year to continue enrolling new devices with Automated Device Enrollment. Your token expiration date is visible in the MDM home page under Automated Device Enrollment Configuration.

  1. Log in to the JumpCloud Admin Portal: https://console.jumpcloud.com.
  2. Go to DEVICE MANAGEMENT > MDM.
  3. On the MDM home tab, click renew under Automated Device Enrollment Configuration.
  4. Under Sign in to Apple, click sign into Apple Business Manager, then enter your credentials. (If you have an education account, click sign into Apple School Manager.)
  5. In ABM or ASM, select your profile name and choose Preferences.
  6. Under Your MDM Servers, select your MDM server.
  7. Click Download Token, then click Download Server Token.
  8. In the JumpCloud Admin Portal, return to the Renew Apple’s Automated Device Enrollment page.
  9. Under Upload Automated Device Enrollment Token, click Browse or drag and drop the new Automated Device Enrollment token for your MDM server.
  10. Click complete. A message on the MDM home tab indicates that your Automated Device Enrollment configuration was renewed.

Troubleshooting

Repairing an Out-of-Sync Automated Device Enrollment Token

You can repair an out-of-sync Automated Device Enrollment token when it is invalidated or when a Mobile Device Management (MDM) server in ABM has been deleted.

Prerequisites:

  • An account with Apple Business Manager (ABM) or Apple School Manager (ASM) is required, with the role of Administrator or Content Manager.

Repairing Automated Device Enrollment and ABM Synchronization

If your MDM server token is out of sync, you can re-upload a JumpCloud-generated Automated Device Enrollment Key into your MDM Device Server to re-sync your Apple devices with JumpCloud.

When an MDM Server token is out of sync, the JumpCloud Admin Portal displays the following message when attempting to refresh your Automated Device Enrollment Device List:

JumpCloud's list of Automated Device Enrollment devices could not be updated to match your Apple Business Manager list. Please try again.

  1. Retrieve your MDM ID using the JumpCloud API and the curl command from a supported command line interface, such as Terminal on macOS. After JumpCloud MDM is configured, a unique MDM ID is generated; this ID is required to make changes to your MDM settings. The output of the following GET request contains your MDM ID (the id field).

curl -X GET https://console.jumpcloud.com/api/v2/applemdms \
-H 'accept: application/json' \
-H 'content-type: application/json' \
-H 'x-api-key: {API_KEY}'

  2. Use your MDM ID to generate your JumpCloud Automated Device Enrollment Key:

curl -X GET https://console.jumpcloud.com/api/v2/applemdms/{MDM_ID_FROM_ABOVE_HERE}/depkey \
-H 'Accept: application/x-pem-file' \
-H 'content-type: application/json' \
-H 'x-api-key: {API_KEY}'

  3. The resulting certificate should resemble the output below:

-----BEGIN CERTIFICATE-----
[base64-encoded certificate body]
-----END CERTIFICATE-----

  4. Create a new .pem file using the following command: touch jc_depkey.pem
  5. Copy and paste the Automated Device Enrollment key into the file, including the Begin Certificate and End Certificate lines.
  6. Save the .pem file.
  7. Log in to your ABM or ASM account.
  8. Select your profile name, then click Preferences.
  9. Select MDM Server Assignment, then select the MDM server you want to sync with JumpCloud.
  10. Click Edit.
  11. Under MDM Server Settings, click Upload New, then upload the jc_depkey.pem file.
  12. Click Save.
  13. Click Download Token.
  14. Log in to the JumpCloud Admin Portal: https://console.jumpcloud.com/login.
  15. Go to DEVICE MANAGEMENT > MDM.
  16. In the MDM Home page under Automated Device Enrollment Configuration, click renew.
  17. Upload the newly downloaded token from ABM or ASM.
  18. Click Complete.
  19. After the token is renewed, click sync with Apple to refresh your Automated Device Enrollment Device List. A successful synchronization will display the following message, and your Automated Device Enrollment devices will be listed as expected.
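The API part of the repair procedure above (fetch the MDM ID, request the depkey, save it as jc_depkey.pem), scripted as an added shell example. This is not JumpCloud's own tooling and not code from the article. It assumes the admin API key is exported as JC_API_KEY and that the /api/v2/applemdms response carries the MDM ID in an id field as a quoted hex string; the response-parsing and PEM-validation functions run offline, and the network calls only run when the script is started with --live.

```shell
#!/bin/sh
# Added example, not JumpCloud's own tooling. Automates the API part of the
# token repair: fetch the MDM ID, download the Automated Device Enrollment key,
# save it as jc_depkey.pem and sanity-check the PEM before it goes to ABM/ASM.
# Assumptions: JC_API_KEY holds the admin API key; the /api/v2/applemdms
# response carries the MDM ID in an "id" field as a quoted hex string.
set -eu

JC_API="https://console.jumpcloud.com/api/v2"

# Pull the first "id" value out of the applemdms JSON response (first match
# only, so an "id" inside a nested object further along is ignored).
# grep/sed only, so it works in a stock macOS Terminal without jq.
extract_mdm_id() {
  printf '%s' "$1" | tr -d '\n' \
    | grep -o '"id"[[:space:]]*:[[:space:]]*"[0-9a-fA-F]*"' \
    | head -n 1 \
    | sed 's/.*"\([0-9a-fA-F]*\)"$/\1/'
}

# Verify the saved file is a single PEM certificate: BEGIN marker first,
# END marker last (blank lines ignored), and a non-empty body in between.
# Catches the usual paste mistakes (missing marker line, empty body, an
# HTML error page saved instead of the key) before the upload to ABM/ASM.
check_pem() {
  f="$1"
  [ -f "$f" ] || return 1
  first=$(grep -v '^[[:space:]]*$' "$f" | head -n 1)
  last=$(grep -v '^[[:space:]]*$' "$f" | tail -n 1)
  [ "$first" = "-----BEGIN CERTIFICATE-----" ] || return 1
  [ "$last" = "-----END CERTIFICATE-----" ] || return 1
  sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$f" \
    | sed '1d;$d' | grep -q '[^[:space:]]' || return 1
}

# Live procedure: needs network access and a real API key. Run with --live.
fetch_depkey() {
  resp=$(curl -sS -X GET "$JC_API/applemdms" \
    -H 'accept: application/json' \
    -H "x-api-key: $JC_API_KEY")
  mdm_id=$(extract_mdm_id "$resp")
  [ -n "$mdm_id" ] || { echo "no MDM ID found in /applemdms response" >&2; return 1; }
  curl -sS -X GET "$JC_API/applemdms/$mdm_id/depkey" \
    -H 'Accept: application/x-pem-file' \
    -H "x-api-key: $JC_API_KEY" \
    -o jc_depkey.pem
  check_pem jc_depkey.pem \
    || { echo "jc_depkey.pem is not a valid PEM certificate" >&2; return 1; }
  echo "saved jc_depkey.pem for MDM $mdm_id; upload it under MDM Server Settings in ABM/ASM"
}

if [ "${1:-}" = "--live" ]; then
  : "${JC_API_KEY:?set JC_API_KEY to your JumpCloud API key}"
  fetch_depkey
fi
```

Once jc_depkey.pem is written, `openssl x509 -in jc_depkey.pem -noout -text` shows the certificate details, which is a quick way to confirm you uploaded the key that JumpCloud generated rather than a stale or truncated file. The API key is passed through an environment variable rather than pasted into the command so it does not end up in shell history.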
