![](\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/note-icon.png\"){kind=icon}
<\/p><\/div>
This process must be used for all devices running iOS\/iPadOS 18 or later. Profile-based user enrollment, where the user downloads a configuration profile onto their device, will fail for personal device enrollments on devices running iOS\/iPadOS 18 or later.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
Considerations<\/strong>:<\/p>\n\n\n\n
- \n
- Account-driven user enrollment is supported on iOS\/iPadOS 15 and later.<\/li>\n\n\n\n
- Account-driven user enrollment on macOS and visionOS is not supported in JumpCloud at this time.<\/li>\n\n\n\n
- Account-driven device enrollments are not supported in JumpCloud at this time.<\/li>\n<\/ul>\n\n\n\n
Prerequisites<\/strong>:<\/p>\n\n\n\n
- \n
- Users must have a Managed Apple Account (formally known as Managed Apple ID, or MAID) associated with their JumpCloud user account. Jump to Creating Managed Apple Accounts<\/a><\/li>\n\n\n\n
- Your Apple Business Manager must be configured correctly to validate that the Apple account used to sign in to iCloud is managed by your organization.\n
- \n
- In Apple Business Manager, go to Access Management<\/strong> > Apple Services<\/strong> and set Allow Managed Apple Account<\/strong> to Any<\/strong>.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
Creating Managed Apple Accounts<\/h2>\n\n\n\n
First, create Managed Apple Accounts either through federated authentication between Apple and your identity provider (Google Workspace, Microsoft Entra ID, or other)*, or manually in Apple Business Manager or Apple School Manager.<\/p>\n\n\n\n
*Federation between Apple and JumpCloud is in active development.<\/p>\n\n\n\n
<\/p><\/div>Note:<\/strong> \nReference the following Apple documentation on creating Managed Apple Accounts:<\/p>\n\n\n\n
- \n
- (PDF) Overview of Managed Apple IDs for Business<\/a><\/li>\n\n\n\n
- Managed Apple IDs for Apple devices – Apple Support<\/a><\/li>\n\n\n\n
- Intro to federated authentication with Apple Business Manager<\/a><\/li>\n\n\n\n
- Use Managed Apple IDs in Apple Business Manager – Apple Support<\/a><\/li>\n<\/ul>\n <\/div><\/div><\/div><\/div>\n\n\n\n
After the Managed Apple Accounts are created, they need to be associated with JumpCloud user accounts. See Run the MAID Import Script<\/a> for instructions.<\/p>\n\n\n\n
Setting Up a Well-Known URL<\/h2>\n\n\n\n
Prerequisites<\/strong>:<\/p>\n\n\n\n
- \n
- The well-known URL must be hosted on a domain that can handle HTTP GET requests and is the same domain that your end users sign in to. This allows devices to initiate a service discovery process to retrieve the information and direct your users to the JumpCloud enrollment endpoint.<\/li>\n<\/ul>\n\n\n\n
On your web server, implement the following well-known URL for MDM service discovery, replacing
yourdomain.com<\/code> with your org’s domain:<\/p>\n\n\n\nhttps:\/\/yourdomain.com\/.well-known\/com.apple.remotemanagement<\/code><\/code><\/p>\n\n\n\nNext, configure the redirect from this URL or host a file at this URL.<\/p>\n\n\n\nConfiguring a Redirect<\/h2>\n\n\n\nTo configure account-driven user enrollment using a redirect:<\/strong><\/p>\n\n\n\n
- \n
- Log in to the JumpCloud Admin Portal<\/a>.<\/li>\n\n\n\n
- Go to DEVICE MANAGEMENT<\/strong> > MDM<\/strong>. <\/li>\n\n\n\n
- On the Apple<\/strong> > Home<\/strong> tab, scroll to iOS Enrollment<\/strong>.<\/li>\n\n\n\n
- Under Account-driven User Enrollment Configuration<\/strong>, select Redirect<\/strong>.
![\"\"](\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/10\/adue-redirect.png\")
<\/li>\n\n\n\n - On your web server, define a redirect rule from the well-known URL you implemented above to the JumpCloud service discovery URL, making sure to place your JumpCloud org ID accordingly.\n
- \n
- From:
https:\/\/yourdomain.com\/.well-known\/com.apple.remotemanagement<\/code><\/li>\n\n\n\n To:https:\/\/apple.mdm.jumpcloud.com\/account-driven-service-discovery?organization_id=XXXXXXXXXXXXXXX<\/code><\/li>\n<\/ul>\n<\/li>\n<\/ol>\n\n\n\n<\/p><\/div>Note:<\/strong> \nThe steps to configure the redirect will look different depending on your solution. Below are resources for placing a redirect with popular web servers:<\/p>\n\n\n\n
- \n
- Apache: Redirect Directive<\/a><\/li>\n\n\n\n
- NGINX: Beginner’s Guide<\/a><\/li>\n<\/ul>\n <\/div><\/div><\/div><\/div>\n\n\n\n
Configuring a Redirect in Cloudflare<\/h3>\n\n\n\n
See Cloudflare’s Create rule in the dashboard<\/a> for more information on this process.<\/p>\n\n\n\n
To set up a redirect using Cloudflare Rules<\/strong>:<\/p>\n\n\n\n
- \n
- Log in to your Cloudflare account.<\/li>\n\n\n\n
- Select the domain you want to redirect.<\/li>\n\n\n\n
- From the Rules<\/strong> tab, click Redirect Rules<\/strong>.<\/li>\n\n\n\n
- Click Create Rule<\/strong> and give the rule an descriptive name.<\/li>\n\n\n\n
- Under When incoming requests match<\/strong>, select Wildcard pattern<\/strong>.<\/li>\n\n\n\n
- In the Request URL<\/strong> field, enter
https:\/\/example-domain.com\/.well-known\/com.apple.remotemanagement*<\/code> whereexample-domain.com<\/code> is your root domain. Remember to include the asterisk after com.apple.remotemanagement.<\/li>\n\n\n\n In the Target URL<\/strong> field, enterhttps:\/\/apple.mdm.jumpcloud.com\/account-driven-service-discovery?organization_id=XXXXXXXXXXXXXXXXXXXXX<\/code> where XXXXXXXXXXXXXXXXXXXXX is replaced with your JumpCloud Organization ID.<\/li>\n\n\n\nFor Status Code<\/strong>, choose 301.<\/li>\n\n\n\nLeave Preserve Query String<\/strong> unchecked.<\/li>\n\n\n\nClick Deploy<\/strong>.<\/li>\n<\/ol>\n\n\n\nOnce the redirect rule is active, any requests to the specified path will be redirected to the specified URL. It may take some time for the rule to take effect due to Cloudflare’s caching.<\/p>\n\n\n\n
Configuring a Redirect in Shopify<\/h3>\n\n\n\n
See Shopify’s Creating and managing URL redirects<\/a> for more information on this process.<\/p>\n\n\n\n
To set up a URL redirect in Shopify<\/strong>:<\/p>\n\n\n\n
- \n
- From your Shopify admin, go to Settings<\/strong> > Apps and sales channels<\/strong>.<\/li>\n\n\n\n
- From the Apps and sales<\/strong> channels page, click Online store<\/strong>.<\/li>\n\n\n\n
- Click Open sales channel<\/strong>.<\/li>\n\n\n\n
- Click Navigation<\/strong>.<\/li>\n\n\n\n
- Click View URL Redirects<\/strong>.<\/li>\n\n\n\n
- Click Create URL redirect<\/strong>.<\/li>\n\n\n\n
- In Redirect from<\/strong>, enter
\/.well-known\/com.apple.remotemanagement<\/code><\/li>\n\n\n\n In Redirect to, enterhttps:\/\/apple.mdm.jumpcloud.com\/account-driven-service-discovery?organization_id=XXXXXXXXXXXXXXXXXXXXX <\/code>whereXXXXXXXXXXXXXXXXXXXXX<\/code> is replaced with your JumpCloud Organization ID.<\/li>\n\n\n\nClick Save redirect<\/strong>.<\/li>\n<\/ol>\n\n\n\nConfiguring a Redirect in Squarespace<\/h3>\n\n\n\n
See Squarespace’s URL mappings documentation<\/a> for more information on this process.<\/p>\n\n\n\n
To set up a URL redirect in Squarespace<\/strong>:<\/p>\n\n\n\n
- \n
- Open Developer Tools<\/strong>.<\/li>\n\n\n\n
- Click URL Mappings<\/strong>.<\/li>\n\n\n\n
- Click into the text field to add the redirect, following this format, where
XXXXXXXXXXXXXXXXXXXXX<\/code> is replaced with your JumpCloud Organization ID.:<\/li>\n<\/ol>\n\n\n\n\n\/.well-known\/com.apple.remotemanagement -> https:\/\/apple.mdm.jumpcloud.com\/account-driven-service-discovery?organization_id=XXXXXXXXXXXXXXXXXXXXX 301<\/code><\/p>\n<\/div><\/div>\n\n\n\n- Click Save<\/strong>.<\/li>\n<\/ol>\n\n\n\n
Configuring a Self-Hosted File<\/h2>\n\n\n\n
Although a self-hosted file is less flexible than a Redirect, it may be useful if you do not have access to your web server configuration. <\/p>\n\n\n\n
![](\"\/wp-content\/themes\/jumpcloud\/assets\/images\/gutenberg-blocks\/tip-icon.png\")
<\/p><\/div>Tip:<\/strong> \nFor more information about the service discovery process, see Apple\u2019s Discover Authentication Servers<\/a> from the Apple Developer website.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
To configure account-driven user enrollment using a self-hosted file:<\/strong><\/p>\n\n\n\n
- \n
- Log in to the JumpCloud Admin Portal<\/a>.<\/li>\n\n\n\n
- Go to DEVICE MANAGEMENT<\/strong> > MDM<\/strong>. <\/li>\n\n\n\n
- On the Apple<\/strong> > Home<\/strong> tab, scroll to iOS Enrollment<\/strong>.<\/li>\n\n\n\n
- Under Account-driven User Enrollment Configuration<\/strong>, select Self Host<\/strong>.
![\"\"](\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/10\/adue-self-host.png\")
<\/li>\n\n\n\n - A JSON configuration snippet appears. Click Download JSON<\/strong>.<\/li>\n\n\n\n
- Publish the file on the well-known URL you created above.<\/li>\n<\/ol>\n\n\n\n
Setting up a Web Server to Host the File<\/h3>\n\n\n\n
To host the JumpCloud enrollment information on a web server, you must define the path to your web server. If the verified domain you use for Managed Apple Accounts is already configured to host files, you can host the enrollment information at the same hosting location. If your environment is not configured to do so, you must set up a web server to host the information.<\/p>\n\n\n\n
<\/p><\/div>Note:<\/strong> \nJumpCloud recommends consulting your internal web services and hosting team to help you complete this task.<\/p>\n <\/div><\/div><\/div><\/div>\n\n\n\n
Prerequisites<\/strong>:<\/p>\n\n\n\n
- \n
- The web server must have the same fully qualified domain name (FQDN) as the verified domain that the Managed Apple Accounts belong to, and web services must be enabled.<\/li>\n\n\n\n
- The SSL certificate for the web server must be issued by a trusted certificate authority. For a list of trusted root certificates, see Apple’s List of available trusted root certificates<\/a>.<\/li>\n\n\n\n
- The JSON file must be hosted on a server that supports HTTPS GET requests. Requests contain query parameters, such as user-identifier<\/strong> and model-family<\/strong>, which are passed through to JumpCloud when the device is redirected for enrollment.<\/li>\n<\/ul>\n\n\n\n
The resulting URL for the file must be similar to the following, where
example_domain.com<\/code> is the same format and domain as the Managed Apple Accounts’ email address:https:\/\/example_domain.com\/.well-known\/com.apple.remotemanagement<\/code><\/p>\n\n\n\nConfigure the server to return the appropriate Content-Type<\/strong> header with the file, as follows:Content-Type is ‘application\/json’<\/code><\/p>\n\n\n\n<\/p><\/div>Note:<\/strong> \nYour server software may refer to Content-Type as “MIME type.”<\/p>\n\n\n\n
For more information about how to modify the MIME type, see the following documentation:<\/p>\n\n\n\n
- \n
- Apache: Apache Module mod_mime<\/a> <\/li>\n\n\n\n
- NGINX: Full Example Configuration<\/a> <\/li>\n\n\n\n
- Microsoft: Adding Static Content MIME Mappings<\/a> <\/li>\n<\/ul>\n <\/div><\/div><\/div><\/div>\n\n\n\n
Testing the Enrollment Configuration<\/h2>\n\n\n\n
To test your configuration<\/strong>:<\/p>\n\n\n\n
- \n
- Back in the JumpCloud Admin Portal, under Under Account-driven User Enrollment Configuration<\/strong>, enter your domain in the Test Your Configuration<\/strong> field and click Test<\/strong>.<\/li>\n\n\n\n
- If successful, the JumpCloud Admin Portal returns a success message: “Account-driven Configuration Successful for {Entered Domain}”<\/li>\n\n\n\n
- Alternatively, if incorrectly configured, you will receive an error message similar to the following: \u201cAn error occurred. Account-driven Configuration for {Entered Domain} could not be verified.\u201d<\/li>\n<\/ol>\n\n\n\n
Troubleshooting Error Messages<\/h3>\n\n\n\n
- \n
- Verification failed to get a well-known URL. Please check your info and try again.<\/strong> – Invalid domain entered. Check the configuration.<\/li>\n\n\n\n
- An issue occurred during verification. Refer to the help article for remediation tips.<\/strong> – A status code other than 200 was returned. Check the configuration.<\/li>\n\n\n\n
- During verification, an unexpected content type was returned. Please check your info and try again<\/strong>. – Content not in JSON format was returned.<\/li>\n\n\n\n
- Either unknown content or improper content length was detected during verification. Refer to the help article for remediation tips.<\/strong> – Response length received from the domain was too large. Check the configuration, as we expect a simple JSON response.<\/li>\n\n\n\n
- Verification failed to read the response body. Refer to the help article for remediation tips. <\/strong>– Unreadable data in response. Check whether the response contains the proper data.<\/li>\n\n\n\n
- Verification failed to understand the JSON response. Refer to the help article for remediation tips.<\/strong> – Readable data was returned in unexpected JSON format. Check the JSON configuration.<\/li>\n\n\n\n
- There was an invalid configuration of a well-known URL response during verification. Refer to the help article for remediation tips.<\/strong> – Either the version or baseurl parameters in the JSON configuration is incorrect.<\/li>\n\n\n\n
- There were too many redirects during verification. Refer to the help article for remediation tips.<\/strong> – Check that the well-known url is properly redirected and not in a redirection loop.<\/li>\n<\/ul>\n\n\n\n
After ADUE has been configured in the Admin Portal, users can follow the steps to enroll their devices (iOS 15+). See Users: Enroll Your Personal iOS Device<\/a>.<\/p>\n\n\n\n
\n - Click Save<\/strong>.<\/li>\n<\/ol>\n\n\n\n
- From:
- The well-known URL must be hosted on a domain that can handle HTTP GET requests and is the same domain that your end users sign in to. This allows devices to initiate a service discovery process to retrieve the information and direct your users to the JumpCloud enrollment endpoint.<\/li>\n<\/ul>\n\n\n\n
- In Apple Business Manager, go to Access Management<\/strong> > Apple Services<\/strong> and set Allow Managed Apple Account<\/strong> to Any<\/strong>.<\/li>\n<\/ul>\n<\/li>\n<\/ul>\n\n\n\n
![\"\"](\"https:\/\/jumpcloud.com\/wp-content\/uploads\/2024\/10\/personal-device-enrollment-allow.png\")
<\/p>\n <\/div><\/div><\/div><\/div>\n","protected":false},"excerpt":{"rendered":"