This article explains how to enable and configure account-driven user enrollment within the JumpCloud Admin Portal. You must configure enrollment before users are able to enroll their iOS and iPadOS devices to be managed by your organization.
Account-driven enrollment is the preferred method for enrolling Apple iOS/iPadOS devices into JumpCloud MDM. With this method, end users enroll their devices directly by signing in with a Managed Apple Account provided by your organization, instead of downloading a profile from an external link or scanning a QR code in the JumpCloud User Portal.
This process must be used for all devices running iOS/iPadOS 18 or later. Profile-based user enrollment, where the user downloads a configuration profile onto their device, will fail for personal device enrollments on devices running iOS/iPadOS 18 or later.
Considerations:

Prerequisites:
First, create Managed Apple Accounts either through federated authentication between Apple and your identity provider (Google Workspace, Microsoft Entra ID, or other)*, or manually in Apple Business Manager or Apple School Manager.

*Federation between Apple and JumpCloud is in active development.
Reference the following Apple documentation on creating Managed Apple Accounts:
After the Managed Apple Accounts are created, they need to be associated with JumpCloud user accounts. See Run the MAID Import Script for instructions.
Prerequisites:
On your web server, implement the following well-known URL for MDM service discovery, replacing yourdomain.com with your org’s domain:

https://yourdomain.com/.well-known/com.apple.remotemanagement
Next, either configure a redirect from this URL or host a file at this URL.
Configuring a Redirect

To configure account-driven user enrollment using a redirect:
- Log in to the JumpCloud Admin Portal.
- Go to DEVICE MANAGEMENT > MDM.
- On the Apple > Home tab, scroll to iOS Enrollment.
- Under Account-driven User Enrollment Configuration, select Redirect.
- On your web server, define a redirect rule from the well-known URL you implemented above to the JumpCloud service discovery URL, making sure to insert your JumpCloud org ID in place of the Xs:
  - From: https://yourdomain.com/.well-known/com.apple.remotemanagement
  - To: https://apple.mdm.jumpcloud.com/account-driven-service-discovery?organization_id=XXXXXXXXXXXXXXX
Note: The steps to configure the redirect will look different depending on your solution. Below are resources for placing a redirect with popular web servers:

- Apache: Redirect Directive
- NGINX: Beginner’s Guide
Configuring a Redirect in Cloudflare

See Cloudflare’s Create rule in the dashboard for more information on this process.

To set up a redirect using Cloudflare Rules:

- Log in to your Cloudflare account.
- Select the domain you want to redirect.
- From the Rules tab, click Redirect Rules.
- Click Create Rule and give the rule a descriptive name.
- Under When incoming requests match, select Wildcard pattern.
- In the Request URL field, enter https://example-domain.com/.well-known/com.apple.remotemanagement* where example-domain.com is your root domain. Remember to include the asterisk after com.apple.remotemanagement.
- In the Target URL field, enter https://apple.mdm.jumpcloud.com/account-driven-service-discovery?organization_id=XXXXXXXXXXXXXXXXXXXXX where XXXXXXXXXXXXXXXXXXXXX is replaced with your JumpCloud Organization ID.
- For Status Code, choose 301.
- Leave Preserve Query String unchecked.
- Click Deploy.

Once the redirect rule is active, any request to the specified path is redirected to the target URL. It may take some time for the rule to take effect because of Cloudflare’s caching.
Configuring a Redirect in Shopify

See Shopify’s Creating and managing URL redirects for more information on this process.

To set up a URL redirect in Shopify:

- From your Shopify admin, go to Settings > Apps and sales channels.
- From the Apps and sales channels page, click Online store.
- Click Open sales channel.
- Click Navigation.
- Click View URL Redirects.
- Click Create URL redirect.
- In Redirect from, enter /.well-known/com.apple.remotemanagement
- In Redirect to, enter https://apple.mdm.jumpcloud.com/account-driven-service-discovery?organization_id=XXXXXXXXXXXXXXXXXXXXX where XXXXXXXXXXXXXXXXXXXXX is replaced with your JumpCloud Organization ID.
- Click Save redirect.
Configuring a Redirect in Squarespace

See Squarespace’s URL mappings documentation for more information on this process.

To set up a URL redirect in Squarespace:

- Open Developer Tools.
- Click URL Mappings.
- Click into the text field and add the redirect in the following format, where XXXXXXXXXXXXXXXXXXXXX is replaced with your JumpCloud Organization ID:

/.well-known/com.apple.remotemanagement -> https://apple.mdm.jumpcloud.com/account-driven-service-discovery?organization_id=XXXXXXXXXXXXXXXXXXXXX 301

- Click Save.
Configuring a Self-Hosted File

Although a self-hosted file is less flexible than a redirect, it may be useful if you do not have access to your web server configuration.

Tip: For more information about the service discovery process, see Apple’s Discover Authentication Servers on the Apple Developer website.
To configure account-driven user enrollment using a self-hosted file:

- Log in to the JumpCloud Admin Portal.
- Go to DEVICE MANAGEMENT > MDM.
- On the Apple > Home tab, scroll to iOS Enrollment.
- Under Account-driven User Enrollment Configuration, select Self Host.
- A JSON configuration snippet appears. Click Download JSON.
- Publish the file at the well-known URL you created above.
Setting up a Web Server to Host the File

To host the JumpCloud enrollment information on a web server, you must define the path to your web server. If the verified domain you use for Managed Apple Accounts is already configured to host files, you can host the enrollment information at the same hosting location. If your environment is not configured to do so, you must set up a web server to host the information.

Note: JumpCloud recommends consulting your internal web services and hosting team to help you complete this task.
Prerequisites:

- The web server must have the same fully qualified domain name (FQDN) as the verified domain that the Managed Apple Accounts belong to, and web services must be enabled.
- The SSL certificate for the web server must be issued by a trusted certificate authority. For a list of trusted root certificates, see Apple’s List of available trusted root certificates.
- The JSON file must be hosted on a server that supports HTTPS GET requests. Requests contain query parameters, such as user-identifier and model-family, which are passed through to JumpCloud when the device is redirected for enrollment.

The resulting URL for the file must be similar to the following, where example_domain.com is the same domain as the Managed Apple Accounts’ email address: https://example_domain.com/.well-known/com.apple.remotemanagement
Configure the server to return the appropriate Content-Type header with the file, as follows: Content-Type: application/json

Note: Your server software may refer to Content-Type as “MIME type.”

For more information about how to modify the MIME type, see the following documentation:

- Apache: Apache Module mod_mime
- NGINX: Full Example Configuration
- Microsoft: Adding Static Content MIME Mappings
Testing the Enrollment Configuration

To test your configuration:

- Back in the JumpCloud Admin Portal, under Account-driven User Enrollment Configuration, enter your domain in the Test Your Configuration field and click Test.
- If successful, the JumpCloud Admin Portal returns a success message: “Account-driven Configuration Successful for {Entered Domain}”
- If the configuration is incorrect, you will receive an error message similar to the following: “An error occurred. Account-driven Configuration for {Entered Domain} could not be verified.”
Troubleshooting Error Messages

- Verification failed to get a well-known URL. Please check your info and try again. – Invalid domain entered. Check the configuration.
- An issue occurred during verification. Refer to the help article for remediation tips. – A status code other than 200 was returned. Check the configuration.
- During verification, an unexpected content type was returned. Please check your info and try again. – Content not in JSON format was returned.
- Either unknown content or improper content length was detected during verification. Refer to the help article for remediation tips. – The response received from the domain was too large. Check the configuration, as a simple JSON response is expected.
- Verification failed to read the response body. Refer to the help article for remediation tips. – Unreadable data in the response. Check whether the response contains the proper data.
- Verification failed to understand the JSON response. Refer to the help article for remediation tips. – Readable data was returned in an unexpected JSON format. Check the JSON configuration.
- There was an invalid configuration of a well-known URL response during verification. Refer to the help article for remediation tips. – Either the version or the baseurl parameter in the JSON configuration is incorrect.
- There were too many redirects during verification. Refer to the help article for remediation tips. – Check that the well-known URL is properly redirected and not in a redirect loop.
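The following Python script is an added example, not code from the JumpCloud article, that lets you model the checks above offline before clicking Test. It serves both the self-hosted file section (it builds a service-discovery document in the format Apple documents, a "Servers" array whose entries carry "Version" and "BaseURL") and the troubleshooting list (each failed check returns a key naming the matching error). fake_fetch() stands in for live HTTPS requests with constructed responses; the domains, the Organization ID, the BaseURL, the 4 KB size limit and the redirect cap are placeholders or assumptions, and the real BaseURL is whatever the JSON you downloaded from the Admin Portal contains.

```python
"""Offline model of the well-known URL check for account-driven user enrollment.
Constructed example: no network is used, and the error keys mirror the
article's troubleshooting list. All domains and IDs are placeholders."""
import json
from urllib.parse import urlsplit, urlunsplit

WELL_KNOWN_PATH = "/.well-known/com.apple.remotemanagement"
MAX_BODY_BYTES = 4096  # assumption: the article only says a "simple JSON response" is expected
KNOWN_VERSIONS = {"mdm-byod", "mdm-adde"}  # Apple's user-enrollment / device-enrollment values

ORG_ID = "XXXXXXXXXXXXXXXXXXXXX"  # placeholder: your JumpCloud Organization ID
DISCOVERY_URL = ("https://apple.mdm.jumpcloud.com/account-driven-service-discovery"
                 f"?organization_id={ORG_ID}")
PLACEHOLDER_BASE_URL = "https://mdm.example.invalid/enroll"  # placeholder; use the downloaded JSON


def build_discovery_json(base_url, version="mdm-byod"):
    """Build a service-discovery document in the format Apple documents:
    a "Servers" array whose entries carry "Version" and "BaseURL"."""
    return json.dumps({"Servers": [{"Version": version, "BaseURL": base_url}]}).encode()


def verify_well_known(domain, fetch, max_redirects=5):
    """Start at https://<domain>/.well-known/com.apple.remotemanagement, follow
    redirects (at most max_redirects, an assumed cap), and return "ok" or a key
    naming the first failed check."""
    if not domain or "/" in domain or " " in domain:
        return "invalid-domain"
    url = urlunsplit(("https", domain, WELL_KNOWN_PATH, "", ""))
    for _ in range(max_redirects + 1):
        try:
            status, headers, body = fetch(url)
        except KeyError:  # nothing answered at that URL
            return "invalid-domain"
        headers = {k.lower(): v for k, v in headers.items()}
        if status in (301, 302, 307, 308):
            url = headers.get("location", "")
            if not url:  # a redirect without Location cannot be followed
                return "bad-status"
            continue
        if status != 200:
            return "bad-status"
        media_type = headers.get("content-type", "").split(";")[0].strip().lower()
        if media_type != "application/json":
            return "unexpected-content-type"
        if len(body) > MAX_BODY_BYTES:
            return "bad-content-length"
        try:
            text = body.decode("utf-8")
        except UnicodeDecodeError:
            return "unreadable-body"
        try:
            doc = json.loads(text)
        except json.JSONDecodeError:
            return "invalid-json"
        servers = doc.get("Servers") if isinstance(doc, dict) else None
        if not isinstance(servers, list) or not servers:
            return "invalid-json"
        for entry in servers:
            if not isinstance(entry, dict):
                return "invalid-json"
            version, base_url = entry.get("Version"), entry.get("BaseURL", "")
            if version not in KNOWN_VERSIONS or urlsplit(base_url).scheme != "https":
                return "invalid-config"  # version or baseurl is wrong
        return "ok"
    return "too-many-redirects"


GOOD_DOC = build_discovery_json(PLACEHOLDER_BASE_URL)

# Constructed responses keyed by URL -> (status, headers, body).
RESPONSES = {
    # Redirect configuration: the well-known URL 301s to JumpCloud's discovery endpoint
    f"https://redirect.example{WELL_KNOWN_PATH}": (301, {"Location": DISCOVERY_URL}, b""),
    DISCOVERY_URL: (200, {"Content-Type": "application/json"}, GOOD_DOC),
    # Self-hosted configuration: the downloaded file is served with the right Content-Type
    f"https://selfhost.example{WELL_KNOWN_PATH}": (
        200, {"Content-Type": "application/json; charset=utf-8"}, GOOD_DOC),
    # Misconfigurations the troubleshooting list describes
    f"https://texttype.example{WELL_KNOWN_PATH}": (200, {"Content-Type": "text/plain"}, GOOD_DOC),
    f"https://loop.example{WELL_KNOWN_PATH}": (
        301, {"Location": f"https://loop.example{WELL_KNOWN_PATH}"}, b""),
    f"https://badversion.example{WELL_KNOWN_PATH}": (
        200, {"Content-Type": "application/json"},
        build_discovery_json(PLACEHOLDER_BASE_URL, version="mdm")),
}


def fake_fetch(url):
    """Constructed stand-in for an HTTPS GET that does not follow redirects."""
    return RESPONSES[url]


def run_checks(fetch=fake_fetch):
    domains = ("redirect.example", "selfhost.example", "texttype.example",
               "loop.example", "badversion.example", "missing.example")
    return {d: verify_well_known(d, fetch) for d in domains}


if __name__ == "__main__":
    for domain, result in run_checks().items():
        print(f"{domain:20} {result}")
```

To use it against a real domain, replace fake_fetch with a function that performs an HTTPS GET without following redirects and returns the status, headers and body; the redirect hop must land on the JumpCloud discovery URL carrying your Organization ID, and a self-hosted file must come back as application/json.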
After account-driven user enrollment (ADUE) has been configured in the Admin Portal, users can follow the steps to enroll their devices (iOS 15+). See Users: Enroll Your Personal iOS Device.