Enrolling BYOD Apple devices (account-based user enrollment)

Read this section to understand how the users can enroll BYOD Apple devices running iOS 18+ or macOS 15+ to MDM.

Before you begin

Before enrolling a device using Account-Based User Enrollment, ensure the following requirements are met:

  • Managed Apple ID: The user must have a Managed Apple ID from Apple Business Manager (ABM) or Apple School Manager (ASM).

  • Enrollment policy configured in BigFix MCM & BigFix Mobile

  • Service Discovery configuration

  • Apple device requirements:

    • The device must run iOS 18 +

    • The device must have internet access.

    Note: Support for macOS 15+ is not tested with MCM v3.3 release.
  • AD/LDAP credentials: Ensure you have the Active Directory credentials with associated Apple Business Manager account.
    Note: Third-party authentication support like Okta is planned for future releases

About this task

With iOS 18+, Apple has discontinued Profile-Based User Enrollment and requires Account-Based User Enrollment for BYOD (Bring Your Own Device) management. This new method enhances security and automation by using Service Discovery to locate the correct MDM server for enrollment.
To enrol a device using account-driven User Enrolment or account-driven Device Enrolment, follow these steps:

  1. Initiate enrollment from iOS 18+

    1. Open Settings app.

    2. Navigate to VPN & Device Management.

    3. Select “Sign in to Work or School Account…”.

    4. The device then connects to the MDM server’s initial enrollment page.

  2. Authenticate with Managed Apple ID
    1. Enter the Managed Apple ID. (Example, user@company.com). Apple verifies the ID and performs Service Discovery. If the discovery file is correctly configured, the system identifies the MDM server.
    2. The OS uses service discovery to retrieve the MDM server details from the JSON file.

  3. Authenticate with Active Directory: Enter AD/LDAP credentials when prompted.

  4. Enroll:Click Enroll to download the Apple enrollment profile.

  5. OSX opens this Enrollment Profile and shows users the information about the MDM deployment they are about to enroll in. If things look okay, click Install to enroll the device in MDM.

Results

  • Once enrolled, the MDM profile is installed.
  • A corporate-controlled workspace is created within the personal device.
  • The organization does not have access to the personal profile and hence cannot wipe, lock, or impose any control over the personal use of the device.
  • IT administrators can configure settings, push work apps, and manage policies in the corporate-controlled workspace while keeping personal data private.