Enrollment methods in Apple Business Essentials
To view critical device facts, send apps and settings, or push commands to a device, the device must be enrolled in device management in Apple Business Essentials.
There are different ways a device can be enrolled based on the plan you choose. A device can be enrolled with only one MDM solution at any point, regardless of the MDM or enrollment method used.
Employees can use the following enrollment methods to get devices managed:
Account-driven User Enrollment: User Enrollment is designed for BYOD—or bring-your-own-device deployments—where the user, not the organization, owns the device.
Device Enrollment: Device Enrollment is designed for company-owned devices already in use by the employee. Device Enrollment allows users to manually enroll them without requiring the device to be erased.
Automated Device Enrollment: Automated Device Enrollment is designed for new or erased devices. Automated Device Enrollment lets organizations configure and manage devices from the moment the devices are removed from the box and turned on. This method of enrollment can be used for both employee plans and device plans.
To use Auto Advance for Mac computers, the internet connection must use Ethernet. For more information, see Auto Advance and Automated Device Enrollment in Apple Platform Deployment.
Employee plans in Apple Business Essentials allow up to three devices per employee. All the employee needs to do is sign in on their device with their Managed Apple Account to get their device managed. To view all plan options, see Manage plans.
After a device is successfully enrolled and managed, the device gets all of the configured settings and assigned apps, has the Apple Business Essentials app installed, and gets access to work iCloud storage.
MDM enrollment method features with Apple Business Essentials
Feature | Account-driven User Enrollment | Account-driven Device Enrollment | Profile-based Device Enrollment | Automated Device Enrollment |
---|---|---|---|---|
Minimum supported operating system versions | iOS 15, iPadOS 15, macOS 14, visionOS 1.1 | iOS 17, iPadOS 17, macOS 14, visionOS 1.1 | iOS 15, iPadOS 15, macOS 12.0.1, visionOS 1.1 | iOS 15, iPadOS 15, macOS 12.0.1, visionOS 1.1, tvOS 15 (device plan only) |
Plans | User | User | User | Device, User |
Supervision | No | No (iPhone, iPad, Apple Vision Pro); Yes (Mac) | No (iPhone, iPad, Apple Vision Pro); Yes (Mac) | Yes |
Data separation | Yes | Yes | No | No |
Use a personal Apple Account | Yes | Yes | Yes | No (user plan); No (device plan) |
Account-driven User Enrollment
You can use User Enrollment to enroll an employee’s personal iPhone, iPad, and Mac with iOS 15, iPadOS 15, and macOS 14, or later, into Apple Business Essentials. To require that an iPhone, iPad, or Mac enroll as a User Enrollment when signed in with a Managed Apple Account, do the following:
In Apple Business Essentials, sign in with a user that has the role of Administrator.
Select your name at the bottom of the sidebar, select Preferences, then select “Apple Business Essentials” under “Your MDM Servers.”
Select the Device Enrollment tab.
Select “Enroll as personal device” for all device types you want to enroll with Device Enrollment upon sign in with a Managed Apple Account.
See Use a Managed Apple Account to enroll your device for instructions on how employees enroll a device with a Managed Apple Account.
Note: User Enrollment leads to unsupervised management, meaning administrators have limited management over User Enrolled devices. This method of enrollment is best for personally owned devices, or organizationally-owned devices that don’t need to be supervised. Any iPhone or iPad that requires supervision should enroll using Automated Device Enrollment. For more information, see About Apple device supervision in Apple Platform Deployment.
Account-driven Device Enrollment
You can use Device Enrollment on any organization-owned Mac that is already in use by an employee or hasn’t been linked to your Apple Customer Number or Reseller Number.
Employees can use Account-driven Device Enrollment to enroll any Mac with macOS 14.1 or later.
To require an iPhone, iPad, or Mac enroll using Device Enrollment when signed in with a Managed Apple Account, do the following:
In Apple Business Essentials, sign in with a user that has the role of Administrator.
Select your name at the bottom of the sidebar, select Preferences, then select “Apple Business Essentials” under “Your MDM Servers.”
Select the Device Enrollment tab.
Select “Enroll as company-owned device” for all device types you want to enroll with Device Enrollment upon sign in with a Managed Apple Account.
Note: These settings apply only to devices with iOS 17.1, iPadOS 17.1, macOS 14.1, or later. For devices with previous versions, signing in with a Managed Apple Account results in User Enrollment.
See Use a Managed Apple Account to enroll your device for instructions on how employees enroll a device with a Managed Apple Account.
When a device uses Device Enrollment by signing in with a Managed Apple Account, the following occurs:
Apple Business Essentials app installed: Yes
Assigned apps available: In the Apple Business Essentials app
Settings applied: Yes
Device supervised: Mac: Yes. iPhone, iPad: No
Personal and work data separated: Yes
Personal Apple Account iCloud storage: Yes
Organization Managed Apple Account iCloud storage: Available
Profile-based Device Enrollment
For Mac computers with macOS 13 or earlier, Device Enrollment can be achieved with the use of an enrollment profile. To enroll a device with a profile:
In Apple Business Essentials, sign in with a user that has the role of Administrator.
Select Users in the sidebar, then select or search for a user who you’d like to send an enrollment profile to in the search field. See How to search.
If the user has no devices enrolled, select “View Instructions” in the Devices section. Otherwise select “Send Enrollment Instructions.”
In the screen that appears, make sure the “Mac” checkbox is selected, then select “Send.”
When the user receives the email, they can select the link contained in the Note at the bottom of the Mac enrollment instructions and follow the directions on the webpage to get their device managed.
When a Mac uses Device Enrollment with an enrollment profile, the following then occurs:
Apple Business Essentials app installed: Yes
Assigned apps available: In the Apple Business Essentials app
Settings applied: Yes
Device supervised: Yes
Personal and work data separated: No
Personal Apple Account iCloud storage: Yes
Organization Managed Apple Account iCloud storage: Available
Automated Device Enrollment (all devices)
You can use Automated Device Enrollment with an employee plan on any company-owned iPhone, iPad, Mac, and Apple TV.
Link your Apple Customer Number or Reseller Number to Apple Business Essentials.
After a device appears in Apple Business Essentials, assign it to the Apple Business Essentials MDM server. See Device workflow.
If your device doesn’t appear in Apple Business Essentials, you can add it using Apple Configurator. See Add devices from Apple Configurator.
The devices must be connected to the internet and powered on. A specified user must then finish Setup Assistant for iPhone, iPad, and Mac (Apple TV finishes the Setup Assistant automatically).
Users then sign in to Setup Assistant with their Managed Apple Account user name and password.
After the employee signs in to Setup Assistant with their Managed Apple Account and password, their device is managed and the following occurs:
Apple Business Essentials app installed: Yes (Not available for Apple TV)
Assigned apps available: In the Apple Business Essentials app for user plans, or downloaded immediately for device plans
Settings applied: Yes
Device supervised: Yes
Personal Apple Account iCloud storage: Unavailable
Organization Managed Apple Account iCloud storage: Available (Not available for Apple TV)
Automated Device Enrollment (Devices that use a device plan)
To keep your organization secure, any device with a device subscription must be manually approved by any user with the role of Administrator or Device Enrollment Manager before it can be managed. You can either do this when adding the device to a device plan, or after the device has enrolled.
To approve devices when adding them to a device plan, simply select “Approve recently added devices for management without manual review” at the time of plan confirmation. This is possible only on devices that are newly added to a device plan and have never previously been approved and managed by Apple Business Essentials.
For Automated Device Enrollment with a device subscription, the task Automated Device Enrollment (all devices) must be completed first. To approve devices after they’ve been enrolled:
In Apple Business Essentials, sign in with a user that has the role of Administrator or Device Enrollment Manager.
Select Devices in the sidebar, then select or search for a device in the search field. See How to search.
To search for specific devices, you can paste up to 1024 serial numbers from a text file, with each serial number separated by a comma.
Select the device you want managed.
Review the enrollment details, including the date and time of enrollment, the operating system, and the certificate fingerprint. (This step is important. Ensure that all this information is correct before approving any devices for management.)
To find the certificate fingerprint, do one of the following:
iPhone or iPad: Find the certificate fingerprint of your iPhone or iPad by navigating to Settings > your Managed Apple Account > More Details > Device Identity Certificate. The certificate fingerprint is found at the bottom of the page under Fingerprints > SHA-256.
Mac: Find the certificate fingerprint of your Mac computer by navigating to Keychain > Certificates > Systems and then selecting the entry with a random UUID that has “Issued by: Apple MDM RSA CA 1 - G1.” Open the window and scroll down. The certificate fingerprint is found under Fingerprints > SHA-256.
Do one of the following:
If the enrollment details are correct, approve the device for management.
If the enrollment details are incorrect, deny the device for management. Denying a device removes the enrollment profile, and the device won’t be managed.
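The review step above, as an added example that is not part of Apple's documentation or tooling: a pre-approval check that builds search strings within the 1024-serial limit and compares each fingerprint shown for a pending device with the one recorded in your own inventory. The inventory mapping, function names, serial numbers and certificate bytes are all constructed for illustration.

```python
import hashlib
import ssl

MAX_SERIALS_PER_SEARCH = 1024  # search-field limit stated on this page
HEX = set("0123456789abcdef")

def normalize_fingerprint(shown):
    """Reduce a displayed SHA-256 fingerprint (spaces, colons, any case) to 64 hex chars."""
    digits = "".join(ch for ch in shown.lower() if ch not in " :\t\r\n")
    if len(digits) != 64 or not set(digits) <= HEX:
        raise ValueError("not a SHA-256 fingerprint: %r" % shown)
    return digits

def fingerprint_from_pem(pem_text):
    """A certificate's SHA-256 fingerprint is the SHA-256 digest of its DER encoding."""
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem_text)).hexdigest()

def search_batches(serials):
    """Comma-separated search strings holding at most 1024 serial numbers each."""
    unique = list(dict.fromkeys(s.strip() for s in serials if s.strip()))
    return [",".join(unique[i:i + MAX_SERIALS_PER_SEARCH])
            for i in range(0, len(unique), MAX_SERIALS_PER_SEARCH)]

def review(pending, inventory):
    """Map each pending serial to 'approve' only when its fingerprint matches the record."""
    decisions = {}
    for serial, shown in pending.items():
        try:
            ok = normalize_fingerprint(shown) == normalize_fingerprint(inventory[serial])
        except (KeyError, ValueError):
            ok = False  # unknown serial or unreadable fingerprint: do not approve
        decisions[serial] = "approve" if ok else "deny"
    return decisions

if __name__ == "__main__":
    # Constructed sample data: placeholder bytes stand in for a device identity certificate.
    pem = ssl.DER_cert_to_PEM_cert(b"constructed bytes, not a real certificate")
    recorded = fingerprint_from_pem(pem)
    inventory = {"SERIAL0001": recorded, "SERIAL0002": recorded}
    pending = {
        "SERIAL0001": " ".join(recorded[i:i + 2].upper() for i in range(0, 64, 2)),
        "SERIAL0002": "00" * 32,          # well-formed but different fingerprint
        "SERIAL0003": recorded,           # serial missing from the inventory
    }
    print(search_batches(pending))
    print(review(pending, inventory))
```

The output is a recommendation only; the date and time of enrollment and the operating system still need to be reviewed in Apple Business Essentials before approving.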
Send enrollment instructions to a single user
To send instructions to an employee directing them to sign in to a device with a Managed Apple Account, do the following:
In Apple Business Essentials, sign in with a user that has the role of Administrator.
Select Users in the sidebar, then select or search for a user who you’d like to send an enrollment profile to in the search field. See How to search.
If the user has no devices enrolled, select “View Instructions” in the Devices section. Otherwise select “Send Enrollment Instructions.”
Select the platforms you want to send instructions for, then select “Send.”
Send enrollment instructions to multiple users
To send instructions to multiple employees at once directing them to sign in to a device with a Managed Apple Account, do the following:
In Apple Business Essentials, sign in with a user that has the role of Administrator.
Select Users in the sidebar, then either select “All Users” at the top, or select the users you want by using Shift-click.
Next to “Send Device Enrollment Instructions”, select the button that says “Send to X users.”
Select the platforms you want to send instructions for, then select “Send.”
Apple Business Essentials app
With Apple Business Essentials and the Apple Business Essentials app, employees can:
Download the work apps they’ve been assigned by their organization.
View all of their managed devices.
Directly access AppleCare+ for Business Essentials support.
Request, track, and cancel repairs covered under AppleCare+ for Business Essentials.
After users enroll in device management, the app is automatically downloaded to their iPhone, iPad, or Mac. See the Apple Support article About the Apple Business Essentials app.
See Use a Managed Apple Account to enroll your device for instructions on how employees enroll a device with a Managed Apple Account.