Device enrolment configuration options
Before you enrol devices, you should decide on the enrolment type from those listed below.
Automated Device Enrolment
Automated Device Enrolment is designed for devices owned by the organisation. Automated Device Enrolment lets organisations configure and manage devices from the moment the devices are removed from the box. You can also use all the available payloads and restrictions defined by Apple, and you have the option to prevent the MDM enrolment profile from being removed by the user.
Device Enrolment
Device Enrolment allows organisations to have users manually enrol devices into a mobile device management (MDM) solution and then manage many different aspects of device use, including the ability to erase the device. On Mac computers with macOS 11 or later, Device Enrolment also enforces supervision on the Mac.
For more information on enrolment types and Auto Advance deployment, see Device Enrolment and MDM in Apple Platform Deployment.
For more information about Automated Device Enrolment payloads and restrictions, see Automated Device Enrolment MDM information and Automated Device Enrolment MDM payload list in Apple Platform Deployment.
Shared iPad enrolment
As soon as Shared iPad is enabled in your MDM solution, the iPad restarts into a shared environment after the next activation and MDM enrolment. Every iPad must be supervised in Apple School Manager to support Shared iPad. With Shared iPad, all Setup Assistant panes after activation are skipped automatically. To remove a device from Shared iPad, the iPad must be erased and reactivated with Apple.
Required MDM enrolment
Many educational organisations choose to require MDM enrolment to enforce management and policies. When a device in Apple School Manager is activated, the user is presented with a new screen to enrol the device in MDM. If MDM enrolment isn’t required by Apple School Manager, the user can skip this screen, and the device is then not enrolled in MDM.
Authenticated MDM enrolment
MDM solutions can also choose to require a username and password to complete MDM enrolment in Setup Assistant. This authenticated enrolment is enforced by the MDM solution and can prevent unauthorised users from completing the setup and using the device. Authenticated enrolment also enables the MDM solution to associate the user with the device, allowing MDM management by user or user group, as well as by device or device group.
Prevent unenrolment from MDM
When a device is enrolled in MDM using Apple School Manager, the MDM enrolment profile can be made non-removable for supervised devices. This prevents users from unenrolling from your MDM solution and means only your MDM solution can unenrol a device.
Disable Setup Assistant panes
Devices enrolled in your MDM solution whose serial numbers appear in Apple School Manager can have specific panes of Setup Assistant disabled to streamline the user experience. However, the first three panes of Setup Assistant for iPad — panes for selecting a language, selecting a country or region, and choosing a Wi-Fi network — can’t be skipped with Apple School Manager. These panes appear before the device activates and before a configuration is retrieved.
If your organisation is using Apple School Manager to enrol devices and your MDM solution to manage them, then you set up all devices. In this case:
A device can be kept in Setup Assistant while it’s configured by your MDM solution, before the student starts interacting with it.
When a Setup Assistant pane is skipped, the default setting for that feature is used.
Unless you also permanently restrict these features using your MDM solution, users can set up any of them after the Apple device is set up.
For more information on the Setup Assistant panes, see Manage Setup Assistant for Apple devices in Apple Platform Deployment.
Disable pairing of an iPad to a computer
Supervised devices can be restricted from connecting to a Mac or PC to sync content, view books with the Books app, or transfer photos and videos from the camera. If pairing is disabled at activation, it can’t be enabled later. If pairing is enabled, it may be restricted or enabled remotely by your MDM solution with a configuration profile. Allowing pairing provides the best experience in any device deployment. For more information, see Manage Thunderbolt and USB pairing with Apple devices in Apple Platform Deployment.
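As an added example (not Apple's or any MDM vendor's code), the following Python check reads an Automated Device Enrolment profile and reports settings weaker than the options described above for required enrolment, unenrolment prevention, Shared iPad, Setup Assistant panes and pairing. The key names follow Apple's device enrolment profile definition; the defaults for absent keys and the sample profiles are assumptions constructed for illustration.

```python
import json

# Assumed defaults for absent keys; confirm against your MDM solution.
DEFAULTS = {
    "is_supervised": False, "is_mandatory": False, "is_mdm_removable": True,
    "allow_pairing": True, "await_device_configured": False,
    "is_multi_user": False, "skip_setup_items": [],
}

def audit_profile(profile: dict) -> dict:
    """Map each setting weaker than the options described above to a reason."""
    p = {**DEFAULTS, **profile}
    findings = {}
    if not p["is_mandatory"]:
        findings["is_mandatory"] = "user can skip MDM enrolment in Setup Assistant"
    if p["is_mdm_removable"]:
        findings["is_mdm_removable"] = "user can remove the MDM enrolment profile"
    elif not p["is_supervised"]:
        findings["is_supervised"] = "a non-removable profile needs a supervised device"
    if p["is_multi_user"] and not p["is_supervised"]:
        findings["is_supervised"] = "Shared iPad needs a supervised device"
    if p["skip_setup_items"] and not p["await_device_configured"]:
        findings["await_device_configured"] = (
            "panes are skipped but the device is not held in Setup Assistant "
            "while MDM applies restrictions")
    if not p["allow_pairing"]:
        # Informational: the page notes this choice cannot be reversed later.
        findings["allow_pairing"] = "pairing disabled at activation cannot be re-enabled later"
    return findings

# Constructed sample profiles (the URL is a placeholder, not a real server).
WEAK = json.loads("""{
  "profile_name": "Student iPads", "url": "https://mdm.example.invalid/enrol",
  "is_multi_user": true, "skip_setup_items": ["Siri", "Diagnostics"]
}""")
HARDENED = {**WEAK, "is_supervised": True, "is_mandatory": True,
            "is_mdm_removable": False, "await_device_configured": True}

if __name__ == "__main__":
    for name, prof in (("weak", WEAK), ("hardened", HARDENED)):
        print(name)
        for key, why in audit_profile(prof).items():
            print(f"  {key}: {why}")
```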