Device enrollment configuration options
Before you enroll devices, you should decide on the enrollment type from those listed below.
Automated Device Enrollment
Automated Device Enrollment is designed for devices owned by the organization. Automated Device Enrollment lets organizations configure and manage devices from the moment the devices are removed from the box. You can also use all of the available payloads and restrictions defined by Apple, and you have the option to prevent the MDM enrollment profile from being removed by the user.
Device Enrollment allows organizations to have users manually enroll devices into a mobile device management (MDM) solution and then manage many different aspects of device use, including the ability to erase the device. On Mac computers running macOS 11 or later, Device Enrollment also enforces supervision on the Mac.
For more information on enrollment types and Auto Advance deployment, see Device Enrollment and MDM in Apple Platform Deployment.
For more information about Automated Device Enrollment payloads and restrictions, see Automated Device Enrollment MDM information and Automated Device Enrollment MDM payload list in Apple Platform Deployment.
Shared iPad enrollment
As soon as Shared iPad is enabled in your MDM solution, the iPad restarts into a shared environment after the next activation and MDM enrollment. Every iPad must be supervised in Apple School Manager to support Shared iPad. And with Shared iPad, all Setup Assistant panes after activation are automatically skipped. To remove a device from Shared iPad, the iPad must be erased and reactivated with Apple.
Required MDM enrollment
Many educational organizations choose to require MDM enrollment to enforce management and policies. When a device in Apple School Manager is activated, the user is presented with a new screen to enroll the device in MDM. If MDM enrollment isn’t required by Apple School Manager, the user can skip enrollment to prevent the device from enrolling in MDM.
Authenticated MDM enrollment
MDM solutions can also choose to require a user name and password to complete MDM enrollment in Setup Assistant. This authenticated enrollment is enforced by the MDM solution and can prevent unauthorized users from completing the setup and using the device. Authenticated enrollment also enables the MDM solution to associate the user with the device, allowing MDM management by user or user group, as well as by device or device group.
Prevent unenrollment from MDM
When a device is enrolled in MDM using Apple School Manager, the MDM enrollment profile can be made nonremovable for supervised devices. This prevents users from unenrolling from your MDM solution and means only your MDM solution can unenroll a device.
Disable Setup Assistant panes
Devices enrolled in your MDM solution whose serial numbers appear in Apple School Manager can have specific panes of Setup Assistant disabled to streamline the user experience. However, the first three panes of Setup Assistant for iPad—panes for selecting a language, selecting a country or region, and choosing a Wi-Fi network—can’t be skipped with Apple School Manager. These panes appear before the device activates and before a configuration is retrieved.
If your organization is using Apple School Manager to enroll devices and your MDM solution to manage them, then you set up all devices. In this case:
A device can be kept in Setup Assistant while it’s configured by your MDM solution, before the student starts interacting with it
When a Setup Assistant pane is skipped, the default setting for that feature is used
Unless you also permanently restrict these features using your MDM solution, users can set up any of them after the Apple device is set up.
For more information on the Setup Assistant panes, see Manage Setup Assistant for Apple devices in Apple Platform Deployment.
Disable pairing of an iPad to a computer
Supervised devices can be restricted from connecting to a Mac or PC to sync content, view books with the Books app, or transfer photos and videos from the camera. If pairing is disabled at activation, it can’t be enabled later. If pairing is enabled, it may be restricted or enabled remotely by your MDM solution with a configuration profile. Allowing pairing provides the best experience in any device deployment. For more information, see Manage Thunderbolt and USB pairing with Apple devices in Apple Platform Deployment.