Device enrollment configuration options
Before you enroll devices, you should decide on the enrollment type from those listed below. After that, you can select from the options presented below the table.
Automated Device Enrollment
Automated Device Enrollment lets organizations configure and manage devices from the moment the devices are removed from the box (in a process known as Auto Advance deployment). These devices become supervised, and you have the option to prevent the MDM profile from being removed by the user. Automated Device Enrollment is designed for devices owned by the organization.
Device Enrollment
Device Enrollment allows organizations to have users manually enroll devices, then manage many different aspects of device use, including the ability to erase the device. If a payload or restriction is supervised, it can be used only with Automated Device Enrollment.
For more information on enrollment types and Auto Advance deployment, see Device Enrollment into mobile device management in Mobile Device Management Settings for IT Administrators.
For more information about Automated Device Enrollment payloads and restrictions, see Device Enrollment MDM payload list and Automated Device Enrollment MDM payload list in Mobile Device Management Settings for IT Administrators.
Shared iPad enrollment
Once Shared iPad is enabled in your MDM solution, the iPad restarts into a shared environment after the next activation and MDM enrollment. Every iPad must be supervised in Apple School Manager to support Shared iPad. With Shared iPad, all Setup Assistant panes after activation are automatically skipped. To remove a device from Shared iPad, the iPad must be erased and reactivated with Apple.
Required MDM enrollment
Many educational organizations choose to require MDM enrollment to enforce management and policies. When a device in Apple School Manager is activated, the user is presented with a new screen to enroll the device in MDM. If MDM enrollment isn’t required by Apple School Manager, the user can skip enrollment to prevent the device from enrolling in MDM.
Authenticated MDM enrollment
MDM solutions can also choose to require a user name and password to complete MDM enrollment in Setup Assistant. This authenticated enrollment is enforced by the MDM solution and can prevent unauthorized users from completing the setup and using the device. Authenticated enrollment also enables the MDM solution to associate the user with the device, allowing MDM management by user or user group, as well as by device or device group.
Prevent unenrollment from MDM
When a device is enrolled in MDM using Apple School Manager, the MDM enrollment profile can be made nonremovable for supervised devices. This prevents users from unenrolling from your MDM solution and means only your MDM solution can unenroll a device.
Disable Setup Assistant panes
Devices enrolled in your MDM solution whose serial numbers appear in Apple School Manager can have specific panes of Setup Assistant disabled to streamline the user experience. However, the first three panes of Setup Assistant for iPad—panes for selecting a language, selecting a country or region, and choosing a Wi-Fi network—can’t be skipped with Apple School Manager. These panes appear before the device activates and before a configuration is retrieved.
If your organization is using Apple School Manager to enroll devices and your MDM solution to manage them, then you set up all devices. In this case:
A device can be kept in Setup Assistant while it’s configured by your MDM solution, before the student starts interacting with it.
When a Setup Assistant pane is skipped, the default setting for that feature is used.
Unless you also permanently restrict these features using your MDM solution, users can set up any of them after the Apple device is set up.
For more information on the Setup Assistant panes, see Setup Assistant panes in Mobile Device Management Settings for IT Administrators.
Disable pairing of an iPad to a computer
Supervised devices can be restricted from connecting to a Mac or PC to sync content, view books with the Books app, or transfer photos and videos from the camera. If pairing is disabled at activation, it can’t be enabled later. If pairing is enabled, it may be restricted or enabled remotely by your MDM solution with a configuration profile. Allowing pairing provides the best experience in any device deployment.
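The options described above (required enrollment, a nonremovable profile, supervision for Shared iPad, holding the device in Setup Assistant, skipped panes, and pairing) can be checked mechanically before an enrollment profile is assigned to devices. The following Python audit is an added example, not part of Apple's documentation or of any MDM product. The JSON key names (is_mandatory, is_mdm_removable, is_supervised, is_multi_user, await_device_configured, allow_pairing, skip_setup_items) and their defaults are assumptions based on the Automated Device Enrollment profile format that MDM servers submit, and the sample profile is constructed.

```python
import json

# Constructed sample profile. Key names and defaults are assumptions about the
# enrollment profile JSON; your MDM console may label these settings differently.
SAMPLE_PROFILE = json.loads("""
{
  "profile_name": "Grade 7 iPads (constructed sample)",
  "is_supervised": true,
  "is_mandatory": false,
  "is_mdm_removable": true,
  "await_device_configured": false,
  "is_multi_user": true,
  "allow_pairing": true,
  "skip_setup_items": ["Siri", "Diagnostics", "Passcode"]
}
""")

def audit_profile(p):
    """Return (key, finding) pairs for settings weaker than the options above."""
    findings = []
    supervised = p.get("is_supervised", False)
    if not p.get("is_mandatory", False):
        findings.append(("is_mandatory", "user can skip MDM enrollment in Setup Assistant"))
    if p.get("is_mdm_removable", True):
        findings.append(("is_mdm_removable", "user can remove the MDM enrollment profile"))
    elif not supervised:
        findings.append(("is_mdm_removable", "a nonremovable profile requires a supervised device"))
    if p.get("is_multi_user", False) and not supervised:
        findings.append(("is_multi_user", "Shared iPad requires a supervised iPad"))
    if not p.get("await_device_configured", False):
        findings.append(("await_device_configured", "device leaves Setup Assistant before MDM has configured it"))
    if not p.get("allow_pairing", True):
        findings.append(("allow_pairing", "pairing disabled at activation cannot be enabled later"))
    # Skipped panes use the feature's default and stay user-configurable unless restricted.
    for pane in p.get("skip_setup_items", []):
        findings.append(("skip_setup_items", f"{pane}: default applies; restrict via MDM if it must stay unset"))
    return findings

if __name__ == "__main__":
    for key, message in audit_profile(SAMPLE_PROFILE):
        print(f"{key}: {message}")
```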