
Automated Device Enrolment and device management
Automated Device Enrolment is designed for all Apple devices that an organisation owns. Automated Device Enrolment lets organisations configure and manage devices from the moment someone removes a device from its box. You can also use all the available Apple-defined payloads and restrictions, and you have the option to prevent the user from removing the device management service’s enrolment profile.
With Automated Device Enrolment, IT administrators can manage even more settings and see more information than with Device Enrolment or User Enrolment. For more information, see How enrolment methods help to protect the user’s privacy.
For these devices, you can configure the following device management service enrolment options:
Option | Minimum supported operating system versions | Description
---|---|---
Prevent unenrolment | iOS 7, iPadOS 7, macOS 10.9, tvOS 10.2, visionOS 2 | A supervised device can’t be unenrolled by the user. On Mac computers, this prevents unenrolment from System Settings for macOS 13 or later, or from System Preferences for macOS 12.0.1 or earlier, as well as from the
Automatically advance through Set-Up Assistant | macOS 11, tvOS 11.3, visionOS 2 | A supervised Mac using macOS 11 or later or Apple TV is automatically configured without any user intervention, provided no other Set-Up Assistant panes are enabled.
Language | macOS 11, tvOS 11.3, visionOS 2 | The language to set on the device if using Auto Advance.
Region | macOS 11, tvOS 11.3, visionOS 2 | The region to set on the device if using Auto Advance.
Hold device in Set-Up Assistant | iOS 9, iPadOS 9, macOS 10.9, tvOS 10.2, visionOS 2 | Holds the device in the Set-Up Assistant to allow the device management service to apply any critical configurations or install critical apps. The device can then proceed through or exit Set-Up Assistant after receiving instructions from the device management service. A similar option can be used for Shared iPad to hold the device in Set-Up Assistant after user authentication to ensure the device is ready to go when the user is presented with the Home Screen.
Configuration web URL | iOS 13, iPadOS 13, macOS 10.15, visionOS 2 | The URL that the device should load in the Set-Up Assistant. This can be used for authentication, custom branding, consent text or more.
Set-Up Assistant panes to skip | iOS 7, iPadOS 7, macOS 10.9, tvOS 10.2, visionOS 2 | Optional: Which panes should be skipped in the Set-Up Assistant to streamline the device setup process for the user.
Enforce FileVault | macOS 14 | A device management service can require a Mac with macOS 14 or later to turn on FileVault during Set-Up Assistant. This helps ensure encryption of the internal storage before someone uses it. An organisation can then decide whether to show the recovery key and optionally escrow it to the service. You use this functionality in conjunction with holding the device in Set-Up Assistant to ensure that the service has all necessary information before proceeding.
Configure as Shared iPad (Shared iPad only) | iPadOS 9.3 | Enables Shared iPad.
Number of Shared iPad users (Shared iPad only) | iPadOS 9.3 | Enter the number of students who may potentially use this iPad. For best results, the number of students should be low.
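The following is an added example, not Apple's code: a pre-assignment check that flags enrolment profile settings which leave the options above weaker than intended. The key names are those of the profile object in Apple's device assignment API; which table option each key implements, the default assumed for an absent key, and the mdm.example.com hostnames are assumptions of this example.

```python
from urllib.parse import urlparse

# Which table option each key implements is this example's assumption.
URL_KEYS = ("url", "configuration_web_url")


def audit_ade_profile(profile):
    """Return a list of (key, finding) tuples for one enrolment profile dict."""
    findings = []
    # An absent key is treated as "removable" (assumed default).
    if profile.get("is_mdm_removable", True):
        findings.append(("is_mdm_removable",
                         "user can remove the enrolment profile"))
    if not profile.get("await_device_configured", False):
        findings.append(("await_device_configured",
                         "device can leave Set-Up Assistant before "
                         "critical configuration is applied"))
    for key in URL_KEYS:
        value = profile.get(key)
        if value is None:
            continue
        parsed = urlparse(value)
        if parsed.scheme != "https" or not parsed.hostname:
            findings.append((key, "not an absolute https URL"))
    auto = profile.get("auto_advance_setup", False)
    for key in ("language", "region"):
        if auto and not profile.get(key):
            findings.append((key, "Auto Advance is on but no value is set"))
        elif not auto and profile.get(key):
            findings.append((key, "set, but only applied with Auto Advance"))
    return findings


# Constructed sample profiles; HARDENED is WEAK with each finding corrected.
WEAK = {"url": "http://mdm.example.com/enrol",
        "configuration_web_url": "https://mdm.example.com/welcome",
        "auto_advance_setup": True, "language": "en"}
HARDENED = dict(WEAK, url="https://mdm.example.com/enrol", region="GB",
                is_mdm_removable=False, await_device_configured=True)

if __name__ == "__main__":
    for name, prof in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, audit_ade_profile(prof))
```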
Auto Advance and Automated Device Enrolment (macOS)
Auto Advance is an additional option for Automated Device Enrolment that allows you to skip all Set-Up Assistant panes automatically with a Mac computer that is plugged into Ethernet. After configuring Auto Advance in your device management service, organisations can order Mac computers and, after they arrive, simply plug them into Ethernet and turn them on. The Mac locates the assigned device management service and undergoes an automatic configuration based on settings from the service, including skipping all Set-Up Assistant panes. The user then enters a known username and password at the login window.
For a Mac to take advantage of Auto Advance, it needs to have macOS 11 or later, and meet all the following additional criteria:
The computer’s serial number needs to appear in Apple School Manager or Apple Business Manager.
A device management service needs to apply the Automated Device Enrolment settings, including the Auto Advance key, to the Mac.
It needs to be plugged into a power source (recommended but not required).
It needs to be plugged into an active Ethernet connection (initial configuration only).
It needs to be able to access the device management service through an internal network or the internet.
Enforcing a minimum version of iOS, iPadOS and macOS
Device management services can enforce a minimum operating system version on enrolling devices when using Automated Device Enrolment. If the device doesn’t meet the minimum version that the service expects, the operating system guides the user through a software update or upgrade before they can continue with Set-Up Assistant. This ensures that organisation-owned devices are on the required version before being put into production.
Enforcing Automated Device Enrolment
If a Mac with macOS 14 or later that’s registered to Apple School Manager or Apple Business Manager doesn’t enrol into device management during the first set-up, a full-screen set-up experience is displayed.
The user can choose “Not now” once, which causes the screen to be dismissed for 8 hours. During those 8 hours, the user sees a follow-up option in System Settings to start the enrolment. After the time expires, an administrator needs to enrol the device.
This replaces the current notification experience and ensures that the device needs to be enrolled into device management in order to be used. Enforcing device enrolment results in fewer unmanaged organisation-owned devices.