
Automated Device Enrollment and device management
Automated Device Enrollment is designed for all Apple devices that an organization owns. Automated Device Enrollment lets organizations configure and manage devices from the moment someone removes a device from its box. You can also use all the available Apple-defined payloads and restrictions, and you have the option to prevent the user from removing the device management service’s enrollment profile.
With Automated Device Enrollment, IT administrators can manage even more settings and see more information than with Device Enrollment or User Enrollment. For more information, see How enrollment methods help to protect the user’s privacy.
For these devices, you can configure the following device management service enrollment options:
Option | Usage |
---|---|
Prevent unenrollment | A supervised device can’t be unenrolled by the user. On Mac computers, this prevents unenrollment from System Settings for macOS 13 or later, or from System Preferences for macOS 12.0.1 or earlier, as well as from the |
Automatically advance through Setup Assistant | A supervised Mac using macOS 11 or later or Apple TV is automatically configured without any user intervention, provided no other Setup Assistant panes are enabled. |
Language | The language to set on the device if using Auto Advance. |
Region | The region to set on the device if using Auto Advance. |
Hold device in Setup Assistant | Holds the device in the Setup Assistant to allow the device management service to apply any critical configurations or install critical apps. The device can then proceed through or exit Setup Assistant after receiving instructions from the device management service. A similar option can be used for Shared iPad to hold the device in Setup Assistant after user authentication to ensure the device is ready to go when the user is presented with the Home Screen. |
Configuration web URL | The URL that the device should load in the Setup Assistant. This can be used for authentication, custom branding, consent text, or more. |
Setup Assistant panes to skip | Optional: Which panes should be skipped in the Setup Assistant to streamline the device setup process for the user. |
Enforce FileVault | A device management service can require a Mac with macOS 14 or later to turn on FileVault during Setup Assistant. This helps ensure encryption of the internal storage before someone uses it. An organization can then decide whether to show the recovery key and optionally escrow it to the service. You use this functionality in conjunction with holding the device in Setup Assistant to ensure that the service has all necessary information before proceeding. |
Configure as Shared iPad (Shared iPad only) | Enables Shared iPad. |
Number of Shared iPad users (Shared iPad only) | Enter the number of students who may potentially use this iPad. For best results, the number of students should be low. |
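As an added example (not Apple's code), the following Python script audits an enrollment profile against the options in the table above. It assumes the profile is available as JSON using the key names of Apple's Define a Profile request (`is_mdm_removable`, `await_device_configured`, `auto_advance_setup` and so on), which this page does not list; `audit_profile`, its `enforce_filevault` flag and the sample values are hypothetical.

```python
import json
from urllib.parse import urlparse

# Constructed sample profile. Key names follow Apple's "Define a Profile"
# request and are an assumption here; they do not appear on this page.
SAMPLE_PROFILE = json.loads("""{
  "profile_name": "Example Corp Macs (constructed)",
  "url": "https://mdm.example.com/enroll",
  "is_supervised": true,
  "is_mandatory": true,
  "is_mdm_removable": true,
  "await_device_configured": false,
  "auto_advance_setup": true,
  "language": "en",
  "configuration_web_url": "http://mdm.example.com/welcome",
  "skip_setup_items": ["Siri", "Appearance"]
}""")

def audit_profile(p, enforce_filevault=False):
    """Return findings for one profile; enforce_filevault is a hypothetical intent flag."""
    findings = []
    # Prevent unenrollment: only a supervised device can be locked to the service.
    if p.get("is_mdm_removable", True):
        findings.append("user can remove the enrollment profile")
    elif not p.get("is_supervised", False):
        findings.append("is_mdm_removable=false requires is_supervised=true")
    if not p.get("is_mandatory", False):
        findings.append("user can skip enrollment in Setup Assistant")
    # With Auto Advance no pane asks the user, so the profile supplies both values.
    if p.get("auto_advance_setup", False):
        for key in ("language", "region"):
            if not p.get(key):
                findings.append(f"auto_advance_setup set but {key} missing")
    # Hold in Setup Assistant so critical configuration lands before first use.
    held = p.get("await_device_configured", False)
    if not held:
        findings.append("device is not held in Setup Assistant")
    if enforce_filevault and not held:
        findings.append("FileVault enforcement planned without holding the device")
    # Both URLs carry enrollment or authentication traffic.
    for key in ("url", "configuration_web_url"):
        if p.get(key) and urlparse(p[key]).scheme != "https":
            findings.append(f"{key} is not https")
    return findings

if __name__ == "__main__":
    for finding in audit_profile(SAMPLE_PROFILE, enforce_filevault=True):
        print("FINDING:", finding)
```
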
Auto Advance and Automated Device Enrollment (macOS)
Auto Advance is an additional option for Automated Device Enrollment that allows you to skip all Setup Assistant panes automatically with a Mac computer that is plugged into Ethernet. After configuring Auto Advance in your device management service, organizations can order Mac computers and, after they arrive, simply plug them into Ethernet and power them on. The Mac locates the assigned device management service and undergoes an automatic configuration based on settings from the service, including skipping all Setup Assistant panes. The user then enters a known user name and password at the login window. For a Mac to take advantage of Auto Advance, it needs to have macOS 11 or later, and meet all the following additional criteria:
The computer’s serial number needs to appear in Apple School Manager or Apple Business Manager.
A device management service needs to apply the Automated Device Enrollment settings, including the Auto Advance key, to the Mac.
It needs to be plugged into a power source (recommended but not required).
It needs to be plugged into an active Ethernet connection (initial configuration only).
It needs to be able to access the device management service through an internal network or the internet.
Enforcing a minimum version of iOS, iPadOS, and macOS
Device management services can enforce a minimum operating system version on enrolling devices when using Automated Device Enrollment. If the device doesn’t meet the minimum version that the service expects, the operating system guides the user through a software update or upgrade before they can continue with Setup Assistant. This ensures that organization-owned devices are on the necessary version required before being put into production.
Enforcing Automated Device Enrollment
If a Mac with macOS 14 or later that’s registered to Apple School Manager or Apple Business Manager doesn’t enroll into device management during the first setup, a full-screen setup experience is displayed.
The user can choose “Not now” once, which causes the screen to be dismissed for 8 hours. During those 8 hours, the user sees a follow-up option in System Settings to start the enrollment. After the time expires, an administrator needs to enroll the device.
This replaces the current notification experience and ensures that the device needs to be enrolled into device management in order to be used. Enforcing device enrollment results in fewer unmanaged organization-owned devices.