
Enrollment methods for built-in device management
Overview
To view critical device facts, send apps and settings, or push commands to a device, devices need to be enrolled into the built-in device management service in Apple Business.
The enrollment method depends on how the device will be used and whether apps are assigned to a user or a device. Some methods use data separation, which keeps organizational and personal data separate and ensures organizational data is automatically removed when the enrollment profile is removed. Data separation is available with Account-driven User Enrollment and Account-driven Device Enrollment. Automated Device Enrollment doesn’t provide data separation regardless of Blueprint assignment.
You can use the following enrollment methods to manage devices:
Account-driven User Enrollment: Account-driven User Enrollment is designed for BYOD—or bring-your-own-device deployments—where the user, not the organization, owns the device.
Account-driven Device Enrollment: Account-driven Device Enrollment is designed for organization-owned devices already in use by the user. It allows users to manually enroll the device without requiring it to be erased.
Automated Device Enrollment: Automated Device Enrollment is designed for new or erased devices. Automated Device Enrollment lets organizations configure and manage devices from the moment the devices are removed from the box and turned on. This method of enrollment can be used for Blueprints assigned to users or devices. All the user needs to do is sign in on their device with their Managed Apple Account to get their device managed.
Note: For Automated Device Enrollment with a Blueprint assigned to a device, a personal Apple Account isn’t part of the managed experience. Apple Business doesn’t recognize or manage it. However, a user can optionally sign in with a personal Apple Account in Settings after enrollment.
After a device is successfully enrolled and managed, the device gets all of the configured settings, assigned apps, and has the Apple Business app installed. Depending on the enrollment method, not all apps and features are available to sync with iCloud. See Service access with Managed Apple Accounts.
Choosing an enrollment method
The enrollment method depends on who owns the device, how it will be used, and how much separation you want between organizational and personal data. Use the following guidance to match your deployment scenario to the recommended approach.
The device is organizationally owned, new or erased, and requires full supervision
Use Automated Device Enrollment with a Blueprint assigned to the user or user group.
The user signs in with their Managed Apple Account during Setup Assistant, which becomes the only iCloud account on the device. When Setup Assistant completes, the device is supervised and fully managed. This provides the highest level of organizational control and is appropriate for deployments where the device is fully dedicated to work use. If your deployment also requires users to access personal apps and services on the same device, consider Account-driven Device Enrollment instead.
The device is organizationally owned, already in use, and you want work and personal data separated
Use Account-driven Device Enrollment with a Blueprint assigned to the user or user group.
The user signs in with their personal Apple Account and their Managed Apple Account and retains access to personal apps and services while organizational data remains separate. On a Mac, this results in it being supervised. On iPhone, iPad, and Apple Vision Pro devices, the device isn’t supervised. Data separation ensures organizational data is kept separate from personal data and is automatically removed when the enrollment profile is removed, without affecting the user’s personal data.
The device is personally owned (BYOD)
Use Account-driven User Enrollment with a Blueprint assigned to the user or user group.
The user signs in with their Managed Apple Account and organizational management is restricted to that Managed Apple Account and managed apps. The user’s personal Apple Account and personal data are never touched by management. Data separation ensures organizational data is kept separate from personal data and is automatically removed when the enrollment profile is removed, without affecting the user’s personal data.
The device is shared or dedicated to a single function
Use Automated Device Enrollment with a Blueprint assigned to the device by serial number.
Enrollment method summary
Note: Obsolete devices (seven years after introduction) may work, but aren’t supported. For a complete list, see the Apple Support article Obtaining service for your Apple product after an expired warranty.
| Deployment scenario | Recommended enrollment method / Supervision / Blueprint assignment | Minimum operating system version and account requirements | Data separation |
|---|---|---|---|
| Fully managed—new or erased, supervised | Automated Device Enrollment; Supervised; User or user group | iOS 15, iPadOS 15, macOS 12.0.1, tvOS 15 (device Blueprint only), visionOS 26.4 (if the beta feature is turned on). Managed Apple Account: Required. Personal Apple Account: Not permitted | |
| Organization-owned device, work and personal data separated | Account-driven Device Enrollment; Not supervised (iPhone, iPad, Apple Vision Pro), Supervised (Mac); User or user group | iOS 17, iPadOS 17, macOS 14, visionOS 26.4. Managed Apple Account: Required. Personal Apple Account: Optional | |
| BYOD—personally-owned device | Account-driven User Enrollment; Not supervised; User or user group | iOS 15, iPadOS 15, macOS 14, visionOS 26.4. Managed Apple Account: Required. Personal Apple Account: Optional | |
| Shared or dedicated-use device | Automated Device Enrollment; Supervised; Device (by serial number)¹ | iOS 15, iPadOS 15, macOS 12.0.1, tvOS 15 (device Blueprint only), visionOS 26.4 (if the beta feature is turned on). Managed Apple Account: Required. Personal Apple Account: Optional | |

¹ No Managed Apple Account is required. This is appropriate for shared devices, dedicated-use devices, or any scenario where the device—not the user—is what’s being managed. After enrollment, a user can optionally sign in with a personal Apple Account in Settings. Organizations that require tighter control over data flows in this configuration can upload custom configuration profiles.
Account-driven User Enrollment
You can use Account-driven User Enrollment to enroll a user’s personal iPhone, iPad, Mac, and Apple Vision Pro into Apple Business.
After the user signs in with their Managed Apple Account, the following occurs:
Apple Business app installed: Yes
Assigned apps available: In the Apple Business app
Settings applied: Yes
Device supervised: Mac: No. iPhone, iPad, Apple Vision Pro: No
Personal and work data separated: No
Unmanaged (personal) Apple Account iCloud storage: Yes
Organization Managed Apple Account iCloud storage: Available
Requirements
This feature requires iOS 15, iPadOS 15, macOS 14, visionOS 26.4, or later. To require the device to enroll using Account-driven User Enrollment when signed in with a Managed Apple Account, do the following:
In Apple Business, sign in with a user whose role has permissions to manage devices.
To view roles and permissions, see Intro to roles and permissions.
In your browser, choose Devices > Management Services.
Select the Device Enrollment tab.
Select Enroll as personal device for all device types you want to enroll with Device Enrollment upon sign in with a Managed Apple Account.
Note: User Enrollment leads to unsupervised management, meaning your IT department has limited management over User Enrolled devices. This method of enrollment is best for personally owned devices, or organizationally-owned devices that don't need to be supervised. Any iPhone or iPad that requires supervision needs to enroll using Automated Device Enrollment. See About Apple device supervision in Apple Platform Deployment.
Account-driven Device Enrollment
You can use Account-driven Device Enrollment on any organization-owned Mac that’s already in use by a user or hasn’t been linked to your Apple Customer Number or Reseller Number. The user signs in with their personal Apple Account and their Managed Apple Account and retains access to personal apps and services while organizational data remains separate. Data separation ensures organizational data is kept separate from personal data and is automatically removed when the enrollment profile is removed, without affecting the user’s personal data. Assign a Blueprint to the user or user group to deliver apps and settings.
After the user signs in with their Managed Apple Account, the following occurs:
Apple Business app installed: Yes
Assigned apps available: In the Apple Business app
Settings applied: Yes
Device supervised: Mac: Yes. iPhone, iPad, Apple Vision Pro: No
Personal and work data separated: Yes
Unmanaged (personal) Apple Account iCloud storage: Yes
Organization Managed Apple Account iCloud storage: Available
Requirements
This feature requires iOS 17.1, iPadOS 17.1, macOS 14.1, visionOS 26.4, or later. For devices with previous versions, signing in with a Managed Apple Account results in User Enrollment.
To require an iPhone, iPad, Mac, or Apple Vision Pro to enroll using Account-driven Device Enrollment when signed in with a Managed Apple Account, do the following:
In Apple Business, sign in with a user whose role has permissions to manage devices.
To view roles and permissions, see Intro to roles and permissions.
In your browser, choose Devices > Management Services.
Select the Device Enrollment tab.
Select Enroll as an organization-owned device for all device types you want to enroll with Device Enrollment upon sign in with a Managed Apple Account.
Automated Device Enrollment (all devices)
You can use Automated Device Enrollment with a Blueprint assigned to a user on any organization-owned iPhone, iPad, Mac, Apple TV, and Apple Vision Pro (if the beta feature is turned on). The Managed Apple Account used during Setup Assistant becomes the only iCloud account on the device. If your deployment also requires users to access personal apps and services on the same device, consider Account-driven Device Enrollment instead, which provides data separation alongside a personal Apple Account. Assign a Blueprint to the user or user group to deliver apps and settings.
After the user signs in during Setup Assistant with their Managed Apple Account, the following occurs:
Apple Business app installed: Yes (Not available for Apple TV)
Assigned apps available: In the Apple Business app for Blueprint assigned to users, or downloaded immediately for device plans
Settings applied: Yes
Device supervised: Yes
Unmanaged (personal) Apple Account iCloud storage: Unavailable
Organization Managed Apple Account iCloud storage: Available (Not available for Apple TV)
Requirements
This feature requires iOS 15, iPadOS 15, macOS 12.0.1, tvOS 15, visionOS 26.4, or later. To require the device to enroll using Automated Device Enrollment when signed in with a Managed Apple Account, do the following:
Link your Apple Customer Number or Reseller Number to Apple Business. See Manage device suppliers.
After a device appears in Apple Business, assign it to the Apple Business device management service. See Device workflow.
If your device doesn’t appear in Apple Business, you can add it using Apple Configurator. See Add devices from Apple Configurator.
The devices need to be connected to the internet and powered on. A specified user can then finish Setup Assistant for iPhone, iPad, and Mac. Apple TV finishes the Setup Assistant automatically.
Users then sign in to Setup Assistant with their Managed Apple Account user name and password.
Automated Device Enrollment (Devices that use a Blueprint assigned to a device)
To keep your organization secure, before a device can be managed, any device with a device subscription needs to be manually approved by any user whose role has permissions to purchase Apple Business subscriptions. You can either do this when you add the device to a Blueprint or after the device has enrolled.
To automatically approve devices when you add them to a device Blueprint, select Approve recently added devices for management without manual review at the time of Blueprint confirmation. This is possible only on devices that are newly added to a Blueprint assigned to a device and have never previously been approved and managed by Apple Business.
When a Blueprint is assigned to a device by serial number, Automated Device Enrollment is the only supported enrollment method. No Managed Apple Account is required—making this the choice for shared devices, dedicated-use devices, or any scenario where the device—not the user—is the unit of management. After enrollment, a user can optionally sign in with a personal Apple Account in Settings. This configuration does not provide data separation between personal and organizational data; organizations that need to restrict data flows in this scenario can upload custom configuration profiles to supplement the built-in controls. Assign a Blueprint to the device by serial number to deliver apps and settings.
Requirements
This feature requires iOS 15, iPadOS 15, macOS 12.0.1, tvOS 15, visionOS 26.4, or later. For Automated Device Enrollment with a device subscription, first complete the task Automated Device Enrollment (all devices).
To approve devices after they’ve been enrolled:
In Apple Business, sign in with a user whose role has permissions to manage devices.
To view roles and permissions, see Intro to roles and permissions.
If necessary, search for the device in the search field. See How to search.
To search for specific devices, you can paste up to 1024 serial numbers from a text file, with each serial number separated by a comma.
Select the device you want to manage.
Review the enrollment details, including the date and time of enrollment, the operating system, and the certificate fingerprint. (This step is important. Ensure that all this information is correct before approving any devices for management.)
To find the certificate fingerprint, do one of the following:
iPhone, iPad, Apple Vision Pro: Find the certificate fingerprint of your iPhone, iPad, or Apple Vision Pro by navigating to Settings > your Managed Apple Account > More Details > Device Identity Certificate. The certificate fingerprint is found at the bottom of the page under Fingerprints > SHA-256.
Mac: Find the certificate fingerprint of your Mac by navigating to Keychain > Certificates > Systems and then selecting the entry with a random UUID that has Issued by: Apple MDM RSA CA 1 - G1. Open the window and scroll down. The certificate fingerprint is found under Fingerprints > SHA-256.
Choose one of the following:
If the enrollment details are correct, approve the device for management.
If the enrollment details are incorrect, deny the device for management. Denying a device removes the enrollment profile, and the device won’t be managed.
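The fingerprint comparison in the review step above, as an added example that is not part of Apple's documentation: it computes the SHA-256 fingerprint of a device identity certificate exported from the device (PEM or DER) and approves only on a full-length match with the value transcribed from the enrollment details. All function names and the sample bytes are constructed for illustration; Apple Business itself is not queried.

```python
import base64
import hashlib
import re

PEM_RE = re.compile(
    rb"-----BEGIN CERTIFICATE-----(.+?)-----END CERTIFICATE-----", re.S
)


def cert_fingerprint(cert_bytes: bytes) -> str:
    """SHA-256 fingerprint (lowercase hex) of a certificate given as PEM or DER.

    The fingerprint is the hash of the DER encoding, so PEM is decoded first.
    """
    match = PEM_RE.search(cert_bytes)
    der = base64.b64decode(match.group(1)) if match else cert_bytes
    return hashlib.sha256(der).hexdigest()


def normalize_fingerprint(text: str) -> str:
    """Drop spaces and colons, lowercase, and insist on all 32 bytes."""
    hexed = re.sub(r"[\s:]", "", text).lower()
    if not re.fullmatch(r"[0-9a-f]{64}", hexed):
        raise ValueError("not a complete SHA-256 fingerprint")
    return hexed


def review_enrollment(device_cert: bytes, shown_fingerprint: str) -> str:
    """Return 'approve' only when the fingerprint shown for the pending device
    equals the one computed from the certificate taken from the device itself.
    Truncated or malformed values are denied rather than prefix-matched."""
    try:
        shown = normalize_fingerprint(shown_fingerprint)
    except ValueError:
        return "deny"
    return "approve" if shown == cert_fingerprint(device_cert) else "deny"


# Constructed sample input: placeholder bytes standing in for a DER certificate.
SAMPLE_DER = b"constructed placeholder bytes, not a real certificate"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(SAMPLE_DER)
              + b"-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    fp = cert_fingerprint(SAMPLE_PEM)
    spaced = " ".join(fp[i:i + 2] for i in range(0, 64, 2)).upper()
    print(review_enrollment(SAMPLE_DER, spaced))   # full match, reformatted
    print(review_enrollment(SAMPLE_DER, fp[:16]))  # truncated value
```

Denying on a truncated value matters because comparing only the first or last few bytes of a fingerprint by eye is the usual way this review step gets weakened.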
Send enrollment instructions to a single user
To send instructions to a user directing them to sign in to a device with a Managed Apple Account, do the following:
In Apple Business, sign in with a user whose role has permissions to create, edit, and delete Managed Apple Accounts.
To view roles and permissions, see Intro to roles and permissions.
If necessary, search for the user in the search field. See How to search.
Select the user from the list, then select Enroll Devices.
Choose the device instructions to send to the user:
Mac
iPhone, iPad, Apple Vision Pro
Select Send.
When the user receives the email, they can select the link contained in the note at the bottom of the Mac enrollment instructions and follow the directions on the webpage to get their device managed.
Send enrollment instructions to multiple users
To send instructions to multiple users at once directing them to sign in to a device with a Managed Apple Account, do the following:
In Apple Business, sign in with a user whose role has permissions to create, edit, and delete Managed Apple Accounts.
To view roles and permissions, see Intro to roles and permissions.
If necessary, search for the users in the search field. See How to search.
Select the users from the list, then select Send Device Enrollment Instructions.
Choose the device instructions to send to the users:
Mac
iPhone, iPad, Apple Vision Pro
Select Send.
When the users receive the email, they can select the link contained in the note at the bottom of the Mac enrollment instructions and follow the directions on the webpage to get their device managed.
Apple Business app
With Apple Business and the Apple Business app, users can:
Download the work apps they’ve been assigned by their organization.
View all of their managed devices.
Directly access AppleCare+ for Business support.
Request, track, and cancel repairs covered under AppleCare+ for Business.
After users enroll in device management, the app is automatically downloaded to their iPhone, iPad, Mac, or Apple Vision Pro. See the Apple Support article About the Apple Business app.

