Using Apple Configurator For Automated Enrollment

I have covered Apple Configurator in a couple of different articles already. But one question I’ve gotten a number of times is how to do automated enrollment of iOS devices into an MDM solution, such as Profile Manager. Each device that gets enrolled into Profile Manager will require a Trust Profile (installed under the Profiles tab of the MyDevices portal) and an Enrollment Profile (installed under the Devices tab of the MyDevices portal). The Trust Profile requires about 3 or 4 taps to install and the Enrollment Profile requires about the same.

The best way I’ve seen for doing automated enrollment is actually to do semi-automated enrollment. Basically, each device gets the Trust Profile deployed in a profile, likely alongside an SSID that the wireless network users will use for actual enrollment. I usually advocate a temporary network according to how complicated the standard wireless network is (e.g. if you use certificates with 802.1x then during enrollment your device won’t necessarily be a supplicant).  Apple Configurator can very easily provide a Trust Profile and the SSID. Should take about 3 minutes worth of work if you have an existing Profile Manager deployment (if you don’t, see this article).

Chances are, many will want their devices tied to a user account. For example, if you use Payload Variables at all, then you’ll need a user associated with a device at enrollment time in order to expand the Payload Variables into short names, email addresses, etc. Therefore, I would recommend deploying a web clip for the enrollment site, along with a Trust Profile and the SSID access to the enrollment network. This makes enrollment 4 taps, a username and a password. This will give users a customized ActiveSync environment, password policies, restrictions, VPN, web clips, as many SSIDs as you care to deploy, etc.

To setup an enrollment environment for users, we’ll first need to download the Trust Profile. To do so, I usually just log into the MyDevices portal of Profile Manager from the computer running Apple Configurator, by first visiting the https://<nameofserver>/MyDevices URL. Here, click on the Profiles tab.

Click on the Install button for the Trust Profile entry, which pulls the mobileconfig file from https://mdm.pretendco.com/devicemanagement/api/profile/get_ssl_cert_profile if the URL were mdm.pretendco.com. This URL redirects to an administrative page. When the download is complete, Apple Configurator will open automatically as installing Apple Configurator changes the default application for .mobileconfig files from System Preferences to Apple Configurator. Once downloaded, close and then reopen Apple Configurator.

Once re-opened, double-click on the Trust Profile that was just installed.

The General screen shows information about the profile.

This profile can easily act as a Trust profile. But we also need the device enrolled in a wireless network that can be used to access the Profile Manager server. Click on WiFi, click Configure and add the settings for your network.

We’re also going to add a link to enroll the devices using the MyDevices portal. Click on Web Clips and then enter the name that you want the user to see in the Label field and the link to the MyDevices portal in the URL field.

Finally, we don’t want users prompted with petty SSL errors. This server doesn’t have a publicly signed certificate. Click on Credentials and note that the Trust is already added. We will also grab the certificate for the server from Keychain and click the plus sign to add another certificate. Import the one exported from the Keychain.  Then click on Save and you’ll have a good Trust Profile.

Next, we’ll need to export the Enrollment Profile as well. To do so, go to the Profile Manager portal again and click on the Enrollment Profile entry in the sidebar. Uncheck the box to restrict devices (unless you’ve imported all the devices for your environment into Profile Manager) and then click on Download and the Enrollment profile is downloaded to the client.

Quit and re-open Apple Configurator. The Enrollment Profile is now listed in the Profiles field.

Next, click on the checkbox for the Trust profile and then click on Prepare. On the iOS device you’ll then see the the enrollment process. Tap on the Install buttons until the profile is enrolled.

One would think that the device would then be able to be enrolled automatically. You can Enroll manually by logging into the My Devices portal (using the Web Clip) and clicking on the Enroll button and following the default buttons presented to users. You can also email Enrollment Profiles, text them or install them via iPhone Configuration Utility.

To also install the enrollment profile and complete the entire enrollment process, just click that other checkbox in Apple Configurator. Now, the concern in doing so would again be that you don’t know which user is associated with which device, taking Payload Variables out of the equation. Leaving the fields that you might otherwise place those into blank simply allows for user input when that part of the MDM profile is run.

  • Dave

    Great post. I am curious to know how you see this part “But we also need the device enrolled in a wireless network that can be used to access the Profile Manager server.” working in a typical enterprise environment.

    Have you had a chance to try and make profile manager run through a proxy?

    • http://www.krypted.com Charles

      I haven’t, but I do have a project coming up to do so, so I’ll post how it goes!

  • Derick

    Charles, great article.

    I was able to successfully enroll a device using Configurator over USB. Because it had been previously enrolled, the user account remained the same.

  • macman

    I just tried preparing ipad’s installing a few apps with apple configurator. managing from lion server profile manager.
    I’ve added apple configurator prepared ipads to a group in lion server profile manager with wireless setting, SSID and password.

    I tried installing trust profile and device enrollment and not installing any profiles with apple configurator.
    In both cases wireless settings LAN is not removed when ipad is removed from the profile manager wireless group. The wireless group settings are removed via push from the ipad but wifi password remains

    I’m able to tap on the wireless and rejoin, no prompts to enter password which should have been removed via push