I’ve written a number of articles on automating MDM enrollments using Apple Configurator in the past. In Apple Configurator 2, there are some new options that make the process much easier than it’s ever been in the past. To get started, let’s open Apple Configurator 2 and click on a Blueprint we’d like to apply to devices being prepared during a mass iPad or iPhone enrollment through Apple Configurator. Control-click on the Blueprint to set up for automated enrollment and click on the Prepare button.
At the Organization screen, select the organization you’d like to enroll your device in and click on the Next button.
At the Server screen, select to enroll in an MDM server.
At the Define an MDM Server screen, type the name of a server and click Next.
The server is then located and, provided the Apple Configurator 2 system can communicate with the server, you’ll get a choice of the MDM service to enroll into. Select the certificate and click Next.
At the Supervise Devices screen, select whether you’d like to supervise devices enrolled using Apple Configurator 2. Click Next.
At the Configure iOS Setup Assistant screen, choose whether to skip some screens during the initial configuration of the device and click on Prepare.
Now, during the preparation in Apple Configurator, you’ll be able to enroll iOS devices into Profile Manager (or another MDM) en masse.
Additionally, the traditional method of enrollment (Configurator 1) still works. Here, you’d download a trust profile by clicking the name in the upper right corner of the Profile Manager interface and then choosing Download Trust Profile.
You’ll also need the Enrollment Profile, accessed using the plus sign (+) in the lower left corner of the screen and choosing Enrollment Profile.
The two are then added to the Profiles of a blueprint in Apple Configurator 2. You can also use the Settings for a device group to set placeholders for devices so they’re automatically assigned to a group during mass enrollments like this.
Overall the options in Apple Configurator 2 with Profile Manager or another MDM are way easier to use than in previous versions. I think a lot of new administrators will be able to easily get used to this workflow. Enjoy!
krypted November 4th, 2015
I have covered Apple Configurator in a couple of different articles already. But one question I’ve gotten a number of times is how to do automated enrollment of iOS devices into an MDM solution, such as Profile Manager. Each device that gets enrolled into Profile Manager will require a Trust Profile (installed under the Profiles tab of the MyDevices portal) and an Enrollment Profile (installed under the Devices tab of the MyDevices portal). The Trust Profile requires about 3 or 4 taps to install and the Enrollment Profile requires about the same.
The best way I’ve seen for doing automated enrollment is actually to do semi-automated enrollment. Basically, each device gets the Trust Profile deployed in a profile, likely alongside an SSID that the wireless network users will use for actual enrollment. I usually advocate a temporary network according to how complicated the standard wireless network is (e.g. if you use certificates with 802.1x then during enrollment your device won’t necessarily be a supplicant). Apple Configurator can very easily provide a Trust Profile and the SSID. This should take about 3 minutes’ worth of work if you have an existing Profile Manager deployment (if you don’t, see this article).
Chances are, many will want their devices tied to a user account. For example, if you use Payload Variables at all, then you’ll need a user associated with a device at enrollment time in order to expand the Payload Variables into short names, email addresses, etc. Therefore, I would recommend deploying a web clip for the enrollment site, along with a Trust Profile and the SSID access to the enrollment network. This makes enrollment 4 taps, a username and a password. This will give users a customized ActiveSync environment, password policies, restrictions, VPN, web clips, as many SSIDs as you care to deploy, etc.
To set up an enrollment environment for users, we’ll first need to download the Trust Profile. To do so, I usually just log into the MyDevices portal of Profile Manager from the computer running Apple Configurator, by first visiting the https://<nameofserver>/MyDevices URL. Here, click on the Profiles tab.
Click on the Install button for the Trust Profile entry, which pulls the mobileconfig file from https://mdm.pretendco.com/devicemanagement/api/profile/get_ssl_cert_profile if the URL were mdm.pretendco.com. This URL redirects to an administrative page. When the download is complete, Apple Configurator will open automatically as installing Apple Configurator changes the default application for .mobileconfig files from System Preferences to Apple Configurator. Once downloaded, close and then reopen Apple Configurator.
Once re-opened, double-click on the Trust Profile that was just installed.
The General screen shows information about the profile.
This profile can easily act as a Trust profile. But we also need the device enrolled in a wireless network that can be used to access the Profile Manager server. Click on WiFi, click Configure and add the settings for your network.
We’re also going to add a link to enroll the devices using the MyDevices portal. Click on Web Clips and then enter the name that you want the user to see in the Label field and the link to the MyDevices portal in the URL field.
Finally, we don’t want users prompted with petty SSL errors. This server doesn’t have a publicly signed certificate. Click on Credentials and note that the Trust is already added. We will also grab the certificate for the server from Keychain and click the plus sign to add another certificate. Import the one exported from the Keychain. Then click on Save and you’ll have a good Trust Profile.
Next, we’ll need to export the Enrollment Profile as well. To do so, go to the Profile Manager portal again and click on the Enrollment Profile entry in the sidebar. Uncheck the box to restrict devices (unless you’ve imported all the devices for your environment into Profile Manager) and then click on Download and the Enrollment profile is downloaded to the client.
Quit and re-open Apple Configurator. The Enrollment Profile is now listed in the Profiles field.
Next, click on the checkbox for the Trust profile and then click on Prepare. On the iOS device you’ll then see the enrollment process. Tap on the Install buttons until the profile is enrolled.
One would think that the device would then be able to be enrolled automatically. You can enroll manually by logging into the My Devices portal (using the Web Clip) and clicking on the Enroll button and following the default buttons presented to users. You can also email Enrollment Profiles, text them or install them via iPhone Configuration Utility.
To also install the enrollment profile and complete the entire enrollment process, just click that other checkbox in Apple Configurator. Now, the concern in doing so would again be that you don’t know which user is associated with which device, taking Payload Variables out of the equation. Leaving the fields that you might otherwise place those into blank simply allows for user input when that part of the MDM profile is run.
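Every device prepared from the blueprint will trust whatever the Trust and Enrollment profiles contain, so it is worth inspecting the saved .mobileconfig files before attaching them, in either the Configurator 1 or Configurator 2 workflow. The following Python check is an added example, not code from this post or from Apple's tools. The function names and the sample profile are constructed for illustration, the payload types and keys are Apple's configuration-profile ones, mdm.pretendco.com is the post's example host, and extracting the plist from a signed profile by searching for its XML markers is an assumption that holds for profiles whose signed content is stored contiguously.

```python
import hashlib
import plistlib
from urllib.parse import urlparse

CERT_TYPES = {"com.apple.security.root", "com.apple.security.pkcs1"}

def load_profile(raw: bytes) -> dict:
    """Parse a .mobileconfig; a signed one wraps the XML plist in a CMS blob."""
    start, end = raw.find(b"<?xml"), raw.rfind(b"</plist>")
    if start < 0 or end < 0:
        raise ValueError("no XML plist found in profile")
    return plistlib.loads(raw[start:end + len(b"</plist>")])

def audit_profile(raw: bytes, mdm_host: str) -> list:
    """Return findings an admin should review before mass deployment."""
    findings = []
    def check_url(label, url):
        u = urlparse(url or "")
        if u.scheme != "https":
            findings.append(f"{label}: not HTTPS ({url})")
        if u.hostname != mdm_host:
            findings.append(f"{label}: host {u.hostname} is not {mdm_host}")
    for p in load_profile(raw).get("PayloadContent", []):
        ptype = p.get("PayloadType")
        if ptype in CERT_TYPES:
            # Compare with the fingerprint Keychain shows (DER payload assumed).
            fp = hashlib.sha256(p["PayloadContent"]).hexdigest()
            findings.append(f"trust anchor {p.get('PayloadDisplayName')}: sha256={fp}")
        elif ptype == "com.apple.wifi.managed":
            if p.get("EncryptionType") == "None":
                findings.append(f"wifi {p.get('SSID_STR')}: open network")
            if "Password" in p:
                findings.append(f"wifi {p.get('SSID_STR')}: passphrase stored in profile")
        elif ptype == "com.apple.webClip.managed":
            check_url(f"web clip {p.get('Label')}", p.get("URL"))
        elif ptype == "com.apple.mdm":
            for key in ("ServerURL", "CheckInURL"):
                if key in p:
                    check_url(f"MDM {key}", p[key])
    return findings

# Constructed sample profile (not a real certificate, SSID or passphrase).
SAMPLE = plistlib.dumps({"PayloadDisplayName": "Trust Profile", "PayloadContent": [
    {"PayloadType": "com.apple.security.root", "PayloadDisplayName": "Server CA",
     "PayloadContent": b"constructed-not-a-real-certificate"},
    {"PayloadType": "com.apple.wifi.managed", "SSID_STR": "Enroll",
     "EncryptionType": "WPA", "Password": "constructed-passphrase"},
    {"PayloadType": "com.apple.webClip.managed", "Label": "Enroll",
     "URL": "http://mdm.pretendco.com/MyDevices"}]})
```

Run it on a real file with `audit_profile(open(path, "rb").read(), "<nameofserver>")`; every trust anchor is always listed so its fingerprint can be matched against the certificate exported from Keychain.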
krypted April 2nd, 2012