Enrolling mobile devices
There are two ways to enroll a device in Mac Device Enrollment. The first way is automated device enrollment, which allows a device reseller to pre-configure a device to communicate with your Apple enrollment system, either Apple Business Manager or Apple School Manager. Your enrollment system then instructs the enrolling device to contact Mac Device Enrollment to configure initial settings through enrollment profiles, and to install a set of initial applications. The second way to enroll a device is user-assisted enrollment, which allows users to enroll a device using the Tanium MDM enrollment portal.
Automated device enrollment
Automated device enrollment automatically adds devices to Mac Device Enrollment and allows you to automatically configure devices as they enroll with your Apple enrollment system. When you use this method, a device reseller pre-configures devices to communicate with your Apple enrollment system when the devices are first turned on. The Apple enrollment system then instructs the devices to contact Mac Device Enrollment for initial device configuration settings through enrollment profiles and to install a set of initial applications. Complete the following tasks to configure automated device enrollment:
- Import one or more server tokens from your Apple enrollment system. When devices enroll in an Apple enrollment system, they are assigned to a server token. When you import a server token into Mac Device Enrollment, the list of devices assigned to the server token is identified to Tanium. You can import as many server tokens as necessary into Mac Device Enrollment. See Upload server tokens from an Apple enrollment system.
- Create device enrollment profiles. Enrollment profiles contain general settings, such as whether a device can be shared between two users or if users can delete MDM profiles from the device. The enrollment profile also contains settings that determine details of the initial device setup experience, such as whether users are asked to create an Apple ID, set up biometrics, or set up a passcode. For information, see Creating enrollment profiles.
- (Optional) Add initial applications. This is a predefined list of applications that are installed on any new device that enrolls with Mac Device Enrollment. These applications are typically the most critical, such as administrative tools like the Tanium Client or antivirus software. For information, see Specifying initial applications.
After a device is enrolled and has received an enrollment profile, you can create device configuration profiles in Enforce to make additional changes to device settings.
- If you created a device configuration profile in Enforce and designated it as the base policy, then the base policy is also applied to the device when it enrolls.
- When a newly enrolled device is automatically added to a mobile device group, if that group is targeted by an enforcement, the device configuration profile associated with the enforcement is also applied to the device when it enrolls. For more information about mobile device groups, see Creating mobile device groups.
You can also use Enforce to perform other management tasks such as locking, wiping and resetting a device. For information about managing devices in Enforce, including device configuration profiles and choosing a base policy, see Enforce User Guide: Managing devices with Mac Device Enrollment.
User-assisted enrollment
Choose user-assisted enrollment if you do not use an Apple enrollment system or if devices were previously enrolled in another MDM, and you do not want to reset the devices. Each device that enrolls through the Tanium MDM enrollment portal receives a default profile to identify that the device is enrolled with Mac Device Enrollment. For information about the Tanium MDM enrollment portal, see Using the Tanium MDM enrollment portal.
You cannot apply enrollment policies or initial applications to devices that enroll through user-assisted enrollment.
After a device is enrolled, you can create device configuration profiles in Enforce to configure device settings.
- If you created a device configuration profile in Enforce and designated it as the base policy prior to device enrollment, then the base policy is also applied to the device when it enrolls.
- When a newly enrolled device is automatically added to a mobile device group, if that group is targeted by an enforcement, the device configuration profile that is associated with the enforcement is also applied to the device when it enrolls. For more information about mobile device groups, see Creating mobile device groups.
You can use Enforce to perform other management tasks, such as locking, wiping and resetting a device. For information about managing devices in Enforce, including device configuration profiles and choosing a base policy, see Enforce User Guide: Managing devices with Mac Device Enrollment.
Mac and macOS are trademarks of Apple Inc., and registered in the U.S. and other countries and regions.
Last updated: 9/25/2023 8:58 AM