Regardless of where schools purchase iPads, the next step is to get these devices enrolled into a management solution so IT can configure, secure and equip devices for users.
How do you go about doing just that? We'll use the standard for Apple device management — Jamf Pro — as an example to explain three workflows that make it happen.
Workflow One: Use Apple School Manager to enroll devices.
If you purchased devices through Apple or an authorized Apple reseller, this is the preferred and easiest way to get devices enrolled.
- Get public key from Jamf Pro under Global Management > Automated Device Enrollment
- In Apple School Manager, go to Settings > Device Management Settings > Add New MDM Server; upload the public key and download the server token
- Back in Jamf Pro, go to the same automated device enrollment location and select "New;" upload your server token
- You'll now be able to go into "PreStage Enrollments" on the left column, and select "New"
- Customize your setup assistant, and then select the "Scope" tab to pick which devices will be going through this particular enrollment
Workflow Two: Use Apple Configurator 2.5 to bring devices into Apple School Manager
This workflow is ideal for devices you purchased through a non-Apple authorized reseller, for donated devices or for re-adding a device that was accidentally released from Apple School Manager.
- In Apple Configurator 2.5, go to Preferences > Organizations and add a new organization (use your Apple School Manager Apple ID)
- Generate a new supervision identity
- Then select the servers icon and create a new server
- Enter a display name for your MDM server and the complete URL of your Jamf Pro server
- Select "Next" when "Unable to verify the server's enrollment URL" page loads
- Select your iPad and then "Prepare"
- Select Manual Configuration and "Add to Device Enrollment Program." Then, supervise the device and allow the device to pair with others
- Select the MDM server that you created in step four
- Select the organization you created in step two
- Select the steps you want to show
- Add a Wi-Fi profile, if wanted, and select "Prepare"
- This will wipe the device
- Once device is wiped and displays the setup assistant, you will see a message that the MDM profile can be removed within 30 days. (Be sure to let those devices wait for the 30 days so they cannot be removed from Apple School Manager)
- In Apple School Manager, go to "Settings" and under the "MDM Servers" section, select "Apple Configurator 2." Then select "Show Devices" and then select one or several devices. Select "Edit Device Management" and move them to your chosen MDM server
- In Jamf Pro, confirm your devices are available under Global Management > Automated Device Enrollment. Once confirmed, go to your PreStage and make sure your new devices are selected. Then, wipe your devices again to have them enroll into your Jamf Pro server
Workflow Three: User-initiated enrollment
Note: This method of enrollment will allow your users to remove the MDM profile, and will not supervise your devices over the air. This method is most typically used when devices are already in use and cannot be wiped. It's still highly recommended that you add these devices into Apple School Manager as another layer of security if the device is stolen and wiped.
- On your iPad, go to your Jamf Pro server URL, and at the end, add "/enroll." For example: https://mycompany.jamfcloud.com/enroll or https://mycompany.edu:8443/enroll
- Log in with your Jamf Pro credentials or your enrollment only credentials.
- If you have the option, select "Institutionally Owned" when specifying who owns the device, then select "Enroll"
- (Optional) Assign a user and/or site only if applicable to your environment. Otherwise select "Enroll"
- Tap "Continue"
- Select "Allow" to open settings
- You'll see the prompt, "Profile Downloaded." Select close and go to Settings > General > Profiles. You'll see a "Downloaded Profile" header with "MDM Profile." Select "MDM Profile"
- Select Install on the top right corner
- You'll see "The authenticity of 'MDM Profile' cannot be verified." Select the "Install" option on the top right again. You'll receive a prompt, "Install Profile." Select "Install"
- You'll receive a warning page; select "Install" at the top right corner again
- Tap "Trust" on the remote management notification
- Hit "Done"
That's it! You now have a device enrolled into your Jamf Pro instance that is managed and ready to receive your applications and settings. Want to see these workflows in action? Check out this video.
Ready to put these workflows to the test in your environment?
Take Jamf Pro for a free test drive and tell us what you think.