Jamf Blog
November 15, 2021 by Jesus Vigo

Account-driven User Enrollment + Service Discovery

Striking a balance between managing security and maintaining user privacy while supporting your organization’s BYOD initiative just got easier for IT and end-users alike, regardless of where they are or what network connection they're using to stay productive.

With its release of iOS/iPadOS 15, Apple announced several notable features for end-users to great fanfare. With decidedly less fervor, there were a few features included that primarily benefit IT admins, but also help to make life easier for users relying on their personal devices to accomplish work-related tasks.

Two of these features in question – Account-driven User Enrollment and Service Discovery – are at the forefront of simplifying the enrollment process of personally owned devices into the BYOD program supported by your organization.

Some of the benefits to users when IT enables these features are:

  • Privacy is protected by separating personal and business data
  • Automated discovery of the company’s device management portal
  • Secure device enrollment over any network connection, from anywhere
  • Support for personal and managed Apple IDs

The solution Apple and Jamf have adopted addresses security concerns, maintains user privacy and empowers users to enroll devices themselves without compromising work/life balance or personal safety.

Service Discovery

In this age of remote and hybrid work environments, access to company resources may require users to jump through several hoops in order to securely access the apps, services and data they need to stay productive – regardless of whether their device is personally or company-owned.

Since company-owned devices typically give IT greater management control over the hardware and software, the focus of Service Discovery centers on personally owned devices that users are enrolling into an organization’s BYOD program.

In the past, Apple frameworks required IT to share enrollment profiles manually with end-users to pre-enroll the device, requiring physical authorization by the user to complete the enrollment process. Even then, IT had only a very limited set of management commands available to manage devices and, more importantly, any corporate data that may sit on personal devices as they access company resources.

This scenario has been deprecated since the release of iOS and iPadOS 15 due to the inherent security concerns at multiple phases of this process. Additionally, the remote and hybrid work environment has made it so that users may not be in proximity to corporate networks or face-to-face IT support.

Devices running iOS or iPadOS 15 or later can now initiate a Service Discovery process – which allows a device to identify its organization’s MDM server – from the Settings app on the device. To kick off the process, define Jamf Pro enrollment information in a .JSON file and host it on a web server that is accessible to any device you want enrolled with Jamf Pro. By doing so, users will be automatically directed to their company’s Jamf Pro instance, specifically the device enrollment portal, securely over any network connection and from anywhere in the world to begin enrolling their personal devices themselves.
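As an added example (not Jamf's or Apple's code), the script below builds the discovery document described above and sanity-checks one before it is published. Apple's service discovery has the device take the domain portion of the Managed Apple ID the user types in, request `/.well-known/com.apple.remotemanagement` on that domain with a `user-identifier` query parameter, and expect JSON containing a `Servers` array whose entries carry a `Version` of `mdm-byod` and a `BaseURL`; those names are Apple's documented format. The host names and the enrollment path under the Jamf Pro URL are placeholders; take the real path from Jamf Pro's documentation for your version.

```python
"""Build and sanity-check an Apple account-driven enrollment service
discovery document (added example; hosts and paths are placeholders)."""
import json
from urllib.parse import quote, urlparse

# Apple-defined well-known path that the device requests on the domain of
# the Managed Apple ID the user entered in Settings.
WELL_KNOWN_PATH = "/.well-known/com.apple.remotemanagement"
# Apple-defined version string for account-driven User Enrollment (BYOD).
BYOD_VERSION = "mdm-byod"


def discovery_url_for(managed_apple_id: str) -> str:
    """URL the device will request for this Managed Apple ID.

    The domain comes from the account the user typed, which is why the
    JSON must be hosted on the verified ASM/ABM domain, over HTTPS.
    """
    domain = managed_apple_id.rpartition("@")[2]
    return (f"https://{domain}{WELL_KNOWN_PATH}"
            f"?user-identifier={quote(managed_apple_id, safe='')}")


def build_discovery_document(base_url: str) -> str:
    """JSON text to host at WELL_KNOWN_PATH, pointing at the MDM server."""
    doc = {"Servers": [{"Version": BYOD_VERSION, "BaseURL": base_url}]}
    return json.dumps(doc, indent=2)


def validate_discovery_document(text: str, expected_mdm_host: str) -> list:
    """Return a list of problems found; an empty list means it looks right.

    Checks the points an admin gets wrong most often: malformed JSON, a
    missing mdm-byod entry, a plain-http BaseURL (the device requires TLS
    from a trusted CA) and a BaseURL that points somewhere other than the
    organization's own Jamf Pro host.
    """
    problems = []
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc}"]
    servers = doc.get("Servers") if isinstance(doc, dict) else None
    if not isinstance(servers, list) or not servers:
        return ["missing or empty 'Servers' array"]
    byod_entries = [s for s in servers
                    if isinstance(s, dict) and s.get("Version") == BYOD_VERSION]
    if not byod_entries:
        problems.append(f"no server entry with Version '{BYOD_VERSION}'")
    for entry in byod_entries:
        url = entry.get("BaseURL")
        if not isinstance(url, str):
            problems.append("BaseURL missing")
            continue
        parsed = urlparse(url)
        if parsed.scheme != "https":
            problems.append(f"BaseURL must use https, got '{parsed.scheme}'")
        if parsed.hostname != expected_mdm_host:
            problems.append(f"BaseURL host '{parsed.hostname}' is not the "
                            f"expected Jamf Pro host '{expected_mdm_host}'")
    return problems


if __name__ == "__main__":
    # Constructed sample values; jamf.example.com and the path are placeholders.
    mdm_host = "jamf.example.com"
    doc = build_discovery_document(
        f"https://{mdm_host}/enrollment-path-placeholder/")
    print("device requests:", discovery_url_for("jane@example.com"))
    print(doc)
    print("problems:", validate_discovery_document(doc, mdm_host) or "none")
```

Run the validator against the file you are about to publish and against a fetch of the live URL; a mismatch between the two usually means a CDN or proxy is rewriting the response or serving a stale copy. The document itself carries no secrets, so its integrity, not its confidentiality, is what the HTTPS requirement protects: a user who is redirected to a server you do not control would be handing their enrollment to someone else.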

Account-driven User Enrollment

With the User Enrollment method used previously, limited management of devices was made possible through configurations that managed the user themselves – not the device. While privacy inroads were made possible by segmenting personal and corporate data by tying them to personal and managed Apple IDs respectively, IT had a very limited set of management commands at their disposal to effectively manage devices and any corporate data they contained. This presented a great risk to the organization should devices become lost or stolen, for example, with no way to erase personally owned devices remotely.

While the new Account-driven User Enrollment method retains the privacy functionality of segmenting personal and business data between personal and managed Apple IDs, the management structure of the device is now tied to the managed ID itself, providing IT with greater flexibility in managing the corporate data contained within personal devices, without negatively impacting the user experience or compromising their privacy and personal data.

By leveraging Apple School Manager (ASM) or Apple Business Manager (ABM) to link a corporate domain, organizations can create managed Apple IDs that are linked to the employee’s company email address. When this account is linked to a cloud-based identity provider (IdP), Single Sign-On (SSO) is enabled and required for authentication.

When users are redirected to the company’s Jamf Pro enrollment portal, they are required to authenticate using their managed Apple ID. Upon successfully authenticating, they will be automatically prompted to install the MDM profile on their device. Once enrollment is complete, users logging in with SSO will have their user and location information added to the record in Jamf Pro for their device, making it easier for IT to locate and group devices by user, department and/or location metadata.

Requirements

  • Apple devices running iOS or iPadOS 15, or later
  • Managed Apple IDs belonging to a verified domain linked to ASM/ABM
  • Jamf Pro device management server, running 10.33 or later
    • A push certificate in Jamf Pro
    • User-initiated enrollment enabled
  • Web server
    • Hosted .JSON file with Jamf Pro enrollment information
    • SSL certificate for the web server, issued by a trusted CA
  • LDAP or cloud-based IdP, or Jamf Pro user account

As mentioned during JNUC 2021’s keynote, “if this process feels familiar, it should. It’s a bit like zero-touch deployments for corporate devices because IT does not have to initiate the activity. It’s the user’s choice to kick off the process.”

Unlike corporate-owned devices, users don’t lose control of their personal devices. Instead, they retain full access to their devices, and personal and privacy data. IT manageability of the personal device is limited to user-centric configurations, company-deployed apps and configurations that protect organizational data — these do not extend to personal apps or data.

Implementing BYOD programs in this manner differs from the “tried and true” method that preceded it, which ruled over the land with an iron fist like Dr. Doom and, through over-management, did little to benefit IT or end-users. Through a combination of Apple’s Account-Driven User Enrollment with Service Discovery, Jamf Self Service and Private Access, the next generation of BYOD for Apple devices — managed with Jamf — allows IT to secure corporate resources and data, all the while flexibly allowing users to utilize their personal devices for both work and personal tasks, without compromising their data or privacy, and while still maintaining the user experience Apple users have come to rely upon.

Begin managing personally owned devices while balancing user privacy and enterprise security baselines as part of your organization’s BYOD program with Jamf Pro.
