What is Automated Device Enrollment (ADE) & Process
Businesses that deploy large fleets of Apple devices need a tool to remotely and automatically enroll them into their MDM platform. Automated device enrollment (ADE) is a protocol that automates the setup process for these devices. With ADE, organizations can save time, improve efficiency, and guarantee adherence to their policies.
In this article, we’ll examine what ADE is, how it operates, and how to enroll devices with this tool.
1 What is Automatic Device Enrollment?
Automatic device enrollment is Apple’s automated process to streamline the enrollment and setup of new devices within a business.
Zero-touch, Bulk Enrollment: Organizations can automatically enroll their new iOS, iPadOS, macOS, and tvOS devices in an MDM platform without having to manually access or configure them before assigning them to employees.
Fully managed: The IT admin has full control over the device and its configuration, app deployment, and security settings. Therefore, it isn’t suitable for businesses with a BYOD (Bring Your Own Device) policy or for personal use.
Supervised Mode: Devices gain access to additional management features that aren’t available in non-supervised mode. These features include:
- Web filtering
- App restrictions
- Disabling features
- Remote enforcement of security settings
Prevent unenrollment: ADE offers enhanced security with regard to unenrollment, because it enforces supervision at the system level, ensuring that devices remain managed throughout their lifecycle. They can only be unenrolled by admins, using the ABM platform or Apple Configurator.
2 How to Implement Automatic Device Enrollment (ADE) for iOS Devices?
Requirements
Before deploying ADE as an MDM solution in your organization, make sure that:
- ADE is available in your region (check Apple’s list of supported countries and regions).
- Your Apple devices have been purchased directly from Apple or from Apple’s officially authorized resellers.
Furthermore, ADE is only available for the following Apple devices:
- iPhones with iOS 7 or later versions
- iPads
- Macs with OS X Mavericks 10.9 or later versions
- Apple TVs of the 4th generation or later, with tvOS 10.2 or later versions
Enrollment Process
After creating your business Apple ID in Apple Business Manager, perform the following steps to set up Apple automated device enrollment.
- Step 1. Link your MDM server to ADE
- 1. On your MDM platform (make sure that it supports ADE), navigate to Enrollment, then Apple, then Apple Enrollment (ABM/ASM)
- 2. Now, you can download the MDM Public Key. You’ll need it later.
- 3. Move on to the Apple Business Manager portal and sign in with your credentials.
- 4. Click on Preferences, then MDM Server Assignment, and then navigate to Add MDM Server.
- 5. Enter a name for the server.
- 6. Upload the Public Key you’ve previously downloaded.
- 7. Click Save.
- 8. Still on the Apple Business Manager portal, click on your Account Name, choose Preferences, and then Your MDM Server.
- 9. Select the server you’ve just created.
- 10. Click on Download Token.
- 11. Go back to your MDM solution and click on Upload Server Token.
- 12. Upload the token you’ve previously downloaded. Now, your MDM platform is linked to ADE and you can move on to enroll Apple devices.
- Step 2. Add Devices to Apple Business Manager
- 1. To enroll new Apple devices into the MDM solution via ADE, you need to add your reseller details to the Apple Business Manager platform. This is how you add the necessary details to the ABM platform:
- 2. Log in to Apple Business Manager with your business credentials
- 3. Click on Settings, then Device Management Settings
- 4. Under Customer Numbers, add your Apple Customer Numbers and Reseller ID. You can choose Default Device Assign, which means any time a new device is purchased from the same reseller, it is automatically added to the Apple Business Manager.
- 5. Click Apply
- Step 3. Enroll Devices from ABM to Your MDM Server
- In Apple Business Manager, click on Device, select the device you want to enroll to the MDM server, and then choose Edit MDM Server Assignment
- Select which MDM you would like to manage this device
- Click Confirm to save changes
3 How to Prepare for Enrolling Existing Apple Devices Using ADE?
The method we’ve described in the previous section is only suitable for enrolling newly purchased Apple devices. But what if you need to enroll devices that the organization already owns and that were purchased before you started integrating the MDM solution?
For this purpose, you can add devices in Apple Business Manager (and the MDM solution) manually. This is how you do it:
- On the Apple Business Manager platform, click on Devices (vertical left menu)
- Select the devices you need to add from the provided list of available devices and click Edit Device Management
- In Assign to the server, select the MDM server you’ve previously configured
- Click Continue and finish settings.
4 How to Unenroll ADE Devices from MDM Server?
Unlike other MDM protocols, devices enrolled into an MDM server via ADE can’t be unenrolled by the user by simply removing the MDM profile, because the device is in Supervised Mode which prevents the MDM profile from being removed.
This is an important security feature that ensures that the device remains under the control of the organization.
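The supervision and non-removable enrollment described above are set in the ADE enrollment profile that the MDM server assigns to devices. The following audit of such a profile is an added example, not code from this article or from any MDM vendor; the key names follow Apple's enrollment profile JSON, while the sample profiles, the URL, and the function name `audit_profile` are constructed for illustration.

```python
import json
from urllib.parse import urlparse

# Constructed sample profiles (not from the article). Key names follow Apple's
# ADE enrollment profile JSON; the values and the URL are placeholders.
WEAK_PROFILE = json.loads("""{
  "profile_name": "Sales iPhones",
  "url": "http://mdm.example.com/enroll",
  "is_supervised": true,
  "is_mandatory": false,
  "is_mdm_removable": true,
  "await_device_configured": false
}""")

HARDENED_PROFILE = dict(WEAK_PROFILE, url="https://mdm.example.com/enroll",
                        is_mandatory=True, is_mdm_removable=False,
                        await_device_configured=True)

def audit_profile(profile):
    """Return a list of findings; an empty list means the profile enforces
    supervision and non-removable management as the article describes."""
    findings = []
    if urlparse(profile.get("url", "")).scheme != "https":
        findings.append("url: enrollment endpoint is not HTTPS")
    if profile.get("is_supervised") is not True:
        findings.append("is_supervised: device would not be supervised")
    if profile.get("is_mandatory") is not True:
        findings.append("is_mandatory: user can skip enrollment in Setup Assistant")
    # A missing key counts as removable: fail closed instead of assuming a value.
    if profile.get("is_mdm_removable") is not False:
        findings.append("is_mdm_removable: user can remove the MDM profile")
    elif profile.get("is_supervised") is not True:
        findings.append("is_mdm_removable: non-removable requires supervision")
    if profile.get("await_device_configured") is not True:
        findings.append("await_device_configured: device usable before policies apply")
    return findings

if __name__ == "__main__":
    for name, prof in (("weak", WEAK_PROFILE), ("hardened", HARDENED_PROFILE)):
        issues = audit_profile(prof)
        print(name, "OK" if not issues else issues)
```
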
To unenroll an ADE device, first remove it from the MDM server, then unassign it in the ABM by following these steps:
Remove devices from the Apple Business Manager
- In Apple Business Manager, select Devices on the sidebar
- Select the device you’d like to unenroll
- Choose "Unassign from the current MDM" and click "Continue"
- After saving, the device will be unassigned/unenrolled from the MDM server
5 Does Android Support Automatic Device Enrollment?
Android does have a protocol like ADE, called Android Zero-Touch Enrollment. It allows admins to automatically assign a business’s devices to an MDM server on purchase, without any manual intervention.
Just like Apple’s ADE, Android’s Zero-Touch Enrollment provides admins with a simple way to automatically enroll corporate devices on purchase. The security features are also on par with those from Apple: devices can be unenrolled only by admins, ensuring the integrity of corporate management.
FAQs
The main alternative methods to enroll Apple devices into an MDM platform are:
- Apple Configurator: It’s a manual setup tool, typically used to enroll a small fleet or when admins need to enroll Apple devices that weren’t purchased through the registered resellers.
- Manual Enrollment: Admins can provide a URL to users that they can use to enroll their devices into the MDM platform. This is usually used when Apple devices aren’t purchased from registered resellers.
- User Enrollment with Separate Work Profile: This method allows BYOD devices to be enrolled. It adds the device to the MDM but creates a separate work profile on the employee’s device. This way, the user can protect their privacy while being able to access work-related configurations.