Automated device enrollment
Automated Device Enrollment is a simplified enrollment capability. The main objective is to reduce the enrollment complexity by integrating the enrollment process directly into the device setup preliminary steps. To support this controlled enrollment process, the mobile devices must have been prepared for this operation. Therefore, they must have been acquired from a device enrollment provider identified and authorized by Apple.
When the automated device enrollment is used, the enrollment process is highly simplified from an end-user perspective. There is no need to connect to any enrollment web-based portal as all the information is automatically acquired from the mobile device during the early boot stage. You need to perform some preliminary steps at the mobile device manager level.
Managed servers
Even if the end-user does not explicitly connect to the mobile device enrollment web-based portal, the device still needs to connect to a Mobile Device Manager (MDM) to get enrolled in the solution. When the mobile device executes the setup stages, it silently connects to an Apple cloud server once the device connectivity is established. Then, the device is verified by Apple to determine if an enrollment server has been defined for this mobile device unique identifier. If the device is associated to an MDM server, then the enrollment operation is automatically started.
Each MDM solution needs to provide the steps to implement the relationship between mobile device and the MDM solution. BMC Client Management needs to create managed servers under the device assignment tree node. The device assignment servers are used to create the relationships between the managed devices and the MDM solution on which the managed device will automatically and silently enroll.
A managed server must be paired with an MDM server in the Apple Business Manager web-based portal. This process requires an SSL certificate that is used to encrypt the MDM server authentication token. You need to provide an SSL certificate for which you hold the corresponding private key. If not, BMC Client Management cannot decrypt and use the authentication token downloaded from the Apple web-based portal. It is recommended that you provide the SSL certificate used to set up the MDM endpoint. Refer to the official Apple documentation to set up an MDM server in the Apple web-based portal.
The administrator creates the MDM server in the Apple web-based portal. Using the provided SSL certificate, you can download the associated authentication token required to create the associated BMC Client Management managed server. To create a new managed server:
In the Device Assignment node, select the Add Server option from the context menu.
Important
You can also select the Add Server option from the main menu.
- To create the managed server in the Add a Server pop up, you need to provide a unique name, the authentication token downloaded from the Apple web-based portal, and the private key associated with the SSL certificate used to create the paired MDM server in the Apple web-based application. If the private key is encrypted, you need to provide the password in the dedicated field. It is recommended that you give the BMC Client Management managed server a name matching the MDM server in the Apple web-based portal.
After you create the new server, it is stored with its authentication token. As the token is critical information, it is encrypted first. Then, the server is available in the list of managed servers.
- You can also view the new server in the tree view.
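The certificate, private key and token relationship described above, as an added example that is not BMC or Apple code: a few pre-flight checks an administrator can run before filling in the Add a Server pop up, verifying that the private key belongs to the certificate, whether the key needs the password field, and that the pair actually decrypts the token. It assumes openssl is on the PATH and that the token is the S/MIME (.p7m) file downloaded from Apple Business Manager; the certificate, keys and token it generates are constructed demo material.

```shell
#!/bin/sh
# Added example (not BMC or Apple code): pre-flight checks for the SSL
# certificate, private key and server token used to create a managed server.
# Assumes openssl is on the PATH and that the token is the S/MIME (.p7m) file
# downloaded from Apple Business Manager.
set -eu

# Returns 0 when the private key's public half matches the certificate's
# public key (same SHA-256 over the DER-encoded public key), 1 otherwise.
key_matches_cert() {  # $1 cert.pem  $2 key.pem  [$3 key password]
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey \
             | openssl pkey -pubin -outform DER | openssl dgst -sha256)
  key_pub=$(openssl pkey -in "$2" -passin "pass:${3:-}" -pubout -outform DER \
            | openssl dgst -sha256)
  [ "$cert_pub" = "$key_pub" ]
}
# Returns 0 when the PEM key is password-protected (PKCS#8 "ENCRYPTED PRIVATE
# KEY" or legacy "Proc-Type: 4,ENCRYPTED"), i.e. the password field is needed.
key_is_encrypted() {  # $1 key.pem
  grep -q 'ENCRYPTED' "$1"
}
# Decrypts the server token with the certificate/key pair and prints the
# plaintext; fails when the key does not belong to the certificate.
decrypt_token() {  # $1 token.p7m  $2 cert.pem  $3 key.pem  [$4 key password]
  openssl smime -decrypt -in "$1" -recip "$2" -inkey "$3" -passin "pass:${4:-}"
}

# Constructed demo material: a throwaway self-signed cert, its key (plain and
# password-protected), an unrelated key, and a fake token encrypted to the
# cert, so the checks can be exercised offline without a real Apple download.
DEMO_PAYLOAD='{"consumer_key":"CK_CONSTRUCTED","server_uuid":"UUID_CONSTRUCTED"}'
make_demo() {  # $1 working directory
  openssl req -x509 -newkey rsa:2048 -nodes -keyout "$1/key.pem" \
    -out "$1/cert.pem" -subj "/CN=mdm-demo.example" -days 1 >/dev/null 2>&1
  openssl pkey -in "$1/key.pem" -out "$1/key-enc.pem" -aes256 -passout pass:secret
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$1/other.pem" >/dev/null 2>&1
  printf '%s' "$DEMO_PAYLOAD" \
    | openssl smime -encrypt -binary -aes256 -out "$1/token.p7m" "$1/cert.pem"
}

# Stand-alone run ("sh check.sh demo"): print each check as an operator would.
if [ "${1:-}" = "demo" ]; then
  d=$(mktemp -d); make_demo "$d"
  key_matches_cert "$d/cert.pem" "$d/key.pem" && echo "key.pem matches cert.pem"
  key_matches_cert "$d/cert.pem" "$d/other.pem" || echo "other.pem does NOT match"
  key_is_encrypted "$d/key-enc.pem" && echo "key-enc.pem needs the password field"
  decrypt_token "$d/token.p7m" "$d/cert.pem" "$d/key-enc.pem" secret && echo
  rm -rf "$d"
fi
```

A mismatch reported by key_matches_cert, or a decrypt_token failure, is exactly the situation in which BMC Client Management would be unable to use the downloaded token.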
- By default, BMC Client Management synchronizes all the servers once a day. You can change the default setting by using the options in the Device Assignment panel from Mobile Device Management > Configuration > Apple tree node.
- Update the Server Synchronization Interval field to match the desired frequency, in seconds. To disable the automatic server synchronization, set the interval to the special value zero. In this case, you can still synchronize the servers manually, if required.
- Like managed locations, managed servers also expire. In this case, the token status is automatically updated by BMC Client Management to About to Expire, and then to Expired. The system then disables the automatic server synchronization.
To renew a managed server token, download a new authentication token from the Apple web-based portal for the associated mobile device management server, then select the managed server and select the Renew a server option.
Important
You can also select the Renew a server option from the main menu.
The system updates the token, and the new expiry date is displayed accordingly.
Important
Generating a new MDM server token automatically invalidates the previous one. Therefore, it is important to renew the authentication token in BMC Client Management promptly. If not, the web service calls using the previous server authentication token will fail, even if that token has not expired yet.
The MDM server created in the Apple web-based portal generates the authentication token. This token is then imported to create the paired managed server in BMC Client Management. The MDM server in the Apple web-based portal is also used to assign the purchased mobile devices. Each mobile device acquired from a reseller that officially supports the Apple Business Manager device assignment program is automatically listed in the Apple portal. From this list, company administrators associate devices to MDM servers. Once the mobile devices are assigned to their MDM server, they can be synchronized in the MDM application.
The managed server synchronization task synchronizes the mobile devices that are assigned to the MDM server. For that you need to create the coupled managed server in BMC Client Management. After a successful synchronization, the list of managed devices is available in the Managed Devices tree node.
Managed servers configuration
Managed servers are counterparts of MDM servers created in the Apple web-based portal. The managed devices associated with the MDM servers are automatically synchronized through the managed server synchronization operation and are available in the Managed Devices node. The listed managed devices can be automatically enrolled in BMC Client Management. You need to configure a few parameters to effectively enroll the devices.
You need to have enrollment profiles to configure the mobile devices in the MDM solution. These profiles are linked to the enrollment server and provide additional information, such as the support email IDs. To create a new enrollment profile in a managed server:
In the Enrollment Profiles node, select the Create Profile option.
Important
You can also select the Create Profile option from the main menu.
- In the Add an enrollment profile pop up, enter the following attributes:

| Attribute | Description |
|---|---|
| Profile name | Defines the unique name of the managed enrollment profile. |
| Organization | Defines the organization that owns the enrollment profile. |
| Department | Defines a department in the organization. |
| Support Email Address | Defines the support email ID to contact in the organization. |
| Support Phone Number | Defines the phone number to contact in the organization. |
| Is MDM Removable | Defines whether the end-user is authorized to remove the enrollment directly on the mobile device. |
Once created, the enrollment profiles are not processed automatically. The profile creation cannot be triggered directly in the Apple Business Manager environment, because this object cannot be synchronized and so the enrollment profiles could not be managed afterwards (for example, it is not possible to update or remove them). For this reason, the system pauses the creation of these objects.
To activate the effective enrollment profile creation, select the row and select the Configure profile option.
Important
You can also select the Create Profile option from the main menu.
The MDM processes the enrollment profile creation asynchronously by using web services. A new enrollment profile is available for the managed server.
The enrollment profile creation may fail for different reasons. In that case, the object status is updated accordingly, and the log file provides additional information on the failure.
In this case, the enrollment profile creation failed because the managed server is not properly configured. It is important to know that the device assignment process silently pulls information from the Apple servers to determine where the device should automatically enroll. While you have created objects to link the Apple MDM server and the BMC Client Management managed server, you did not provide information about the managed server identity. Therefore, the mobile device learns that it needs to enroll with an MDM solution but has no data about the MDM server itself, such as the following missing information:
- The name of the MDM server.
- The list of SSL certificates to trust to connect to the MDM server.
To complete the managed server configuration, you need to provide details about the enrollment server. The missing information is defined in the MDM endpoint configuration. For more information, see Configuring-end-points-for-Mobile-Device-Management.
By default, managed servers are not linked to any MDM endpoint configuration, because multiple configurations may exist, and it is not possible to identify the proper configuration.
To link the managed server with a server configuration, select the row and select the Assign Server Configuration option.
Important
You can also select the Assign Server Configuration option from the main menu.
- In the Select the Server Configuration pop up, select the relevant MDM server configuration to assign to this managed server. Usually, the selected MDM server configuration matches the configuration used to configure the MDM endpoints, but any existing configuration can be used.
Select the desired configuration and click OK. The MDM server configuration is linked to the managed server. As the configuration includes the MDM server name and the list of SSL certificates to trust, this information is automatically imported into the managed server.
Important
You can define a new MDM server configuration for the managed server. In this case, simply select the Assign Server Configuration option again with a different configuration. You can also unlink the managed server from its currently associated server configuration.
Select the managed server row and select the Unassign Server Configuration option.
Important
You can also select the Unassign Server Configuration option in the main menu.
The unassign option removes the relationship between the managed server and the server configuration. It does not impact the existing enrollment profiles. However, you need to assign a new server configuration for other enrollment profiles to be configurable. When a server configuration is associated, enrollment profiles can be configured. Select the profile that failed to be configured earlier and select the Configure profile option again.
After a few seconds, the system configures the enrollment profile successfully.
You now need to associate the managed devices with enrollment profiles. For each managed server having one or more enrollment profiles and several managed devices, you can define which enrollment profile will be used for some devices, and which enrollment profile will be used for the others. The configured enrollment profile node displays the list of associated Managed devices.
- To create the associations in the empty list, select the Add Devices option in the contextual menu. You can also select the Add Devices option in the main menu.
- The Select the Managed Devices pop up displays all the managed devices that are synchronized for the managed server. All the devices are displayed with their unique identifier, including those that are already associated to an enrollment profile.
- Select the relevant devices and click OK.
The process requires web service calls as it links the device through its unique identifier with an enrollment profile that belongs to a managed server. This association also utilizes the MDM server configuration attached to the managed server. The final configuration on the Apple servers can redirect the device to the MDM server when running the setup sequence.
Important
On the Apple side, the managed device has not received the enrollment profile yet, so the profile status becomes Assigned and is updated after the next enrollment.
You can also remove devices from an enrollment profile. Select the desired rows and select the Remove Devices option. You can also select the Remove Devices option in the main menu.
Managed devices that are not associated with a properly configured enrollment profile will fail to automatically enroll in the MDM solution. Finally, the list of devices available in the Managed Devices tree node for a managed server should display the latest changes. For example, in the following image, one device is associated with the newly configured enrollment profile.