Category filter

Introduction to Apple Device Enrollment in Hexnode UEM

Hexnode UEM offers multiple enrollment methods for Apple devices, each tailored to different organizational needs. This guide will help you evaluate your workplace requirements and select the best deployment strategy for your team.

1. Apple Automated Device Enrollment (ADE)

Automated Device Enrollment (ADE), formerly known as the Apple Device Enrollment Program (DEP), is a deployment program designed for corporate-owned devices. It leverages Apple Business Manager (ABM) or Apple School Manager (ASM) to automate enrollment and facilitate over-the-air management.

Key Features and Benefits:

Zero-Touch Deployment: Devices are automatically enrolled in MDM during the initial Apple Setup Assistant process.
Device Supervision: Provides enhanced, high-level control over the OS.
Mandatory Enrollment: You can prevent users from manually removing the MDM profile or wiping the device to escape management.
VPP Integration: Integrated with the Volume Purchase Program (VPP) for bulk app purchasing and distribution.

Eligibility (OS Versions):

iOS: 11 or later
macOS: 10.9 or later
tvOS: 10.2 or later

2. Apple Configurator Enrollment

Apple Configurator is an application used to manually enroll devices into your MDM. It is particularly useful for devices not purchased directly from Apple or authorized resellers.

Use Cases:

Non-Reseller Devices: Manually add older or non-DEP devices to ABM/ASM to gain supervision benefits.
Standalone Management: If you do not have an ABM/ASM account, you can still use Apple Configurator to supervise and control devices without relying on DEP.

Supported Versions for ABM/ASM Addition:

iOS/iPadOS: 16+
macOS: 12.0.1+

3. User Enrollment (BYOD)

Designed for Bring Your Own Device (BYOD) deployments, User Enrollment focuses on balancing enterprise security with user privacy. It requires a Managed Apple Account (owned by the organization), which co-exists with a user’s personal Apple Account.

Core Characteristics:

Data Separation: Managed apps and data exist in a separate volume, ensuring no crossover with personal data.
Privacy: The MDM has restricted access and cannot view personal apps or perform intrusive actions (like full device wipes or hardware ID retrieval).
Scope: MDM manages only the apps and services tied to the Managed Apple Account.

Eligibility:

iOS/iPadOS: 15+
macOS: 14+
visionOS: 1.1+

Comparison of Capabilities:

Here’s an overview of the functionalities available for user-enrolled iOS devices through Hexnode UEM.

Functionality	Feature
Remote Actions	Scan Device Scan Device Location Lock Device Edit Device Attributes Install Application Uninstall Application Disenroll device Broadcast Message Associate Policy Add Devices To Groups Set Friendly Name Export Device Details Delete Device
Restrictions	Allow Device Functionality Siri Allow Siri while device is locked Screen capture Allow Application Settings Sync managed data with iCloud Backup enterprise-deployed iBooks Fraud warning Allow Security and Privacy Settings Today View on lock screen Control Center on lock screen Lock screen notifications Force encrypted backup Send diagnostic data to Apple
Network	Wi-Fi VPN Per-App VPN
Security	Certificates SCEP Business Container
Accounts	Email Exchange ActiveSync CardDAV Calendar CalDAV Google Accounts LDAP
Expense Management	Network Data Usage Management
Configurations	Deploy Custom Configurations Fonts AirPrint AirPlay

User Enrollment Methods in Hexnode UEM

Hexnode UEM supports two primary enrollment methods for User Enrollment, tailored to different Apple OS versions and deployment needs.

1. Profile-driven User Enrollment

This is the legacy method of onboarding BYOD devices.

Workflow: Users are provided with an external enrollment link (usually via email or SMS). They must open this link in the Safari browser to download the MDM enrollment profile.
Authentication: The process requires the user to authenticate using their Managed Apple Account credentials during the profile download phase.
Deprecation Note: Profile-driven User enrollment is not supported on devices running iOS 18+ or macOS 15+. Organizations with these newer OS versions must transition to the Account-driven method.

2. Account-driven User enrollment

This is the modern, streamlined method introduced by Apple to simplify the onboarding experience.

Workflow

iOS/iPadOS: Navigate to Settings > General > VPN & Device Management and sign in to the Work or School Account.
macOS: Navigate to System Settings > Privacy & Security > Profiles and sign in under Work or School Account.

Benefits: It eliminates the multi-step process of downloading and manually installing a profile from a browser, reducing user confusion and support tickets.

OS Support: Account-driven User enrollment is supported on devices running:

iOS 15 and later
iPadOS 15 and later
macOS 14 and later
visionOS 1.1 and later

4. Device Enrollment

Device Enrollment is a manual enrollment type specifically designed for organization-owned devices. Unlike User Enrollment, which focuses on a work container, Device Enrollment places the entire device under MDM management. This gives administrators full control over system settings, network configurations, and all installed applications.

Key Capabilities:

Comprehensive Control: Enforce device-wide restrictions and manage all data and apps.
Supervision on Mac: For Mac computers running macOS 11 or later, Device Enrollment automatically enables Supervision, unlocking advanced management commands and restrictions.

Enrollment Methods in Hexnode UEM:

A. Profile-driven Device Enrollment

This is the standard manual method for onboarding corporate devices.

Workflow: Users are provided with an enrollment link. They must open this link in the Safari browser on the target device to download the MDM enrollment profile.
Action: Once downloaded, the user must navigate to the device Settings to manually install the profile and authorize management.

B. Account-driven Device Enrollment

This modern method streamlines the manual onboarding experience by integrating enrollment directly into the native OS settings.

Workflow: Users do not need to visit an external link or download a profile from a browser. Instead, they enroll directly from the device’s native settings menu:
- On iPhone/iPad: Navigate to Settings > General > VPN & Device Management and select Sign in to Work or School Account.
- On Mac: Navigate to System Settings > General > Device Management and sign in under Work or School Account.
Authentication: The user signs in using their Managed Apple Account credentials. The device then performs “service discovery” to find the Hexnode portal and completes the enrollment.
Benefit: This method significantly simplifies the procedure and reduces the risk of users failing to complete the manual profile installation steps.

Note: Account-driven device enrollment is supported on devices running:

iOS 17 and later
iPadOS 17 and later
macOS 14 and later
visionOS 1.1 and later

Frequently Asked Questions (FAQs)

Q1. What is the main difference between ADE and Device Enrollment?

ADE is automated and “zero-touch,” meaning the device is managed from the moment it is turned on. Device Enrollment is a manual process where an admin or user must download and install the management profile.

Q2. Why can’t I use Profile-driven User Enrollment on iOS 18?

Apple is transitioning toward Account-driven workflows for better security and user experience. Starting with iOS 18 and macOS 15, the legacy profile-driven method for User Enrollment is no longer supported.

Q3. Does User Enrollment allow an admin to see my personal photos?

No. User Enrollment uses a cryptographically separate volume for managed data. The UEM can only see and manage work-related apps and information; personal content remains completely private.

Q4. Can I supervise a device without Apple Business Manager?

Yes, by using Apple Configurator, you can manually supervise a device. However, you will not have the automated deployment benefits provided by ABM/ASM integration.

Troubleshooting iOS Enrollment

Issue 1: Existing MDM Profile Conflict

Description: Error message stating “The new MDM payload does not match the old payload” while enrolling an iOS device.

Probable Cause: The device likely already has an active MDM profile installed on it.

Solution: Remove the existing MDM profile from the device settings.

On the iOS device, go to Settings > General.
Scroll down and select VPN & Device Management.
Tap Hexnode MDM (or the name of your previous MDM provider, if applicable).
Scroll down and tap Remove Management.

Warning: Users cannot manually remove the existing MDM profile if:

The profile was created by Apple Configurator and is password-protected.
The device is currently enrolled through Apple’s Device Enrollment Program (DEP).

Issue 2: Device Type Restrictions

Probable Cause: The device type you are trying to enroll is currently restricted in your Hexnode workspace. Depending on the operating system, you may see one of the following error messages:

Device Type	Common Error Message
iOS	“According to your corporate policy, only the following devices can be enrolled and can access the corporate resources… Contact your IT administrator for more information.”
iPadOS 13	“A connection to the server could not be established.”
macOS	“Could not download the identity profile from the Encrypted Profile Service. The credentials within the Device Enrollment profile may have expired.”

Solution: Update your enrollment restrictions in the Hexnode portal to allow the specific device type.

Log in to the Hexnode portal and navigate to Enroll > Settings.
Scroll down to Enrollment Restrictions > Device Models allowed.
Select the checkbox corresponding to your device type (iPhone, iPad, or macOS).
Click Save to apply the changes.

Need more help?

Raise a Ticket

Ask Community

Chat With us