Apple MDM enrollment

DME supports the enrollment and management of Apple iOS devices through the Apple MDM Protocol. This enables Apple iOS devices to enroll with (enter into a trusted relationship with) DME, and the DME Administrator can then issue commands, send configuration profiles, etc. to the devices without end-user interaction.

It is recommended to enroll your Apple iOS devices.

On the server, a number of prerequisites must be in place before you can reap the benefits of Apple MDM.

  1. An SSL certificate from a trusted vendor (such as VeriSign) must be installed on the DME server.
  2. The setting Create device on first connect in Server configuration > Authentication > Security must be set to Yes or Two-factor authentication. See Authentication.
  3. You need to install an application certificate on the server (see Enable Apple MDM server).

On the client device, the release of iOS 7 introduced a number of changes that affect the Apple MDM enrollment process. As a result, you can only enroll devices that have already been created as devices in DME; otherwise, duplicates may occur. For this reason, only user-initiated enrollment is possible: the user must choose MDM Enrollment from within the DME client app, which is only possible if the device has been created in DME.

To uniquely identify the device in DME, DME uses the device MAC address. However, from iOS 7 it is no longer possible for the DME client app to get the MAC (Wi-Fi) address of the device, which can make the enrollment process more complex. In some cases, the Wi-Fi address is already known to DME, namely if DME was installed and the device was enrolled with DME before the device was upgraded to iOS 7. This is best described through a number of scenarios:

  1. A device running DME 4.1.3 on iOS 6. The MAC address is known in DME.

    When upgrading to DME 4.1.5, the MAC address is already stored in the keychain of the device. This means that when the device is upgraded to iOS 7, the MAC address is known. So when enrolling the device, the "DME device" is linked correctly with the "MDM device".

  2. A new device running iOS 7 that has never been in contact with DME. DME 4.1.5 is installed.

    On the first contact with DME, the device is given a random ID as DME device ID. Due to iOS 7, the client will report a fake MAC address: 02:00:00:00:00. When the user chooses to enroll the device, the client will ask the user to copy the real Wi-Fi Address into a field. This Wi-Fi address is then used to pair the "DME device" with the "MDM device". See Enroll Apple iOS devices.

  3. An existing iOS 6 device running DME 4.1.3, not enrolled. It is upgraded to iOS 7, and then DME is upgraded to 4.1.5.

    As in scenario 2, the client will ask for the Wi-Fi address when enrolled.
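
In scenarios 2 and 3 the pairing depends on a Wi-Fi address typed by the user, so the value should be validated before the "DME device" is linked with the "MDM device". The following Python code is an added example, not DME code: the function names, the in-memory inventory and the sample addresses are assumptions, and the placeholder is written in the six-octet form that Apple documents (02:00:00:00:00:00).

```python
import re

# Placeholder iOS 7+ reports instead of the real Wi-Fi MAC (six-octet form).
IOS7_PLACEHOLDER = "02:00:00:00:00:00"


class EnrollmentError(ValueError):
    """Raised when a typed Wi-Fi address must not be used for pairing."""


def normalize_mac(raw):
    """Accept aa:bb.., AA-BB.. or aabb.ccdd.eeff; return aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[\s:.\-]", "", raw).lower()
    if not re.fullmatch(r"[0-9a-f]{12}", digits):
        raise EnrollmentError("not a 48-bit MAC address")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def validate_wifi_address(raw):
    mac = normalize_mac(raw)
    first_octet = int(mac[:2], 16)
    if mac == IOS7_PLACEHOLDER:
        raise EnrollmentError("iOS 7 placeholder; ask for the real Wi-Fi Address")
    if first_octet & 0x01:
        raise EnrollmentError("multicast address cannot identify one device")
    # Assumption: hardware Wi-Fi addresses are universally administered.
    if first_octet & 0x02:
        raise EnrollmentError("locally administered address")
    return mac


def pair_devices(dme_device_id, typed_address, inventory):
    """Link a typed Wi-Fi address to an existing DME device record.

    inventory is a hypothetical store: DME device ID -> paired MAC or None.
    """
    mac = validate_wifi_address(typed_address)
    if dme_device_id not in inventory:
        raise EnrollmentError("device not created in DME")
    for other_id, other_mac in inventory.items():
        if other_mac == mac and other_id != dme_device_id:
            raise EnrollmentError("address already paired with " + other_id)
    inventory[dme_device_id] = mac
    return mac


# Constructed sample data: two devices with random DME IDs, one already paired.
SAMPLE_INVENTORY = {"dev-7f3a": None, "dev-91c2": "00:1a:2b:3c:4d:5e"}
```

Rejecting an address that is already paired with another record is what prevents the duplicates mentioned above; an enrollment handler would surface the `EnrollmentError` message to the user instead of creating a second device.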

The following sections will take you through the MDM enrollment process step by step.

In this section

Enable Apple MDM server

Enroll Apple iOS devices

Installing Apple MDM profile
