What is MDM for IOS devices?
MDM for iOS refers to Mobile Device Management specifically for Apple devices running the iOS operating system—in other words, MDM for iPhones. Supervised mode is required to enable complete control over the device. This document focuses on enrolling an iPhone in supervised mode within NinjaOne. NinjaOne MDM Apple leverages the Apple Push Notification Service (APNs), and Automated Device Enrollment (ADE) to manage and secure iOS devices.
These Apple services and features enable streamlined device enrollment, centralized management, and policy enforcement. Through these integrations, NinjaOne MDM supports features like remote configuration, app distribution, and security controls, ensuring consistent management and data protection across iPhones and iPads in an organization. ADE requires the use of an Apple Business Manager (ABM) or Apple School Manager (ASM) account.
What are the enrollment methods for iPhone devices in supervised mode?
There are two enrolling methods:
Zero-Touch Enrollment (ZTE): this method is for new devices purchased through an authorized reseller. The advantage of this method is that all the configurations are done in the background, giving the end user a very seamless experience because the configuration, from their end, is very straightforward. Another advantage is that the enrollment can be done in bulk.
Manual enrollment using a second device: This method is for mobile devices you have on hand. It requires a second device for enrollment, such as a Mac, iPad, or iPhone, running the Apple Configurator application. The enrolling device connects to the device to be enrolled, resets it to factory defaults, and enrolls it in the company’s Apple Business Manager (ABM) or Apple School Manager (ASM) account. Once this is done, an IT administrator logs into the ABM/ASM account, moves the device to the NinjaOne server, and synchronizes NinjaOne with the ABM/ASM account.
What are the pre-requisites to enroll an iPhone in supervised mode in NinjaOne?
To enroll an iPhone in supervised mode in NinjaOne there are several pre-requisites, which are listed below:
Pre-requisites for enrolling devices using either enrollment method:
1.‘NinjaOne MDM Apple’ must be enabled in NinjaOne. Refer to the document IOS Supervised Mode for details on this enablement.
2. An ABM or ASM account. The account must be in verified state. If you are obtaining such an account for the first time, consider that verifying the account may take several days or even weeks, NinjaOne recommends starting this process well in advance. More information can be found in the ABM User Guide or the ASM User Guide.
If you are enrolling the devices using the manual method, additionally you need:
3. An enrolling device – A Mac computer, iPad, or an iPhone other than the one being enrolled.
4. The Apple Configuration app must be installed on the enrolling device.
5. A USB cable to connect the iPhone being enrolled to the Mac computer. iPads and iPhones can connect using NFC or barcode reader.
6. A Wi-Fi network with Internet access.
How can iPhone devices be enrolled in NinjaOne using ZTE?
This is the easiest way to enroll a brand-new mobile device as company-owned in supervised mode from the IT administrator´s standing point. Follow the steps below to complete this process:
- Purchase iOS devices from an authorized reseller or directly from Apple and provide the organization´s ABM/ASM account details. The reseller or Apple will associate these devices with the organization’s ABM or ASM account.
- Once the devices appear in ABM/ASM, move them to the NinjaOne MDM server. Refer to Step 2: Move the iPhone device from Apple Configurator to your MDM server in ABM/ASM in the section below to get more details.
- Synchronize NinjaOne with ABM/ASM.
- After the two systems are synched, the enrolled devices will appear in the NinjaOne console under the organization and location defined in the company´s ADE profile.
When the iPhone is first turned on and connected to the Internet, it will automatically enroll in NinjaOne.
How to enroll an iPhone device you have in hand in NinjaOne?
For an existing device, you must enroll it using a Mac computer, iPad, or iPhone, different than the one you are enrolling, using the Apple Configurator app.
There are three steps to accomplish this enrollment. Follow the instructions below to enroll an existing iPhone device to NinjaOne using a Mac computer (if instead of a Mac computer you are using an iPad or an iPhone, the only difference is the way the two devices connect. A Mac computer uses a USB cable, while the mobile devices use NFC or the barcode reader).
Step 1: import the iPhone device into Apple Business Manager.
1. On the Mac computer, open the Apple Configurator app.
2. If this is the first time you are enrolling an iPhone device, you must create a new Wi-Fi profile. This profile is used by the iPhone to connect to the Internet and communicate with ABM (or ASM). If the Wi-Fi profile is already created, you can skip this step.
a. On Apple Configurator, select File and then New Profile.
b. Under General, give the profile a name.
c. Under Wi-Fi, configure Wi-Fi settings for the Wi-Fi used in the location you are working in.
(See below screenshot for reference)
d. Select File and then Save. Give a name for the profile file, choose a location, and click Save.
For this example, we named it ABM Wi-Fi initial config.
3. Connect the iPhone to the Mac computer using a USB cable. After Apple Configurator connects to the iPhone, the iPhone device appears on the screen. (See below screen for reference).
4. Click the iPhone device image to ensure it´s highlighted.
5. Click Prepare on the top menu. (See below image for reference).
6. The Prepare Devices dialog box appears. Under Prepare with, choose Manual configuration, and select Add to Apple School Manager or Apple Business Manager, and Allow devices to pair with other computers, as indicated in the screenshot below, then click Next.
7. Select New Server on the next screen as indicated in the screenshot below:
8. In the next screen, in the name, type NinjaOne. We are not directly enrolling to NinjaOne, but something needs to be entered, otherwise Apple Configurator will not allow us to continue.
Don’t change anything in the host name or URL and click Next.
9. An expected error will show in the screen, ignore it, and click Next.
10. You will be asked to add a trust anchor certificate for the MDM server, click Next. Even if some options are shown, just click Next.
11. If this is the first device added to a company, select New Organization, and click Next. If not, your organization’s name will appear, click Next and go to step 13.
12. Upon a successful sign in, you will be asked if a new supervision identity will be generated or choose an existing one. Select Generate a new supervision identity and click Next.
13. You now will be asked to select the steps that will be presented to the user in Setup Assistant, here you can just click Next.
14. Choose the network Profile. In the step, choose the profile you created on step 2.
15. Click Prepare.
16. Apple Configurator will prepare the iPhone device and import it into ABM (or ASM). This process may take some minutes.
Note: You may receive a notification stating that the device is already prepared and needs to be erased. In this case, click Erase.
If you see a message saying, “Unable to activate ‘xxxxx’s iPhone“ check the phone screen and follow the instructions displayed to approve the activation.
Once unlocked, go back to Apple Configurator and click “Try Again“.
17. After the process completes, one new device will appear in ABM/ASM under “Devices Added by Apple Configurator”, at this point, you can click Show Devices to see the device list.
Step 2: Move the iPhone device from Apple Configurator to your MDM server. In ABM (or ASM).
1. Sign in to your ABM account using your administrator credentials.
2. Click your organization name on the bottom left of the screen and select Preferences.
3. Click Devices Added by Apple Configurator
4. Click Show Devices
5. The device list appears under Your Devices. Click on the desired device.
6. The device’s properties appear. Click the three dots on the right of the screen.
7. Select Edit MDM Server.
8. Choose Assign to the following MDM and make sure your MDM server is selected. Your MDM server name is the one you selected when you enabled Automated Device Enrollment (ADE). For this example, the MDM server name is NinjaOne MDM, then click Continue.
9. A warning message appears, click confirm.
10. After a few seconds, a confirmation message appears. Click Done.
11. Click your organization name on the bottom left of the screen and select Preferences.
12. You can see that the device that was showing under Apple Configurator, has now moved under your MDM server.
Step 3: Synchronize NinjaOne with ABM (or ASM).
1. Sign in to your NinjaOne account and go to Administration, then Apps.
2. Click NinjaOne MDM.
3. Go to the Automated Device Enrollment tab.
4. Select the profile corresponding to your company. A ribbon will appear at the top of the companies.
5. Click Edit. The Automated Device Enrollment Profile dialog box appears.
6. Click Devices on the left.
6. Click Sync with ABM. (See below screenshot for reference)
7. The iPhone device now appears.
8. Click Close.
Now it’s time to go to the iPhone device and complete the initial setup. The initial setup steps will be those for the enrollment profile you edited earlier. Once the initial setup is complete and the device is connected to the Internet, it will appear on the device dashboard.
Important:
- After finishing the setup, open the NinjaOne Assist app and approve the installation of applications and location tracking (if enabled).
- Enter the iPhone´s configuration menu and configure an Apple account. Failing to do so, will prevent installing apps. The end user must approve the installation of each app.