Documentation Index
Fetch the complete documentation index at: https://docs.iru.com/llms.txt
Use this file to discover all available pages before exploring further.
This guide applies to Apple devices
Apple Business Manager is now Apple Business. Apple School Manager is unchanged. For more information, see Introducing Apple Business and Apple Business Manager is now Apple Business.
Create an Automated Device Enrollment Library Item
To add this Library Item to your Iru Endpoint Library, follow the steps outlined in the Library Overview article.Universal Settings
In this section, configure universal Automated Device Enrollment settings that apply across supported Apple device types. The platform-specific sections that follow provide additional settings for each Apple platform.Require Authentication
When Require authentication is enabled, the enrolling user must complete single sign-on before Setup Assistant can continue. This applies to all Apple platforms except tvOS. See Require Authentication with Automated Device Enrollment for details.
If you use Passport, turn off Prefill initial account creation details and Lock pre-filled account creation details; they conflict with Passport’s account creation flow and can cause Setup Assistant errors.
Allow MDM Profile Removal
By default, when enrolling devices through Automated Device Enrollment, the MDM profile is not removable. This is by design to keep company devices managed securely. You can select Allow MDM Profile Removal if you have a test environment or a specific need to make the profile removable. Iru Endpoint recommends against using this for production environments.
Options common to platform-specific sections
These Automated Device Enrollment options work the same way on every Apple platform. Open the platform section you need in the Library Item and configure the setting there. Anything that only applies to certain platforms is documented under that platform later in this article.Install Library Items during Setup Assistant
For Mac, iPhone, iPad, Apple TV, and Vision, the Automated Device Enrollment Library Item includes Install Library Items during Setup Assistant. When you enable it, you build a list of eligible Library Items that must finish installing while the device is still in Setup Assistant.Passcode, Restrictions, FileVault, and Migration Assistant install during Setup Assistant on Automated Device Enrollment when they are assigned on the Blueprint, whether Install Library Items during Setup Assistant is on or off.
- Eligible Library Items for the platform appear in the drawer regardless of the device’s Blueprint.
- Library Items that always install during Setup Assistant appear in the drawer and cannot be deselected.
- Library Items that cannot install during Setup Assistant do not appear in the drawer.
- Library Items configured for Self Service only (for example some App Store or in-house app setups) do not appear in the drawer; those installs are user-initiated after setup, not during enrollment.
Selected Library Items install only when they are assigned to the device. Include every Library Item to install during Setup Assistant. Blueprint scoping still determines what applies. For example, a Custom Profile on the list will not install if your Blueprint does not scope it to the device. See Blueprints and Using Conditional Logic in Blueprints.
Enable the option for each platform you use
In the Automated Device Enrollment Library Item, select Mac, iPhone, iPad, Apple TV, or Vision, then turn on Install Library Items during Setup Assistant for each platform where you want this behavior.
Add Library Items to the list
Select Add Library Items to open a drawer listing every eligible Library Item in your Iru Endpoint tenant. Use search and filters to find items, select what you need, then click Done.
Only Library Items compatible with the platform section you are configuring appear. For example, if you add Library Items from the iPhone section, the list only shows items that support iPhone devices. Each row also shows the supported device types.Passport does not appear in this drawer for Mac setup. Passport settings are not applied to the device as an install-time Library Item in Setup Assistant; Passport fetches its own settings.
Review the automatic release timeout
By default, the device is released from Setup Assistant after 30 minutes if something blocks completion. You can change this fail-safe to any value from 1 to 120 minutes (two hours). The device leaves Setup Assistant when every selected Library Item is confirmed installed or when that maximum time is reached, whichever comes first. Each Library Item you add increases the time spent in Setup Assistant.
Larger lists, apps, and network conditions
Larger lists, apps, and network conditions
Larger lists and app installs keep the user on a Configuring-style screen longer while downloads and installs finish. If you add many items, particularly applications, plan for longer setup times and stronger network conditions on the device.
Installers and scripts that can interrupt Setup Assistant
Installers and scripts that can interrupt Setup Assistant
Avoid assigning Library Items to Install Library Items during Setup Assistant when their installers or scripts depend on conditions that are not true during Setup Assistant. That includes scripts that wait for the Dock or a logged-in desktop user, long sleeps or wait loops, branching logic that only succeeds after setup completes, installers that trigger an immediate restart or auto-launch apps right after install, and anything else that can stall or compete with enrollment-time work. Items like these interrupt Setup Assistant and can leave people on Configuring with an unclear or uneven ADE experience.Related options and behaviors documented elsewhere:
- Mac Custom App: Restart after successful install; Pre- and post-install scripts
- Custom Script: Restart after a successful execution (under Restart Options)
- macOS Auto App: Options (includes Add to Dock during install, Run preinstall script, and Run postinstall script)
Require minimum OS version
In the Mac, iPhone, and iPad sections of the Automated Device Enrollment Library Item, Require minimum OS version tells the device to finish an operating system update before enrollment completes. You set the required minimum OS version in those sections. Apple runs that update during Setup Assistant. This is separate from Managed OS policies you configure for after enrollment. Changing this option for a device type takes effect without resyncing ADE settings to Apple.
App preservation
For iPhone and iPad devices running iOS 26+ and iPadOS 26+, you can enable Preserve managed apps during migration so that when devices are migrated from another device management service to Iru Endpoint, any apps installed on the migrating device that are also present in the device’s new Iru Blueprint (and their associated data) remain installed and configured on the device after migration. This avoids re-downloading business-critical apps and preserves user data. Use the Preserve managed apps during migration checkbox in the iPhone and iPad device sections. For more information, see App Preservation in the Device Management Migration article.
Mac
Customize the setup experience and configuration for Mac computers. It is recommended not to skip the Location Services unless your organization has a specific need. Location services are leveraged to set the Time Zone and other location-dependent settings.Configure Setup Assistant screens
Configure the Setup Assistant screens to skip for Mac computers during Automated Device Enrollment. You can skip specific screens or Auto Advance through Setup Assistant.
Install Library Items during Setup Assistant (optional)
In the Mac section, enable Install Library Items during Setup Assistant when installs from this section’s list must finish during enrollment setup. See Install Library Items during Setup Assistant for the install experience, building the list, and timeouts.
Configure Activation Lock
Use Activation Lock to choose whether an end user may enable user-based Activation Lock with Find My and a personal Apple Account.
Configure primary account type
Use Primary account type to choose whether the first account created during Setup Assistant is an administrator account, a standard account, or whether account creation is skipped. If the primary account is a standard user, you must provision an additional local administrator (see the next step).
If you deploy Passport, you should also skip primary account creation so the user account can be created after Setup Assistant through the Passport sign-in flow. For more information, see Passport compatibility with macOS and Iru Endpoint features.
Provision local administrator account (optional)
Optionally turn on Provision local administrator account to create a local administrator during enrollment. This is required if the primary account is a standard user or if you skip creating the primary account during Setup Assistant.
Global Variables can be leveraged in the Full name and Short name fields. Such as $FULL_NAME or $EMAIL_PREFIX. This can be useful if you are requiring authentication and automatically assigning the user to the device record.
Global Variables cannot be used for the Password.
Hide additional administrator account (optional)
Hide the additional administrator account if desired by selecting Hide Account.
Configure MDM-enabled user
Select MDM-enabled user when the additional local administrator account (auto admin) should be the account designated for user-level MDM profiles. You are choosing which account MDM applies user-channel management to; that account still must register as the MDM-enabled user through an interactive sign-in as described in the warning below.In the rare case where the auto admin account is the primary user of the Mac, still select MDM-enabled user so the additional administrator account remains the one specified for user-level MDM profiles.
This option is uncommon and may cause problems in your environment. Contact Iru Support before you enable it.
Require minimum OS version (optional)
Optionally use Require a minimum OS version. When the option is on, from the Version must be greater than or equal to drop-down, select a specific macOS version. If the installed macOS version does not meet that requirement, Setup Assistant shows a Software Update pane with a 60 second countdown before the device updates to the macOS version you specified.
iPhone
Customize the setup experience and configuration for iPhone devices. It is recommended not to skip the Location Services unless your organization has a specific need. Location services are leveraged to set the Time Zone and other location-dependent settings.Configure Setup Assistant screens
Use Skip screens during Setup Assistant for iPhone devices to choose which Setup Assistant screens appear. When skipping is enabled, select Specify the screens to skip to edit the list. You can skip specific screens or specify current and future Setup Assistant panes.
Skip all Setup Assistant screens does not auto-advance through Setup Assistant. Auto-advance is only available in macOS and tvOS.
Install Library Items during Setup Assistant (optional)
In the iPhone section, enable Install Library Items during Setup Assistant when installs from this section’s list must finish during enrollment setup. See Install Library Items during Setup Assistant for the install experience, building the list, and timeouts.
Prevent MDM profile installation when restoring from backup (optional)
Optionally enable Prevent MDM profile installation when restoring from backup. When it is on, the MDM profile is not installed from a backup restored onto the same device; the device installs its MDM profile through Automated Device Enrollment instead.
Configure user-based Activation Lock
Use Activation Lock to choose whether users may enable user-based Activation Lock with Find My and a personal Apple Account.
Configure device-based activation lock (optional)
Optionally turn on Enable device-based Activation Lock to enable device-based Activation Lock through Apple Business or Apple School Manager.
Require minimum OS version (optional)
Optionally use Require a minimum OS version. When the option is on, set Version must be greater than or equal to to a specific iOS version, or to Latest public release to require the newest public iOS from Apple.If the installed version is below that minimum, Setup Assistant presents Software Update so the device can update before enrollment completes. The value in Version must be greater than or equal to is the minimum the device must meet before setup continues; it is not the OS build Software Update will install. When an update is required, Apple installs the latest public release available for that device. The list selection does not cap the update to that exact version.
Preserve managed apps during migration (optional)
When migrating devices from another device management service, check Preserve managed apps during migration if you want apps installed on the migrating device that are also present in the device’s new Iru Blueprint (and their associated data) to be preserved on the device after migration. For more information, see Device Management Migration.
iPad
Customize the setup experience and configuration for iPad devices. It is recommended not to skip the Location Services unless your organization has a specific need. Location services are leveraged to set the Time Zone and other location-dependent settings.Configure Setup Assistant screens
Use Skip screens during Setup Assistant for iPad devices to choose which Setup Assistant screens appear. When skipping is enabled, select Specify the screens to skip to edit the list. You can skip specific screens or specify current and future Setup Assistant panes.
Skip all Setup Assistant screens does not auto-advance through Setup Assistant. Auto-advance is only available in macOS and tvOS.
Install Library Items during Setup Assistant (optional)
In the iPad section, enable Install Library Items during Setup Assistant when installs from this section’s list must finish during enrollment setup. See Install Library Items during Setup Assistant for the install experience, building the list, and timeouts.
Prevent MDM profile installation when restoring from backup (optional)
Optionally enable Prevent MDM profile installation when restoring from backup. When it is on, the MDM profile is not installed from a backup restored onto the same device; the device installs its MDM profile through Automated Device Enrollment instead.
Configure Shared iPad (optional)
Optionally turn on Shared iPad in the iPad section when you want a multi-user iPad experience during enrollment.See Configure Shared iPad for each setting in the Shared iPad section, including how User configuration changes which fields appear.
Shared iPad can only be enabled during Automated Device Enrollment.
Configure user-based Activation Lock
Use Activation Lock to choose whether users may enable user-based Activation Lock with Find My and a personal Apple Account.
Configure device-based activation lock (optional)
Optionally turn on Enable device-based Activation Lock to enable device-based Activation Lock through Apple Business or Apple School Manager.
Require minimum OS version (optional)
Optionally use Require a minimum OS version. When the option is on, set Version must be greater than or equal to to a specific iPadOS version, or to Latest public release to require the newest public iPadOS from Apple.If the installed version is below that minimum, Setup Assistant presents Software Update so the device can update before enrollment completes. The value in Version must be greater than or equal to is the minimum the device must meet before setup continues; it is not the OS build Software Update will install. When an update is required, Apple installs the latest public release available for that device. The list selection does not cap the update to that exact version.
Preserve managed apps during migration (optional)
When migrating devices from another device management service, check Preserve managed apps during migration if you want apps installed on the migrating device that are also present in the device’s new Iru Blueprint (and their associated data) to be preserved on the device after migration. For more information, see Device Management Migration.
Apple TV
Customize the setup experience and configuration for Apple TV devices. Optionally configure Auto Advance, and specify the Language and Region.Configure Setup Assistant screens
Under Skip screens during Setup Assistant for Apple TV devices, choose how Setup Assistant runs: Automatically advance through all Setup Assistant screens (requires Ethernet) or Specify which screens to skip during Setup Assistant. When you choose to specify screens, select Specify the screens to skip to edit the list. Either choice determines which Setup Assistant screens appear on the device.
Install Library Items during Setup Assistant (optional)
In the Apple TV section, enable Install Library Items during Setup Assistant when installs from this section’s list must finish during enrollment setup. See Install Library Items during Setup Assistant for the install experience, building the list, and timeouts.
Vision
Customize the setup experience and configuration for visionOS devices.Configure Setup Assistant screens
Use Skip screens during Setup Assistant for Vision devices to choose which Setup Assistant screens appear. When skipping is enabled, select the pencil icon to edit which panes are skipped.
Install Library Items during Setup Assistant (optional)
In the Vision section, enable Install Library Items during Setup Assistant when installs from this section’s list must finish during enrollment setup. See Install Library Items during Setup Assistant for the install experience, building the list, and timeouts.
Prevent MDM profile installation when restoring from backup (optional)
Optionally enable Prevent MDM profile installation when restoring from backup. When it is on, the MDM profile is not installed from a backup restored onto the same device; the device installs its MDM profile through Automated Device Enrollment instead.
Configure user-based Activation Lock
Use Activation Lock to choose whether users may enable user-based Activation Lock with Find My and a personal Apple Account.
Change Default ADE Blueprint
The default Blueprint can be changed at any time inside the Iru Endpoint Web App.
Select default Blueprint
Click the Default Blueprint dropdown menu.
Select the desired Blueprint from the list.
Enrollment Portal link and Enrollment code
You can also provide the Enrollment Portal link with the Enrollment code embedded in the URL for easier deployment. The format for the shareable link is listed below. The EnrollmentCodeHere portion should be the Enrollment code without the dash between the two sets of numbers.Shareable enrollment URL (Apple)
Generating a New Enrollment Code
Iru Endpoint allows you to generate a new random Enrollment code for each Blueprint. Generating a new code is helpful should the code be distributed to unauthorized users. A new code prevents unwanted devices from being enrolled into that Blueprint.Select the Blueprint
Click the arrow next to the name of the Blueprint where you’d like to change the code.
Troubleshooting
Migrating from previous MDM
Migrating from previous MDM
If a mobile device is already set up and enrolled in another MDM through Automated Device Enrollment, use one of these approaches:
- In Apple Business or Apple School Manager, reassign the device to Iru Endpoint, then erase and re-enroll the device if you need to keep it supervised in Iru Endpoint.
- Remove management for the device in the other MDM, then use the Iru Endpoint Enrollment Portal for manual enrollment. Only macOS devices remain Supervised when you use this path.
Devices skip ADE enrollment
Devices skip ADE enrollment
On macOS Ventura and later, Mac computers that are registered to your organization must connect to a network during Setup Assistant after an erase or reset. If that connection is missing, the user can complete setup in a way that skips Automated Device Enrollment.Enroll the Mac into Iru Endpoint first. That enrollment is how admins ensure newly provisioned devices can no longer skip Automated Device Enrollment.
Enrollment or Setup Assistant takes a long time
Enrollment or Setup Assistant takes a long time
During Automated Device Enrollment, users may stay on Configuring while the device completes Install Library Items during Setup Assistant. Setup Assistant waits until each selected Library Item is confirmed installed (not only downloading). The device can also exit when Automatically release device after is reached, whichever comes first. Long install lists, App Store applications, and a slow or unreliable network are the most common reasons this phase runs longer than expected.Try the following:
- Remove Library Items from the Setup Assistant install list when they do not need to finish during initial setup. Large applications are the most common candidates; assign them so they install after enrollment instead.
- When downloads or installs are slow, check the device’s Wi-Fi connection, captive portal behavior, and any bandwidth limits during setup.
- If users are blocked because an install never completes, lower Automatically release device after (minimum 1 minute) so the device leaves Setup Assistant when the timer ends, even when not every Library Item finished. Raise the value only when you need additional time for a longer list, up to 120 minutes.
Apple-Specific Troubleshooting
Devices not visible in Apple Business or Apple School Manager
Devices not visible in Apple Business or Apple School Manager
If you don’t see your devices available for assignment in your Apple Business or Apple School Manager account, there can be several reasons, with different solutions for each.
- You purchased your devices directly from Apple.
- You may not have registered your Apple Customer Number in Apple’s portal. In Apple Business, choose Devices → Inventory, then Get Started (first number) or Add (additional numbers), pick Apple Customer Number as the type, and finish the prompts. See Manage device suppliers in Apple Business. In Apple School Manager, use Apple’s help for your region to add customer numbers linked to your organization (labels and steps can differ from Apple Business).
- To find your Apple Customer Number, check with your Apple account executive, your purchasing department, or Apple sales support. When using an Apple Customer Number, all devices purchased from Apple since March 1, 2011, will be added to your Apple Business or Apple School Manager account.
- You purchased your devices from an Apple Authorized Reseller or a carrier.
- You may not have established a link between your Apple Business or Apple School Manager account and the reseller.
- Ask your reseller for its Reseller Number (or equivalent identifier) and add it in Apple Business under Devices → Inventory using Get Started or Add, choosing the reseller number type when prompted (Manage device suppliers in Apple Business). In Apple School Manager, follow Apple’s documentation for linking resellers or carriers.
- Provide your reseller with your Organization ID. In Apple Business, open Settings → Organization and find it under Details. In Apple School Manager, locate the organization identifier in your portal using Apple School Manager documentation. Share that ID with your reseller along with the serial numbers or orders you want added to your Apple Business or Apple School Manager account. Your reseller can choose the “Look-Back” period for devices to be added.
- Your devices may not have been purchased through a Device Enrollment-enabled reseller or were not purchased as a business from Apple.
- You may not have established a link between your Apple Business or Apple School Manager account and the reseller.
Missing local files after enrollment
Missing local files after enrollment
During initial setup, macOS allows users to sync their Desktop and Documents folders with iCloud. However, if the Mac later enrolls in Iru Endpoint and this feature is disabled, macOS will remove the previously synced data from the Mac.Although this may be alarming for users, their data should still reside in their iCloud account.
- When disallowing iCloud Syncing and access to other iCloud features, we highly recommend informing your team before enrolling in Iru Endpoint so that they can make changes to ensure they have access to any critical data.
- The Restrictions Profile Library Item contains settings related to iCloud that may be disabling the use of various iCloud functionality.
Preferred device enrollment resellers
Preferred device enrollment resellers
- A list of Preferred Device Enrollment Resellers is available here.
Customer numbers and Apple Business or Apple School Manager
Customer numbers and Apple Business or Apple School Manager
- For information about customer numbers and adding devices to Apple Business or Apple School Manager, see Apple’s Using Automated Device Enrollment Support Article.
Related articles
Configure Automated Device Enrollment
Set up Automated Device Enrollment for zero-touch deployment and lifecycle management of corporate Apple devices
Configure Require Authentication for Enrollment
Configure authentication requirements for device enrollment across Apple, Windows, and Android platforms
Apple Device Supervision
Understand Apple device supervision
Activation Lock
Configure and manage Activation Lock for Apple devices
Blueprint Routing
Configure dynamic Blueprint assignment during device enrollment using Assignment Rules
Library Overview
Curate, create, and manage Library Items and add them to Blueprints