This guide applies to Apple devices
This guide covers Apple device enrollment configuration using Automated Device Enrollment (ADE) for zero-touch deployment. Apple devices support comprehensive setup assistant customization, account management, and activation lock options through Apple Business Manager integration.

Apple Enrollment Configuration

Create an Automated Device Enrollment Library Item

To add this Library Item to your Iru Endpoint Library, follow the steps outlined in the Library Overview article.

Universal Settings

For certain groups of devices, you have the option to set a different location or contact information specific to just that group.

Require Authentication

  • The Require Authentication option within the Automated Device Enrollment Library item allows admins to require users to authenticate with an identity provider (IdP) before allowing the device to proceed with enrollment.

Allow MDM Profile Removal

  • By default, when enrolling devices through Automated Device Enrollment, the MDM profile is not removable. This is by design to keep company devices managed securely. You can select Allow MDM Profile Removal if you have a test environment or a specific need to make the profile removable. Kandji recommends against using this for production environments.

Override organization details

  • Optionally override the location and contact information for the configuration.
Any changes made to the ADE library item will only apply to devices that are enrolled after these changes are saved. The changes will not retroactively update devices that were enrolled before the changes were saved.

Require Minimum OS Version

In addition to the settings described below, Mac, iPhone, and iPad devices running macOS 14.0 or later or iOS/iPadOS 17.0 or later can be forced to update their OS beyond those versions before enrolling into Kandji. They must already be on at least those versions before any updates can be enforced. Requiring a minimum OS version does not affect enrollment for devices running older OS versions. Use the setting Require minimum OS version in each device type’s settings as shown below to enforce the update to the version you want to require. Note: these settings do not affect any Managed OS settings you have set for after enrollment; macOS and iOS/iPadOS enforce these updates directly in Setup Assistant before enrollment so that applicable devices enroll already up-to-date. Changing this setting for a specific device type is immediate and does not require resyncing ADE settings to Apple.
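The minimum-OS rule above has two thresholds that are easy to confuse: the floor a device must already be on (macOS 14.0, iOS/iPadOS 17.0) for enforcement to apply at all, and the version you actually require. The following Python is an added example written for this article, not Iru Endpoint's or Kandji's own code; it assumes nothing about the product beyond the rule as stated, and the device inventory in it is constructed. It classifies each device into "not-enforced" (below the floor, so it enrolls on its current OS), "compliant", or "update-required", and rejects a required version below the floor, since the page says the update must go beyond those versions.

```python
import re

# Floors stated on the page: a device must already be on at least this
# version before the Require minimum OS version setting can force an update.
ENFORCEMENT_FLOOR = {
    "macOS": (14, 0),
    "iOS": (17, 0),
    "iPadOS": (17, 0),
}


def parse_version(text):
    """Turn a dotted version such as '14.2.1' into a tuple of ints."""
    if not re.fullmatch(r"\d+(\.\d+)*", text):
        raise ValueError(f"not a dotted version: {text!r}")
    return tuple(int(part) for part in text.split("."))


def version_key(version, width=4):
    """Right-pad with zeros so '14.4' and '14.4.0' compare equal."""
    return version + (0,) * (width - len(version))


def enrollment_outcome(platform, device_version, required_version):
    """Classify what Setup Assistant does for one device.

    Returns one of:
      'not-enforced'    device is below the floor; it enrolls on its current OS
      'compliant'       device already meets the required version
      'update-required' device is forced to update before it can enroll
    """
    try:
        floor = version_key(ENFORCEMENT_FLOOR[platform])
    except KeyError:
        raise ValueError(f"unsupported platform: {platform!r}") from None
    required = version_key(parse_version(required_version))
    if required < floor:
        # The page says the forced update must go beyond the floor version.
        raise ValueError(
            f"required version must be at least {ENFORCEMENT_FLOOR[platform]} for {platform}"
        )
    current = version_key(parse_version(device_version))
    if current < floor:
        return "not-enforced"
    if current >= required:
        return "compliant"
    return "update-required"


def audit_fleet(inventory, required_versions):
    """Group serials by outcome for a list of (serial, platform, version) records."""
    summary = {"not-enforced": [], "compliant": [], "update-required": []}
    for serial, platform, version in inventory:
        outcome = enrollment_outcome(platform, version, required_versions[platform])
        summary[outcome].append(serial)
    return summary


# Constructed sample inventory for the example (not real devices).
SAMPLE_INVENTORY = [
    ("MAC0001", "macOS", "13.6.7"),
    ("MAC0002", "macOS", "14.1"),
    ("MAC0003", "macOS", "14.4"),
    ("IPH0001", "iOS", "17.0.3"),
    ("IPD0001", "iPadOS", "16.7.8"),
]
SAMPLE_REQUIRED = {"macOS": "14.4", "iOS": "17.3", "iPadOS": "17.3"}

if __name__ == "__main__":
    for bucket, serials in audit_fleet(SAMPLE_INVENTORY, SAMPLE_REQUIRED).items():
        print(f"{bucket}: {serials}")
```

Run against an export of your fleet before turning the setting on, the "not-enforced" bucket is the set of devices that will still enroll on an old OS and need a separate Managed OS policy after enrollment.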

Mac

Customize the setup experience and configuration for Mac computers. It is recommended not to skip the Location Services unless your organization has a specific need. Location services are leveraged to set the Time Zone and other location-dependent settings.
1. Configure Setup Assistant screens

Configure the Setup Assistant screens to skip for Mac computers during Automated Device Enrollment. You can skip specific screens or Auto Advance through Setup Assistant.

2. Configure Activation Lock

Select whether an end user should be allowed to enable user-based Activation Lock using Find My and a personal Apple Account.

3. Configure initial computer account

Select whether the initial computer account created during Setup Assistant should be a Standard User or an Administrator, or whether initial account creation should be skipped entirely.
You may want to skip account creation if you bind your Mac computers to a directory service such as Active Directory, or if a user account is automatically provisioned for your end users with the Provision Local Administrator option by leveraging user variables. If you specify that the initial computer account should be a Standard User, you must automatically provision an additional local administrator.

4. Configure additional local administrator

Optionally provision an additional local administrator account on the computer.
Global Variables, such as $FULL_NAME or $EMAIL_PREFIX, can be used in the Full name and Short name fields. This is useful if you are requiring authentication and automatically assigning the user to the device record. Global Variables cannot be used for the Password.

5. Hide additional administrator account (optional)

Hide the additional administrator account if desired by selecting Hide Account.

6. Configure MDM-enabled user

Specify that the additional admin account should be the MDM-enabled user for user-level MDM profiles.
The additional local administrator (auto admin) account will not register as the MDM-enabled user until someone signs into it graphically.

7. Require minimum OS version (optional)

Optionally, for macOS 14 or later, require a minimum OS version.

8. Specify region

Specify the region for Mac devices.

9. Specify language

Specify the language for Mac devices.
The Set region for Mac devices and Set language for Mac devices options are only available if Automatically advance through all Setup Assistant screens is selected. These options require Ethernet.
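Step 4 above allows Global Variables in the Full name and Short name fields but not in the Password field. The practical consequence is that a "$EMAIL_PREFIX" typed into the Password field is not a per-user secret; it is the literal password on every Mac the Library Item touches. The Python below is an added example written for this article, not Iru Endpoint's or Kandji's own code. It assumes the two variable names the page lists, a constructed user record, and a constructed Library Item configuration; the short-name character rule in it is this example's assumption, not a documented one.

```python
import re

# Global Variables the page names for the Full name and Short name fields.
# Their values come from the user assigned to the device record; the user
# record below is constructed for this example.
SUPPORTED_VARIABLES = ("FULL_NAME", "EMAIL_PREFIX")
VARIABLE = re.compile(r"\$([A-Z_]+)")


def expand(template, user):
    """Replace $VARIABLE tokens with the assigned user's attributes."""
    def substitute(match):
        name = match.group(1)
        if name not in SUPPORTED_VARIABLES:
            raise ValueError(f"unsupported variable ${name}")
        return user[name]
    return VARIABLE.sub(substitute, template)


def render_additional_admin(config, user):
    """Return the account Setup Assistant would create from a Library Item
    config, or raise when the config would produce a bad credential."""
    password = config["password"]
    # Variables are not expanded in the Password field: a "$EMAIL_PREFIX"
    # there would become the literal password on every enrolled Mac.
    if VARIABLE.search(password):
        raise ValueError("variables are not expanded in the Password field")
    if not password:
        raise ValueError("password must not be empty")
    short_name = expand(config["short_name"], user)
    # Assumption for this example: short names stay lowercase and space-free.
    if not re.fullmatch(r"[a-z0-9_.-]+", short_name):
        raise ValueError(f"short name {short_name!r} is not usable")
    return {
        "full_name": expand(config["full_name"], user),
        "short_name": short_name,
        "hidden": bool(config.get("hide_account", False)),
        "mdm_enabled_user": bool(config.get("mdm_enabled_user", False)),
    }


# Constructed example: fields as an admin might fill them in the Library Item.
SAMPLE_CONFIG = {
    "full_name": "$FULL_NAME (Admin)",
    "short_name": "$EMAIL_PREFIX.admin",
    "password": "example-only-not-a-real-secret",
    "hide_account": True,
    "mdm_enabled_user": True,
}
SAMPLE_USER = {"FULL_NAME": "Ada Lovelace", "EMAIL_PREFIX": "alovelace"}

if __name__ == "__main__":
    print(render_additional_admin(SAMPLE_CONFIG, SAMPLE_USER))
```

Running the same check over every ADE Library Item you maintain is a cheap way to catch a shared or templated admin password before it is provisioned to a fleet.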

iPhone

Customize the setup experience and configuration for iPhone devices. It is recommended not to skip the Location Services unless your organization has a specific need. Location services are leveraged to set the Time Zone and other location-dependent settings.

1. Configure Setup Assistant screens

Configure the Setup Assistant screens to skip for iPhone devices during Automated Device Enrollment. You can skip specific screens or specify that any current or future Setup Assistant panes be skipped.
Note that Skip all Setup Assistant screens will not Auto Advance Setup Assistant. Auto Advance is only available in macOS and tvOS.

2. Configure user-based Activation Lock

Select whether an end user should be allowed to enable user-based Activation Lock using Find My and a personal Apple Account.

3. Configure device-based Activation Lock (optional)

Optionally enable device-based Activation Lock, sometimes referred to as organization- or MDM-based Activation Lock.

4. Require minimum OS version (optional)

Optionally, for iOS 17 or later, require a minimum OS version.

iPad

Customize the setup experience and configuration for iPad devices. It is recommended not to skip the Location Services unless your organization has a specific need. Location services are leveraged to set the Time Zone and other location-dependent settings.
1. Configure Setup Assistant screens

Configure the Setup Assistant screens to skip for iPad devices during Automated Device Enrollment. You can skip specific screens or specify that any current or future Setup Assistant panes be skipped.
Note that Skip all Setup Assistant screens will not Auto Advance Setup Assistant. Auto Advance is only available in macOS and tvOS.

2. Configure Shared iPad (optional)

Configure Shared iPad. Learn more about Shared iPad.
Shared iPad can only be enabled during Automated Device Enrollment.

3. Configure user-based Activation Lock

Select whether an end user should be allowed to enable user-based Activation Lock using Find My and a personal Apple Account.

4. Configure device-based Activation Lock (optional)

Optionally enable device-based Activation Lock, sometimes referred to as organization- or MDM-based Activation Lock.

5. Require minimum OS version (optional)

Optionally, for iPadOS 17 or later, require a minimum OS version.

Apple TV

Customize the setup experience and configuration for Apple TV devices. Optionally configure Auto Advance, and specify the Language and Region.
1. Configure Setup Assistant screens

Configure the Setup Assistant screens to skip for Apple TV devices during Automated Device Enrollment. You can skip specific screens or Auto Advance through Setup Assistant.

2. Specify region

Specify the region for Apple TV devices.

3. Specify language

Specify the language for Apple TV devices.
The Set region for Apple TV devices and Set language for Apple TV devices options are only available if Automatically advance through all Setup Assistant screens is selected. These options require Ethernet.

Vision

Customize the setup experience and configuration for visionOS devices.
1. Configure user-based Activation Lock

Select whether an end user should be allowed to enable user-based Activation Lock using Find My and a personal Apple Account.

2. Configure device-based Activation Lock (optional)

Optionally enable device-based Activation Lock, sometimes referred to as organization- or MDM-based Activation Lock.

Change Default ADE Blueprint

The default Blueprint can be changed at any time inside the Iru Endpoint Web App.
1. Access settings

Click Settings.

2. Open Apple integrations

Click Apple Integrations.

3. Edit defaults

Click Edit Defaults in the Automated Device Enrollment section.

4. Select default Blueprint

Click the Default Blueprint dropdown menu. Select the desired Blueprint from the list.

5. Save changes

Click Save.

Ensure Devices Do Not Skip ADE Enrollment

macOS Ventura and later Mac computers registered to an organization must connect to a network during Setup Assistant after being erased or reset. By first enrolling a device into Iru Endpoint, admins can ensure that newly provisioned devices can no longer skip ADE enrollment.

Migrating from Previous MDM

What if your mobile device is already set up and enrolled in another MDM via Automated Device Enrollment? You have two options:
  • After re-assigning the device to Iru Endpoint via Apple Business Manager, erase and re-enroll your mobile devices if you wish to maintain supervision in Iru Endpoint.
  • Un-manage the mobile device in your existing MDM and leverage the Iru Endpoint Enrollment Portal. Only macOS devices will be Supervised using this method.
If you experience any issues with the process or have any other questions, please contact support.

Enrollment Portal URL and Code

You can also provide the portal link with the Enrollment Code embedded in the URL for easier deployment. The format for the shareable link is listed below. The EnrollmentCodeHere portion should be the Enrollment Code without the dash between the two sets of numbers.
https://subdomain.iru.com/enroll/access-code/EnrollmentCodeHere
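The link format above embeds the Blueprint's Enrollment Code as a bearer value in the path, so the two things worth getting right when generating such links in bulk are stripping the dash exactly as described and never letting an untrusted value alter the host. The Python below is an added example written for this article, not Iru Endpoint's or Kandji's own tooling. It assumes the code is two groups of digits separated by a dash, as the page describes (the digit-only rule is this example's assumption), and the subdomain and codes in it are constructed.

```python
import re
from urllib.parse import urlsplit

# Shape described on the page: two groups of digits separated by a dash.
# Treating the groups as digits only is this example's assumption.
ENROLLMENT_CODE = re.compile(r"(\d+)-(\d+)")
# A single DNS label: anything else (a dot, a slash, an '@') could move the
# link to a different host than the tenant's own subdomain.
SUBDOMAIN = re.compile(r"[a-z0-9](?:[a-z0-9-]*[a-z0-9])?")


def shareable_enrollment_url(subdomain, enrollment_code):
    """Build the shareable portal link with the dash removed from the code."""
    if not SUBDOMAIN.fullmatch(subdomain):
        raise ValueError(f"invalid subdomain {subdomain!r}")
    match = ENROLLMENT_CODE.fullmatch(enrollment_code.strip())
    if not match:
        raise ValueError("enrollment code must look like 1234-5678")
    code = match.group(1) + match.group(2)
    return f"https://{subdomain}.iru.com/enroll/access-code/{code}"


def code_from_url(url):
    """Recover the embedded code from a shareable link, or None if the URL
    is not a portal link on the iru.com domain (useful when a link is
    pasted into a ticket and you want to know which Blueprint code it carries)."""
    parts = urlsplit(url)
    if parts.scheme != "https" or not parts.netloc.endswith(".iru.com"):
        return None
    match = re.fullmatch(r"/enroll/access-code/(\d+)", parts.path)
    return match.group(1) if match else None


if __name__ == "__main__":
    # Constructed tenant subdomain and code, not real values.
    link = shareable_enrollment_url("acme", "1234-5678")
    print(link)
    print(code_from_url(link))
```

Because the code in the link is all that gates enrollment into the Blueprint, a leaked link is the same as a leaked code: regenerate the code (see below) and reissue the link.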

Generating a New Blueprint Code

Iru Endpoint allows you to generate a new random code for each Blueprint. Generating a new code is helpful should the code be distributed to unauthorized users. A new code prevents unwanted devices from being enrolled into that Blueprint.
1. Access enrollment settings

Select Enrollment in the navigation bar.

2. Navigate to manual enrollment

Navigate to the Manual Enrollment tab.

3. Select the Blueprint

Click the arrow next to the name of the Blueprint where you’d like to change the code.

4. Change the code

Click Change code.

5. Distribute the new code

Distribute the new code to your desired users.
Once changed, the previous code will no longer be valid for new device enrollments.
By design, when Stolen Device Protection is enabled on devices running iOS 17.3 or later, MDM enrollment is restricted.

Apple-Specific Troubleshooting

Devices Not Visible in Apple Business Manager

If you don’t see your devices available for assignment in your Apple Business Manager account, there can be several reasons, with different solutions for each.
  • You purchased your devices directly from Apple.
    • You may not have added your Apple Customer Number in Apple Business Manager (Settings > Device Management Settings > Customer Numbers).
    • To find your Apple Customer Number, check with your Apple account executive, your purchasing department, or Apple sales support. When using an Apple Customer Number, all devices purchased from Apple since March 1, 2011, will be added to your Apple Business Manager account.
  • You purchased your devices from an Apple Authorized Reseller or a carrier.
    • You may not have established a link between your Apple Business Manager account and the reseller.
      • Ask your reseller for its Reseller ID and add this in Apple Business Manager (Settings > Device Management Settings > Customer Numbers).
      • Provide your reseller with your Apple Business Manager Organization ID, located in Apple Business Manager (Settings > Enrollment Information), along with a list of the serial numbers or orders that you want your reseller to add to your Apple Business Manager account. Your reseller can choose the “Look-Back” period for devices to be added.
    • Your devices may not have been purchased through a Device Enrollment–enabled reseller or were not purchased as a business from Apple.

Missing Local Files After Enrollment

During initial setup, macOS allows users to sync their Desktop and Documents folders with iCloud. However, if the Mac later enrolls in Iru Endpoint and this feature is disabled, macOS will remove the previously synced data from the Mac. Although this may be alarming for users, their data should still reside in their iCloud account.
  • When disallowing iCloud Syncing and access to other iCloud features, we highly recommend informing your team before enrolling in Iru Endpoint so that they can make changes to ensure they have access to any critical data.
  • The Restrictions Profile Library Item contains settings related to iCloud that may be disabling the use of various iCloud functionality.

Preferred Device Enrollment Resellers

Customer Numbers and Apple Business Manager