This guide applies to Mac computers, iOS devices, iPadOS devices, Apple TV, and Apple Vision Pro devices
How It Works
Iru Endpoint supports two approaches: Automated Device Enrollment (ADE) for corporate-owned devices (they enroll automatically during setup), and manual enrollment through the Enrollment Portal for BYOD. For ADE, you assign devices in Apple Business Manager to Iru Endpoint, then assign them to a Blueprint in Iru Endpoint. For manual enrollment, you share the enrollment link and Blueprint code with users; they sign in (if you require authentication) and install the enrollment profile. In both cases, devices are assigned to a Blueprint and configured according to your policies.Automated Device Enrollment (ADE)
ADE allows devices to enroll automatically during the initial setup process. This is the recommended method for corporate-owned devices.Prerequisites
- Apple Push Notification service (APNs) configured in Iru Endpoint
- Apple Business Manager (or Apple School Manager) account configured
- Automated Device Enrollment token set up in Iru Endpoint
- Devices added to your Apple Business Manager account
- Blueprints configured for device assignment
ADE Enrollment Flow
When users set up their devices, the device connects to Apple’s servers during setup and Iru Endpoint automatically applies the assigned Blueprint. The device gets enrolled and configured according to your policies, then the user completes setup with pre-configured settings.Configure ADE Assignment
Assign devices in ABM
a. In Apple Business Manager (or Apple School Manager), navigate to Devices.b. Select the devices you want to assign.c. Choose Assign to MDM Server.d. Select Iru Endpoint as the MDM server.e. Confirm the assignment when prompted.
Configure Blueprint assignment
a. In Iru Endpoint, navigate to Enrollment → Automated Device Enrollment.b. Filter by Awaiting Enrollment (or All) to view unenrolled devices.c. Select the devices and assign them to the appropriate Blueprint.d. Configure any required authentication settings (see Require Authentication with Automated Device Enrollment for details).e. Confirm devices appear and use Fetch Now to sync from Apple if they do not.
Manual Enrollment
Manual enrollment allows users to enroll their devices through the Iru Endpoint Enrollment Portal.Setup Manual Enrollment
Configure Enrollment Portal
a. Go to Endpoint → Enrollment → Manual Enrollment in Iru Endpoint.b. Ensure the Enrollment Portal is active.c. Determine which Blueprint you want devices to be added to after enrollment.
Configure authentication
a. Click the Blueprint and select Require authentication if you want users to authenticate prior to enrollment.b. This integrates with your SSO configuration for secure enrollment. If you see a banner that No single sign-on connections are configured, go to Access (Account Menu Button → Access) and configure Single sign-on, then return and select Require authentication. See SSO Setup for setup steps.
Share enrollment information
a. Copy the Enrollment Portal link from Enrollment → Manual Enrollment.b. Copy the Enrollment code for the Blueprint you chose and share the link and code with your end users.c. Provide a short note that they’ll authenticate (if required), then follow on-screen prompts to complete enrollment.
User Enrollment Process
When users access the Enrollment Portal, they’ll enter the provided Blueprint code and authenticate using SSO if you’ve enabled that option. They then download and install the enrollment profile to complete enrollment and receive device configuration.Enrollment Authentication
SSO Authentication
To enhance security, you can require SSO authentication during enrollment. Configure SSO in Iru Endpoint (see SSO Setup), then enable Require authentication on your Blueprint. Users will authenticate with their identity provider before enrollment.Blueprint Codes
Each Blueprint has a unique enrollment code that users need to enroll their devices. You can share codes directly with users, use SSO authentication to automatically assign users to the correct Blueprint, or create multiple Blueprints for different user groups or departments.Best Practices
Test your Blueprints on designated testing devices before enrolling production hardware. Use Automated Device Enrollment for corporate-owned devices, as it provides the best user experience. Enable SSO authentication for secure enrollment and provide clear instructions to users about the enrollment process. You can monitor enrollment success and troubleshoot issues using the Activity page.Troubleshooting
Trial tenant device limit
Trial tenants are limited to a total of 10 devices. Once this limit is reached, a banner will be displayed until the device count becomes less than 10 again.Common Issues
If devices aren’t appearing, check your Apple Business Manager configuration and device assignment. For enrollment failures, verify your Blueprint configuration and network connectivity. If you’re seeing authentication issues, check that SSO is configured correctly and that users have the right access.Support Resources
Check the Activity page for enrollment logs and errors, and review Device records for enrollment status. Contact Support if you need additional assistance. For detailed information about Apple enrollment, see Configuring Apple Enrollment and User Experience with Apple Enrollment. For requiring SSO during enrollment, see Require Authentication with Automated Device Enrollment.Next Steps
After setting up Apple enrollment:Test enrollment
Test the process with a few devices and monitor compliance and policy enforcement on the Activity page.
Set up enrollment for other platforms (optional)
To enroll Windows or Android devices as well, see Windows Enrollment or Android Enrollment.