This guide applies to Mac computers, iOS devices, iPadOS devices, Apple TV, and Apple Vision Pro devices
How It Works
Iru Endpoint supports two approaches: Automated Device Enrollment (ADE) for corporate-owned devices (they enroll automatically during setup), and manual enrollment through the Enrollment Portal for Bring Your Own Device (BYOD). For ADE, you assign devices in Apple Business Manager (ABM) to Iru Endpoint, then assign them to a Blueprint in Iru Endpoint. For manual enrollment, you share the Enrollment Portal link and Enrollment code with users; they enter the Enrollment code, then sign in (if you require authentication) and install the enrollment profile. In both cases, devices are assigned to a Blueprint and configured according to your policies.Automated Device Enrollment (ADE)
ADE allows devices to enroll automatically during the initial setup process. This is the recommended method for corporate-owned devices.Prerequisites
- Apple Push Notification service (APNs) configured in Iru Endpoint
- Apple Business Manager or Apple School Manager (ASM) account configured
- Automated Device Enrollment token set up in Iru Endpoint
- Devices added to your Apple Business Manager account
- Blueprints configured for device assignment
ADE Enrollment Flow
When users set up their devices, each device connects to Apple’s servers during setup and Iru Endpoint automatically applies the assigned Blueprint. Each device gets enrolled and configured according to your policies, then the user completes setup with pre-configured settings.Assign devices in Apple Business Manager
Configure Blueprint assignment
Navigate to Automated Device Enrollment
In Iru Endpoint, navigate to Enrollment → Automated Device Enrollment.
Configure Authentication (optional)
Configure any required authentication settings. See Require Authentication with Automated Device Enrollment for details.
ADE Library Item Assignment
Optionally set or override the ADE Library Item for a device (or multiple devices) instead of using the one from its Blueprint or Blueprint Routing.Navigate to Automated Device Enrollment
In Iru Endpoint, go to Enrollment → Automated Device Enrollment.
Filter and Select Devices
Filter by Awaiting Enrollment (or All) to view unenrolled devices, then select the device(s) whose ADE Library Item you want to set or override.
View the ADE Library Item Column
The ADE Library Item column shows the name of the ADE Library Item assigned to the Blueprint selected for enrollment or Blueprint Routing, or None if none is assigned.
Unlink from Blueprint
To override the assignment so you can choose a different ADE Library Item, click Unlink from Blueprint or Unlink from Blueprint Routing, whichever appears.
Re-link or select an ADE Library Item
Once unlinked, choose Re-link to Blueprint or Re-link to Blueprint Routing, or select an ADE Library Item from the list. You can do this for one device or for many via multi-select.
A direct assignment is sticky and will always apply to the device unless you manually re-link it to the Blueprint or Blueprint Routing. Re-linking can be done one device at a time or in bulk.
Manual Enrollment
Manual enrollment allows users to enroll their devices through the Iru Endpoint Enrollment Portal.Setup Manual Enrollment
Configure Enrollment Portal
a. Go to Endpoint → Enrollment → Manual Enrollment in Iru Endpoint.b. Ensure the Enrollment Portal is active.c. Determine which Blueprint you want devices to be added to after enrollment.
Configure Authentication
a. Click the Blueprint and select Require authentication if you want users to authenticate prior to enrollment.b. This integrates with your Single Sign-On (SSO) configuration for secure enrollment. If you see a banner that No single sign-on connections are configured, go to Access (Account Menu Button → Access) and configure Single sign-on, then return and select Require authentication. See SSO Setup for setup steps.
Share Enrollment Information
a. Copy the Enrollment Portal link from Enrollment → Manual Enrollment.b. Copy the Enrollment code for the Blueprint you chose.c. Share the Enrollment Portal link and Enrollment code with your end users.d. Provide a short note that they’ll enter the Enrollment code, then sign in (if required), and follow on-screen prompts to complete enrollment.
User Enrollment Process
When users access the Enrollment Portal, they’ll enter the provided Enrollment code and authenticate using SSO if you’ve enabled that option. They then download and install the enrollment profile to complete enrollment and receive device configuration.Enrollment Authentication
SSO Authentication
To enhance security, you can require SSO authentication during enrollment. Configure SSO in Iru Endpoint (see SSO Setup), then enable Require authentication on your Blueprint. Users will authenticate with their identity provider before enrollment.Enrollment Codes
Each Blueprint has a unique Enrollment code that users need to enroll their devices. You can share codes directly with users, use SSO authentication to automatically assign users to the correct Blueprint, or create multiple Blueprints for different user groups or departments.Best Practices
Test your Blueprints on designated testing devices before enrolling production hardware. Use Automated Device Enrollment for corporate-owned devices, as it provides the best user experience. Enable SSO authentication for secure enrollment and provide clear instructions to users about the enrollment process. You can monitor enrollment success and troubleshoot issues using the Activity page.Troubleshooting
Trial tenant device limit
Trial tenants are limited to a total of 10 devices. Once this limit is reached, a banner will be displayed until the device count becomes less than 10 again.Common Issues
If devices aren’t appearing, check your Apple Business Manager configuration and device assignment. For enrollment failures, verify your Blueprint configuration and network connectivity. If you’re seeing authentication issues, check that SSO is configured correctly and that users have the right access.Support Resources
Check the Activity page for enrollment logs and errors, and review Device records for enrollment status. Contact Support if you need additional assistance.Related articles
Blueprint Routing
Configure dynamic Blueprint assignment during device enrollment using Assignment Rules
Configuring Apple Enrollment
Configure Apple device enrollment with Automated Device Enrollment (ADE)
User Experience with Apple Enrollment
What to expect when enrolling your device through the Enrollment Portal
Configure Require Authentication for Enrollment
Configure authentication requirements for device enrollment across Apple, Windows, and Android platforms
Next Steps
After setting up Apple enrollment:Test Enrollment
Test the process with a few devices and monitor compliance and policy enforcement on the Activity page.
Set Up Enrollment for Other Platforms (optional)
To enroll Windows or Android devices as well, see Windows Enrollment or Android Enrollment.