Iru Access carries each person’s device-bound sign-in credential and reports device health. How you deliver it decides whether a device is recognized as managed:
  • Managed deployment - installed and configured through your MDM. Iru recognizes the device as managed, so authentication policies that require the managed attribute are satisfied.
  • Unmanaged deployment - a personal or BYO device the person sets up themselves. It still registers a working authenticator and reports health signals, but it is not recognized as managed, so policies that require the managed attribute won’t pass on it.
Both paths give the person a working Iru Access authenticator and report device health. The only difference is whether the device counts as managed for device-trust decisions.

1. Create an MDM connection

An MDM connection is what lets Iru recognize devices enrolled in your MDM as managed. Create one for each MDM instance you use with Iru Identity.
  1. Go to Policies → MDM Connections and add an MDM Connection.
  2. Give it a display name - we recommend your MDM server’s domain.
  3. Choose a platform: Apple, Windows, or both.
  4. Enter the platform details:
    • Apple - the APNs topic and Check-in URL of your MDM server.
    • Windows - the Provider ID and Discovery service URL of your MDM server.
Not sure of those values? Run the matching Collect MDM details script from Resources on an already-enrolled device to read them off.
After the connection is created, deploy Iru Access to each platform below.

macOS

Deploy the Iru Access configuration profile

Download the macOS profile from your MDM connection and deploy it to your Macs. It already contains the Associated Domains and single sign-on extension settings - with your organization’s domains filled in - so you don’t have to assemble them by hand.

Deploy the Iru Access app

Upload the macOS package from the Downloads tab to your MDM and scope it to your Macs. If you use Iru Endpoint, you can add Iru Access directly from its app library instead.

Configure managed registration

macOS registers without any user interaction using a short script your MDM runs (ideally on a schedule). It checks whether the device is already registered for your domain and, if not, registers it.
Set regToken to your MDM connection’s client secret and regTokenDomain to your Iru domain.
#!/bin/zsh

set -euo pipefail

# Replace with your MDM connection's client secret and your Iru domain.
regToken="mdm-xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx"
regTokenDomain="yourcompany.iru.com"

iruAccessCLI="/Applications/Iru Access.app/Contents/MacOS/iru-access"

# Current list of registered secrets
listOutput="$("$iruAccessCLI" manage --list 2>/dev/null || true)"

# Existing hash for this domain, if any
existingHash="$(
  echo "$listOutput" \
  | awk -v domain="$regTokenDomain" '
      index($1, domain":") == 1 {
        split($1, a, ":");
        print a[2];
      }
    '
)"

# SHA-256 of the current token
currentHash="$(printf '%s' "$regToken" | shasum -a 256 | awk '{print $1}')"

# Already registered with this token? Nothing to do.
if [[ -n "$existingHash" && "$existingHash" == "$currentHash" ]]; then
  echo "MDM registration token already registered"
  exit 0
fi

echo "Setting registration token for domain: $regTokenDomain"
"$iruAccessCLI" manage --secret "$regToken" --domain "$regTokenDomain"

exit $?

iOS, iPadOS, and visionOS

Deploy the Iru Access configuration profile

Download the iOS profile from your MDM connection and deploy it to your devices.

Deploy the Iru Access app

Distribute the Iru Access app (from the Downloads tab) through your MDM as a managed app, and scope it to your devices.

Configure managed registration

These platforms can’t run the macOS script, so you supply the registration details through your MDM’s managed app configuration for Iru Access (bundle ID com.iru.AccessMobile). Set two keys:
  • mdmSecret (String, required) - your MDM connection’s client secret, the same value you pass to the macOS --secret.
  • mdmSecretDomain (String, required) - your base tenant domain, the same value as the macOS --domain (for example yourcompany.iru.com).
Set mdmSecretDomain to your base domain (yourcompany.iru.com) - not the id. subdomain that invitation links use (yourcompany.id.iru.com). If the id. subdomain is included, the secret isn’t applied and the person falls back to entering it by hand.
Managed app configuration (plist)
<dict>
    <key>mdmSecret</key>
    <string>mdm-REPLACE-WITH-MDM-CONNECTION-CLIENT-SECRET</string>
    <key>mdmSecretDomain</key>
    <string>yourcompany.iru.com</string>
</dict>
This makes registration credential-free - the person never enters a secret, scans a QR code, or waits for manual approval - but it isn’t fully silent like the macOS script. The person still opens their invitation (emailed to them, or a link you push to managed devices) or the in-app onboarding screen, taps Continue, and confirms with Face ID or Touch ID.
Requires iOS or iPadOS 18.4 or later. Apple Vision Pro is supported too - Iru Access runs there as the iPad app and uses the same configuration.

Windows

Windows deployment has two parts: a small command-line tool provisions your MDM connection’s secret on the device, and the person completes registration from their invitation. There is no fully unattended path - Windows Hello always involves the person.

Deploy the Iru Access app

Distribute the Windows package from the Downloads tab through your MDM and scope it to your PCs. Iru Access on Windows requires Windows 11, version 24H2 or later (the passkey plugin depends on it).

Provision the MDM secret

Run the IruID.MdmSecretTool.exe command-line tool elevated (as SYSTEM) to store your MDM connection’s client secret for your domain. Deliver it through your MDM as a Win32 app, a remediation, or a startup script. It’s a separate tool from the app, not bundled inside it.
# Store the secret (run elevated / as SYSTEM)
IruID.MdmSecretTool.exe manage --secret "<CLIENT_SECRET>" --domain "yourcompany.iru.com"

# Verify - prints "<domain>:<hash>", never the secret itself
IruID.MdmSecretTool.exe manage --list

# Rotate or remove
IruID.MdmSecretTool.exe manage --clear "yourcompany.iru.com"
The --secret and --domain values are the same as on macOS and iOS: your connection’s client secret and your base tenant domain (yourcompany.iru.com). Provision the secret with this tool rather than writing the registry directly - it’s encrypted to the device, so a value pushed by raw registry or OMA-URI won’t be usable.

Complete registration

With the app deployed and the secret provisioned, the person opens their invitation, which launches Iru Access, and confirms with Windows Hello. Because the device is enrolled in your MDM and carries the provisioned secret, Iru recognizes it as managed.
Iru Access registers its passkey plugin with Windows automatically the first time it runs, after which it appears under Settings ▸ Accounts ▸ Passkeys ▸ Advanced options. Turning that toggle on is up to Windows and the person; it can’t currently be forced on centrally through MDM. The end-user guide covers that step.

Resources

These helper scripts collect the MDM server details you need when creating a connection. Run them on a device that is already enrolled in your MDM.
Reads the APNs topic and MDM Check-in URL from an enrolled Mac.
sudo profiles -P -o stdout 2>/dev/null | awk '
/CheckInURL = / {
    if (match($0, /"[^"]+"/)) {
        candidate_checkin = substr($0, RSTART+1, RLENGTH-2)
    }
}
/Topic = / {
    if (match($0, /"[^"]+"/)) {
        candidate_topic = substr($0, RSTART+1, RLENGTH-2)
    }
}
/PayloadType = "com.apple.mdm"/ {
    apns_topic = candidate_topic
    checkin_url = candidate_checkin
    print "APNs Topic: " apns_topic
    print "MDM Check-in URL: " checkin_url
    exit
}
'
Reads the MDM server’s Provider ID and Discovery service URL from an enrolled Windows device. Run in PowerShell.
[CmdletBinding()]
param(
    [string]
    $ProviderId
)

$basePaths = @(
    "HKLM:\SOFTWARE\Microsoft\Enrollments",
    "HKLM:\SOFTWARE\WOW6432Node\Microsoft\Enrollments"
)

$records = @()

function Get-EnrollmentRecords {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $Filter
    )

    if (-not (Test-Path -Path $Path)) {
        return
    }

    Get-ChildItem -Path $Path -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if (-not $props) {
            return
        }

        $record = [PSCustomObject]@{
            ProviderId          = $props.ProviderID
            DiscoveryServiceUrl = $props.DiscoveryServiceFullURL
            Upn                 = $props.UPN
            EnrollmentKey       = $_.PSChildName
        }

        if (-not $record.ProviderId) {
            return
        }

        if (-not $Filter -or ($record.ProviderId -ieq $Filter)) {
            $record
        }
    }
}

foreach ($path in $basePaths) {
    $records += Get-EnrollmentRecords -Path $path -Filter $ProviderId
}

if (-not $records) {
    Write-Warning "No enrollment records found under $($basePaths -join ', ')."
    return
}

$records |
    Sort-Object ProviderId, EnrollmentKey |
    Format-Table -AutoSize |
    Out-String -Width 4096 |
    Write-Output

Where to go next

Troubleshoot the macOS SSO extension

Diagnose associated-domain approval and extension loading on a Mac.

MDM connections

Set up and manage the connection that makes a device count as managed.

Device trust

Require managed, healthy devices as a condition of access.

Installing Iru Access

The end-user walkthrough for setting up Iru Access on a personal device.

Authenticators

How Iru Access fits alongside passkeys as an authenticator.