Apple Device Enrollment Methods

One question I am being asked increasingly often is about the enrollment modes now available for the different mobile device platforms. There is quite a bit of confusion, especially around Android, because so many different enrollment mechanisms now exist.

In this series of blog posts I will explore the different enrollment methods for each device type, starting with Apple in this post…

NB: Being a VMware aficionado, this post draws on VMware Workspace ONE Unified Endpoint Management (formerly AirWatch) articles and blog posts, but the general methodologies of the different mobile operating systems will be similar for other MDM solutions, although the specific enrollment mechanics may differ.

NB2: Please note this is not a definitive guide; for more information or assistance please get in touch with ComputerWorld and we can help you put a strategy together for enrolling your devices.

Apple Business Manager (formerly Device Enrollment Programme)

Apple Business Manager (ABM) absorbed the Device Enrollment Program (DEP); the DEP functionality now lives on as Automated Device Enrollment within ABM. It is a way to automatically enroll corporate-owned iOS and macOS devices into your MDM solution without IT ever having to touch the device.

Devices are added to the ABM portal at the point of purchase by the reseller or carrier and assigned to your MDM server in ABM by IT. Then, when the user activates the device in Setup Assistant, Apple's activation servers point it at your MDM solution, which pushes its enrollment profile for the user to complete enrollment. Once a device has been added to ABM it will always be referred to the MDM solution for enrollment, even after a factory reset; with enrollment set to mandatory and the profile non-removable, a user cannot finish setup or drop out of management by wiping the device. Devices are only removed when an IT admin of the ABM manually releases the device, and note that releasing a device from ABM is permanent: it can only be brought back in by re-adding it with Apple Configurator.


ABM is described in much more detail here.

Apple Device Enrollment

As a starter for 10, I'll look at enrollment of Apple devices first of all, since it's the most straightforward to explain.

  1. You can enroll Apple devices by simply installing the Workspace ONE Intelligent Hub (formerly AirWatch Agent) app and signing in with your AD credentials. This method does not give you the fullest extent of management over the device (it is unsupervised, so the user can remove the MDM profile from Settings); it's fine for BYOD and in some cases is fine for corporate devices.

  2. However… if you want to exert the highest degree of control over your corporate devices then you need to 'supervise' the device. Supervision is a device state that can only be set while the device is being set up, and it unlocks the supervised-only restrictions and payloads (for example single-app mode, silent app installation and blocking removal of the MDM profile). Here's some info on supervision:

    a. https://support.apple.com/en-gb/HT202837

    b. https://docs.vmware.com/en/VMware-AirWatch/9.2/vmware-airwatch-guides-92/GUID-AW92-SupervisedBenefits.html

  3. To supervise an Apple device you have two options, and I would recommend using the Apple DEP with both:

    a. Manually enable supervision using the Apple Configurator 2 application on a Mac. This can be done with or without the Apple DEP integration, but MDM enrollment is more manual.

    b. When you buy a new device, have the supplier add the device's serial number to your Apple DEP and then give the user the phone. You need to assign the device to your MDM tenant in the DEP portal, but the user can then just be given the phone without further intervention from you and will enroll it themselves as part of the out-of-box setup.

So for iOS, the lightest touch from IT, and the option I believe you should be looking at (certainly moving forwards), is 3b; however, please note that 3b is only for brand new devices that are added to the DEP when purchased.

For existing iOS devices you would need to use 3a: in essence IT needs to physically get hold of the phone, factory reset it (supervision can only be set during setup, so there is no way to supervise a device in use without wiping it), enroll it via the Configurator app, ideally adding it to the Apple DEP at the same time, and then give it back to the user.
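As an added example (my own script, not something from the Workspace ONE or Apple documentation), here is a small shell helper for the Mac side of the ABM discussion above. It reads the two lines that `profiles status -type enrollment` prints on macOS 10.13.4 and later (`Enrolled via DEP:` and `MDM enrollment:`) and reports which of the enrollment paths in the list a given Mac is actually on, which is handy when auditing an existing fleet before deciding between 3a and 3b. The mapping of those two flags to the options above is my own reading, the sample outputs are constructed rather than captured from real machines, and iOS has no equivalent on-device command, so for iPhones and iPads you still rely on the MDM console.

```shell
#!/bin/sh
# Added example, not from the original post. Classifies a Mac's enrollment
# state from the output of `profiles status -type enrollment` (macOS 10.13.4+),
# which prints two lines of the form:
#   Enrolled via DEP: Yes|No
#   MDM enrollment: Yes|No [(User Approved)]
# Mapping to the post's options (my own reading, an assumption):
#   ade    -> automated enrollment via ABM/DEP (option 3b style)
#   manual -> enrolled without ABM, e.g. Hub/profile enrollment (option 1)
#   none   -> not managed; needs option 1 or option 3

classify_enrollment() {
  # $1: captured output of `profiles status -type enrollment`
  dep=$(printf '%s\n' "$1" | sed -n 's/^Enrolled via DEP:[[:space:]]*//p')
  mdm=$(printf '%s\n' "$1" | sed -n 's/^MDM enrollment:[[:space:]]*//p')
  case "$dep" in
    Yes*) dep=yes ;;
    *)    dep=no  ;;
  esac
  case "$mdm" in
    Yes*) mdm=yes ;;   # also matches "Yes (User Approved)"
    *)    mdm=no  ;;
  esac
  if [ "$mdm" = yes ] && [ "$dep" = yes ]; then
    echo ade
  elif [ "$mdm" = yes ]; then
    echo manual
  else
    echo none
  fi
}

# Live wrapper: only meaningful on macOS, where the `profiles` tool exists.
live_enrollment_state() {
  if command -v profiles >/dev/null 2>&1; then
    classify_enrollment "$(profiles status -type enrollment 2>/dev/null)"
  else
    echo unavailable
  fi
}

# Constructed sample outputs for offline use (not captured from real devices).
SAMPLE_ADE='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)'
SAMPLE_MANUAL='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)'
SAMPLE_NONE='Enrolled via DEP: No
MDM enrollment: No'

# Run with --demo to see the three sample classifications; without it, run
# `live_enrollment_state` on a Mac to classify the machine you are on.
if [ "${1:-}" = "--demo" ]; then
  for s in "$SAMPLE_ADE" "$SAMPLE_MANUAL" "$SAMPLE_NONE"; do
    classify_enrollment "$s"
  done
fi
```

A Mac that reports `manual` is on option 1: it is managed but not supervised via ABM, so the user can still remove the profile. To move it to the 3b path you are back to the wipe-and-re-enroll process described for existing devices, after adding it to ABM with Apple Configurator.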