Device Enrollment Experience for Mobile Devices

Jamf Pro Documentation 11.16.0


When a user accesses the enrollment URL from an institutionally owned iOS or iPadOS device using Safari, they are guided through a series of steps to enroll the device. The text displayed in the images below may vary depending on whether the text or languages are customized in the user-initiated enrollment settings. For more information, see User-Initiated Enrollment Settings.

Note:

If Stolen Device Protection is enabled for iOS devices, users may be prompted to disable it or to wait an hour before enrollment if the device is located in an unfamiliar location.

The following workflow describes how user-initiated enrollment can be used to enroll institutionally owned mobile devices:

  1. The user is prompted to log in with either their directory credentials or a Jamf Pro user account with user-initiated enrollment privileges. Directory credentials may include one of the following authentication types:

    • LDAP

    • Single sign-on (SSO)

    • Cloud Identity Provider

    After entering their credentials on the Jamf Pro login page, the user must click Log In. If the user is authenticating via a single sign-on provider, the user is redirected to their organization's login page.

    The login prompt is not displayed if the enrollment portal was accessed via an enrollment invitation in which the Require Login option is disabled.

  2. The user is prompted to enroll the device as a personally owned device or an institutionally owned device.

    This step is only displayed if both institutionally owned device enrollment and personally owned device enrollment are enabled in Jamf Pro.

    You can display a description to users who enroll an institutionally owned device.

  3. Users who authenticated using a Jamf Pro user account and users who accessed the enrollment portal via an invitation for which the "Require Login" option is disabled will see an "Assign to user" dialog.

  4. An LDAP or Cloud Identity Provider user may optionally be linked to the enrolling device by performing a search in the field in this dialog. The user must enter their username and click the magnifying glass icon to search for a match in the LDAP or Cloud Identity Provider directory.

    1. If a matching user is found, a checkmark will be displayed at the end of the text field. The user can click Enroll to continue with enrollment, and the device will be associated with their username.

    2. If the user is not found, an X is displayed at the end of the text field. The user can leave the Assign to user field blank and then click the Enroll button to continue enrollment without associating the device with a user.

      Note:

      To assign a user to a device, the Jamf Pro user account must have the "Assign Users to Mobile Devices" privilege.

    3. If prompted to select a site, the user may choose a site to associate their device with. This will apply the appropriate site settings as defined by your organization to the device.

  5. (Optional) If the user signed in with a directory user and the text for an End User License Agreement (EULA) was entered in Jamf Pro, the user must accept the EULA to continue.

  6. (Optional) If the Skip certificate installation during enrollment checkbox is deselected in User-Initiated Enrollment settings, the user is prompted to install a profile containing the CA certificate before they install the MDM profile.

    The user must follow the onscreen instructions to install the CA certificate. After the CA certificate is installed, the user must return to Safari to install the MDM profile and complete enrollment.

  7. When prompted, the user must click Continue to download and install the MDM profile. Information about enrollment can be accessed by clicking the Information icon.

  8. For devices with iOS 12.2 or later, the following additional message is displayed: "Complete installation of this profile in the Settings app."

  9. Next, a Profile Downloaded dialog is displayed:

    The user must click Close, then navigate to the Settings app and click Profile Downloaded in the left sidebar to complete the installation.

  10. The user may need to click Install multiple times to continue and must follow the onscreen instructions to trust the MDM profile, which may include entering their passcode if one is required.

    Important:

    The user has eight minutes to install the enrollment profile before iOS discards the profile. If this occurs, the user must restart the enrollment process from the beginning.

  11. When the user returns to the Safari web browser, the following message will be displayed indicating that the device is enrolled with Jamf Pro.