Using account driven user enrollment for macOS

Account driven user enrollment lets users and organizations securely configure Apple devices by using Managed Apple IDs. A Managed Apple ID and a personal Apple ID can coexist on the same device, with complete separation of work and personal data.

Before you begin

Important:
  • Account driven user enrollment is supported on devices that run macOS 15.2 or later.
  • The enrollment is supported in Mac MaaS360® version 2.53.000 and later.
  • Distributing macOS applications with user-based VPP licenses is not supported on devices enrolled through account driven user enrollment.
You must have the following before you can enroll your macOS device.
  • Set up Apple Business Manager (ABM)
    1. Create Managed Apple Accounts by using federated authentication between Apple and your IdP, or create them manually in Apple Business Manager or Apple School Manager.
    2. Under Managed Apple Accounts, make sure that the domain of the managed ID is verified. For more information, see Add and verify a domain in Apple School Manager, Add and verify a domain in Apple Business Manager, and About Managed Apple Accounts in Apple Business Manager.
      Important: Managed Apple IDs can be created only under verified domains.
    3. Set the Default MDM Server Assignment for iPhone, iPad, and Mac. The device uses it for service discovery, that is, to find the MDM server for the domain of the Managed Apple ID that the user signs in with. For more information, see Set the default device assignment in Apple Business Manager.
      Tip: Create a separate DEP enrollment token (a separate MDM server entry in ABM) for account driven user enrollment. The admin uploads that token to IBM® MaaS360 so that the portal can sync with ABM.
  • In IBM MaaS360, create an Apple user whose email address is identical to the Managed Apple ID.
  • IBM MaaS360 Settings
    1. From the IBM MaaS360 Portal, go to Setup > Settings > Directory and Enrollment > Basic Enrollment Settings > Self Enrollment > Default ownership mode and select Prompt user for ownership.
    2. Under Setup > Settings > Directory and Enrollment > Advanced Enrollment Settings > Advanced Management for Apple Devices, enable User enrollment mode - Manage only corporate resources. In this mode, MDM manages only the organization's accounts, apps, and data on the device; the user's personal data stays outside its control.
    3. Under Setup > Settings > User Settings > Basic > Managed Apple ID Settings, select the Use Email Address as Managed Apple ID checkbox. This setting ensures that the portal user matches the Managed Apple Account that was created in ABM.
  • Account Driven DEP Token Upload

    The DEP token downloaded from ABM is uploaded to IBM MaaS360 so that the portal can sync with ABM. Upload it as described in the following procedure.
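A check for the domain-side prerequisites in the ABM steps above, added here as an example and not part of IBM's or Apple's documentation: ABM verifies domain ownership through a DNS TXT record that carries an apple-domain-verification token, and account driven enrollment locates the MDM server for the Managed Apple ID's domain through service discovery. This page relies on the ABM default MDM server assignment for that lookup; Apple also supports a self-hosted discovery document at https://<domain>/.well-known/com.apple.remotemanagement (a JSON "Servers" list whose entries carry "Version" and "BaseURL", with version string mdm-byod for user enrollment). The sample TXT records, the discovery document, and the host names below are constructed; the functions validate captured output offline, and the commented commands at the end show how to feed them live dig and curl output.

```shell
#!/bin/sh
# Added example (not IBM's or Apple's code): offline checks of the two
# domain-side prerequisites for account driven user enrollment.
# All sample inputs are constructed.

# Prefix of the TXT record value that ABM/ASM domain verification looks for.
APPLE_VERIFY_PREFIX="apple-domain-verification="

# Constructed sample: what `dig +short TXT example.com` might return.
SAMPLE_TXT_RECORDS='"v=spf1 include:_spf.example.com -all"
"apple-domain-verification=ABCDEF0123456789"'

# Constructed sample: a discovery document as served from
# https://<domain>/.well-known/com.apple.remotemanagement?user-identifier=<Managed Apple ID>
SAMPLE_DISCOVERY_JSON='{"Servers":[{"Version":"mdm-byod","BaseURL":"https://mdm.example.com/enroll"}]}'

# Returns 0 when the TXT records contain an Apple domain-verification token.
has_apple_verification_record() {
  printf '%s\n' "$1" | grep -q "$APPLE_VERIFY_PREFIX"
}

# Prints the BaseURL from a discovery document, or nothing when absent.
discovery_base_url() {
  printf '%s' "$1" | sed -n 's/.*"BaseURL"[[:space:]]*:[[:space:]]*"\([^"]*\)".*/\1/p'
}

# Returns 0 when the document advertises a user-enrollment (mdm-byod) server
# reachable over HTTPS; a plain-http BaseURL or a device-enrollment-only
# document (mdm-adde) is rejected.
discovery_ok_for_user_enrollment() {
  doc="$1"
  printf '%s' "$doc" | grep -q '"Version"[[:space:]]*:[[:space:]]*"mdm-byod"' || return 1
  url=$(discovery_base_url "$doc")
  case "$url" in
    https://*) return 0 ;;
    *) return 1 ;;
  esac
}

# Usage against live infrastructure (needs network; not run here):
#   has_apple_verification_record "$(dig +short TXT example.com)" && echo "domain record ok"
#   discovery_ok_for_user_enrollment "$(curl -fsS \
#     'https://example.com/.well-known/com.apple.remotemanagement?user-identifier=user@example.com')" \
#     && echo "discovery ok"
```

The HTTPS check matters because the BaseURL is where the device sends the enrollment request carrying the user's identity; Apple requires TLS for it, and a discovery document that points at plain http is a misconfiguration to fix before anyone enrolls.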

Procedure

  1. To upload the DEP token, go to Devices > Enrollments > Other Enrollment Options > Apple > Apple Device Enrollment > Tokens and select Add Token.
  2. Enter a Token Name and select the Token File that was downloaded from ABM.
  3. Select the Default token for account driven enrollment checkbox and click Add.
    Important: Make sure that the token you upload here is the one created in ABM for account driven user enrollment.
  4. Verify in the Account Driven column that the token is set for account driven user enrollment.
  5. On the Mac, go to System Settings > General > Device Management (on an iPhone or iPad, Settings > General > VPN & Device Management) and click Sign In to Work or School Account. When prompted, sign in with the Managed Apple ID.
  6. Under Device Ownership, select Employee and click Continue.
    Note: If you select Corporate or Shared, the enrollment fails because account driven user enrollment is for employee-owned devices only.
  7. Optional: Enter the custom attributes and click Continue.
  8. In the managed workspace of the Managed Apple ID, click Sign In to iCloud.
  9. On the Sign In to iCloud screen, enter the credentials and click Continue.
  10. On the Remote Management screen, click Allow Remote Management.
  11. Enter the device passcode. The device configuration starts automatically.
  12. Click Continue to complete the configuration.

Results

  • The device enrolls successfully.
  • In the Summary page of the IBM MaaS360 Portal, the device is listed and the Device Enrollment Mode for the device is User Enrollment.