If you have ever dreamed of automating 100% of the device enrollment process and conditionally assigning policies based on user data (name, email, user groups) or device data (IMEI, serial number, etc.), Smart Enrollments are the tool you were looking for.
Introduction
Smart Enrollments are the most efficient way to manage device enrollments in an unattended manner. They allow you to define a set of rules and conditions that must be met for a device to be enrolled and, in addition, to conditionally assign policies based on these rule sets.
Smart Enrollments are useful for:
- Limiting device enrollment:
  - Based on user authentication through SSO integrations (user groups or email patterns).
  - Based on device information (IMEI, Serial Number).
- Conditionally assigning different policies based on rules.
- Automating Apple DEP enrollments to enable unattended zero-touch experiences.
- Creating local accounts based on user information retrieved after authentication through Applivery Connect (SSO integration).
Note
Smart Enrollments only work with devices that are enrolled through the Apple Device Enrollment Program (DEP). You can read more about Apple DEP here.
Smart enrollment configuration
Let’s get started configuring your first Smart Enrollment. First, go to Device Management > Configuration and choose Smart Enrollments (1) from the Apple left menu.
Then click the + Create Smart enrollment (2) button.
In the modal view, fill out the form:
- Name: Choose a friendly name for your new smart enrollment.
- Description: Choose a friendly description for your new smart enrollment.
- Login providers: The SSO providers configured at the workspace level will be displayed. However, you can also configure the specific integration at the smart enrollment level by clicking Override.
- Policy: Choose the policy that will be applied to the device from the policies library. If you still don’t have any pre-defined policies, just type a name and a new empty policy will be created.
- Tags: Used for filtering and grouping.
- VPP Location: Choose the VPP Location that will be used to manage app licenses.
- Allow Activation Lock: Allow devices to use Activation Lock when the user enables Find My.
- Setup assistant: Activate the Applivery Setup Assistant during enrollment (only for macOS devices).
- Auxiliary fields: By filling out this form, you will be able to configure device tags during the enrollment.
- Display name pattern: Assign a display name by combining device properties.
- Optionally, configure the Account configuration form to create local accounts automatically. Note that both Admin and Primary accounts can be created at the same time. You can also use placeholders that will be replaced automatically with the information coming from the SSO authentication process.
  - Admin account supports configuring the Full name, User name and password of the user. You can also hide it from the login window and some other options.
  - Primary account supports configuring just the Full name and Username. The password must be selected by the user when configuring the device for the very first time.
If you click Save at this point, you will have finished setting up your basic Smart enrollment and will be able to start enrolling devices.
Applying conditions and rules
Now that you have your basic Smart Enrollment configured, you can add Conditions (3) and Rules (4) that will make it smarter.
Use the Add condition option to enable enrollment limits based on user information (such as email patterns or groups) and device information (IMEI, Serial number, and auxiliary fields).
You can use conditional operators to make it as complex as you need.
You can also use the Add additional rule option to create groups of conditions, each of them with a target policy. As you will see, each group of conditions will also contain its own VPP Location, Activation Lock configuration and local account configuration and, of course, as many Conditions as you need.
Once done, click Save.
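A rule set like the one described above can be dry-run offline against sample users and devices before it is assigned to DEP devices. The following is an added example, not Applivery code: the class names, the operator names, the first-match rule order and the fallback to the base policy are assumptions made for illustration.

```python
import fnmatch
from dataclasses import dataclass, field

@dataclass
class Condition:
    attribute: str  # "email", "groups", "serial_number", "imei"
    operator: str   # "equals", "matches" (glob), "member" -- hypothetical names
    value: str

    def holds(self, ctx: dict) -> bool:
        actual = ctx.get(self.attribute)
        if actual is None:
            return False  # a missing attribute never satisfies a condition
        if self.operator == "equals":
            return actual == self.value
        if self.operator == "matches":  # whole-string glob, case-insensitive
            return fnmatch.fnmatchcase(str(actual).lower(), self.value.lower())
        if self.operator == "member":   # e.g. SSO group membership
            return isinstance(actual, (list, set, tuple)) and self.value in actual
        raise ValueError(f"unknown operator {self.operator!r}")

@dataclass
class Rule:
    policy: str
    conditions: list  # every condition must hold (AND)

@dataclass
class SmartEnrollment:
    default_policy: str
    conditions: list = field(default_factory=list)  # enrollment gate
    rules: list = field(default_factory=list)       # additional rules, in order

    def evaluate(self, ctx: dict):
        """Return the policy name, or None when enrollment is refused."""
        if not all(c.holds(ctx) for c in self.conditions):
            return None
        for rule in self.rules:  # assumption: first matching rule wins
            if all(c.holds(ctx) for c in rule.conditions):
                return rule.policy
        return self.default_policy

# Constructed sample rule set (policy names, domain and serial prefix are made up).
ENROLLMENT = SmartEnrollment(
    default_policy="standard-mac",
    conditions=[Condition("email", "matches", "*@example.com")],
    rules=[Rule("it-admin-mac", [Condition("groups", "member", "IT"),
                                 Condition("serial_number", "matches", "C02*")]),
           Rule("sales-mac", [Condition("groups", "member", "Sales")])],
)
```

Calling `ENROLLMENT.evaluate(...)` with an address such as `eve@example.com.other.test` returns `None`, because the email pattern is matched against the whole string rather than as a substring.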
Deploying Smart Enrollments
To finish, you have to assign Smart Enrollments to your ABM DEP devices, so head to Device Management > Configuration and click DEP under the Apple menu.
Click one of your DEP devices (1) and click Configure (2) below the Smart enrollment option that will appear in the side panel.
Finally, choose a Smart enrollment from the dropdown (3) list and then click Assign (4) to finish.