Automated Device Enrollment quickstart

Last updated November 23rd, 2023

On this tab

Apple’s Automated Device Enrollment (ADE) allows you to quickly and easily enroll a large number of organization-owned Apple devices. Devices added by ADE enroll automatically without user intervention with the configured device management profiles.

At a high level, enrolling a device through ADE and Knox Manage proceeds like this:

You obtain an ADE token from Apple.
You register the devices on Apple Business Manager.
You configure an ADE profile for the devices.
The device user receives the device, then signs in to the Knox Manage agent, completing enrollment.

Requirements

To use ADE, you must meet the following prerequisites:

Have Apple devices running iOS 10 or higher, or iPadOS.
Register for an Apple Business account on Apple Business Manager or upgrade from the older Device Enrollment Program. To learn more, consult Upgrade your organization to Apple Business Manager in Apple support.

Connect your tenant to the Automated Device Enrollment service

To enroll devices through ADE, you must connect your Knox Manage tenant to the ADE service, which requires sharing a key and token between Knox Manage and Apple Business Manager.

To issue an ADE token and set it up with your Knox Manage tenant:

Go to Device Enrollment > Apple ADE > ADE Server Setting. If you have issued an ADE token before, the previously-issued ADE token’s information and its expiration date are displayed.
Click Download Public Key to download your public key required to create a new MDM server on the Apple ADE Portal. The file uses the PEM format.
Go to https://deploy.apple.com and sign in with your Apple Business account.
When prompted, enter the 6-digit verification code sent to the mobile device registered to your enterprise’s Apple ID. The start screen opens.
Go to Settings > Device Management Settings, then click Add MDM Server.
Configure the MDM server settings, upload your public key, and then click Save.
Click Download Token to download your ADE token. The file uses the P7M format.

Tip
To avoid authentication conflicts, use one ADE token per EMM tenant.
Back on the Knox Manage console, click Upload ADE Token and upload your token.
Click OK. If the upload and initial handshake succeeds, then your Knox Manage tenant can successfully authenticate with the Apple ADE server.
Click Set ADE Default Profile and configure the base enrollment settings of devices enrolled through ADE.
Click Set ADE Device Sync Interval to specify how frequently your tenant syncs with the ADE server.

Register an Apple device for ADE

After connecting your tenant to the ADE service, you can register an Apple device for ADE on Apple Business Manager through an authorized reseller or the Apple Configurator app on your Mac.

Before you begin, make sure to register your Knox Manage tenant with Apple Business Manager:

Sign in to Apple Business Manager with your enterprise’s Apple ID.
In Apple Configurator, add the Knox Manage server URL on the Preferences > Organizations and Servers tabs. The URL is the one you see in your web browser for the Knox Manage console, followed by /ios/depenroll.

To register an Apple device on Apple Business Manager:

Connect the device to your Mac through USB.
In Apple Configurator, select the device and click Prepare.
When prompted for what to do, click Manual Configuration, then Add to Apple School Manager or Apple Business Manager. Then, select Allow devices to pair with other computers and click Next.
Select your Knox Manage tenant and click Next.
Select your organization and click Next.
Choose which Setup Assistant panes will be available to device users, click Next, then click Prepare on the next dialog.
Wait for the activation process to complete. It should take about 10 minutes.
On the device, follow the on-screen instructions in the Setup Assistant. Make sure to sign in with your enterprise’s Apple ID so that the Knox Manage agent is activated and the VPP apps are installed.

Fix Knox Manage agent installation issues

In some cases, the device fails to install the Knox Manage agent during ADE enrollment. If the device user later manually installs and authenticates the Knox Manage agent, the Knox Manage server doesn’t recognize the device as originating from ADE.

To prevent this issue, you can optionally install the Knox Manage agent to devices by adding and assigning it as a Volume Purchase Program app. Doing so ensures that after the Knox Manage agent is reinstalled, the Knox Manage server registers the device with the ADE service.

Configure ADE profiles

After the Apple devices are registered to Apple Business Manager, you must specify the ADE profile to be assigned to the devices through the Knox Manage console.

The ADE profile is applied to the devices when you enroll them.

Caution

After you enroll a device through ADE, you can’t re-apply its ADE profile. If the profile isn’t configured or was configured incorrectly, you must reconfigure it, factory reset the device, and then resync it.

To configure an ADE profile:

Prepend user IDs to ADE-enrolled device names

By default, ADE-enrolled devices use the following name format:

AppleADE_iOS_#Sequence number

If you need more clarity and specificity in the device name, you can prepend the device’s assigned user ID to this format. Changes to this setting only apply to new enrollments.

To prepend the user ID to the device name:

Go to Device Enrollment > Apple ADE > ADE Server Setting.
Click ADE Device Name.
Select UserID_AppleADE_iOS_#Sequence Number.
Click Save.

Assign users to ADE-enrolled devices

After you enroll a device through ADE, you can assign users to it. You can add users either individually or in bulk on the Device Enrollment > Apple ADE > ADE Device Management page.

Assign a single user

To assign a single user:

Select the device you want to assign the user to.
Click Assign User.
In the dialog, select the user you want to assign to the device and click OK.

Assign users in bulk

To assign users in bulk:

Select the device you want to assign users to.
Click Bulk Assign Users.
In the dialog, click Download Template to download the assignment spreadsheet as an XLSX file.
Fill the spreadsheet in a spreadsheet app and save it.
Back on the console, click and upload the filled spreadsheet.
Click OK. The users in the spreadsheet are assigned to the devices.

Unassign a user

To assign a user from a device:

Unenroll the device.
On the ADE Device Management page, select the device.
Click Unassign User.

Manage devices enrolled through ADE

On the Knox Manage console, you can synchronize with the ADE service to update the ADE device list in the Knox Manage console, modify and assign ADE profiles, and control devices.

View device details

To view the details of an ADE-enrolled device on the Knox Manage console:

Go to Device Enrollment > Apple ADE > ADE Device Management.
Click the serial number of a device. The Device Details page opens.

Sync with the ADE service

To manually sync your Knox Manage tenant with the ADE service:

Go to Device Enrollment > Apple ADE > ADE Device Management.
Click Sync ADE and confirm. The device list on the page updates.

Note

If the device list unexpectedly fails to sync, it might be a sign that your ADE token has expired.

Modify and assign ADE profiles

To modify and assign ADE profiles to devices:

Go to Device Enrollment > Apple ADE > ADE Device Management.
Select one or more devices then click Set ADE profile.
In the dialog, modify the desired ADE profile settings, then click Save. For more details about ADE profiles, see Set ADE profiles.
Click Sync ADE to apply the ADE profile.

Select ADE enrollment method

To set an enrollment method for the ADE service:

Go to Device Enrollment > Apple ADE > ADE Server Setting.
Click ADE Enrollment Method.
In the dialog, choose an enrollment method:
- User Assignment — User accounts are assigned to the device before it’s enrolled in Knox Manage.
- User Authentication — Device users sign in with their accounts after enrollment.
Click OK to save your settings.

Unenroll a device through ADE

If an ADE-enrolled device is no longer needed, you can unenroll it on Apple Business Manager.

To unenroll an ADE-enrolled device:

Visit the Apple Business Manager website at https://business.apple.com, and then enter your enterprise’s Apple ID and password to sign in.
On the Apple Business Manager website, go to Settings > MDM Servers.
On the Server Details page, click an MDM server to disable and delete it, and then click Edit > Delete MDM Server.
In the popup window, click OK. All the ADE-enrolled devices on the MDM server are deleted.

Note
To delete the MDM server and relocate the ADE devices on this server, select Reassign Devices from the drop-down list. Then, select a different MDM server where you want to relocate the MDM devices to and click Delete.
On the Knox Manage console, go to Device Enrollment > Apple ADE > ADE Device Management.
Click Sync ADE to synchronize with the ADE service, and confirm when prompted. The ADE-enrolled devices are deleted, and the device list in the Knox Manage console reflects this.

List of skip settings

You can hide the following Setup Assistant panes during initial device setup:

This document was updated for the Knox cloud services 23.12 UAT.

On this tab

At a high level, enrolling a device through ADE and Knox Manage proceeds like this:

You obtain an ADE token from Apple.
You register the devices on Apple Business Manager.
You configure an ADE profile for the devices.
The device user receives the device, then signs in to the Knox Manage agent, completing enrollment.

Requirements

To use ADE, you must meet the following prerequisites:

Have Apple devices running iOS 14 or higher, macOS 13 or higher, or iPadOS 14 and higher.
Register for an Apple Business account on Apple Business Manager or upgrade from the older Device Enrollment Program. To learn more, consult Upgrade your organization to Apple Business Manager in Apple support.

Connect your tenant to the Automated Device Enrollment service

To enroll devices through ADE, you must connect your Knox Manage tenant to the ADE service, which requires sharing a key and token between Knox Manage and Apple Business Manager.

To issue an ADE token and set it up with your Knox Manage tenant:

Go to Device Enrollment > Apple ADE > ADE Server Setting. If you have issued an ADE token before, the previously-issued ADE token’s information and its expiration date are displayed.
Click Download Public Key to download your public key required to create a new MDM server on the Apple ADE Portal. The file uses the PEM format.
Go to https://business.apple.com/ and sign in with your Apple Business account.
When prompted, enter the 6-digit verification code sent to the mobile device registered to your enterprise’s Apple ID. The start screen opens.
Go to Settings > Device Management Settings, then click Add MDM Server.
Configure the MDM server settings, upload your public key, and then click Save.
Click Download Token to download your ADE token. The file uses the P7M format.

Tip
To avoid authentication conflicts, use one ADE token per EMM tenant.
Back on the Knox Manage console, click Upload ADE Token and upload your token.
Click OK. If the upload and initial handshake succeeds, then your Knox Manage tenant can successfully authenticate with the Apple ADE server.
Click Set ADE Default Profile and configure the base enrollment settings of devices enrolled through ADE.
Click Set ADE Device Sync Interval to specify how frequently your tenant syncs with the ADE server.

Register an Apple device for ADE

After connecting your tenant to the ADE service, you can register an Apple device for ADE on Apple Business Manager through an authorized reseller or the Apple Configurator app on your Mac.

Before you begin, make sure to register your Knox Manage tenant with Apple Business Manager:

Sign in to Apple Business Manager with your enterprise’s Apple ID.
In Apple Configurator, add the Knox Manage server URL on the Preferences > Organizations and Servers tabs. The URL is the one you see in your web browser for the Knox Manage console, followed by /ios/depenroll.

To register an iOS device on Apple Business Manager:

Connect the device to your Mac through USB.
In Apple Configurator, select the device and click Prepare.
When prompted for what to do, click Manual Configuration, then Add to Apple School Manager or Apple Business Manager. Then, select Allow devices to pair with other computers and click Next.
Select your Knox Manage tenant and click Next.
Select your organization and click Next.
Choose which Setup Assistant panes will be available to device users, click Next, then click Prepare on the next dialog.
Wait for the activation process to complete. It should take about 10 minutes.
On the device, follow the on-screen instructions in the Setup Assistant. Make sure to sign in with your enterprise’s Apple ID so that the Knox Manage agent is activated and the VPP apps are installed.

For information about enrolling new Macs, see Add a new Mac using Apple Configurator for iPhone.

Fix Knox Manage agent installation issues

Configure ADE profiles

After the Apple devices are registered to Apple Business Manager, you must specify the ADE profile to be assigned to the devices through the Knox Manage console.

The ADE profile is applied to the devices when you enroll them.

Caution

To configure an ADE profile:

Go to Device Enrollment > Apple ADE > ADE Server Setting.
Click Set ADE Default Profile.

Configure the settings in Set ADE Default Profile dialog:

Setting	Value
Supervised Mode	Select Apply to enable Supervised mode.
Delete MDM profile	Select Allow to allow users to delete the MDM profile.
Supervising host certificate list	Click Add to add the registered certificate to the Apple device you want to pair with the devices.
Shared iPad	If you want to deploy all your ADE-enrolled devices as Shared iPads, set to Apply. Then, configure the Shared iPad settings.
Shared iPad > Partition Type	Choose whether to divide the users’ partitions on the device’s local storage by the expected number of Resident Users or by a fixed Quota Size (in MB).
Shared iPad > Expected Number of Resident Users	If you divide the local storage by number of users, enter how many expected users will share this device.
Shared iPad > Maximum Size (MB) for Each User	If you divide the local storage by partition size, enter the size of each user’s parition, in MB.
Shared iPad > Temporary Session Only	Select Allow if your Shared iPads will only be used for temporary (guest) sessions without assigned users.
Shared iPad > Temporary Session Timeout (Seconds)	Enter how long a temporary session can stay inactive before it ends.
Shared iPad > User Session Timeout (Seconds)	Enter how long a user session can stay inactive before it ends.
Shared iPad > Passcode Lock Grace Period (Seconds)	Enter how long the screen can stay locked before the user must enter a passcode or password to unlock the iPad.
Shared iPad > Managed Apple ID Domains	Enter up to three domains that users can select to sign in with their Managed Apple ID.
Shared iPad > Online Authentication Grace Period (Days)	Enter the number of days after which an online authentication with Apple’s identity server is required for a user signing in on a shared device.
Pairing	Select Apply allow pairing with unmanaged Apple devices.
Skip Settings	Select the Setup Assistant panes to hide during initial setup. For the list of panes that can be skipped, see List of skip settings.

Click Save to save the ADE profile.

Prepend user IDs to ADE-enrolled device names

By default, ADE-enrolled devices use the following name format:

AppleADE_iOS_#Sequence number
AppleADE_macOS_#Sequence number

If you need more clarity and specificity in the device name, you can prepend the device’s assigned user ID to this format. Changes to this setting only apply to new enrollments.

To prepend the user ID to the device name:

Go to Device Enrollment > Apple ADE > ADE Server Setting.
Click ADE Device Name.
Select UserID_AppleADE_iOS_#Sequence Number or UserID_AppleADE_macOS_#Sequence Number.
Click Save.

Assign users to ADE-enrolled devices

After you enroll a device through ADE, you can assign users to it. You can add users either individually or in bulk on the Device Enrollment > Apple ADE > ADE Device Management page.

Assign a single user

To assign a single user:

Select the device you want to assign the user to.
Click Assign User.
In the dialog, select the user you want to assign to the device and click OK.

Assign users in bulk

To assign users in bulk:

Select the device you want to assign users to.
Click Bulk Assign Users.
In the dialog, click Download Template to download the assignment spreadsheet as an XLSX file.
Fill the spreadsheet in a spreadsheet app and save it.
Back on the console, click and upload the filled spreadsheet.
Click OK. The users in the spreadsheet are assigned to the devices.

Unassign a user

To assign a user from a device:

Unenroll the device.
On the ADE Device Management page, select the device.
Click Unassign User.

Manage devices enrolled through ADE

On the Knox Manage console, you can synchronize with the ADE service to update the ADE device list in the Knox Manage console, modify and assign ADE profiles, and control devices.

View device details

To view the details of an ADE-enrolled device on the Knox Manage console:

Go to Device Enrollment > Apple ADE > ADE Device Management.
Click the serial number of a device. The Device Details page opens.

Sync with the ADE service

You can use either an iOS dedicated sign-in page or a supported identity provider for user authentication on enrolled devices.

When identity providers are used, the provider’s sign-in page is used for device user authentication. To enable this, IT admins need to sync the ADE manually or automatically.

To set up automatic sync ADE, go to ADE Server Setting > Set ADE Device Sync Interval and specify the interval setting.

To manually sync your Knox Manage tenant with the ADE service:

Go to Device Enrollment > Apple ADE > ADE Device Management.
Click Sync ADE and confirm. The device list on the page updates.

Note

If the device list unexpectedly fails to sync, it might be a sign that your ADE token has expired.

Modify and assign ADE profiles

To modify and assign ADE profiles to devices:

Go to Device Enrollment > Apple ADE > ADE Device Management.
Select one or more devices then click Set ADE profile.
In the dialog, modify the desired ADE profile settings, then click Save. For more details about ADE profiles, see Set ADE profiles.
Click Sync ADE to apply the ADE profile.

Select ADE enrollment method

To set an enrollment method for the ADE service:

Go to Device Enrollment > Apple ADE > ADE Server Setting.
Click ADE Enrollment Method.
In the dialog, choose an enrollment method:
- User Assignment — User accounts are assigned to the device before it’s enrolled in Knox Manage. It is selected by default.
- User Authentication — Device users sign in with their accounts after enrollment. You must sync ADE before selecting this option.
Click OK to save your settings.

Unenroll a device through ADE

If an ADE-enrolled device is no longer needed, you can unenroll it on Apple Business Manager.

To unenroll an ADE-enrolled device:

Visit the Apple Business Manager website at https://business.apple.com, and then enter your enterprise’s Apple ID and password to sign in.
On the Apple Business Manager website, go to Settings > MDM Servers.
On the Server Details page, click an MDM server to disable and delete it, and then click Edit > Delete MDM Server.
In the popup window, click OK. All the ADE-enrolled devices on the MDM server are deleted.

Note
To delete the MDM server and relocate the ADE devices on this server, select Reassign Devices from the drop-down list. Then, select a different MDM server where you want to relocate the MDM devices to and click Delete.
On the Knox Manage console, go to Device Enrollment > Apple ADE > ADE Device Management.
Click Sync ADE to synchronize with the ADE service, and confirm when prompted. The ADE-enrolled devices are deleted, and the device list in the Knox Manage console reflects this.

List of skip settings

You can hide the following Setup Assistant panes during initial device setup:

Locale
Location Service
Region
Siri
Touch ID
Apple Pay
True Tone (Deprecated)
Apple ID
Privacy
Screen Time
Appearance
App Store
Terms of Address
Terms and Conditions
App and data
Diagnostic
Keyboard
Display Zoom In/Out (iOS/Deprecated)
Home Button (iOS/Deprecated)
Passcode (iOS)
Watch Migration (iOS)
Move from Android (iOS)
SIM Setup (iOS)
iMessage And FaceTime (iOS)
OnBoarding (iOS/Deprecated)
Device To Device Migration (iOS)
Messaging Activation Using Phone Number (iOS)
Restore Completed (iOS)
Update Completed (iOS)
Welcome (iOS)
Software Update (iOS)
Accessibility (macOS)
File Vault (macOS)
iCloud Storage (macOS)
iCloud Diagnostics (macOS)

Is this page helpful?