Apple User Enrollment quickstart

Last updated August 5th, 2025

Knox Manage supports enrolling BYOD (personally-owned) iPhones and iPads, an activity Apple calls User Enrollment. Unlike company-owned devices, BYODs can’t be supervised.

Knox Manage implements User Enrollment by mapping a user’s Managed Apple ID from your Apple Business Manager to their EMM user account in your Knox Manage tenant. When the personally-owned device then requests enrollment, Knox Manage is able to enroll it on behalf of your organization.

Supported enrollment methods and devices

You can enroll BYOD devices using Account-driven User Enrollment (which lets device users sign in directly with their Managed Apple ID) or Profile-based User Enrollment (which requires users to install a pre-configured enrollment profile). Both kinds of enrollment support the same scope of features.

As of iOS 18 and iPadOS 18, Apple no longer supports Profile-based User Enrollment.

You can enroll the following kinds of personally-owned devices using Account-driven User Enrollment:

  • iPhones running iOS 15 or higher
  • iPads running iPadOS 15 or higher

Profile-based User Enrollment is only supported for:

  • iPhones running iOS 15 through 17
  • iPads running iPadOS 15 through 17

Prerequisites for Account-driven User Enrollment

The following steps have to be completed to set up Knox Manage for Account-driven User Enrollment of BYOD devices:

  1. Register the corporate domain in Apple Business Manager.

  2. Prepare Managed Apple IDs for employees, and register them in the Knox Manage console.

  3. Host a service discovery JSON document on the web server that includes Knox Manage enrollment information. Ensure the document conforms to the following schema:

    {
        "Servers": [
         {
            "Version": "mdm-byod",
            "BaseURL": "<KMBaseURL>/emm/ios/userenrollmentbyaccount"
         }
        ]
    }
    

    The Version value should always be mdm-byod (same for all Knox Manage customers). Replace <KMBaseURL> with the Knox Manage base URL for your region. For example, for Asia Pacific:

    {
        "Servers": [
         {
            "Version": "mdm-byod",
            "BaseURL": "https://ap01.manage.samsungknox.com/emm/ios/userenrollmentbyaccount"
         }
        ]
    }
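
A pre-publication check for the service discovery document, as an added example (not Knox Manage or Apple code): it confirms the text is strict JSON, that each Servers entry carries Version mdm-byod, and that BaseURL is an https URL ending in the enrollment path with the placeholder replaced. The function name check_discovery, the optional expected_host argument, and the sample strings are assumptions made for illustration.

```python
import json
from urllib.parse import urlsplit

REQUIRED_VERSION = "mdm-byod"                     # same for all Knox Manage customers
ENROLL_PATH = "/emm/ios/userenrollmentbyaccount"  # path suffix from the schema above

def check_discovery(raw, expected_host=None):
    """Return a list of problems in a service discovery document ([] means OK)."""
    try:
        doc = json.loads(raw)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg} (line {exc.lineno}, column {exc.colno})"]
    servers = doc.get("Servers") if isinstance(doc, dict) else None
    if not isinstance(servers, list) or not servers:
        return ['top level must be an object with a non-empty "Servers" array']
    problems = []
    for i, entry in enumerate(servers):
        where = f"Servers[{i}]"
        if not isinstance(entry, dict):
            problems.append(f"{where}: not an object")
            continue
        if entry.get("Version") != REQUIRED_VERSION:
            problems.append(f"{where}: Version must be {REQUIRED_VERSION!r}")
        base = entry.get("BaseURL")
        try:
            url = urlsplit(base) if isinstance(base, str) else None
        except ValueError:
            url = None
        if url is None:
            problems.append(f"{where}: BaseURL missing or not a parseable string")
            continue
        if url.scheme != "https" or not url.hostname:
            problems.append(f"{where}: BaseURL must be an absolute https URL")
        if "<" in base or not url.path.endswith(ENROLL_PATH):
            problems.append(f"{where}: BaseURL must end with {ENROLL_PATH}, placeholder replaced")
        if expected_host and url.hostname != expected_host:
            problems.append(f"{where}: host is {url.hostname!r}, expected {expected_host!r}")
    return problems

# Constructed samples: the Asia Pacific document, the same text with the opening
# quote of the Version value missing, and a copy with the placeholder left in.
GOOD = ('{"Servers": [{"Version": "mdm-byod", "BaseURL": '
        '"https://ap01.manage.samsungknox.com/emm/ios/userenrollmentbyaccount"}]}')
BROKEN = GOOD.replace('"mdm-byod"', 'mdm-byod"')
TEMPLATE = GOOD.replace("https://ap01.manage.samsungknox.com", "<KMBaseURL>")

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BROKEN", BROKEN), ("TEMPLATE", TEMPLATE)):
        print(name, check_discovery(text, "ap01.manage.samsungknox.com"))
```

Pass your region's Knox Manage host as expected_host so a document that points enrollment at a different server is reported before it is published.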
    

Supported management features

BYOD Apple devices are subject to the following conditions and limitations in Knox Manage:

  • They can have Apple Volume Purchase Program apps assigned to them.
  • Account-driven User Enrollment requires the user to sign in from their device’s Settings.
  • Profile-based User Enrollment (deprecated by Apple) supports online sign-in and QR code enrollment methods. The sign-in method requires entering a long URL, so the QR method is more convenient for users.
  • The device name format is the user’s Managed Apple ID, followed by iOS, followed by the serialized personal device number in your tenant (not the Apple serial number).
    • For example: alex@appleid.example.com_iOS_27
  • Not all policies and device commands are supported for BYOD devices. To see which are compatible, check the Supported system column in the iOS policy and iOS device command references.
  • You can look up a device’s User Enrollment type from Device Details > Device Information > User Enrollment Type.

Prepare your tenant for User Enrollment

Before you can enroll your users’ personal iPhones and iPads, you must turn on User Enrollment for your Knox Manage tenant:

  1. On the Knox Manage console, go to Setting > Configuration > Basic Configuration, then open the Device tab.
  2. Set User Enrollment for iOS to Allow.
  3. Save your changes.

Enroll a personally-owned device

First, prepare the user’s Knox Manage account and send an enrollment request:

  1. On Apple Business Manager, copy the user’s Managed Apple ID.
  2. On the Knox Manage console, go to User.
  3. If you haven’t already set up an account for the user in Knox Manage, create a new account for them. If they have an account, select it and click Modify.
  4. In the user details, enter the Managed Apple ID you copied earlier.
  5. If you’d like to enroll the device immediately:
    1. Click Save & Request Enrollment.
    2. When asked for the request format, select Send email with installation guide and confirm.
  6. If you’d like to enroll the device later:
    1. Click Save.
    2. At a later time, go to User.
    3. Select the user and click Request Enrollment.
    4. When asked for the request format, select Send email with installation guide and confirm.

Knox Manage sends an enrollment request to the device user’s email address.

Device user actions to complete enrollment

Enrollment completion steps vary depending on whether you are using Account-driven User Enrollment or Profile-based User Enrollment.

Steps for Account-driven User Enrollment

To complete enrollment, the device user must:

  1. Open their device and go to Settings > General > VPN & Device Management > Sign in to Work or School Account.
  2. Enter their Managed Apple ID.
  3. Sign in to Knox Manage using their Knox Manage User ID and Password.
  4. On the iCloud for Work screen, sign in to iCloud with their Managed Apple ID and password.
  5. On the Remote Management screen, tap Allow Remote Management.

Figure: The User Enrollment Type field on Device Details

Steps for Profile-based User Enrollment

To complete enrollment, the device user must:

  1. On their personal device, scan the QR code sent in the enrollment request. The Knox Manage sign-in page opens in a web browser.
  2. Sign in with their Knox Manage account credentials. Knox Manage enrolls the device.
  3. Open Settings and look for an EMM profile to verify that enrollment was successful.

Assign apps to a personally-owned device

To assign a Volume Purchase Program (VPP) app to the device:

  1. On the Knox Manage console, start assigning a VPP app to the device.
  2. Set Assignment Type to User.
  3. Finish assigning the app to the device.

Once the app is assigned, the device user can manually install the app.
