Jump to:navigation, search
Wiki

Account-Based User-Enrollment

From Securepoint Wiki

































{var | Verwaltete Apps über MDM konfiguriert | Über das MDM können verwaltete Apps auf Privat-Geräten konfiguriert werden | Managed apps can be configured on private devices via MDM }}




































De.png
En.png
Fr.png









Account-based User-Enrollment for IOS- / iPad devices

Last adaptation to the version: 2.2(02.2025)

New:
Last updated: 
    03.2025
notempty
This article refers to a Resellerpreview
Access: portal.securepoint.cloud  Mobile Security iOS/iPadOS Devices

Introduction

With Account-Based User-Enrollment, a work or school account can be set up on a personal IOS or iPad device.
This enrollment process does not require a second  Apple device.
To install paid apps provided by an organization on private Apple devices, Managed Apple IDs are used.

notempty
    • Via a managed Apple ID paid VPP licenses are assigned
    • Separation of data (addresses, files) from managed and private apps is possible
  • It is not possible to install an app two times (private and managed)
 notempty
    • These devices require a private, personal Apple ID.
      Otherwise, these devices will not receive operating system updates, for example.
    • Both the password of the personal Apple ID and the password of the managed Apple ID must be known to the user in order to use e.g. two-factor authentication
    • Resetting the device to factory settings is only possible if you know the access data of your personal Apple ID
    • The final control over the device itself is thereby the user of the device
  • The model device belongs to the company, personal use enabled (COPE) is not available for Apple.

Requirements

Preparation

Start-up

The following steps are necessary for commissioning the iOS/iPad device in MDM:

  1. Apple Push certificatemand Apple VPP token are available
  2. Device profile of type User registration profile has been created
  3. Apps purchased in ABM and apps summarised into app groups using tags
  4. Users created or linked via EntraID

Push certificate / VPP token

The following steps are taken under  Mobile Security Settings :

  • at  Apple Push Certificate check whether a token is available
    • If one is available, check whether it has not yet expired
    • If none is available, an Apple Push certificate is added via the { Add button
  • Enable option Enable Apple Re-Enrolment    activate
  • at  Apple VPP / Apple Business Manager / Apple School Manager check if a token is available
    • If one exists, check whether it has not yet expired
    • If none exists, an Apple Push certificate is added via the  Add button

Further information can be found in the corresponding Wiki article.

Create device profile

In  Mobile Security iOS/iPadOS Profile with the button  Add profile a new profile for the device can be created.

  • For a private iOS device or iPad, the User registration profile type is selected in the General tab

Continue the configuration of the profile accordingly. Further information can be found in the corresponding Wiki article.

Apps

If the required apps for the iOS/iPad device are not yet available, they can be purchased in the Apple Business Manager.
In  Mobile Security iOS/iPadOS  Apps , the newly acquired apps are added using  Add app.
Use   tags to summarise the apps in the required app groups.
Further information can be found in the Wiki article Apps.

Create user

A new user is created in the portal under list-general  Users . Two different options are available for this:

  • The  Add user button is used to add a user directly in the portal
  • The user is imported via CSV or Entra ID using the  Import user button

Further information on Add user and Import user via Entra ID can be found in the corresponding wiki articles.

Enrollment

Register New Device

By clicking the  Register new device button, an IOS- / iPad device is connected to the MDM. In the dialog window, the following steps are performed:
Caption Value Description MS 2.2 iOS Geräte Neues-Gerät-Anmelden AbBE-en.png
Registration of a user's own device    When activating the    button, a personal (private) device is enrolled into the MDM using a managed Apple ID.
Enrollment Mode Account-based User Enrollment Selection of the registration mode Account-based User Enrollment
Managed Apple-ID Alice<alice@tttpoint.de> Selection of the managed Apple-ID
Local Account Alice-123456@portal.securepoint.cloud An email address is generated
a combination of the Apple ID name, tenant, and portal URL)
, that must be entered on the personal IOS- / iPad device to initate the user enrollment


With the button Copy to clipboard this email address gets added to the clipboard

The next step of the enrollment process takes place directly on the personal device.

Send Invitation

By clicking the  Send Invitation button, an email is sent to the user, allowing the IOS- / iPad device to be connected to the MDM. In the diagonal window, the following steps are performed:
Caption Value Description MS 2.2 iOS Geräte Einladung-senden AbBE-en.png
Enrollment type Account-based User Enrollment Selection of the Enrollment type Account-based User Enrollment
Managed Apple-ID Alice<alice@tttpoint.de> Selection of the Managed Apple ID to which the email will be sent
The inviation is sent to the user by clicking the  Send Invitation button.

If additional users need to be added, this can be done via the  Invite more button

The sent invitation email contains instructions on how the recipient can enroll their personal device into the MDM:
  1. Open Settings on the personal device
  2. Navigate to GeneralVPN and Device Management
  3. Select Sign in to work or school account...
  4. The displayed email is entered there, for example: Alice-123456@portal.securepoint.cloud
  5. Follow the instructions on the device
MS 2.2 iOS Geräte Einladung-senden AbBE EMail-en.png
The next step of the enrollment process takes place directly on the personal device.

Process on the personal device

After adding the device via the Portal (Register New Device) or through the invitation email (Send Invitation) the next enrollment steps follow on the personal IOS or iPad device:

MS 2.2 iOS AbBE Schritt1-en.PNG
Fig.1
  • Navigate to SettingsGeneralVPN and Device Management
  • Select Sign in to work or school account...
  • Enter the email address from Register new Device or from the Invitation email
MS 2.2 iOS AbBE Schritt2-en.PNG
Fig.2
  • Log into the Securepoint Portal with the User account
MS 2.2 iOS AbBE Schritt3-en.PNG
Fig.3
  • Information regarding iCloud for work or school is displayed
  • Sign in to iCloud
MS 2.2 iOS AbBE Schritt4-en.PNG
Fig.4
  • Sign in to iCloud with the work or school account
  • continue
MS 2.2 iOS AbBE Schritt5-en.PNG
Fig.5
  • Remote management is confirmed by clicking the Allow Remote Management button
  • Confirm the following window as well
  • The completion process may take few minutes
MS 2.2 iOS AbBE Schritt6-en.png
Fig.6
  • In the Portal  Mobile Security iOS/iPadOSDevices the tile of the personal device appears
  • The label  Terms not accepted indicates that the terms and conditions still need to be accepted
  • The device tile can then be configured
  • The account-based user enrollment is now complete











Retrieved from "https://wiki.securepoint.de/index.php?title=MS/enrollment/iOS/AccountBasedUser&oldid=95190"