Configure the Automated Device Enrollment Library Item

An Automated Device Enrollment Configuration for zero-touch deployment allows you to manage specific options during Setup Assistant for Mac, iPhone, iPad, Apple TV, and Vision.

Create an Automated Device Enrollment Library Item

Log in to your Kandji tenant before performing the next steps.

1. Click Library in the left-hand navigation bar.

2. Click Add New in the upper right-hand corner. 

3. Select the Automated Device Enrollment option and then click Add & Configure. 

Universal Settings

For certain groups of devices, you have the option to set a different location or contact information specific to just that group. 

Require Authentication

• The Require Authentication option within the Automated Device Enrollment Library item allows admins to require users to authenticate with an identity provider (IdP) before allowing the device to proceed with enrollment.

Learn more about Require Authentication with Automated Device Enrollment

Allow MDM Profile Removal

• By default, when enrolling devices through Automated Device Enrollment, the MDM profile is not removable. This is by design to keep company devices managed securely. You can select Allow MDM Profile Removal if you have a test environment or a specific need to make the profile removable. Kandji recommends against using this for production environments. 

Override organization details

• Optionally override the location and contact information for the configuration.

Any changes made to the ADE library item will only apply to devices that are enrolled after these changes are saved. The changes will not retroactively update devices that were enrolled before the changes were saved.

Require Minimum OS Version

In addition to the settings described below, Mac, iPhone, and iPad devices running macOS 14.0 or later or iOS/iPadOS 17.0 or later can be forced to update their OS beyond those versions before enrolling into Kandji. They must already be on at least those versions before any updates can be enforced. Requiring a minimum OS version does not affect enrollment for devices running older OS versions.

Use the setting Require minimum OS version in each device type's settings as shown below to enforce the update to the version you want to require. Note: these settings do not affect any Managed OS settings you have set for after enrollment; macOS and iOS/iPadOS enforce these updates directly in Setup Assistant before enrollment so that applicable devices enroll already up-to-date. 

Changing this setting for a specific device type is immediate and does not require resyncing ADE settings to Apple.

Mac

Customize the setup experience and configuration for Mac computers. It is recommended not to skip the Location Services unless your organization has a specific need. Location services are leveraged to set the Time Zone and other location-dependent settings. 

1. Configure the Setup Assistant screens to skip for Mac computers during Automated Device Enrollment. You can skip specific screens or Auto Advance through Setup Assistant. 

2. Select if an end user should be allowed to enable user-based Activation Lock using Find My and a personal Apple Account.

3. Select if the initial computer account created during setup assistant should be a Standard User, Administrator, or if initial account creation should be skipped entirely.

   1. You may want to skip account creation if you bind your Mac computers to a directory service such as Active Directory or a user account is automatically provisioned for your end user accounts with the Provision Local Administrator option by leveraging user variables.

   2. If you specify that the initial computer account should be a Standard user, you must automatically provision an additional local administrator. 

4. Configure optionally provisioning an additional local administrator account on the computer.

   1. Global Variables can be leveraged in the Full name and Short name fields. Such as $FULL_NAME or $EMAIL_PREFIX. This can be useful if you are requiring authentication and automatically assigning the user to the device record.

   2. Global Variables cannot be used for the Password.

5. Hide the additional administrator account if desired by selecting Hide Account.

6. Specify that the additional admin account should be the MDM-enabled user for user-level MDM profiles.

   1. The additional local administrator (auto admin) account will not register as the MDM-enabled user until the account is signed into graphically.

7. Optionally for macOS 14+ devices, Require a minimum OS version.

8. Specify the region for Mac devices.

9. Specify the language for Mac devices.

   The Set region for Mac devices and Set language for Mac devices options are only available if Automatically advance through all Setup Assistant screens is selected. These options require Ethernet.

    

iPhone

Customize the setup experience and configuration for iPhone devices. It is recommended not to skip the Location Services unless your organization has a specific need. Location services are leveraged to set the Time Zone and other location dependant settings. 

1. Configure the Setup Assistant screens to skip for iPhone devices during Automated Device Enrollment. You can skip specific screens or specify any current or future setup assistant panes to be skipped.

   1. Note that Skip all Setup Assistant screens will not Auto Advance setup assistant. Auto Advance is only available in macOS and tvOS. 

2. Select if an end user should be allowed to enable user-based Activation Lock using Find My and a personal Apple Account.

3. Optionally enable device-based activation lock. Sometimes referred to as organization/MDM-based activation lock. 

4. Optionally for iOS 17+ devices, Require a minimum OS version.

iPad

Customize the setup experience and configuration for iPad devices. It is recommended not to skip the Location Services unless your organization has a specific need. Location services are leveraged to set the Time Zone and other location-dependent settings.

1. Configure the Setup Assistant screens to skip for iPhone devices during Automated Device Enrollment. You can skip specific screens or specify any current or future setup assistant panes to be skipped.

   1. Note that Skip all Setup Assistant screens will not Auto Advance setup assistant. Auto Advance is only available in macOS and tvOS.

2. Configured Shared iPad. Learn more about Shared iPad

   1. Shared iPad can only be enabled during Automated Device Enrollment.

3. Select if an end user should be allowed to enable user-based Activation Lock using Find My and a personal Apple Account.

4. Optionally enable device-based activation lock. Sometimes referred to as organization/MDM-based activation lock. 

5. Optionally for iPadOS 17+ devices, Require a minimum OS version. 

Apple TV

Customize the setup experience and configuration for Apple TV devices. Optionally configure Auto Advance, and specify the Language and Region. 

1. Configure the Setup Assistant screens to skip for Apple TV devices during Automated Device Enrollment. You can skip specific screens or Auto Advance through Setup Assistant. 

2. Specify the region for Apple TV devices.

3. Specify the Language for Apple TV devices.

   The Set region for Apple TV devices and Set language for Apple TV devices options are only available if Automatically advance through all Setup Assistant screens is selected. These options require Ethernet.

    

Vision

Customize the setup experience and configuration for visionOS devices.

1. Select if an end user should be allowed to enable user-based Activation Lock using Find My and a personal Apple Account.

2. Optionally enable device-based activation lock. Sometimes referred to as organization/MDM-based activation lock.