Automated Device Enrollment Configuration

By Corey Willis

A summary of the options available inside the Automated Device Enrollment Library item

For zero-touch deployment, an Automated Device Enrollment Configuration allows you to manage specific options during Setup Assistant on the following device families:

Create an Automated Device Enrollment Library Item

Log in to your Kandji instance before performing the next steps.

  1. Click Library in the left-hand navigation bar.
  2. Click Add New in the upper right-hand corner.
  3. Select the Automated Device Enrollment option and then click Add & Configure.

Universal Settings

For certain groups of devices, you have the option to set a different location or contact information specific to just that group. 

Require Authentication

  • The Require Authentication option within the Automated Device Enrollment Library item allows admins to require users to authenticate with an identity provider (IdP) before allowing the device to proceed with enrollment.
Learn more about Require Authentication with Automated Device Enrollment

Allow MDM Profile Removal

  • By default, when enrolling devices through Automated Device Enrollment, the MDM profile is not removable. This is by design to keep company devices managed securely. You can select Allow MDM Profile Removal if you have a test environment or a specific need to make the profile removable. Kandji recommends against using this for production environments. 

Override organization details

  • Optionally override the location and contact information for the configuration.
Any changes made to the ADE library item will only apply to devices that are enrolled after these changes are saved. The changes will not retroactively update devices that were enrolled before the changes were saved.
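Because changes to the library item only reach devices enrolled afterwards, the removability setting is worth confirming on the devices themselves. The following is an added example, not Kandji's code: it assumes each Mac's `sudo profiles show -type enrollment` output has been collected and that the output carries an `IsMDMUnremovable` key in the layout shown; the sample text and device names are constructed.

```python
import re

# Constructed sample of `sudo profiles show -type enrollment` output
# (assumed format; values are made up, not taken from a real device).
SAMPLE_LOCKED = """Device Enrollment configuration:
{
    AllowPairing = 1;
    AwaitDeviceConfigured = 0;
    ConfigurationURL = "https://mdm.example.com/enroll";
    IsMDMUnremovable = 1;
    IsSupervised = 1;
}
"""
SAMPLE_REMOVABLE = SAMPLE_LOCKED.replace("IsMDMUnremovable = 1", "IsMDMUnremovable = 0")
SAMPLE_NONE = "Device Enrollment configuration:\n(null)\n"

# One scalar setting per line: Key = value;  (value optionally double-quoted)
_PAIR = re.compile(r'^[ \t]*(\w+)[ \t]*=[ \t]*"?([^";\n]*)"?;[ \t]*$', re.MULTILINE)


def parse_enrollment(text):
    """Return the scalar settings of one device's output as a dict of strings."""
    return {key: value.strip() for key, value in _PAIR.findall(text)}


def audit_enrollment(text, production=True):
    """Return findings about MDM profile removability for one device."""
    settings = parse_enrollment(text)
    if not settings:
        return ["no Automated Device Enrollment configuration reported"]
    locked = settings.get("IsMDMUnremovable")
    if locked is None:
        return ["IsMDMUnremovable not reported; removability unknown"]
    if locked != "1" and production:
        return ["MDM profile is removable on a production device"]
    return []


def out_of_policy(outputs, production=True):
    """Given {device name: command output}, list devices with findings."""
    return sorted(name for name, text in outputs.items()
                  if audit_enrollment(text, production))


if __name__ == "__main__":
    fleet = {"mac-01": SAMPLE_LOCKED, "mac-02": SAMPLE_REMOVABLE, "mac-03": SAMPLE_NONE}
    for name in out_of_policy(fleet):
        print(name, audit_enrollment(fleet[name]))
```

Pass `production=False` for a test environment where a removable profile is intended.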

Mac

Customize the setup experience and configuration for Mac computers. It is recommended not to skip the Location Services unless your organization has a specific need. Location services are leveraged to set the Time Zone and other location-dependent settings. 

  1. Configure the Setup Assistant screens to skip for Mac computers during Automated Device Enrollment. You can skip specific screens or Auto Advance through Setup Assistant. 
  2. Select if an end user should be allowed to enable user-based Activation Lock using Find My and a personal Apple ID.
  3. Select if the initial computer account created during Setup Assistant should be a Standard User, Administrator, or if initial account creation should be skipped entirely.
    1. You may want to skip account creation if you bind your Mac computers to a directory service such as Active Directory, or if a user account is automatically provisioned for your end users with the Provision Local Administrator option by leveraging user variables.
    2. If you specify that the initial computer account should be a Standard User, you must automatically provision an additional local administrator.
  4. Optionally configure provisioning of an additional local administrator account on the computer.
    1. Global Variables, such as $FULL_NAME or $EMAIL_PREFIX, can be leveraged in the Full name and Short name fields. This can be useful if you are requiring authentication and automatically assigning the user to the device record.
    2. Global Variables cannot be used for the Password.
  5. Hide the additional administrator account if desired by selecting Hide Account.
  6. Specify that the additional admin account should be the MDM-enabled user for user-level MDM profiles.
    1. The additional local administrator (auto admin) account will not register as the MDM-enabled user until someone signs in to the account graphically.

iPhone

Customize the setup experience and configuration for iPhone devices. It is recommended not to skip the Location Services unless your organization has a specific need. Location services are leveraged to set the Time Zone and other location-dependent settings.

  1. Configure the Setup Assistant screens to skip for iPhone devices during Automated Device Enrollment. You can skip specific screens or specify any current or future Setup Assistant panes to be skipped.
    1. Note that Skip all Setup Assistant screens will not Auto Advance through Setup Assistant. Auto Advance is only available in macOS and tvOS.
  2. Select if an end user should be allowed to enable user-based Activation Lock using Find My and a personal Apple ID.
  3. Optionally enable device-based Activation Lock, sometimes referred to as organization/MDM-based Activation Lock.

iPad

Customize the setup experience and configuration for iPad devices. It is recommended not to skip the Location Services unless your organization has a specific need. Location services are leveraged to set the Time Zone and other location-dependent settings.

  1. Configure the Setup Assistant screens to skip for iPad devices during Automated Device Enrollment. You can skip specific screens or specify any current or future Setup Assistant panes to be skipped.
    1. Note that Skip all Setup Assistant screens will not Auto Advance through Setup Assistant. Auto Advance is only available in macOS and tvOS.
  2. Configure Shared iPad. Learn more about Shared iPad
    1. Shared iPad can only be enabled during Automated Device Enrollment.
  3. Optionally enable device-based Activation Lock, sometimes referred to as organization/MDM-based Activation Lock.

Apple TV

Customize the setup experience and configuration for Apple TV devices. Optionally configure Auto Advance, and specify the Language and Region. 

  1. Configure the Setup Assistant screens to skip for Apple TV devices during Automated Device Enrollment. You can skip specific screens or Auto Advance through Setup Assistant. 
  2. Specify the region for Apple TV devices.
  3. Specify the Language for Apple TV devices.