iOS and iPadOS Corporate Owned
  • 06 Oct 2023
  • 2 Minutes to read
  • Dark
    Light
  • PDF

iOS and iPadOS Corporate Owned

  • Dark
    Light
  • PDF

Article Summary

Corporate-owned iOS devices are issued to users in many organizations to enable mobile or field work. Device management applies device wide, providing administrators with complete visibility of app inventory and network traffic.

Most corporate-owned devices should be supervised, providing IT administrators with maximum control of the device. This is typically important to ensure the device is able to adhere to more stringent security requirements.

Within the Trusted Access solution, we advise a zero-touch deployment using Apple Automated Device Enrollment (formally Device Enrollment Program) for corporate-liable devices. This way, a device is sanctioned right out-of-the-box using device-level enrollment.

Need a lighter touch?

Some organizations prefer to own mobile device assets, but values privacy over data lock down. If that is the goal, we recommend deploying those devices via User Enrollment instead of Automated Device Enrollment.

While the enrollment into MDM will not be completely automatic, it provides users the opportunity to "opt-in" to management in a more transparent and privacy-aware manner.

The overall process is:

  • An organization purchases new iOS/iPadOS devices via their authorized Apple reseller
  • The device is drop-shipped to the end user
  • The user unboxes and powers on their device
  • The device is automatically enrolled into the organization's Jamf Pro instance
  • Jamf Trust is deployed to enable networking and threat defense

Configuring Zero-Touch Device Deployment

We strongly recommend utilizing Apple's Automated Device Enrollment (formally "Device Enrollment Program") capability to automatically on-board devices into device management without IT having to manually pre-configure them. This will enable devices acquired via authorized suppliers – Apple, carriers, or other resellers – to automatically become "sanctioned" by enrolling to MDM upon first boot.

Similar to macOS!

Many of the steps here are shared with macOS Automated Device Enrollment deployment.

To adopt this deployment method, follow the below steps:

  1. If you don't already have a Apple Business Manager or Apple School Manager account, create one per these Apple Sign Up Instructions.
  2. Setup Automated Device Enrollment in Apple Business/School Manager.
  3. If this is your first use of Jamf Pro, follow the Jamf Pro Getting Started Guide.
  4. Complete the steps to Integrate Jamf Pro with Automated Device Enrollment (video).
  5. Configure Mobile Device PreStage Enrollments to define how new devices should behave once enrolled from Automated Device Enrollment.

At this point, all new devices purchased from the indicated authorized suppliers will automatically enroll into Jamf Pro out-of-the-box!

Deploying Jamf Trust

The Jamf Trust app is required to enable various security services on iOS/iPadOS devices, including Jamf Private Access.

Private Access is used in the Jamf Trusted Access solution to enable access for trusted devices to company resources. The following steps outline the high-level steps required to streamline deployment of the Jamf Trust app via Jamf Pro:

  1. Follow the steps in Enabling Access for Trusted Devices to configure Private Access in RADAR.
  2. Configure and deploy these additional profiles to streamline the Jamf Trust activation process:
    1. Bootstrapping the Jamf Trust App Activation.
    2. Pre-Authorizing VPN Installation: Eliminate the user to have to authenticate to their device to install a VPN configuration for Private Access.
Per-App VPN on Corporate Liable Devices

While you may use Per-App VPN on corporate managed devices, we recommend using the default device-wide VPN configuration for fully-managed iOS and iPadOS devices.

  1. In Jamf Pro, configure the "Jamf Trust" app to be automatically deployed to target devices via Volume Purchasing:
    1. Configure Volume Purchasing Integration.
    2. "Purchase" a large number of licenses of the "Jamf Trust" app in Apple Business/School Manager.
    3. Deploy the Jamf Trust app via the Volume Purchased App Deployment process.

Was this article helpful?

Changing your password will log you out immediately. Use the new password to log back in.
First name must have atleast 2 characters. Numbers and special characters are not allowed.
Last name must have atleast 1 characters. Numbers and special characters are not allowed.
Enter a valid email
Enter a valid password
Your profile has been successfully updated.