iOS and iPadOS Corporate Owned

Corporate-owned iOS devices are issued to users in many organizations to enable mobile or field work. Device management applies device wide, providing administrators with complete visibility of app inventory and network traffic.

Most corporate-owned devices should be supervised, providing IT administrators with maximum control of the device. This is typically important to ensure the device is able to adhere to more stringent security requirements.

Within the Trusted Access solution, we advise a zero-touch deployment using Apple Automated Device Enrollment (formally Device Enrollment Program) for corporate-liable devices. This way, a device is sanctioned right out-of-the-box using device-level enrollment.

The overall process is:

• An organization purchases new iOS/iPadOS devices via their authorized Apple reseller
• The device is drop-shipped to the end user
• The user unboxes and powers on their device
• The device is automatically enrolled into the organization's Jamf Pro instance
• Jamf Trust is deployed to enable networking and threat defense

Configuring Zero-Touch Device Deployment

We strongly recommend utilizing Apple's Automated Device Enrollment (formally "Device Enrollment Program") capability to automatically on-board devices into device management without IT having to manually pre-configure them. This will enable devices acquired via authorized suppliers – Apple, carriers, or other resellers – to automatically become "sanctioned" by enrolling to MDM upon first boot.

To adopt this deployment method, follow the below steps:

1. If you don't already have a Apple Business Manager or Apple School Manager account, create one per these Apple Sign Up Instructions.
2. Setup Automated Device Enrollment in Apple Business/School Manager.
3. If this is your first use of Jamf Pro, follow the Jamf Pro Getting Started Guide.
4. Complete the steps to Integrate Jamf Pro with Automated Device Enrollment (video).
5. Configure Mobile Device PreStage Enrollments to define how new devices should behave once enrolled from Automated Device Enrollment.

At this point, all new devices purchased from the indicated authorized suppliers will automatically enroll into Jamf Pro out-of-the-box!

Deploying Jamf Trust

The Jamf Trust app is required to enable various security services on iOS/iPadOS devices, including Jamf Private Access.

Private Access is used in the Jamf Trusted Access solution to enable access for trusted devices to company resources. The following steps outline the high-level steps required to streamline deployment of the Jamf Trust app via Jamf Pro:

1. Follow the steps in Enabling Access for Trusted Devices to configure Private Access in RADAR.
2. Configure and deploy these additional profiles to streamline the Jamf Trust activation process:
   1. Bootstrapping the Jamf Trust App Activation.
   2. Pre-Authorizing VPN Installation: Eliminate the user to have to authenticate to their device to install a VPN configuration for Private Access.

3. In Jamf Pro, configure the "Jamf Trust" app to be automatically deployed to target devices via Volume Purchasing:
   1. Configure Volume Purchasing Integration.
   2. "Purchase" a large number of licenses of the "Jamf Trust" app in Apple Business/School Manager.
   3. Deploy the Jamf Trust app via the Volume Purchased App Deployment process.