- 23 Sep 2022
- 2 Minutes to read
iOS and iPadOS Corporate Owned
- Updated on 23 Sep 2022
- 2 Minutes to read
Corporate-owned iOS devices are issued to users in many organizations to enable mobile or field work. Device management applies device wide, providing administrators with complete visibility of app inventory and network traffic.
Most corporate-owned devices should be supervised, providing IT administrators with maximum control of the device. This is typically important to ensure the device is able to adhere to more stringent security requirements.
Within the Trusted Access solution, we advise a zero-touch deployment using Apple Automated Device Enrollment (formally Device Enrollment Program) for corporate-liable devices. This way, a device is sanctioned right out-of-the-box using device-level enrollment.
Some organizations prefer to own mobile device assets, but values privacy over data lock down. If that is the goal, we recommend deploying those devices via User Enrollment instead of Automated Device Enrollment.
While the enrollment into MDM will not be completely automatic, it provides users the opportunity to "opt-in" to management in a more transparent and privacy-aware manner.
The overall process is:
- An organization purchases new iOS/iPadOS devices via their authorized Apple reseller
- The device is drop-shipped to the end user
- The user unboxes and powers on their device
- The device is automatically enrolled into the organization's Jamf Pro instance
- Jamf Trust is deployed to enable networking and threat defense
Configuring Zero-Touch Device Deployment
We strongly recommend utilizing Apple's Automated Device Enrollment (formally "Device Enrollment Program") capability to automatically on-board devices into device management without IT having to manually pre-configure them. This will enable devices acquired via authorized suppliers – Apple, carriers, or other resellers – to automatically become "sanctioned" by enrolling to MDM upon first boot.
Many of the steps here are shared with macOS Automated Device Enrollment deployment.
To adopt this deployment method, follow the below steps:
- If you don't already have a Apple Bussiness Manager or Apple School Manager account, create one per these Apple Sign Up Instructions.
- Setup Automated Device Enrollment in Apple Business/School Manager.
- If this is your first use of Jamf Pro, follow the Jamf Pro Getting Started Guide.
- Complete the steps to Integrate Jamf Pro with Automated Device Enrollment (video).
- Configure Mobile Device PreStage Enrollments to define how new devices should behave once enrolled from Automated Device Enrollment.
At this point, all new devices purchased from the indicated authorized suppliers will automatically enroll into Jamf Pro out-of-the-box!
Deploying Jamf Trust
The Jamf Trust app is required to enable various security services on iOS/iPadOS devices, including Jamf Private Access.
Private Access is used in the Jamf Trusted Access solution to enable access for trusted devices to company resources. The following steps outline the high-level steps required to streamline deployment of the Jamf Trust app via Jamf Pro:
- Follow the steps in Enabling Access for Trusted Devices to configure Private Access in RADAR.
- Configure and deploy these additional profiles to streamline the Jamf Trust activation process:
While you may use Per-App VPN on corporate managed devices, we recommend using the default device-wide VPN configuration for fully-managed iOS and iPadOS devices.
- In Jamf Pro, configure the "Jamf Trust" app to be automatically deployed to target devices via Volume Purchasing: