You wish to manage iOS devices with Cortado MDM or with Cortado Server. Here we present you with three different enrollment methods.
In this How-To we present three enrollment methods you can use to securely manage your iPhones and iPads with Cortado MDM/Cortado Server. Which enrollment method suits you best depends largely on your usage scenario. Management of so-called supervised devices only comes into consideration if the devices are company-owned. User Enrollment, on the other hand, is principally intended for a Bring Your Own Device (BYOD) scenario, although it can also be used for company-owned devices if desired. Device Enrollment was originally designed for use in a BYOD environment; however, on data protection grounds, it is now only recommended for company-owned devices.
1. Integrating supervised devices
Supervised devices are devices that are company-owned and are managed by the administrator. There is a wide range of options for centrally configuring such devices or, for example, limiting their use. Among other things, you can force operating system updates, distribute apps or, if required, remotely reset the entire device. In total, more than 100 policies are available with which to shape your users’ possible actions. A local Apple ID is not required on the device. In addition, rollouts of Exchange, WLAN, VPN and other profiles can be carried out easily and centrally.
The following diagram illustrates how you can integrate your iOS devices into the Cortado Administration Portal:
Devices can only be managed if they are registered in Apple Business Manager. Devices you already have can be manually registered via the macOS program Apple Configurator 2. You can find a guide to this in our How-To: How to manually integrate iOS devices into the Apple Business Manager. Optionally, you can also ask your retailer to register your devices retrospectively. When you order new devices, make sure to give your Apple ID for Apple Business Manager, so that the retailer automatically adds the devices to your account.
When all your devices are registered, you can download a certificate in the Cortado Administration Portal and upload it to Apple Business Manager. All the devices will then be integrated there, using their serial numbers. Then a token will be generated which must, in turn, be uploaded to the Cortado Administration Portal. This process is described in detail in our manual, in the article Embedding company-owned Apple devices.
Once you have successfully completed all steps, the employees you have added to the Cortado Administration Portal can log in to the iOS devices that have been configured for them. All the policies, apps and profiles that you configured with the Cortado Administration Portal are automatically initialized on the devices.
Your employees can unpack their devices and start using them immediately, with no need for you to manually make settings in advance.
2. User Enrollment
If you want to have your employees use their private iPhones/iPads in a business setting (BYOD), the User Enrollment method is recommended.
Of course, you are also free to manage your company-owned devices via User Enrollment if you don’t want to reset your devices and manually add them to your Apple Business Manager. This approach is well suited to a situation in which your principal focus is to protect your corporate data while also allowing private use of the device.
With this enrollment method you can also distribute apps, profiles and, to a limited extent, policies. The administrator has no access to the private part of the device.
To be able to use the User Enrollment method, you also need an account for Apple Business Manager. However, in contrast to supervised devices, these devices do not need to be registered in Apple Business Manager. Instead, you will need so-called managed Apple IDs for your employees.
For this purpose, select the menu item Accounts in Apple Business Manager. In the next step you can create a managed Apple ID for each employee. Your employees will receive the managed Apple ID via email.
Furthermore, you also need to add your employees to the Cortado Administration Portal and make the desired settings (Apps, Profiles, Policies). Your employees will then receive an invitation to the Cortado Self Service Portal, where they can download the MDM profile for themselves (instructions) and then enter the managed Apple ID. Alternatively, you can also integrate the device, jointly with your employee, directly via the Administration Portal. There is a description here of the steps you need to carry out on the device.
3. Device Enrollment
The Device Enrollment method is the predecessor of User Enrollment. Even though the Device Enrollment method was designed for use on private devices, the administrator can reset the entire device via the Cortado Administration Portal and see the employee’s private apps. This method therefore does not comply with data protection standards in a BYOD setting. In a BYOD scenario we recommend User Enrollment.
This method can certainly still be used for company-owned devices. It has the advantage that there is no necessity to register with Apple Business Manager. Integrating the devices is quite simple. You can embed the device together with your coworker via the administration portal. You can find out what steps you need to take on the device in our help article Embedding company-owned Apple devices via Device Enrollment.