MDM enrollment

NAVIGATION  Modules > Integrations > Connectors

NAVIGATION  Modules > Devices > MDM Enrollment

SECURITY  Connectors > Full access to all Connectors pages

SECURITY  Device Management > Add Devices

SECURITY  Administrative privileges to manage software on the device to be enrolled and any endpoints assisting in the enrollment

In addition to traditional endpoint management, VSA 10 includes mobile device management (MDM) for supported devices. This article provides compatibility, prerequisite and process information related to using VSA 10 as your MDM solution.

Prerequisites

Compatibility

Our MDM solution currently supports enrollment for the following Apple operating systems:

  • iOS 4.0 and above

  • iPadOS 4.0 and above

  • macOS 10.7 and above

Permissions

To complete this process, you'll need the following permissions in both VSA 10 and the Apple portal:

How to...

To enroll a device in MDM, you'll perform the following steps:

  1. Create a connector in VSA 10.

  2. Create a push certificate in the Apple portal and upload it to VSA 10.

  3. Enroll the device in MDM.

Select a topic to continue.

You'll start the MDM enrollment process by creating a new entry for the device on the Connectors page. To do so, perform the following steps:

  1. In your VSA 10 instance, navigate to Modules > Integrations > Connectors.

  2. Click Create Connector.

  3. The Create Connector page will load. In the Details section of the page, select the organization with which the new device will be associated.

  4. In the Download CSR File section, click Download CSR. VSA 10 will transfer a Certificate Signing Request (CSR) file named CertificateSigningRequest.plist to the default download location on your computer.

  5. Scroll down to the Create an Apple Push Certificate page area.

  6. Click Go to Apple portal.

  7. Without closing the Create Connector page, proceed to the Create a push certificate section of this article.

Once you've completed the steps in Create a connector in VSA 10, you'll need to follow the process described below to obtain a vendor-signed version of the CSR file and upload it to VSA 10 to create your new push certificate.

Create the Apple Push Certificate

  1. The Apple Push Certificates Portal will open and prompt you for credentials. Log in with the Apple ID of the device or devices you'd like to enroll.

  2. Click Create a Certificate.

  3. The Apple portal will prompt you to accept the MDM Certificate Agreement Terms of Use. Once you've done so, you'll receive a prompt to upload your CSR file.

  4. Click Choose File. Select the CSR you generated in Create a connector in VSA 10. Then, click Upload.

  5. The Apple portal will surface a confirmation that you've successfully created the push certificate. Click Download.

  6. Continue to the next section of this article.

Upload the push certificate to VSA 10

  1. Return to the Create Connector page in VSA 10 and locate the Upload Apple Push Certificate section.

  2. Upload the certificate you downloaded from the Apple portal by dragging it into or clicking the Drag your certificate here box.

  3. Confirm the ID you used to create the certificate by entering it in the Apple ID field.

  4. Click Create. Then, proceed to the Enroll a device in MDM section of this article.

After creating the signed CSR and uploading it to VSA 10, you can enroll the device in MDM. To do so, perform the following steps.

  1. In VSA 10, navigate to Modules > Devices > MDM Enrollment.

  2. In the Context page area, select the Organization Name, Site Name, and Agent Group where the device will reside.

  3. From the Enroll Path drop-down menu, choose the method via which you'd like to enroll the device in MDM. To proceed, or to learn about each configuration type, select a topic to continue:

QR Code and Link

QR code enrollment is intended for personal (BYOD) iOS and iPadOS devices. Link enrollment is required for macOS devices, but you can also use it for iOS and iPadOS. To enroll a device via either of these methods, perform the following steps:

  1. A Scan QR Code pane, similar to the example shown below, will appear on the MDM Enrollment page.

  1. Follow the workflow it provides to complete the device enrollment. To send the instructions to a recipient via email, click Send Invite, complete the required contact fields, and click Send.

  1. Once the enrollment process is complete, the device will become available to manage on VSA 10's Device List page.

USB using Apple Configurator

IMPORTANT  The USB enrollment method will erase your device.

This enrollment type is intended for business or corporate-owned devices and enables additional management capabilities. Currently, it only supports iOS and iPadOS devices. To enroll a device via this method, perform the following steps:

  1. A USB pane, similar to the example shown below, will appear on the MDM Enrollment page. To send the instructions to a recipient via email, click Send Invite, complete the required contact fields, and click Send. Otherwise, proceed to the next step of this workflow.

  1. On a separate device, download and install Apple Configurator 2. You'll use this device to enroll the managed endpoint. You can obtain this application from the Mac App Store.

  2. Once the application is installed, proceed to the next step.

Create a WiFi profile

  1. In Apple Configurator's top navigation menu, click File > New Profile.

  2. In the window that opens, on the General tab, enter a profile name in the Name field.

  3. In the left navigation menu, select WiFi.Then, click Configure.

  4. Input the settings of the WiFi network to which the device should connect.

  5. In Apple Configurator's top navigation menu, click File > Save.

  6. When prompted, save the file in a location that you will be able to access in the next steps of this article.

Create a blueprint

  1. In Apple Configurator's top navigation menu, click File > New Blueprint.

  2. Specify a blueprint name.
    Graphical user interface, application, Word, Teams Description automatically generated

  3. Click the blueprint. Then, click Add > Profiles.
    Graphical user interface, application, Word, PowerPoint Description automatically generated

  4. Select the WiFi profile you created in the previous section of this article and click Add.
    Graphical user interface, application Description automatically generated

Prepare the blueprint

  1. Click the blueprint. Then, click Prepare.

  2. In the Prepare Devices window, select Prepare with > Manual Configuration.

  3. Ensure that the Supervise devices check box is selected.

  4. Click Next.
    Graphical user interface, application Description automatically generated

  5. On the Enroll in MDM screen, click Server > New Server. Then, click Next.

  6. On the Define an MDM Server screen, input VSA in the Name field.

  7. In the Host name or URL field, enter the enrollment link URL from the USB pane on the MDM Enrollment page.
    Graphical user interface, application Description automatically generated

  8. Apple Configurator will fetch and add your trust anchor certificates. Click Next.

  9. You may be prompted to sign in to Apple School Manager or Apple Business Manager. You can do so, or you can skip the step.

Create an organization

  1. On the Create an organization screen, define the name of the organization with which this device will be associated. Then, click Next.

  2. When prompted, select Generate a new supervision identity and click Next.

  3. The Configure the iOS Setup Assistant screen will appear. Make any desired selections.
    Graphical user interface, application Description automatically generated

  4. Click Prepare.

Apply the blueprint to the device

  1. Via USB, connect the device you're enrolling to your current desktop or laptop computer.

  2. In Apple Configurator, right-click the device, select Apply, and choose the blueprint you created.

  3. Click Apply.

  4. Apple Configurator will apply the blueprint. It may take several minutes for this process to complete and the new device to index in the MDM server. Once the enrollment process is complete, the device will become available to manage on VSA 10's Device List page.

To unenroll a device from MDM, perform the following steps:

  1. Locate VPN & Device Management in the device's settings.

  2. Open the MDM profile.

  3. Click Remove Management.

  4. VSA 10 will automatically remove the device from your platform.

VSA 10 MDM commands

Once you've enrolled a device in MDM, the following commands will become available. Note that availability of any command is dependent on both the device type and enrollment method used.

Command iOS/iPadOS macOS
QR code enrollment USB enrollment Link enrollment
Non-supervised Supervised Supervised
Restart FALSE TRUE TRUE
Shutdown FALSE TRUE TRUE
Enable/Disable lost mode FALSE TRUE FALSE
Play Lost Mode Sound FALSE TRUE FALSE
Erase TRUE TRUE TRUE

Next steps

FAQs

The following answers to frequently-asked questions will help you get the most out of your VSA 10 MDM experience.

Refer to Compatibility.

No, currently, you'll see a "Device is not supported" error when you attempt to do so.

The available enrollment types are:

  • QR Code and Link: QR code enrollment is intended for personal (BYOD) iOS and iPadOS devices. Link enrollment is required for macOS devices, but you can also use it for iOS and iPadOS.

  • USB using Apple Configurator: This enrollment type is intended for business or corporate-owned devices and enables additional management capabilities. Currently, it only supports iOS and iPadOS devices.

While being powered on doesn't matter, the iPhone should not be initialized. Connect the phone to USB and follow the steps described in the MDM enrollment section of the article. The device will be erased and the new blueprint applied.

Apple recommends clearing the device when it is enrolled as supervised. However, if you back up the primary device to a secondary device before enrolling it, you can restore the backup from the secondary device to the primary device after you complete the enrollment. To do so:

  1. Ensure that Find My iPhone is off on both devices to avoid problems during enrollment.

  2. Use AppleConfigurator or Finder to back up the primary device.

  3. Restore this backup on the secondary device.

  4. Use AppleConfigurator or Finder to back up the secondary device.

  5. Restore the backup of the secondary device to the primary device.

  6. After restoration, when the primary device shows the Welcome screen on activation, connect it to Apple Configurator and enroll it via the USB method.

  7. After activation, the device should appear in VSA 10 and contain the restored data.

USB enrollment is only available for macOS devices compatible with Apple Configurator.

Supervised mode provides more options to manage the device, such as restarting, shutting down, and enabling or disabling lost mode. The Play Lost Mode Sound will work only for supervised devices.

macOS devices are always supervised. iOS and iPadOS devices are supervised if they have been enrolled via USB with the Supervised option checked. You can find out if a device is supervised in the Asset Info section of the device details pane:

Refer to Supervised vs. non-supervised devices.

There might be a delay in seeing an enrolled device or its data.

Apple does not terminate its requests. However, VSA 10 has a 20-minute cache and pings MDM services every 15 minutes to get device information.

So, if you enroll, unenroll, change lost mode, or perform any other actions with a device, there may be a delay in reporting this information to VSA 10. If you have been waiting for more than one hour and still do not see a device, please open a ticket with Kaseya Support for assistance. When doing so, be sure to include the device's serial number.

This error can appear in several different formats:

"EMM authentication token is expired."

"EMM token is invalid."

"EMM token is missing."

It can occur as a result of MDM licensing being misconfigured in the Admin app. To resolve the issue, contact Kaseya Support for assistance.

Due to Apple limitations, the following conditions apply to MDM-enrolled devices:

  • Devices enrolled via QR Code and Link only have access to the Erase command.

  • Devices enrolled via USB have access to the following commands:

    • Restart

    • Shutdown

    • Enable/Disable Lost mode

    • Play Lost Mode Sound (if Lost Mode is enabled)

    • Erase

  • macOS devices enrolled in MDM without the VSA agent app installed have access to the following commands:

    • Restart

    • Shut down

    • Erase

Refer to MDM enrollment for a complete table of commands and their availability.

Yes. To take advantage of full VSA management capabilities, you should both enroll a macOS device in MDM and have an agent installed. There is no preferred order to doing so; the process will not create duplicate devices.

There could be several reasons why a command did not execute:

  • To get and process MDM commands, a device must have an internet connection. All types of internet connections are supported; Apple IDs and SIM cards are not required.

  • VSA sends commands to Apple right after you click the action button, but we cannot control how long the queued action will take to be relayed to the device and executed. The action may be awaiting processing.

  • If a device is in sleep mode or turned off, it can not process commands. In some cases, Apple sends the same command periodically until a device is awake or until the command times out.

    • If a command times out, and Apple returns a status that the device is unavailable, our MDM server will try to send the command at the following intervals:

      • Five minutes after the first request

      • 10 minutes after the first request

      • 20 minutes after the first request

      • 40 minutes after the first request

Erasing is similar to a factory reset. All of the device's data, including the MDM profile, is deleted, and the phone is returned to its initial setup state. Erased and unenrolled devices must follow the enrollment process before they can be managed again.

Lost Mode is a feature available on Apple devices that you can use when your device is missing or stolen. When you activate Lost Mode, the device locks to prevent anyone else from accessing its data. You can activate this mode via MDM on iOS and iPadOS device. You can also display a custom message with a contact number on the Lock screen.

No. Apple does not provide a way to set up a passcode for a device with Lost Mode. However, it is possible to set up a lock screen message or phone number in the confirmation popup after you click Enable Lost Mode.

Refer to the MDM enrollment section of this article.