VSA 10 MDM: enrollment

You'll start the MDM enrollment process by creating a new entry for the device on the Connectors page. To do so, perform the following steps:

1. From the left navigation menu in VSA 10, navigate to Integrations > Connectors > Apple MDM.
2. Click Create Connector.
   
3. On the Create Connector page, select the Apple MDM Push Certificate connector type from the Type drop-down menu.
4. Select the organization with which the new device will be associated.
   
5. Click Next.
6. Click Next.
7. In the Download CSR File section, click Download CSR. VSA 10 will transfer a Certificate Signing Request (CSR) file named CertificateSigningRequest.plist to the default download location on your computer.
8. In the Create the Apple Push Certificate section, click Go to Apple portal.
   
9. Without closing the Create Connector page, perform the steps described in Create a push certificate to continue.

Once you've completed the steps in Create an Apple MDM Push Certificate connector in VSA 10, follow this process to obtain a vendor-signed version of the CSR file and upload it to VSA 10 to create your new push certificate:

Create the Apple Push Certificate

1. The Apple Push Certificates Portal will open and prompt you for credentials. Log in with the Apple ID of the device or devices you'd like to enroll.
   
2. Click Create a Certificate.
   
3. The Apple portal will prompt you to accept the MDM Certificate Agreement Terms of Use. Once you've done so, you'll receive a prompt to upload your CSR file.
4. Click Choose File. Select the CSR you generated in Create an Apple MDM Push Certificate connector in VSA 10. Then, click Upload.
   
5. The Apple portal will surface a confirmation that you've successfully created the push certificate. Click Download.
   
6. Continue to the next section of this article.

Upload the push certificate to VSA 10

1. Return to the Create Connector page in VSA 10 and locate the Upload the Apple Push Certificate section.
   
2. Add the certificate you downloaded from the Apple portal by dragging it into the Drag your certificate here box or by clicking the box and selecting the file to upload.
3. Confirm the ID you used to create the certificate by entering it in the Apple ID field.
4. Click Create. Then, proceed to either Manually enroll a device in MDM or Configure Automated Device Enrollment (ADE).

After creating the signed CSR and uploading it to VSA 10, you can enroll the device in MDM manually as follows.

Alternatively, if you wish to configure automatic VSA 10 MDM-enrollment of devices assigned to a dedicated server in Apple Business Manager, skip these steps and proceed to Configure Automated Device Enrollment (ADE).

1. From the left navigation menu in VSA 10, navigate to Devices > MDM Enrollment.
   
2. In the Context section, select the organization, site, and group where the device will reside.
   
3. From the Enroll Path drop-down menu, select the method via which you'd like to enroll the device in MDM: QR Code and Link or USB using Apple Configurator.

QR Code and Link

QR code enrollment is intended for personal (BYOD) iOS and iPadOS devices. Link enrollment is required for macOS devices, but you can also use it for iOS and iPadOS. To enroll a device via either of these methods, perform the following steps:

1. A Scan QR Code pane, similar to the example shown below, will appear on the MDM Enrollment page.
   
   

2. Follow the workflow it provides to complete the device enrollment. To send the instructions to a recipient via email, click Send Invite, complete the required contact fields, and click Send.

3. Once the enrollment process is complete, the device will become available to manage on VSA 10's Device List page.

USB using Apple Configurator

IMPORTANT  The USB enrollment method will erase your device.

This enrollment type is intended for business or corporate-owned devices and enables additional management capabilities. Currently, it only supports iOS and iPadOS devices. To enroll a device via this method, perform the following steps:

1. A USB pane, similar to the example shown below, will appear on the MDM Enrollment page. To send the instructions to a recipient via email, click Send Invite, complete the required contact fields, and click Send. Otherwise, proceed to the next step of this workflow.
   

2. On a separate device, download and install Apple Configurator 2. You'll use this device to enroll the managed endpoint. You can obtain this application from the Mac App Store.
3. Once the application is installed, proceed to the next step.

Create a WiFi profile

1. In Apple Configurator's top navigation menu, click File > New Profile.
   
2. In the window that opens, on the General tab, enter a profile name in the Name field.
   
3. In the left navigation menu, select WiFi.Then, click Configure.
4. Input the settings of the WiFi network to which the device should connect.
5. In Apple Configurator's top navigation menu, click File > Save.
6. When prompted, save the file in a location that you will be able to access in the next steps of this article.

Create a blueprint

1. In Apple Configurator's top navigation menu, click File > New Blueprint.
   
2. Specify a blueprint name.
   
3. Click the blueprint. Then, click Add > Profiles.
   
4. Select the WiFi profile you created in the previous section of this article and click Add.
   

Prepare the blueprint

1. Click the blueprint. Then, click Prepare.
2. In the Prepare Devices window, select Prepare with > Manual Configuration.
3. Ensure that the Supervise devices check box is selected.
4. Click Next.
   
5. On the Enroll in MDM screen, click Server > New Server. Then, click Next.
6. On the Define an MDM Server screen, input VSA in the Name field.
7. In the Host name or URL field, enter the enrollment link URL from the USB pane on the MDM Enrollment page.
   
8. Apple Configurator will fetch and add your trust anchor certificates. Click Next.
9. You may be prompted to sign in to Apple School Manager or Apple Business Manager. You can do so, or you can skip the step.

Create an organization

1. On the Create an organization screen, define the name of the organization with which this device will be associated. Then, click Next.
2. When prompted, select Generate a new supervision identity and click Next.
3. The Configure the iOS Setup Assistant screen will appear. Make any desired selections.
   
4. Click Prepare.

Apply the blueprint to the device

1. Via USB, connect the device you're enrolling to your current desktop or laptop computer.
2. In Apple Configurator, right-click the device, select Apply, and choose the blueprint you created.
   
3. Click Apply.
4. Apple Configurator will apply the blueprint. It may take several minutes for this process to complete and the new device to index in the MDM server. Once the enrollment process is complete, the device will become available to manage on VSA 10's Device List page.

BEFORE YOU BEGIN  You must create an Apple MDM Push Certificate connector for the organization you wish to configure ADE for. Refer to Create an Apple MDM Push Certificate connector in VSA 10.

By completing the following steps, every device assigned to a dedicated MDM server within Apple Business Manager will automatically be added to a specified agent group within your VSA 10 account:

Create an Apple Automated Device Enrollment connector in VSA 10

1. From the left navigation menu in VSA 10, navigate to Integrations > Connectors > Apple MDM.
2. Click Create Connector.
   
   
3. On the Create Connector page, select the Apple Automated Device Enrollment connector type from the Type drop-down menu.
4. Select the organization and site associated with the devices you wish to automatically enroll.

NOTE  The Organization Name field displays an error message if the selected organization is missing an Apple MDM Push Certificate connector, which you must configure first. Refer to Create an Apple MDM Push Certificate connector in VSA 10.

5. Select the specific agent group in which the devices will be automatically enrolled.
   
6. Optionally, enter a phone number and/or email address at which your support team can be reached, which users will see during device activation.
7. Click Next.
8. Click Download Public Key. VSA 10 will transfer a Privacy Enhanced Mail (PEM) file named ABM_Public_Key.pem to the default download location on your computer.
9. In the Generate New Server Token section, click Go to Apple Business Manager.
10. Without closing the Create Connector page, log in to Apple Business Manager and proceed to the next section.

Upload the public key to Apple Business Manager

1. In Apple Business Manager, click your name at the bottom of the sidebar and select Preferences.
2. Click MDM Server Assignment, then click Add .
3. Enter a unique name for the server.

NOTE  If you don’t want this MDM server to have the ability to release devices, refer to Release devices in the Apple Business Manager User Guide.

4. Upload the ABM_Public_Key.pem file you downloaded from VSA 10 in the previous section.
   
   
5. Click Save.
6. Click Download MDM Server Token .
7. In the confirmation dialog box, click Download MDM Server Token.
   

Upload the server token to VSA 10

1. Return to the Create Connector page in VSA 10 and locate the Upload Server Token section.
   
2. Add the .p7m server token file you downloaded from Apple Business Manager by dragging it into the Drag your server token file here box or by clicking the box and selecting the file to upload. The server token upload success will be validated.
   
3. Confirm the ID you used to generate the server token by entering it in the Apple ID field.
4. Click Create.

For more details, refer to ADE behavior.

To unenroll a device from MDM, perform the following steps:

1. Locate VPN & Device Management in the device's settings.
2. Open the MDM profile.
3. Click Remove Management.
4. VSA 10 will automatically remove the device from your platform.

Refer to Compatibility.

No. Currently, you'll see a Device is not supported error when you attempt to do so.

The available enrollment types are as follows:

• Automated Device Enrollment: Leveraging Apple Business Manager, devices can be preconfigured with specific management settings as soon as they are powered on, bypassing manual setup steps and streamlining the onboarding process. This ensures that devices are enrolled in mobile device management (MDM) from the start, offering zero-touch deployment for organizations.
• QR Code and Link: QR code enrollment is intended for personal (BYOD) iOS and iPadOS devices. Link enrollment is required for macOS devices, but you can also use it for iOS and iPadOS.
• USB using Apple Configurator: This enrollment type is intended for business or corporate-owned devices and enables additional management capabilities. Currently, it only supports iOS and iPadOS devices.

While being powered on doesn't matter, the iPhone should not be initialized. Connect the phone to USB and follow the steps described in the USB using Apple Configurator section of the article. The device will be erased and the new blueprint applied.

Apple recommends clearing the device when it is enrolled as supervised. However, if you back up the primary device to a secondary device before enrolling it, you can restore the backup from the secondary device to the primary device after you complete the enrollment. To do so:

1. Ensure that Find My iPhone is off on both devices to avoid problems during enrollment.
2. Use AppleConfigurator or Finder to back up the primary device.
3. Restore this backup on the secondary device.
4. Use AppleConfigurator or Finder to back up the secondary device.
5. Restore the backup of the secondary device to the primary device.
6. After restoration, when the primary device shows the Welcome screen on activation, connect it to Apple Configurator and enroll it via the USB method.
7. After activation, the device should appear in VSA 10 and contain the restored data.

USB enrollment is only available for macOS devices compatible with Apple Configurator.

Supervised mode provides more options to manage the device, such as restarting, shutting down, and enabling or disabling lost mode. The Play Lost Mode Sound will work only for supervised devices.

macOS devices are always supervised. iOS and iPadOS devices are supervised if they have been enrolled via USB with the Supervised option checked. You can find out if a device is supervised in the Asset Info section of the device details pane:

Refer to VSA 10 MDM: Supervised vs. non-supervised devices.

There might be a delay in seeing an enrolled device or its data.

Apple does not terminate its requests. However, VSA 10 has a 20-minute cache and pings MDM services every 15 minutes to get device information.

So, if you enroll, unenroll, change lost mode, or perform any other actions with a device, there may be a delay in reporting this information to VSA 10. If you have been waiting for more than one hour and still do not see a device, please open a ticket with Kaseya Support for assistance. When doing so, be sure to include the device's serial number.

This error can appear in several different formats:

"EMM authentication token is expired."

"EMM token is invalid."

"EMM token is missing."

It can occur as a result of MDM licensing being misconfigured in the Admin app. To resolve the issue, contact Kaseya Support for assistance.

Due to Apple limitations, the following conditions apply to MDM-enrolled devices:

• Devices enrolled via QR Code and Link only have access to the Erase command.
• Devices enrolled via USB using Apple Configurator have access to the following commands:
  • Restart
  • Shutdown
  • Enable/Disable Lost mode
  • Play Lost Mode Sound (if Lost Mode is enabled)
  • Erase
• macOS devices enrolled in MDM without the VSA 10 agent app installed have access to the following commands:
  • Restart
  • Shut down
  • Erase

Refer to VSA 10 MDM commands for a complete table of commands and their availability.

Yes. To take advantage of full VSA 10 management capabilities, you should both enroll a macOS device in MDM and have an agent installed. There is no preferred order to doing so; the process will not create duplicate devices.

There could be several reasons why a command did not execute:

• To get and process MDM commands, a device must have an internet connection. All types of internet connections are supported; Apple IDs and SIM cards are not required.
• VSA 10 sends commands to Apple right after you click the action button, but we cannot control how long the queued action will take to be relayed to the device and executed. The action may be awaiting processing.
• If a device is in sleep mode or turned off, it can not process commands. In some cases, Apple sends the same command periodically until a device is awake or until the command times out.
  • If a command times out, and Apple returns a status that the device is unavailable, our MDM server will try to send the command at the following intervals:
    • Five minutes after the first request
    • 10 minutes after the first request
    • 20 minutes after the first request
    • 40 minutes after the first request

Erasing is similar to a factory reset. All of the device's data, including the MDM profile, is deleted, and the phone is returned to its initial setup state. Erased and unenrolled devices must follow the enrollment process before they can be managed again.

Lost Mode is a feature available on Apple devices that you can use when your device is missing or stolen. When you activate Lost Mode, the device locks to prevent anyone else from accessing its data. You can activate this mode via MDM on iOS and iPadOS device. You can also display a custom message with a contact number on the Lock screen.

No. Apple does not provide a way to set up a passcode for a device with Lost Mode. However, it is possible to set up a lock screen message or phone number in the confirmation popup after you click Enable Lost Mode.

Refer to the Unenroll a device section of this article.