VSA 10 MDM: enrollment

NAVIGATION  Modules > Integrations > Connectors

NAVIGATION  Modules > Devices > MDM Enrollment

PERMISSIONS  Connectors > Full access to all Connectors pages

PERMISSIONS  Device Management > Add Devices

PERMISSIONS  Administrative privileges to manage software on the device to be enrolled and any endpoints assisting in the enrollment

VSA 10 includes mobile device management (MDM) for supported devices. This article provides compatibility, prerequisite, and process information related to using VSA 10 as your MDM solution.

To learn how to migrate to VSA 10 from another MDM solution, refer to VSA 10 MDM: Migrating from another MDM solution.

Prerequisites

Compatibility

Our MDM solution currently supports enrollment for the following mobile operating systems:

  • Android 10 and above
  • iOS 4.0 and above
  • iPadOS 4.0 and above
  • macOS 10.7 and above
  • tvOS 10.2 and above*

    NOTE  *While tvOS 10.2 supports MDM, certain features of MDM may not be available. To review what MDM features are supported depending on your version of tvOS, refer to Device management restrictions for Apple TV devices in the external Apple Platform Deployment documentation.

Permissions

To complete this process, you'll need the following permissions:

  • In VSA 10: 
  • For Apple OS devices: 
    • Ability to log in to appleid.apple.com with the Apple ID of the device or devices you'd like to enroll.
    • If configuring Automated Device Enrollment (ADE), ability to log in to Apple Business Manager with Administrator or Device Enrollment Manager credentials.
  • For Android OS devices:
    • Access to an Android Enterprise account, or a company email account that can be used to create an Android Enterprise account.

Device Enrollment vs. Automated Device Enrollment (ADE)

The two types of Apple MDM connectors available in VSA 10 drive your enrollment strategy. For a basic overview, refer to Types of Apple MDM connectors in the Connectors article.

Device Enrollment

To enroll Apple devices in MDM using QR code or USB enrollment methods, you'll perform the following steps:

  1. Configure an Apple Push Notification Service connector in VSA 10. Refer to Create an Apple Push Notification Service connector in VSA 10.
  2. Create a push certificate in the Apple portal and upload it to VSA 10. Refer to Create an Apple push certificate.
  3. Enroll devices one at a time into VSA 10 MDM. Refer to Manually enroll an Apple device in MDM.

ADE

To configure automatic MDM enrollment of Apple devices assigned to a dedicated server in Apple Business Manager, you'll perform the following steps:

  1. Configure an Apple Push Notification Service connector in VSA 10. Refer to Create an Apple Push Notification Service connector in VSA 10.
  2. Create a push certificate in the Apple portal and upload it to VSA 10. Refer to Create an Apple push certificate.
  3. Create an Apple Automated Device Enrollment connector in VSA 10, and generate an MDM server token in Apple Business Manager to upload to VSA 10. Refer to Configure Automated Device Enrollment (ADE).

ADE behavior

After configuring ADE, every device assigned to the newly added MDM server in Apple Business Manager automatically appears in VSA 10 and is added to the agent group specified in the connector. The following applies to devices processed through ADE:

  • Devices are enrolled in supervised mode. This grants full control over device configurations and ensuring compliance with organizational policies. Refer to VSA 10 MDM: Supervised vs. non-supervised devices.
  • Devices will receive all assigned configuration profiles. This ensures consistent and secure device management across the organization.
  • Non-activated devices appear on VSA 10 device pages as offline with an Enrollment status of Unenrolled and will not consume licenses until activated.
  • Devices are activated in VSA 10 once they are powered on and set up. During the setup process, the Remote Management screen will show that the device is enrolling into remote management by your VSA 10 instance. Once activated, the Enrollment status changes to Enrolled, and MDM Commands become available. Refer to VSA 10 MDM commands.

Agent installation

During MDM enrollment for macOS computers, VSA 10 automatically installs the macOS agent. This installation occurs silently and expands management capabilities, including remote control and workflow automation.

To enroll Android devices in MDM using a QR code or USB enrollment methods, you'll perform the following steps:

  1. Configure an Android MDM connector in VSA 10. Refer to Create an Android MDM connector in VSA 10.
  2. Enroll devices one at a time into VSA 10 MDM. Refer to Manually enroll an Android device in MDM.

How to...

  1. In VSA 10, navigate to Integrations > ConnectorsAndroid MDM.
  2. Click Create Connector.
  3. On the Create Connector page, select the Organization that enrolled devices will be added to, and configure the Enterprise Display Name, which is shown to users during device enrollment.

  4. In the Admin Email field, enter in the email address you wish to use to connect your organization to Android Enterprise, and click Authorize.

  5. You will then be redirected to the Android Enterprise account creation site. The email you entered will automatically be added to the Enter work email address field. Click Next to continue. This will send a 6 digit code to the inbox for that email.

  6. On the next screen, enter in the 6 digit code that was emailed in the last step and click Verify.

  7. One the email has been verified, click Allow and create account to link Android Enterprise with VSA 10. This will redirect you back to the Create Connector page.

  8. Back on the Create Connector page, the Android Enterprise Details will show your email and the connector status, which should be Active. You can then click Create to finish creating the connector.

Start the MDM enrollment for Apple devices by creating a new entry for the device on the Connectors page. To do so, perform the following steps:

  1. In VSA 10, navigate to Integrations > ConnectorsApple MDM.
  2. Click Create Connector.
  3. On the Create Connector page, select Apple Push Notification Service from the Type drop-down menu.
  4. Select the device's organization.

  5. Click Next.
  6. In the Download CSR File section, click Download CSR. VSA 10 will transfer a Certificate Signing Request (CSR) file named CertificateSigningRequest.plist to the default download location on your computer.
  7. In the Create the Apple Push Certificate section, click Go to Apple portal.
  8. Without closing the Create Connector page, perform the steps described in Create an Apple push certificate to continue.

Once you've completed the steps in Create an Apple Push Notification Service connector in VSA 10, follow this process to obtain a vendor-signed version of the CSR file and upload it to VSA 10 to create your new push certificate:

Create the Apple Push Certificate

  1. The Apple Push Certificates Portal will open and prompt you for credentials. Log in with the Apple ID of the device or devices you'd like to enroll.
  2. Click Create a Certificate.
  3. The Apple portal will prompt you to accept the MDM Certificate Agreement Terms of Use. Once you've done so, you'll receive a prompt to upload your CSR file.
  4. Click Choose File. Select the CSR you generated in Create an Apple Push Notification Service connector in VSA 10. Then, click Upload.
  5. The Apple portal will surface a confirmation that you've successfully created the push certificate. Click Download.
  6. Continue to the next section of this article.

Upload the push certificate to VSA 10

  1. Return to the Create Connector page in VSA 10 and locate the Upload the Apple Push Certificate section.
  2. Add the certificate you downloaded from the Apple portal by dragging it into the Drag your certificate here box or by clicking the box and selecting the file to upload.
  3. Confirm the ID you used to create the certificate by entering it in the Apple ID field.
  4. Click Create. Then, proceed to either Manually enroll an Apple device in MDM or Configure Automated Device Enrollment (ADE).

After creating an Android MDM connector, you can enroll Android devices in MDM manually as follows.

  1. From the left navigation menu in VSA 10, navigate to Devices > MDM Enrollment.
  2. In the Device Platform section, select Android.
  3. In the Context section, select the organization, site, and agent group where the device will reside.
  4. From the Enroll Path drop-down menu, select the method via which you'd like to enroll the device in MDM:
    • Personally-owned devices (BYOD): This enrollment type is intended for users that are using their personal devices to access work-related apps in a work profile. For this enrollment type, you will be given a QR code and a link to share with users. You can also email out the QR code, link, and enrollment instructions right from VSA 10 using Send Invite.
      • If Send Invite is selected, configure the email addresses you wish to send an invite to, add a custom message to the body of the email if needed, and click Send to finish.

        NOTE  If Create end user accounts and assign enrolled devices is checked on the Send Invite page, devices enrolled using the QR code or link from the email will be linked to new accounts created from the emails that were sent the invite message. After sending the invite you can specify end user names in Client Portal > End Users. This option is only available for personally owned devices.

    • Company Owned - Personal usage allowed:Use this enrollment type if you want to allow users to add a personal profile so they can use personal apps on their work device. For this enrollment type, you will be given a QR code that is meant to be scanned when setting up a new device. Follow the instructions on the page to enroll new Android devices. You can also email out the QR code and enrollment instructions right from VSA 10 using Send Invite.
      • If Send Invite is selected, configure the email addresses you wish to send an invite to, add a custom message to the body of the email if needed, and click Send to finish.
    • Company Owned - Fully Managed: Use this enrollment type for devices that will be fully managed by your organization for users that need access to multiple apps in the course of their work. For this enrollment type, you will be given a QR code that is meant to be scanned when setting up a new device. Follow the instructions on the page to enroll new Android devices.
      • If Send Invite is selected, configure the email addresses you wish to send an invite to, add a custom message to the body of the email if needed, and click Send to finish.
    • Company Owned - Kiosk Mode: Use this enrollment type for devices that will be typically locked to only using one specific app or set of web pages. This will disable normal OS navigation, system settings, and app switching. For this enrollment type, you will be given a QR code that is meant to be scanned when setting up a new device. Follow the instructions on the page to enroll new Android devices.
      • If Send Invite is selected, configure the email addresses you wish to send an invite to, add a custom message to the body of the email if needed, and click Send to finish.

After creating the signed CSR and uploading it to VSA 10, you can enroll Apple devices in MDM manually as follows.

Alternatively, if you wish to configure automatic VSA 10 MDM-enrollment of devices assigned to a dedicated server in Apple Business Manager, skip these steps and proceed to Configure Automated Device Enrollment (ADE).

  1. From the left navigation menu in VSA 10, navigate to Devices > MDM Enrollment.
  2. In the Device Platform section, select Apple.
  3. In the Context section, select the organization, site, and agent group where the device will reside.
  4. From the Enroll Path drop-down menu, select the method via which you'd like to enroll the device in MDM: QR Code and Link or USB using Apple Configurator.

QR code enrollment is intended for personal (BYOD) iOS and iPadOS devices. Link enrollment is required for macOS devices, but you can also use it for iOS and iPadOS. To enroll a device via either of these methods, perform the following steps:

  1. A Scan QR Code pane, similar to the example shown below, will appear on the MDM Enrollment page.

  1. Follow the workflow it provides to complete the device enrollment. To send the instructions to a recipient via email, click Send Invite, complete the required contact fields, and click Send.
  1. Once the enrollment process is complete, the device will become available to manage on VSA 10's Device List page.

IMPORTANT  This process only adds the macOS device to Apple Business Manager (ABM). It does not enroll it directly into MDM.

IMPORTANT  This enrollment type requires supervision, and is intended for business or corporate-owned devices and enables additional management capabilities. Currently, it only supports iOS and iPadOS devices.

Supported macOS versions: macOS Monterey and later.

To enroll a device via this method, perform the following steps:

  1. A USB pane, similar to the example shown below, will appear on the MDM Enrollment page. To send the instructions to a recipient via email, click Send Invite, complete the required contact fields, and click Send. Otherwise, proceed to the next step of this workflow.
  1. On a separate device, download and install Apple Configurator 2. You'll use this device to enroll the managed endpoint. You can obtain this application from the Mac App Store.
  2. Once the application is installed, proceed to the next step.

Create a WiFi profile

  1. In Apple Configurator's top navigation menu, click File > New Profile.
  2. In the window that opens, on the General tab, enter a profile name in the Name field.
  3. In the left navigation menu, select WiFi.Then, click Configure.
  4. Input the settings of the WiFi network to which the device should connect.
  5. In Apple Configurator's top navigation menu, click File > Save.
  6. When prompted, save the file in a location that you will be able to access in the next steps of this article.

Create a blueprint

  1. In Apple Configurator's top navigation menu, click File > New Blueprint.
  2. Specify a blueprint name.
    Graphical user interface, application, Word, Teams Description automatically generated
  3. Click the blueprint. Then, click Add > Profiles.
    Graphical user interface, application, Word, PowerPoint Description automatically generated
  4. Select the WiFi profile you created in the previous section of this article and click Add.
    Graphical user interface, application Description automatically generated

Prepare the blueprint

  1. Click the blueprint. Then, click Prepare.
  2. In the Prepare Devices window, select Prepare with > Manual Configuration.
  3. Ensure that the Supervise devices check box is selected.
  4. Click Next.
    Graphical user interface, application Description automatically generated
  5. On the Enroll in MDM screen, click Server > New Server. Then, click Next.
  6. On the Define an MDM Server screen, input VSA in the Name field.
  7. In the Host name or URL field, enter the enrollment link URL from the USB pane on the MDM Enrollment page.
    Graphical user interface, application Description automatically generated
  8. Apple Configurator will fetch and add your trust anchor certificates. Click Next.
  9. You may be prompted to sign in to Apple School Manager or Apple Business Manager. You can do so, or you can skip the step.

Create an organization

  1. On the Create an organization screen, define the name of the organization with which this device will be associated. Then, click Next.
  2. When prompted, select Generate a new supervision identity and click Next.
  3. The Configure the iOS Setup Assistant screen will appear. Make any desired selections.
    Graphical user interface, application Description automatically generated
  4. Click Prepare.

Apply the blueprint to the device

  1. Via USB, connect the device you're enrolling to your current desktop or laptop computer.
  2. In Apple Configurator, right-click the device, select Apply, and choose the blueprint you created.
  3. Click Apply.
  4. Apple Configurator will apply the blueprint. It may take several minutes for this process to complete and the new device to index in the MDM server. Once the enrollment process is complete, the device will become available to manage on VSA 10's Device List page.

BEFORE YOU BEGIN  You must create an Apple Push Notification Service connector for the organization you wish to configure ADE for. Refer to Create an Apple Push Notification Service connector in VSA 10.

NOTE  Automated Device Enrollment is only available for Apple devices.

By completing the following steps, every device assigned to a dedicated MDM server within Apple Business Manager will automatically be added to a specified agent group within your VSA 10 account:

Create an Apple Automated Device Enrollment connector in VSA 10

  1. From the left navigation menu in VSA 10, navigate to Integrations > Connectors > Apple MDM.
  2. Click Create Connector.
  3. On the Create Connector page, select the Apple Automated Device Enrollment connector type from the Type drop-down menu.

  4. Select the organization and site associated with the devices you wish to automatically enroll.

  5. NOTE  The Organization Name field displays an error message if the selected organization is missing an Apple Push Notification Service connector, which you must configure first. Refer to Create an Apple Push Notification Service connector in VSA 10.

  6. Select the specific agent group in which the devices will be automatically enrolled.
  7. Optionally, enter a phone number and/or email address at which your support team can be reached, which users will see during device activation.
  8. Click Next.
  9. Click Download Public Key. VSA 10 will transfer a Privacy Enhanced Mail (PEM) file named ABM_Public_Key.pem to the default download location on your computer.
  10. In the Generate New Server Token section, click Go to Apple Business Manager.
  11. Without closing the Create Connector page, log in to Apple Business Manager and proceed to the next section.

Upload the public key to Apple Business Manager

  1. In Apple Business Manager, click your name at the bottom of the sidebar and select Preferences.
  2. Click MDM Server Assignment, then click Add .
  3. Enter a unique name for the server.

  4. NOTE  If you don’t want this MDM server to have the ability to release devices, refer to Release devices in the Apple Business Manager User Guide.

  5. Upload the ABM_Public_Key.pem file you downloaded from VSA 10 in the previous section.

  6. Click Save.
  7. Click Download MDM Server Token .
  8. In the confirmation dialog box, click Download MDM Server Token.

Upload the server token to VSA 10

  1. Return to the Create Connector page in VSA 10 and locate the Upload Server Token section.
  2. Add the .p7m server token file you downloaded from Apple Business Manager by dragging it into the Drag your server token file here box or by clicking the box and selecting the file to upload. The server token upload success will be validated.
  3. Confirm the ID you used to generate the server token by entering it in the Apple ID field.

  4. Click Next to move on to the Configuration section

Configure connector options

  1. In the Configuration section, select which items under General Options and Setup Assistance Settings you want to apply to the connector.

    • In General Settings, you will select whether MDM enrollment is enforced, and whether you want to give users the ability to remove the MDM profile on their own.

    • In Setup Assistance Options, you will select which setup steps are present when running setup on an MDM enrolled device.

  2. When finished, click Create to save the connector.

For more details, refer to ADE behavior.

To unenroll a device from MDM, perform the following steps based on the device's OS:

Android

  1. Navigate to Settings > Security > Device Administrators or Device admin apps.
  2. Locate the Device Policy application and toggle it off. Confirm that you wish to remove the work profile if prompted.

Apple iOS and iPadOS

  1. Locate VPN & Device Management in the device's settings.
  2. Open the MDM profile.
  3. Click Remove Management.
  4. VSA 10 will automatically remove the device from your platform.

macOS

  1. Go to the Apple menu > System Settings.
  2. Click General > Device Management.
  3. Select the MDM profile.
  4. Click the Remove icon () or Remove Management, and confirm with your administrator password.

NOTE  MDM cannot be removed at the device level for tvOS devices. The device needs to be released from the management profile online. Once the profile has been released, a factory reset can be performed on the device.

VSA 10 MDM commands

Once you've enrolled a device in MDM, the following commands will become available on devices pages in VSA 10.

NOTE  Availability of any command is dependent on both the device type and enrollment method used.

Apple devices

Command iOS/iPadOS macOS
QR code enrollment USB enrollment Link enrollment
Non-supervised Supervised Supervised
Restart FALSE TRUE TRUE
Shutdown FALSE TRUE TRUE
Enable/Disable lost mode FALSE TRUE FALSE
Play Lost Mode Sound FALSE TRUE FALSE
Erase TRUE TRUE TRUE
Lock FALSE TRUE TRUE

Android devices

Command Personally-owned devices (BYOD)

Company Owned - Personal usage allowed

Company Owned - Fully Managed

Company Owned - Kiosk mode

Restart FALSE FALSE TRUE TRUE
Enable/Disable lost mode FALSE TRUE TRUE TRUE
Lock TRUE TRUE TRUE TRUE
Reset Password TRUE TRUE TRUE TRUE

Next step: Configuring MDM profiles

After a device completes the enrollment process, any configuration or management policies you've defined for its type will automatically apply. For more information, refer to VSA 10 MDM: MDM profiles.

MDM FAQ

The following answers to frequently asked questions will help you get the most out of your VSA 10 MDM experience.

Refer to Compatibility.

No. Currently, you'll see a Device is not supported error when you attempt to do so.

The available enrollment types are as follows:

  • Automated Device Enrollment: Leveraging Apple Business Manager, devices can be preconfigured with specific management settings as soon as they are powered on, bypassing manual setup steps and streamlining the onboarding process. This ensures that devices are enrolled in mobile device management (MDM) from the start, offering zero-touch deployment for organizations.
  • QR Code and Link: QR code enrollment is intended for personal (BYOD) iOS and iPadOS devices. Link enrollment is required for macOS devices, but you can also use it for iOS and iPadOS.Android devices are only able to be enrolled via this method.
  • USB using Apple Configurator: This enrollment type requires supervision, and is intended for business or corporate-owned devices and enables additional management capabilities. Currently, it only supports iOS and iPadOS devices.

You can manually add devices to Apple Business Manager using the Apple Configurator. For more information, refer to this Apple Business Manager User Guide article.

While being powered on doesn't matter, the iPhone should not be initialized. Connect the phone to USB and follow the steps described in the USB using Apple Configurator section of the article. The device will be erased and the new blueprint applied.

Apple recommends clearing the device when it is enrolled as supervised. However, if you back up the primary device to a secondary device before enrolling it, you can restore the backup from the secondary device to the primary device after you complete the enrollment. To do so:

  1. Ensure that Find My iPhone is off on both devices to avoid problems during enrollment.
  2. Use AppleConfigurator or Finder to back up the primary device.
  3. Restore this backup on the secondary device.
  4. Use AppleConfigurator or Finder to back up the secondary device.
  5. Restore the backup of the secondary device to the primary device.
  6. After restoration, when the primary device shows the Welcome screen on activation, connect it to Apple Configurator and enroll it via the USB method.
  7. After activation, the device should appear in VSA 10 and contain the restored data.

USB enrollment can only be performed from macOS devices compatible with Apple Configurator.

Supervised mode provides more options to manage the device, such as restarting, shutting down, and enabling or disabling lost mode. The Play Lost Mode Sound will work only for supervised devices.

macOS devices are always supervised. iOS and iPadOS devices are supervised if they have been enrolled via USB with the Supervised option checked. You can find out if a device is supervised in the Asset Info section of the device details pane:

Refer to VSA 10 MDM: Supervised vs. non-supervised devices.

There might be a delay in seeing an enrolled device or its data.

Apple does not terminate its requests. However, VSA 10 has a 20-minute cache and pings MDM services every 15 minutes to get device information.

So, if you enroll, unenroll, change lost mode, or perform any other actions with a device, there may be a delay in reporting this information to VSA 10. If you have been waiting for more than one hour and still do not see a device, please open a ticket with Kaseya Support for assistance. When doing so, be sure to include the device's serial number.

This error can appear in several different formats:

"EMM authentication token is expired."

"EMM token is invalid."

"EMM token is missing."

It can occur as a result of MDM licensing being misconfigured in the Admin app. To resolve the issue, contact Kaseya Support for assistance.

Due to Apple limitations, the following conditions apply to MDM-enrolled devices:

  • Devices enrolled via QR Code and Link only have access to the Erase command.
  • Devices enrolled via USB using Apple Configurator have access to the following commands:
    • Restart
    • Shutdown
    • Enable/Disable Lost mode
    • Play Lost Mode Sound (if Lost Mode is enabled)
    • Erase
  • macOS devices enrolled in MDM without the VSA 10 agent app installed have access to the following commands:
    • Restart
    • Shut down
    • Erase

Refer to VSA 10 MDM commands for a complete table of commands and their availability.

Yes. To take advantage of full VSA 10 management capabilities, you should both enroll a macOS device in MDM and have an agent installed. There is no preferred order to doing so; the process will not create duplicate devices.

There could be several reasons why a command did not execute:

  • To get and process MDM commands, a device must have an internet connection. All types of internet connections are supported; Apple IDs and SIM cards are not required.
  • VSA 10 sends commands to Apple right after you click the action button, but we cannot control how long the queued action will take to be relayed to the device and executed. The action may be awaiting processing.
  • If a device is in sleep mode or turned off, it can not process commands. In some cases, Apple sends the same command periodically until a device is awake or until the command times out.
    • If a command times out, and Apple returns a status that the device is unavailable, our MDM server will try to send the command at the following intervals:
      • Five minutes after the first request
      • 10 minutes after the first request
      • 20 minutes after the first request
      • 40 minutes after the first request

Erasing is similar to a factory reset. All of the device's data, including the MDM profile, is deleted, and the phone is returned to its initial setup state. Erased and unenrolled devices must follow the enrollment process before they can be managed again.

Lost Mode is a feature available on Apple devices that you can use when your device is missing or stolen. When you activate Lost Mode, the device locks to prevent anyone else from accessing its data. You can activate this mode via MDM on iOS and iPadOS device. You can also display a custom message with a contact number on the Lock screen.

No. Apple does not provide a way to set up a passcode for a device with Lost Mode. However, it is possible to set up a lock screen message or phone number in the confirmation popup after you click Enable Lost Mode.

Refer to the Unenroll a device section of this article.