Enrolment methods in Apple Business
To view critical device facts, send apps and settings or push commands to a device, devices need to be enrolled into the built-in device management service in Apple Business.
There are different ways that you can enrol a device based on the plan you choose and you can use the following enrolment methods to manage devices:
Account-driven User Enrollment: User Enrollment is designed for BYOD—or bring-your-own-device deployments—where the user, not the organization, owns the device.
Device Enrollment: Device Enrollment is designed for company-owned devices already in use by the employee. Device Enrollment allows users to manually enroll them without requiring the device to be erased.
Automated Device Enrollment: Automated Device Enrollment is designed for new or erased devices. Automated Device Enrollment lets organizations configure and manage devices from the moment the devices are removed from the box and turned on. This method of enrollment can be used for both employee plans and device plans.
Employee plans in Apple Business allow up to three devices per employee. All the employee needs to do is sign in on their device with their Managed Apple Account to get their device managed. To view all plan options, see Intro to AppleCare+ for Business plans.
After a device is successfully enrolled and managed, the device gets all of the configured settings and assigned apps, has the Apple Business app installed and gets access to work iCloud storage.
Note: Depending on the enrolment method, not all apps and features are available to sync with iCloud. For more information, see Service access with Managed Apple Accounts.
Enrolment methods in Apple Business
Feature | Account-driven User Enrollment | Account-driven Device Enrollment | Profile-based Device Enrollment | Automated Device Enrollment |
|---|---|---|---|---|
Minimum supported operating system versions | iOS 15 iPadOS 15 macOS 14 visionOS 26.4 | iOS 17 iPadOS 17 macOS 14 visionOS 26.4 | macOS 13 | iOS 15 iPadOS 15 macOS 12.0.1 tvOS 15 (device plan only) visionOS 26.4 (if the beta feature is turned on) |
Plans | User | User | User | Device User |
Supervision | No | No (iPhone, iPad, Apple Vision Pro) Yes (Mac) | Yes (Mac) | Yes |
Data separation | Yes | Yes | No | No |
Use an unmanaged (personal) Apple Account | Yes | Yes | Yes | No (user plan) Not supported (device plan) |
Account-driven User Enrollment
You can use Account-driven User Enrolment to enrol an employee’s personal iPhone, iPad, Mac and Apple Vision Pro, into Apple Business. When a device uses this enrolment method, the following occurs:
Apple Business app installed: Yes
Assigned apps available: In the Apple Business app
Settings applied: Yes
Device supervised: Mac: No. iPhone, iPad, Apple Vision Pro: No
Personal and work data separated: No
Unmanaged (personal)Apple Account iCloud storage: Yes
Organization Managed Apple Account iCloud storage: Available
Requirements
This feature requires iOS 15, iPadOS 15, macOS 14, visionOS 26.4 or later. To require the device enrol using Account-driven User Enrolment when signed in with a Managed Apple Account, do the following:
In Apple Business, sign in with a user whose role has permissions to manage devices.
To view roles and permissions, see Intro to roles and permissions.
In your browser, choose Devices > Management Services.
Select the Device Enrollment tab.
Select Enrol as personal device for all device types you want to enrol with Device Enrolment upon sign in with a Managed Apple Account.
Note: User Enrolment leads to unsupervised management, meaning your IT department has limited management over User Enrolled devices. This method of enrolment is best for personally owned devices or organisationally owned devices that don’t need to be supervised. Any iPhone or iPad that requires supervision needs to enrol using Automated Device Enrolment. For more information, see About Apple device supervision in Apple Platform Deployment.
Account-driven Device Enrollment
You can use Account-driven Device Enrolment on any organisation-owned Mac that is already in use by an employee or hasn’t been linked to your Apple Customer Number or Reseller Number.
When a device uses this enrolment method by signing in with a Managed Apple Account, the following occurs:
Apple Business app installed: Yes
Assigned apps available: In the Apple Business app
Settings applied: Yes
Device supervised: Mac: Yes. iPhone, iPad, Apple Vision Pro: No
Personal and work data separated: Yes
Unmanaged (personal) Apple Account iCloud storage: Yes
Organization Managed Apple Account iCloud storage: Available
Requirements
This feature requires iOS 17.1, iPadOS 17.1, macOS 14.1, visionOS 26.4 or later. For devices with previous versions, signing in with a Managed Apple Account results in User Enrolment.
To require an iPhone, iPad, Mac or Apple Vision Pro to enrol using Account-driven Device Enrolment when signed in with a Managed Apple Account, do the following:
In Apple Business, sign in with a user whose role has permissions to manage devices.
To view roles and permissions, see Intro to roles and permissions.
In your browser, choose Devices > Management Services.
Select the Device Enrollment tab.
Select Enrol as organisation-owned device for all device types you want to enrol with Device Enrolment upon sign in with a Managed Apple Account.
Profile-based Device Enrollment
Mac computers can do Profile-based Device Enrolment with the use of an enrolment profile. When a Mac uses this enrolment method, the following occurs:
Apple Business app installed: Yes
Assigned apps available: In the Apple Business app
Settings applied: Yes
Device supervised: Yes
Personal and work data separated: No
Unmanaged (personal)Apple Account iCloud storage: Yes
Organization Managed Apple Account iCloud storage: Available
Requirements
This feature requires macOS 13 or later. For devices with previous versions, signing in with a Managed Apple Account results in User Enrolment. To have a Mac enrol using Profile-based Device Enrolment when signed in with a Managed Apple Account, do the following:
To send to a single user, complete the task Send enrollment instructions to a single user.
To send to multiple users, complete the task Send enrollment instructions to multiple users.
Automated Device Enrollment (all devices)
You can use Automated Device Enrolment with an employee plan on any organisation-owned iPhone, iPad, Mac, Apple TV and Apple Vision Pro (if the beta feature is turned on).
After the employee signs in to Setup Assistant with their Managed Apple Account and password, their device is managed and the following occurs:
Apple Business app installed: Yes (not available for AppleTV)
Assigned apps available: In the Apple Business app for user plans, or downloaded immediately for device plans
Settings applied: Yes
Device supervised: Yes
Unmanaged (personal)Apple Account iCloud storage: Unavailable
Organization Managed Apple Account iCloud storage: Available (Not available for AppleTV)
Requirements
This feature requires iOS 15, iPadOS 15, macOS 12.0.1, tvOS 15, visionOS 26.4 or later. To require the device enrol using Automated Device Enrolment when signed in with a Managed Apple Account, do the following:
Link your Apple Customer Number or Reseller Number to Apple Business. See Manage device suppliers.
After a device appears in Apple Business, assign it to the Apple Business device management service. See Device workflow.
If your device doesn’t appear in Apple Business, you can add it using Apple Configurator. See Add devices from Apple Configurator.
The devices need to be connected to the internet and powered on. A specified user can then finish Setup Assistant for iPhone, iPad and Mac. Apple TV finishes the Setup Assistant automatically.
Users then sign in to Setup Assistant with their Managed Apple Account user name and password.
Automated Device Enrollment (Devices that use a device plan)
To keep your organisation secure, any device with a device subscription needs to be manually approved by any user whose role has permissions to purchase Apple Business subscriptions before it can be managed. You can either do this when adding the device to a device plan or after the device has enrolled.
To automatically approve devices when adding them to a device plan, simply select Approve recently added devices for management without manual review at the time of plan confirmation. This is possible only on devices that are newly added to a device plan and have never previously been approved and managed by Apple Business.
Requirements
This feature requires iOS 15, iPadOS 15, macOS 12.0.1, tvOS 15, visionOS 26.4 or later. For Automated Device Enrolment with a device subscription, first complete the task Automated Device Enrollment (all devices).
Note: Make sure you check to see if a device is supported for a Device plan. See AppleCare+ for Business coverage.
To approve devices after they’ve been enrolled:
In Apple Business, sign in with a user whose role has permissions to manage devices.
To view roles and permissions, see Intro to roles and permissions.
If necessary, search for the device in the search field. See How to search.
To search for specific devices, you can paste up to 1024 serial numbers from a text file, with each serial number separated by a comma.
Select the device you want to manage.
Review the enrollment details, including the date and time of enrollment, the operating system, and the certificate fingerprint. (This step is important. Ensure that all this information is correct before approving any devices for management.)
To find the certificate fingerprint, do one of the following:
iPhone, iPad, Apple Vision Pro: Find the certificate fingerprint of your iPhone, iPad or Apple Vision Pro by navigating to Settings > your Managed Apple Account > More Details > Device Identity Certificate. The certificate fingerprint is found at the bottom of the page under Fingerprints > SHA-256.
Mac: Find the certificate fingerprint of your Mac by navigating to Keychain > Certificates > Systems and then selecting the entry with a random UUID that has Issued by: Apple MDM RSA CA 1 - G1. Open the window and scroll down. The certificate fingerprint is found under Fingerprints > SHA-256.
Choose one of the following:
If the enrollment details are correct, approve the device for management.
If the enrollment details are incorrect, deny the device for management. Denying a device removes the enrollment profile, and won’t be managed.
Send enrollment instructions to a single user
To send instructions to an employee directing them to signing into a device with a Managed Apple Account, do the following:
In Apple Business, sign in with a user whose role has permissions to create, edit and delete Managed Apple Accounts.
To view roles and permissions, see Intro to roles and permissions.
If necessary, search for the user in the search field. See How to search.
Select the user from the list, then select Enrol Devices
.Choose the device instructions to send to the user:
Mac
iPhone, iPad, Apple Vision Pro
Note: If the Mac has macOS 13 or earlier installed, you need to select download an enrolment profile.
Select Send.
When the user receives the email, they can select the link contained in the Note at the bottom of the Mac enrollment instructions and follow the directions on the webpage to get their device managed.
Send enrollment instructions to multiple users
To send instructions to multiple employees at once directing them to signing into a device with a Managed Apple Account, do the following:
In Apple Business, sign in with a user whose role has permissions to create, edit and delete Managed Apple Accounts.
To view roles and permissions, see Intro to roles and permissions.
If necessary, search for the users in the search field. See How to search.
Select the users from the list, then select Send Device Enrolment Instructions
.Choose the device instructions to send to the users:
Mac
iPhone, iPad, Apple Vision Pro
Note: If the Mac has macOS 13 or earlier installed, you need to select download an enrolment profile.
Select Send.
When the user receives the email, they can select the link contained in the Note at the bottom of the Mac enrolment instructions and follow the directions on the webpage to get their device managed.
Apple Business app
With Apple Business and the Apple Business app, employees can:
Download the work apps they’ve been assigned by their organization.
View all of their managed devices.
Directly access AppleCare+ for Business support.
Request, track and cancel repairs covered under AppleCare+ for Business.
After users enrol in device management, the app is automatically downloaded to their iPhone, iPad, Mac or Apple Vision Pro. See the Apple Support article About the Apple Business app.