Jamf Pro - enrolling devices without DEP

Apple's Device Enrollment Program (DEP) is the preferred way to enroll Macs and iOS devices into Jamf Pro, and comes with many advantages. However, only devices bought through certain channels are eligible for DEP; if, for example, your department bought an iPad at Best Buy, it will not be eligible for DEP. However, there are still options to gain the same advantages on Macs and iOS devices. In this article we will explore the options for both.

See IS&T Device Enrollment Program (DEP) for Macs for more information on enrolling Macs in DEP.

Enrolling Macs manually:

1. On the client mac, go to https://casper1.mit.edu:8443/enroll and follow the prompts:
   1. Log in with your MIT kerberos name and password
   2. Enter the end user's kerb (optional but recommended)
   3. Select the Jamf site into which the Mac should be enrolled and click Enroll
   4. On the next page you will be prompted to download the Jamf Certificate Authority. Click Continue to download it.
   5. Open the downloaded file (Safari will do this automatically by default).
   6. Confirm installation of the cert in System Preferences > Profiles
      
   7. Back in Safari, click Continue again to download the MDM profile
   8. Again, open the downloaded profile and then confirm installation in System Preferences > Profiles
      
2. If you'd like to get the standard suite of software and configurations normally deployed on DEP-enrolled Macs, open Terminal and run `sudo jamf policy -event newmac`.
   1. Wait until that command finishes. The Mac will shut down automatically when complete.
   2. When the user logs into the Mac, they will be prompted to enable FileVault encryption.

See IS&T Device Enrollment Program (DEP) for Macs for a list of software and settings deployed in this standard suite.

Enrolling iOS devices manually:

There are two ways to enroll iOS devices: via Apple Configurator with a Supervision Identity, and manually via user-initiated enrollment. The approach with Apple Configurator will enroll devices as "supervised" in Jamf Pro, which is required for advanced features like enabling Lost Mode or Activation Lock via Jamf Pro.

To enroll an iPad with supervised mode, please contact euc-help@mit.edu for access to a Supervision Identity certificate and password, which you will need to install on your local Mac. Then follow these steps:

Initial setup:

1. Double-click the .p12 certificate file you get from the End User Computing team. 
   
   
2. When prompted, click Add to add the cert to your login keychain.
   
   
3. Enter the cert password you got from the EUC team.
   
   
4. Log into the JSS, and go to Devices > Enrollment Invitations, then click New.
   
   
5. Set the Enrollment Method to "Apple Configurator Enrollment" and click Next.
   
   
6. Set the expiration date of this enrollment as you see fit – you will reuse this invitation with Apple Configurator so when it expires you'll need to make a new one. Click Next.
   
   
7. Enter your email address (or your team's email address) and click Next.
8. You can customize the message if you like. Otherwise, just click Next to send the email.
9. Copy the unique enrollment URL you receive in that email. You will need it shortly to set up Apple Configurator.
10. Install Apple Configurator from the macOS App Store: https://apps.apple.com/us/app/apple-configurator-2/id1037126344?mt=12
11. In Apple Configurator, open "Preferences" and go to the "Servers" tab.
    
    
12. Click the + icon in the lower-left to add a new server.
13. Set the name to something human-readable and useful for you, e.g. "IS&T Jamf Pro".
14. Paste in the URL you got from your email and save.
    
    
15. After saving, double-click the server to edit it again, and confirm the URL is correct. A bug in Apple Configurator resets the URL during initial setup sometimes, in which case just re-paste it and save again.
16. Click on the Organizations tab in the "Preferences" window and click the + button.
17. When prompted for an AppleID, click Skip.
18. Set the name to MIT and click Next.
    
    
19. Select "Choose an existing supervision identity" and click Next.
    
    
20. Choose the Jamf Pro supervision identity and click Done. (This might be auto-filled on your machine if it is the only certificate available.)

Preparing iOS devices:

Now that you have Apple Configurator fully set up, you can prepare an iOS device with the following steps:

1. Connect your device to your Mac via USB cable.
2. Make sure your device is unlocked and click "trust" if prompted to trust your computer.
3. In Apple Configurator, select the iPad and click Prepare.
   
   
4. Select Manual Configuration, and leave only the "Supervise devices" box checked. You can optionally also check the box to allow devices to be paired with other computers. Click Next.
   
   
5. Select IS&T Jamf Pro from the list (or whatever you named it in the previous setup steps). Click Next.
6. Select MIT from the list and click Next.
7. Configure the next screen as you see fit. Select "Don't show any of these steps" to skip all iOS setup screens. Click Prepare.
   
   
8. You may be prompted to erase the iPad. If you are ready to wipe the device completely, click Erase. This cannot be undone!
9. When done, continue through the iOS setup procedure on the iPad until you connect to a Wi-Fi network.
10. After connecting to a Wi-Fi network on the iPad, wait. After a few minutes, Apple Configurator will finish and the iPad will show you a "Remote Management" screen.
11. Once you see the "Remote Management" screen, continue through setup on the iPad until you reach the home screen.
12. Repeat as needed with other iOS devices.

Enrolling iOS devices without Supervision

If you prefer to enroll devices without supervision, you do not need to set up Apple Configurator. See Jamf Pro - Mobile Device Enrollment for more information.

Have Questions or Still Need Help?

Contact the End User Computing team at euc-help@mit.edu