Enroll Apple devices in bulk 编辑

You can enroll large numbers of iOS, iPadOS, macOS, and tvOS devices in Endpoint Management in two ways:

• Use the Apple Deployment Programs (ADP) to enroll Apple devices that you buy directly from Apple or from a participating Apple Authorized Reseller or a carrier.

  For more information about deploying ADP-enabled devices, see Deploy devices through the Apple Deployment Programs. This article describes how users enroll ADP-enabled devices and how to reenroll the devices.

• Use Apple Configurator 2 to enroll iOS devices regardless of whether you buy them directly from Apple.

This article describes how to deploy devices in bulk using Apple Configurator 2.

About bulk enrollment

The ADPs include Apple Business Manager (ABM) for business and Apple School Manager (ASM) for Education. Bulk enrollment through the ADPs features the following:

• You don’t have to touch or prepare the devices.
• After you complete deployment settings in Endpoint Management, you can give the devices to users who can start using them right away.
• You can simplify the setup process for users by eliminating some of the Setup Assistant steps.
• For more information about setting up ABM and ASM, see the documentation available from Apple Business Manager and Apple School Manager.

Bulk enrollment through Apple Configurator 2 features the following:

• You attach iOS devices to a Mac running macOS 10.7.2 or later and the Apple Configurator 2 app. You prepare the iOS devices and configure policies through Apple Configurator 2.
• Devices automatically enroll in Endpoint Management during the setup process. Once setup is completed, Endpoint Management pushes policies, apps, and other resources to devices. You can then start managing the devices.
• For more information about using Apple Configurator 2, see the Apple Configurator Help.

How users enroll ADP-enabled devices

Users enroll their devices in Endpoint Management as follows:

1. Users start their device.

2. Endpoint Management delivers the ADP settings that you configured on the Settings > Apple Deployment Programs page to the device.

3. Users configure the initial settings on their device.

4. The device automatically starts the Endpoint Management device enrollment process.

5. If you integrate Endpoint Management with Citrix Workspace, the Deployment Program deployment package includes the Workspace App as a required app. In that case, Secure Hub prompts users to enroll the device in Citrix Workspace before enrolling in Endpoint Management.

6. Users continue to configure the other initial settings on their device.

7. In the home screen, users might be prompted to sign in to the Apple App Store so that they can download Citrix Secure Hub.

   Note:

   This step is optional if you configure Endpoint Management to deploy the Secure Hub app using the device-based volume purchase app assignment. In this case, you don’t need to create an Apple App Store account or use an existing account.

   

8. Users open Secure Hub and type their credentials. If required by the policy, users might be prompted to create and verify a Citrix PIN.

   Endpoint Management deploys any remaining required apps to the device.

Reenroll the ADP-enabled devices

ADP-enabled devices enroll from a factory reset condition. To reenroll an ADP-enabled device, you must first complete a full wipe to unenroll the device. Detailed steps are as follows:

1. On the Manage > Devices page, select the device.
2. Click Security.
3. Click Full Wipe to unenroll the device to the factory reset condition.
4. Start the device.

Important:

Do not use Selective Wipe to unenroll an ADP-enabled device because ADP enrollment requires the device in the factory reset condition.

Deploy devices using Apple Configurator 2

You can use Apple Configurator 2 to deploy large numbers of devices with settings, apps, and data and enroll these devices in Endpoint Management.

Step 1: Configure settings in Endpoint Management

1. In the Endpoint Management console, go to Settings > Apple Configurator Device Enrollment.

   

2. Set Enable Apple Configurator device enrollment to Yes.

3. Copy the Enrollment URL to enter in Apple Configurator setting and paste this URL when you configure settings in Apple Configurator 2. This setting provides the URL for the Endpoint Management server that communicates with Apple. The enrollment URL is the Endpoint Management server fully qualified domain name (FQDN), such as mdm.server.url.com, or the IP address.

4. To prevent unknown devices from enrolling, set Require device registration before enrollment to Yes. Note: If this setting is Yes, you must add the configured devices to Manage > Devices in Endpoint Management manually or through a CSV file before enrollment.

5. To require users of iOS devices to enter their credentials when enrolling, set Require credentials for device enrollment to Yes. The default is No.

   Note:

   If the Endpoint Management server is using a trusted SSL certificate, skip this step. Click Export anchor certs and save the certchain.pem file to the macOS keychain (login or System).

   

Step 2: Configure settings in Apple Configurator 2

1. Prepare a Mac that runs macOS 10.7.2 or later and has Apple Configurator 2 installed.

2. Use a Dock Connector-to-USB cable to connect Apple devices to the Mac. You can configure up to 30 connected devices simultaneously. If you do not have a Dock Connector, use one or more powered USB 2.0 high-speed hubs to connect the devices.

3. Start Apple Configurator 2. The configurator shows any devices that you can prepare for supervision.

4. To prepare a device for supervision:

   • Select Supervise devices if you intend to maintain control of the device by reapplying a configuration regularly. Click Next.

     Important:

     Placing a device into Supervised mode installs the selected version of iOS on the device, completely wiping the device of any previously stored user data or apps.

   • In iOS, click Latest for the latest version of iOS that you want to install.

5. In Enroll in MDM Server, choose an MDM server. To add a server, click Next.

6. In Define an MDM server, provide a name for the server and paste the MDM server URL from the Endpoint Management console.

7. In Assign to organization, choose an organization to supervise the device.

   For more information on preparing devices with Apple Configurator 2, see the Apple Configurator help page, Prepare devices.

8. As each device is prepared, turn it on to start the iOS Setup Assistant, which prepares the device for first-time use.

Add devices to ABM or ASM using Apple Configurator 2

You can add iPhone, iPad, and Apple TV devices to your ABM or ASM account using Apple Configurator 2 regardless of where the devices were bought. After you add devices, they appear in the Devices section. These devices no longer include enrollment settings assigned through Apple Configurator 2. For more information, see the Apple Business Manager User Guide or Apple School Manager User Guide.

Renew the ADP token

Endpoint Management displays a license expiration warning when your ADP token expires. Replace the token from ASM or ABM.

Step 1: Download a public key from your Endpoint Management server

1. In the Endpoint Management console, go to Settings > Apple Deployment Program to download a new public key.

Step 2: Create and download a server token file from your Apple account

1. Sign in to ABM to download the token.

2. Open Settings and select the server from which you need a token. Click Edit.

3. Under MDM Server Settings, upload the new public key you downloaded from Endpoint Management and save the changes.

4. Click Download Token to download the new token.

Step 3: Upload a server token file in Endpoint Management

1. In Citrix Endpoint Management, go to Settings > Apple Deployment Program.

2. Select the Deployment Program account, click Edit, and upload your server token file.

3. Click Next and save the changes.