UniFi Identity Enterprise - Enroll Devices and Manage Device Enrollment Approvers

Note: To enroll Macs, set up Apple Push Notification Service (APNs) first.

Once a device is enrolled:

  • A Desktop Agent will be automatically installed on the device. Admins can then control the device remotely through the Desktop Agent, which sends device status and updates to the UniFi Identity Enterprise Server automatically.
  • The device type will be Corporate-Owned, its status will be Active, and its MDM status will be Supervised. You can manually change the device’s type to BYOD as needed. The device's MDM status will not change if the type is changed. See "Understand the Device and MDM Status".

Device Requirements


  • OS: Windows 10 or later
  • Edition:
    • Education: Windows Education, Windows Education N, and Windows 10 Pro Education
    • Enterprise: Windows Enterprise, Windows Enterprise E, Windows Enterprise Evaluation, Windows Enterprise N, Windows Enterprise N Evaluation, Windows Enterprise 2015 LTSB, Windows Enterprise 2015 LTSB Evaluation, Windows Enterprise 2015 LTSB N, and Windows Enterprise 2015 LTSB N Evaluation
    • Workstations: Windows Pro for Workstations and Windows Pro for Workstations N
    • Pro: Windows Pro and Windows Pro N


  • OS: macOS 10.15 or later

Enroll by Admin

Admins can enroll users’ devices by downloading a macOS profile file for Macs or by using a magic link for Windows PCs. Admin enrollment is an ideal method for enrolling only one or a few devices.

Enroll Mac

  1. On the Mac you want to enroll, sign in to your Identity Enterprise Manager (https://[your workspace domain].ui.com/cloud).
  2. Go to Trusted Devices > Devices.
  3. Click the "+" icon.
  4. In the Enroll by Whom field, select "By Admin".
  5. Select "Mac" in Device Type.
  6. Click Download MDM Profile.
  7. Open the downloaded file.
  8. Do either of the following per your device’s version:
    • macOS Ventura 13: Go to Apple menu > System Settings > Privacy and Security > Profiles > Downloaded.
    • macOS Monterey 12: Go to Apple menu > System Preferences > Profiles > Downloaded.
  9. Click the profile, review the profile contents, and click Continue, Install, or Enroll to install the profile. You may be prompted for a password or other information during the installation.
  10. Once a profile is installed, the device will be automatically assigned to the admin who enrolled it. The MDM policies assigned to the admin will also be applied to the enrolled device.
  11. Return to the Identity Enterprise Manager and specify the following fields:
    • Device Name: Enter the device name. The device name may be left unedited if a policy with the "Rename devices using a specific format" feature enabled is applied to the device.
    • Assign to: Select the user to assign the enrolled device to.
  12. Click Save to finish.
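
Step 9 asks you to review the profile contents before installing. The following Python script is an added example, not UniFi's own code: it parses a downloaded .mobileconfig and reports whether the MDM payload's ServerURL and CheckInURL (Apple's standard MDM payload keys) use HTTPS and point to the host you expect. The sample profile and the host mdm.example.com are constructed, and expected_host is an assumption you supply.

```python
import plistlib
from urllib.parse import urlparse

# Constructed sample of an unsigned MDM enrollment profile (not a real UniFi profile).
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE plist PUBLIC "-//Apple//DTD PLIST 1.0//EN" "http://www.apple.com/DTDs/PropertyList-1.0.dtd">
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.mdm</string>
    <key>ServerURL</key><string>https://mdm.example.com/server</string>
    <key>CheckInURL</key><string>https://mdm.example.com/checkin</string>
    <key>AccessRights</key><integer>8191</integer>
  </dict></array>
</dict></plist>"""

def load_profile(raw: bytes) -> dict:
    """Parse a .mobileconfig. A signed profile wraps the plist in CMS, so fall
    back to extracting the embedded XML. This does NOT verify the signature."""
    try:
        return plistlib.loads(raw)
    except Exception:
        start, end = raw.find(b"<?xml"), raw.rfind(b"</plist>")
        if start < 0 or end < 0:
            raise ValueError("no property list found in profile")
        return plistlib.loads(raw[start:end + len(b"</plist>")])

def review_mdm_profile(raw: bytes, expected_host: str) -> list[str]:
    """Return a list of findings; an empty list means nothing unexpected."""
    profile = load_profile(raw)
    mdm = [p for p in profile.get("PayloadContent", [])
           if isinstance(p, dict) and p.get("PayloadType") == "com.apple.mdm"]
    if len(mdm) != 1:
        return [f"expected exactly one com.apple.mdm payload, found {len(mdm)}"]
    findings = []
    for key in ("ServerURL", "CheckInURL"):
        value = mdm[0].get(key)
        if value is None and key == "CheckInURL":
            continue  # optional key; check-ins then go to ServerURL
        url = urlparse(str(value or ""))
        if url.scheme != "https":
            findings.append(f"{key} is missing or not https")
        elif url.hostname != expected_host:
            findings.append(f"{key} points to {url.hostname}, expected {expected_host}")
    return findings

if __name__ == "__main__":
    print(review_mdm_profile(SAMPLE_PROFILE, "mdm.example.com") or "no findings")
```

An empty result only means the URLs match what you expected; the signer shown in the macOS profile installation dialog still needs to be checked by eye.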

Enroll Windows PC

  1. Go to Trusted Devices > Devices.
  2. Click the "+" icon.
  3. In the Enroll by Whom field, select "By Admin".
  4. Select "Windows" in Device Type.
  5. Do either of the following:
    • To enroll the current Windows PC, click Enroll Current Device.
    • To enroll another Windows PC, click Copy Link and open the link on the desired device.
  6. Click Next.
  7. Return to your Identity Enterprise Manager, and go to Trusted Devices > Devices to view the enrolled device and assign it to a user.

Enroll by User

Users have two methods to enroll their devices.

  • Admins can invite users to enroll devices by themselves.
  • Users can go to their Identity Enterprise Workspace > DOWNLOAD to enroll their Mac or Windows PC.

Once a user completes the device enrollment process, an enrollment request will be sent to the enrollment approvers via emails and notifications. The request must be approved for successful MDM enrollment.

Add or Remove Device Enrollment Approvers


  • The workspace owner is set as a device enrollment approver by default. You can remove them anytime.
  • Devices enrolled by admins do not require enrollment request approval.
  1. Go to Trusted Devices > MDM Settings > Advanced > Device Enrollment Approver.
  2. Hover your mouse over an approver and click the Trash icon to remove them, or click Select Approver to add more approvers.

Invite Users to Enroll

This method allows you to bulk invite users to enroll their Macs or Windows PCs. UniFi Identity Enterprise will send the instructions via emails and push notifications to the selected users and groups.

  1. Go to Trusted Devices > Devices.
  2. Click the "+" icon.
  3. In the Enroll by Whom field, select "By User".
  4. Click Select User to select the users or groups required to enroll their devices.
  5. Tick the "Exclude the users already assigned with MDM-enrolled devices" checkbox if you selected a group but want to exclude users who have already been assigned MDM-enrolled devices.
  6. Click Send Instructions to send the enrollment instructions to the selected users via email and push notifications.
  7. Once a user completes the device enrollment process, their enrollment request will be sent to the enrollment approvers via email and push notifications. The device can be used as usual before the request is approved.