UniFi Identity Enterprise - Enrolling Devices in MDM
Notes: To enroll Macs, please set up Apple Push Notification Service (APNs) first.
Once a device is enrolled:
- A Desktop Agent will be automatically installed on the MDM-enrolled Mac or Windows PC. Admins can then control the device remotely through the Desktop Agent, which sends device status and updates to the UniFi Identity Enterprise Server automatically.
- The device type will be Corporate-Owned, its status will be Active, and its MDM status will be Supervised. You can manually change the device’s type to BYOD as needed. The device's MDM status will not change if the type is changed. See Understand the Device and MDM Status.
Device Requirements
Windows
- OS: Windows 10 or later
- Edition:
  - Education: Windows Education, Windows Education N, and Windows 10 Pro Education
  - Enterprise: Windows Enterprise, Windows Enterprise E, Windows Enterprise Evaluation, Windows Enterprise N, Windows Enterprise N Evaluation, Windows Enterprise 2015 LTSB, Windows Enterprise 2015 LTSB Evaluation, Windows Enterprise 2015 LTSB N, and Windows Enterprise 2015 LTSB N Evaluation
  - Workstations: Windows Pro for Workstations and Windows Pro for Workstations N
  - Pro: Windows Pro and Windows Pro N.
macOS
- OS: macOS 10.15 or later
iOS
- OS: iOS 10.3 or later.
Apple tvOS
- OS: tvOS 10.2 or later.
- macOS device with Apple Configurator 2.5 or later.
- Ensure both the Mac and Apple TV are connected to the same Ethernet or Wi-Fi network.
Enroll by Me
Admins can download macOS profile files or use a magic link for Windows PC to enroll users’ devices. Admin enrollment is an ideal method for enrolling only one or a few devices.
Enroll Mac
- On the Mac you want to enroll, sign in to your Identity Enterprise Manager (https://[your workspace domain].ui.com/cloud).
- Go to Trusted Devices > Devices.
- Click the "+" icon and go to Enroll by Me.
- Select Mac in Device Type.
- Click Download MDM Profile.
- Open the downloaded file.
- Do either of the following per your device’s version:
  - macOS Ventura 13: Go to Apple menu > System Settings > Privacy and Security > Profiles > Downloaded.
  - macOS Monterey 12: Go to Apple menu > System Preferences > Profiles > Downloaded.
- Click the profile, review the profile contents, and click Continue, Install, or Enroll to install the profile. You may be prompted for a password or other information during the installation.
- Once a profile is installed, the device will be automatically assigned to the admin who enrolled it. The MDM policies assigned to the admin will also be applied to the enrolled device.
- Return to the Identity Enterprise Manager and specify the following fields:
  - Device Name: Enter the device name. The device name may not be editable if the device has a policy applied with the "Rename devices using a specific format" feature enabled.
  - Assign to: Select the user to whom the enrolled device is assigned.
- Click Save to finish.
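The "review the profile contents" step above can also be done on the downloaded file before it is opened. The following is an added example, not UniFi's own code: a Python check that reads an unsigned .mobileconfig and flags MDM endpoints that are not HTTPS or not on a host you expect. The sample profile, its host names and the expected_hosts allowlist are constructed assumptions; this page does not state the MDM server URL, so supply the hosts you expect for your workspace.

```python
import plistlib
from urllib.parse import urlparse

# Constructed sample, not a real UniFi profile: a minimal unsigned MDM
# enrollment profile. Host names and paths are placeholders.
SAMPLE_PROFILE = b"""<?xml version="1.0" encoding="UTF-8"?>
<plist version="1.0"><dict>
  <key>PayloadType</key><string>Configuration</string>
  <key>PayloadDisplayName</key><string>Sample MDM Enrollment</string>
  <key>PayloadContent</key><array><dict>
    <key>PayloadType</key><string>com.apple.mdm</string>
    <key>ServerURL</key><string>https://example-workspace.ui.com/mdm/server</string>
    <key>CheckInURL</key><string>http://checkin.example.net/mdm/checkin</string>
  </dict></array>
</dict></plist>"""


def review_mdm_profile(data, expected_hosts):
    """Return a list of findings for the MDM payload in a .mobileconfig."""
    try:
        profile = plistlib.loads(data)
    except plistlib.InvalidFileException:
        # A signed profile is a CMS (DER) envelope, not a bare plist.
        return ["not a plain plist (signed profile?): unwrap the CMS envelope first"]
    payloads = profile.get("PayloadContent", [])
    mdm = [p for p in payloads if p.get("PayloadType") == "com.apple.mdm"]
    if len(mdm) != 1:
        return [f"expected exactly one com.apple.mdm payload, found {len(mdm)}"]
    findings = []
    if "ServerURL" not in mdm[0]:
        findings.append("ServerURL missing")
    # CheckInURL is optional; when absent the device checks in at ServerURL.
    for key in ("ServerURL", "CheckInURL"):
        url = mdm[0].get(key)
        if url is None:
            continue
        parsed = urlparse(url)
        if parsed.scheme != "https":
            findings.append(f"{key} is not HTTPS: {url}")
        if parsed.hostname not in expected_hosts:
            findings.append(f"{key} host not expected: {parsed.hostname}")
    return findings


if __name__ == "__main__":
    for finding in review_mdm_profile(SAMPLE_PROFILE, {"example-workspace.ui.com"}):
        print("FINDING:", finding)
```

An empty list means both endpoints use HTTPS and sit on an expected host; it does not validate the profile's signature.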
Enroll Windows PC
- Go to Trusted Devices > Devices.
- Click the "+" icon and go to Enroll by Me.
- Select Windows in Device Type.
- Do either of the following:
  - To enroll the current Windows PC, click Enroll Current Device.
  - To enroll another Windows PC, click Copy Link and open the link on the desired device.
- Click Next.
- Return to your Identity Enterprise Manager, and go to Trusted Devices > Devices to view the enrolled device and assign it to a user.
Enroll iPhone
- Go to Trusted Devices > Devices.
- Click the "+" icon and go to Enroll by Me.
- Select iOS in Device Type.
- Use the Camera app on your iOS device to scan the QR code displayed in UniFi Identity Enterprise Manager. Your workspace domain will appear; tap it to proceed. If you cannot scan the QR code, copy the link provided in the instructions and open it in your iOS device's browser.
- Tap Allow to download the MDM profile on your device.
- Open the Settings app on your device and tap Profile Downloaded.
- Tap Install in the upper right corner, verify your identity, and tap Install > Trust.
- When the profile is installed, go to Identity Enterprise Manager > Trusted Devices > Devices to manage your device. To restart or power off the device remotely, you must enable Apple device supervision.
Enroll Apple TV
- Go to Trusted Devices > Devices.
- Click the "+" icon and go to Enroll by Me.
- Select Apple TV in Device Type.
- Download the latest Apple Configurator to your Mac.
- Ensure both the Mac and Apple TV are connected to the same Ethernet or Wi-Fi network.
- Click Download MDM Profile in your Identity Enterprise Manager.
- Launch Apple Configurator on your Mac.
- Select Paired Devices from the Apple Configurator menu, then select Apple TV and click Pair.
- Enter the six-digit PIN displayed on your Apple TV screen. Alternatively, connect your Apple TV to your Mac using a USB cable.
- Select your Apple TV from the Apple Configurator devices window and click Add > Profiles.
- Select the MDM profile you downloaded from your Identity Enterprise Manager (Step 6 of this procedure) and click Add. This will install the MDM configuration file on your Apple TV.
- When the profile is installed, go to Identity Enterprise Manager > Trusted Devices > Devices to manage the device. To restart the device remotely, you must enable Apple device supervision.
Invite Users to Enroll
Users have two methods to enroll their devices.
- Admins can invite users to enroll their Mac, Windows PC, iPhone, and Apple TV by themselves.
- Users can go to their Identity Enterprise Workspace > DOWNLOAD to enroll their Mac or Windows PC.
Once a user completes the device enrollment process, an enrollment request will be sent to the enrollment approvers via push notifications. The request must be approved for successful MDM enrollment.
Add or Remove Device Enrollment Approvers
Notes
- The workspace owner is set as a device enrollment approver by default. You can remove them anytime.
- Devices enrolled by admins do not require enrollment request approval.
- Go to Trusted Devices > MDM Settings > Advanced > Device Enrollment Approver.
- Hover your mouse over an approver and click the Trash icon to remove them, or click Select Approver to add more approvers.
Invite Users to Enroll
This method allows you to bulk invite users to enroll their Macs or Windows PCs. UniFi Identity Enterprise will send the instructions via emails and push notifications to the selected users and groups.
- Click the "+" icon and select Invite User to Enroll.
- Select device types.
- Click Select User to select the users or groups required to enroll their devices.
- Tick the "Exclude the users already assigned with MDM-enrolled devices" checkbox if you selected a group but want to exclude the users who have already been assigned MDM-enrolled devices.
- Click Send Instructions to send the enrollment instructions to the selected users via email and push notifications.
- Once a user completes the device enrollment process, their enrollment request will be sent to the enrollment approvers via push notifications. The device can be used as usual before the request is approved.
Approve or Reject Enrollment Requests
Method 1
- Go to your Identity Enterprise Workspace, Manager, or app > Notifications > All Notifications > Trusted Devices.
- Click Approve or Reject.
Method 2
- Go to your Identity Enterprise Manager > Trusted Devices > Devices.
- Hover over a device whose status is Pending Approval, and click Approve or Reject.