iOS Enrollment
Before you enroll iOS devices, make sure you have an Apple Push Certificate set up in your Dashboard organization.
Prerequisites
- SM Administrator: Full Organization Admin or SM Network Admin: Systems Manager > Configure > General > Network Administrators
Certifications Used for SM Deployment
This document shows the different certification types and the purpose of each certificate.
Access Rights
By default, Systems Manager grants administrators the maximum level of control available over your Apple devices upon enrollment. However, in certain bring-your-own-device (BYOD) environments where the device is personally owned, device owners may not want administrators to have this level of control over their personal devices.
Systems Manager can be customized to meet the needs of different deployment models by changing the permissions of what can be retrieved from or sent to the device. It is important to note that Access Rights must be set before devices are enrolled; changes made after enrollment will only take effect if a device is re-enrolled.
Access rights limitations can be found in Configure > General. See the General Systems Manager Configuration article for more info.
Supervised vs. non-Supervised
Device supervision is an important concept to understand when enrolling iOS devices in an EMM solution like Systems Manager. Supervising your iOS devices allows Systems Manager to manage many additional device settings, like locking a device into a single app, specifying a homescreen layout, or restricting access to additional apps like iMessage.
Enrolling your devices in supervised mode is typically recommended if your devices are organization-owned, or if you want to have deeper levels of control over your devices. Note that supervising a device requires either setting up devices as new, or factory resetting existing devices.
There are two options for supervision: ADE and Apple Configurator.
Automated Device Enrollment (ADE)
ADE allows you to permanently manage your organization's macOS, iOS, and tvOS devices. Your devices need to qualify for Apple's program to use this method, but it grants you the most control over your devices. For example, ADE allows you to make MDM enrollment mandatory and unremovable, and it enrolls devices into Systems Manager automatically during the initial device setup.
Please reference our ADE deployment guide for information on how to link your account and supervise devices with ADE.
Apple Configurator
Apple Configurator can be used to bulk configure and deploy iOS devices for both supervised and unsupervised methods of enrollment. Both methods require you to connect your iOS devices to a macOS computer for setup. For supervised deployment via Apple Configurator, the administrator must use a managed Apple Business/School Manager account with administrative privileges to prepare the device. Please ensure the device has been added to the Apple Server (ABM/ASM) and assigned to the Meraki MDM server so that it syncs successfully to our MDM solution.
Please reference our documentation for instructions on using Apple Configurator 2.5 and later or Apple Configurator 2.0.
Note: Although iOS can be managed without the use of the Systems Manager app, additional features (e.g. GPS location, jailbreak detection) require the app. It can also be used for manual enrollments. See the related article for more information.
Unsupervised or Non-Supervised Enrollment
For unsupervised enrollment, administrators will have limited management of their enrolled iOS devices and limited MDM features to deploy remotely. This enrollment type does not require the administrator to associate an Apple Business/School Manager account to complete enrollment.
To manually enroll a device without supervising it, navigate to Systems Manager > Manage > Add Devices in Dashboard.
Here are the different methods of non-supervised deployment.
Mobile Browser
- From the device's Safari browser, open: enroll.meraki.com
- Enter your ten-digit Network ID found in the Dashboard: XXX-XXX-XXX
- Press Register.
- If using SM Enrollment Authentication, follow the prompts accordingly.
- Open the iOS "Settings" app and tap on the downloaded profile.
- Follow the prompts to install the profile.
- You are now done!
Systems Manager iOS App
By clicking on the iOS App link, you will be prompted to scan a QR code or manually enter the Network ID for your network. If using SM Enrollment Authentication, follow the prompts accordingly.
User Email or SMS Enrollment Link
Administrators can also email or text the end user an enrollment link that will direct them to our self-service portal to complete enrollment. If using SM Enrollment Authentication, follow the prompts accordingly. This method allows you to pre-configure a tag to be applied upon registration.
Systems Manager > Add devices > iOS
Apple Configurator
Another way to enroll unsupervised iOS devices in SM is to use the Apple Configurator application via manual setup. Apple Configurator is available as both a macOS and an iOS app.
macOS Apple Configurator Application
iOS Apple Configurator Application
Apple User Enrollment
Apple User Enrollment is a method of iOS and macOS enrollment aimed at allowing organizations to securely deliver business content to end users’ devices while protecting end users’ privacy and data. Follow the steps in our documentation to enroll or unenroll devices from Apple User Enrollment using Meraki Systems Manager.
Endpoint Management Enrollment SSID
You can also use SM Sentry to force iOS, Android, Windows, and Mac devices to enroll in Systems Manager for an efficient mass deployment or BYOD. When enabled on a given SSID for a Cisco Meraki wireless access point, Sentry facilitates the secure and rapid onboarding and deployment of SM to mobile devices. For more information on Endpoint management enrollment, please visit the following page.