Skip to main content
Cisco Meraki Documentation

Enrolling and Supervising iOS Devices using Apple Configurator 2.5 or Later

  1. Last updated
  2. Save as PDF

NOTE: All references to iOS in this article can be considered to include iPadOS

 

Meraki Systems Manager provides administrators the ability to mass enroll and supervise devices using Apple Configurator, a macOS application. Apple Configurator 2 allows for mass configuration of iOS 11+ devices while physically connected to a Mac computer. A USB hub can be used to configure dozens of devices at once. Follow these links to download the application, and view more Apple Configurator documentation.

 

With Apple Configurator 2.5 or later, Apple has allowed the use of the Automated Device Enrollment (ADE) for automatic enrollment into Meraki Systems Manager, which can be used to speed up the process into a no-touch experience for mass enrollment of devices. ADE is accessible to all devices in the Apple Business Manager and Apple School Manager portals. Alternatively, if your iOS devices are not in Apple's ADE, you can use the manual enrollment method by configuring your Systems Manager MDM Server in Apple Configurator via enrollment URL, or provisionally move non-ADE devices into an existing ADE account! This article will cover both Apple Configurator 2.5 MDM enrollment options in detail: ADE automatic enrollment method and manual enrollment methods. 

iOS devices that are using Apple's Automated Device Enrollment (ADE) can be supervised and enrolled over-the-air anytime they are factory reset. ADE is the best way to permanently force your devices to be owned and managed by your organization, and it is important to assign your ADE settings properly before deployment. 

Device Supervision

During the enrollment process, it is possible to supervise iOS devices. Supervision enables many additional features including restrictions, which you can find listed in the Meraki Dashboard under Systems Manager > Manage > Settings > Restrictions > iOS restrictions (supervised).

If your iOS devices are not currently Supervised, they will be required to be factory reset to become Supervised. Therefore, it is recommended to Supervise devices (if desired) prior to performing any configuration or providing the device to users. Supervision steps are covered in detail in the guide below. 

Prerequisites

  • Apple Configurator 2.5 or greater

  • macOS 14 or greater

  • iOS device(s) powered up and physically connected to Mac

  • The Mac and iOS device(s) are not locked

  • Internet access with unblocked access to Apple and Meraki Systems Manager

    • Refer to Help > Firewall info for a list of ports and IP addresses

  • For Automatic enrollment: iOS devices must be in Apple’s ADE program. 

Access to the internet is critical to the enrollment process. If an iOS device is not able to contact Meraki Systems Manager when trying to enroll, it will be unable to complete the process and/or receive any additional profiles and apps. 

Apple Configurator 2.5+ Automatic Enrollment

Automatic Enrollment through Apple Configurator only works on iOS devices that are in Apple’s Automated Device Enrollment (ADE), and allows you to pre-provision wireless settings on devices to seamlessly enroll during the device's setup assistant. Please be sure to add your Apple ADE account to Meraki Systems Manager before beginning this process, and ensure your devices are visible in Systems Manager > Manage > ADE.

If devices are not currently in Apple's Device Enrollment Program, please follow the steps for the Apple Configurator 2.5 - Manual Enrollment later in this guide. 

  1. Open your Meraki Dashboard and go to Systems Manager > Manage > ADE.   

  2. Checkmark the devices you want to assign ADE settings.

  3. Click on Assign settings.
    clipboard_e3a0a6c0e41ea867e1348be4c70b31477.png
     

  4. If you have an existing setting profile created, select it from the dropdown. Otherwise, create a new one and complete the fields/selections that appear in the setup 

    For a full explanation of ADE setting options check out this article.

    For a full zero touch automatic device setup, it is recommended to select "Skip all steps". 

  5. Click Assign. Now you will see these devices change to have an orange “Assigned” status next to it. The device is currently waiting to be turned on for the first time, or to be factory reset so it can activate with Apple and receive the new ADE settings.
    clipboard_eca4701614b57e82d942950a7734e8d69.png
     

  6. Download and open Apple Configurator 2.5 on a Mac OS X workstation.  Connect your iOS devices to your workstation via USB, they should automatically appear in Apple Configurator. Highlight the devices you want to automatically enroll in Apple Configurator 2 and click on Actions > Prepare…
    Screen Shot 2017-09-27 at 9.01.01 AM.png

  7. Choose Prepare with: Automatic Enrollment. Click Next
    Screen Shot 2017-09-27 at 9.01.14 AM.png
     

  8. [Optional] Upload a wireless profile, so the iOS device(s) can automatically connect to an SSID in range.

    8.png

    For a true automatic / no touch enrollment, Step 8 is very important! 

    To create a wifi profile in Apple Configurator 2, go to File > New Profile, and add your wifi settings. Save this profile as a .mobileconfig file then upload it during Step 8. 

    It is necessary to add a wifi profile during this step so each iOS device can communicate to Apple to activate and complete the automatic ADE settings assignment for automatic Meraki Systems Manager enrollment. 

  9. [Optional] If your Meraki Systems Manager enrollment requires User Authentication (SM > Configure > General), you may input your username/password here to automatically enroll and assign a device user. If these fields are left blank, the device will prompt for username/password credentials during the provisioning process.
    9.png

  10. Apple Configurator will now download the latest iOS version from Apple and install it on the connected devices. Be patient while the latest iOS version downloads and installs.

  11. These devices now contain the wifi profile as well as the Meraki Management enrollment profile. These devices will skip the steps chosen in Step 4. Once these devices are at their homescreen, they can have apps and profiles installed through Meraki Systems Manager. All your devices can now be managed in Systems Manager > Configure > Devices.

 

At this point, the automatic enrollment process is complete - your devices are now managed and ready to be distributed to end users!

Apple Configurator 2.5+ Manual Enrollment

Manual Enrollment is the way to enroll iOS devices not currently in Apple’s Automated Device Enrollment (ADE). First we will cover how to setup your organization and server in Apple Configurator. Then, Apple Configurator go through the Manual Enrollment process to factory erase the device(s) and supervision and enroll into your Meraki Systems Manager dashboard. 

New In Apple Configurator 2.5 and iOS 11: You can now move non-ADE devices into an existing ADE account! This is an optional step during the Manual Enrollment process to move non-ADE devices into your current ADE account.

If you do not have a ADE account, you can still enroll & supervise devices through the manual enrollment process. 

Create Organization and Supervision Identity

  1. Go to Apple Configurator in the menu bar and choose "Settings"
    Apple Configurator Settings.png
  2. Click on the Organizations tab and click the “+” to add a new server.
     Screen Shot 2017-09-27 at 9.42.32 AM.png
  3. Sign in with an Apple ID.
    Screen Shot 2017-09-27 at 9.42.39 AM.png
    If you want to move a non-ADE device into your ADE account, be sure to sign in with your Apple Business Manager or Apple School Manager Apple ID during this step, so the supervision identity can be pulled from Apple automatically. If not, Skip this step and manually fill in your Name, Phone, Email, and Address on the next page.
     
  4. Generate a new supervision identity.

    The supervision identity will be pulled automatically from your Apple ID if the Apple ID you signed in with on Step 3 is a "device enrollment manager" account role for Apple Business Manager or Apple School Manager. 
    Screen Shot 2017-09-27 at 9.57.31 AM.png

Add MDM Server URL 

  1. Go to Apple Configurator in the menu bar and choose "Settings"

  2. Click on the Servers tab.   

  3. Click the “+” to add a new server.  

  4. Define your MDM Server:

    • Name: Any name you choose.

    • Hostname or URL: Enrollment URL copied from your Meraki Dashboard found in Systems Manager > Manage > Add Devices > iOS > Apple Configurator > Enrollment URL (AC2+)
      2-4.png

  5. You have now successfully configured your Systems Manager MDM Server. Close this window and now you can begin the Manual Enrollment process. 
    Screen Shot 2017-09-27 at 11.26.08 AM.png
     

Manual Enrollment - Add device(s) to Automated Device Enrollment (ADE)

Now that you have added the organization's supervision identity and MDM server URL, you are ready to being the manual enrollment process. New to iOS 11 and Apple Configurator 2.5+ is the ability to move non-ADE devices into an existing ADE account. These steps will show you this process.

Note that after initially adding devices into ADE through Apple Configurator, there is a 30-day provisional period where the management profile can still be removed. After this period, the management profile will no longer be removable.

If you do not have an ADE account, skip this section and move to the Manual Enrollment - Enrollment & supervision without Apple Automated Device Enrollment (ADE) section further below. 

 

  1. Plug your iOS devices to the Mac running Apple Configurator 2.5+. Click the device you would like to enroll and go to the menu bar and choose Actions > Prepare...
    Screen Shot 2017-09-27 at 10.37.28 AM.png
     

  2. Choose Prepare with: Manual Configuration

    If you signed into a ADE account in "Create Organization and Supervision Identity" - Step 3 (above), you can check the new Add to Automated Device Enrollment option. This is a new feature for iOS 11 and Apple Configurator 2.5+ that allows you to move non-ADE devices into your existing ADE account. If you do not have an ADE account with Apple (Apple Business Manager / Apple School Manager), leave the Add to Automated Device Enrollment checkbox unchecked. 

    Furthermore, if you have a school.apple.com account as your ADE account, you can enable Shared iPad mode. Screen Shot 2017-09-27 at 1.25.14 PM.png

    Supervision will allow many additional restrictions to be added to devices in Meraki later.

    The Allow devices to pair with other computers option will not allow these iOS devices to connect to other computers via USB cable. If you do not allow pairing here, they will be undetectable to other computers via iTunes, Apple Configurator, or any USB data detection. 

    Click Next
     

  3. Choose your Meraki MDM Server (set up in the Add MDM Server URL steps above).
    Screen Shot 2017-09-27 at 10.37.55 AM.png
    Click Next.
     

  4. Choose the organization that you want to have supervision of these devices. org.png
    Click Next
     
  5. Choose what steps you would like the initial iOS Setup Assistant to skip.

    Screen Shot 2017-09-27 at 12.21.30 PM.png
    Click Next.
     
  6. If you selected 'Activate and complete enrollment' in step 2, upload a .mobileconfig wireless profile so the device can automatically connect to an SSID in range and be self-configured with Apple and Meraki.
    Screen Shot 2017-09-27 at 12.21.14 PM.png
    Click Next
     
  7. If your Meraki Systems Manager network requires enrollment authentication (SM > Configure > General), input your username/password here. If not, leave these fields blank.
    4-7.png
    Click Prepare.

    Screen Shot 2017-09-28 at 8.32.46 AM.png
    You may be asked to re-authenticate the ADE account's Apple ID during this step, so the device(s) can be successfully moved into this ADE account with Apple. 

    Apple Configurator will now download the latest iOS version from Apple and install it on the connected device(s). iOS 11+ is required for this process to complete. Be patient while the latest iOS version downloads and installs. All devices will now be prepared and all data saved on the device will be lost during this process. 
     
  8. After this process completes, login to the Apple Business Manager or Apple School Manager portal and access "Assignment History." You will find the iOS device(s) assigned to a new “Devices Added by Apple Configurator 2” MDM server.

    clipboard_e069ef67150b8687bb95fc5465e2794ee.png
  9. In the Apple Business Manager or Apple School Manager portals, click on "Device Assignments" to assign all devices to your Meraki MDM server
  10. A 30 day provisional period begins when the device is subsequently activated. During the 30 day provisional period the lock screen and setup assistant on the device(s) indicate that it is provisionally enrolled. End users can remove the device(s) from ADE during this provisional period (which also factory erases the device). However, after the 30 days provisional period expires, end users can no longer remove the device(s) from ADE. 

Devices are now ready to go through the Automatic Enrollment steps detailed in the "Apple Configurator 2.5+ Automatic Enrollment" section above. Our video "Systems Manager Tutorial: Assigning Settings in DEP" can be used at this stage, note some terminology and UI may vary. For more information on over-the-air ADE enrollment, reference the "Assigning Settings" section of our "Apple Automated Device Enrollment (ADE)" document.

Manual Enrollment - Enrollment & supervision without Apple Automated Device Enrollment (ADE)

Now that you have added the Organization's supervision identity and MDM server URL, you are ready to being the manual enrollment process. If you want to simply supervise and enroll devices with Apple Configurator, you can easily do this without access to a Apple Automated Device Enrollment account. 
 

  1. Plug your iOS devices to the Mac running Apple Configurator 2.5+. Highlight the device you would like to enroll and go to the menu bar and choose Actions > Prepare...
    Screen Shot 2017-09-27 at 10.37.28 AM.png
     

  2. Choose Prepare with: Manual Configuration
    Screen Shot 2017-09-27 at 10.37.42 AM.png

    Supervision will allow many additional restrictions to be added to devices in Meraki later. 

    The Allow devices to pair with other computers option will not allow these iOS devices to connect to other computers via USB cable. If you do not allow pairing here, they will be undetectable to other computers via iTunes, Apple Configurator, or any USB data detection. 

    Click Next
     

  3. Choose your Meraki MDM Server (set up in the Add MDM Server URL steps above).
    Screen Shot 2017-09-27 at 10.37.55 AM.png
    Click Next.
     

  4. Choose the Organization that you want to have Supervision of these devices. org.png
    Click Next
     
  5. Choose what steps you would like the initial iOS Setup Assistant to skip.
    Screen Shot 2017-09-27 at 10.38.33 AM.png
    Click Prepare.
     
  6. Apple Configurator will now download the latest iOS version from Apple and install it on the connected devices. Be patient while the latest iOS version downloads and installs. All devices will now be prepared with these settings, which requires a device factory reset. All data saved on the device will be lost. 
     
  7. Now, your devices will be at their iOS initial setup assistant "Hello" screen. You will need to configure each iOS device from here one by one, just so it can connect to wifi and receive the enrollment profile. Slide to set up. 
     
  8. Choose a wifi network in range for device to connect to. 
     
  9. The iOS device will now show a Remote Management page during the iOS Setup Assistant. Apply configuration here and you will be enrolled in Systems Manager.
     AC2-5.png
  10. After you Apply configuration and get to the Homescreen of the device, it is now enrolled. Look for this client in Systems Manager > Monitor > Devices, and begin mobile device management!
    db.png