Getting started with Enrollment Configurations
Introduction
The following is a description of how to create and use enrollment configurations in CapaInstaller.
Enrollment configurations enable fast and easy enrollment of mobile devices for administration, according to the relevant business units and other company structures.
When enrolled via a specific enrollment configuration the device is sorted and categorized, ready for management, the second it is enrolled.
Requirements
Technical requirements
iOS specific requirements
Simple device enrollment: The default configuration
CapaInstaller enables administrators and users to enroll devices in a simple manner, right out of the box.
Enrolling devices are enabled by default via the Default Enrollment Configuration. Simply point an internet browser on the device, to the default enrollment URL.
https://<server>:443/cimdm/
This configuration is configured with AD authentication and devices enrolled will not be joined into any groups or have any asset tags applied. Enrolled devices will end up in the root of the "Computers and Devices" section among all your other non-sorted devices and computers.
To utilize the more powerful features of the Enrollment Configuration system administrators should clone the default configuration and create a set of new enrollment configurations fitting for the organization's enrollment needs.
Device enrollment: Creating your first Enrollment Configuration
Configuration dialog |
---|
When you open the configuration dialog it will only contain the general section, where you can specify a name, description, and enrollment ID. The enrollment ID will be a part of the enrollment URL and is limited to 15 characters. Once created the Enrollment ID string cannot be altered. You can add additional sections of settings to the configuration by clicking the buttons on the left side. Once added, they can be removed again by clicking the red x in the upper right corner of a section. |
In the location and groups section, you can choose where the target devices are placed in your CapaInstaller management infrastructure during enrollment.
First, you decide on a Management Point (CMP) and a Business Unit (BU), and then you can select a unit folder in either the CMP or BU.
Next, you can choose one or more groups in the CMP and/or BU that the devices should be made members of during enrollment.
This enables fine-grained sorting of devices enrolling in CapaInstaller. Sort units by Company, Location, Department or any other structural division your organization are built around.
If this option is not configured, devices will still be able to enroll, but like the default enrollment configuration, they will end up in the root of the "Computers and Devices" section among all your other non-sorted devices and computers in the default management point.
If you have added groups from a CMP or BU and later change to another CMP/BU, it will automatically clear the previously selected groups.
To offer even finer granularity in enrollment scenarios, and to support customers utilizing CapaInstaller Asset Management in identifying and describing company devices, this configuration option offers to assign asset tags to devices.
The asset tags which can be chosen here are created in Asset Management.
Click the Add button in the Asset tags panel to open the Asset Browser dialog.
You can select multiple values in the same entry to give the enrolling user a choice between them, or you can select only one value if you don't wish to give the user a choice.
The values you or the enrolling user chooses will be assigned to the enrolled devices.
If used in a DEP enrollment, the user will not be able to choose between multiple values, so those values will be ignored. DEP enrolled devices will only get tagged with the values where only one is selected in the same entry.
This option offers the possibility to secure enrollment with authentication and enables support for linking users to enroll devices.
Three authentication modes are offered.
- Active Directory
- Simple
- None
If you have no access to authentication via an Active Directory you can set up a simple user/password to be asked at the enrollment page prior to enrolling the device.
Linked user: Select existing users to link the device to or prompt for a username on the enrollment page. This option is available for Simple and None authentication modes. If AD authentication is chosen, the AD user enrolling the device will also be linked to the device.
Below is an example of a configuration with simple authentication chosen, and the user enrolling a device will be asked to supply a user name to be linked to the device.
Example of a configuration with no authentication selected, where all devices being enrolled using it will be linked to the same user:
Devices enrolled with this configuration option added will be placed in quarantine right after enrollment, and will wait for an Administrators approval before the rest of the configuration options are put into effect.
This will let you control and review enrollment of all devices enrolled via the configurations specific URL.
You can find the quarantined devices in Configuration Management in CMP->Views->Quarantined Units or CMP->Business Units->'Your BU'->Views->Quarantined Units.
If some devices have enrolled using this configuration and are currently in quarantine, and you then change the CMP or BU of the configuration, the devices will be moved from quarantine in the old CMP or BU, and into quarantine in the new one.
The MDM section has no impact on whether or not the configuration is active on your specific MDM service. Rather its function is to generate an enrollment URL consisting of the public URL of your MDM service and the Enrollment ID specified in the configuration.
Clicking the icon next to the MDM Enrollment URL will copy the URL to your clipboard, and you can then send it to users in a mail or paste it on your intranet etc so they can start enrolling their devices.
In the Volume Purchase Program section, you can select one of your VPP accounts and/or give the user the option to choose one during enrollment. Devices running iOS8 or higher, enrolled with this configuration, will receive an invitation to the selected VPP account. This will associate the Apple ID on the device with the VPP Account, once the user on the device accepts the invitation.
The combination of this VPP setting and which groups devices should be made members of, enables users to enroll their device, and without further actions from an administrator be able to receive licensed applications.
A possible enrollment scenario to take advantage of this:
Devices are made a member of a group that contains some licensed applications, which are configured to retrieve licenses from the same VPP account selected in this configuration. Once devices are enrolled, an invitation to VPP is sent and applications from the groups are assigned. The first attempt to install the licensed applications will result in the status 'Needs license key'. Once the user accepts the invitation sent to their device, they will be associated with the VPP account, and the system will periodically check and assign the license they need and attempt the installation again.
Cloning a device enrollment profile
Creating multiple Enrollment Configurations in a snap can be done with the "Clone" function on an existing Enrollment Configuration.
In 4 Steps the new Enrollment Configuration is ready:
- Simply right-click the Enrollment Configuration that you will use as the base for the new one and select "Clone".
- Change the values that you want to change
- Give it a new name
- Hit "OK" and you are done
Read more about:
/wiki/spaces/CIDD/pages/18943183253