
Within ABM, we currently have our main domain verified, company.com. Within the “Managed Apple Accounts” section of ABM, this domain is not ‘Locked’ and ‘Domain Capture’ is not set up. Jamf Support sent us steps on how to set up Account Driven Enrollment, which requires 3 steps.

  • Associate the domain with ABM (and verify it)
  • Set up Federated Authentication (following the instructions found here)
  • Host the Service Discovery JSON File

Jamf told us we should create a separate domain for this task, such as company-byod.com, and that we would be able to use it as a plain domain for user-initiated account driven enrollment. But unfortunately, when we try to add our IdP, it does not work.

After getting off the phone with ABM Support, they stated that we must lock the domain and turn on the domain capture process. While ‘Lock’ is available for the new domain (company-byod.com), the ‘Domain Capture’ option is not available. This is most likely due to no accounts being associated with that new domain (is that correct?).

My question to y’all is: Have you set up Account-Driven User Enrollment? And if so, have you done it using a different domain or subdomain, without affecting the ‘main’ domain?

Reference: https://learn.jamf.com/en-US/bundle/technical-articles/page/Prepare_for_Account-Driven_Enrollment_with_Managed_Apple_IDs_and_Service_Discovery.html

Wait, so do you want to use your primary domain?

I’d recommend setting up a subdomain for “personal” apple accounts such as paa.company.com.

The main domain (company.com) should be federated if you want to keep a consistent setup for your users.  The json should be located on your domain web-server here: /.well-known/com.apple.remotemanagement (leave off the file type ending).

This json will point the device to your MDM server.  Here’s an example for Intune:
{"Servers":[{"Version":"mdm-byod", "BaseURL":"https://manage.microsoft.com/EnrollmentServer/PostReportDeviceInfoForUEV2?aadTenantId=TENANTIDHERE"}]}

If you don’t have this json, it’s supposed to look against the ABM tenant that’s federated for the MDM.  

I haven’t configured all of this yet - I did something similar in our test environment and postured against Intune though, and it worked by what I said above - so take it with a grain of salt. Talk to Dr. K (Emily) at JAMF. She and Mitch are great resources. Well, Mitch is no longer at JAMF, but Dr. K is a great resource on this!

Check out their JNUC video from Austin:
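To sanity-check the service discovery file described in this reply before pointing devices at it, here is a small validator written for this thread (not Jamf’s, Apple’s or the poster’s code). The path and the "mdm-byod" Version string are taken from the reply; the sample body is constructed and keeps the TENANTIDHERE placeholder, and the check that the file is served as application/json is an assumption of this example.

```python
import json
import urllib.request
from urllib.parse import urlparse

# Path and Version string are the ones given in the reply above; the sample body
# is constructed for this example and keeps the thread's TENANTIDHERE placeholder.
DISCOVERY_PATH = "/.well-known/com.apple.remotemanagement"
EXPECTED_VERSION = "mdm-byod"
SAMPLE_BODY = ('{"Servers":[{"Version":"mdm-byod", "BaseURL":"https://manage.microsoft.com'
               '/EnrollmentServer/PostReportDeviceInfoForUEV2?aadTenantId=TENANTIDHERE"}]}')


def discovery_url(domain):
    """Well-known URL derived from the domain part of the Managed Apple Account (no file extension)."""
    return f"https://{domain}{DISCOVERY_PATH}"


def validate_discovery_json(body, content_type="application/json"):
    """Return a list of problems; an empty list means the document looks usable."""
    problems = []
    # Assumption of this example: the file should be served as application/json.
    if content_type.split(";")[0].strip().lower() != "application/json":
        problems.append(f"unexpected Content-Type: {content_type!r}")
    try:
        doc = json.loads(body)
    except ValueError as exc:
        return problems + [f"body is not valid JSON: {exc}"]
    servers = doc.get("Servers") if isinstance(doc, dict) else None
    if not isinstance(servers, list) or not servers:
        return problems + ["top-level object must contain a non-empty 'Servers' array"]
    for i, entry in enumerate(servers):
        if not isinstance(entry, dict):
            problems.append(f"Servers[{i}] is not an object")
            continue
        if entry.get("Version") != EXPECTED_VERSION:
            problems.append(f"Servers[{i}].Version is {entry.get('Version')!r}, expected {EXPECTED_VERSION!r}")
        url = urlparse(entry.get("BaseURL", ""))
        if url.scheme != "https" or not url.netloc:
            problems.append(f"Servers[{i}].BaseURL must be an absolute https URL")
        if url.username or url.password:
            problems.append(f"Servers[{i}].BaseURL must not embed credentials")
    return problems


def check_domain(domain, timeout=10):
    """Fetch the live document for a domain and validate it (network call; not exercised offline)."""
    with urllib.request.urlopen(discovery_url(domain), timeout=timeout) as resp:
        return validate_discovery_json(resp.read().decode("utf-8"),
                                       resp.headers.get("Content-Type", ""))


if __name__ == "__main__":
    print(validate_discovery_json(SAMPLE_BODY) or "sample document OK")
```

Run `check_domain("company.com")` against the real web server once the file is in place; the returned list tells you what a device would trip over.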

Wait, so do you want to use your primary domain?

Eventually yes, but we were trying to test a separate domain first to ensure we want to utilize this functionality for our BYOD enrollment. Jamf said this was possible, but it doesn’t seem to be.

We configured the JSON and Webserver correctly, but it was pointed to company-byod.com, which I don’t think can work. Seems like a subdomain is the only option, unless the IdP also has some association with the -byod domain.


You’ll want to test with a non-production IdP that’s tied to the secondary (or sub) domain. That’s the only way this will work.