Kaseya MDM: Enrollment

You'll start the MDM enrollment process by creating a new entry for the device on the Connectors page. To do so, perform the following steps:

1. From the left navigation menu in Kaseya MDM, navigate to Integrations > Connectors > Apple MDM.
2. Click Create Connector.
   
3. On the Create Connector page, select the Apple MDM Push Certificate connector type from the Type drop-down menu.
4. Select the organization with which the new device will be associated.
   
5. Click Next.
6. In the Download CSR File section, click Download CSR. Kaseya MDM will transfer a Certificate Signing Request (CSR) file named CertificateSigningRequest.plist to the default download location on your computer.
7. In the Create the Apple Push Certificate section, click Go to Apple portal.
   
8. Without closing the Create Connector page, perform the steps described in Create a push certificate to continue.

Once you've completed the steps in Create an Apple MDM Push Certificate connector in Kaseya MDM, follow this process to obtain a vendor-signed version of the CSR file and upload it to Kaseya MDM to create your new push certificate:

Create the Apple Push Certificate

1. The Apple Push Certificates Portal will open and prompt you for credentials. Log in with the Apple ID of the device or devices you'd like to enroll.
   
2. Click Create a Certificate.
   
3. The Apple portal will prompt you to accept the MDM Certificate Agreement Terms of Use. Once you've done so, you'll receive a prompt to upload your CSR file.
4. Click Choose File. Select the CSR you generated in Create an Apple MDM Push Certificate connector in Kaseya MDM. Then, click Upload.
   
5. The Apple portal will surface a confirmation that you've successfully created the push certificate. Click Download.
   
6. Continue to the next section of this article.

Upload the push certificate to Kaseya MDM

1. Return to the Create Connector page in Kaseya MDM and locate the Upload the Apple Push Certificate section.
   
2. Add the certificate you downloaded from the Apple portal by dragging it into the Drag your certificate here box or by clicking the box and selecting the file to upload.
3. Confirm the ID you used to create the certificate by entering it in the Apple ID field.
4. Click Create. Then, proceed to either Manually enroll a device in MDM or Configure Automated Device Enrollment (ADE).

After creating the signed CSR and uploading it to Kaseya MDM, you can enroll the device in MDM manually as follows.

Alternatively, if you wish to configure automatic Kaseya MDM-enrollment of devices assigned to a dedicated server in Apple Business Manager, skip these steps and proceed to Configure Automated Device Enrollment (ADE).

1. From the left navigation menu in Kaseya MDM, navigate to Devices > MDM Enrollment.
   
2. In the Context section, select the organization, site, and group where the device will reside.
   
3. From the Enroll Path drop-down menu, select the method via which you'd like to enroll the device in MDM: QR Code and Link or USB using Apple Configurator.

QR Code and Link

QR code enrollment is intended for personal (BYOD) iOS and iPadOS devices. To enroll a device via either of these methods, perform the following steps:

1. A Scan QR Code pane, similar to the example shown below, will appear on the MDM Enrollment page.
   
   

2. Follow the workflow it provides to complete the device enrollment. To send the instructions to a recipient via email, click Send Invite, complete the required contact fields, and click Send.
3. Once the enrollment process is complete, the device will become available to manage on Kaseya MDM's Device List page.

USB using Apple Configurator

IMPORTANT  The USB enrollment method will erase your device.

This enrollment type is intended for business or corporate-owned devices and enables additional management capabilities. Currently, it only supports iOS and iPadOS devices. To enroll a device via this method, perform the following steps:

1. A USB pane, similar to the example shown below, will appear on the MDM Enrollment page. To send the instructions to a recipient via email, click Send Invite, complete the required contact fields, and click Send. Otherwise, proceed to the next step of this workflow.
   

2. On a separate device, download and install Apple Configurator 2. You'll use this device to enroll the managed endpoint. You can obtain this application from the Mac App Store.
3. Once the application is installed, proceed to the next step.

Create a WiFi profile

1. In Apple Configurator's top navigation menu, click File > New Profile.
   
2. In the window that opens, on the General tab, enter a profile name in the Name field.
   
3. In the left navigation menu, select WiFi.Then, click Configure.
4. Input the settings of the WiFi network to which the device should connect.
5. In Apple Configurator's top navigation menu, click File > Save.
6. When prompted, save the file in a location that you will be able to access in the next steps of this article.

Create a blueprint

1. In Apple Configurator's top navigation menu, click File > New Blueprint.
   
2. Specify a blueprint name.
   
3. Click the blueprint. Then, click Add > Profiles.
   
4. Select the WiFi profile you created in the previous section of this article and click Add.
   

Prepare the blueprint

1. Click the blueprint. Then, click Prepare.
2. In the Prepare Devices window, select Prepare with > Manual Configuration.
3. Ensure that the Supervise devices check box is selected.
4. Click Next.
   
5. On the Enroll in MDM screen, click Server > New Server. Then, click Next.
6. On the Define an MDM Server screen, input VSA in the Name field.
7. In the Host name or URL field, enter the enrollment link URL from the USB pane on the MDM Enrollment page.
   
8. Apple Configurator will fetch and add your trust anchor certificates. Click Next.
9. You may be prompted to sign in to Apple School Manager or Apple Business Manager. You can do so, or you can skip the step.

Create an organization

1. On the Create an organization screen, define the name of the organization with which this device will be associated. Then, click Next.
2. When prompted, select Generate a new supervision identity and click Next.
3. The Configure the iOS Setup Assistant screen will appear. Make any desired selections.
   
4. Click Prepare.

Apply the blueprint to the device

1. Via USB, connect the device you're enrolling to your current desktop or laptop computer.
2. In Apple Configurator, right-click the device, select Apply, and choose the blueprint you created.
   
3. Click Apply.
4. Apple Configurator will apply the blueprint. It may take several minutes for this process to complete and the new device to index in the MDM server. Once the enrollment process is complete, the device will become available to manage on Kaseya MDM's Device List page.

BEFORE YOU BEGIN  You must create an Apple MDM Push Certificate connector for the organization you wish to configure ADE for. Refer to Create an Apple MDM Push Certificate connector in Kaseya MDM.

By completing the following steps, every device assigned to a dedicated MDM server within Apple Business Manager will automatically be added to a specified agent group within your Kaseya MDM account:

Create an Apple Automated Device Enrollment connector in Kaseya MDM

1. From the left navigation menu in Kaseya MDM, navigate to Integrations > Connectors.
2. Click Create Connector.
   
   
3. On the Create Connector page, select the Apple Automated Device Enrollment connector type from the Type drop-down menu.
4. Select the organization and site associated with the devices you wish to automatically enroll.

NOTE  The Organization Name field displays an error message if the selected organization is missing an Apple MDM Push Certificate connector, which you must configure first. Refer to Create an Apple MDM Push Certificate connector in Kaseya MDM.

5. Select the specific agent group in which the devices will be automatically enrolled.
   
6. Optionally, enter a phone number and/or email address at which your support team can be reached, which users will see during device activation.
7. Click Next.
8. Click Download Public Key. Kaseya MDM will transfer a Privacy Enhanced Mail (PEM) file named ABM_Public_Key.pem to the default download location on your computer.
9. In the Generate New Server Token section, click Go to Apple Business Manager.
10. Without closing the Create Connector page, log in to Apple Business Manager and proceed to the next section.

Upload the public key to Apple Business Manager

1. In Apple Business Manager, click your name at the bottom of the sidebar and select Preferences.
2. Click MDM Server Assignment, then click Add .
3. Enter a unique name for the server.

NOTE  If you don’t want this MDM server to have the ability to release devices, refer to Release devices in the Apple Business Manager User Guide.

4. Upload the ABM_Public_Key.pem file you downloaded from Kaseya MDM in the previous section.
   
   
5. Click Save.
6. Click Download MDM Server Token .
7. In the confirmation dialog box, click Download MDM Server Token.
   

Upload the server token to Kaseya MDM

1. Return to the Create Connector page in Kaseya MDM and locate the Upload Server Token section.
   
2. Add the .p7m server token file you downloaded from Apple Business Manager by dragging it into the Drag your server token file here box or by clicking the box and selecting the file to upload. The server token upload success will be validated.
   
3. Confirm the ID you used to generate the server token by entering it in the Apple ID field.
4. Click Create.

For more details, refer to ADE behavior.

To unenroll a device from MDM, perform the following steps:

1. Locate VPN & Device Management in the device's settings.
2. Open the MDM profile.
3. Click Remove Management.
4. Kaseya will automatically remove the device from your MDM platform.