Using Apple Automated Device Enrollment with Workspace ONE UEM
Overview
Omnissa Workspace ONE® UEM provides a comprehensive management solution for macOS and iOS devices, supporting macOS 10.15 and later, and iOS 11.0 and later. With the ability to manage Corporate-Dedicated, Corporate Owned or Employee Owned (BYOD) devices, Workspace ONE UEM offers enterprises the flexibility to meet their employees’ needs at any level.
Workspace ONE UEM seamlessly integrates with Apple Business Manager and Apple School Manager, enabling the management of Apple devices, including macOS, iOS, iPadOS, and tvOS, directly out of the box. Once configured, corporate devices can be added to Apple Business Manager during purchase and automatically synced to Workspace ONE UEM, facilitating device enrollment during activation. This proactive management ensures devices are controlled before users even log in for the first time, resulting in a streamlined and more secure enrollment process.
Purpose of this tutorial
This tutorial provides an overview of the features of Apple’s Automated Device Enrollment and takes you through the steps required to integrate Automated Device Enrollment with Workspace ONE UEM. It also describes some examples of its use when managing macOS and iOS devices. This tutorial assumes that you have already signed up for Apple Business Manager and that you have a managed Apple ID. For more information on enrolling in Apple Business Manager, see Sign up for Apple Business Manager.
Audience
This operational tutorial is intended for IT professionals and Workspace ONE administrators of existing production environments.
Both current and new administrators can benefit from using this tutorial. Familiarity with macOS and iOS is assumed.
Knowledge of additional technologies such as Omnissa Intelligence and Omnissa Workspace ONE® UEM is also helpful.
Validation environment
The content created for this operational tutorial used the following software and hardware versions for testing:
- Workspace ONE UEM version 2506 (25.6.917.14)
The content in this tutorial may apply to earlier Workspace ONE UEM and Hub versions, but this was not specifically tested.
Note: Any process steps referencing Apple Business Manager were up to date as of the writing of this document (November 2025). Changes made by Apple to the Apple Business Manager interface after publication might not be reflected in this document.
Apple Business Manager
Apple Business Manager is a portal where IT admins can manage Apple’s Automated Device Enrollment, Volume Purchase Program (VPP), and Managed Apple Accounts.
Apple Business Manager provides the following three key functions:
- Automated Device Enrollment – Automates MDM enrollment and initial device setup without requiring IT admins to physically access the devices.
- Volume Purchase Program – Allows organizations to buy content (such as apps and books) in volume, assign them to devices or users, and then install and update that content wirelessly, even if the App Store is not enabled.
- Managed Apple Accounts – Create unique managed Apple IDs for users within your organization.
This tutorial will focus on the functionality within Automated Device Enrollment. For information about using Apple’s Volume Purchase Program to deploy apps with Workspace ONE UEM, see Deploying a Third-Party macOS App: Workspace ONE UEM Operational Tutorial on Omnissa Tech Zone.
For a complete guide to Workspace ONE’s integration with Apple Business Manager, please see the Omnissa product documentation at: Introduction to Apple Business Manager.
Apple’s Automated Device Enrollment
Automated Device Enrollment (formerly known as the Device Enrollment Program) provides IT administrators with a simplified approach to deploying corporate-owned Apple devices, including iPhones, iPads, and macOS computers. By automating mobile device management (MDM) with zero-touch enrollment and supervision, Automated Device Enrollment streamlines the initial setup and configuration process.
Automated Device Enrollment offers IT admins the following features:
- Mandatory and lockable MDM enrollment – Automated Device Enrollment can automatically enroll Apple devices into Workspace ONE UEM ensuring that users receive all required configurations and locking the devices in MDM for ongoing management.
- Wireless supervision – Supervision offers a higher level of device management, providing additional device configurations and features, and allowing additional restrictions to be applied to devices, such as turning off iMessage, AirDrop, or Game Center.
- Zero-touch configuration – Automated Device Enrollment makes large-scale deployments of Apple devices easier with over-the-air setup and configuration, eliminating the need for staging services or physically accessing each device.
- Streamlined Setup Assistant – When using Workspace ONE UEM with Apple’s Automated Device Enrollment, IT admins can streamline the built-in Setup Assistant by specifying which screens are displayed to guide users through the activation process.
For a device to be eligible for Automated Device Enrollment, it must be purchased from one of the following channels:
- Directly from Apple
- Participating Apple Authorized Resellers
- Cellular carriers
Alternatively, you can add a device to Apple Business Manager using Apple Configurator. For instructions on how to manually add devices to Apple Business Manager with Apple Configurator, see the Apple Business Manager User Guide.
Initial setup and configuration for Automated Device Enrollment is performed in Apple Business Manager or Apple School Manager and requires your organization to be signed up for one of these two programs. The processes described in this tutorial will focus on Apple Business Manager.
Note: Automated Device Enrollment was formerly called Device Enrollment Program. Some settings within Workspace ONE UEM still refer to the function as Device Enrollment Program, or DEP. This document will use Automated Device Enrollment unless referring to a specific component within Workspace ONE UEM where Device Enrollment Program is still used within the name.
Enrollment process
The Automated Device Enrollment process ensures a smooth enrollment of new Apple devices into Workspace ONE UEM. Before the user logs in for the first time, the process secures and manages the devices, accelerating the enrollment and onboarding processes. This allows users to quickly access corporate apps and resources, enabling them to become productive more rapidly.
There are five primary phases in the Automated Device Enrollment process. These phases assume that you have already configured the integration between Workspace ONE UEM and Apple Business Manager. The five phases are described below.
- Device purchase – When an organization purchases devices from Apple or an authorized Apple reseller, these devices are registered to the organization’s ID within Apple Business Manager. Additionally, IT administrators can register existing devices in Apple Business Manager using the Apple Configurator app, which links the devices to the organization’s account.
- MDM Assignment – The device must be assigned to the appropriate MDM assignment for enrollment to take place during device activation. If the organization has only one instance configured in Apple Business Manager, the device will automatically be assigned to that instance. However, if there are multiple instances, a default MDM assignment can be configured for each device type. Additionally, an IT administrator can manually change the assignment for a device if necessary.
- Initial Activation – Once purchased and assigned to a Workspace ONE instance, the device can be directly shipped to the user from Apple or an authorized reseller. The organization’s IT department doesn’t need to handle the device for preparation. When the user turns on the device for the first time and connects to Wi-Fi, the device contacts Apple for activation. During this process, the device receives the details of the Workspace ONE instance for enrollment. This step occurs before the Setup Assistant and must be completed before the user is granted access to the device.
- Enrollment / Policy Configuration – The device will proceed with enrollment into the assigned Workspace ONE instance. Depending on how the enrollment is configured, the process might require the user to input their username and password for authentication. Once enrollment has completed, the Setup Assistant will run, allowing the user to complete device setup. Additionally, Workspace ONE will begin pushing assigned profiles, apps, and other resources to the device. The level of interaction required by the user during this process will be dependent on how the onboarding experience is configured within Workspace ONE.
- Ready to use – Once all profiles, apps, and content have been installed, the device is ready for the user. Administrators can manage and monitor the device through Workspace ONE.
Automated Device Enrollment profile
The Automated Device Enrollment profile in Workspace ONE UEM manages the initial configuration of devices enrolled via Automated Device Enrollment. This configuration encompasses authentication, MDM features, and the specific Setup Assistant screens displayed to the user, among other elements. Upon the first power-up of a new device, it will download the enrollment profile once Wi-Fi is established.
Note: If an incorrect enrollment profile is assigned or the assignment fails, a factory reset will be required before enrollment can be attempted again.
The enrollment profile manages seven key areas of enrollment. Each area can be configured within the profile and includes:
- Custom Enrollment
- Authentication
- Minimum OS Version
- MDM Features
- Setup Assistant
- Primary User Account
- Admin Account Creation
Each of these areas is discussed in further detail within this section.
Custom Enrollment
Custom enrollment provides administrators with the flexibility to tailor the user experience by incorporating customized enrollment screens during the automated enrollment process, replacing the conventional Apple screens. These customized screens can streamline the user experience and implement additional security measures that align with your organization’s specific requirements. Some of the options available include:
- Terms of use
- Basic authentication
- Token authentication
- Multi-factor authentication
- SAML federation to an identity provider
- Corporate branding
Note: Custom enrollment is only available on iOS 13 and later, and macOS 10.15 and later.
Authentication
The Authentication settings control whether user authentication is mandatory during enrollment, identify device ownership, specify the default Device organization group, and indicate if a custom message is provided to the user in the Setup Assistant’s Authentication pane.
The following table describes the settings available for Authentication.
| Setting | Description |
| Authentication | When authentication is enabled, the user will be prompted for credentials during the Setup Assistant on the device. When disabled, you will select a default staging user to be used during the enrollment process. |
| Device Ownership Type | This option allows you to set the ownership type for the device when it is enrolled. Three options are available to you: Corporate-Dedicated, Corporate-Shared, and Employee Owned. |
| Device Organization Group | This option allows you to specify the organization group where your end users will authenticate. |
| Custom Prompt | With this option turned on, you can present custom text to the user on the device authentication screen during the Setup Assistant. |
| Message Template | This allows you to select the message template used by the Custom Prompt. This option is only available when Custom Prompt is On. |
Minimum OS Version
Workspace ONE UEM supports enforcing a minimum operating system version for iOS and macOS devices in enrollment profiles. This feature, available on iOS 17 and higher and macOS 14 and higher, enables IT administrators to specify the minimum OS version required for Apple device enrollment into Workspace ONE UEM. When enabled, Workspace ONE UEM prevents device enrollment from completing until the device meets or exceeds the specified minimum OS version.
When enabled, this option offers four configurable settings:
- iOS Minimum Version - This dropdown menu displays all active iOS updates signed by Apple. It’s mandatory if Enforce Minimum OS Version is enabled.
- macOS Minimum Version - This dropdown menu presents all active macOS updates signed by Apple. It’s also mandatory if Enforce Minimum OS Version is enabled.
- Message - The text entered in this field will be displayed to the end user on the device during enrollment. This message will only appear if an update is necessary for the device. This setting is optional.
- Description - You can enter text in this field to log the necessary updates to Workspace ONE. This information will be logged in the troubleshooting log for the device. This setting is optional and will not be displayed to the end user.
During the enrollment process, Workspace ONE verifies the device’s iOS version. If it finds a mismatch with the enrollment profile’s requirements, Workspace ONE triggers the Setup Assistant to initiate a device update. All necessary restarts are automatically performed. Once the update is complete, the Setup Assistant resumes the enrollment process.
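The version gate described above can be rehearsed against an inventory before the setting is turned on. This is an added example, not Omnissa code: the inventory, serial numbers and minimum versions are constructed, and it assumes a device below the feature floor (iOS 17, macOS 14) cannot honour the requirement and needs separate follow-up.

```python
# Feature floor stated on this page: enforcement needs iOS 17+ / macOS 14+.
FEATURE_FLOOR = {"ios": (17,), "macos": (14,)}


def parse_version(text):
    """Turn '17.0.1' into (17, 0, 1); trailing zeros drop so 15.1.0 == 15.1."""
    parts = text.strip().split(".")
    if any(not p.isdigit() for p in parts):
        raise ValueError(f"not a dotted numeric version: {text!r}")
    nums = [int(p) for p in parts]
    while len(nums) > 1 and nums[-1] == 0:
        nums.pop()
    return tuple(nums)


def decide(platform, device_version, minimum_version):
    """Return 'enroll', 'update_required' or 'not_enforceable'."""
    device = parse_version(device_version)
    minimum = parse_version(minimum_version)
    if device >= minimum:          # "meets or exceeds" the profile minimum
        return "enroll"
    if device < FEATURE_FLOOR[platform]:
        # Assumption: too old to be told to update during Setup Assistant.
        return "not_enforceable"
    return "update_required"


def triage(inventory, minimums):
    """Group serials by outcome for a list of (serial, platform, version)."""
    report = {"enroll": [], "update_required": [], "not_enforceable": []}
    for serial, platform, version in inventory:
        outcome = decide(platform, version, minimums[platform])
        report[outcome].append(serial)
    return report


# Constructed sample data, not real devices or real OS releases.
MINIMUMS = {"ios": "18.2", "macos": "15.1"}
INVENTORY = [
    ("EXAMPLE-MAC-1", "macos", "14.7.1"),   # supported, but below minimum
    ("EXAMPLE-IOS-2", "ios", "18.10"),      # 18.10 > 18.2 numerically
    ("EXAMPLE-IOS-3", "ios", "16.7.10"),    # below the iOS 17 feature floor
    ("EXAMPLE-MAC-4", "macos", "15.1.0"),   # equal to the minimum
]

if __name__ == "__main__":
    for outcome, serials in triage(INVENTORY, MINIMUMS).items():
        print(f"{outcome}: {', '.join(serials) or '-'}")
```

Comparing the versions as plain strings would place 18.10 below 18.2 and send a compliant device into an update loop in the report; the numeric tuples avoid that.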
MDM Features
This section of the enrollment profile configures the Mobile Device Management (MDM) features on the devices. These settings are applied during the device enrollment process, and control the behavior of MDM on the device, such as whether MDM enrollment is mandatory, if the MDM profile is locked, and whether anchor certificates are utilized. The following table provides an overview of the various options available.
| Setting | Description |
| Profile Name | The name of the profile as it appears in the UEM console. |
| Department | The preferred name of your department. This will appear in the About Configuration screen during setup and enrollment. |
| Support Email | The support contact email for your organization. This will appear in the About Configuration screen during setup and enrollment. |
| Support Number | The support contact phone number for your organization. This will appear in the About Configuration screen during setup and enrollment. |
| Require MDM Enrollment | When enabled, this option requires MDM enrollment in Workspace ONE UEM during device activation. |
| Supervision | Setting this option will set devices in Supervised mode. This option only applies to iOS 12.4 and earlier. |
| Lock MDM Profile | When enabled, end users will be prevented from removing the Workspace ONE UEM MDM profile from the device. |
| Anchor Certificate | Enabling this option will result in a trusted anchor certificate being uploaded to devices during DEP enrollment. |
| Device Pairing | When this option is enabled, devices can sync with any workstation using iTunes or Apple Configurator. With iOS 13 and up, this option is enabled by default and cannot be disabled. |
| Await Configuration | You can enable this setting if you expect to send extra commands to the device before the user proceeds with the Setup Assistant. When enabled, the device will not come out of the Setup Assistant until the expected commands are sent to the device. |
| Auto Advance Setup | If this option is enabled, the device will automatically apply the DEP enrollment Profile and skip all Setup Assistant panes, applying the most restrictive options to the device by default. |
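Several rows in this table decide whether a user can avoid or undo management, so they are worth checking on every profile. The following is an added example, not Workspace ONE code: it audits a constructed profile expressed with the key names from Apple's device enrollment profile definition (`is_mandatory`, `is_mdm_removable`, `await_device_configured`). The mapping to the console settings and the treatment of absent keys are assumptions of the example.

```python
import json

# Each check: (profile key, hardened value, console setting named on this
# page, severity, what the permissive value allows).
CHECKS = [
    ("is_mandatory", True, "Require MDM Enrollment", "high",
     "user can skip MDM enrollment during device activation"),
    ("is_mdm_removable", False, "Lock MDM Profile", "high",
     "user can remove the MDM profile after enrollment"),
    ("await_device_configured", True, "Await Configuration", "medium",
     "user can leave Setup Assistant before queued commands arrive"),
]
# Assumption of this example: an absent key counts as the permissive value.
PERMISSIVE = {"is_mandatory": False, "is_mdm_removable": True,
              "await_device_configured": False}
CONTACT_KEYS = [("support_email_address", "Support Email"),
                ("support_phone_number", "Support Number")]
SEVERITY_ORDER = ["high", "medium", "info"]


def audit_profile(profile):
    """Return findings for one enrollment profile, most severe first."""
    findings = []
    for key, hardened, setting, severity, risk in CHECKS:
        value = profile.get(key, PERMISSIVE[key])
        if not isinstance(value, bool):
            # A string such as "yes" must not be read as an enabled control.
            findings.append({"key": key, "setting": setting, "severity": "high",
                             "detail": f"expected true/false, got {value!r}"})
        elif value != hardened:
            findings.append({"key": key, "setting": setting,
                             "severity": severity, "detail": risk})
    for key, setting in CONTACT_KEYS:
        if not str(profile.get(key) or "").strip():
            findings.append({"key": key, "setting": setting, "severity": "info",
                             "detail": "no contact shown in About Configuration"})
    findings.sort(key=lambda f: SEVERITY_ORDER.index(f["severity"]))
    return findings


def verdict(findings):
    """Highest severity present, or 'pass' when there are no findings."""
    for level in SEVERITY_ORDER:
        if any(f["severity"] == level for f in findings):
            return level
    return "pass"


# Constructed sample profile; the names and values are illustrative only.
SAMPLE_PROFILE = json.loads("""
{
  "profile_name": "Default Enrollment Profile",
  "department": "IT",
  "support_phone_number": "123-456-7890",
  "is_mandatory": false,
  "is_mdm_removable": true,
  "await_device_configured": false
}
""")

if __name__ == "__main__":
    results = audit_profile(SAMPLE_PROFILE)
    for f in results:
        print(f"[{f['severity']}] {f['setting']} ({f['key']}): {f['detail']}")
    print("verdict:", verdict(results))
```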
Setup Assistant
With the device enrollment profile, you can customize the Apple Setup Assistant items that users see during device activation. You can instruct the Setup Assistant to skip certain items, such as biometric ID setup, Siri configuration, Apple Pay, Software Update settings, and App Store ID configuration. Some items are applicable across multiple platforms (iOS, macOS, and tvOS), while others are specific to a single Apple platform. If an item is skipped, the default setting is applied to the device.
Primary User Account
The primary user account enables administrators to configure the user’s device account. Administrators can specify the type of account created, whether the username and full name are auto filled, and the data used for auto filling those fields. These settings are only applicable to macOS devices.
Note: These settings only apply if the Primary Account Setup item is not skipped in the Setup Assistant settings.
The following table describes the available options for the primary user account.
| Setting | Description |
| Account Type | This determines the type of user account created at the end of the Setup Assistant. The options available are Standard and Administrator. Note: If Standard is selected, an Admin account must be defined in the Admin Account Creation section. |
| Autofill | When enabled, this option will autofill the username and full name fields with the account information of the enrollment user. |
| Username | To automatically populate the enrollment user's organization username, use the lookup values, such as |
| Full Name | To automatically populate the enrollment user's first and last name, use the default lookup values, such as |
| Allow Editing | If enabled, the end user can edit the primary account during creation. |
Admin Account Creation
In many cases, it’s beneficial to have a local admin account on devices used by support staff. This account should be distinct from the one used by the end user. During enrollment, the enrollment profile can create an administrator on the device. This option enables you to configure the admin username, account password, and specify whether the account is hidden from the end user on macOS devices.
The following options are only available if Create New Admin Account is set to Yes.
| Setting | Description |
| Username | Specify the username for the admin account. |
| Full Name | Enter the full name of the admin account. |
| Unique Random Password | If set to Yes, a random password is generated composed of 14 characters (at least 2 symbols, 1 lowercase, 1 uppercase, and 1 digit). Note: If this is enabled, you cannot change it back to a static password. |
| Password | If Unique Random Password is disabled, you can create a static password for the admin account. |
| Hidden | When enabled, this option will hide the admin account from the device’s end user. Hidden accounts are not visible in the Login window to end users. |
Integrating Automated Device Enrollment with Workspace ONE UEM
This exercise will detail the process for integrating Automated Device Enrollment with Workspace ONE UEM. The steps are sequential and build upon one another, so make sure that you complete each step before going to the next step.
The process includes the following steps:
- Configure the Apple Business Manager Portal.
- Create the Automated Device Enrollment profile.
Prerequisites
Before you can perform the steps in this exercise, you must have:
- Signed up for Apple Business Manager
- A managed Apple ID
Configure the Apple Business Manager Portal
To integrate Automated Device Enrollment with Workspace ONE UEM, you must set up a virtual MDM server in Apple Business Manager. By establishing a trust relationship between Apple Business Manager and Workspace ONE UEM, the two platforms can communicate seamlessly, enabling the integration of Automated Device Enrollment.
To get the desired result, perform the following steps:
- In the Workspace ONE UEM console, click Groups & Settings. Then select All Settings.
- Expand Devices & Users, then expand Apple. Select Automated Device Enrollment.
- To begin the process of configuring Automated Device Enrollment, click the Configure button.
- Download the Public Key from your Workspace ONE instance by clicking the link called MDM_DEP_PublicKey.pem.
- Log in to your Apple Business Manager portal. In the lower left-hand corner, click your name and select Preferences.
- Create a new virtual MDM server. Select Add next to Device Management Services.
- Enter a name for the new MDM Server. For example, enter MyMDMServer.
- Ensure you check the box for Allow this MDM Server to release devices. Then, upload the public key you just downloaded from Workspace ONE. Click Save.
- Click the Download Token button to get the newly created token from Apple Business Manager.
Create a Device Enrollment profile
Before you can assign devices, you need to create an enrollment profile in Workspace ONE UEM. This profile assigns a collection of Automated Device Enrollment policies to your registered devices. These policies create a customized experience for users when enrolling their Apple devices.
The Automated Device Enrollment configuration process serves two purposes: it links your Workspace ONE UEM instance with Apple Business Manager and guides you through setting up your authentication options. These options include the default device ownership type and device organization group, the initial MDM profile and device properties, and your preferred Setup Assistant configuration.
While there are many options available in the configuration process, you’ll only configure the default settings for this exercise. For more information about each option, hover over the information icon beside it.
To get the desired result, perform the following steps:
- In the Workspace ONE UEM console, click Groups & Settings. Then select All Settings.
- Expand Devices & Users, then expand Apple. Select Automated Device Enrollment. Click the Configure button.
- To upload the token that you retrieved from Apple Business Manager earlier in this tutorial, click the Upload button.
- Click Choose File and navigate to the token you retrieved from Apple Business Manager. Click Save.
- Click Next.
- Leave the default settings on the next page and click Next.
- Enter a name for the MDM profile. For example, enter Default Enrollment Profile.
- Enter a Department name. For example, enter IT.
- Enter a Support number. For example, enter 123-456-7890.
- For this exercise, the remaining settings can be left at their respective defaults. Click Next.
- On the next screen, you can configure which Setup Assistant options are presented to the user during device activation. For this exercise, keep all the settings at their default values. Click Next.
- On the Summary screen, click Save.
Managing Automated Device Enrollment devices
Devices purchased directly from Apple, through a participating Apple Authorized reseller, or from a cellular carrier are eligible for Automated Device Enrollment. If configured correctly, these devices will automatically be added to Apple Business Manager. For more information on configuring your Apple Business Manager instance, refer to the Apple Business Manager User Guide.
Before taking any action on new devices added to Apple Business Manager, they must be synced with Workspace ONE UEM. Additionally, certain remote tasks can be performed on ADE-enrolled devices.
The following exercises cover:
- Manually syncing devices with Apple Business Manager.
- Remote tasks on DEP-enrolled devices
- Wiping DEP-enrolled devices
Perform a manual sync with Apple Business Manager
You can perform a manual sync with Apple Business Manager at any time.
To get the desired result, perform the following steps:
- In the Workspace ONE UEM console, click Devices. Then select Registration.
- Select the Sync Devices dropdown menu, and click Apple.
- On the Sync Devices from Apple Enrollment Program screen, click Sync. Any newly registered devices in Apple Business Manager will be synced into Workspace ONE UEM.
Available remote tasks for devices
When a device is enrolled through Automated Device Enrollment, certain additional remote tasks become available within Workspace ONE UEM. These remote tasks are only available to devices that are supervised through Apple Business Manager. The following table describes these additional tasks.
| Task | Description |
| Device Configured | You send this command to a device that is stuck in “Awaiting Configuration” state. |
| iOS Updates | This task can be used to update a device or devices in bulk. |
| Enable/Disable Lost Mode | Lost Mode will lock the device and send a message to the lock screen. Lost mode can only be deactivated by an administrator. |
| Request Device Location | If a device is in Lost Mode, you can query its location. This applies to supervised iOS 9.3 and up devices. |
To execute these tasks, perform the following steps:
- In the Workspace ONE UEM console, click Devices. Then select List View. Select a device from the list.
- On the Details View, select the More Actions menu. Click one of the above-mentioned actions.
Available actions for synced devices
Once a device is synced with Workspace ONE through Apple Business Manager, administrators gain the capability to modify the device’s registration record and perform other device-specific actions. These actions empower organizations to control the device’s enrollment process in Workspace ONE. The actions encompass managing the organization group and assigned enrollment profile. You can also completely delete the device’s registration record from Workspace ONE UEM.
Editing organization group and ownership
Organization group
By default, devices synced from Apple Business Manager are assigned to the organization group (OG) where Automated Device Enrollment is configured. For example, if Automated Device Enrollment is configured on an OG called Acme Corp, all devices synced from Apple Business Manager will be assigned to the Acme Corp OG during enrollment.
However, some organizations use child OGs to compartmentalize devices by department, location, or other criteria. In this case, some devices might need to be reassigned to the correct OG prior to enrollment to ensure that they receive the correct departmental or regional profiles, apps, and other resources. Administrators can change the assigned OG for a device.
Ownership
Device ownership in Workspace ONE UEM categorizes devices as either corporate-owned or employee-owned. This classification significantly impacts management capabilities and policies. Therefore, comprehending this distinction is essential for effective device management and ensuring compliance with organizational policies.
Workspace ONE UEM supports three primary device ownership models:
- Corporate-Owned Devices: These devices are owned and managed by the organization. The organization has complete control over the device, including the ability to enforce policies, push applications, and perform remote actions like wiping the device. These devices are typically assigned to a single individual user.
- Corporate-Shared Devices: Similar to corporate-owned devices, corporate-shared devices are owned and managed by the organization, which has full control over the device. However, these devices are shared among multiple users, such as frontline or shift workers.
- Employee-Owned Devices: Also known as Bring Your Own Device (BYOD), these devices are owned by the employees. The organization has limited control, focusing on securing corporate data without infringing on personal data.
Administrators can change the ownership type of devices synced from Apple Business Manager.
Editing the assigned enrollment profile
When a device is synced from Apple Business Manager to Workspace ONE, it is automatically assigned to the default Automated Device Enrollment profile. However, organizations may have multiple enrollment profiles to accommodate different device use cases, such as varying configurations for different departments. Administrators can either assign a new enrollment profile or remove the profile from devices that haven’t been enrolled in Workspace ONE.
Summary and additional resources
This operational tutorial discussed the features and functions of Apple’s Automated Device Enrollment and provided a step-by-step guide on how to integrate Workspace ONE UEM with Apple Business Manager.
Content in this tutorial included:
- Introduction to Automated Device Enrollment
- Integrate Automated Device Enrollment with Workspace ONE UEM
- Managing Automated Device Enrollment devices
Additional resources
For more information about Workspace ONE, explore the Omnissa Workspace ONE UEM page on Tech Zone. The page offers step-by-step guidance to help enhance your knowledge of Workspace ONE. You will find everything from beginner to advanced curated assets in the form of articles and videos.
For further information about Workspace ONE’s integration with Apple Business Manager, please see our product documentation at: Introduction to Apple Business Manager.
You may also wish to read these additional macOS operational tutorials on Omnissa Tech Zone.
- Configuring Basic macOS Management
- Getting Started with Freestyle Orchestrator on macOS Devices
- Managing Updates with the macOS Updater Utility
- Distributing Scripts to macOS Devices
- Deploying a Third-Party macOS App
Changelog
The following updates were made to this guide:
| Date | Description of Changes |
| 12/1/2025 | |
| 06/14/2024 | |
| 04/18/2023 | |
About the author and contributors
This tutorial was written by:
- Michael Bradley, Senior Product Specialist, Omnissa.
Additional contributions were provided by:
- Sandhya US, Product Specialist, Omnissa
Questions and feedback
For questions or feedback, send an email to tech_content_feedback@omnissa.com.