Account-driven User Enrollment for personal Apple devices (BYOD)

Marko Lisica

Apple Account-driven User Enrollment (BYOD)

Available in Fleet Premium.

In Fleet, you can allow your end users to enroll their personal iPhones and iPads to Fleet using Account-driven User Enrollment.

With Account-driven User Enrollment, end users can separate work and personal data using their Managed Apple Account. End users retain privacy over their personal information, while IT admins manage work-related OS settings and applications.

  • Step 1: Connect Apple Business Manager (ABM) to Fleet
  • Step 2: Add and verify your domain in Apple Business Manager (ABM)
  • Step 3: Connect (federate) your identity provider (IdP) with Apple Business Manager (ABM)
  • Step 4: Create a team for personal hosts
  • Step 5: Log in on the device to enroll to Fleet (end user's iPhone or iPad)

Step 1: Connect Apple Business Manager (ABM) to Fleet

  1. Follow the instructions to connect ABM to Fleet.

    Note: You may skip this if you have already connected ABM to enable automatic enrollment.

  2. For Account-driven User Enrollment to work, ensure that personal (BYOD) iOS and iPadOS hosts are associated with Fleet in the Default Server Assignment section in Apple Business Manager.

    Note: If you're trying Fleet and testing Account-driven User Enrollment, self-host a service discovery file instead. That way, hosts keep enrolling to your current MDM solution instead of Fleet.

Step 2: Add and verify your domain in Apple Business Manager (ABM)

Follow the Apple documentation to add and verify your company domain in ABM. Use the domain name associated with your work email (for example, yourcompany.com from [email protected]). This enables the automatic creation of Managed Apple Accounts from your identity provider (IdP) accounts in the next step.

Step 3: Connect (federate) your identity provider (IdP) with Apple Business Manager (ABM)

Follow the Apple documentation to connect your identity provider (IdP). This will enable end users to log in to their Managed Apple Account using their existing IdP credentials.

Note: For visual walk-throughs, see Connect Google Workspace to ABM and Connect Microsoft Entra ID to ABM.

Step 4: Create a team for personal hosts

Fleet's best practice is to create a team, e.g., 📱🔐 Personal mobile devices, for personal hosts that have access to company resources.

In this team you can add custom OS settings that are compatible with hosts enrolled with Account-driven User Enrollment. To find out which payloads are compatible with User Enrollment, visit the Apple documentation.

Step 5: Log in on the device to enroll to Fleet (end user's iPhone or iPad)

On their iPhone or iPad, ask end users to:

  1. Open the Settings app.
  2. Go to General > VPN & Device Management.
  3. Tap Sign In to Work or School Account.
  4. Sign in with their IdP credentials (e.g., Google Workspace or Microsoft Entra ID).

After signing in, the device will automatically enroll in Fleet.

Self-host a service discovery file (well-known resource)

Note:

  • If your iOS/iPadOS hosts are running version 18.2 or later, you can skip this. Fleet manages service discovery automatically for these versions.
  • If your iOS/iPadOS hosts are running a version below 18.2 or you're trying Fleet, you'll need to self-host a service discovery JSON file.
  • If you're trying Fleet and using a different MDM solution in production, hosting this file will direct only Account-driven User Enrollments to Fleet. iOS/iPadOS hosts purchased in ABM and hosts using an enrollment profile will still enroll to your current MDM solution.

Host the JSON file below at the following URL: https://<company_domain>/.well-known/com.apple.remotemanagement.

Note: Make sure to include the trailing dot in the URL when hosting the file.

Make sure the Content-Type header is set to application/json.

{
  "Servers": [
    {
      "Version": "mdm-byod",
      "BaseURL": "https://<fleet_server_url>/api/mdm/apple/account_driven_enroll"
    }
  ]
}

Host vitals limitations

Apple limits the host vitals that Fleet can collect on personal iOS/iPadOS hosts.

  • Fleet can't collect serial numbers from personal iOS/iPadOS hosts.
  • Software inventory will only include applications installed by Fleet.