Planning your Deployment
- Introduction
- Enrollment Methods
- Authentication & Assignment Options
- Integrations
- Management Profiles and Configurations
Introduction
The basis for any deployment includes the following:
- How will devices be enrolled?
- How will devices be assigned - to users, shared device groups, etc.?
- Will users be imported and from which source?
- Who will complete the enrollment process - IT or end users (students/teachers)?
- What configurations should be applied and which apps should be installed?
The following sections provide information on what can be accomplished using Mosyle for your deployment to help with the discussion and decision-making for the questions above.
Enrollment Methods
When planning your deployment, you need to consider how the devices will be enrolled. When possible, it's always recommended to erase devices and enroll them fresh into the MDM using Automated Device Enrollment. If that's not possible, you can use any of the other enrollment methods.
Most deployments utilize Automated Device Enrollment or some combination of Automated Device Enrollment and Device Enrollment.
Automated Device Enrollment
Mosyle supports Automated Device Enrollment, which enrolls devices over the air by syncing an enrollment profile with Apple servers. Users complete enrollment by erasing the device and then going through the Setup Assistant: once the device is connected to a network, it retrieves the enrollment profile from Apple servers and completes the enrollment. With Automated Device Enrollment, devices can be handed directly to users so they can complete the enrollment themselves, accomplishing a zero-touch deployment.
Enrolling with Automated Device Enrollment locks the MDM enrollment profile on the device so that it cannot be manually removed by the user.
NOTES:
- iPhone and iPad devices must be erased in order to be enrolled using Automated Device Enrollment
- Mac computers can be enrolled using Automated Device Enrollment without erasing by using a Terminal command. The user will need Admin rights to complete the installation of the enrollment profile and some settings configured in the Automated Device Enrollment profile may not apply using this method.
Device Enrollment
If erasing devices is not possible, you can still enroll them using Device Enrollment. For iPhone and iPad devices, you can complete enrollment using Apple Configurator 2 or by entering the Safari enrollment URL. For Mac computers, you can complete enrollment by entering the Safari enrollment URL and manually installing the MDM enrollment profile. Users will need Admin rights to complete the installation of the MDM enrollment profile.
This method of enrollment requires a more hands-on approach to ensure users are properly installing the MDM profile. Keep in mind, the MDM enrollment profile cannot be locked on the device and can be manually removed when using this method of enrollment.
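On Mac computers, which of the two methods above was used can be checked on the device itself. The following is an added example, not part of Mosyle's documentation: it classifies the output of the macOS command "profiles status -type enrollment" so that Macs enrolled outside Automated Device Enrollment, whose MDM profile can be manually removed, stand out in an inventory. The sample outputs and the label names are constructed for this example.

```shell
#!/bin/sh
# Added example: classify a Mac's MDM enrollment state.
# Input is the text printed by `profiles status -type enrollment`.
# Labels (ade, device-enrollment, not-enrolled, unknown) are this example's own.

classify_enrollment() {
    # Reads the command output on stdin and prints exactly one label.
    awk -F': *' '
        /^Enrolled via DEP:/ { dep = $2 }
        /^MDM enrollment:/   { mdm = $2 }
        END {
            # Missing lines mean the output could not be interpreted.
            if (dep == "" || mdm == "") { print "unknown"; exit }
            if (mdm !~ /^Yes/)          { print "not-enrolled"; exit }
            # Enrolled through Automated Device Enrollment.
            if (dep ~ /^Yes/)           { print "ade"; exit }
            # Enrolled manually: the MDM profile can be removed by the user.
            print "device-enrollment"
        }'
}

# Constructed sample outputs (the server URL is a placeholder).
SAMPLE_ADE='Enrolled via DEP: Yes
MDM enrollment: Yes (User Approved)
MDM server: https://mdm.example.invalid/checkin'

SAMPLE_MANUAL='Enrolled via DEP: No
MDM enrollment: Yes (User Approved)
MDM server: https://mdm.example.invalid/checkin'

SAMPLE_NONE='Enrolled via DEP: No
MDM enrollment: No'

# On a Mac, classify the live state; elsewhere, show the constructed samples.
if command -v profiles >/dev/null 2>&1; then
    profiles status -type enrollment 2>/dev/null | classify_enrollment
else
    for sample in "$SAMPLE_ADE" "$SAMPLE_MANUAL" "$SAMPLE_NONE"; do
        printf '%s\n' "$sample" | classify_enrollment
    done
fi
```

A result of "device-enrollment" marks a Mac to re-enroll through Automated Device Enrollment when erasing it becomes possible.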
User Enrollment
Users can complete User Enrollment by logging in to the device or specified URL with their Managed Apple ID. User Enrollment is beneficial in environments where students or teachers bring their own devices and need access to school or district resources, such as apps or books.
User Enrollment requires users to be registered in Mosyle with their school/district Managed Apple ID.
Authentication & Assignment Options
As mentioned, Mosyle is organized to make management and the configuration of devices as intuitive as possible, allowing you to assign configurations based on the user who is using the device, the grade level or class the assigned user is associated with, or the shared device group or dynamic device group the device belongs to.
Since configurations can be assigned to specific users, it's important users are assigned or associated with the specific device, or devices, they use. Assignment of devices can be fully automated so that students or teachers simply authenticate with their school credentials and Mosyle will automatically pair them with the device. In order to do this, users must be imported into Mosyle.
An ideal zero-touch deployment flow would include users imported into Mosyle and devices enrolled using Automated Device Enrollment, along with prompting users for authentication during the enrollment in order to complete the device assignment. From there, management profiles and applications that are assigned to the user will automatically be deployed upon device enrollment. This enrollment example is dependent on the user completing the device enrollment.
If the IT team or a provisioning service will be enrolling devices, user authentication during enrollment may not be ideal. Instead, device assignment can be completed by students or teachers authenticating in the Mosyle Manager app on iOS/iPadOS or via a login event on macOS, either through the native macOS login window or Mosyle Auth.
Integrations
Mosyle supports integration with Apple School Manager and Active Directory to import students, teachers, staff, grade levels, and classes. If the school data is not available in ASM or Active Directory, it can be created manually within the web panel, or in bulk using the Spreadsheet import or API integration.
When importing users, it's important to ensure the correct email address and user ID are imported into Mosyle. If apps and books will be deployed using user-based license assignment, or if User Enrollment will be used, it's important to also import the user's Managed Apple ID.
Management Profiles and Configurations
Any and all configurations and profiles created and assigned to the device will be applied immediately upon enrollment. Configurations and profiles assigned to the user, grade level, course/class, or shared device group will be applied once the device is assigned to the user or shared device group.
This allows you to build out all management configurations needed so that once devices are enrolled and assigned, they will be provisioned and protected as expected and ready for use.