XenMobile

Bulk enrollment of Apple devices

You can enroll large numbers of iOS, iPadOS, and macOS devices in XenMobile in two ways.

  • Use the Apple Deployment Program to enroll the iOS, iPadOS, and macOS devices that you buy directly from Apple, a participating Apple Authorized Reseller, or a carrier. That support includes Shared iPads. XenMobile supports the Apple Deployment Program for Apple Business Manager (ABM) and Apple School Manager (ASM) for Education. This article describes how to integrate multiple devices with your ABM account. For information on enrolling in ABM and connecting your ABM account with XenMobile, see Deploy devices through Apple Deployment Program. For information about Apple School Manager accounts, see Integrate with Apple Education features.

    For enrollment of macOS devices, XenMobile requires that the devices run macOS 10.10 or later.

  • You can also use Apple Configurator 2 to enroll iOS devices whether you purchased them directly from Apple or not.

With ABM:

  • You don't have to touch or prepare the devices. Instead, you submit device serial numbers or purchase order numbers through ABM to configure and enroll the devices.
  • After XenMobile enrolls the devices, you can give them to users who can start using them right away. When you set up devices with ABM, you can eliminate some of the Setup Assistant steps that users would have to complete when they first start their devices.
  • For more information on setting up ABM, see the documentation available from Apple Business Manager.

With Apple Configurator 2:

  • You attach iOS devices to an Apple computer running macOS 10.7.2 or later and the Apple Configurator 2 app. You prepare the iOS devices and configure policies through Apple Configurator 2.
  • After you provision the devices with the required policies, the first time the devices connect to XenMobile, the devices receive policies from XenMobile. You can then start managing the devices.
  • For more information about using Apple Configurator 2, see the Apple Configurator Help.

Prerequisites

Open required ports for connectivity between XenMobile and Apple. For more information, see Port requirements.

Integrate your Apple Business Manager account with XenMobile

If you do not have an ABM account set up with XenMobile, complete the following steps in Deploy devices through Apple Deployment Program.

  • Enroll in Apple Business Manager.
  • Connect your Apple Business Manager account with XenMobile.
  • Order Deployment Program enabled devices.
  • Manage Deployment Program enabled devices.

Set a default server for bulk enrollment

To assign large orders of iOS, iPadOS, and macOS devices to an MDM server, you can set XenMobile as the default server.

  1. Sign in to Apple Business Manager using an administrator or device enrollment manager account.
  2. In the sidebar, click Settings > Device Management Settings.
  3. Choose an existing MDM server. Under Default Device Assignment, click Change. Select the default XenMobile server for each device type. Click Done.

Configure deployment rules of device policies and apps for ABM accounts

You can associate ABM accounts with different device policies and apps by using the Deployment Rules section under Configure > Device Policies and Configure > Apps. You can specify that a policy or app either:

  • Deploys only for a particular ABM account.
  • Deploys for all ABM accounts except the one selected.

The list of ABM accounts includes only those accounts with a status of enabled or disabled. If the ABM account is disabled, the ABM device doesn’t belong to this account. Therefore, XenMobile doesn’t deploy the app or policy to the device.

In the following example, a device policy deploys only for devices with the ABM account name “ABM Account NR”.

Apple device program settings screen

User experience when enrolling an Apple Deployment Program enabled device

When users enroll an Apple Deployment Program enabled device, their experience is as follows.

  1. Users start their Apple Deployment Program enabled device.

  2. XenMobile delivers the Apple Deployment Program configuration that you configured in the XenMobile console to the Apple Deployment Program enabled device.

  3. Users configure the initial settings on their device.

  4. The device automatically starts the XenMobile device enrollment process.

  5. Users continue to configure the other initial settings on their device.

  6. In the home screen, users might be prompted to sign in to Apple App Store so that they can download Citrix Secure Hub.

    Note:

    This step is optional if you configure XenMobile to deploy the Secure Hub app using the device-based volume purchase app assignment. In this case, you don’t need to create an Apple App Store account or use an existing account.

    Apple Deployment Program setup

  7. Users open Secure Hub and type their credentials. If required by the policy, users might be prompted to create and verify a Citrix PIN.

    XenMobile deploys any remaining required apps to the device.

To configure Apple Configurator 2 settings

You can configure and deploy iPhone and iPad devices in bulk using Apple Configurator 2 instead of Apple Business Manager.

Step 1: Configure settings in XenMobile

  1. In the XenMobile console, go to Settings > Apple Configurator Device Enrollment.

    Apple deployment program settings screen

  2. Set Enable Apple Configurator device enrollment to Yes.

  3. The Enrollment URL to enter in Apple Configurator is a read-only field. This setting provides the URL for the XenMobile server that communicates with Apple. Copy and paste this URL when you configure settings in Apple Configurator 2. The enrollment URL is the XenMobile server fully qualified domain name (FQDN), such as mdm.server.url.com, or the IP address.

  4. To prevent unknown devices from enrolling, set Require device registration before enrollment to Yes. Note: If this setting is Yes, you must add the configured devices to Manage > Devices in XenMobile manually or through a CSV file before enrollment.

  5. To require users of iOS devices to enter their credentials when enrolling, set Require credentials for device enrollment to Yes. The default is not to require credentials for enrollment.

  6. Note: If the XenMobile server is using a trusted SSL certificate, skip this step. Click Export anchor certs and save the certchain.pem file to the macOS keychain (login or System).

    Apple deployment program settings screen

Step 2: Configure settings in Apple Configurator 2

  1. Install Apple Configurator 2 from the App Store.

  2. Use a Dock Connector-to-USB cable to connect devices to the Mac running Apple Configurator 2. You can configure up to 30 connected devices simultaneously. If you do not have a Dock Connector, use one or more powered USB 2.0 high-speed hubs to connect the devices.

  3. Start Apple Configurator 2. The configurator shows any devices that you can prepare for supervision.

  4. To prepare a device for supervision:

    • Select Supervise devices if you intend to maintain control of the device by reapplying a configuration regularly. Click Next.

      Important:

      Placing a device into Supervised mode installs the selected version of iOS on the device, completely wiping the device of any previously stored user data or apps.

    • In iOS, click Latest for the latest version of iOS that you want to install.

  5. In Enroll in MDM Server, choose an MDM server. To add a new server, click Next.

  6. In Define an MDM server, provide a name for the server and paste the MDM server URL from the XenMobile console.

  7. In Assign to organization, choose an organization to supervise the device.

    For more information on preparing devices with Apple Configurator 2, see the Apple Configurator help page, Prepare devices.

  8. As each device is prepared, turn it on to start the iOS Setup Assistant, which prepares the device for first-time use.

To assign devices from Apple Configurator 2 to Apple Business Manager

You can associate iPhone and iPad devices from Apple Configurator 2 with your Apple Business Manager account. When you add devices, they appear in the Devices section. These devices no longer include enrollment settings assigned through Apple Configurator 2. For more information, see Assign devices added from Apple Configurator 2 to Apple Business Manager.

Renew or update certificates when using the Apple Deployment Program

When the XenMobile Secure Sockets Layer (SSL) certificate is renewed, you upload a new certificate in the XenMobile console in Settings > Certificates. In the Import dialog box, in Use as, click SSL Listener so that the certificate is used for SSL. After you restart the server, XenMobile uses the new SSL certificate. For more information about certificates in XenMobile, see Uploading Certificates in XenMobile.

It is not necessary to reestablish the trust relationship between Apple Deployment Program and XenMobile when you renew or update the SSL certificate. You can, however, reconfigure your Apple Deployment Program settings at any time by following the preceding steps in this article.

For more information about the Apple Deployment Program, see the Apple documentation.

Renew your connection between the Apple Deployment Program and XenMobile

XenMobile displays a License Expiration Warning when your Automated Device Enrollment server token expires.

License Expiration Warning

Replace the token from Apple School Manager/Apple Business Manager.

Step 1: Download a public key from your XenMobile server

  1. In the XenMobile console, go to Settings > Apple Deployment Program to download a new public key.

Step 2: Create and download a server token file from your Apple account

  1. Sign in to Apple Business Manager to download the token.

  2. Open Settings and select the server from which you need a token. Click Edit.

  3. Under MDM Server Settings, upload the new public key you downloaded from XenMobile and save the changes.

  4. Click Download Token to download the new token.

Step 3: Upload a server token file in XenMobile

  1. In Citrix XenMobile, go to Settings > Apple Deployment Program.

  2. Select the Deployment Program account, click Edit, and upload your server token file.

  3. Click Next and save the changes.