Cortado Support


Embedding private iOS/iPadOS devices (BYOD)

Apple provides User Enrollment for setting up a workspace on private iOS devices. With User Enrollment, the workspace is clearly separated from the privately used area on the device. This enrollment method is therefore recommended when integrating privately owned iOS devices that will be provided with a managed workspace (BYOD – Bring Your Own Device). Users can manage the workspace themselves using the Cortado app.

As the administrator, you only have access to the workspace and have the option to delete it from the device (Partial Wipe). The user's private data can be neither viewed nor deleted.

Creating a managed Apple ID

Set up account driven User Enrollment

Registering mobile devices

Creating a managed Apple ID

Using User Enrollment requires the creation of managed Apple IDs.
Open the Apple Business Manager for this. Then create a separate managed Apple ID for each user under Accounts (left arrow in illus.). The Apple ID should correspond to the user's e-mail address (with company domain).

Note! Managed Apple IDs must belong to a verified domain.

enter user to Apple Business Manager

Proceed as described in the Apple Business Manager User Guide. The users will subsequently receive an email from Apple with the managed Apple ID and a temporary password.

Enter the managed Apple ID for each user under Administration → Users → Settings → Edit in the Administration Portal.

select user and click edit

Set up account driven User Enrollment

Caution! This setup step is now mandatory; otherwise user registration will fail.
  • Create a JSON file that contains the registration information (content type: application/json).
  • The content of the JSON file must look like this:
{"Servers":[{"BaseURL":"https://go.mycortado.com/Push.svc/mdm/apple/enroll/byod","Version":"mdm-byod"}]}
  • Set up the file in the same domain in which the users log in and publish it.
  • Use your organization's domain instead of mycompany.com. This must match the e-mail address of the managed Apple ID.
  • Create the JSON file with the name com.apple.remotemanagement and host it on your web server. The web server must have the same domain name as the verified domain to which the managed Apple IDs belong. 
  • Publish the file in a domain that supports HTTP GET requests.
  • Apple retrieves the file via an HTTP GET request to “https://mycompany.com/.well-known/com.apple.remotemanagement”.
  • To check whether the JSON file is hosted correctly, enter the following link in a browser: “https://mycompany.com/.well-known/com.apple.remotemanagement”. Replace mycompany.com (highlighted in the image) with your domain.
  • If the JSON file has been implemented correctly, the following view is returned in the browser:

create JSON file

Please find further information on the Apple developer website.
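
The browser check from the steps above can also be scripted so that status code, content type and JSON content are verified together. The following Python sketch is an added example, not part of Cortado's or Apple's documentation; the function names and the sample address are made up for illustration, and it checks only what this article states (HTTPS GET, content type application/json, a "Servers" list whose entries have an https BaseURL and the Version mdm-byod).

```python
import json
import urllib.error
import urllib.request
from urllib.parse import urlsplit

WELL_KNOWN_PATH = "/.well-known/com.apple.remotemanagement"

def discovery_url(managed_apple_id):
    """Build the well-known URL from the domain part of a managed Apple ID."""
    local, sep, domain = managed_apple_id.rpartition("@")
    if not sep or not local or not domain:
        raise ValueError("managed Apple ID must look like user@domain")
    return "https://" + domain.lower() + WELL_KNOWN_PATH

def check_response(status, content_type, body):
    """Return a list of problems found; an empty list means the file looks correct."""
    problems = []
    if status != 200:
        problems.append(f"HTTP status {status}, expected 200")
    if content_type.split(";")[0].strip().lower() != "application/json":
        problems.append(f"content type {content_type!r}, expected application/json")
    try:
        servers = json.loads(body)["Servers"]
    except (ValueError, KeyError, TypeError):
        return problems + ["body is not JSON with a top-level 'Servers' key"]
    if not isinstance(servers, list) or not servers:
        return problems + ["'Servers' must be a non-empty list"]
    for i, entry in enumerate(servers):
        entry = entry if isinstance(entry, dict) else {}
        url = urlsplit(str(entry.get("BaseURL", "")))
        if url.scheme != "https" or not url.netloc:
            problems.append(f"Servers[{i}].BaseURL is not an https URL")
        if entry.get("Version") != "mdm-byod":
            problems.append(f"Servers[{i}].Version is not 'mdm-byod'")
    return problems

def check_domain(managed_apple_id, timeout=10):
    """Fetch the file with an HTTP GET (needs network access) and validate it."""
    req = urllib.request.Request(discovery_url(managed_apple_id), method="GET")
    try:
        with urllib.request.urlopen(req, timeout=timeout) as resp:
            return check_response(resp.status, resp.headers.get("Content-Type", ""), resp.read())
    except urllib.error.HTTPError as err:  # e.g. 404 when the file is not published
        return check_response(err.code, err.headers.get("Content-Type", ""), err.read())

if __name__ == "__main__":
    # Constructed sample address; replace it with a real managed Apple ID.
    for problem in check_domain("jane.doe@mycompany.com") or ["OK"]:
        print(problem)
```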

Registering mobile devices

Users can now configure their devices themselves. They can find out how this works in our help article Enroll private iOS devices (User Enrollment). To log in to My Cortado, users who have been imported from Microsoft Entra ID use the login data of their Microsoft account. Local users must generate their own password using the invitation email. The invitation email is sent automatically when new users are added to the administration portal. You can find more information about the invitation email here.


