Enable Apple User Enrollment with Simple Service Discovery Server in Intune


Apple introduced Account Driven Apple User Enrollment as a privacy-centric way to manage personal devices in enterprise and education environments. It enables organizations to securely manage corporate apps and data on employee-owned (BYOD) devices without compromising personal privacy.

A crucial part of this process is the Service Discovery Server, which enables seamless enrollment into Mobile Device Management (MDM) systems.

This article explains the purpose of the Service Discovery Server and how to create one for Account Driven Apple User Enrollment.

Role of the Service Discovery Server: it is mandatory for any organization that lets users enroll their devices via Account Driven Apple User Enrollment.

When a user attempts to enroll their device using a company domain (e.g., user@company.com), the Service Discovery Server directs the Managed Apple ID and the enrollment process to the correct organization's tenant.

How the Service Discovery Process Works:

1- Enrollment Trigger: the user starts Account Driven Apple User Enrollment on their Apple device by entering their Managed Apple ID (e.g., jane.doe@company.com).
2- Domain Query: the Apple device takes the domain part of that ID (e.g., company.com) and uses it to discover the associated Service Discovery Server.
3- DNS Lookup: Apple checks for an A record for that domain.
4- MDM URL Response: once the DNS query succeeds, the discovery server returns the MDM enrollment URL to the device, allowing it to proceed to the correct MDM platform.
5- Authentication and Enrollment: the user logs in with their Managed Apple ID or work credentials, and the MDM service applies policies and the work profile as part of User Enrollment.

How to Set Up the Service Discovery Server:

1- Set up a normal Windows machine or a Windows Server VM, either on Azure or in your on-premises environment.
2- After accessing the machine, open the Start menu, search for "Turn Windows features on or off" and select IIS; on Windows Server, open Server Manager, choose Add Roles and select IIS.

3- Open IIS, click on Default Web Site and select "MIME Types".
Click Add to create a new extension and define how it is handled:
file name extension '.remotemanagement', MIME type 'application/json'.
IIS needs this mapping because the file created below is named 'com.apple.remotemanagement', so IIS treats '.remotemanagement' as its extension and refuses to serve a file whose extension has no MIME type.

4- Click on Default Web Site again, select Directory Browsing and enable it.

5- Go to C:\inetpub, create a folder inside it named '.well-known', and create a text file inside that folder.
Then rename the text file, removing both the name and the extension, to 'com.apple.remotemanagement'.
6- Edit the 'com.apple.remotemanagement' file with Notepad and add the following content (use straight double quotes; curly quotes are not valid JSON):
===============================================
{"Servers":[{"Version":"mdm-byod", "BaseURL":"https://manage.microsoft.com/EnrollmentServer/PostReportDeviceInfoForUEV2?aadTenantId=YOUR Tenant ID Goes HERE"}]}
===============================================
You can get the Tenant ID from entra.microsoft.com (Microsoft Entra admin center): click Identity, then Overview, and you should see the Tenant ID.

Now save the 'com.apple.remotemanagement' file and test the IIS server.

Try to access localhost/.well-known/com.apple.remotemanagement

7- You should see this response:

8- You can now point your organization's DNS records at the public IP of that server, and try to access it externally by domain name or IP.

9- The browser now confirms that enrollment requests are directed to the new VM or server and that all of its replies are in JSON format.
 
10- The last action needed is to enable HTTPS: generate a certificate from your domain's CA and install it on the new VM or server. Since the enrolling devices are personal devices that are not yet managed, the certificate must chain to a root those devices already trust, so a certificate from a publicly trusted CA is the safe choice.
11- Then in IIS, click on Default Web Site again and, in the right panel, select Bindings.
Add HTTPS and, under SSL Certificate, select the certificate you just installed on this server.

Don't forget to restart the IIS server.
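As an added check (not from the original article), the following Python reads a discovery response the way an enrolling device would and flags the mistakes the steps above can produce: a wrong Content-Type (MIME mapping missed), curly quotes or a UTF-8 BOM in the file, the tenant-ID placeholder left in, or plain HTTP instead of HTTPS. The Intune host and path come from the BaseURL above; the sample bodies and the GUID in them are constructed.

```python
import json
import uuid
from urllib.parse import parse_qs, urlparse

# Intune endpoint from the article's BaseURL; aadTenantId is checked separately.
INTUNE_HOST = "manage.microsoft.com"
INTUNE_PATH = "/EnrollmentServer/PostReportDeviceInfoForUEV2"

def validate_discovery(body: bytes, content_type: str, scheme: str = "https") -> list[str]:
    """Return a list of problems; an empty list means the response looks correct."""
    problems = []
    if scheme != "https":
        problems.append(f"served over {scheme}; the discovery URL must be HTTPS (step 10)")
    if content_type.split(";")[0].strip().lower() != "application/json":
        problems.append(f"Content-Type {content_type!r} is not application/json "
                        "(check the .remotemanagement MIME mapping from step 3)")
    if body.startswith(b"\xef\xbb\xbf"):  # a UTF-8 BOM written by the editor breaks json.loads
        problems.append("body starts with a UTF-8 BOM; save the file without one")
        body = body[3:]
    text = body.decode("utf-8", errors="replace")
    if "\u201c" in text or "\u201d" in text:  # curly quotes from a copy-paste
        problems.append("body contains curly quotes; JSON needs straight double quotes")
        return problems
    try:
        doc = json.loads(text)
    except json.JSONDecodeError as exc:
        problems.append(f"body is not valid JSON: {exc.msg}")
        return problems
    servers = doc.get("Servers") if isinstance(doc, dict) else None
    if not (isinstance(servers, list) and servers and all(isinstance(s, dict) for s in servers)):
        problems.append("'Servers' must be a non-empty array of objects")
        return problems
    for i, srv in enumerate(servers):
        if srv.get("Version") != "mdm-byod":
            problems.append(f"Servers[{i}].Version is {srv.get('Version')!r}, expected 'mdm-byod'")
        url = urlparse(srv.get("BaseURL", ""))
        if (url.scheme, url.netloc, url.path) != ("https", INTUNE_HOST, INTUNE_PATH):
            problems.append(f"Servers[{i}].BaseURL does not point at https://{INTUNE_HOST}{INTUNE_PATH}")
        tenant = parse_qs(url.query).get("aadTenantId", [""])[0]
        try:
            uuid.UUID(tenant)  # a real tenant ID is a GUID
        except ValueError:
            problems.append(f"Servers[{i}].BaseURL aadTenantId {tenant!r} is not a GUID (placeholder?)")
    return problems

# Constructed sample bodies (not captured from a real server); the GUID is a dummy value.
GOOD_BODY = (b'{"Servers":[{"Version":"mdm-byod","BaseURL":"https://manage.microsoft.com'
             b'/EnrollmentServer/PostReportDeviceInfoForUEV2?aadTenantId='
             b'11111111-2222-3333-4444-555555555555"}]}')
PLACEHOLDER_BODY = GOOD_BODY.replace(b"11111111-2222-3333-4444-555555555555", b"YOUR Tenant ID Goes HERE")
```

Feed it the body and Content-Type header you get from requesting https://your-domain/.well-known/com.apple.remotemanagement; an empty list means the device will get the document it expects.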


With all these steps, you have completed the prerequisite Apple requires before users can enroll BYOD iOS devices via Account Driven Apple User Enrollment.

To learn more about Apple User Enrollment requirements and the end-user experience, see the next article, Apple User Enrollment Explained.
