Login  
Hello there!

Need Help? We are right here!
miniOrange Support Chat - Get Help and Support
miniOrange Email Support
Success Checkmark - Form Submitted Successfully

Thanks for your Enquiry.

If you don't hear from us within 24 hours, please feel free to send a follow-up email to uemsupport@xecurify.com

Search Results:

×

Contents


User enrollment (BYOD)

This flow enables User Enrollment (BYOD) using Apple Account-Driven Enrollment. In this flow, users sign in with their corporate identity, which triggers the device to create a managed Apple partition specifically for work. This architectural separation ensures that personal data remains isolated from the managed work volume, maintaining user privacy while allowing secure corporate management.


Prerequisites

1. APNs certificate

APNs must already be configured before you rely on this enrollment path.

  • APNs is the communication channel between your MDM and Apple devices.
  • Without APNs, devices may appear to enroll, but the server cannot reliably deliver commands over Apple’s push service.

Complete APNs Certificate in this handbook first.

2. Verified corporate domain

Example: mycompany.com

  • The domain must be publicly resolvable and reachable for Apple’s checks.
  • It must serve valid HTTPS only (no broken or self-signed certificates in production).

3. Web server access

Publish Apple’s service discovery document over HTTPS at the fixed path Apple expects on that domain—for example:

https://yourdomain.com/.well-known/com.apple.remotemanagement

4. OAuth provider

Configure identity for the same corporate domain using one of:

  • Google
  • Microsoft Entra ID
  • Any custom Identity Provider

Step-by-step configuration

Configure service discovery in the UEM console, publish the JSON on your domain, then confirm from the dashboard.

  • Sign in to the miniOrange Unified Endpoint Management (UEM) dashboard.
  • Open Getting Started → Apple → User Enrollment and click Configure Service Discovery.
    • Configure Apple service discovery in miniOrange UEM

  • Enter your corporate domain (for example yourdomain.com). It must match the user email domain and the OAuth identity domain you use for sign-in.
    • Enter corporate domain for Apple Account-Driven enrollment in miniOrange UEM

  • Download the service discovery file from the console. It carries the MDM server endpoint and enrollment metadata Apple expects at the well-known URL.
  • Publish that file on your web server so it is available at https://yourdomain.com/.well-known/com.apple.remotemanagement (replace yourdomain.com with your verified domain). The path and filename are part of Apple’s contract with the device; a typo causes enrollment to fail.

    • Correct server setup (critical)

    RequirementValue
    ProtocolHTTPS
    Path/.well-known/
    Filenamecom.apple.remotemanagement
    Content-Typeapplication/json

    Important: Wrong or missing Content-Type often produces a silent failure on the device—treat correct headers as mandatory in production.


Optional: Apache configuration

If you serve the file from Apache, you can force JSON headers for that file, for example:

<Files "com.apple.remotemanagement">
    Header set Content-type 'application/json'
</Files>

After the file is hosted and headers are correct, return to User Enrollment in the UEM dashboard and use the Reload (↻) control to validate service discovery. Fix any reported errors before inviting users.