How To Enroll in MDM with Apple Configurator 2

Last updated May 9, 2019

What is Apple Configurator?

Apple Configurator, which is currently on version 2, is a macOS application that allows for the create configurations and then apply them to iOS devices. It also allows the installation of apps to an iOS device. Before Apple Configurator, Apple had an application named iPhone Configuration Utility. Apple Configurator (1 and 2) are essentially the continuation of the iPhone Configuration utility, which is no longer distributed.

The range of configuration options in Configurator cover the gamut of what you might imagine is possible: minimum security requirements for passcodes, VPN configurations, on-device certificates, and even fonts. Generally, any configurations that can be applied via mobile device management (MDM) are also available in Apple Configurator 2.

Apple Configurator 2 provides the ability for an administrator to select which apps to have installed to iOS as well. Once signed in with an Apple ID, any app ever downloaded or purchased under that Apple ID will be available for selection.

Apple Configurator 2 combines these two abilities, configurations (actually called profiles, which are made of up individual payloads) and apps into a parent object called a blueprint. An administrator is able to create multiple blueprints within Apple Configurator 2, whether they are role based (executive, manager, contributor), department based (sales, marketing, support), or some other division. Blueprints can also be layered on a device, allowing devices to have more than just a single blueprint.

Once blueprints have been configured, Apple Configurator 2 can be placed in a mode called ‘prepare’. As iOS devices are connected to the computer running Apple Configurator 2 with a USB to lightning connector, Apple Configurator 2 pushes the configuration to the device. Optionally, devices can also be wiped, have iOS upgraded to the latest version, be placed into supervision mode, enroll with an MDM, among others.

Since the process from plug in to unplug can take some time, especially if wiping, upgrading iOS or switching to supervised mode (which requires a system wipe), many administrators use high-capacity USB hubs. Though we haven’t used it personally, the Cambrionix PowerPad15 is an example of such a USB hub that is used quit extensively for this very purpose. A side note: if looking to purchase a hub, check what capacity of power the hub is capable of providing. If the wattage is too low, devices may not charge whilst plugged in, which may or may not matter depending upon your workflow.

Why Use Both Configurator and MDM?

After explaining the functionality of Apple Configurator 2, an often asked question is: So why do I need MDM if I can manage configurations and apps this way? The question is a fair one, and the the answer largely depends upon your organizational needs.

Apple Configurator 2 can provide parity with MDM for some organizations with limited requirements. The big difference is in the ability to control configurations after deployment. With Configurator, once a device is unplugged from its lightning connection, no further communication is possible unless the device is plugged back in. With MDM, configuration can be controlled over-the-air, meaning wirelessly via WiFi or cellular connection.

Apple Configurator’s ability to manage apps is also very limited. Whereas the Configurator doesn’t extend far beyond allowing you to select apps to install, most MDMs will allow you to distribute company owned app licenses as well as remotely update and remove apps, too. MDM is even capable of pushing app-specific configurations, allowing app developers and IT to work together to automatically sign a user into their app, for instance. If you’re interested in how MDM can be used to simplify app deployment, we strongly recommend this read: Install Apps Remotely to iPads and iPhones which provides a comprehensive view of the many ways to deploy apps, each having their own strengths.

MDM provides a multitude of additional features. Actions are possible, like locking the device, wiping its contents, and monitoring what apps are installed, all remotely. MDM also allows you to access advanced functionalities, like forcing a device to only display a single app. This is great for situations where a device needs to act like an appliance: for instance, a Square point of sale system.

Organizations, if using both of these technologies, will establish a balance between the two. Apple Configurator 2 may be used to make sure all devices are running the latest iOS version, are supervised, and have an initial WiFi network connection, whereas MDM is then used for all further configurations and management. For some organizations, additional tooling, such as GroundControl provides even more control and automation between where Apple Configurator ends and MDM starts.

How To Enroll With MDM Using Apple Configurator 2

The path of least resistance when enrolling a device with MDM is generally using a link, sent to the device by SMS, email, or manually typed. This is a reasonable “get it done” method if you only have a few devices or if employees will be enrolling their devices on their own. It absolutely does not scale for companies with a large number of company-owned devices that to be set up. Instead, an organization will generally use the relatively newer Apple Device Enrollment Program (read Explained: The Apple Device Enrollment Program) to have devices automatically configured with their MDM out-of-the-box, or they’ll use Apple Configurator 2.

We’ll now explain how to configure a device with MDM using Apple Configurator 2. To start, if you haven’t already, download Apple Configurator 2 from the Mac App Store. It’s a free download. Install the app and then run it.

Once the application is running, create any blueprints that you desire to. It isn’t required that blueprints are used, so feel free to skip this step.

Next, click the ‘Prepare’ button from the app top bar.

Supervisor Prepare

Configurator will ask you which mode you’d like to use. Select ‘Manual’ unless you are enrolled with Apple DEP, in which case you probably don’t need to use Apple Configurator 2 in the first place.

Apple Configurator will ask you if you’d like to assign the device to an MDM. Select ‘New server…’ if you haven’t completed this process before. The following screen will allow you to specify a name for your MDM as well as the enrollment URL.

The process for getting an enrollment url varies between MDM vendors. For SimpleMDM, sign in and click the ‘Enroll Devices’ button. Select a group for group enrollment and click ‘Show Enrollment’. An enrollment link will be provided on the screen and will likely look similar to the one in our screenshot. Copy this URL from SimpleMDM and paste it within Configurator. On the next screen, Configurator will allow you to add anchor certificates. When using SimpleMDM, you can leave this as-is.

SimpleMDM Enrollment Interface

The remaining steps do not deal with MDM specifically. You will be asked if you’d like to:

1. Supervise the device and block other computers from managing it.
2. Provide information about your organization to be displayed on the device.
3. Skip certain set-up screens during the initial iOS startup.
4. Create or use an existing configurator identity. This is essentially a certificate that allows you to re-access these devices down the road with Apple Configurator on the same or on a different computer.

Once you’ve completed these steps, Configurator will begin setting up the devices you selected initially or plug in subsequently. As these devices are configured, they will appear in your MDM software automatically. Not bad, right?

I Only Have Windows. Can I Use Apple Configurator?

The strict answer is ‘no’. Apple Configurator software is only for macOS; Apple does not distribute a Windows version.

The nitty gritty answer is ‘sort of’. None of these methods are recommended and may provide more pain than gain, so we generally recommend that organizations in this scenario purchase a Mac Mini to have as a resource for around the office. If interested in going down the rabbit hole, here are some methods that we’ve heard employed:

1. Apple used to distribute a Windows version of the iPhone Configuration Utility. It’s still available on c|net here. Note that the last version of this software was released in January of 2013. At best it’s missing many features and at worse it won’t work at all.

2. Run macOS as a virtual machine on Windows. We’re pretty sure this breaks Apple macOS software licensing rules, so we cannot recommend this methodology. We’ve heard some reports that most virtual machine software handles USB emulation in a manner that causes issues when connecting and disconnection iOS devices, but we cannot confirm this.

3. Use Apple DEP instead. Apple DEP can generally be used as a substitute to Apple Configurator when MDM is also being used. Apple DEP devices are ready out-of-the-box, eliminating the need for USB connections and extra touches. Referenced earlier, you can learn more about Apple DEP via this article. If you’d like to use DEP, apply for an account at deploy.apple.com.

If you aren’t already using MDM, manage your devices with a SimpleMDM account. If you have any questions, feel free to ask them in the comments section. We’re here to help!

Comments (2)

Greetings,

As a quick background, I’m already set up in Apple w/ Apple DEP and I am hoping to use an MDM such as SimpleMDM to manage internal iOS devices. Obviously, it’s best if devices are added into DEP by Apple so that they show up in DEP automatically. However, Apple provides for the use of Apple Configurator in cases where a customer did not purchase the iOS device directly from Apple. In fact, I do this at work, using a different MDM with Apple Configurator 2. Does SimpleMDM support the adding of iOS devices via Configurator, as this other MDM does? In essence, I can then transfer the serial number from the Apple Configurator ‘MDM server’ entry into the SimpleMDM one, via business.apple.com.

I appreciate any help you can provide,

–Peter

Leave a Reply

Your email address will not be published. Required fields are marked *

See Why Apple Admins Prefer SimpleMDM

Start My FREE 30-Day Trial Now
  • How to Enroll an Apple TV in MDM - 4 Methods

    By on January 24, 2019
    Read more
  • How To Sign macOS PKGs for Deployment with MDM

    By on October 4, 2018
    Read more
  • How To Use Custom Configuration Profiles With Custom Attributes

    By on September 17, 2018
    Read more

See Why Apple Admins Prefer SimpleMDM No strings. No Spam.

Start My 30-Day Free Trial Now