To manage iOS devices in Endpoint Management, you set up an Apple Push Notification service (APNs) certificate from Apple. For information, see APNs certificates.

Endpoint Management enrolls iOS devices into MDM+MAM mode, with the option for users to register in MAM-only mode. Endpoint Management supports the following authentication types for iOS devices in MDM+MAM mode. For information, see the articles under Certificates and authentication.

  • Domain
  • Domain plus security token
  • Client certificate
  • Client certificate plus domain
  • Derived credentials

A general workflow for starting iOS device management is as follows:

  1. Complete the onboarding process. See Onboarding and resource setup and Prepare to enroll devices and deliver resources.

  2. Choose and configure an enrollment method. See Supported enrollment methods.

  3. Configure iOS device policies.

  4. Enroll iOS devices that use user-provided credentials.

  5. Set up device and app security actions. See Security actions.

For supported iOS devices, see Supported device operating systems.

Supported enrollment methods

The following table lists the enrollment methods that Endpoint Management supports for iOS devices:

| Method | Supported |
|---|---|
| Apple Device Enrollment Program (DEP) | Yes |
| Apple School Manager DEP | Yes |
| Apple Configurator | Yes |
| Manual enrollment | Yes |
| Enrollment invitations | Yes |

Apple has device enrollment programs for business and education accounts. For business accounts, you enroll in the Apple Deployment Program to use the Apple Device Enrollment Program (DEP) for device enrollment and management in Endpoint Management. That program is for iOS, macOS, and Apple TV devices. See Deploy devices through Apple DEP.

For education accounts, you create an Apple School Manager account. Apple School Manager unifies the Device Enrollment Program (DEP) and Volume Purchase Program (VPP). Apple School Manager is a type of Education DEP. See Integrate with Apple Education features.

You can use the Apple Device Enrollment Program (DEP) to bulk enroll iOS, macOS, and Apple TV devices. You can purchase those devices directly from Apple, a participating Apple Authorized Reseller, or a carrier. Whether or not you purchase iOS devices directly from Apple, you can use the Apple Configurator to enroll those devices. See Bulk enrollment of Apple devices.

Configure iOS device policies

Use these policies to configure how Endpoint Management interacts with devices running iOS. This table lists all device policies available for iOS devices.

| AirPlay mirroring | AirPrint | APN |
| App access | App attributes | App configuration |
| App inventory | App lock | App network usage |
| App uninstall | Apps notifications | Calendar (CalDAV) |
| Cellular | Contacts (CardDAV) | Control OS update |
| Credentials | Device name | Education configuration |
| Exchange | Font | Home screen layout |
| Import iOS & macOS profile | LDAP | Location |
| Lock screen message | Mail | Managed domains |
| MDM options | Organization info | Passcode |
| Personal Hotspot | Profile removal | Provisioning profile |
| Provisioning profile removal | Proxy | Restrictions |
| Roaming | SCEP | Shared iPad - Maximum resident users |
| Shared iPad - Passcode lock grace period | SSO account | Store |
| Subscribed calendars | Terms & conditions | VPN |
| Wallpaper | Web content filter | Webclip |

Enroll iOS devices that use user-provided credentials


For more information, see Enroll iOS devices that use derived credentials.

  1. Download the Secure Hub app from the Apple iTunes App Store on the device and then install the app on the device.

  2. On the iOS device Home screen, tap the Secure Hub app.

  3. When the Secure Hub app opens, enter the server address that your help desk provided.

    The screens presented might differ from these examples, depending on how Endpoint Management is configured.

    Image of Secure Hub with server address prompt

  4. When prompted, enter your user name and password or PIN. Click Next.

    Image of sign-on screen

  5. When prompted to enroll, click Yes, Enroll and then enter your credentials when prompted.

    Image of Yes, Enroll button

  6. Tap Install to install the Citrix Profile Services.

    Image of Citrix Profile Services screen

  7. Tap Trust.

    Image of Remote Management trust screen

  8. Tap Open and then enter your credentials.

    Image of Secure Hub open prompt

    Image of credentials prompt

Security actions

iOS supports the following security actions. For a description of each security action, see Security actions.

| Activation Lock Bypass | App Lock | App Wipe |
| ASM DEP Activation Lock | Clear Restrictions | Enable/Disable Lost Mode |
| Enable/Disable Tracking | Full Wipe | Locate |
| Lock | Ring | Request/Stop AirPlay Mirroring |
| Restart/Shut Down | Revoke/Authorize | Selective Wipe |