Hi All!
I absolutely love the changes this year around user enrollment. It seems this flow will be much easier for a user to enroll their device.
However, I am curious about the design decisions around the new account driver user enrollment flow. From a vendor perspective, it seems like it could potentially be improved further for sake of the end-user experience.
For a cloud-hosted MDM provider, the MDM provider would need to instruct customers to place a file within their web host "/.well-known/com.apple.remotemanagement".
I'm curious since a user has to authenticate with a Managed Apple ID anyway during the process, why not have that part done first, and associate a "dep profile" with a Managed Apple ID. Similar to how we associate a "dep profile" with a device available for automated device enrollment.
That way, the discovery is all done on Apple's end, and potentially only a single authentication is required unless the MDM inserts an authentication webview into the process the same way it can optionally be done for ADE/DEP enrollments.
i.e.
User attempts sign in with Managed Apple ID -> Apple performs discovery for enrollment profile based on MAID -> user is prompted to enroll to sign in -> MDM optionally displays a webview (similar to ADE/DEP) -> session token granted -> user enrolls
It seems like it would be easier for the end user if we could reduce the number of sign-ins required during an enrollment process.
I would love to hear others' thoughts on the new process and user enrollment in general.
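To make the discovery step the post refers to concrete, here is an added example (my own, not Apple's code or any MDM vendor's) showing what the device looks up and what the customer has to host. The request and response shape (a GET to `/.well-known/com.apple.remotemanagement` on the Managed Apple ID's domain with a `user-identifier` query parameter, answered by a JSON object whose `Servers` array carries `Version` and `BaseURL`) follows Apple's published discovery format; the hostnames and the Managed Apple ID are constructed placeholders, and the validation checks are what I would run before telling a customer their file is live.

```python
"""Account-driven user enrollment discovery: build and sanity-check the
/.well-known/com.apple.remotemanagement document.

Added example; not Apple's or any vendor's code. The request/response
shape follows Apple's published discovery format. Hostnames and the
Managed Apple ID below are constructed placeholders.
"""
import json
from urllib.parse import quote, urlsplit

WELL_KNOWN_PATH = "/.well-known/com.apple.remotemanagement"
USER_ENROLLMENT_VERSION = "mdm-byod"  # Version string for user enrollment servers


def discovery_url(managed_apple_id: str) -> str:
    """URL the device fetches: the domain comes from the Managed Apple ID,
    so discovery is driven by the identity's domain, not by the MDM vendor."""
    domain = managed_apple_id.rsplit("@", 1)[1].lower()
    return (f"https://{domain}{WELL_KNOWN_PATH}"
            f"?user-identifier={quote(managed_apple_id, safe='')}")


def build_discovery_document(mdm_base_url: str) -> str:
    """JSON body the customer hosts at WELL_KNOWN_PATH on their own domain."""
    doc = {"Servers": [{"Version": USER_ENROLLMENT_VERSION,
                        "BaseURL": mdm_base_url}]}
    return json.dumps(doc, indent=2)


def validate_discovery_document(body: str) -> list[str]:
    """Return the problems found in a hosted document (empty list means OK).

    Beyond well-formedness, it insists on an https BaseURL: the device will
    be handed this URL to start enrollment, so a plain-http or malformed
    entry is a misconfiguration worth catching before rollout."""
    problems: list[str] = []
    try:
        doc = json.loads(body)
    except json.JSONDecodeError as exc:
        return [f"not valid JSON: {exc.msg}"]
    servers = doc.get("Servers") if isinstance(doc, dict) else None
    if not isinstance(servers, list) or not servers:
        return ["missing or empty 'Servers' array"]
    for i, entry in enumerate(servers):
        if not isinstance(entry, dict):
            problems.append(f"Servers[{i}]: entry is not an object")
            continue
        if entry.get("Version") != USER_ENROLLMENT_VERSION:
            problems.append(f"Servers[{i}]: Version is not "
                            f"{USER_ENROLLMENT_VERSION!r}")
        base_url = entry.get("BaseURL")
        if not isinstance(base_url, str) or not base_url:
            problems.append(f"Servers[{i}]: BaseURL missing")
            continue
        parts = urlsplit(base_url)
        if parts.scheme != "https":
            problems.append(f"Servers[{i}]: BaseURL must use https")
        if not parts.netloc:
            problems.append(f"Servers[{i}]: BaseURL has no host")
    return problems


if __name__ == "__main__":
    # Constructed sample: customer domain example.com, vendor-hosted MDM.
    print(discovery_url("jane@example.com"))
    good = build_discovery_document("https://mdm.vendor-example.net/enroll")
    print(good)
    print("good:", validate_discovery_document(good))
    bad = build_discovery_document("http://mdm.vendor-example.net/enroll")
    print("bad:", validate_discovery_document(bad))
```

Running it prints the lookup URL for the constructed Managed Apple ID, the document to host, and an empty problem list for the https variant versus a flagged one for the http variant. The point the post raises is visible in `discovery_url`: because the device derives the lookup from the account's domain, the customer must control a web host on that domain, which is the extra step the post would rather see folded into Apple's side of the flow.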