
Configure service discovery

You must configure service discovery before you can use account-driven Apple User Enrollment.

For iPhones and iPads owned by the user, service discovery is the enrollment step in which the device locates your Sophos Mobile server from the user's Managed Apple ID, without the user having to type a server address.

Users must enter their Managed Apple ID when enrolling their device with Sophos Mobile. The device takes the domain part of the ID (the part after the @) and fetches a service discovery resource over HTTPS from a web server at that domain. The resource contains the information the device needs to enroll with Sophos Mobile.

Requirements

Before configuring service discovery, make sure that you comply with the following requirements:

  • Your web server’s SSL/TLS certificate covers the domain you registered in Apple Business Manager for your Managed Apple IDs. More precisely, the domain name must appear as a DNS entry in the certificate’s Subject Alternative Name (SAN) extension. Current iOS and iPadOS versions don’t accept a domain that appears only in the Common Name (CN). Note that the device connects to the domain itself (for example example.com, not mdm.example.com), and a wildcard entry such as *.example.com does not cover that apex domain.
  • The devices you want to enroll have all certificates from your web server certificate’s chain of trust.

    If your certificate is signed by a commercial or non-profit Certificate Authority (CA), such as Let’s Encrypt, there’s nothing to do. iOS and iPadOS already include the required chain-of-trust certificates.

    In contrast, if your certificate is self-signed or issued by your organization’s PKI (public key infrastructure), you must manually install the chain-of-trust certificates on the devices.

Configure service discovery

To configure service discovery, do as follows:

  1. In Sophos Mobile, go to Setup > Apple setup > Apple User Enrollment.
  2. Click Set up account-driven Apple User Enrollment.

    The Apple User Enrollment tab.

  3. Click Copy to clipboard to copy the JSON code shown on the page.

    The Copy to clipboard button.

  4. Paste the JSON code into a new text file.

  5. Publish the file on your web server at the following URL:

    https://your-domain.com/.well-known/com.apple.remotemanagement
    

    Replace your-domain.com with the domain you registered in Apple Business Manager for your Managed Apple IDs.

  6. Configure your web server to serve the file with the response header Content-Type: application/json.

  7. Configure your web server to allow HTTP GET requests to the URL. The request comes from a device that isn’t enrolled yet, so the URL must be reachable without authentication, and the rule must still match if the device appends a query string to the URL.
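The following script is an added example, not Sophos Mobile code or part of this page. It checks the published endpoint the way a practitioner would before handing the enrollment flow to users: it verifies that the certificate’s SAN covers the apex domain (the requirement above), performs the HTTPS GET for the well-known URL, and validates the status code, the Content-Type header and the JSON body (steps 5 to 7). It assumes Apple’s documented response shape (a "Servers" list whose entries carry "Version" and "BaseURL") and that the device appends a "user-identifier" query parameter holding the Managed Apple ID; the JSON you actually publish is the one copied from Sophos Mobile, and the sample body in the script is constructed for illustration.

```python
"""Checks for an account-driven Apple User Enrollment service discovery endpoint.

Added example; this is not Sophos Mobile code. Assumptions: the response has
Apple's documented shape (a "Servers" list whose entries carry "Version" and
"BaseURL"), and the device fetches the well-known URL with a "user-identifier"
query parameter holding the Managed Apple ID.
"""
import http.client
import json
import ssl
import sys
import urllib.parse

WELL_KNOWN_PATH = "/.well-known/com.apple.remotemanagement"

# Constructed sample body in the assumed shape; the real one comes from Sophos Mobile.
SAMPLE_RESPONSE_BODY = (
    b'{"Servers":[{"Version":"mdm-byod","BaseURL":"https://mobile.example.com/mdm"}]}'
)


def san_covers_domain(san, domain):
    """Return True if a DNS entry in the certificate's subjectAltName covers domain.

    san is the 'subjectAltName' tuple from ssl.SSLSocket.getpeercert(), e.g.
    (("DNS", "example.com"), ("DNS", "*.example.com")). Only DNS entries count
    (the CN is ignored, as on current iOS/iPadOS), and a wildcard matches exactly
    one label, so "*.example.com" does not cover the apex "example.com".
    """
    domain = domain.lower().rstrip(".")
    for kind, value in san:
        if kind != "DNS":
            continue
        value = value.lower().rstrip(".")
        if value == domain:
            return True
        if value.startswith("*."):
            suffix = value[1:]  # ".example.com"
            if domain.endswith(suffix) and "." not in domain[: -len(suffix)]:
                return True
    return False


def check_discovery_response(status, content_type, body):
    """Validate a fetched discovery response; returns a list of problems (empty means OK)."""
    problems = []
    if status != 200:
        problems.append(f"HTTP status {status}, expected 200")
    mime = (content_type or "").split(";")[0].strip().lower()
    if mime != "application/json":
        problems.append(f"Content-Type {content_type!r}, expected application/json")
    try:
        doc = json.loads(body)
    except ValueError:  # JSONDecodeError and UnicodeDecodeError both derive from ValueError
        problems.append("body is not valid JSON")
        return problems
    servers = doc.get("Servers") if isinstance(doc, dict) else None
    if not isinstance(servers, list) or not servers:
        problems.append('JSON has no non-empty "Servers" list')
        return problems
    for i, server in enumerate(servers):
        if not isinstance(server, dict):
            problems.append(f"Servers[{i}] is not an object")
            continue
        if not server.get("Version"):
            problems.append(f"Servers[{i}] has no Version")
        base_url = server.get("BaseURL", "")
        if urllib.parse.urlsplit(base_url).scheme != "https":
            problems.append(f"Servers[{i}].BaseURL is not an https URL: {base_url!r}")
    return problems


def fetch_discovery(domain, managed_apple_id, timeout=10):
    """Perform the GET the device performs and return (status, content_type, body, san).

    The default SSL context verifies the chain against the local trust store and the
    host name, so a private-PKI certificate fails here unless its root is trusted
    locally, just as it fails on a device that doesn't have the chain installed.
    """
    ctx = ssl.create_default_context()
    conn = http.client.HTTPSConnection(domain, 443, context=ctx, timeout=timeout)
    conn.connect()  # TLS handshake happens here, so the peer certificate is available
    san = conn.sock.getpeercert().get("subjectAltName", ())
    query = urllib.parse.urlencode({"user-identifier": managed_apple_id})
    conn.request("GET", f"{WELL_KNOWN_PATH}?{query}")
    resp = conn.getresponse()
    body = resp.read()
    conn.close()
    return resp.status, resp.getheader("Content-Type"), body, san


def main(argv):
    if len(argv) != 3:
        print(f"usage: {argv[0]} your-domain.com user@your-domain.com")
        return 2
    domain, managed_apple_id = argv[1], argv[2]
    status, content_type, body, san = fetch_discovery(domain, managed_apple_id)
    problems = check_discovery_response(status, content_type, body)
    if not san_covers_domain(san, domain):
        problems.append(f"certificate SAN {san!r} does not cover {domain}")
    for problem in problems:
        print("FAIL:", problem)
    print("OK" if not problems else f"{len(problems)} problem(s)")
    return 1 if problems else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python3 check_discovery.py example.com user@example.com`, with the domain being the Managed Apple ID domain rather than the Sophos Mobile server’s host name. If your certificate comes from your own PKI, the TLS handshake fails on a machine that doesn’t trust that root, which is the same failure the devices will see until the chain-of-trust certificates are installed on them.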