You're new to SimpleMDM and need some help getting started.
This guide will cover the basics of getting started with SimpleMDM, including: Critical early decisions to make, creating a SimpleMDM account, configuring SimpleMDM, and Common Errors.
The Complete SimpleMDM Knowledge Base can be found here:
SimpleMDM Knowledge Base
The Complete SimpleMDM API Documentation (Advanced) can be found here:
SimpleMDM API Documentation
Check out our YouTube Playlist for Getting Started With SimpleMDM:
PDQ + SimpleMDM YouTube
Table of Contents
The Importance of Making Informed Early Decisions
Making informed early decisions is crucial when Getting Started With SimpleMDM.
Some examples of critical early decisions to be made are:
- Whether or not to use Apple Business Manager
- How you will manage your AppleIDs in your environment
- Whether or not to supervise devices
- Which enrollment methods will be used
Apple Business Manager
Apple Business Manager is not required for SimpleMDM to manage your devices, but it offers additional MDM functionality when utilized.
Utilizing Apple Business Manager adds the following additional functionality:
- Automated Device Enrollment - When purchased through Apple Business Manager or an Authorized Reseller
- Volume Purchase Program - Allows installing App Store Apps without an end user AppleID
Apple Business Manager is not available in all regions.
Create an Appropriate AppleID
An AppleID is required for managing Push Certificates. The AppleID created for managing your Apple devices with SimpleMDM should not be an individual's personal AppleID. It is considered best practice for this AppleID to use a generic administrator username, e.g.: 'MDMAdmin@company.com'.
A new AppleID can be created at appleid.apple.com. The process is the same as creating an AppleID for personal use. This AppleID can be an Apple ID that is associated with your Apple Business Manager account, but is not required.
An Apple Push Certificate is required for Apple devices to be managed via the MDM Protocol. Push Certificates need to be renewed yearly, using the same AppleID it was originally created with. Creating and uploading a Push Certificate to SimpleMDM is required during the SimpleMDM account creation process.
When creating your Push Certificate, you should use the generic administrator AppleID for your organization. Instructions for creating a Push Certificate are provided during the SimpleMDM sign up process.
Create a SimpleMDM Account
When you are ready to create a SimpleMDM account, sign up for a free 30 day trial at:
Additional SimpleMDM Administrators can be added after creating your organization's account.
Supervised Mode is a special iOS configuration that allows an organization's MDM Administrators additional MDM control & functionality. SimpleMDM can have a mix of supervised and un-supervised devices, so choosing whether or not to use device supervision is a decision that can be made on a per-device basis. Devices that are enrolled from Apple Business Manager (Automated Enrollment) will be in supervised mode automatically.
Supervision is the ideal configuration for company-owned devices, but it is not appropriate for employees who are bringing their own devices (BYOD).
Managing SimpleMDM Admins
In SimpleMDM you can create multiple users to manage your organization's account and devices. This includes the ability to create User Roles with different permissions, as well as security features such as 2 Factor Authentication and SAML Single Sign On.
Connecting SimpleMDM to Apple Business Manager
Apple Business Manager allows for Automated Enrollment using the Device Enrollment Program (DEP) as well as the Volume Purchase Program (VPP) for deploying purchased applications with SimpleMDM. In order to link Apple Business Manager to SimpleMDM, to be able to use DEP and VPP with SimpleMDM, you must first create DEP and VPP tokens in Apple Business Manager and upload them to SimpleMDM.
It is always recommended to use a generic MDM Administrator email address for the AppleID that will be generating the DEP Token, in order to prevent DEP Token renewals from being linked to a personal AppleID.
SimpleMDM has four methods for enrolling devices. The method you choose is dependent on who owns the device being managed, where it was purchased, and whether or not supervision will be used.
The four enrollment methods are:
- Automated Enrollment with Apple Business Manager
- Apple Configurator (Requires a Mac computer)
- Enroll by Link
- User Enrollment
Device Groups in SimpleMDM are for grouping together devices that require the same Configuration Profiles, Restrictions, Passcode Settings, and Apps.
Configuration Profiles are the policies that can be applied to devices or Device Groups that allow an administrator to set up accounts, services, and other functionalities on devices.
SimpleMDM provides multiple methods for managing applications for MacOS, iOS, and tvOS devices. Apps can be individually deployed to one or more devices, or assigned to Device Groups for simplifying app deployments.
The App Catalog allows for the distribution of App Store Apps, purchased from Apple Business Manager under the Volume Purchase Program, for MacOS, iOS, and tvOS devices.
Managing Applications for iOS & tvOS Devices
There are three methods for managing applications for iOS & tvOS devices.
- App Store - Volume Purchase Program (VPP)
- App Store - Using Apple IDs
- Enterprise & Ad-Hoc (Custom Apps)
Managing Applications for MacOS Devices
There are three methods for managing applications for iOS & tvOS devices.
SimpleMDM offers the ability to perform Device Actions on managed devices, that can simplify remotely managing your devices. Device Actions include the ability to push assigned apps and media, send the device a message, clear the passcode, enable Lost Mode, Wipe the device, and more.
Location Tracking is available for enrolled devices that have the SimpleMDM iOS app installed.
SimpleMDM retains Admin & Device Logs. The Admin Namespace logs activity from the SimpleMDM Portal & API, while the Device Namespace logs device activity between SimpleMDM and the devices being managed.
SimpleMDM only retains logs for two weeks. If you wish to retain the SimpleMDM logs for a longer period of time, logs can be exported with the SimpleMDM API.
SimpleMDM allows Custom Scripts to be uploaded and deployed to MacOS devices. Custom Script Jobs can be deployed to Device Groups, Assignment Groups, or individual devices.
Attributes & Custom Attributes
Attributes enable you to create configurations that are customized on a per-device basis. With attributes, you can create profiles and managed app configurations that include values specific to the device they are being installed to. Additionally, you can use custom attributes as a way to store device or asset metadata specific to your business.
Authentication Integration for Enrollments
SimpleMDM supports the ability to configure LDAP and SAML authentication for device enrollments.
SAML SSO Integration
For added security, SimpleMDM can integrate with the Security Assertion Markup Language (SAML) standard for Single Sign On (SSO). Several vendors can be configured as a Trusted Identity Provider to authenticate your SimpleMDM Administrators with SAML SSO.
The SimpleMDM API exists as a RESTful JSON implementation. It is designed to work over authenticated, HTTPS secured channels. Since the SimpleMDM API is based upon the HTTP protocol, you can directly interact with it using any HTTP client library.
API Keys can be created in the API page of the SimpleMDM Portal, and each API key created can be configured with different permissions.