Skip to main content

Set up Enrollment SSO for Apple devices

With Apple Enrollment SSO, employees can use a Managed Apple ID to sign in on macOS, iOS, or iPadOS devices and automatically enroll in Swif for device management. Below are two ways to integrate Swif with Apple’s Enrollment SSO:

  1. CNAME approach – Point your chosen domain to apple-enrollment.swifteam.com.

  2. Hosting JSON – Serve a .well-known/com.apple.remotemanagement file yourself for Apple to fetch enrollment details.

Important

  • If you need both BYOD (Bring Your Own Device) and non-BYOD (Company-Owned/ADE) enrollments, handle them differently depending on the approach.

  • CNAME approach uses one domain and differentiates BYOD vs. non-BYOD via email prefixes.

  • Hosting JSON requires two separate domains—one for BYOD JSON and one for non-BYOD JSON. The benefit is that you can host JSON on your root domain, so your Managed Apple ID can be the same as your company work email.

  • Make sure to add each user’s Managed Apple ID in the ABM (see Step 5).

  • Apple Business Manager (ABM) allows users to use Google, Azure, or Okta credentials to authenticate to their Apple iCloud or Apple Device Management.


Important notice for BYOD with Enrollment SSO

Notice: During Enrollment SSO BYOD enrollment, the Swif Agent cannot be installed. Therefore, many MDM functions will not work.


For BYOD enrollment, we recommend using Application or Silent installer instead.

If you need full MDM capabilities (e.g., advanced policies, deep device posture, and continuous monitoring), make sure your BYOD flow uses one of the supported Swif agent installation methods above.


1) Prerequisites

(Same as in the original article.)

  1. Admin access in Swif and Apple Business Manager (ABM) or Apple School Manager (ASM).

  2. Ability to configure DNS (for CNAME) or upload files to your domain (for JSON hosting).

  3. Managed Apple IDs set up in ABM/ASM for your employees.


2) Set Up Employee’s Managed Apple ID

Each employee who will use Apple Enrollment SSO needs a Managed Apple ID in your ABM/ASM.

  • Create or Update the Managed Apple ID in ABM/ASM.

Differentiating BYOD vs. Non-BYOD

  • CNAME approach:

    • You have one domain, e.g. applesso.yourcompany.com, pointed to apple-enrollment.swifteam.com.

    • Separate employees’ IDs by prefix or suffix, e.g.

      • BYOD: username.byod@applesso.yourcompany.com

      • Non-BYOD: username@applesso.yourcompany.com

  • Hosting JSON:

    • If you can host JSON on your root domain, you can sync your Google Workspace or Azure directory email in Apple Business Manager directly without an additional Managed Apple ID domain and then use that same email as a Managed Apple ID.

    • You need two different domains or subdomains (one for BYOD JSON, one for non-BYOD JSON).

    • Match each user’s Managed Apple ID domain to the correct enrollment flow.

      • employee@byod.yourcompany.com → fetches BYOD JSON

      • employee@yourcompany.com or employee@applesso.yourcompany.com or → fetches non-BYOD JSON


3) Method 1: CNAME to Swif

Pick a subdomain

  • For example, applesso.yourcompany.com.

Create a CNAME record

  • Point applesso.yourcompany.comapple-enrollment.swifteam.com.

Verify

  • Check via a DNS lookup tool.

Set Your Domain to Swif

In the Swif admin console, set the domain you want to use for Enrollment SSO.

You can also set it on the Device Enrollment page.

Enrollment (Optional, you can test enrollment at #6)

  • On an Apple device, go to System Settings (macOS) or Settings (iOS/iPadOS) → GeneralDevice Management (or VPN & Device Management).

  • Tap or click Sign in to Work or School Account.

  • If prompted for a domain, enter applesso.yourcompany.com.

  • User enters their Managed Apple ID (e.g., username@applesso.yourcompany.com).

  • Swif will automatically enroll the device as BYOD or non-BYOD based on the user’s ID prefix/suffix.

  • No separate Swif login prompt is required; the Managed Apple ID sign-in triggers the entire SSO flow.


4) Method 2: Host on your own domain(s)

4.1) Host by JSON

When hosting JSON yourself, you have three configuration options depending on your enrollment needs:

Configuration

Use Case

BYOD JSON (Static)

All enrollments should be BYOD

Non-BYOD JSON (Static)

All enrollments should be Non-BYOD (Company-Owned / ADE)

Retrieve Your Configuration

Swif provides all three configurations via a single API call:

curl -X GET "https://mdm.swifteam.com/api/v2/sso/enroll/json" \
-H "Authorization: Bearer {{TOKEN}}" \
-H "team-id: {{TEAM-ID}}"

For EU, use mdm.eu.swifteam.com.

The response includes your team identifier, static JSON for both BYOD and Non-BYOD, and proxy configurations for dynamic routing:

{
"teamIdentifier": "{{IDENTIFIER}}",
"adde": {
"Servers": [
{
"Version": "mdm-adde",
"BaseURL": "https://mdm.swifteam.com/api/v1/sso/enroll?team-identifier={{IDENTIFIER}}"
}
]
},
"byod": {
"Servers": [
{
"Version": "mdm-byod",
"BaseURL": "https://mdm.swifteam.com/api/v1/sso/enroll?team-identifier={{IDENTIFIER}}&isbyod=true"
}
]
},
"proxyConfigs": { ... }
}

You can also download the static JSON files directly from the Swif admin console under the Enrollment SSO settings:

  • "JSON For BYOD Device" — downloads the BYOD JSON

  • "JSON For Non BYOD Device" — downloads the Non-BYOD JSON

Option A: Static BYOD JSON

Use this if all Enrollment SSO enrollments should be BYOD.

  1. Download or copy the byod JSON from the API response (or use the "JSON For BYOD Device" link in the admin console).

  2. Serve it at: {{YOUR_DOMAIN}}/.well-known/com.apple.remotemanagement

  3. The URL must return only this JSON text — no .json filename extension, no extra HTML.

Option B: Static Non-BYOD JSON

Use this if all Enrollment SSO enrollments should be Non-BYOD (Company-Owned / ADE).

  1. Download or copy the adde JSON from the API response (or use the "JSON For Non BYOD Device" link in the admin console).

  2. Serve it at: {{YOUR_DOMAIN}}/.well-known/com.apple.remotemanagement

  3. The URL must return only this JSON text — no .json filename extension, no extra HTML.


4.2) Host by Proxy configuration

Use this if some users will be Non-BYOD (ADE) and others will be BYOD on the same domain. A proxy redirects the .well-known request to Swif's server, which dynamically determines the enrollment type per user.

Configuration

Use Case

Proxy (Dynamic)

Some users are BYOD and others are Non-BYOD — enrollment type is determined dynamically

How It Works

  1. You configure a reverse proxy on your domain so that requests to /.well-known/com.apple.remotemanagement are forwarded to Swif.

  2. On the first enrollment attempt, the user signs in with their Managed Apple ID. Swif caches the user's email and presents a page instructing them to close the window and start the SSO flow again.

  3. On the second attempt, Swif recognizes the user's email from the cache and dynamically routes them to the correct enrollment type (BYOD or Non-BYOD) based on the user's configuration in the Swif admin console.

Note: The two-pass flow is required because Apple initiates the enrollment step before the authentication page opens. The first pass allows Swif to identify the user; the second pass completes enrollment with the correct BYOD/Non-BYOD routing.

Proxy Configuration

The API response includes ready-to-use configurations for common web servers under proxyConfigs. The proxyTarget URL is:

https://mdm.swifteam.com/api/v1/sso/well-known/{{IDENTIFIER}}

For EU: use mdm.eu.swifteam.com.

Choose the configuration that matches your web server:

Nginx:

location = /.well-known/com.apple.remotemanagement {
proxy_pass https://mdm.swifteam.com/api/v1/sso/well-known/{{IDENTIFIER}};
proxy_set_header Host mdm.swifteam.com;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
}

Caddy:

handle /.well-known/com.apple.remotemanagement {
rewrite * /api/v1/sso/well-known/{{IDENTIFIER}}
reverse_proxy https://mdm.swifteam.com {
header_up Host mdm.swifteam.com
header_up X-Real-IP {remote_host}
header_up X-Forwarded-For {remote_host}
header_up X-Forwarded-Proto {scheme}
}
}

Apache:

ProxyPass        "/.well-known/com.apple.remotemanagement" "https://mdm.swifteam.com/api/v1/sso/well-known/{{IDENTIFIER}}"
ProxyPassReverse "/.well-known/com.apple.remotemanagement" "https://mdm.swifteam.com/api/v1/sso/well-known/{{IDENTIFIER}}"

<Location "/.well-known/com.apple.remotemanagement">
ProxyPreserveHost Off
RequestHeader set X-Real-IP expr=%{REMOTE_ADDR}
RequestHeader set X-Forwarded-For expr=%{REMOTE_ADDR}
RequestHeader set X-Forwarded-Proto expr=%{REQUEST_SCHEME}
</Location>

Traefik:

http:
routers:
apple-well-known:
rule: "Path(`/.well-known/com.apple.remotemanagement`)"
service: swif-mdm
middlewares:
- apple-well-known-rewrite

middlewares:
apple-well-known-rewrite:
replacePath:
path: "/api/v1/sso/well-known/{{IDENTIFIER}}"

services:
swif-mdm:
loadBalancer:
servers:
- url: "https://mdm.swifteam.com"

Enrollment Flow (for all options)

  1. On the Apple device, open System Settings (macOS) or Settings (iOS/iPadOS) → General → Device Management (or VPN & Device Management).

  2. Tap or click Sign in to Work or School Account.

  3. Enter the user's Managed Apple ID. Apple fetches the JSON (or proxy response) from the domain associated with the ID.

  4. For Static (Options A & B): Enrollment completes automatically — no separate Swif login is required.

  5. For Proxy (Option C): The user will see a sign-in page, then be prompted to close the window and repeat the flow. On the second attempt, enrollment completes with the correct BYOD or Non-BYOD routing.


5) Add Managed Apple ID to Apple Business Manager

Note, you can skip step 5 and create a federated Managed Apple ID from Google Workspace, Azure, etc., on Apple Business Manager. For the step-by-step guide, please visit Set up ABM Managed ID federation by Google Workspace.

  • Add a new managed domain, eg. applesso.<yourdomain> to Apple Business Manager (ABM) -> Managed Apple Accounts. You need to create a TXT record on your DNS server to verify the newly added managed domain.

    • You might need to change the CNAME to the TXT record for Apple verification if you are using the CNAME approach for your Enrollment SSO set up.

    • After the domain is verified and added to ABM, please replace the TXT record from your DNS server with the CNAME you set up at Step 2.1.

  • Create a managed Apple ID for the employee (device user) on Apple Business Manager with these managed Apple ID formats:

    • CNAME:

      1. For BYOD (Bring your own device) users: xxx.byod@applesso.{yourdomain}

      2. For Non-BYOD users: xxx@applesso.{yourdomain}

    • JSON Hosting:

      1. You can use any email format: xxx@yourcompany.com because BYOD depends on the JSON hosting.

  • After creating, please send an email to inform the user to finish signing on ABM.


6) Test Enrollment

To enroll a device via Enrollment SSO, please follow the Device-side experience (Enrollment SSO with Managed Apple ID).


7) Troubleshooting & FAQs

  1. DNS Checks

    • For the CNAME approach, confirm applesso.yourcompany.comapple-enrollment.swifteam.com.

    • For JSON, ensure /.well-known/com.apple.remotemanagement is publicly accessible and returns only the JSON.

  2. BYOD vs. Non-BYOD

    • CNAME: Use email suffixes like .byod vs. no suffix.

    • JSON: Use separate domains for each scenario.

  3. One JSON per Domain

    • Apple only supports a single JSON response at /.well-known/com.apple.remotemanagement per domain.

  4. Hosted JSON on Webflow

    • You can follow this article to upload well well-known file to Webflow assets.

  5. Hosted JSON with 301 redirect

    • Apple follows well-known folder redirect, so you can use a domain that has a 301 redirect, eg.

      $ curl -L https://swifteam.com/.well-known/com.apple.remotemanagement

      When you remove -L, you will see this is a redirect.

  6. No Additional Authentication

    • Enrollment SSO handles enrollment with the Managed Apple ID, so employees do not sign in separately to Swif.

  7. Contact Support

    • If enrollment fails, check device logs and your domain setup. Contact Swif Support if you need more assistance.


That’s it! By setting up your domain and JSON (or CNAME) and assigning each employee’s Managed Apple ID in ABM, you’ll enable a seamless Apple Enrollment SSO flow. Users simply sign in with their Managed Apple ID on the device, and enrollment completes automatically—no separate Swif login is required. For more details, see Swif’s Knowledge Base or contact our Support team.

Did this answer your question?