With Apple Enrollment SSO, employees can use a Managed Apple ID to sign in on macOS, iOS, or iPadOS devices and automatically enroll in Swif for device management. Below are two ways to integrate Swif with Apple’s Enrollment SSO:
CNAME approach – Point your chosen domain to apple-enrollment.swifteam.com.
Hosting JSON – Serve a .well-known/com.apple.remotemanagement file yourself for Apple to fetch enrollment details.
Important
If you need both BYOD (Bring Your Own Device) and non-BYOD (Company-Owned/ADE) enrollments, handle them differently depending on the approach.
CNAME approach uses one domain and differentiates BYOD vs. non-BYOD via email prefixes.
Hosting JSON requires two separate domains—one for BYOD JSON and one for non-BYOD JSON. The benefit is that you can host JSON on your root domain, so your Managed Apple ID can be the same as your company work email.
Make sure to add each user’s Managed Apple ID in the ABM (see Step 5).
Apple Business Manager (ABM) allows users to use Google, Azure, or Okta credentials to authenticate to their Apple iCloud or Apple Device Management. To set up SSO login for iCloud, please visit https://business.apple.com/#/main/preferences/maid.
1. Prerequisites
Admin access in Swif and Apple Business Manager (ABM) or Apple School Manager (ASM).
Ability to configure DNS (for CNAME) or upload files to your domain (for JSON hosting).
Managed Apple IDs set up in ABM/ASM for your employees.
2. Set Up Employee’s Managed Apple ID
Each employee who will use Apple Enrollment SSO needs a Managed Apple ID in your ABM/ASM.
Create or Update the Managed Apple ID in ABM/ASM.
2.1 Differentiating BYOD vs. Non-BYOD
CNAME approach:
You have one domain, e.g. applesso.yourcompany.com, pointed to apple-enrollment.swifteam.com. Separate employees’ IDs by prefix or suffix, e.g.
BYOD: username.byod@applesso.yourcompany.com
Non-BYOD: username@applesso.yourcompany.com
Hosting JSON:
If you can host JSON on your root domain, you can sync your Google Workspace or Azure directory email into Apple Business Manager directly, without an additional Managed Apple ID domain, and then use that same email as the Managed Apple ID.
You need two different domains or subdomains (one for BYOD JSON, one for non-BYOD JSON).
Match each user’s Managed Apple ID domain to the correct enrollment flow:
employee@byod.yourcompany.com → fetches BYOD JSON
employee@yourcompany.com or employee@applesso.yourcompany.com → fetches non-BYOD JSON
3. Method 1: CNAME to Swif
Pick a subdomain
For example, applesso.yourcompany.com.
Create a CNAME record
Point applesso.yourcompany.com → apple-enrollment.swifteam.com.
Verify
Check via a DNS lookup tool.
Set Your Domain to Swif
In the Swif admin console, set the domain you want to use for Enrollment SSO. You can also set it on the Device Enrollment page.
Enrollment (Optional; you can also test enrollment in step 6)
On an Apple device, go to System Settings (macOS) or Settings (iOS/iPadOS) → General → Device Management (or VPN & Device Management).
Tap or click Sign in to Work or School Account.
If prompted for a domain, enter applesso.yourcompany.com.
The user enters their Managed Apple ID (e.g., username@applesso.yourcompany.com).
Swif will automatically enroll the device as BYOD or non-BYOD based on the user’s ID prefix/suffix.
No separate Swif login prompt is required; the Managed Apple ID sign-in triggers the entire SSO flow.
4. Method 2: Host the JSON on Your Own Domain(s)
4.1 Two Domains for BYOD and Non-BYOD
Each domain can only serve one JSON at /.well-known/com.apple.remotemanagement. If you need both BYOD and non-BYOD, create two domains or subdomains, e.g.:
byod.yourcompany.com → BYOD JSON
yourcompany.com or applesso.yourcompany.com → Non-BYOD JSON
4.2 Obtain the Correct JSON
Swif provides:
Non-BYOD (Company-Owned / ADE)
{
  "Servers": [
    {
      "Version": "mdm-adde",
      "BaseURL": "https://mdm.swifteam.com/api/v1/sso/enroll?team-identifier={{IDENTIFIER}}"
    }
  ]
}
BYOD
{
  "Servers": [
    {
      "Version": "mdm-byod",
      "BaseURL": "https://mdm.swifteam.com/api/v1/sso/enroll?team-identifier={{IDENTIFIER}}&isbyod=true"
    }
  ]
}
The {{IDENTIFIER}} placeholder is your Swif team identifier.
4.3 Serve the JSON Immediately at /.well-known/com.apple.remotemanagement
Create the .well-known folder
For example:
byod.yourcompany.com/.well-known/com.apple.remotemanagement
yourcompany.com/.well-known/com.apple.remotemanagement or applesso.yourcompany.com/.well-known/com.apple.remotemanagement
Return the JSON
The URL must serve only this JSON text—no .json filename, no extra HTML.
Enrollment Flow (Optional; you can also test enrollment in step 6)
On the Apple device
Open System Settings (macOS) or Settings (iOS/iPadOS) → General → Device Management (or VPN & Device Management).
Tap or click Sign in to Work or School Account.
Enter Your Managed Apple ID
Apple prompts the user for the Managed Apple ID to proceed with Enrollment SSO.
If the user’s ID domain is byod.yourcompany.com, Apple fetches the BYOD JSON; for yourcompany.com or applesso.yourcompany.com, it fetches the non-BYOD JSON.
No Extra Sign-In
Once Apple validates the Managed Apple ID, the device automatically follows Swif’s enrollment—no separate Swif credentials are required.
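To check a hosted file before users depend on it (the ID-to-flow mapping in 2.1 and the JSON in 4.2/4.3), here is an added Python validator; it is not Swif's tooling or Apple's. It derives which flow a Managed Apple ID should land in, then checks a well-known body for that flow: pure JSON, one Servers entry, the right Version, a BaseURL on mdm.swifteam.com, a real team identifier, and isbyod only on the BYOD file. The sample body and the EXAMPLE123 identifier are constructed placeholders.

```python
import json
import urllib.request
from urllib.parse import parse_qs, urlparse

VERSION_FOR_FLOW = {"byod": "mdm-byod", "non-byod": "mdm-adde"}  # Apple Version per flow (from the article)
SWIF_MDM_HOST = "mdm.swifteam.com"  # host that BaseURL must point at
WELL_KNOWN_PATH = "/.well-known/com.apple.remotemanagement"

# Constructed sample body for offline use; EXAMPLE123 stands in for a real Swif team identifier.
SAMPLE_BYOD = ('{"Servers":[{"Version":"mdm-byod","BaseURL":"https://mdm.swifteam.com'
               '/api/v1/sso/enroll?team-identifier=EXAMPLE123&isbyod=true"}]}')

def expected_flow(managed_apple_id, approach, byod_domain=""):
    """cname: BYOD users carry a '.byod' suffix on the local part of the one shared domain.
    json: BYOD users sit on a dedicated domain (byod_domain); everyone else is non-BYOD."""
    local, _, domain = managed_apple_id.rpartition("@")
    if approach == "cname":
        return "byod" if local.lower().endswith(".byod") else "non-byod"
    if approach == "json":
        return "byod" if domain.lower() == byod_domain.lower() else "non-byod"
    raise ValueError("approach must be 'cname' or 'json'")

def check_remotemanagement(body, expected):
    """Return the problems found in a well-known body for the expected flow; [] means it is fine."""
    try:
        doc = json.loads(body)
    except ValueError as exc:
        # Stray HTML, a BOM or a template wrapper all land here: Apple needs pure JSON.
        return ["body is not pure JSON: %s" % exc]
    servers = doc.get("Servers") if isinstance(doc, dict) else None
    if not isinstance(servers, list) or len(servers) != 1 or not isinstance(servers[0], dict):
        return ["expected exactly one object under 'Servers' (one JSON per domain)"]
    srv, problems = servers[0], []
    if srv.get("Version") != VERSION_FOR_FLOW[expected]:
        problems.append("Version %r does not match the %s flow" % (srv.get("Version"), expected))
    url = urlparse(srv.get("BaseURL", ""))
    if url.scheme != "https" or url.hostname != SWIF_MDM_HOST:
        problems.append("BaseURL must be https://%s/..., got %r" % (SWIF_MDM_HOST, srv.get("BaseURL")))
    query = parse_qs(url.query)
    if "{{" in query.get("team-identifier", ["{{"])[0]:
        problems.append("team-identifier missing or still the {{IDENTIFIER}} placeholder")
    if (query.get("isbyod", [""])[0] == "true") != (expected == "byod"):
        problems.append("isbyod=true must be present for BYOD JSON and absent for non-BYOD")
    return problems

def fetch_body(domain):
    """Fetch the live file over HTTPS, following redirects like `curl -L` does."""
    with urllib.request.urlopen("https://" + domain + WELL_KNOWN_PATH, timeout=10) as resp:
        return resp.read().decode("utf-8")
```

Against a live setup, pass fetch_body of the user's ID domain to check_remotemanagement together with the flow from expected_flow; for the CNAME approach the same ID mapping applies but there is no file of your own to fetch.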
5. Add Managed Apple ID to Apple Business Manager
Note: you can skip step 5 and create federated Managed Apple IDs from Google Workspace, Azure, etc., in Apple Business Manager. For the step-by-step guide, see Set up ABM Managed ID federation by Google Workspace.
Add a new managed domain, e.g. applesso.<yourdomain>, to Apple Business Manager (ABM) -> Managed Apple Accounts. You need to create a TXT record on your DNS server to verify the newly added managed domain. If you are using the CNAME approach for your Enrollment SSO setup, you might need to replace the CNAME with the TXT record for Apple’s verification.
After the domain is verified and added to ABM, replace the TXT record on your DNS server with the CNAME you set up at Step 2.1.
Create a managed Apple ID for the employee (device user) on Apple Business Manager with these managed Apple ID formats:
CNAME:
For BYOD (Bring your own device) users: xxx.byod@applesso.{yourdomain}
For Non-BYOD users: xxx@applesso.{yourdomain}
JSON Hosting:
For BYOD (Bring your own device) users: xxx@byod.yourcompany.com
For Non-BYOD users: xxx@yourcompany.com
After creating the account, send an email asking the user to finish signing in on ABM.
6. Test Enrollment
To enroll a device via Enrollment SSO, please follow the Device-side experience (Enrollment SSO with Managed Apple ID).
7. Troubleshooting & FAQs
DNS Checks
For the CNAME approach, confirm applesso.yourcompany.com → apple-enrollment.swifteam.com. For JSON, ensure /.well-known/com.apple.remotemanagement is publicly accessible and returns only the JSON.
BYOD vs. Non-BYOD
CNAME: Use email suffixes like .byod vs. no suffix. JSON: Use separate domains for each scenario.
One JSON per Domain
Apple only supports a single JSON response at /.well-known/com.apple.remotemanagement per domain.
Hosted JSON on Webflow
You can follow this article to upload the well-known file to Webflow assets.
Hosted JSON with 301 redirect
Apple follows a redirect on the well-known path, so you can use a domain that has a 301 redirect, e.g.
$ curl -L https://swifteam.com/.well-known/com.apple.remotemanagement
If you remove -L, you will see that the response is a redirect rather than the JSON.
No Additional Authentication
Enrollment SSO handles enrollment with the Managed Apple ID, so employees do not sign in separately to Swif.
Contact Support
If enrollment fails, check device logs and your domain setup. Contact Swif Support if you need more assistance.
That’s it! By setting up your domain and JSON (or CNAME) and assigning each employee’s Managed Apple ID in ABM, you’ll enable a seamless Apple Enrollment SSO flow. Users simply sign in with their Managed Apple ID on the device, and enrollment completes automatically—no separate Swif login is required. For more details, see Swif’s Knowledge Base or contact our Support team.